Protecting Your PCs Against Computer Crime

PROTECTING YOUR PCS AGAINST COMPUTER CRIME

Alan Fraser

The theft of personal computers and their components is a huge problem in the UK (one estimate is that it amounts possibly up to £1 billion per year in direct and consequential losses), and a crime which most companies have now experienced. This article aims to give some practical advice on how to reduce the risk of crime. Jana I.S.S. Limited can help with:

Anti-theft surveys
Recommending measures
Project management of action plans
Awareness training and materials for users.

Recommendations

General: Make sure you keep an up-to-date inventory of all your PCs. Determine the criticality of each PC on your site to determine the best defence required for it (e.g. establish three categories and draw up a set of defences for each category).
Protecting against internal theft: to prevent pilferage, cables on portables and other expensive equipment are good (internal staff don't walk around with bolt cutters), as are internal alarms (such as motion sensors). Security screws on PC cases prevent people tampering with the internals.
Protecting against external theft: The best defence recommended by the insurance industry to combat theft from unoccupied premises is a combination of two measures: building alarms linked to the police, and lock-down devices (plates, enclosures) for all PCs. The alarm goes off, giving the thieves only a short period of time before the police respond. The lock-down devices delay them so they can’t get the stuff quickly enough to take away.

Choice of Defences

Personnel security: the incidence of internal theft is increasing. At a recent BCS Security Group meeting an attendee said "Only a couple of years ago my company had 5000 employees and everybody was happy. Now we have half that number, the place is full of contractors and ex-employees who've been outsourced, and the employees remaining are all demoralised. Consequently, we see our biggest threat not coming from outsiders, but from disgruntled insiders." Do management know their new employment paradigm creates insecurity? Do they care? In the meantime, respond to the risks - take up references for all new staff, including temporary staff and contractors. Give all staff awareness training about the risks of PC and component theft and preventive measures they can take. One of our customers says they lose as many portable PCs from inside their offices as outside.

Building alarms: an absolute necessity, you must have full coverage of the building (every floor), and they should be zoned so that the building can be protected even when people are working late. You must have a fool-proof procedure in place to ensure they are always switched on when the building is empty. Alarms must be tested regularly, too!

Hardening the building: this is strongly recommended if possible. Too many office buildings these days are very easy to break into because of their large glass windows (We've seen a police video showing thieves smashing a huge window so they then were able to walk in and out with a roomful of PC equipment in 1 minute 45 seconds!). Protect vulnerable windows and doors, and not just on the ground floor. If the building has scaffolding up it must be guarded, as scaffolding provides a very easy method of entry to upper floors.

Physical access control: this is strongly recommended, also other common-sense security measures - close doors and windows, lock up, set alarms, etc.

Location of PCs: they shouldn’t be on display to outsiders, as is the case in too many companies where modern PCs can be seen by passers-by just by looking through the window from the street. Don’t tempt them - fit window blinds!

Security guards: use a reputable company that trains and invests in its people, and supplement the guards with alarms.

Dogs: dogs roaming round a compound or a building used to be a great deterrent, but nowadays thieves will sue you if they get bitten! Not recommended except under the constant control of a security guard.

Lock-down devices: cables can protect against internal theft, but all professional thieves have bolt-cutters these days. A cabled PC can still be broken open to steal the components. To increase security where there's risk of professional theft, enclosure boxes and locking plates are strongly recommended, and these can be bought in all sizes for portables, desktop PCs, mini-towers and servers - we have details of some manufacturers, but if you make these security items and want this page to link to your site, let us know . (We are an independent consultancy that recommends suppliers impartially and does not take commission.) Security screws on PC cases can stop internal theft of components. Diskette locks are good for preventing illegal copying of software and infections caused by boot sector viruses, but not against theft. One tip is to cover the PC's processor chip with superglue - this works well against theft, but prevents upgrades and maintenance! (Apparently a coating of superglue also takes fingerprints very well.)

