Laptops: Is Your Network's Integrity Flying Out the Door?
When a laptop flies out the door, so can your network integrity. Jacqueline Emigh explains how companies are securing their most vulnerable endpoints.
With laptop theft now rising at astonishing rates, network managers need to ensure rock-solid security around these less-than-traditional endpoints. Otherwise, when a laptop gets snatched, corporate information and network integrity can fly out the door.
In 2001, 591,000 laptops were lost to theft, or 53 percent more than the year before. In contrast, only 15,000 desktop PCs got taken in 2001, or 6 percent less than the previous year, according to statistics from SafeWare, a company that specializes in computer insurance.
Why? Laptops are smaller and easier to lift than desktop PCs. "We have at 30 laptops that we loan out to faculty members and audiovisual assistants. People can get forgetful - leaving the laptop around when they're talking with students, for example," said Victor Aulestia of the University of Maryland. Finally, the school used Absolute Software's Computrace retrieval system to nail down a duo of laptop thieves.
Moreover, laptops are more likely than desktop PCs to land in places outside the confines of the corporate firewall. Laptops can be stolen not just from the work site, but from customers' offices, airports, out-of-town trade shows, homes, cars, or wherever else your end users roam. Qualcomm CEO Irwin Jacobs, for instance, was delivering a speech when his laptop vanished right off the stage.
So what's the impact on network security? In many senses, laptops are "moving doors" to enterprise networks. Experts point to three main areas of concern.
- Like home PCs and other remote end points, laptops contain corporate data. Quite often, PC hard drives hold "company secrets" or other proprietary information.
- Laptops are outfitted with software and hardware for accessing enterprise networks and e-mail systems. Many companies today use VPNs for remote access, and lots of VPNs aren't well secured. Wireless nets represent another big threat.
- Laptops can act as viral breeding grounds. A virus introduced through a laptop's floppy drive, for instance, can later engulf an entire network.
Keys to the data kingdom
"One of the biggest concerns for network managers is data security. Companies don't want outsiders to get hold of their proprietary information. Laptops often contain company data that users have downloaded from servers over corporate nets," noted Jay Parker, senior marketing manager for Dell's Platitude lineup.
Whether it's been downloaded from servers, or not, corporate data can be as a strong magnet for thieves. Whoever grabbed Jacobs' laptop got access to secret information, as well as financial statements and personal data such as digitzed photos of Jacobs' grandchildren.
In an even more telling case, a laptop containing highly classified federal government information disappeared from the US State Department back in the year 2000.
Officials of the department were called upon to explain their security procedures to the US Congress. The State Department offered a $25,000 reward for return of the laptop, and punished six of its own employees.
"What kind of secrets could have been compromised? Everything from the names of spies to electronic intercepts from spy satellites," NBC News reporter Andrea Mitchell told the nation, during a TV broadcast just after the State Department incident.
VPN end points
For remote network access by laptops and other PCs, VPNs provide some measure of security by encrypting data in the VPN tunnel. Many VPNs, though, still authenticate users only through passwords - and that just isn't enough, experts say.
In one recent survey, Infonetics Research predicted that the percentage of mobile workers using VPNs will rise from 30 percent in 2001 to 71 percent in 2003. Among "telecommuters and day extenders," on the other hand, the proportion will increase from 23 percent to 68 percent over the same period, according to the research.
In 2001, 72 percent of remote access VPN respondents were using NT login. Only 42 percent were deploying digital certificates/PKI. Other authentication methods included tokens (26 percent); shared secrets (17 percent); smart cards (17 percent); RADIUS (17 percent); and biometrics (3 percent).
By 2003, though, password reliance is expected to diminish, with the numbers changing as follows: NT login (63 percent); digital certificates/PKI (53 percent); tokens (31 percent); smart cards (23 percent); RADIUS (21 percent); shared secrets (15 percent); and biometrics (10 percent).
"Password protection can be too easy to break," maintained Genelle Hung, a market analyst at Radicati Group. One major telecom firm, for instance, formerly used its own company name as the internal network password, Hung pointed out.
Many end users jot down passwords on sticky notes, and attach them to their PCs. Software for password "sniffing" is readily available on the Web.
Unless VPNs are better protected, a stolen laptop can become an easy (and free) ticket for accessing the enterprise net.
Computer Web conferencing company PlaceWare issues laptops to most of its employees. None of PlaceWare's laptops have been stolen. Nonetheless, PlaceWare turned to Sybase's Mobile Anywhere Studio software, following the internal outbreak of a new virus.
Typically, it's hard to tell how a virus has made its way onto an enterprise net. Laptops, though, can be a likely source. For one thing, it's just about impossible to manually distribute antivirus software, updates, and security patches to all of the remote laptops a company owns.
Meanwhile, many laptops are only "occasionally connected," a factor that can interfere with conventional methods of electronic software distribution.
