When employees travel on business, companies must ensure that their mobile computing does not put corporate data at risk.
Business travel is integral to the bottom line for most large companies. As a result, the number of business trips taken by U.S. workers alone tops 237 million annually. Travelers typically have a laptop in tow to help them get the job done. That flotilla of computing power may boost productivity, but it also exposes companies to an ocean of risk. Companies need to understand the threats they face and make sure that they have adequately armed their mobile fleet with the technological tools that can protect against these threats.
Categorize the Data
The first step toward secure travel is to ensure that employees are not carrying any files, documents, or data that they don’t absolutely need, says Mark Lobel, a partner in PricewaterhouseCoopers’ security services practice. That simple precaution minimizes the likelihood that the loss of a laptop will expose sensitive customer or employee information. And that’s critical because the loss of such data could hurt the company’s reputation and put it in violation of the more than 20 federal and state privacy-disclosure laws.
There can be serious financial repercussions to losing this type of information. Persons whose information has been lost may demand that the company pay for credit monitoring, Lobel says, which can cost as much as $100 per person. Multiply that by the thousands of people involved, and it becomes a significant issue. (Research from The Ponemon Institute found total costs from a data breach to be $140 per lost customer record.) On top of that, if laws have been broken, such as the exposure of health-related information, criminal penalties may loom for corporate executives.
So, Lobel says, long before road warriors leave the office, organizations need to consider how information is classified, and it’s imperative that they have controls “that define how the information is protected when it’s created, when it’s stored, and when it’s destroyed.”
With that classification complete, the company can more readily assess if there is any sensitivity to the information kept on a notebook, Lobel says. If the information needs to be on the laptop, the company must provide controls commensurate with the categorization of that data.
While it’s important to limit the amount of sensitive information carried, it’s also critical to physically secure the computing device. Nearly every laptop made today features a small slot on its side known as the Kensington Security Slot. Locks made by Kensington and other vendors fit into the slot, allowing laptops to be cabled to a sturdy or immovable object. Some of the locks are alarmed so that if the steel cable is cut, an alarm will sound. Laptop locks such as Kensington’s MicroSaver Retractable, which has a steel cable that can be retracted into an easily carried compact case, are available through computer stores and online retailers starting at about $30.
John Livingston, the CEO of Absolute Software, is a frequent business traveler. He keeps his laptop locked up when he can, but he says that simply keeping a laptop out of sight removes the temptation for somebody to steal it. “If I’m traveling in a vehicle, I make sure it’s in an area of the vehicle where it can’t be seen,” he says.
“In a hotel room you can hide it under your bed” if no safe is available, he says. While these may seem like minor measures, Livingston asserts that in most cases where laptops or other electronics disappear from hotel rooms, it’s because they were left out in the open.
Whether it’s because users are careless or thieves are determined, laptop thefts are not uncommon. Statistics from Safeware Insurance indicate that more than 600,000 laptops were stolen in 2004, with hardware losses alone estimated at $720 million and associated losses from theft of proprietary information estimated at more than $5 billion. Those statistics highlight the importance of measures that pick up where physical security leaves off. That means looking for ways to retrieve stolen hardware and to prevent thieves from accessing the data in the meantime (the latter is addressed in the next section).
Companies can buy software that makes it possible to find where a stolen computer has been taken. One such program is Computrace, made by Livingston’s company. Livingston explains that the “Computrace Agent” is hidden on the hard drive of a computer. This agent cannot be seen or, in most cases, deleted from the drive, even if the hard drive is formatted. The agent “phones home” to a monitoring center regularly when the computer goes online.
“We get the very bare bones of information in an anonymous format” from this agent, Livingston says. This information, which includes the serial number, date, time, and an IP address or telephone number, identifies the machine and its approximate location.
If a user notifies the monitoring center that the computer has been stolen or lost, “we ask the machine for additional information to help us pinpoint its position and help with the recovery process,” Livingston says. The information from the beacon can be passed to the company’s law enforcement liaison team, mostly former police officers, which works with local police departments to recover the laptop. Last year, Livingston says about 1,000 computers were recovered using Computrace.
The company has found that local law enforcement agencies are often happy to help out. That’s because many computers are stolen by theft rings, Livingston says. “We’ve probably broken over 100 theft rings that were actively stealing computers out of an organization,” he says.
