When I'd woken up in the morning with the headache and all the signs of a major allergy attack, I'd first popped an allergy pill. Then I gulped down a huge mug of coffee as I started the drive to work. I still had the headache an hour later when I arrived. I next went for the headache pills and a huge latte. I added a healthy dose of nicotine into the mix just for good measure. Nothing seemed to be working, and now I was throwing handful after handful of M&Ms into my mouth.
I knew that trying to drown the headache in caffeine, nicotine and chocolate was probably the worst treatment method, but we don't always act rationally. I had a problem, no solution was coming to me, and I was feeling frustrated.
Laptops present a security dilemma. They are among the best productivity devices ever created, but they may also be the single largest security threat to corporate and government networks. Their utility means they aren't going away anytime soon, but their vulnerability means things can't continue as they are. Like security managers everywhere, I read about incidents such as laptops that contain vital and sensitive information being stolen, and I shudder.
But I certainly appreciate the value of a laptop. Mine goes everywhere I go, and I connect it to a variety of networks wherever I am. Security Willies Lately, employees of the state agency I work for have been starting to tune in to how nice a laptop can be for getting work done while on the road.
But I have enough experience that this productivity enhancement gives me the security manager willies. When I worked in the private sector, we had a major security breach involving a remote laptop connected via a home DSL connection. A hacker had compromised the home network, gained administrative privileges and changed the password. He then achieved remote access through the VPN and tried to hack into a corporate database. It was then that we noticed we had an intruder.
The laptop had been compromised through a known vulnerability. The machine had been in the field for a year without being properly patched and updated. Even though this happened years before such incidents had to be disclosed to consumers, it got upper management's attention. After long ignoring the screams and pleas of the security and IT teams for a way to secure and manage remote laptops, the company suddenly coughed up the funds to buy remote management software.
That was a step in the right direction, but the laptops that we allow staffers to check out when they travel can be used wirelessly through a broadband provider. I know of only one company that manages wireless laptops in a truly secure fashion, and even it faltered at first. A friend of mine works at a large telecommunications company. When it first enabled wireless connectivity on the sales force's computers, the salespeople couldn't use it to log into the corporate network. To do that, they had to revert to the old dial-up connection to a VPN. For the security team, this was preferable because it was highly secure, using RSA Security Inc.'s SecurID technology. But for the sales force, the painfully slow dial-up connection discouraged any laptop use on the road. Instead, they tended to work out of the local sales offices, where they could authenticate to the local network. The whole purpose of giving them laptops was lost.
Eventually, the company started to provide secure broadband wireless connections for the sales force. The cost, of course, is beyond what we can afford at this small state agency. As always, we have to figure out how to enable our workforce on a shoestring budget. We have a technologically unsophisticated workforce to boot, so however we do this, it has to be simple. Our employees don't know the difference between one network and another. All they know is how to turn the laptop on, make sure the network cable or card is plugged in and log in.
The Dilemma So, here I sit, pondering the dilemma. Between sips of latte and handfuls of M&Ms, I start to think out loud. We can start by building a secure laptop image that has all unnecessary services turned off. The image should include these features: a personal firewall that is set to automatically update over the Internet; antivirus software (that prohibits spyware, preferably) that's also set to automatically update; an up-to-date operating system and applications, set to automatically update; an alternative browser, such as Mozilla's Firefox; a disabled guest account; and a user account that has restricted permissions so that the user can't save anything to the hard drive or install any programs.
We could also supply a USB flash memory device for holding confidential data, which would have to be password-protected and encrypted, and a connection to the state network via a Cisco VPN client, with IPsec encryption.
We might want to allow all other network connections, including wireless, but I'll have to think about that one.
The only other thing I can think of to do is to train users in the secure methods of logging in remotely and safeguarding data and the equipment that holds data. Even if we could make the laptops as secure as possible, we would still have to rely on the people who use them to safeguard them. I don't like that answer, but I'm afraid it's all we've got.
What do you think?
This week's journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com, or join the discussions in our security blogs: computerworld.com/blogs/security
To find a complete archive of our Security Manager's Journals, go online to computerworld.com/secjournal.