Unformatted Attachment Preview
Laptop theft: a case study on effectiveness of
security mechanisms in open organizations
Trajce Dimkov, Wolter Pieters, Pieter Hartel
Distributed and Embedded Security Group
University of Twente, The Netherlands
{trajce.dimkov, wolter.pieters, pieter.hartel}@utwente.nl
Abstract—Organizations rely on physical, technical and
procedural mechanisms to protect their physical assets. Of
all physical assets, laptops are the probably the most troublesome to protect, since laptops are easy to remove and conceal.
Organizations open to the public, such as hospitals and
universities, are easy targets for laptop thieves, since every
day hundreds of people not employed by the organization
wander in the premises. The problem security professionals
face is how to protect the laptops in such open organizations.
In this study, we look at the effectiveness of the security
mechanisms against laptop theft in two universities. We
analyze the logs from laptop thefts in both universities and
complement the results with penetration tests. The results
from the study show that surveillance cameras and access
control have a limited role in the security of the organization
and that the level of security awareness of the employees
plays the biggest role in stopping theft. The results of
this study are intended to aid security professionals in the
prioritization of security mechanisms.
Keywords: laptop theft, case study, penetration tests, physical security, security awareness.
I. Introduction
Of all physical assets, laptops are particularly hard
to protect. Laptops are mobile, easily concealable, there
is a big market to sell the hardware and there can
be hundreds of them in a single building. With the
increased data storage capabilities of laptops, the loss
of even a single laptop can induce dramatical costs to
the organization [1]. Thus, although there can be a large
number of laptops in an organization, losing even a
single laptop may not be acceptable.
Organizations open to the public are particularly at
risk from laptop theft. Hospitals and universities, for
example, accept hundreds of people that can wander
in the premises every day. Marshall et al. [2] stress
that 46% of data breaches occur in institutions open to
the public: education, health care and the government.
Laptops containing sensitive medical or academic data
become highly vulnerable in these environments.
The problem security professionals face is how to
protect the laptops in such open organizations. There
are three types of security mechanisms to secure laptops
This research is supported by the Sentinels program of the Technology Foundation STW, applied science division of NWO and the
technology programme of the Ministry of Economic Affairs under
project number TIT.7628.
in a buildings: physical, technical and procedural mechanisms. Physical mechanisms, such as doors and cameras, physically isolate the thief from the laptop and/or
identify her in case of an incident. Technical mechanisms
such as laptop tracking and remote data deletion protect
the laptop and the data in the laptop by using software.
Procedural mechanisms such as organizational policies
and rules decrease the number of mistakes by employees
and increase the resilience of employees toward social
engineering.
The contribution of this paper is evaluation of the existing security mechanisms for protecting laptops based
on (1) logs of laptop thefts which occurred in a period
of two years in two universities in Netherlands, and (2)
14 penetration tests in the same universities, where the
goal was to gain possession of a marked laptop from an
employee unaware of the penetration test. We look at all
successful and unsuccessful laptop thefts and provide a
guideline of which mechanisms should be considered
first in implementing security mechanisms.
The outline of the rest of the paper is as follows. In
section 2 we introduce related work. In section 3 we
evaluate the logs of the laptop thefts and in section 4
we describe the penetration tests and the results from the
tests. Section 5 summarizes our conclusions and suggests
a guideline for which mechanisms should be considered
first in adding security mechanisms. Section 6 concludes
the paper.
II. Related Work
Protection against laptop theft is researched by the
computer science and the crime science community.
In the computer science community, the accent is on
protecting the data residing in the laptop and finding the
location of the stolen laptop. Several security products,
such as TrueCrypt1 and BitLocker2 provide encryption
for the whole hard drive. A few manufactures even produce self-encrypting hard drives where the encryption
key never leaves the drive [3, 4]. These approaches suffer
from two problems. First, when the thief has physical
possession of the laptop, she can always successfully
1 www.truecrypt.org
2 blogs.technet.com/bitlocker
Stolen laptops
Cut Kensington locks
Other physical damage
Figure 1.
