Jim Cady’s 15-year-old son was playing the computer game Doom on his PC when it happened. Suddenly, instead of seeing the climax to the battle he had been expecting, a screen from the neighbour’s Quicken home accounts system unexpectedly flashed up on his monitor.
Cady, the CEO of security appliance vendor WatchGuard, knew what was responsible: both he and his neighbour run 802.11 (Wi-Fi) wireless networks in their houses, and the two overlapped. Cady now takes more care with WatchGuard’s corporate accounts when he is working from home.
Such incidents graphically illustrate one of the many security vulnerabilities faced by an increasingly mobile workforce, whether working from home or some other location in the field: Hand-held computers can be lost, laptop computers stolen, home PCs left unprotected against viruses, and wireless networks cracked with ease.
As a first step, organisations need to re-examine their security policies, says Steve Malde, general manager of business solutions at communications and IT services provider BT. In many cases these policies will be years old, but organisations need to consider how they could redraft them to mitigate the new dangers posed by ‘agile working’.
The answer in many cases, according to Malde, is a greater level of automation combined with a higher sense of compulsion among staff to follow security policies. For example, all staff at BT, whether in the office or in the field, have the latest anti-virus ‘signatures’ automatically downloaded to their machines once or twice a month. For particularly dangerous outbreaks, the company sends out an update as soon as the signature is available.
Just a few years ago, this task would have entailed physically inserting a CD-Rom into each PC or device and virtually re-loading the application – a time-consuming task. Today it only requires the signature files to be added to the existing application. This means that the download is relatively quick and easy and does not require any user intervention.
But while Malde is happy to pay £163.50 a year for a Norton Anti-Virus software subscription to protect his home PC, many mobile workers will be reluctant to purchase and install their own anti-virus protection, leaving their machines exposed – and potentially, therefore, the systems of their employer. This risk will be multiplied if other people in the household use the PC.
Open sesame
One of the easiest routes into mobile systems for unauthorised users is the password itself. A hacker holding a stolen laptop could, potentially, gain access to corporate systems with a few simple calls to that company’s IT help desk, posing as the laptop’s owner and talking the desk into resetting or revealing credentials. Ex-hacker Kevin Mitnick – who served five years in prison for his crimes – frequently posed as an insider in order to gain access, or the information required to gain access, to targeted organisations’ systems.
In order to limit this, BT forces staff to change their passwords every month, so that a password a malicious hacker has obtained stays useful for only a short time. This is combined with a multi-stage authentication process for logging in to certain systems: users are asked for a user name and PIN, followed by a second user name and password.
If the user gets the details wrong three times at either stage, the account is locked and the user has to call the help desk and offer additional authentication information. The idea is that a malicious hacker who cracks the first stage will find themselves locked out when they try to guess their way through the second.
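The two-stage login with a three-strike lockout described above, written out as an added example (this is an illustration, not BT’s system; the credential store, the stage names, the PBKDF2 work factor and the help-desk reset call are assumptions made for the example):

```python
"""Two-stage login with a three-strike lockout at either stage.

Added illustration of the scheme described in the text: user name + PIN,
then a second user name + password; three failures at either stage lock
the account until the help desk resets it.  Not BT's code.  The credential
store, stage names, iteration count and reset routine are assumptions.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor (assumed)
MAX_FAILURES = 3       # lockout threshold from the text


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash of a PIN or password; never store the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


class Account:
    """One user's credentials for both stages plus a failure counter per stage."""

    def __init__(self, stage1_user: str, pin: str, stage2_user: str, password: str):
        self.salt = os.urandom(16)
        self.stage1_user = stage1_user.encode()
        self.pin_hash = _hash_secret(pin, self.salt)
        self.stage2_user = stage2_user.encode()
        self.pw_hash = _hash_secret(password, self.salt)
        self.failures = {1: 0, 2: 0}
        self.locked = False

    def _check(self, stage: int, user: str, expected_user: bytes,
               secret: str, expected_hash: bytes) -> str:
        if self.locked:
            return "locked"
        # Hash the guess unconditionally so a wrong user name costs the same
        # time as a wrong secret; compare_digest avoids early-exit timing leaks.
        candidate = _hash_secret(secret, self.salt)
        user_ok = hmac.compare_digest(user.encode(), expected_user)
        if user_ok and hmac.compare_digest(candidate, expected_hash):
            self.failures[stage] = 0
            return "ok"
        self.failures[stage] += 1
        if self.failures[stage] >= MAX_FAILURES:
            self.locked = True
            return "locked"
        return "denied"

    def stage1(self, user: str, pin: str) -> str:
        return self._check(1, user, self.stage1_user, pin, self.pin_hash)

    def stage2(self, user: str, password: str) -> str:
        return self._check(2, user, self.stage2_user, password, self.pw_hash)

    def helpdesk_reset(self) -> None:
        """Assumed out-of-band step: only after the caller has been re-verified."""
        self.failures = {1: 0, 2: 0}
        self.locked = False


def login(account: Account, stage1_creds: tuple, stage2_creds: tuple) -> str:
    """Full login. Stage 2 is only offered once stage 1 has succeeded."""
    result = account.stage1(*stage1_creds)
    if result != "ok":
        return result
    return account.stage2(*stage2_creds)


if __name__ == "__main__":
    acct = Account("jsmith", "4821", "js123", "correct horse")
    for _ in range(3):
        print(login(acct, ("jsmith", "4821"), ("js123", "wrong")))   # denied, denied, locked
    print(acct.stage1("jsmith", "4821"))                             # locked: even the right PIN fails
```

Note that a lockout only helps against guessing that goes through the login path; it does nothing against an attacker who can test guesses offline, which is the weakness of password-protected files discussed further down.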
Another growing danger to mobile systems is the remote access Trojan (RAT): a Trojan horse program that, once a user has inadvertently run it, gives a malicious hacker control of that PC or server over the Internet. A remote worker’s machine is a particularly attractive place to plant one, because it already has a trusted path into corporate systems. This was how one hacker – believed to be based in Russia – broke into the corporate network of software giant Microsoft in October 2000.
And it is not just laptops and PCs that are at risk from remote access Trojans, but also servers carrying known security vulnerabilities that systems administrators have never patched. Once a server is cracked, a hacker can easily upload a remote access Trojan and use that server for his own ends.
These sorts of threats should encourage organisations to consider outsourcing their security requirements, says Malde at BT, even if only at the level of vulnerability and risk assessment. Regular scans and ‘white hat hacking’, where consultants test the level of security in customers’ corporate systems by attempting to hack into them, can uncover potential security flaws before the real hackers discover them.
After all, says Malde, hackers run automated scans for vulnerabilities against a wide range of Internet protocol (IP) addresses around the clock. Often, what they are looking for is out-of-date web server or other Internet software for which a number of known vulnerabilities exist that they can exploit. By hiring a third party to scan for such vulnerabilities, an IT director can make sure that systems administrators are not taking short cuts on security, since implementing patches can be a laborious process.
Risk reduction
The security problems posed by the devices employees use to access corporate networks, in particular handheld computers such as Palm Pilots or PocketPCs, remain somewhat unknown, however. At present, the risks are purely theoretical, says Cady of WatchGuard. “A worker might go to lunch and swap a virtual business card with someone wirelessly, go back to the office, put it in the cradle, synchronise with their PC and in that way introduce a Trojan horse program to the corporate network,” he explains.
And it is not only handheld computers that carry such a threat, says BT’s Malde. Many laptop computers also have infrared ports that need to be appropriately secured as well, but many are not.
Taking this risk further, one of the greatest areas of potential growth for agile workers is access to corporate applications, such as email or databases, via their mobile phones. However, mobile phones have few built-in security measures, and even more of them are lost or stolen every year than handheld or laptop computers. The main difference, of course, is that when a mobile phone is stolen, the biggest loss of data is the directory of telephone numbers in its memory. But when a laptop is mislaid, the data lost will be far more sensitive and extensive.
“The biggest issue with laptop workers is loss of the laptop,” says Peter Hough, vaulting services manager at disaster recovery specialist SunGard Availability Services. Furthermore, mobile workers are much more likely to ‘have an accident’ with their laptops and handheld computers than office-bound workers.
This means that some form of back-up strategy is an absolute necessity. The most ‘clued-up’ of organisations are the major auditors, says Hough, because they do high-value work on clients’ sites and understand the need both to avoid losing data and to keep sensitive information safe from prying eyes if their laptops are lost or stolen. “In terms of security, organisations are writing into policies things like ‘you must not leave your laptop in the back of your car’, to try and cut down on the disasters. But in terms of back-up, they tend to go for a more automated approach,” says Hough.
SunGard uses software that backs up the user’s machine to an organisation’s central server automatically, in the background, from the moment they log on. The back-up software can be configured to back up only certain files, and to back up only those files that have changed since the last time a back-up was performed – not only ensuring that back-up takes place, but also dramatically reducing the amount of time and bandwidth the operation takes.
There are other techniques the software uses to further reduce the time and bandwidth required to do back-ups, adds Hough: “Take the example of a team of auditors out in the field. If they all have the same file on their laptops, once it’s got a back-up of one copy, when it comes to the next auditor’s laptop it recognises that it’s already got that file and that it doesn’t need to back it up.”
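The two bandwidth-saving techniques just described, change detection between runs and recognising a file the server already holds from another laptop, as an added example. It is not SunGard’s software: the in-memory “server”, the content-hash catalogue and the two auditors’ sample files are all constructed for the illustration.

```python
"""Incremental, content-deduplicated backup of a laptop's working set.

Added example of the two techniques in the text: files unchanged since the
last run are skipped without being read, and a file whose content the
server already holds (from any machine) is catalogued but not re-sent.
Not SunGard's product; the in-memory server and sample files are constructed.
"""
import hashlib
import os
import tempfile


class BackupServer:
    """Blobs are stored once, keyed by SHA-256; the catalogue maps (host, path) -> digest."""

    def __init__(self):
        self.blobs = {}       # digest -> bytes
        self.catalogue = {}   # (host, relative path) -> digest

    def has_blob(self, digest: str) -> bool:
        return digest in self.blobs

    def put_blob(self, digest: str, data: bytes) -> None:
        self.blobs[digest] = data

    def record(self, host: str, path: str, digest: str) -> None:
        self.catalogue[(host, path)] = digest


class BackupClient:
    """Runs on the laptop; remembers (mtime, size, digest) per path from the last run."""

    def __init__(self, host: str, root: str, server: BackupServer):
        self.host, self.root, self.server = host, root, server
        self.last_run = {}

    def run(self) -> dict:
        stats = {"scanned": 0, "skipped_unchanged": 0, "deduplicated": 0,
                 "uploaded": 0, "bytes_sent": 0}
        for dirpath, _, names in os.walk(self.root):
            for name in names:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, self.root)
                st = os.stat(full)
                stats["scanned"] += 1
                prev = self.last_run.get(rel)
                # Cheap change check first: same mtime and size as last run -> don't even read it.
                if prev and prev[0] == st.st_mtime_ns and prev[1] == st.st_size:
                    stats["skipped_unchanged"] += 1
                    continue
                with open(full, "rb") as f:
                    data = f.read()
                digest = hashlib.sha256(data).hexdigest()
                # Cross-machine dedup: the server is asked before any bytes are sent.
                if self.server.has_blob(digest):
                    stats["deduplicated"] += 1
                else:
                    self.server.put_blob(digest, data)
                    stats["uploaded"] += 1
                    stats["bytes_sent"] += len(data)
                self.server.record(self.host, rel, digest)
                self.last_run[rel] = (st.st_mtime_ns, st.st_size, digest)
        return stats


def _write(root: str, name: str, data: bytes) -> None:
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)


def demo() -> tuple:
    """Two auditors with one shared file; returns the stats of four successive runs."""
    server = BackupServer()
    with tempfile.TemporaryDirectory() as alice_dir, tempfile.TemporaryDirectory() as bob_dir:
        shared = b"Audit programme (constructed sample)\n" * 100
        _write(alice_dir, "audit_programme.doc", shared)
        _write(alice_dir, "notes_alice.txt", b"Alice's site notes\n")
        _write(bob_dir, "audit_programme.doc", shared)
        _write(bob_dir, "notes_bob.txt", b"Bob's site notes\n")
        alice = BackupClient("laptop-alice", alice_dir, server)
        bob = BackupClient("laptop-bob", bob_dir, server)
        first = alice.run()                      # everything is new: both files uploaded
        second = bob.run()                       # shared file already on server: only Bob's notes sent
        third = alice.run()                      # nothing changed: nothing read, nothing sent
        _write(alice_dir, "notes_alice.txt", b"Alice's site notes, day two\n")
        fourth = alice.run()                     # only the edited file goes
        return first, second, third, fourth


if __name__ == "__main__":
    for s in demo():
        print(s)
```

The mtime-plus-size check is the usual trade-off: it avoids hashing gigabytes on every run, but an edit that preserves both values is missed, and deletions are not propagated at all; a production tool adds a full rescan on a schedule and tombstones for removed files.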
Of course, no amount of backing up can prevent the data on a mislaid or stolen laptop from falling into the wrong hands. At BT, says Malde, it is corporate policy to encrypt sensitive documents – although, as most PC encryption packages derive their key from a password, the protection is only as strong as that password, and a determined hacker can try guesses against the file offline, with no help desk or lockout in the way.
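An added illustration of that caveat (not BT’s policy nor any vendor’s product): a password-protected file typically stores a salt and a key-check value beside the ciphertext, and that is all an attacker needs to test guesses offline. The key derivation (PBKDF2-HMAC-SHA256), the iteration count and the small word list with common mangling rules are assumptions made for the example.

```python
"""Why a password-protected encrypted document is only as strong as its password.

Added example, not a real product: the file holds a salt and a key-check value
(KCV) derived from the password, so anyone with a copy of the file can test
guesses offline at full CPU speed.  Iteration count and word list are assumed.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000   # PBKDF2 work factor (assumed; real tools vary widely)
KCV_LABEL = b"key-check"


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def key_check_value(key: bytes) -> bytes:
    """A verifier the software stores so it can tell a wrong password from corrupt data."""
    return hmac.new(key, KCV_LABEL, "sha256").digest()


def protect(password: str) -> tuple:
    """What a password-protected file keeps next to the ciphertext: (salt, KCV)."""
    salt = os.urandom(16)
    return salt, key_check_value(derive_key(password, salt))


def candidates(base_words):
    """Cheap mangling rules of the kind every password cracker applies."""
    for word in base_words:
        yield word
        for suffix in ("1", "123", "!", "2003"):
            yield word + suffix
        yield word.capitalize()


def offline_guess(salt: bytes, kcv: bytes, base_words) -> tuple:
    """Attacker's loop: returns (recovered password or None, number of guesses tried)."""
    tried = 0
    for guess in candidates(base_words):
        tried += 1
        if hmac.compare_digest(key_check_value(derive_key(guess, salt)), kcv):
            return guess, tried
    return None, tried


# Constructed word list; a real one has millions of entries.
WORDLIST = ["password", "letmein", "quicken", "watchguard"]


def crack(password: str) -> tuple:
    """Protect a document with `password`, then attack it with only the file's metadata."""
    salt, kcv = protect(password)
    return offline_guess(salt, kcv, WORDLIST)


if __name__ == "__main__":
    print(crack("quicken123"))                   # recovered after a handful of guesses
    print(crack("purple-raven-ladder-47"))       # not in any mangled word list: (None, 24)
```

The work factor slows each guess but does not change the picture: a password in a word list falls in seconds, which is why the sensible policy pairs file encryption with a long passphrase or a hardware token rather than relying on the package alone.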
And at the same time that staff are out on the road or working from home, an ‘agile business’ is also likely to play host to a number of outside consultants and contractors, who might hold sensitive information about the organisation on their own laptops.
Giga Information Group analyst Michael Rasmussen suggests that they should be made to read and sign up to an organisation’s security policy before even being allowed over the threshold. In addition, organisations should make sure that references are followed up and full background checks conducted.
This may sound extreme, but is backed up by experience. One of BT’s clients, says Malde, unwittingly employed a known hacker to do some development work. It was only later that they found out that he had installed a number of illicit ‘back doors’ into the software that he had written. And it was only luck that ensured that they found out about it before the hacker was able to remotely exploit his handiwork.
By enforcing policies and ensuring employees follow them, other organisations could also avoid the same fate.