COTS Security Guidance (CSG)
CSG-13\S
December 2009
Summary of Laptop Computer Security
Table of Contents
- Foreword
- Effective Date
- List of Abbreviations and Acronyms
- 1. Introduction
- 2. Background
- 3. Purpose
- 4. Scope
- Annex A – Summary of Recommendations
- Annex B – Security Checklist
- Annex C – Summary of Security Issues
- Bibliography
Foreword
The Summary of Laptop Computer Security (CSG-13\S) is an unclassified publication, issued under the authority of the Chief, Communications Security Establishment Canada (CSEC).
Suggestions for amendments should be forwarded through departmental communications security channels to your Client Services Representative at CSEC.
For further information, please contact CSEC's ITS Client Services area by e-mail at itsclientservices@cse-cst.gc.ca or call 613-991-7654.
Effective Date
This publication takes effect on 12/02/2009.
Carey Frey
Director, Industry Program
© 2009 Government of Canada, Communications Security Establishment Canada
It is not permissible to make copies or extracts from this publication without the written consent of CSEC.
List of Abbreviations and Acronyms
- AP: Access Point
- BIA: Business Impact Assessment
- C&A: Certification and Accreditation
- CD: Compact Disc
- CSEC: Communications Security Establishment Canada
- DG: Director General
- DSL: Digital Subscriber Line
- DVD: Digital Versatile Disc
- GC: Government of Canada
- IEEE: Institute of Electrical and Electronics Engineers
- IP: Internet Protocol
- IPSec: IP Security
- ISP: Internet Service Provider
- IT: Information Technology
- ITS: IT Security
- ITSA: IT Security Alert
- ITSG: IT Security Guide
- LCD: Liquid Crystal Display
- MAC: Media Access Control
- MITS: Management of Information Technology Security
- NAC: Network Access Control
- OS: Operating System
- PC: Personal Computer
- PDA: Personal Digital Assistant
- PIA: Privacy Impact Assessment
- PKI: Public Key Infrastructure
- Q2: Second Quarter
- RFP: Request For Proposal
- SSL: Secure Sockets Layer
- TRA: Threat and Risk Assessment
- VPN: Virtual Private Network
- WEP: Wired Equivalent Privacy
- WPA: Wi-Fi Protected Access
- WPA2: Wi-Fi Protected Access version 2
1. Introduction
Laptop computers (laptops) are subject to all of the IT security vulnerabilities that threaten the traditional IT environment. When connected to the departmental network, the laptop is protected in accordance with the department's IT security architecture. However, the transportable nature of the laptop greatly increases the risk of certain vulnerabilities as compared to the traditional IT desktop environment; this document focuses on those vulnerabilities.
2. Background
Laptops represent a growing proportion of all end-user computer platforms. A key advantage of a laptop over a desktop is its portability, which allows many GC users to use their laptops in remote locations. Most laptops include more than one network connection technology; it is this inter-connectivity flexibility that renders laptops more vulnerable to cyber threats than their desktop counterparts.
3. Purpose
This document is IT security guidance for departments to securely manage the use of laptops.
4. Scope
This document focuses on the secure use of laptops through their lifecycle.

Figure 4-1: Typical Laptops
(Image sources: [1] first and third: Yahoo!; [2] second: HP Canada)
This security guidance is for a laptop processing and/or storing unclassified information; it does not apply to a laptop processing or storing 'Protected' or 'Classified' data. It is worth noting that while a single unit of 'data' may be 'unclassified', the aggregate sensitivity of a large store of that data may be greater than 'unclassified'; the aggregate sensitivity should be revealed in the TRA. If the aggregate sensitivity of a laptop's data store is greater than 'unclassified', then this security guidance does not apply to it.
This document consists of three (3) annexes that summarize the security issues with regard to Laptop Computers as discussed in the COTS Security Guidance (CSG) Details of Laptop Computer Security (CSG-13\G) document. The intended audience for this document is the "Departmental Security Officer (DSO)".
Annex A – Summary of Recommendations
The table on this page summarizes the key risk mitigation strategies and policies for a typical GC environment. The ranking reflects the associated risk and priority.
| Risk Mitigation | Priority | Security Policy |
|---|---|---|
| Specification – Require host-based intrusion detection/prevention software, firewalls, and network access control (NAC) software<br>Specification – Require secure VPN connections to GC network access<br>Specification – Require disk encryption software<br>Configuration – Limit privileged access<br>Decommissioning – Sanitize durable memory (hard drive) | | Specification – Require a Threat and Risk Assessment (TRA) for each unique deployment of laptop assets<br>Specification – Incorporate TRA security requirements in the laptop specification/procurement process<br>Configuration – Enforce 'least privilege' for the assignment of user access privileges<br>Decommissioning – Develop appropriate decommissioning policy for laptop computer to ensure data confidentiality of residual data |
| Specification – Require 'anti-theft' features such as locking cables<br>Configuration – Require regular updates of security-related software and data file<br>Configuration – Require an active password-protected screen saver<br>Configuration – Disable or remove hardware not required for work related activities (i.e. wireless network, infrared ports) | | Specification – Develop an appropriate configuration policy for remote-use laptop computers<br>Configuration – Develop policy for secure laptop configuration for remote access environments<br>Configuration – If required provide 'administrator' privileges through a separate 'user-administrator' access<br>Configuration – Develop an appropriate-use policy for laptop computer users that require regular software and security data files updates |
| Inventory Control – Enforce strong inventory controls<br>Inventory Control – Enforce configuration management<br>Decommissioning – Reconcile software and hardware with inventory control | | Inventory Control – Develop an appropriate-use policy to prevent alterations to the deployed configuration<br>Inventory Control – Develop an appropriate-use policy to restrict use to work-related activities<br>Decommissioning – Develop policy to require formal decommissioning at end-of-life |
Annex B – Security Checklist
This section is an IT security technology functionality requirements checklist.