Locked office
(burglary)
18
1
16
Open office
Restricted location
Public location
No details
Total
11
5
0
2
0
0
27
1
0
1
0
0
59
7
16
Information from the logs. The logs from both universities are merged to anonymize the data.
execute a number of attacks [5, 6, 7]. Second, these
approaches seem to ignore the human element, or more
precisely, induce performance overhead and decrease
the usability of the laptop. A recent study by Panemon
[8] shows that the majority of non-IT individuals, even
when provided with an encrypted laptop, turn off the
encryption software.
A number of tracking applications, such as Adeona [9]
and LoJack [10], can track the location of the laptop
they are installed on. In case of theft, these solutions use
Internet to provide the owner with the current location of
the laptop. These solutions suffer from two problems: (1)
if the goal of the theft is obtaining data from the laptop,
the thief might never connect the laptop to Internet and
(2) the thief may remove the application by flashing
the BIOS and/or formating the hard drive, making the
tracking impossible.
The approach from the crime science community is
more general, and considers the laptop and its environment. The goal in this field is to prevent a thief from
stealing the laptop in the first place, by either changing
the environment surrounding the laptop or by creating
situations that will deter a thief [11]. Kitteringham [12]
provides a a list of 117 strategies how to prevent a
laptop theft. The strategies include implementation of
physical, technical and procedural mechanisms. The list
is quite elaborate, although the effectiveness of these
mechanisms of each of them is unclear.
Willison and Sipnonen [13] use 25 techniques [11] on
how the environment can reduce the risk of theft and
link them with attack scripts. These results are used to
understand how a specific class of attacks could have
been stopped. Similarly, we also link these techniques
with attack scripts, but we look at which mechanisms
were in place and which failed to protect the laptops.
There are few reports which analyze laptop theft.
These reports focus on the money loss from a stolen
laptop [1] and the frequency of laptop theft and the
most affected sectors [2]. Our results are complementary,
and look at the effectiveness of conventional security
mechanisms in stopping laptop theft.
alarms raised by the theft and the role of technical
and physical mechanisms in securing the laptop and
finding the thief, such as access control and surveillance
cameras.
However, the logs provide limited information about
the level of security awareness of the employees. In particular, the logs do not provide any information of possible violation of the procedural security mechanisms,
such as letting strangers inside an office and sharing
credentials between employees.
Therefore, as a second step, we orchestrated 14 penetration tests where we used social engineering to steal a
laptop.
III. Methodology
We used two approaches to look at the security mechanisms in use and their effectiveness.
First, we looked at logs of the laptop thefts in two
universities in Netherlands. From the logs we got information about: the main reason for the laptop theft,
1) Location of the theft: In 46% of the thefts, the laptop
was stolen when the employee left it unattended in a
public location, such as a cafeteria or meeting room. In
19% of the cases, the theft occurred when the employee
left the office for a short period of time without locking
the door.
A. Log analysis
In a period of two years, the universities reported 59
laptop thefts (Figure 1 and 2). A sample log is shown
in Appendix A. The logs from the thefts provide (1) the
location from where the laptop was stolen, (2) protection
mechanisms on the laptop, and (3) how the theft was
discovered.
!"# $!%
& '! ()# $*
+
Figure 2. In majority of the cases, the theft occurred because the
employee either left the laptop in a public location or forgot to lock
the office door.
Figure 3. During three of the laptop thefts the students produced a fake e-mail giving them permission to take a laptop and went to the janitor.
When the third team approached the janitor, he just gave them the keys and let the students go alone in the office.
In 30% of the thefts, the thief broke into a locked office
either by forcing the door or breaking a window. In two
of these burglaries there is no evidence of used force, and
the guards assumed the thief used a master key or other
credential to gain access. These two cases are targeted
thefts, since the thief stole only a laptop and nothing
else.
2) Protection mechanisms on the laptop: From the logs
we could not deduce if any software protected the
laptop.
In five of the thefts that occurred in an unlocked office,
the laptop was locked with Kensington lock. Only one of
the laptops stolen in a public location was locked with
a Kensington lock.
