It was a Monday afternoon when the phone rang. I recognized distress in the caller’s voice.
He ran a small Idaho accounting firm with his family, and they had locked up their office on Friday as usual, only to discover the next morning that they had been burglarized. The owner had already called the police and inventoried his office. His concern in calling me was with the sole item stolen: a laptop.
From a digital security perspective, this is a nightmarish scenario. Firewalls and network-intrusion detection systems may be effective in thwarting a would-be hacker in Russia, but they do not stop someone from literally walking through the door.
This particular laptop had thousands of financial records involving the firm’s clients. That meant there was much more than the loss of a laptop at stake.
I went to the client’s office with Dylan Evans, my digital forensic examiner. The client explained that the laptop — like all the machines in their office — was set up with full-disk encryption. That means that without the correct passphrase for decryption, the machine would be unusable. Without decryption, its data is gibberish. That was a relief.
We discussed details such as the strength of his password and the particular encryption product used. We were satisfied that even though the thief had the laptop, he would not obtain any of the data. Encryption prevented a massive data breach.
That still left us to consider the matter of motive and the possibility of other security compromises. Was that particular laptop targeted? Or was it merely an opportunistic theft of something light and valuable?
It seemed strange that only one item had been stolen, so we wanted to look at the bigger picture.
Our first thought was that the thief could have been another employee — someone with insider knowledge of the building and that particular laptop’s usage. More data breaches are caused by employees than by external hackers. However, the owner assured us that all employees were accounted for: The business was run exclusively by his family members, and they were together all weekend.
We examined the office and considered the likely order of events. The business consisted of a main reception area connected to three offices and a break room. The lock on the front door had been broken into with a crowbar or other brute-force instrument. The middle office door had also been broken into. Notably, that middle office had a standard doorknob, while the others had numerical keypad locks.
While there were plenty of valuable items in the main reception area, including an expensive printer/copier and various artwork, those items were heavy compared with a laptop. It seemed likely that the burglar broke in through the front door, scanned the room, identified the least-secure door, broke through it and grabbed the first valuable thing he saw: the laptop.
Whether the keypad locks offered any extra security or not, the perception of security was enough to keep the burglar out of those rooms.
We concluded that the break-in was likely opportunistic, not a targeted data theft. Even so, the owner wanted to verify that the main server — contained within one of the other offices — had not been accessed, because remote desktop connections were often used during business.
With a few clicks, Dylan copied the event logs from the server. He determined that the last time the server was accessed was during normal business on the Friday before the burglary. Nobody had been on the server.
In information security, it is much more common for everything to go wrong than to go right. This business’s practices give me hope for the future. Businesses that use encryption and a little physical security can keep a thief from stealing something far more important than a laptop.
Neal Custer is president of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc., and an adjunct professor at Boise State University. Written in collaboration with Dylan Evans, Reveal’s vice president of operations. This column appears in the Sept. 21-Oct. 18, 2016, edition of the Idaho Statesman’s Business Insider magazine.