Operating System Protection
- Minimal OS services configuration
- Minimal software configuration
- User Accounts configured with least-privileges
- Strong laptop-Administrator Authentication
- Strong laptop-User Authentication
- User department IT security policy training
- User appropriate-use agreement
- Anti-virus Software
- IDS Software
- IPS Software
- Encrypt wireless communications
Data Security
- Strong Passwords
- Two-Factor Authentication
- Biometric Authentication
- Data Encryption
- Encrypt stored data
- Encrypt data in transit
- User data-security awareness training
Connectivity
- Wireless connectivity only if required
- VPN connectivity for remote department access
- User network-security awareness training
Physical Security
- Secure laptop with locking cables
- User physical-security awareness training
Annex C – Summary of Security Issues
| Security Issue | Risk | Mitigation | Policy |
|---|---|---|---|
| No Threat and Risk Assessment (TRA) | The presumed threat to the laptop is underestimated resulting in an unacceptable level of risk. | Perform a TRA for the laptop and its intended operating environment. | Require a Threat and Risk Assessment (TRA) for each unique deployment of laptop assets |
| Incorrect Specifications | The assumed threat to the laptop is unknown resulting in an unacceptable level of risk. | Perform a TRA for the laptop and its intended operating environment. | Appropriate configuration policy for remote use laptop computers |
| Misconfiguration | The assumed threat to the laptop is underestimated resulting in an unacceptable level of risk. | Perform another TRA for the laptop specific to its configuration and its intended operating environment. | Appropriate configuration policy for remote use laptop computers |
| | The laptop cannot be used for the intended purpose. Loss of 'availability' may impact the normal business process. | Develop a Business Continuity Plan (BCP) that anticipates the loss of laptop 'availability'. | |
| Insufficient Inventory Control | Loss of 'availability' may impact the normal business process. | Develop stringent inventory control procedures. | Asset management policy |
| Loss or Theft | Laptop computers may be used in insecure environments. | IT Security Awareness Training:<br>When in use the laptop should be secured using a locking-cable.<br>When not in use the laptop should be stored in a secure location.<br>When being transported the laptop should never be left unattended. | The departments' appropriate Use policy for IT equipment.<br>Appropriate configuration policy for remote use laptop computers |
| | Laptop computers are high-value assets that are susceptible to crimes of opportunity. | | |
| | Laptop computers may contain sensitive department data the confidentiality of which may be compromised. | Protect departmental data by using data encryption along with backup and recovery procedures appropriate for a laptop. | |
| Unauthorized Use | Employee uses the laptop for non-work related tasks that, if publicly known, would embarrass the department. | IT Security Awareness Training: sanctions. | The departments' appropriate Use policy for IT equipment. |
| | Employee uses the laptop for illegal activities for which the departments may be liable. | IT Security Awareness Training: sanctions. | |
| | Employee allows the unauthorized use of the laptop by a third party. | IT Security Awareness Training: appropriate use. | |
| Insecure Use | Employee uses the laptop for work related tasks in an insecure IT environment (wireless hotspot). | IT Security Awareness Training: appropriate use.<br>OS hardening, Security software, configuration management<br>Secure specification and configuration | The departments' appropriate Use policy for IT equipment. |
| | Compromise of department data | Protect departmental data by using data encryption.<br>Require strong user authentication, minimal ports and access protocols, firewall, IDS and IPS. | |
| Cyber Attack | Compromise of laptop asset. | Require strong user authentication, minimal ports and access protocols, firewall, IDS, IPS and OS hardening. | The departments' appropriate Use policy for IT equipment.<br>Appropriate configuration policy for remote use laptop computers |
| | Compromise of department data | Protect departmental data by using data encryption. | |
Bibliography
[1] Yahoo! Image Search Results for laptop. In Yahoo! [online]. Yahoo! [cited 11 November 2008].
http://images.search.yahoo.com/search/images?ei=UTF-8&_adv_prop=image&va=laptop&fr=slv8-&imgsz=large.
[2] HP Canada Consumer Laptops, Notebook Computer & Tablet PCs. In HP Canada [online]. Hewlett-Packard Development Company, 2008 [cited 11 November 2008].
http://www.hp.com/canada/products/landing/notebook_tabletpc/index.html