Best way to make my laptop safe.

Discussion in 'macOS' started by Kronie, Sep 24, 2009.

  1. Kronie macrumors 6502a

    Kronie

    Joined:
    Dec 4, 2008
    #1
    Up until now, I have used my laptop for personal use and some photo work.

    NOW I will be using it for my business that works with credit card #'s AND social security numbers. Very sensitive data. What I am basically doing is pulling information from a website database off the site and saving onto the computer.

    My friend who works in IT security is basically telling me to dump the laptop for a desktop. That even if I store the information off the laptop that because it passes through the machine that the information can be accessed somehow. I have never heard of that but then again I don't deal in IT security. Is that true?

    My plan was to create a encrypted disc in disc utility and hold all the business files in there. OR save the files on an encrypted external drive and not even store them on the laptop. Honestly I use my laptop in clamshell 98% of the time, so I could just sell my laptop and buy a Mac Pro.

    If I do keep the laptop whats the best way to secure the data?
     
  2. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #2
    I think a few simple steps will ensure the safety of the computer and the data.

    When traveling, keep the laptop insight at all times. Don't walk away briefly to talk to the airline attendant at the airport or make a quick call. Bring it with you. Also get a lock so that it when you're in the office or hotel it will be secured to the desk/table.

    As for the table. Consider using encrypted DMGs. I think these are better then using the filevault which encrypts your home folder. The risk with encrypting your home folder is if something occurs to the encrypted file, a bit gets flipped, or some other corruption you lose your entire home folder. An encrypted DMG is the best of both worlds, it provides encryption so you can store your sensitive data in the DMG. Just be sure that you don't store the encrypted dmg's password in keychain - kind of defeats the purpose.

    I travel with a laptop, less so lately but when I do go out, I follow those recommendations.
     
  3. Tex-Twil macrumors 68020

    Tex-Twil

    Joined:
    May 28, 2008
    Location:
    Europe
    #3
    Hi,
    I think that weather you have a notebook or desktop, it changes nothing. If your flat gets rubbed, the thief will have no problems taking a desktop computer. You might consider though a physical access restriction. Like locking the server into a safe, cupboard or whatever.

    Of course if you keep your laptop, I would never take it to public places if the data it has are so sensitive.

    Now the data protection. What exactly will be the usage of the database ? I mean how often will it be accessed ? Does it have to be running 24/7 ?

    I'm not familiar with the encrypted DMG but I guess it is something similar to using TrueCrypt which allows you to create an encrypted partitions/volumes/files. It is supported on Linux,Windows and OSX. If you use it, remember to set strong password or even a key encryption which could be stored on a USB crypto devise.


    Then of course you have to be careful with the OS it self. This means strong admin passwords, disable as many network services as possible (screen sharing, file sharing, ..). I would also think about having a dedicated computer just for this server purpose. Running such a server on a OS that you use for everyday usage is not a good idea (possible viruses, crashes updates ... )


    Finally, do you have control of the application which access the database ? You have to authenticate any connection to the database. The connection will go through the internet so it must be encrypted otherwise the previous advices as useless. Do you trust how the application is developed ? There could be some bugs/security holes which could give an access to the database (SQL injection ...)


    Those are just general advices since I don't know what is exactly your situation so take what you want ;)

    There is another point I would care about though if I was hosting a productive database at home: its availability. Keep on mind that the access to the DB will relay on your internet access provider connection. If it's down for X reason, your application will be down as well. The same apply to your electricity supply since it can be cut for a reason (thunderstorm, maintenance) and the provider will NOT necessarily inform you on time.


    Another thing comes to my mind. Even if it's a bit off-topic it's worth mentioning it. Since you will be storing private information (social security numbers), you might have to compliant with some laws. I don't know which country you are living in but for instance in France you would have to fill,sign some forms in this case. See a wiki page about CNIL

    Good luck,
    Tex
     
  4. Kronie thread starter macrumors 6502a

    Kronie

    Joined:
    Dec 4, 2008
    #4
    I'm worried about physical theft more than anything. If I lose a database of SSN's or other personal data. Its hello Bankruptcy court.

    my thoughts are that a thief can grab my laptop from my house much easier than then a 40LB desktop, and if I switch over to a desktop I wont be tempted to take my laptop anywhere because I wont have one.

