
Reining in the Laptop
Close to 57% of corporate crimes are linked to laptop loss. Enterprises, therefore, need to wake up to the need to protect information that resides in laptops
Shipra Malhotra
Saturday, May 10, 2008


Gene Spafford, professor of Computer Science at Purdue University and leading computer security expert, once said, “The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards.” Laptops, by virtue of their nature, i.e., mobility, are the other extreme. And, therefore, they are more susceptible to security threats: theft, damage, hacking, or data leakage.

No surprise then that a large number of corporate crimes and data loss incidents are being linked to laptops. As per industry sources, almost 57% of corporate crimes are ultimately linked to stolen laptops, used either to steal data stored on the computer (via the laptop's own modem settings) or to break into secure servers where hackers can steal, alter, or destroy business-critical data.

As per the Gartner group, when the cost of lost productivity and replacement of data, software, and hardware are considered, the typical loss for a stolen notebook is $6,285. However, the average loss rises to $61,881 when the value of the information on the laptop is included, as pointed out by the Computer Security Institute (CSI)/FBI Computer Crime and Security Survey.

Safeware Insurance, which sells insurance protection against computer theft and other damages, reports that more than 600,000 laptop thefts occurred in 2004, totaling an estimated $720 mn in hardware losses and $5.4 bn in theft of proprietary information. With the ever-growing mobile workforce and a sizeable chunk of the corporate data residing in laptops, the loss of data residing in the laptop is a factor overriding physical loss.

According to Dhiren Savla, CIO, Kuoni Travels, “In the current scenario, most of the business-critical data is stored on computers, more so in the case of the senior management.” As a result, the cost of the laptop is insignificant when compared to the data/IP residing within it.

For Rana Gupta, director, SafeNet, besides IP and valuable business information, there is a lot of day-to-day work residing in the laptop. Loss of information like emails, contacts, etc. will also mean loss of productivity. According to Sunil Chandna, CEO, Stellar Information Systems, when on the move there is a lot of dynamic data that gets generated and stored on the laptop, which, if lost, would not be available back on the enterprise network.

“With an increasing number of executives using laptops, there is a higher risk of data leakage. Considering the latent value of information for companies, it's critical to provide adequate security for all data that is mobile,” explains Arun Gupta, Group CTO, Shopper's Stop.

With the quantum of impact expected to grow manifold in the coming years, CIOs are waking up to the big bad world outside the relatively secure confines of their office network that the laptop opens the door to. While they can't avoid it, they certainly can brace for the reality with measures that can help mitigate security-related risks.

Laptop vs Desktop
So, is the laptop inherently more prone to security issues than the desktop? SK Srinivasan, president, SKS Consulting, points out that since the laptop is essentially a client-level gadget that facilitates connectivity to and usage of an enterprise network, all the risks relating to workstations/PCs are also relevant to it. On top of these common risk factors come the additional risks that arise owing to its mobility.

Usage outside the office environment poses a greater security risk, as employees spend more time with the laptop, and often not inside the office environment. The concern also stems from the fact that a notebook can easily fall into unauthorized hands, putting confidential data at risk. According to Jayant Saran, manager, KPMG, Forensic, laptops allow for increased security threats for organizations in multiple ways. “Access from home over open Internet lines, accessing unsecured wireless networks where firewalls may be compromised, downloading of malware, physical theft, and loss of the laptop could affect data security for enterprises,” he explains.

Security Issues
The security issues can be broadly categorized into three: the device (laptop), the data within, and the element of trojans/viruses/worms, etc. that can infect a laptop that has accessed an unsecured network.

Unlike desktops, laptops are more vulnerable and are easy to steal. According to CSI/FBI, laptop theft is one of the top three computer crimes along with viruses and hacking. This is further compounded by the loss of data, leading to breach of data confidentiality. Laptop theft is the main data breach cause, according to Symantec and the Ponemon Institute.

The largest number of laptop losses occur while traveling, especially owing to the inability to distinguish between two laptops in a mêlée.

Among the other device-related risks, Chandna points out that as they're frequently on the move, laptops are more prone to physical damage by falling and breaking or damage owing to weather conditions like humidity.

The next level of security breach arises from the threat of unauthorized access, both intentional and unintentional. It is easy for the employee or anyone else to access the data outside the office where many activities are not easy to track. According to Anurag Arora, country manager, Business Notebooks, PSG, HP India, organizations typically use similar-looking notebooks to ensure no divisions creep up among users based on the design ID of the notebook. This can potentially lead to easy attempts for unauthorized access, especially when different levels of access are shared.

Arora further points out instances of unauthorized users transferring or removing the data as a security threat. Dumping the data on an external storage device or a floppy is difficult to track without expert help. “At a very basic level, it is very easy to access information stored within a laptop. In case the data is not encrypted and a laptop is stolen, it is fairly easy to access all the information sitting on the machine,” points out Saran.

There is a growing number of malicious code attacks trying to use mobile devices, including laptops, as carriers, and the threat of information leakage through them. These devices can be used to copy and print sensitive company data without authorization and/or load and execute unauthorized software that contains executable code containing viruses, trojans, etc. that can create havoc on the company's network.

Additionally, thanks to its mobility factor, there are the additional wireless connectivity risks including Bluetooth and unsecured WLAN connection, thereby exposing the laptop and the data within to potential risk. According to Rana Gupta of SafeNet, one can have Bluetooth devices that can connect to the laptop through the Bluetooth ports for a malicious attack. Even smart phones, which have the capability to download stuff from the Internet and have Bluetooth, can also be a threat.

“For connecting to the Internet, enterprises should encourage their on-the-move employees to connect via the corporate network instead of an ISP”

-Alok Gupta, director, Unistal Systems

“Organizations typically use similar-looking notebooks to ensure no divisions creep up among users based on the design ID. This can potentially lead to easy attempts for unauthorized access”

-Anurag Arora, country manager, Business Notebooks, PSG, HP India

Accessing an unsecured network is a sure shot way of inviting worms, viruses, malware, trojans, phishing attacks, etc. While the same is true for a desktop as well, the difference is that the chances of access to an unsecured network are more in case of a wireless network. As Hilal Khan, CIO, Honda Siel, points out, “The nature of the attacks remains the same, but these threats are more prone in a laptop.” The reason for this is that within office premises, the device sits behind a high level of security and is constantly governed and monitored by the enterprise network. Once the device moves out of office premises, the same level of security is not always maintained.

As Radhakrishna Pillai, CIO, IT, SRL Ranbaxy, points out, if the laptop has been given remote access to corporate networks, then a stolen or lost laptop, or an unauthorized person getting access to the laptop, can easily lead to access to the corporate network.

Disposal of HDD without comprehensive cleaning is a security hazard not many are aware of. “Most users believe that their data is deleted when a hard drive is formatted and/or initialized. In fact, formatting the hard drive merely creates a new blank indexing scheme for the operating system making all the sectors available for the writing of new files, leaving the existing data intact,” explains Arora.
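The point about formatting can be shown with a toy disk model. The following is an added example, not part of the original article; the `ToyDisk` class, the sector size, and the file contents are all constructed for illustration and do not model any real file system.

```python
"""Toy disk model: why a quick format leaves data behind (constructed example)."""
SECTOR = 32  # bytes per sector in this toy model (assumption)

class ToyDisk:
    def __init__(self, sectors=8):
        self.raw = bytearray(SECTOR * sectors)  # raw sector contents
        self.index = {}                         # filename -> (first sector, length)
        self.next_free = 0

    def write_file(self, name, data):
        start = self.next_free
        if start * SECTOR + len(data) > len(self.raw):
            raise ValueError("toy disk is full")
        self.raw[start * SECTOR:start * SECTOR + len(data)] = data
        self.index[name] = (start, len(data))
        self.next_free += -(-len(data) // SECTOR)  # ceiling division: sectors used

    def quick_format(self):
        """Create a new blank index; sectors are marked free but not rewritten."""
        self.index = {}
        self.next_free = 0

    def sanitize(self):
        """Overwrite every sector with zeros, then reset the index."""
        self.raw[:] = bytes(len(self.raw))
        self.quick_format()

    def list_files(self):
        return sorted(self.index)

    def residual_sectors(self):
        """Sector numbers that still hold non-zero bytes, ignoring the index."""
        return [i for i in range(len(self.raw) // SECTOR)
                if any(self.raw[i * SECTOR:(i + 1) * SECTOR])]

def disposal_check(disk):
    """True only if no file entries and no leftover bytes remain on the disk."""
    return not disk.list_files() and not disk.residual_sectors()

def demo():
    disk = ToyDisk()
    disk.write_file("payroll.csv", b"name,salary\nA. Example,100000\n" * 2)  # constructed data
    disk.write_file("notes.txt", b"merger draft")                            # constructed data
    disk.quick_format()
    after_format = (disk.list_files(), disk.residual_sectors(), disposal_check(disk))
    disk.sanitize()
    after_wipe = (disk.list_files(), disk.residual_sectors(), disposal_check(disk))
    return after_format, after_wipe

if __name__ == "__main__":
    print(demo())
```

After the quick format the file listing is empty, yet three sectors still hold the original bytes; only the full overwrite passes the disposal check.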

Plugging the Holes
According to Gupta, as long as there is an entry point for an external device to communicate with the laptop, it is a potential threat. Therefore, it is important for CIOs to plug these entry points. This requires zeroing in on the data leakage opportunities.

Security of a laptop can be enhanced in different ways. Restricting unauthorized access can be the first step. Even taking the simple measure of having a password for booting will help in protecting data. Also, as per Saran, passwords should be applied at the BIOS level and at the operating system level. Other measures can be the use of biometrics scanning, strong power-on passwords, secure USB keys, disabling of USB ports, CD/DVD drives, etc.

Alok Gupta, director, Unistal Systems, says that using powerful anti-data leakage software can stop copying of data through any port like USB, infrared, LAN, etc. Apart from the above basic security measures, disabling the guest accounts in Windows, renaming administrator accounts, refraining from using auto-login settings for websites on the laptop, etc. will help to protect against misuse in case of theft or loss.

“Bluetooth devices and smart phones, which have the capability to download stuff from the Internet and have Bluetooth, can also be a threat”

-Rana Gupta, director, SafeNet

“When on the move there is a lot of dynamic data that gets generated and stored on the laptop, which, if lost, would not be available back on the enterprise network”

-Sunil Chandna, CEO, Stellar Information Systems

Even after plugging the access points, if an unauthorized person gets access to the data, the next step should be to ensure that the data is of no use to them. To protect data, the hard disk should be encrypted with centralized management. This will make all the data residing in the laptop incomprehensible and, therefore, useless to the unauthorized person. Tools like Safe Boot can carry out the job of encryption.

According to Gupta, the Internet still remains a key 'threat' for laptops. Therefore, secured Internet connection is a must to protect data. For connecting to the Internet, Gupta suggests, enterprises should encourage their on-the-move employees to connect via the corporate network instead of an ISP.

Also, some of the must-haves in terms of technology tools are the latest virus definitions, updated firewall rules, anti-malware, anti-spyware, etc which will help in securing the laptop. It is critical to ensure that the anti-virus and other solutions that are there in the enterprise network are installed in the laptop and that they can't be disabled. If it is a Windows machine, then updated operating system patches will help, suggests Saran.

From a productivity improvement and data loss prevention standpoint, Alok Gupta suggests usage of data loss prevention software and automated OS/Application restoration, in case of OS corruption.

Physical security of the laptop is equally important; laptops should be locked using a Kensington lock. There are some track and trace solutions also available in the market today, like Unistal's 'Locate Laptop', which can help trace a lost or stolen laptop. Locate Laptop can locate reportedly stolen laptops by leveraging the World Wide Web. Gupta says that physical security comes with discipline and alertness on the part of the owner.

Therefore, upping the ante on the alertness quotient is the key.

However, all said and done, one can't ignore the fact that any security measure is only as good as the weakest link. Therefore, certain best practices need to be adhered to. Some of these include ensuring that the firewall rules and virus definition files are regularly updated, the password is not shared with anyone and is not written anywhere, hardening of policies disallowing any software installation, having a proper password policy, clearly defining different levels of access for different users in the organization, taking periodic backup, etc. To ensure all this happens, the enterprise should devise a laptop policy and comprehensively cover laptops in its security policy.

While Chandna maintains that considering the way laptop penetration in enterprises is increasing, having a laptop policy is of paramount importance, he also warns CIOs to steer clear of designing a generic laptop policy. “Different types of policies should be designed for different levels and types of users as there is 'no one size fits all',” he adds.

Depending on the user profile, the information stored in the laptop has different levels of risks involved. Both the data in a sales manager's laptop and that in a CEO's laptop are critical, but the nature and level of criticality are different. “One has to consider the data stored in the laptop for defining the security requirement rather than considering the replacement cost of the hardware,” explains Pillai.

Arora gives yet another perspective as he states that in an attempt to fight security threats, there can be a tendency to make password policies strict, leading to uncomfortable usage. “Today, it is important for firms to give users easy-to-use, reliable, and secure notebooks to use. It is important to have a portfolio of security technologies and features built into hardware, firmware and software that work together to address critical aspects of IT security,” he adds.

With all the security provisions, enterprises may compromise the freedom and flexibility that notebooks are being used for. Ensuring that the fine balance between security and flexibility does not get snapped off is a tightrope walk for CIOs today. Maybe one can take a bit of solace from Scott McNealy's infamous classic pronouncement “You have zero privacy anyway. Get over it.” It may be a bit stretched, but it, nevertheless, has turned out to be quite ominous of the state of over-obsession with security in the world of enterprise mobility.

Shipra Malhotra
shipram@cybermedia.co.in
