
Laptop Lockdown

Mobility means exposure to theft, loss, and infection, but you can reduce the risks

9:00 AM -- One of the biggest problems for CIOs is knowing where computers are.

It's easy to know that a computer should be in a rack, safely locked away in a vault or happily humming in a data center. Where it gets complicated is with laptops. With today's road warriors it's easy to lose track of where your devices are and what is running on them.

This becomes especially problematic when you start talking about virus infections. One of the biggest problems with today's road warriors is that they can spend days or weeks out of an office, plugging into random networks all over the world, with varying degrees of security, only to pop back onto the corporate network with whatever software they happened to have picked up on the way. In this case, those road warriors are picking up viruses and malware of all shapes and sizes.

One easy way to mitigate this issue is to reduce the level of access that the employee has on the mobile device (not letting the local admin genie out of the bottle). Another way is to isolate laptops to an unsecured part of the network, where they can do less damage, until each computer has proven to be secure by being up to date with patches, anti-virus, and anti-spyware software.

This can be a powerful security measure, because it can still allow outbound access while keeping your intranet applications and other portions of your network secure from your own infected users. Some companies may even prefer to prohibit egress traffic for unsecured computers, because those computers can send spam or submit viruses that ultimately get companies put on blacklists.
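The admission decision described in the two paragraphs above, sketched as an added example that is not part of the original column. The freshness thresholds, field names, host names and segment names are assumptions; the column names the three checks but gives no numbers.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed freshness limits in days; the column names the checks but no thresholds.
LIMITS = {"patches": 30, "antivirus": 7, "antispyware": 7}

@dataclass
class Posture:
    host: str
    patches: Optional[date]      # date of last applied patch set; None = not reported
    antivirus: Optional[date]    # date of anti-virus signatures
    antispyware: Optional[date]  # date of anti-spyware signatures

def failed_checks(p: Posture, today: date) -> list:
    """Names of checks the laptop fails. Missing or future-dated reports
    fail closed: a laptop that cannot prove its state has not proven it."""
    failed = []
    for name, limit in LIMITS.items():
        reported = getattr(p, name)
        if reported is None:
            failed.append(name)
            continue
        age = (today - reported).days
        if age < 0 or age > limit:
            failed.append(name)
    return failed

def admit(p: Posture, today: date, block_quarantine_egress: bool = False) -> dict:
    """Decide which segment a returning laptop joins and what it may reach."""
    failed = failed_checks(p, today)
    if not failed:
        return {"host": p.host, "segment": "corporate", "intranet": True,
                "egress": True, "failed": []}
    # Unproven laptops never reach intranet applications; outbound access is
    # a policy choice (blocking it keeps spam and viruses off your addresses).
    return {"host": p.host, "segment": "quarantine", "intranet": False,
            "egress": not block_quarantine_egress, "failed": failed}

# Constructed sample reports, not real hosts.
TODAY = date(2024, 6, 1)
SAMPLES = [
    Posture("lt-001", date(2024, 5, 20), date(2024, 5, 30), date(2024, 5, 29)),
    Posture("lt-002", date(2024, 3, 1), date(2024, 5, 31), None),
    Posture("lt-003", date(2024, 5, 25), date(2024, 7, 1), date(2024, 5, 31)),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(admit(s, TODAY, block_quarantine_egress=True))
```

The `failed` list is what a help desk needs to tell the user why the laptop landed in quarantine and what to update before it is readmitted.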

One of my employees recently had a computer stolen from his car. Several settings made it difficult for an attacker to use, including the fact that the gateway address was pre-set. Out of the follow-up conversations with him, several tactics came up that may help in the case of stolen computers. First, it should be very trivial to have some form of cron job that executes and, when it notices it's on an unsecured network, phones home and tells the company its new IP address. In addition, keystroke loggers can be used for forensic evidence if they are combined with a phone-home script, to remotely know what the thief is doing with the computer, including user names and passwords.

Because too many companies treat laptops like a form of firewall, allowing them to be on the edge of the network, mobile computing will become increasingly important to information security. Running host-based intrusion detection, anti-virus, and anti-spyware, and removing access from your own employees, can be an administrative nightmare when new software is required. But the risks from inaction greatly outweigh the pain of providing that level of security, depending on the type of organization.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F* Special to Dark Reading