3) Theft discovery: The majority of the thefts (93%)
were reported by the laptop owner. In a few cases the
report came from an employee who observed a broken
door or window (5%). Only one of the thefts triggered
an alarm. In this case, the thief grabbed the laptop while
the employee went to collect print outs and left through
the fire door, triggering the fire alarm.
In all buildings, in both universities, there are surveillance cameras (CCTV) and either partially or fully centralized access control systems able to log access requests. Surprisingly, the systems provided no useful
information in any of the thefts. These mechanisms are
further analyzed in section IV.
The information we obtained from the logs is limited.
The logs provide information obtained after the theft
took place, based on evidence found by the police and
the security guards. The logs do not provide information
on how the thief reached the location nor on whether
the security awareness of the employees contributed to
the theft. To check the effectiveness of the procedural
mechanisms, we performed a set of penetration tests
where we used social engineering as a means to obtain
a laptop.
B. The penetration tests
To perform the penetration tests, we got help from
45 master students in computer security which took
the role of penetration testers. Before performing the
tests we informed and got permission from the chief
security officers in both universities. We informed the
officers exactly which locations we were going to test
and the names of the staff and students involved. No
other security person in the universities knew of the
tests. The tests were approved by the legal department
from the university.
The students were divided in teams of three. The goal
of each team was to steal a clearly marked laptop from
an employee who is unaware of the penetration test.
First, we did a pilot study with only three teams and
three laptops. Based on the results and insights of the
pilot study, we performed an additional 11 penetration
tests the next year. The methodology used for performing the tests and the design decisions of the tests are
thoroughly described in [14].
The rest of the section (1) defines the roles in a
penetration test, describes the (2) setup, (3) execution
and (4) the closure phase in the test, and discusses (5)
the results and (6) the limitations of the tests.
1) Roles in the penetration test: We define five roles in
the penetration tests.
1 Coordinator - an employee responsible for the experiment and the behavior of the penetration tester.
The coordinator orchestrates the penetration tests.
2 Penetration tester - a student who attempts to gain
possession of the asset without being caught.
3 Contact person - an employee who volunteers to
distribute the asset to the custodians.
4 Custodian - an employee at whose office the laptop
is placed.
5 Employee - person in the university who has none
of the roles above.
2) Setup of the environment: At the start of the study,
we chose four volunteers as contact persons, who in
turn found custodians who volunteered to take part in
the study. The selection of contact persons and custodians was pseudo-random. The common attribute among
these participants was that the contact persons were
1. Social engineer night pass from an employee.
2. Enter the building early in the morning.
3. Social engineer the cleaning lady to access the office.
4. Cut any protection on the laptop using a bolt cutter.
5. Leave the building during office hours.
Figure 6.
Figure 4. In nine of the tests the custodians willingly gave the laptop,
either believing that the teams were from the help desk or that they
were sent by the coordinator.
acquaintances to the authors, and the custodians were
acquaintances to the contact persons.
After selecting the contact people and the custodians, we bought and marked the laptops that need to
be stolen. The contact persons asked the custodians
to sign an informed consent, and then distributed the
clearly marked laptops, each with a web-camera and a
Kensington lock. The custodians resided in two different
universities in nine different buildings. To steal any of
the laptops, the penetration testers needed to circumvent three layers of access control: the entrance of the
building, the entrance of the office where the custodian
works and the Kensington lock.
The contact people told the custodians the universities
are doing a usability study on the new laptops, and
thus they needed to measure the satisfaction level of
the custodians. They informed the custodians that the
level of satisfaction would be measured using motion
detection web-cameras that would record the usage of
the laptops. The data collected by the cameras was stored
on a PC inside their office. Furthermore, for security
reasons, the contact people instructed the custodians to
lock the laptops with a Kensington lock and to leave the
cameras recording at all times. bg The contact people
also asked the custodians not to leave any private nor
work related data on the laptops. With these measures,
we tried to reduce the risk of data leakage and loss of
productivity caused by any theft.