Marking devices: covert identifying marks (Alpha Dot, “smart water”, etc.) will only help you identify your property after it’s been stolen - they’re no deterrent to thieves unless they’re widely advertised, known to thieves, and credible to them. Obvious non-removable marking (etching, engraving, dyes/ paints, security labels) acts as a deterrent, but reduces resale value. Make sure that anything you do to deter theft doesn’t invalidate the manufacturer’s warranty - check first. Any internal or external marking devices should be noted on your asset register for each PC. The police say many possible prosecutions for stealing computers and peripherals fail because the owners cannot positively identify their property. Also - tell everyone your property is marked, as per this notice seen on a Barclays Bank branch window.

Encryption: this will prevent unauthorised access to your confidential information, but is again more of an “after the event” measure, to prevent the information on a desktop or portable PC falling into the wrong hands if the PC or its hard disk is stolen. Encryption is essential for portables which have confidential information on them (it is very easy to get into a Windows portable, even one using the more secure NTFS file system, and it is also easy to break Microsoft Office and WinZip passwords). Our favoured solution is to have an encrypted partition (D: drive) on the PC’s hard disk that all your confidential information can be stored on, with the C: drive containing the operating system and application software remaining unencrypted. This is an alternative to encrypting the entire disk, and reduces problems with maintenance - the PC can safely be given to a service company without compromising the confidential data by having to reveal encryption keys.

Smoke devices: these weren't recommended in the past because the smoke particles could damage systems and even cause electrical fires (they had much bigger particles than cigarette smoke, which is bad enough for PCs). However, we're assured by Mike Hudson of Protect Security Systems UK Limited that this problem has now been fixed. Smoke products which use a closed system where the smoke generation ingredients don't suffer from deterioration will not cause equipment damage or fires. However, we're still concerned that today's legal environment is too burglar-friendly (hence the remark about dogs above) - a burglar who injured himself while blinded by the smoke or who suffered ill effects from smoke inhalation could sue your company. There have apparently been no such cases so far - most burglars who set off the smoke security system leave the premises rapidly.

PC alarms (motion sensors): these can be set off by accidental knocking or power fluctuations, and rarely stop external thieves. They’re useful only if you have a problem with internal theft.

Secure cabinets: some firms have now installed these to keep portable PCs in at lunchtime and overnight, after experiencing theft from their offices. Again, these are recommended if you have a problem with internal theft. You can also buy them to fit in the boots of cars.

Staff awareness: train staff to see PC security as a personal responsibility - they should ensure all security devices and procedures are used, challenge strangers, report anything suspicious, and make sure building and sensitive rooms are locked up, etc.

Security incident handling procedure: this must be in place to cover both emergency response and subsequent procedures. Each incident must be reviewed thoroughly and the loopholes closed to prevent reoccurrence.

Portable PC Thefts

In the UK thefts of portable PCs are very well organised in major city centres, airports and even railway stations. They're even stolen from cars parked at roadside restaurants in rural areas (see the poster from Northamptonshire Police on left). Portables are valued more for their information than for their physical value, and there's a well-organised trade in illegally-obtained company information. Insurance companies are getting worried about portable PC theft claims and starting to query them (they have a sneaking suspicion that many are just forgotten on trains, for example). The time is soon coming when they won't pay out unless you can show you took reasonable care of the portable and concealed it. Don’t use a branded carrying case - disguise the fact you have a PC by hiding it inside a briefcase or other bag.

Always use a security cable to attach your portable to something immovable if you have to leave it for any length of time (in an office or in a hotel room, for example).

Encrypt all your confidential information (see above).

We know of several cases where business travellers have checked in their portable PCs at the airport and never seen them again. Never check-in your portable at the airport (unless forced to by the airport authorities, see below). Always hand-carry the PC and keep any storage media (hard-disk, CD-ROM, diskettes, smartcards, etc.) separately. However, on some flights (mainly to and from the USA, but maybe also Israel) you are not allowed hand luggage of any kind, except essential medication - you are forced to check-in your portable. Under such circumstances it is essential that you know about this beforehand by asking your travel agent to check hand luggage rules on all your flights, and hide your portable in your ordinary luggage. A separate portable PC bag is an obvious target for a thief, but a portable hidden in clothes inside a big case is much safer. Obviously you then have the risk of your luggage going astray, but this is better than a guarantee of losing your portable PC! In mid 2003 it was announced that all hold baggage on flights to, from and within the USA must be left unlocked. This is of course the same as handing over your luggage directly to the baggage thieves! If you can't put your valuables in your hold baggage you must take them with you on the plane - make a fuss if they try to force you to check them in, but be willing to let them examine everything closely! Make sure your portable has a charged battery - trying to show security staff it's a genuine PC when the battery's flat is really embarrassing...