In one case last year, a beacon from a stolen machine was tracked to a warehouse in McKinney, Texas. Local police were thrilled to help; Livingston says they believed there was criminal activity taking place at the warehouse but had no evidence to get a search warrant. The Computrace lead helped them get one, and when the police arrived on the scene, they found drugs, stolen vehicles, unregistered weapons—and stolen computers.
Companies also need to ensure that if a computing device falls into the wrong hands, the thief won’t be able to read, use, or sell the proprietary data it contains. There are several ways to keep data safe while it’s on a laptop: remote deletion, access control, and encryption.
Remote deletion. Services such as those offered by Computrace can contact the software agent inside a laptop when it comes online and remotely command it to erase all the data from the computer’s hard drive. This ensures that even if the computer is never recovered, nobody is able to access the data on it.
Access control. The time between the realization that a computer has gone missing and the deletion of its data could be enough for the contents to be compromised. Therefore, it’s necessary to control access in the strongest way possible and to encrypt sensitive files or the entire hard drive.
Biometrics. Some newer laptops, such as IBM’s newest line of ThinkPads, are incorporating biometric authentication in the form of fingerprint readers directly onto the machine. Slide your finger across the sensor and, once authenticated, you’re logged securely onto the computer.
Portable USB devices that provide authentication are available as well. For example, Silex Technologies offers easily carried fingerprint sensors that can be used to control access to a mobile computer. Its Combo-Mini (reviewed in “Technofile,” February 2005), which will block access to anyone whose fingerprint is not enrolled on the computer, can be carried on a keychain.
Portable fingerprint readers have limitations—for example, in tests for the Combo-Mini, some fingerprints were difficult to enroll—but they do make it much more difficult for thieves to access a laptop’s data. The Combo-Mini retails for about $179.
If you’ve got a little extra room in your laptop bag and don’t mind carrying a full-size mouse, AuthenTec offers the APC Biometric Mouse Password Manager. This optical mouse plugs into the laptop’s USB port and can register as many as 20 fingerprints, so multiple users can use the mouse to switch to their accounts—a handy feature particularly if using Windows XP, which allows multiple users to have their own accounts on a single computer. Both the mouse and the biometric access control functions performed admirably in my tests, with little difficulty enrolling users.
An added benefit is that passwords for applications and Web sites can be added so that these can be accessed instantly with a touch of a finger. The current version supports only the Internet Explorer browser, though the company says it will release a software upgrade this year to allow Firefox users to save passwords as well. The optical mouse can be found at online and brick-and-mortar retailers for about $50.
For anyone who wants to use the strongest level of biometric authentication while on the road, the Panasonic Iris Recognition Authenticam is a portable camera that controls access, as its name implies, through enrolled irises. Enrolled users look into the camera, which doubles as a CCD camera that can be used as a Web cam for videoconferencing, to get authenticated to the computer. Like the biometric mouse, the camera’s biometric functions can be used to replace Web site and application passwords. The Authenticam retails for about $215.
Encryption. Some travelers may simply want to protect a few files or folders that contain sensitive documents. This can be easily done; there is no shortage of products available to password-protect files, folders, or even entire hard drives.
Data Encryption Systems offers a free, downloadable version of its DESlock+ encryption product. The PGP Corporation, a venerable name in encryption, also offers a range of products, from those designed for a home desktop user to enterprise editions designed for thousands of users. Home versions lock down files, folders, e-mail, and even some instant messaging traffic; enterprise versions, which require some centralized management of encryption keys, can encrypt entire hard drives.
If you’re using Windows XP, encryption at the file and folder level is built in. For those with Windows XP Pro, a feature called Encrypting File Systems (EFS) lets you encrypt any file or folder by simply right-clicking the file or folder’s icon and selecting Properties, General, Advanced Attributes. Check the “Encrypt contents to secure data” box and you’re done.
The encryption in EFS is tied to the user’s account name, so if you use a password to access your XP account, you won’t need to take any extra steps; any encrypted document is instantly decrypted when you open it, and any files dragged into an encrypted folder are automatically encrypted.
