Laptops: The Most Dangerous Tool on the Network

A March 24 article in the Wall Street Journal reported that laptops are the weakest link in data security.

This is a news flash?

Let's go out on a limb here and argue that laptops are the biggest issue in corporate network security in general.

Let's face it, laptops come and go as they please. They spend too little time on the network to ensure that they are patched and updated. Their owners have no notion of what sensitive data is or how it should be protected. Owners also have bad habits that can lead to unintentional, but disastrous, consequences.

You know what I'm talking about.

You know the guy who sits in his hotel room and engages in questionable activities on the Internet. He downloads images, games, music, videos or whatever, and unknowingly brings a virus or Trojan horse back inside the corporate firewall.

Then there's the employee who spends most of her time looking for the perfect stuffed animal, outfit or toy for her grandchild on various shopping sites. She clicks on a rogue link that takes her to a malicious site that downloads a keystroke logger on her machine.

What about the systems geek you sent to your data center in Belfast, Maine, last month? She always has the latest and greatest laptop because she can't hold onto it for more than 90 days. She puts it down in the airport and doesn't remember it until somewhere over Detroit. It's not such a big deal. There's no sensitive data on it... except the entire network's topology, including where the most sensitive servers reside, their IP addresses and what ports are open for business.

Yah, right. No big deal.

Lots of people think sensitive data stops at Social Security numbers or credit card account data. But in an age where buyouts, hostile takeovers and mergers are often a bigger part of a business' health than its actual business, sensitive data also can include information like customer demographics, internal documents, and real assets -- from cash on hand to the existing network infrastructure.

Piecing the intelligence together prior to making a bid or a move is essential in this day and age. And frequently the foot in the door is the laptop.

This isn't all spy vs. spy stuff either.

There are plenty of ways to compromise an unpatched system. There are multiple exploits to take advantage of Microsoft's Internet Explorer. There are applications out there designed to provide remote support and convenience, and sometimes the corporate office requires them.

Some remote desktop applications have the potential to be co-opted as a backdoor for someone looking to get information about your business. Sure, the junior executive vice president to the vice president needs someone who can log in remotely on his laptop to reset his password. Otherwise, he'd never get any work done.

But just maybe this isn't the way to do it.

Obviously, the problem with laptops is both behavioral and mechanical. We need to find a way to keep our laptops up-to-date with the most recent patches and service packs. We also need to figure out how to convince our employees to stop doing stupid things on company time, or at least with company assets.

The easy one is addressing mechanical vulnerabilities. Setting corporate laptops to auto-update, and to check for updates whenever they first recognize a network connection, are both good places to start.

Pushing out patches to applications is a little more difficult. One solution, though, is a quarantine process using VLANs on your router infrastructure. If a machine is off the network, and then rejoins the network, it gets scanned and "approved" before being given a routable address. If it doesn't pass muster, it gets put into a protected network area where it only displays a webpage that says to contact the network administrator.
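The admission decision behind that quarantine process, as an added example that is not from the original article. The VLAN numbers, thresholds and `Posture` fields are assumptions; the returned attributes are the RFC 3580 ones a RADIUS server uses to assign a switch port to a VLAN.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed values for illustration; substitute your own VLAN plan and policy.
PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 999          # reaches only the "contact the administrator" page
MAX_PATCH_AGE = timedelta(days=30)
MAX_SIGNATURE_AGE = timedelta(days=3)

@dataclass
class Posture:
    """What is known about a laptop at the moment it rejoins the network."""
    hostname: str
    rejoined_at: datetime            # when the link came up this time
    scanned_at: Optional[datetime]   # last completed scan, None if never
    last_patched: datetime           # most recent patch installation
    av_signatures: datetime          # date of the antivirus signature set
    scan_findings: tuple = ()        # malware names reported by the scan

def admit(p: Posture, now: datetime) -> dict:
    """Default-deny: any failed check sends the port to the quarantine VLAN."""
    reasons = []
    # A scan from before the laptop left proves nothing about what it picked up.
    if p.scanned_at is None or p.scanned_at < p.rejoined_at:
        reasons.append("no completed scan since rejoining")
    if now - p.last_patched > MAX_PATCH_AGE:
        reasons.append(f"patches {(now - p.last_patched).days} days old")
    if now - p.av_signatures > MAX_SIGNATURE_AGE:
        reasons.append("antivirus signatures stale")
    reasons += [f"scan finding: {name}" for name in p.scan_findings]

    vlan = QUARANTINE_VLAN if reasons else PRODUCTION_VLAN
    return {
        "host": p.hostname,
        "vlan": vlan,
        "reasons": reasons,          # keep these: they are the audit trail
        "radius": {                  # RFC 3580 dynamic VLAN assignment
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan),
        },
    }

if __name__ == "__main__":
    now = datetime(2024, 1, 15, 9, 0)   # constructed sample data
    stale = Posture("sales-07", datetime(2024, 1, 15, 8, 50), datetime(2024, 1, 15, 8, 52),
                    datetime(2023, 11, 1), datetime(2024, 1, 1), ("keystroke logger",))
    print(admit(stale, now))
```

Logging the `reasons` list for every quarantined machine gives the help desk something concrete to fix and builds a per-user history of repeat offenders.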

Hopefully, if your traveling marketing person has to explain too many times why he has spyware, malware, viruses, Trojans, and other nastiness on his system, he'll quit doing it. Or, you'll have sufficient documentation to chuck him out the door.

Frequently your employees don't know that what they've done is a bad idea.

Susie Shopper is just looking for a special gift, on her own time, while away from home. However, she needs to be aware of the risks she takes with critical data if she clicks on sketchy links in email messages from strangers. More than likely, she has personally identifiable information on the laptop, as well as company data. If she uses the quick cart function on any e-commerce site, for instance, she has her credit card number stored somewhere.

The risks are not in using the laptop for personal business, but in how the laptop is used.

Depending on corporate policy, personal use may or may not be okay with you. (If you have a corporate policy that states: "No personal business is to be conducted on corporate assets", give it up and write something practical. Otherwise, your CEO needs to be fired for calling to make reservations for her anniversary. But that's a discussion for another day.)

You deal with behavior through education. One example: anyone issued a laptop must go through a briefing -- no exceptions, no excuses. The briefing consists of reminding them that the world is a dangerous place, and they should always, always consider where they are going and how they get there. This holds true for the World Wide Web, as well. If you receive email from an unexpected source, don't click on the link and don't open the attachments.

This is the adult version of never take candy from strangers. How difficult can it be?

If you check out laptops to individuals who are traveling on company business, and then they are returned, it's a good idea to have an image of the standard setup and authorized applications. Each time a laptop returns, wipe the disk and install a fresh image. One consideration here -- you might want to back up the data on incoming drives so your CFO can have his accounting reports back on Monday morning when he realizes what he's done.

Now, all we have to figure out is how to handle that systems geek who needs to have his laptop chained to his waist.