Mobile menaces

Notebooks are becoming vessels for corporate data as the desire for mobile workforces in the Middle East grows at pace. However, unlike a network or desktop, such devices can easily escape a CIO’s watchful eye. However, there are measures IT managers can take to ensure mobile devices remain secure.

  • E-Mail
By  Alicia Buller Published  August 1, 2004

|~|mobile-security200.jpg|~|Mobile technology, as useful as it is, is subject to multiple threats|~|The mobile revolution is upon us. Laptops are flying off the shelves and notebook sales in the Middle East experienced 40% growth in Q1 2004 compared to the same period in 2003. Furthermore, global Wi-fi hotspots are tipped to triple to 30 million by the end of 2004. Increasingly, evidence suggests that users want to work where and when they want, taking advantage of the 33% increase in productivity that Gartner Group believes mobile computing affords. But while notebooks add flexibility to working lives, they also add vulnerabilities. The very same features that have made laptops increasingly popular — small size, light weight and mobility — also make notebooks easier to steal. In addition to the physical issues surrounding mobile technology, there’s also the risk of connecting to unsecure wireless networks. “Wireless and security are two words that should go hand-in-hand. Once you go wireless anybody can connect to you physically. [Unprotected laptops] can see each other and talk to each other. Wireless networks require extended, layered security measures,” says Samih Farid, regional personal computer division manager at IBM. On top of physical and network threats, there’s also the risk that the owners of mobile technology pose to corporate security as humans can often be the weakest link in the security chain. Vigorous corporate security policies need to be put in place so users are aware of the dangers of leaving a laptop unattended, while they also need to be warned about not updating virus patches, for instance. “The biggest security threat today is remote users. With a growing number of users logging into corporate networks from home, the malicious code and spyware that viruses leave behind on unprotected systems are proving to be a major headache for companies,” says Mosen Malaki, programme manager of communications at IDC, CEMA. “Workers who log into corporate networks from home or other remote locations often do not have the same defences [as corporate desktops] and are increasingly vulnerable to having their systems infected by viruses and hackers,” he adds. To ward off the long list of mobile security risks, companies need to get smart on their security policies by introducing different layers of protection to fend off the multi-faceted threat. The good news is that there’s plenty of products and services on the local market targeted at this growing concern. With care, it’s possible to combine these to gain a level of security that’s synonymous with that of a well-maintained corporate network. Firstly, any notebook that is left unattended should be secured with a strong lock, such as the industry-standard Kensington Universal Notebook Security Cable (US$44). “An unsecured notebook can be very easily carried off while the owner is distracted. To prevent this, notebooks should be physically locked down by means of steel locks if they are going to be left at any time, including in car boots and users’ homes,” says Farid. “Locks should be included with every notebook issued to staff,” he advises.||**|||~|sunilsunil200.jpg|~|Sunil Kumar, IT manager at the Ritz Carlton|~|Other devices aimed at deterring and alerting theft incidents include ‘asset tags’ from Dell. The vendor stamps its notebooks with user details and if this tag is removed it reads ‘stolen property’. “No one wants to buy a laptop that is obviously stolen. The tags are very hard to remove, you’d need to go to a official vendor-approved tag-remover,” says Andrew Nicholson, client product manager for notebooks at Dell, UK. The vendor also offers an intrusion alert with its notebooks that tells users and systems administrator immediately if individual computer components are removed. Theft is not the only physical threat associated with notebooks. In addition, there’s also the added knocks that come with lugging mobile technology around, plus the change in temperature that a laptop is exposed to when on the move. Notebooks from IBM include a range of features specifically targeted at counteracting the extreme working conditions of mobile computing. Made out of titanium, the laptops can stand extreme heat and pressure, plus they have a built-in anti-shock system that detects when the laptop is in freefall and releases a type of internal ‘airbag’ device prior to impact. And it’s not just the physical laptop unit that is danger-prone, it’s also the data held inside. So the latest IBM laptops also include a hard-drive that’s suspended on springs so that it doesn’t get sabotaged in the event of a fall. If, in spite of all precautions, a notebook is stolen then there are many levels of protection available that can ensure an unauthorised user doesn’t gain access to sensitive company data. “Effective security requires a multi-layered and determined approach,” says Farid. “A company’s data is one of its most valuable assets, but handcuffing a notebook PC to the owner is not a realistic measure in assuring that the data stays confidential. Instead, a notebook must be set up to require specific user identity and password verification before it becomes usable,” he adds. But gone are the days when just having a password system was enough to keep a company safe. Without having a strictly-enforced password policy, staff can default to using simple passwords such as spouse’s names or other easily guessed words. Most new notebooks from the major vendors can only be powered-up with a special basic input output system (BIOS) boot password. This function is usually activated in the notebook’s BIOS by an option called Set Power-On password. Many BIOS’ also allow users to add an extra password to prevent access to the BIOS setup menu. This feature is the absolute minimum security a notebook should have, but the most it will do to deter a thief is hold them up for a while. Fortunately, Dell, IBM and HP are just some of the vendors that offer new smart card technology to render password-cracking virtually impossible. The smart card is a key that has to be inserted into the laptop and activated with a password to turn it on. This double layer of security is particularly effective in deterring thieves as the criminal would have to have knowledge of the passwords and access to the smart card, as well as the laptop. Dell is one of the first vendors in the Middle East to offer integrated smartcard technology with its laptops, a concept that brings down security costs. “Our D-Family notebooks 400, 600 and 900 now come equipped with integrated smart card readers. This two-factor authentication is essential to protect company data. BIOS passwords are rarely enough to prevent unauthorised access to systems,” says Nicholson