If you’re using XP’s home edition, right click on the file or folder icon and choose Properties, Sharing. Then check the “Make this folder private” box.
This level of encryption is typically enough to protect data from the eyes of another user or a thief, but if the data is extremely confidential, you might want to look for a stronger product. Some biometric access control products, such as those mentioned earlier, can provide secure encryption.
You’ve made sure that you’ve only brought the data you absolutely need, and you’ve done everything possible to ensure that it’s secure. Now you need to consider how data will be secured when you remotely send and receive it while on the road, particularly when using a wireless connection.
Brian Hernacki, an architect with Symantec Research Labs, notes that wireless access—including Wi-Fi, Bluetooth, and infrared technologies—is now routinely built into laptops, and is often turned on by default, to make it easier for nontechnical people to connect wirelessly. But lowering the bar means that risks rise, he says. “When the bar gets that low that everybody can simply do it,” he says, “there are a lot of people using this service who are not so security aware.”
There are two major threats to wireless users: unencrypted channels and fake access points. Both could allow an attacker to see the data you’re sending or receiving, meaning that passwords and credit card information could be at risk.
Unencrypted channels. “If you’re at a wireless hotspot and you’re checking e-mail, potentially you’re connected over an unencrypted channel,” Hernacki says. That means that someone could, with a few freely available tools and a bit of know-how, have access to your data.
This could provide attackers with more than just access to your Hotmail account. “If they’re clever and capture a password and user name, these can be used to attack other systems,” he says, since people tend to use the same credentials at many sites.
One way to mitigate this threat is to connect only to wireless networks that are secured with one of two encryption protocols: Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA). WEP, the older of the protocols, is less secure than WPA, but it’s adequate for most users—and certainly better than nothing. What these encryption protocols do is secure the data between the laptop and the access point; typically after that, other security features (for example, virtual private networks, or VPNs) take over.
If you want to use the stronger encryption level, one glitch is that support for WPA is built into Windows XP but is missing from older versions of the operating system. Help is available from antivirus vendor McAfee, Inc., which offers a free tool called WPA Assistant. This tool allows those with Windows 98, ME, and 2000 editions to access WPA-encrypted networks.
WPA Assistant is easy to use. Simply download it from McAfee’s Web site and add your preferred access points. On my home network, which is protected by WPA, I downloaded this tool onto a laptop running Windows 2000 that I wanted to add to the network. Next, I typed in the name of my home network, and added the WPA key used to secure the network. The process took only minutes, and the additional layer of defense (previously I had to rely on WEP) gives the network greater security.
Evil twins. Users must be aware of another problem that can arise with wireless due to the way the systems are configured. “The way wireless works is, it wants to communicate so badly with somebody that it’ll create its own network just so it can connect to something,” says Richard Rushing, chief security officer with AirDefense. Windows XP, for example, constantly scans for an open network (that is, one that is not encrypted and which will allow anyone to join), and then connects to it, typically without asking the user first.
This doesn’t have to be the case. The feature known as Wireless Zero Configuration in Windows XP can be easily disabled so that a user must decide which network to connect to, and then take steps to connect to it. (See “Technofile,” December 2005, for more on how to disable this feature.)
There are additional risks to having the Wireless Zero Configuration running. Rushing says that XP adds previously accessed networks to a list of preferred networks, and by default it prioritizes beginning with the last-accessed network. That could lead to trouble. In many cases, networks are simply named after the wireless router used, such as Linksys. So, XP might see a Linksys network—even if it’s not the same one connected to previously—and connect to it, believing it’s the same one. But it could be a stranger’s (or hacker’s) network instead of a trusted home or work network.
“Hackers know this,” Rushing says. They can set up their laptop to act as a wireless access point, give the network a name that won’t arouse suspicion—say, Linksys or Starbucks—and wait for victims to connect. Any machine that makes that connection is then routing its communications through a fake access point known as an evil twin.
What’s especially pernicious about this is that it bypasses encryption protections. “If I connect to one of these illicit access points and send my data to them, it doesn’t matter if the channel between me and the access point is encrypted,” says Brian Hernacki, “because now the access point has access to the data underneath.”