In a few cases a custodian asked a contact person what
is precisely measured with the cameras. The answer was
that the moment the contact person tells the custodian
which behavior is measured, the custodian might change
his behavior and invalidate the study.
3) Execution of the penetration tests: After setting up
the environment, we gave to each of the penetration
teams the location of a single laptop they should obtain.
The penetration tests lasted for two weeks. In the first
week, each team scouted their location and collected
as much information as possible about the custodian
Example of an attack scenario
and the security mechanisms at the location. Then, each
team proposed a list of attack scenarios they wanted
to conduct. A sample attack scenario is presented in
Figure 6. During the second week of the test, after getting
approval for executing the scenarios by the coordinator,
the teams started testing.
The actions of the teams were logged using the CCTV
system, the web-cameras we positioned in the offices of
the custodians and through recording devices carried by
the teams during the attacks. We used such excessive
recordings (1) to have a better overview of why the
attacks succeeded/failed and (2) to be sure the employees
were treated with respect by the penetration testers.
After each successful or failed attempt, the teams
provided an attack trace of which mechanisms they
circumvented and, in case of failed attempts, which
mechanism caused the attack to fail.
4) Closure: After all penetration tests were over, we
debriefed the custodians and the contact people through
a group presentation, where we explained the penetration test and its goal. All custodians and contact
people were thanked and rewarded for helping in the
assessment of the security in their university.
5) Results: Eventually, all teams were successful in
stealing their laptop. Besides the 14 successful thefts,
there were an additional 11 unsuccessful attempts.
The favorite approach of the teams was to directly
confront the custodian and ask for the laptop. Nine of
the teams took roles as service desk employees, students
that urgently needed a laptop for a few hours or claimed
they were sent by the coordinator. Four teams used
mobile phones or pocket video cameras to record the
conversation with the employees. In one case they took
a professional camera and a cameraman, and told the
custodian the recording is part of a study to measure
the service quality of the service desk.
Approach
Disguise
Social engineered the custodian
as coordinator helpers
as help desk
as students
Social engineered the janitor
as students
Social engineered the cleaning lady
as PhD student
5
2
2
4
1
Figure 7. From 9 of the teams that social engineered the custodian, 5
as a people sent by the coordinator, 2 of the teams took a role as help
desk employees and 2 as students. 4 teams approached the janitor as
students that needed to pick up a laptop, with a fake email as a proof,
and 1 team took a role as a PhD student who forgot the key to his
office
Figure 5. In five tests the teams social engineered a person other than the custodian. In two of these cases the students used a bolt cutter to
cut the Kensington lock, and in three found the keys from the lock in the office.
The resistance of the employees varied. In six cases,
the custodians gave the laptop easily after being shown a
fake email and being promised they would get the laptop
back in a few hours. In two cases the custodian wanted a
confirmation from the coordinator. The teams succeeded
in the attempt because the custodian called a number
provided by the penetration testers. Needless to say, the
number was of another team member pretending to be
the coordinator. In one case a colleague of the custodian
got suspicious and sent an email to campus security.
Since only the chief security officer knew about the
penetration test, in a few hours the security guards all
over the campus were all alerted and started searching
for suspicious students.
However, in five cases the students were not able to
social engineer the custodian directly and were forced
to look for alternative approaches. For example, in one
of the cases the students entered the building before
working hours. At this time a cleaning lady cleaned the
offices, and under the assumption it was their office let
the students inside. After entering the office, the students
cut the Kensington lock and left the building before the
custodian arrived. On the way out, they even asked the
same cleaning lady to lock again the office door.
6) Limitations of the test: During the analysis of the
recordings from the tests, we observed that a few custodians were easily persuaded to hand in the marked
laptop. The reason might be that employees are less
reluctant to give in a temporary laptop than their own
laptop.
Another limitation of the test might be the high selfconfidence of the testers. The security guards were not
aware of the penetration test. If caught, the identification
process would be unpleasant experience for the testers.
Nevertheless, they knew they will not go to jail for their
actions. A thief might rather wait for the laptop to be
left unattended than approaching an employee directly
and asking for their laptop.
