My job keeps me on the road a lot and since I work for a global company my travels are both domestic and international. As part of an experiment, I decided to see how secure companies really are when their users are on the road. So before we get started, I have to ask, "How much of your intellectual property can be at risk on roving laptops?"
A few short years ago, the predominant threat to a traveling person was the theft of their laptop. Today, with new wireless access capabilities popping up all over the world, a severe breach can be easily carried out and confidential company information can be stolen without warning.
Recently I took an old laptop of mine and outfitted it for the road (no, this was NOT a company laptop). On the laptop I had a wireless card, a wired connection, Norton Internet Security (disabled and enabled for this experiment), a packet snooper and Ad-aware and SpySweeper to remove spyware and popups. I toted this around (to the detriment of my poor back) through 17 cities in two countries. I also had a mirror image on CD so that in each location I could blow away any account previous damage and start over. In each site, I would connect to the Internet using whatever service the hotel provided, I logged all activity and just watched people trying to hack into my machine. Of course, none of the intruders actually got any useful information because there wasn't any -- but it served them right!
What really surprised me was the lack of general security at some locations. One hotel in Atlanta just added wireless at their facility. During connection, I realized that the credit card information went out in clear text! As soon as the credit card was accepted, the service stopped as there was not enough bandwidth to handle anything else. (By the way, the credit card had a $50 limit and was a prepaid Visa – so they couldn't hurt me much.) When I called the wireless provider and complained, they stated that they had not received their keys for encryption yet on the credit card side, and that WEP was sufficient for most people. (Now, there's a provider I am going to rush out and hire – NOT!) The tech manager also stated that it takes more bandwidth to handle passing keys back and forth for encrypted communication so they opted not to provide it (huh?), but there still was not enough bandwidth to surf the net.
I actually got to watch someone attach to my machine and scour for passwords and other information sending directory checks through an enabled guest account. I had fun with that one because I kept unplugging my connection and then plugging it back in. When I turned Norton on, at this particular site in Dallas I had 37 intrusion attempts to my machine within 24 hours. Scared yet? Granted, I had the machine wide open at some points and not at others. I did not have all the security patches required, but I wanted to see just what could happen with an open, unpatched machine. In each instance, I followed the links on the sign-up site, and ensuing links to see what else would load on the machine.
In total -- out of the 17 cities (24-48 hours at each location), there were:
- 227 intrusion attempts
- 321 Spyware loads (many came right off the main site to sign up for service)
- 21 attempts to get passwords
- 3 sent critical info (like credit card info) via clear text
As hotels scramble to provide "free" high speed Internet services and people use more and more wireless and other non-secure access methods -- the amount of a company's intellectual property at risk is certainly higher than it was even one year ago. The solution -- use VPN's, patch your mobile machines, and by all means -- notify your end users of safe practices when they are hauling your information all over the country. Each laptop that moves around should have a personal firewall (I have to say Norton never let me down – but there are others just as good). While we must understand the risks through continuous education, companies can not expect the same from their road warriors who may be little more than PC literate. Forewarned is forearmed!
Carrie has been involved in the computing and networking industries for nearly 20 years. She has worked with manufacturing firms, medical institutions, casinos, healthcare providers, cable and wireless providers and a wide variety of other industries in both networking design/implementation, project management and software development for privately held consulting firms and most recently Network and Software Solutions.
Carrie currently works with The Siemon Company where her responsibilities include providing liaison services to electronic manufacturers to assure that there is harmony between the active electronics and existing and future cabling infrastructures. She participates with the IEEE, TIA and various consortiums for standards acceptance and works to further educate the end user community on the importance of a quality infrastructure. Carrie currently holds an RCDD/LAN Specialist from BICSI, MCNE from Novell and several other certifications.