Some companies have experienced thefts of portables inside their own car parks as staff walk to and from the building. If this situation has occurred to you, make staff leave their portable PC at Reception first, then park their car if arriving, or drive back to get it if leaving.

Police Viewpoint

Our police sources say that the police culture is to concentrate the vast majority of their resources into preventing and clearing up crimes against the individual and car crime, because these are the areas of greatest public concern. They don't have much resource to spend on PC and component thefts, even though many are drug-related. Also the Crown Prosecution Service is under-funded, and to avoid accusations of wasting public money, never proceeds with a case unless they’re 100% certain they’ll get a conviction. IT-related cases can be difficult to bring to court, because of the specialist knowledge required to mount an effective prosecution. As mentioned above, many possible prosecutions for stealing computers and peripherals fail because the owners cannot positively identify their property. It is therefore the duty of each business to take responsibility for its own protection against computer theft - the business community can’t rely on the police or the courts.

It is difficult to evaluate the size of computer crime. Most home thefts are just classed as “burglary”, most business thefts are classed as “office equipment”. Employee theft is almost never reported to the police, so the scale is impossible to measure.

Our aim must be to deter thieves by making our property less desirable to steal, e.g. uniquely identifiable chips that won’t work in another PC (the analogy is with cars and car audio equipment, where the problem of theft became so serious that manufacturers were forced to respond). “Retrofitting” security is more expensive and less effective.

Other Security Issues to Consider

Good housekeeping (including following the procedures you already have in place) can be more effective than extra security measures.

Some thieves who are knowledgeable about IT (many are these days) pose as IT students, and get shown round premises looking at equipment, or send fake surveys on college notepaper, asking for the completed form to be sent to a private address. Another ploy is to phone up posing as a maintenance company and ask for a rough idea of your inventory. Recommendations:

· Make sure students are genuine by checking with their schools/colleges/universities

· If you complete surveys, only send them to a college address

· Don’t give out inventory information over the phone, check out the caller and send the information to the company’s address

Adopt good visitor control procedures. Never admit unexpected callers. All visitors should be escorted while on the premises. Check the identities of engineers/maintenance staff. Following staff into an office or “tailgating” is the most common way of gaining access to a controlled building. Don’t allow anyone to follow you in unless you make sure they check in at reception. Have staff wear prominent identity cards and challenge anyone not wearing one.

There is a high incidence of repeat theft - they take your old equipment for a small return, then come back in a couple of weeks to get all the new latest technology stuff! You have to be doubly on your guard - don't think lightning can't strike twice!

When having new PCs delivered, ask the company to use a plain van. After installation, don’t leave empty boxes where they can be spotted, break them up and bag them for disposal.

After a theft, backups are a serious problem, just because too few companies have them. File servers are being specially targeted, and are often not protected adequately. Most should be protected in locked rooms and enclosure boxes. A file server is both expensive and difficult to replace (there can be a long lead time from suppliers even if backups are available for disks).

Things We Wished We’d Done!

A survey of theft victims asked them what they wished they’d done beforehand. In addition to taking anti-theft precautions, the findings were that they wished they’d:

· Had a contingency plan

· Taken regular, checked, backups

· Kept copies of all original software off-site

· Kept details of server and PC system configurations

· Had an arrangement with a supplier for fast replacement of equipment

· Had identifiable marking for stolen property

Jana I.S.S. Limited can help you put procedures in place to deal with all of these.

Remember, thieves are always looking for a soft target, don’t let it be you.

The advice given on this and other pages is for general information only, as a starting point for ideas rather than solutions to specific problems. Jana Information Systems Services Limited will not accept legal liability for any consequences for any individual or company of following any advice on this page except as part of a legally-binding contract between this company and a customer, with appropriate professional liability insurance in place.