It's 5 p.m. Do you know where all of your company's computers are?
The U.S. Department of Energy's Counterintelligence Directorate doesn't. In fact, the intelligence agency -- which is tasked with protecting sensitive data and operations against espionage by foreign entities -- is missing 20 computers that may contain classified data, according to an inspection report issued last week by the DOE's Office of the Inspector General.
At least 14 of the computers were known to have processed classified information, the report says. The Counterintelligence Directorate's inventory records "were so imprecise and inaccurate that [the agency] had to resort to extraordinary means to locate an additional 125 computers."
"Based on these findings, we concluded that Counterintelligence was unable to assure that the computers for which it is accountable, and the often highly-sensitive and/or classified information they processed, were appropriately controlled or were adequately guarded from loss and theft," the Inspector General concluded.
In a time when a single lost laptop can cause a nationwide news scandal, the DOE report seems scary. In the corporate environment, however, such lost inventory is an everyday occurrence. In fact, most large enterprises would be proud to say they are able to account for all but 20 of their computers.
"There was a Gartner study not too long ago that said at any given time, most enterprises can tell you the location and the user of only about 65 percent of their machines," notes Ben Haidri, vice president of marketing and business development at Absolute Software, a PC asset tracking and theft recovery service that currently monitors over a million machines worldwide. "That means more than a third of PCs and laptops aren't accounted for."
This problem, which Absolute calls "PC drift," is usually the result of worker mobility, which causes IT to lose track of machines as employees change locations, departments, or job responsibilities.
"With constant organizational changes, personal computers have gone missing in large companies on a regular basis," agrees Rob Enderle, principal analyst at Enderle Group, an IT consultancy. "They may walk out the door with departing employees; employees may simply not turn them in when they get new ones.
"The big picture is that no one really knows what has been happening to these 'lost' products, and most people typically assume it is a problem with the inventory reconciliation," Enderle explains. "However, in today's world I think such an assumption needs to be challenged -- and under current disclosure rules, it probably must be."
While many of the "lost" PCs probably are still inside the enterprise, analysts estimate that as many as 3.5 to 5 percent of the missing machines are stolen, usually by employees. Gartner estimates that about 70 percent of office product thefts are perpetrated by insiders.
"If an insider takes a machine, it's usually to use it themselves -- as opposed to stealing the data or selling the hardware -- but you can never really be sure at that point," Haidri says.
Like most large enterprises, the DOE's Counterintelligence Directorate used a PC inventory application to track the location and disposition of its desktops and laptops, although the report does not disclose which product it uses. And, like most enterprises, the agency found that some of its inventory escaped the tracking of that application.
"The problem with most of those tools is that they don't start from the node and go up," Haidri says. "They sit on a server somewhere and poll the devices. There are a lot of things that can go wrong with that -- you lose communication with the node, or somebody deletes the agent software when you're doing an upgrade."
Another problem is that there's not much integration between the IT asset management function and the security function, experts say. In most companies, the two groups work separately, and they use different tools, which makes it difficult to locate machines that might be suspected of causing a security breach.
So while many companies look at products for full-disk encryption for laptops or "kill" products that let users remotely wipe out a hard drive that is lost or stolen, many of them still don't know where all of their machines are, experts observe.
"There are a lot of encryption tools you can get, and tools that will let you work on a problem post-theft," says Haidri. "We [Absolute] have all those tools. But there are some customers that want to solve that problem by knowing where all their devices are. That's where you see IT asset management and security coming together."
Tim Wilson, Site Editor, Dark Reading