With laptop theft now rising at astonishing rates, network managers need to
assure rock solid security around these less than traditional
endpoints..Otherwise, when a laptop gets snatched, corporate information
and network integrity can fly out the door.
In 2001, 591,000 laptops were lost to theft, of 53 percent more than the
year before. In contrast, only 15,000 got taken in 2001, or 6 percent less
than the previous year, according to statistics from SafeWare, a company
that specializes in computer insurance.
Why? Laptops are smaller and easier to lift than desktop PCs. “We have at
30 laptops that we loan out to faculty members and audiovisual assistants.
People can get forgetful – leaving the laptop around when they’re talking
with students, for example,” said Victor Aulestia of the University of
Maryland. Finally, the school used Absolute Software’s Computrace retrieval
system to nail down a duo of laptop thieves.
Moreover, laptops are more likely than desktop PCs to land in places
outside the confines of the corporate firewall. Laptops can be stolen not
just from the work site, but from customers’ offices, airports, out-of-town
trade shows, homes, cars, or wherever else your end users roam. Qualcomm
CEO Irwin Jacobs, for instance, was delivering a speech when his laptop
vanished right off the stage.
So what’s the impact on network security? In many senses, laptops are
“moving doors” to enterprise networks. Experts point to three main areas of
- Like home PCs and other remote end points, laptops contain corporate
data. Quite often, PC hard drives hold “company secrets” or other
- Laptops are outfitted with software and hardware for accessing enterprise
networks and e-mail systems. Many companies today use VPNs for remote
access, and lots of VPNs aren’t well secured. Wireless nets represent
another big threat.
- Laptops can act as viral breeding grounds. A virus introduced through a
laptop’s floppy drive, for instance, can later engulf an entire network.
Keys to the data kingdom
“One of the biggest concerns for network managers is data security.
Companies don’t want outsiders to get hold of their proprietary
information. Laptops often contain company data that users have downloaded
from servers over corporate nets,” noted Jay Parker, senior marketing
manager for Dell’s Platitude lineup.
Whether it’s been downloaded from servers, or not, corporate data can be as
a strong magnet for thieves. Whoever grabbed Jacobs’ laptop got access to
secret information, as well as financial statements and personal data such
as digitzed photos of Jacobs’ grandchildren.
In an even more telling case, a laptop containing highly classified federal
government information disappeared from the US State Department back in the
Officials of the department were called upon to explain their security
procedures to US Congress. The State Department offered a $25,000 reward
for return of the laptop, and punished six of its own employees.
“What kind of secrets could have been compromised? Everything from the
names of spies to electronic intercepts from spy satellites,” NBC News
reporter Andrea Mitchell told the nation, during a TV broadcast just after
the State Department incident.
VPN end points
For remote network access by laptops and other PCs, VPNs provide some
measure of security by encrypting data in the VPN tunnel. Many VPNs,
though, still authenticate users only through passwords – and that just
isn’t enough, experts say.
In one recent survey, Infonetics Research predicted that the percentage of
mobile workers using VPNs will rise from 30 percent in 2001 to 71 percent
in 2003. Among “telecommuters and day extenders,” on the other hand, the
proportion will increase from 23 percent to 68 percent over the same
period, according to the research.
In 2001, 72 percent of remote access VPN respondents were using NT login.
Only 42 percent were deploying digital certificates/PKI. Other
authentication methods included tokens (26 percent); shared secrets (17
percent); smart cards (17 percent); RADIUS (17 percent); and biometrics (3
By 2003, though, password reliance is expected to diminish, with the
numbers changing as follows: NT login (63 percent); digital
certificates/PKI (53 percent); tokens (31 percent); smart cards (23
percent); RADIUS (21 percent); shared secrets (15 percent); and biometrics
“Password protection can be too easy to break,” maintained Genelle Hung, a
market analyst at Radicati Group. One major telecom firm, for instance,
formerly used its own company name as the internal network password, Hung
Many end users jot down passwords on sticky notes, and attach them to their
PCs. Software for password “sniffing” is readily available on the Web.
Unless VPNs are better protected, a stolen laptop can become an easy (and
free) ticket for accessing the enterprise net.
Computer Web conferencing company PlaceWare issues laptops to most of its
employees. None of PlaceWare’s laptops have been stolen. Nonetheless,
PlaceWare turned to Sybase’s Mobile Anywhere Studio software, following the
internal outbreak of a new virus.
Typically, it’s hard to tell how a virus has made its way on to an
enterprise net. Laptops, though, can be a likely source. For one thing,
it’s just about impossible to manually distribute antivirus software,
updates, and security patches to all of the remote laptops a company owns.
Meanwhile, many laptops are only “occasionally connected,” a factor that
can interfere with conventional methods of electronic software
That’s why PlaceWare adopted the Sybase product, according to Alex Lubarov,
PlaceWare’s director of IT. “PlaceWare is in the business of hosting
customers’ conferences, but security starts with employees themselves.
