Laptops: The Most Dangerous Tool on the Network
eSecurityPlanet Columnist Linda LeBlanc says laptops are the biggest issue in corporate network security. There are ways to lessen the danger, though.
This is a news flash?
Let's go out on a limb here and argue that laptops are the biggest issue in corporate network security in general.
Let's face it, laptops come and go as they please. They spend too little time on the network to ensure that they are patched and updated. Their owners have no notion of what sensitive data is or how it should be protected. Owners also have bad habits that can lead to unintentional, but disastrous, consequences.
You know the guy who sits in his hotel room and engages in questionable activities on the Internet. He downloads images, games, music, videos or whatever, and unknowingly brings a virus or Trojan horse back inside the corporate firewall.
Then there's the employee who spends most of her time looking for the perfect stuffed animal, outfit or toy for her grandchild on various shopping sites. She clicks on a rogue link that takes her to a malicious site that downloads a keystroke logger on her machine.
What about the systems geek you sent to your data center in Belfast, Maine last month. She always has the latest and greatest laptop because she can't hold onto it for more than 90 days. She puts it down in the airport and doesn't remember it until somewhere over Detroit. It's not such a big deal. There's no sensitive data on it... except the entire network's topology, including where the most sensitive servers reside, their IP addresses and what ports are open for business.
Yah, right. No big deal.
Lots of people think sensitive data stops at Social Security numbers or credit card account data. But in an age where buyouts, hostile takeovers and mergers are often a bigger part of a business' health than its actual business, sensitive data also can include information like customer demographics, internal documents, and real assets -- from cash on hand to the existing network infrastructure.
Piecing the intelligence together prior to making a bid or a move is essential in this day and age. And frequently the foot in the door is the laptop.
This isn't all spy vs. spy stuff either.
There are plenty of ways to compromise an unpatched system. There are multiple exploits to take advantage of Microsoft's Internet Explorer. There are applications out there designed to provide remote support and convenience, and some times the corporate office requires them.
Some remote desktop applications have the potential to be co-opted as a backdoor for someone looking to get information about your business. Sure, the junior executive vice president to the vice president needs someone who can log in remotely on his laptop to reset his password. Otherwise, he'd never get any work done.
But just maybe this isn't the way to do it.
Obviously, the problem with laptops is both behavioral and mechanical. We need to find a way to keep our laptops up-to-date with the most recent patches and service packs. We also need to figure out how to convince our employees to stop doing stupid things on company time, or at least with company assets.
The easy one is addressing mechanical vulnerabilities. Setting corporate laptops to auto-update, and to check for updates whenever it first recognizes a network connection, are both good places to start.
Pushing out patches to applications is a little more difficult. One solution, though, is a quarantine process using vlans on your router infrastructure. If a machine is off the network, and then rejoins the network, it gets scanned and ''approved'' before being given a routable address. If it doesn't pass muster, it gets put into a protected network area where it only displays a webpage that says contact the network administrator.
Hopefully, if your traveling marketing person has to explain too many times why he has spyware, malware, viruses, Trojans, and other nastiness on his system, he'll quit doing it. Or, you'll have sufficient documentation to chuck him out the door.
Frequently your employees don't know that what they've done is a bad idea.
Susie Shopper is just looking for a special gift, on her own time, while away from home. However, she needs to be aware of the risks she takes with critical data if she clicks on sketchy links in email messages from strangers. More than likely, she has personally identifiable information on the laptop, as well as company data. If she uses the quick cart function on any e-commerce site, for instance, she has her credit card number stored somewhere.
The risks are not in using the laptop for personal business, but how the laptop is used.
Depending on corporate policy, personal use may or may not be okay with you. (If you have a corporate policy that states: No personal business is to be conducted on corporate assets'', give it up and write something practical. Otherwise, your CEO needs to be fired for calling to make reservations for her anniversary. But that's a discussion for another day.)
You deal with behavior through education. One example would be anyone issued a laptop, must go through a briefing -- no exceptions, no excuses. The briefing consists of reminding them that the world is a dangerous place, and they should always, always consider where they are going and how they get there. This holds true for the World Wide Web, as well. If you receive email from an unexpected source, don't click on the link and don't open the attachments.
This is the adult version of never take candy from strangers. How difficult can it be?
If you check out laptops to individuals who are traveling on company business, and then they are returned, it's a good idea to have an image of the standard setup and authorized applications. Each time a laptop returns, wipe the disk and install a fresh image. One consideration here -- you might want to back up the data on incoming drives so your CFO can have his accounting reports back on Monday morning when he realizes what he's done.
Now, all we have to figure out is how to handle that systems geek who needs to have his laptop chained to his waist.