Security Basics mailing list archives

Re: stolen laptop


From: "Steven Adair" <steven () securityzone org>
Date: Wed, 11 Apr 2007 12:49:19 -0500 (EST)

I would say the stuff you are looking for and with which I am about to
reply would follow more under a procedure than a policy.  Things you might
want to take into consideration in the event of a stolen laptop (sounds
like a Windows laptop, so some answers will be M$ specific):

1) Determine what information was on the machine.  Was there financial
data, privacy data, etc.?  Take the appropriate steps in these cases.  This
may involve notifying users and engaging law enforcement.

2) This ties into #1, but what kind of other information would have been on
the machine specific to authentication?  Were there any PKI credentials,
password files, auto-saved passwords, etc.?  You may want to have these
accounts/credentials revoked, locked, and/or reissued for security
purposes.

- Other credentials to be concerned with here would be VPN group passwords,
IPSec pre-shared keys, etc.

3) This ties into #3 but you may want to also make sure the machine
account is removed or locked.  This way should the machine find its way
back onto your network, it is no longer allowed to authenticate against
the domain.  This is really a trivial solution here though.

4) If you have a local administrator account with the same password across
your organization (which would include on the stolen laptop), it may be
time to reset this password to something new on the machines.

5) Checking for failed attempts to log in is something you want to do and
audit regularly.  If you are not doing this already, you could look for
any specific failures related to this instance.  However, that will
probably not yield much.  If you have a monitoring/auditing process in
place, by all means supplement it with any pertinent information.

That's about all that comes to mind for me right now.  Hope that helps.

Steven
securityzone.org

Hi

I have a laptop policy about where it should/should not be kept,
encryption, etc., but what happens if one is stolen?  Change the login
password?  Check AD for any failed login attempts?

Any checklists much appreciated

Jono
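
Items 3 and 5 of the reply above, sketched in PowerShell as an added example that is not part of either message: it disables the stolen laptop's machine account, then searches every domain controller for failed logons that name that workstation or the accounts used on it. Assumptions: the ActiveDirectory (RSAT) module is installed, the domain controllers record failed logons as Security event ID 4625, and the computer name, user name and time window shown are placeholders.

```powershell
# Added example. Run with rights to modify the computer object and to read
# the Security log on the domain controllers.
Import-Module ActiveDirectory

$StolenHost = 'LAPTOP-PLACEHOLDER'      # placeholder: stolen machine's computer name
$UserNames  = @('user-placeholder')     # placeholder: accounts used on that laptop
$Since      = (Get-Date).AddDays(-7)    # placeholder: start of the search window

# Item 3: disable the machine account so it can no longer authenticate
# against the domain if it reappears on the network.
Get-ADComputer -Identity $StolenHost | Disable-ADComputer

# Item 5: collect failed logons from every domain controller that either name
# the stolen workstation or target one of the accounts that was used on it.
$hits = foreach ($dc in Get-ADDomainController -Filter *) {
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent errors when nothing matches or the DC cannot be reached.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Flatten the event's EventData name/value pairs into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $fromHost = $data['WorkstationName'] -eq $StolenHost
        $forUser  = $UserNames -contains $data['TargetUserName']
        if ($fromHost -or $forUser) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                DC          = $dc.HostName
                User        = $data['TargetUserName']
                Workstation = $data['WorkstationName']
                SourceIP    = $data['IpAddress']
                SubStatus   = $data['SubStatus']
            }
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```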