One way to protect against the dangers of fake access points is to use secure proxy services, which provide a secure and unbroken connection from beginning to end, says Patrick Hinojosa, chief technical officer for Panda Software and a frequent road warrior himself. A company called Secure-Tunnel offers a service in which data travels through an encrypted tunnel from end to end, and is additionally routed through the company’s proxy servers.
Even if an eavesdropper can see the transmission itself, they can’t see or decode anything inside it, says Hernacki. Moreover, the proxy server shields your IP address, meaning that transmissions can’t be tracked back to your computer.
Secure-Tunnel offers three levels of service, starting at $2.95 and going to $9.95 per month (the higher-priced services offer other functionalities, such as Usenet and peer-to-peer access). Tiered pricing means that infrequent travelers don’t have to pay for services they don’t use, while true road warriors can get discounts on annual plans.
Another option is a free tool called Personal Lite from AirDefense, which can help road warriors become aware of potentially unsafe settings on their laptops. It will also alert users if any access points look suspicious.
AirDefense Personal Lite gives pop-up alerts to risky settings, such as having the setting for “ad hoc” networks enabled (this allows someone to connect to the Internet through your computer), and suspicious connections that may indicate a fake access point. After I installed the software, I found that some of my connection settings were potentially dangerous, and after making some quick changes, the pop-up alerts disappeared.
Rushing explains that the product can help alert travelers to evil twins, because each hotspot has a unique “fingerprint” that is different from the fingerprint that an evil twin would have. “The fingerprint is made of different things such as DNS servers, IP address ranges, are there gateways at the other end, and so on,” he says. “It would be almost impossible to mimic the fingerprint” of a legitimate hotspot, and so the tool can alert when it sees too many unusual variables in the equation.
Apart from ensuring that laptops and the data on them aren’t stolen, users also have to secure them from infection and hacking as they would a desktop PC. Some of these tools are bundled with other functionality by various companies. For example, Panda Platinum Internet Security and Panda Titanium Antivirus both offer a combination of antivirus software with easy-to-configure firewalls, along with a suite of other tools (such as antispyware solutions).
These products, which retail for $79.95 and $49.95 respectively, are quickly installed and set up. Both immediately recognize and make rules for every application that attempts to access the Internet.
There is a downside to this type of bundled security product, however: size. For example, installing the full-blown version of Titanium on my admittedly aging laptop slowed boot-up to a crawl. Most of these products—including Trend Micro’s PC-Cillin—can be customized so that you only install the parts of the package you need. In the case of PC-Cillin, I installed only the antivirus software and rely on a USB firewall from Kensington.
The Kensington Personal Firewall for Notebooks (reviewed in “Technofile,” September 2005) provides firewall capability without breaking the memory bank. This plug-and-play device is on a USB token and retails for $49.99. Preconfigured settings can be accessed with a click of an icon, making it simple to add a layer of security to a mobile notebook.
Privacy screen. Not all mobile-security tools are high-tech. Patrick Hinojosa tells the story of a recent trip from Florida to Washington, D.C., where he found himself sitting next to a fellow traveler who was working on his laptop. Glancing briefly at the laptop, Hinojosa suddenly realized that this person was reading classified government information.
“A privacy screen is a good thing [to have] if working in an airport or on the plane so that people can’t shoulder-surf,” Hinojosa says of the lesson he learned from this experience.
These types of screens are widely available at computer-goods shops and online. One product that I tested was the 3M Privacy Computer Filter. The filter is a lightweight plastic sheet that can be permanently attached to the notebook’s monitor or can be held on temporarily using the small plastic clips included. When the privacy filter is in front of the monitor, the screen appears black to potentially inquisitive passersby and anyone else who is not directly in front of the computer.
My tests showed that while a passenger sitting next to me could see a small fraction of the screen, most of it was obscured, and the screen was totally invisible to someone walking down the aisle. While the filter darkens the screen slightly, it’s not enough to make viewing the screen difficult, plus it cuts glare significantly. The filters start at about $45 and increase based on the size (they’re also available for desktop systems).
Before road warriors take to the field, they need to know their enemy’s strengths, and they must prepare the appropriate defensive measures. With so much protective gear available, it’s easy to be prepared against mobile cyberattacks so that the only battle executives need to wage is against competitors.
Peter Piazza is associate editor at Security Management.