at Dell. HP also offers add-on security features for its notebooks. HP ProtectTools include smart cards and high-level integrated security chips that create unique encryption keys (random numbers) and store them in silicon, making it tough to crack open the data. IBM, along with HP and others, also offers biometric smartcard technology as an add-on. Biometric smart card readers require a user’s fingerprint to boot up the system, creating yet another barrier for the opportunistic thief. “Biometric cards are a safe bet and they’re not as expensive as you might think — the HP Iris 2005 is only US$25 more expensive than the standard smart card,” says Vishnu Taimni, product manager for notebooks and pocket PCs at HP Middle East. Once a company has protected the physical data on its laptops, it also needs protect itself against the threat that home users connecting remotely to the corporate network can pose. The first point to consider is access control. “The problem is that when people take their laptops away from the office and log on from elsewhere, they are no longer connected to the corporate LAN and may not be getting all the security updates. How do you ensure that people coming back from a holiday after two weeks have updated their anti-virus patches or kept in line with the company’s security policy?” asks Simon Denman, EMEA product marketing manager for OfficeScan at Trend Micro. To address this problem, Trend Micro’s OfficeScan offering provides network admission control functionality. The vendor has embedded a Cisco trust agent into its software that communicates with a Cisco router when a user device attempts to access the network. “The whole idea behind this is that no PC will be able to get access unless it’s up to date with the company’s security guidelines and antivirus patches. This idea of ‘policy enforcement’ is gaining ground in the market,” says Denman. “Networks worms, such as Sasser, have been causing havoc recently. Unlike traditional viruses that tend to require some interaction to be activated, the new network viruses exploit vulnerabilities in the browser software or network, which means they can propagate automatically… It’s a typical scenario — someone comes back into the office and his PC is vulnerable and it creates a entry-point in the company for the virus,” he adds. In addition to ensuring only protected devices can access the network, a company also needs to deploy an industry-standard firewall on its devices to protect against viruses and intruders. Increasingly vendors are attempting to integrate the bulk of essential security technologies into one. “Mobile users need to have the corporate security policy enforced upon them,” says Ahmed Etman, technical manager for the South Gulf, ISS. It is also essential to deploy at least 128-bit encryption tools to ensure that data can’t be accessed in transmission between the home user and the corporate network. Encryption technology scrambles data so that even if a hacker manages to access company information it will be useless and illegible. The main way to ensure this is to deploy a virtual private network (VPN). “Once authorised for access, a connection should be established through a VPN to ensure complete privacy of the data exchange,” says Farid. “The security of the connection can be guaranteed through the correct use of the right standards, such as the 802.1x wireless security protocol and wireless LEAP (light enhanced protocol). Most 801.11 devices sold today include 64-bit or 128-bit wired equivalent privacy (WEP) encryption capabilities. WEP encryption has the equivalent level of privacy that is ordinarily present in a wired local area network (LAN),” he adds. One regional organisation that doesn’t compromise on security is the Ritz-Carlton Bahrain Hotel & Spa. Earlier this year, the hotel successfully completed a large-scale wireless implementation and deployed ample security measures. “Security is so important. It’s essential for business travellers so that they’re confident that no one can read the company information they send out,” says Sunil Kumar, the Bahraini hotel’s IT manager. “Customers are always asking us how secure we are and do we have a firewall in place, for example,” he adds. The hotel now boasts wireless access in its lobby, business centre and executive club lounge, in addition to wired internet access in every room. The Ritz-Carlton’s network hardware was provided and implemented by Bahrain’s Almoayyed Data Group. Its software was implemented by Intertouch, a specialist hotel communications company based in Australia. “Intertouch provides us with a basic local server for basic connectivity, but all authentication of users and information is first passed through the Intertouch-hosted wireless area network (WAN) server in Malaysia. This makes the network very secure,” says Kumar. The hotel has also deployed a custom-made secure firewall from Intertouch to help protect its customer’s assets. In addition, it has deployed Cisco network switches so that computers within the hotel can’t communicate with each other unless access is approved — this applies to room-to-room or wireless-to-wireless. Wireless access costs US$19 for two hours and US$40 for 12 hours. Another security precaution Kumar has taken is to implement a disposable scratch-card access scheme for wireless connection in the hotel, this means that even the hotel has no knowledge of the user’s password — and if the card is lost then access is immediately cancelled. This is more secure than the hotel handing out its own passwords to users. As comforting as all this new technology is, it has to be remembered that technology is never effective without the correct processes housed around it. A company needs to educate its staff on the importance of complying with security procedures. An organisation can have all the passwords in the world but if the employees tell each other what they are, for example, then the technology will let the company down. “A company should create its own information security policy based on its needs, then it should initiate a gap analysis programme with an external security consulting group to realise the technology and processes it needs to put in place to bridge the gap,” says ISS’ Etman. “Central management should clearly designate security responsibilities and privileges to select staff and put in place penalty measures for abusing the security policy. For any policy to be effective, it must be enforced,” he adds. Notebooks are increasingly being used as the main carriers of corporate information because their performance can now match that of desktops. In light of this, Etman believes technology alone is not enough to ward off the many veiled threats currently facing mobile technology. “Everybody is subject to misusing technology, so security awareness and education is important. Security is reliant on three major factors: technology, people and processes. If you don’t meet the security standards and best practices in all three axis then you won’t succeed,” advises Etman. ||**||

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code