The results of the test are based on only two universities and their security mechanisms. Other institutions
might have different specter of mechanisms for protecting their laptops.
IV. Observations
The observations presented in this section focus on
the effectiveness of security mechanisms in two open
institutions to protect laptops. The observations should
probably apply also to any mobile asset, such as medical
equipment, beamers and mobile phones.
We observed three main security mechanisms in the
universities: surveillance cameras, access control and a
level of security awareness of the employees.
A. Surveillance cameras
Security officers do not use cameras as alarming mechanisms, but use them a posteriori, to identify an offender
after an accident has taken place. The security officers
cannot afford to monitor all surveillance cameras. The
cameras work only when a motion is detected, and
automatically store the recording in a back end server.
The delay between the occurrence and report of the theft
gives the thief sufficient time to leave the building.
Even when used to identify the thief a posteriori, the
cameras provide limited information about the thief. In
none of the logs nor during any of the penetration tests
the cameras provided enough information to reveal the
identity of the thief.
The CCTV cameras are not able to identify the thief
because (1) they are not mounted in offices, (2) the thief
can easily conceal the laptop and (3) thieves usually
know the position of the cameras and obscure their face.
The cameras are not mounted in offices. All penetration tests and 49% of the thefts took place in an
office. Cameras are not mounted in offices to preserve the
privacy of the employees and because mounting cameras
in every office is not cost effective. Without surveillance
in these offices, it is impossible to identify a thief during
the act.
Instead of in offices, the cameras are usually mounted
on entrance doors. Many people pass through the entrances with bags, and each of the bags might conceal
the stolen laptop. Even if there are only two persons
observed by the camera, if the persons are not caught
on the spot and challenged by the security guards, the
evidence from the surveillance camera can not be used
against them.
Cameras positioned to monitor public locations, such
as cafeterias, halls and reception desks can record the
thief during the theft. The logs show that 46% of the
laptop thefts happened in public locations. During the
penetration tests we noticed that these cameras are
usually set on motion detection, and are not actively
monitored by the security guards. A careful thief would
obscure her face from the cameras using a hat, a hood or
just covering her face with her hands before she steals
the laptop. In one of the penetration tests, three penetration testers wandered with newspapers on top of their
faces through the building without being challenged by
anybody.
In conclusion, the surveillance system provides no
help in stopping the theft and has limited usage in
identifying the thief a posteriori.
B. Access control
The security logs and from the penetration tests show
that although there are multiple layers of access control
in both universities, it is still possible to steal a laptop.
We spotted two weaknesses on the access control in
the universities. Locks are usually bypassed because (1)
they are disabled during working hours and (2) the
doors and windows where the locks reside are easy to
force.
The access controls on the entrances of the building
are easily bypassed because they are disabled during
working hours and because there are too many people
with credentials that can open the door. From the 14
penetration teams, 13 bypassed the entrance locks by
attacking during working hours and one team social
engineered credentials from an employee to enter the
building out of working hours.
Another attack vector for stealing a laptop is to force
a door or a window. The penetration teams were not
allowed to damage any property of the universities
except cutting the Kensington locks. However, the logs
from actual laptop thefts show that in 30% of the thefts,
the thief broke a door or a window to get access to the
office.
Similarly to recordings from surveillance cameras, logs
from the access control systems provide limited help in
identifying the thief. The logs show whose credential
was used to enter a restricted area at a specific time
period. Since the credentials are easy to steal or social
engineer and because there are many people entering
and leaving the area where the theft occurs, it is very
hard to deduce which person is the thief.
In conclusion, the typical access control mechanisms
deployed in the universities are mainly used to deter
opportunistic thieves, but provide no help against a
determined thief.
C. Security awareness of the employees
The level of security awareness of the employees plays
a crucial role in success or failure of a theft.
The human element is the main reason behind the
success of the laptop thefts. In 69% of the laptop thefts
and 100% of the penetration tests, the theft occurred
either because the employee left the laptop unattended
in a public location or did not lock the door when
leaving the office. Similarly, during the penetration tests,
employees opened door from offices of their colleagues,
shared credentials or handed in laptops without any
identification. Therefore, even with strong access control
in place, if the security awareness of the employees is
low, the access control can easily be circumvented.
