Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Dude, Where's Your PC?

Audit exposes lost computers at counterintelligence agency, need for better inventory management

It's 5 p.m. Do you know where all of your company's computers are?

The U.S. Department of Energy's Counterintelligence Directorate doesn't. In fact, the intelligence agency -- which is tasked with protecting sensitive data and operations against espionage by foreign entities -- is missing 20 computers that may contain classified data, according to an inspection report issued last week by the DOE's Office of the Inspector General.

At least 14 of the computers were known to have processed classified information, the report says. The Counterintelligence Directorate's inventory records "were so imprecise and inaccurate that [the agency] had to resort to extraordinary means to locate an additional 125 computers."

"Based on these findings, we concluded that Counterintelligence was unable to assure that the computers for which it is accountable, and the often highly-sensitive and/or classified information they processed, were appropriately controlled or were adequately guarded from loss and theft," the Inspector General concluded.

In a time when a single lost laptop can cause a nationwide news scandal, the DOE report seems scary. In the corporate environment, however, such lost inventory is an everyday occurrence. In fact, most large enterprises would be proud to say they are able to account for all but 20 of their computers.

"There was a Gartner study not too long ago that said at any given time, most enterprises can tell you the location and the user of only about 65 percent of their machines," notes Ben Haidri, vice president of marketing and business development at Absolute Software, a PC asset tracking and theft recovery service that currently monitors over a million machines worldwide. "That means more than a third of PCs and laptops aren't accounted for."

This problem, which Absolute calls "PC drift," is usually the result of worker mobility, which causes IT to lose track of machines as employees change locations, departments, or job responsibilities.

"With constant organizational changes personal computers have gone missing in large companies on a regular basis," agrees Rob Enderle, principal analyst at Enderle Group, an IT consultancy. "They may walk out the door with departing employees, employees may simply not turn them in when they get new ones.

"The big picture is that no one really knows what has been happening to these 'lost' products, and most people typically assume it is a problem with the inventory reconciliation," Enderle explains. "However, in today's world I think such an assumption needs to be challenged -- and under current disclosure rules, it probably must be."

While many of the "lost" PCs probably are still inside the enterprise, analysts estimate that as many as 3.5 to 5 percent of the missing machines are stolen, usually by employees. Gartner estimates that about 70 percent of office product thefts are perpetrated by insiders.

"If an insider takes a machine, it's usually to use it themselves -- as opposed to stealing the data or selling the hardware -- but you can never really be sure at that point," Haidri says.

Like most large enterprises, the DOE's Counterintelligence Directorate used a PC inventory application to track the location and disposition of its desktops and laptops, although the report does not disclose which product it uses. And, like most enterprises, the agency found that some of its inventory escaped the tracking of that application.

"The problem with most of those tools is that that they don't start from the node and go up," Haidri says. "They sit on a server somewhere and poll the devices. There are a lot of things that can go wrong with that -- you lose communication with the node, or somebody deletes the agent software when you're doing an upgrade."

Another problem is that there's not much integration between the IT asset management function and the security function, experts say. In most companies, the two groups work separately, and they use different tools, which makes it difficult to locate machines that might be suspected of causing a security breach.

So while many companies look at products for full-disk encryption for laptops or "kill" products that let users remotely wipe out a hard drive that is lost or stolen, many of them still don't know where all of their machines are, experts observe.

"There are lot of encryption tools you can get, and tools that will let you work on a problem post-theft," says Haidri. "We [Absolute] have all those tools. But there are some customers that want to solve that problem by knowing where all their devices are. That's where you see IT asset management and security coming together."

— Tim Wilson, Site Editor, Dark Reading

  • Absolute Software Corp.
  • Enderle Group Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 7/2/2020
    Ripple20 Threatens Increasingly Connected Medical Devices
    Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
    DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
    Dark Reading Staff 6/30/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    How Cybersecurity Incident Response Programs Work (and Why Some Don't)
    This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
    Flash Poll
    The Threat from the Internetand What Your Organization Can Do About It
    The Threat from the Internetand What Your Organization Can Do About It
    This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-07-02
    Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
    PUBLISHED: 2020-07-02
    A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
    PUBLISHED: 2020-07-02
    In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
    PUBLISHED: 2020-07-02
    In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
    PUBLISHED: 2020-07-02
    In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.