    Does anyone know when there updating the Mac Pro's? Not because I want the latest and greatest but because I can get a good deal on the previous model. :)
     
  5. Tex-Twil macrumors 68020

    Tex-Twil

    Joined:
    May 28, 2008
    Location:
    Europe
    #5
    I think that you cannot build a system security on the fact that a desktop is heavier. Seriously.

    You can also lock your notebook with a cable to something

    Only you can protect yourself from doing this :) But as you said, if you lose the date you'll get into troubles

    http://buyersguide.macrumors.com/#Mac_Pro

    Tex
     
  6. Richard1028 macrumors 68000

    Joined:
    Jan 8, 2009
    #6
    Why the heck is a desktop more secure than a laptop? Yeah, the desktop is heavier but it stays in the same spot. If I were a thief at least I'd know where it always was.

    Actually, this whole thread is nonsense. There's no silver bullet anybody here has that kills stupidity. Lock your doors, don't leave the macbook unattended and use your common sense.
     
  7. Tex-Twil macrumors 68020

    Tex-Twil

    Joined:
    May 28, 2008
    Location:
    Europe
    #7
    I don't think my advices are nonesense.

    A "common" sense is not enough for securing an IT system. sorry.
     
  8. electroshock macrumors 6502a

    electroshock

    Joined:
    Sep 7, 2009
    #8
    Tips:

    - Set an unique open firmware password so you'd have to enter it to even power on the machine
    - Physically secure the laptop when not in use, especially when away from home or office
    - Ensure your screen saver kicks in after a minute of inactivity
    - Ensure screen saver requires a password before waking up
    - Use a good password (and is different from your open firmware password)
    - Turn off all services such as sharing for things you don't need
    - Make use of DMG disk images but use a good passphrase that is not either your login password nor your open firmware password
    - Regularly change passwords every so often (say, every 3-6 months)
    - Don't write down passwords anywhere; commit them to memory
    - Do keep the password to the DMG image written down somewhere that is kept secure and accessible to appropriate business associates (and they know where), mostly so if you get hit by a bus, they'll still be able to unlock the encrypted DMG image
    - Make sure 'use secure virtual memory' option is enabled in system preferences somewhere
    - Make use of VPN software when on the road to remotely access your company's servers to ensure any data to/from their systems remains encrypted
    - If you use file transfer software, use something like Panic's Transmit (supports scp, sftp, etc.) to transmit data in an encrypted way over the network or to use a VPN that uses 3DES or AES encryption
    - Use a separate user account to store and process the data rather than your own personal login account. You can use the Fast User Switch feature to jump back and forth seamlessly.
    - For the separate account that holds the data, set it up to use FileVault, and ensure the user/pass info for this account is written down somewhere your business associates can get to. This is in addition to using encrypted DMG disk images to store the actual data.
    - For the separate user account, make sure it is NOT set up as an administrator account
    - Turn off automatic login (without a password) in system preferences -> accounts
    - Purchase and install something like Orbicule's Undercover software which may help with recovery of the machine, but this may not be of any use if you set up an open firmware password
    - I'm not sure if you can set a hard drive password on Macs, though I know it can be done elsewhere
    - Ensure your MacOS X firewall is enabled AND has rules to protect the machine for various applications and interfaces. That way, when you're connected via wireless in public, you won't be such so naked or vulnerable to attacks or compromises
    - Enable the option that turns on requiring password to unlock any system preferences
    - Disable the guest account
    - When you delete a confidential file, don't just merely throw it in the trash and then empty the trash. Throw it in the trash then select the option to securely erase it.
    - If you ever sell the Mac with that hard drive or replace it, use Disk Utility's secure erase option (7-pass is suggested) to wipe it first
    - If you use Time Machine to do backups, I think you'd have to ensure your FileVault'd user account needs to be completely logged out because I don't think it can back up the FileVault stuff while the user is logged in
    - In Safari preferences, make sure you TURN OFF 'Open safe files after downloading' for both your personal account and the protected data account
    - Ensure you've got an antivirus utility installed
    - In system prefs for software update, make sure it's set up to download updates automatically on a daily basis
    - In system prefs -> security, disable remote control infrared receiver
    - Consider disabling the iSight or any webcam (if your Mac has one) whenever not in use
     