That's why PlaceWare adopted the Sybase product, according to Alex Lubarov, PlaceWare's director of IT. "PlaceWare is in the business of hosting customers' conferences, but security starts with employees themselves. About 75 percent of our fleet is laptops," Lubarov said.
"We have multiple layers of protection. We realized, though, that our antivirus software was not letting us plug in all the security holes. We couldn't keep FedExing out all this stuff to users for manual updates. In order to prevent contamination, we had to 'call up the reserves,'" he contended.
Meant for remote management of laptops, desktops, and PocketPC and Palm devices, Sybase's product has given PlaceWare the ability to presage deployment of security updates. PlaceWare is also using a feature that lets the company "remove applications from people's workstations if they're out of compliance with our list of authorized software," Lubarov said.
Alternatively, if a laptop does happen to fall into the wrong hands, it can be a simple matter for interlopers to inject a virus into the laptop, unless the data is protected through encryption or other means.
Beyond locks & cables
Some companies facing laptop theft rely mainly on cables, locks, and alarm systems. Fortunately, though, a wide range of other solutions are also available. These include motion detection systems, for preventing laptop theft; encryption products, for making data unreadable; and theft retrieval programs, for getting stolen laptops back.
It's easier, of course, to prevent theft in the first place than to hunt down a laptop after it's already been nabbed. Some alarm systems are making life harder for would-be thieves by integrating motion detection technology. Port, for example, sells a series of Defcon alarm units for laptops.
The Defcon units are mostly useful for desktop replacement machines. The Defcon I is a standalone unit that attaches to the laptop's security slot through a special cable, equipped with sensors, plus a mounting clip. If the loop surrounding the laptop is disconnected or cut, the alarm goes off. The Defcon III is a similar product, except that you buy it as a briefcase.
On the other hand, the TrackIT Portable Anti-Theft System is suitable for end users on the go. The system is made up of two separate units, which communicate with each other through RF wireless. One unit is carried by the user, whereas the other is contained in the laptop case. If the two units get separated beyond a predefined distance, an alarm will go off on each unit. Pricing is about $59.
Another device, Caveo Anti-Theft, adds encryption to the motion detection alarm equation. If the user doesn't know the code for stopping the audible alarm, Caveo will disable the PC and encrypt all data. Caveo's product sells for $99.
Encryption products are designed to make data unreadable to unintended eyes. There are two basic types of encryption software: disk encryption, which scrambles the whole hard drive; and file encryption, used for encrypting only e-mail or specified files.
Microsoft's Windows 2000 and XP come with the Encrypting File System (EFS) built in. Third-party vendors of encryption software include McAfee Corp., PC Guardian, and Curtis Computer Products, which sells Data Defender.
Vendors, though, are taking hardware approaches, too. Future editions of IBM ThinkPad, for example, will also come with built-in encryption. "Our encryption will be done above the BIOS level, but below the OS level," said Ronald P. Sperano, program director, Mobile Market Development, in IBM's Personal Systems Group.
"The mobile client is an extremely important part of the overall security solution," according to Sperano. Through IBM's ThinkVantage program, several other new security technologies for laptop PCs are now in the works, as well.
Interesting new products are also coming to market on the hardware device side. The new SecuriKey Personal Version, for example, is essentially a hardware "key" with an encryption chip. The key -- which is small enough to slip into a pocket, or to wear on a key ring -- pops into the PC's USB port. If the key is pulled out, all data becomes instantly encrypted. SecuriKey includes two keys in each package, just in case the user loses a key. Password protection is optionally available.
Personal Version is geared to the sort of ease of use that mobile workers need, according to Bennett Griffin, SecuriKey's president and CEO. SecuriKey, though, also produces an Enterprise Version, for central administration by network managers or other IT staff with the use of PKI certificates. Users of the Enterprise Edition range from a VA Medical Center in Colorado to the Episcopal Diocese of New York.
Theft retrieval programs generally revolve around stealth software, which is loaded onto both the laptop and a remote server operated by a monitoring service. When connected to a phone line or a network, the PC automatically broadcasts its phone number or IP address.
Both of the University of Maryland's thieves got caught after plugging into the Internet. As things turned out, one of the crooks attended the university, while the other was a student at another school. "Since then, word has gotten out that we're using Computrace, and we haven't had any further problems," according to Aulestia, who is director of instructional technology at the state university.
"Network security isn't just a matter of protecting against viruses and hackers. It's also a matter of keeping people from stealing your equipment," Aulestia insisted.
Aside from Computrace, theft retrieval programs include Lucira Technologies' Secure PC; Cyber Angel from Computer Sentry Software; Homing Pigeon from ZeaSoft; and Stealth Signal, from the company of the same name. Stealth Signal is noteworthy for its support of Apple's Macintosh OS.