About 75 percent of our fleet is laptops,” Lubarov said.
“We have multiple layers of protection. We realized, though, that our
antivirus software was not letting us plug in all the security holes. We
couldn’t keep FedExing out all this stuff to users for manual updates. In
order to prevent contamination, we had to ‘call up the reserves,'” he
Meant for remote management of laptops, desktops, and PocketPC and Palm
devices, Sybase’s product has given ManageWare the ability to presage
deployment of security updates. ManageWare is also using a feature that lets
the company “remove applications from people’s workstations if they’re out
of compliance with our list of authorized software,” Lubarov said.
Alternatively, if a laptops does happen to fall into the wrong hands, it
can be a simple matter for interlopers to inject a virus into an laptop,
unless the data is protected through encryption or other means.
Beyond locks & cables
Some companies facing laptop theft rely mainly on cables, locks, and alarm
systems. Fortunately, though, a wide range of other solutions are also
available. Thse include motion detection systems, for preventing laptop
theft; encryption products, for making data unreadable; and theft retrieval
programs, for getting stolen laptops back.
It’s easier, of course, to prevent theft in the first place than to hunt
down a laptop after it’s already been nabbed. Some alarm systems are making
life harder for would-be thieves by integrating motion detection
technology. Port, for example, sells a series of Defcon alarm units for
The Defcon units are mostly useful for desktop replacement machines. The
Defcon I is a standalone unit that attaches to the laptop’s security slot
through a special cable, equipped with sensors, plus a mounting clip. If
the loop surrounding the laptop is disconnected or cut, the alarm goes off.
The Defcon III is a similar product, except that you buy it as a briefcase.
On the other hand, the TrackIT Portable Anti-Theft System is suitable to
end users-on-the-go. The system is made up of two separate units, which
communicate with each other through RF wireless. One unit is carried by the
user, whereas the other is contained in the laptop case. If the two units
get separated beyond a predefined distance, an alarm will go off on each
unit. Pricing is about $59.
Another device, Caveo Anti-Theft, adds encryption to the motion detection
alarm equation. If the user doesn’t know the code for stopping the audible
alarm, Cavio will disable the PC and encrypt all data. Caveo’s product
sells for $99.
Encryption products are designed to make data unreadable to unintended
eyes. There are two basic types of encryption software: disk encryption,
which scrambles the whole hard drive; and file encryption, used for
encrypting only e-mail or specified files.
Microsoft’s Windows 2000 and XP come with the Encrypting File System (EFS)
protocol directly built-in. Third-party vendors of encryption software
include McAfee Corp., PC Guardian, and Curtis Computer Products, which
sells Data Defender.
Vendors, though, are taking hardware approaches, too. Future editions of
IBM ThinkPad, for example, will also come with built-in encryption. “Our
encryption will be done above the bios level, but below the OS level,” said
Ronald P. Sperano, program director, Mobile Market Development, in IBM’s
Personal Systems Group.
“The mobile client is an extremely important part of the overall security
solution,” according to Sperano. Through IBM’s ThinkVantage program,
several other new security technologies for laptop PCs are now in the
works, as well.
Interesting new products are also coming to market on the hardware device
side. The new SecuriKey Personal Version. for example, is essentially a
hardware “key” with an encryption chip. The key — which is small enough to
slip into a pocket, or to wear on a key ring — pops into the PC’s USB
port. If the key is pulled out, all data becomes instantly encrypted.
SecuriKey includes two keys in each package, just in case the user loses a
key. Password protection is optionally available.
Personal Version is geared to the sort of ease of use that mobile workers
need, according to Bennett Griffin, SecuriKey’s president and CEO.
SecuriKey, though, also produces an Enterprise Version, for central
administration by network managers or other IT staff with the use of PKI
certificates. Users of the Enterprise Edition range from a VA Medical
Center in Colorado to the Episcopal Diocese of New York.
Theft retrieval programs generally revolve around stealth software, which
is loaded on to both the laptop and a remote server operated by a
monitoring service. When connected to a phone line or a network, the PC
automatically broadcasts its phone number or IP address.
Both of the University of Maryland’s thieves got caught after plugging into
the Internet. As things turned out, one of the crooks attended the
university, while the other was a student at another school. “Since then,
word has gotten out that we’re using Computrace, and we haven’t had any
further problems,” according to Aulestia, who is director of instructional
technology at the state university.
“Network security isn’t just a matter of protecting against viruses and
hackers. It’s also a matter of keeping people from stealing your
equipment,” Aulestia insisted.
Aside from Computrace, theft retrieval programs include Lucira
Technologies’ Secure PC; Cyber Angel from Computer Sentry Software; Homing
Pigeon from ZeaSoft; and Stealth Signal, from the company of the same name.
Stealth Signal is noteworthy for its support of Apple’s Macintosh OS.