On the other hand, the human element is the main
reason behind the failure of 67% of all failed penetration
tests. In these cases, an employee informed the security
guards for suspicious activities, rejected to open a door
for the tester, rejected to unlock a laptop without permission from the custodian or interrupted the tester during
the theft. In these cases, the employees besides enforcing
the access control mechanisms, also played a role as an
additional surveillance layer around the laptop.
Employees are usually considered as the weakest link
in the security of an organization [15]. We observe that
employees can also be the strongest link in the security
of open organization. A proper security education of
employees increases the employee’s resistance to social
engineering, and increases effectiveness of the other
security mechanisms.
V. Conclusion
In this paper we analyzed the logs of laptop thefts
which occurred in a period of two years in two universities in Netherlands. We complemented the findings from
these logs with 14 penetration tests which we conducted
in the same universities.
Based on the logs and the penetration tests, we conclude that physical security mechanisms provide deterrent rather than protective security role in laptop theft in
open organizations. Security awareness of the employees
is the main element which determines if a theft will be
successful or not and influences the effectiveness of the
other security mechanisms.
In the future we plan to repeat the penetration tests.
This time, to make the penetration tests more realistic,
we plan to randomly select of contact persons and
custodians and give the laptops to the custodians few
months before the start of the tests.
References
[1] L. Ponemon. Cost of a lost laptop. Technical report,
Ponemon Institute, April 2009.
[2] M. Marshall, M. Martindale, R. Leaning, and D. Das.
Data Loss Barometer. September 2008.
[3] Seagate Technology. Can your computer keep a
secret? 2007.
[4] Seagate Technology. Drivetrust technology:a technical overview. 2007.
[5] P. Kleissner. Stoned bootkit. In Black Hat USA, 2009.
[6] Ellick M. Chan, Jeffrey C. Carlyle, Francis M. David,
Reza Farivar, and Roy H. Campbell. Bootjacker:
compromising computers using forced restarts. In
CCS ’08: Proceedings of the 15th ACM conference on
Computer and communications security, pages 555–
564, New York, NY, USA, 2008. ACM.
[7] Sven Türpe, Andreas Poller, Jan Steffan, Jan-Peter
Stotz, and Jan Trukenmüller. Attacking the bitlocker
boot process. In Trust ’09: Proceedings of the 2nd
International Conference on Trusted Computing, pages
183–196, Berlin, Heidelberg, 2009. Springer-Verlag.
[8] L. Ponemon. The human factor in laptop encryption. Technical report, Ponemon Institute, December
2008.
[9] Thomas Ristenpart, Gabriel Maganis, Arvind Krishnamurthy, and Tadayoshi Kohno.
Privacypreserving location tracking of lost or stolen
devices: cryptographic techniques and replacing
trusted third parties with dhts. In SS’08: Proceedings
of the 17th conference on Security symposium, pages
275–290, Berkeley, CA, USA, 2008. USENIX Association.
[10] Absolute Software.
Lojack for laptops
www.lojackforlaptops.com.
[11] D.B. Cornish and R.V. Clarke. Opportunities, precipitators and criminal decisions: A reply to Wortley’s critique of situational crime prevention. Crime
Prevention Studies, 16:41–96, 2003.
[12] G. Kitteringham. Lost laptops = lost data: Measuring costs, managing threats. Crisp report, ASIS
International Foundation, 2008.
[13] R. Willison and M. Siponen. Overcoming the insider: reducing employee computer crime through
situational crime prevention. Communications of the
ACM, 52(9):133–137, 2009.
[14] T. Dimkov, W. Pieters, and P. Hartel. Two methodologies for physical penetration testing using social
engineering. Technical report, CTIT, December 2009.
[15] N. Barrett. Penetration testing and social engineering hacking the weakest link. Information Security
Technical Report, 8(4):56–64, 2003.