Portable Data Device Security Best Practices
Why Mobile devices?
- Large capacity
- Convenient
- Mobile / portable
- Compact
- Fast
- Easy to use
Risks
- Easy to steal
- Easy to misplace
- Easy to gain access to information
- Devices are used to collect all kinds of information
What kinds of information are at risk of being compromised?
- Confidential Information
- Financial information
  - Personal: banking information
  - Corporate: customer credit card information
- Student grades
- Health data
- Social Insurance Numbers
- Meeting minutes
- Unpublished research drafts
- Staff member reviews
- Personal contact information
  - Phone numbers
  - E-mail lists
- Decryption keys and passwords
What can be done?
Ask yourself “Is it really necessary that I transport this sensitive information?” If the answer is no, then do not copy the information. If you must transport information considered to be sensitive, some basic steps are needed to ensure that mobile information is maintained with the highest integrity.
If you are unsure how to proceed with these practices, please consult ITS for further assistance.
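As an added illustration (not part of the original guide), the question above can be backed by a quick check before anything is copied to a portable device: this Python script flags files that appear to contain Social Insurance Numbers, payment card numbers or e-mail lists. The patterns, the e-mail threshold and the function names are assumptions made for this example, and the sample values are constructed test numbers.

```python
import re
import sys
from pathlib import Path

# Candidate patterns; the Luhn check below discards most look-alike numbers.
SIN_RE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
EMAIL_LIST_THRESHOLD = 3  # assumed cut-off for "this file holds an e-mail list"
# Constructed sample: a test SIN, a test card number, and an invoice look-alike.
SAMPLE = "SIN 046 454 286; card 4111 1111 1111 1111; invoice 123 456 789"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used by payment cards and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count likely SINs, card numbers and distinct e-mail addresses."""
    def valid(pattern, lengths):
        hits = (re.sub(r"\D", "", m.group()) for m in pattern.finditer(text))
        return sum(1 for d in hits if len(d) in lengths and luhn_ok(d))
    return {
        "sin": valid(SIN_RE, {9}),
        "card": valid(CARD_RE, range(13, 20)),
        "email": len(set(EMAIL_RE.findall(text))),
    }


def files_to_review(root) -> dict:
    """Map each file under root that has findings to those findings."""
    flagged = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            found = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
            if found["sin"] or found["card"] or found["email"] >= EMAIL_LIST_THRESHOLD:
                flagged[str(path)] = found
    return flagged


if __name__ == "__main__":
    print("sample:", scan_text(SAMPLE))
    for name, found in files_to_review(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, found)
```

A clean result only means these three patterns were not found; grades, health data and meeting minutes still need a human decision.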
Best Practices
Think Security
Whenever using mobile data, always keep in mind the question: “What could happen if an unauthorized person gained control of this information?”
Look for and try to use the most secure methods for handling data:
http://security.uwo.ca/
http://security.uwo.ca/homecomputer.html
http://www.microsoft.com/security/default.mspx
http://www.microsoft.com/athome/security/default.mspx
http://www.trendmicro.com/en/security/general/guide/overview.htm
http://www.trendmicro.com/vinfo/default.asp?sect=SA
http://www.us-cert.gov/cas/tips/ST04-020.html
Get training – understand your equipment
Read the instructions. New electronic devices have more features, which means that you will have more of a “learning curve” to be able to understand and use these items properly. Default settings are often the least secure for devices, and everyone who has the same device will have the same default settings. Read the manuals that come with your items and be sure you understand the settings and how to change the default settings, especially anything related to security.
http://security.uwo.ca/
http://isc.sans.org/
Use safe / secure passwords
- Choose a strong password
- Use passwords to lock the system or information on the device
- Enable the password-locking feature of the screensaver on laptops.
- Passwords alone should not be your only defense. Always try to use as many security methods as possible, including encryption of data (see Encryption below).
- Passwords should never be written down, especially not next to the computer.
http://www.microsoft.com/athome/security/privacy/password.mspx
http://www.microsoft.com/athome/security/privacy/password_checker.mspx
Do not reuse passwords
- Do not use the same password for everything that requires a password. Do not use your work password for your personal banking password, etc.
Use encryption
- If you must transport sensitive information, use encryption software to encrypt the information effectively and securely.
- Be sure to know the proper password and method to decrypt the information. Decryption keys locked in safes, safety deposit boxes, or otherwise stored (escrowed) in a safe location can help prevent a data loss catastrophe. Without the key, encrypted information typically cannot be recovered at all.
- Encryption will not make any difference if there are hard copies of the information in the same case as the stolen laptop.
- ALL sensitive data should be encrypted, including sensitive information on hard drives, USB devices, CDs, cell phones, PDAs, etc.
Keep up to date with patches
- If the device is a computer, keep the patches up to date. Most vendors provide simple notification and update procedures (e.g. Microsoft Windows Update and Trend’s PC-Cillin software).
- Check for patches to brand new equipment. New devices often have software issues that go undiscovered until they are released to the public.
http://update.microsoft.com/
http://www.trendmicro.com/download/pattern.asp
http://www.cert.org/security-improvement/practices/p067.html
Scan periodically for viruses / spyware / Trojans, etc.
- Periodically run full system scans to check for all of the above. If possible / necessary, use software that scans specifically for each of these types of threats. Extend the full scan to the contents of your mobile devices as well, e.g. run a full scan on everything on your USB device, or on all drives of your laptop or desktop computer.
- Occasionally make use of the free web-based scanning programs offered by the major anti-virus vendors. These full scans offer a “second opinion” about the health and safety of your computer.
- Mobile device users should never download free software from the Internet without a high level of assurance that the product is safe: no adware, no spyware, and no viruses.
http://www.trendmicro.com/en/security/general/virus/overview.htm
http://housecall.trendmicro.com/
http://www.trendmicro.com/spyware-scan/
http://www.trendmicro.com/vinfo/
Use a “personal firewall”
- A personal firewall is a complex but inexpensive program that can be installed on most PCs. It filters information going both into and out of the computer.
- Use of a personal firewall is strongly recommended. It will effectively defend a computer from many of the most pervasive and dangerous network attacks: an intruder will have a much harder time getting into your system if a firewall is installed, configured and running.
- Do not say “yes” to every question asked by the firewall software. This will defeat the entire purpose of the firewall software. Be prudent in your choices, and know how to fix / use your firewall software so that you can correct any errors if you make the rules too tight or loose.
http://www.firewallguide.com/
Harden your system
- Find and use techniques to tighten the security of your system. Base installations of Operating systems often have standard defaults that leave the system vulnerable.
http://www.firewallguide.com/tighten.htm
http://www.lbl.gov/ITSD/Security/systems/wxp-security-checklist.html
http://www.tom-cat.com/security.html
http://www.us-cert.gov/cas/tips/ST04-017.html
Secure Wireless / Secure Remote Access (Western ROAMs)
- Where possible, use the most secure method available to communicate on the network. When working from off-campus, use Western ROAMs. When using wireless on campus, use the UWOSecure-v2 network.
UWOSecure-v2
http://www.uwo.ca/its/doc/hdi/wireless/#secure
Western ROAMs
http://www.uwo.ca/its/doc/hdi/access/remoteaccess.html
http://wroams.uwo.ca/
Back Up data
- Make frequent and necessary backups of data, in the event that data is lost. Have a Personal Disaster Recovery Plan.
http://www.microsoft.com/athome/setup/backupdata.aspx
http://www.microsoft.com/windowsxp/using/setup/learnmore/bott_03july14.mspx
http://free-backup.info/why-do-i-need-to-backup-my-data.html
Disable unused access methods
- If you have a laptop, but are not using the wireless card, turn it off.
- Lock the keyboard when you step away from a computer or mobile device.
Mark your device
- Make use of the Campus Community Police Service’s program to mark electronic devices.
http://www.uwo.ca/police/computersecurity.htm
Disguise your carry case
- Do not make your laptop or handheld device an obvious target for theft. Put your laptop case in a knapsack or gym bag.
Store your case in safe places – lock your system up if necessary
- Put them in the trunk of your car before you arrive at your destination – out of sight, out of mind.
- Do not leave a laptop unattended. If you must, make sure the screen is locked and that the equipment is firmly secured. New locking cables are secure and can be used to bolt or tie equipment down.
- Make sure that locking devices are securely fastened both to the mobile computer and to an immovable object, so that the computer cannot be removed without unlocking it first.
http://www.microsoft.com/athome/security/privacy/ontheroad.mspx
Do not expose your equipment to adverse environmental conditions.
- Do not leave your equipment in a cold car overnight, and if you do – when you bring it into a warm environment, give it some time to warm up. Likewise, do not leave equipment in a hot car during the summer.
- Be cautious with food and drink around your portable devices. Spills and crumbs can quickly destroy electronics.