Search Security published this on 29 July 2008:
Last week, the MoD was forced, in an answer to a parliamentary question, to admit that during the last four years, 658 of its laptops were stolen, and another 89 lost. Only 32 of the devices have been recovered. In addition, 121 USB memory sticks have been taken or misplaced since 2004, with 26 of the losses happening this year, including three that contained information classified as “secret” and 19 that were “restricted”.
What makes the news even more depressing is that earlier estimates of losses had put the scale of the problem much lower (at 347 laptops stolen between 2004 and 2007). Defence Secretary Des Browne explained that there had been “anomalies” in the earlier reporting process.
Of course, any organisation that can undercount the number of lost laptops over a three-year period by about 50% doesn’t actually have a functioning system for accounting for its laptops. A functioning system, in an organisation like the MoD, might have components like:
* Loss of any laptop treated as an information security incident;
* Centralised collation of reports of lost laptops;
* Regular physical checks on the continued existence and status of all laptops;
* Automated monthly online updates of all laptops that ensure that laptops are not running illegitimate software, that all anti-malware software is up to date, and so on – and, of course, that the laptop is still active and authenticating correctly;
* Any failure in any of these checks reconciled against the physical check and the incident reports.
If the MoD had any of these systems in place, it would at least know how many laptops it had lost. As it doesn’t know this (those ‘anomalies’), one’s conclusion must be that it simply hasn’t put in place systems that are adequate to this task. And if it hasn’t bothered even to make sure that it knows where its laptops actually are, how can it really be sure that all of those lost laptops are encrypted and that none of them has been used in a way that would breach data protection law or the security of the realm?
And what makes anyone certain that the more recent figure is any more correct than the earlier underestimate? How does the MoD know that actual laptop losses aren’t running into the thousands?
I would guess that the number of laptops is a bit less important from the security standpoint as long as all of them have full-disk encryption deployed. Verifying whether all of them have encryption active is simple: set up a software push that takes place once the laptop comes to life. Loss of laptops is unlikely to be stopped; however, you are right that diminishing their number would result in decreased potential exposure. If working offline weren’t a requirement, I would suggest using laptops as “thin clients” and working on remote systems…
“How does the MOD know that actual laptop losses aren’t running into the thousands?” That should be quite easy to figure out through a periodic audit against machine network authentication.
Best regards,
Bogdan Dragomir
http://rosecurit.eu
rosecurit@rosecurit.eu
Speaking of losses running into the thousands, did anyone read the results of the study posted last month which says that more than 10,000 laptops go missing at US airports each week?
That’s 10,000 laptops each week? I’ve never lost a laptop and I have a really hard time understanding how so many laptops can go missing each “week”.
http://www.engadget.com/2008/07/06/study-says-more-than-10-000-laptops-go-missing-at-us-airports-ea/
That is interesting; it might not be an average of 10,000, but that might represent the top losses. I believe that the question asked at the end of the article is a valid one: “what happens with all those laptops?” Anyway, the “silver bullet” against losing the laptop is, as usual, increased user awareness. As for the confidential data existing on the laptop, …there are several solutions, such as: using folder/file encryption software (folder lock), using a whole-disk encryption solution (drivecrypt, pgp), not storing confidential data on your laptop … or the OL’ method, and highly recommended: don’t buy/travel (with) a laptop unless you have the ability to take care of it!!