  9. CylonGlitch macrumors 68030

    CylonGlitch

    Joined:
    Jul 7, 2009
    Location:
    SoCal
    #9
    This is the weak point in the whole security paradigm that you're talking about. It isn't the data stored on your hard drive, especially if well encrypted. It is this database itself on the internet! W.T.F. NO sensitive database should be on the internet, if it is, there had better be some damn good protections around this such as VPN tunneling with AES256 and rotating keys. If this is just on the net with a firewall, someone WILL get to it. And that is a lot safer, and easier then stealing your desktop or laptop.

    If someone is trying to get to your data, typically desktops are easier targets then laptops. Why? Desktops are stationary, and often left alone. Anyone could come in with a USB key logging dongle and connect it to the keyboard. Most people assume nothing has changed on their desktops and rarely look at the back. Laptops, make it a habit of ALWAYS having it with you. Either it is on your lap being used, or it is on your shoulder (in a bag). NEVER set down. At night or when on vacation, LOCK it up somewhere secure. So many desktops are left sitting around in unlocked rooms; easy prey for someone who wants your data.
     
  10. Kronie thread starter macrumors 6502a

    Kronie

    Joined:
    Dec 4, 2008
    #10
    Anytime you EVER apply for anything online. a purchase, credit card, Mortgage, Auto loan, credit repair, Insurance quote, whatever it is. Its stored in a database on the server. How does an online company get to there customer DATA? Its much safer on the server with SSL than being auto emailed to the business.

    And believe me, I have been there, there are some companies out there that take all of your personal information and when you hit submit, its emailed to the company!!
     
  11. dbwie macrumors 6502

    Joined:
    Jun 11, 2007
    Location:
    Albuquerque, NM, USA
    #11
    I'm not a security expert, but I'm wondering... if you can access a database and pull information off from it, can you also work on that data while leaving it in the database? If you don't pull the information to your computer, but work with it remotely through a VPN, that would seem like the easiest and safest approach?
     
  12. belvdr macrumors 603

    Joined:
    Aug 15, 2005
    #12
    That's possible and the recommended way.
     
  13. CylonGlitch macrumors 68030

    CylonGlitch

    Joined:
    Jul 7, 2009
    Location:
    SoCal
    #13
    Depends on the company strategy of securing data. Some are better then others, and far too many of those fly by night mortgage companies of the early '00s were very lax with security. Not a good thing.

    Stealing laptops with data is easy to do, but encrypting the data, keeping it offline and under lock and key (preferably in an office with a security system and guards) when not used, is a better solution.
     
  14. polaris20 macrumors 68020

    Joined:
    Jul 13, 2008
    #14
    As CylonGlitch already alluded to, I would recommend removing that data and putting it on a box inside a protected network, and that that machine not have direct internet access. VPN into the network and access the data that way.

    Then I would download TrueCrypt and encrypt your entire drive on your Mac, not just use FileVault. It slows the machine down a little, but it's the only way to ensure (as much as possible) that if/when the laptop is stolen that it becomes a brick for the thief.

    It might cost you money with a consulting company if you don't have the expertise to install a proper VPN system, but if there's money and information involved, I'd say it's worth the expense.
     
  15. Kronie thread starter macrumors 6502a

    Kronie

    Joined:
    Dec 4, 2008
    #15
    Maybe I will just buy a Dell. Windows is a "business machine" right? I'm sure its safer.....
     
  16. electroshock macrumors 6502a

    electroshock

    Joined:
    Sep 7, 2009
    #16
    Wouldn't make any real difference. You'd still need to do the same things to secure it as you would on a Mac.
     
  17. Kronie thread starter macrumors 6502a

    Kronie

    Joined:
    Dec 4, 2008
    #17
    I know, it was a joke.

    I think my safest route is to just save my sensitive business files on an external that's encrypted. And bolt it to the floor.
     
  18. electroshock macrumors 6502a

    electroshock

    Joined:
    Sep 7, 2009
    #18
    My bad -- I seem to be dense today. :D
     

Share This Page