Understanding the risks mobile devices pose to enterprise security

There are many ways mobile devices and remote connectivity can put your enterprise in danger. Understanding these security vulnerabilities is crucial for protecting your systems.

Keeping a static infrastructure protected is challenging enough, but these days you also have to make sure laptops, notebooks, netbooks, tablets, PDAs, and phones are all up to snuff. In addition, users are making connections with these devices that are likely not secure.

But don't fret: There are several ways for administrators to mitigate the risks posed by mobile devices and remote connectivity. In the first part of this series, we'll explore what these risks are. Then, in Part 2, we'll find the solutions.

Security risks
The first step is to identify technologies and practices that can put your company at risk. I've categorized these risks into the following areas:

  • Unauthorized network access
  • Unsecured or unlicensed applications
  • Viruses, malware, spyware, etc.
  • Social engineering

Loss of data or devices
We've all seen the news reports about laptops being lost or stolen -- along with names, Social Security numbers and financial data. Several sources claim that 12,000 laptops are lost at major airports each week: Simple math extends that to more than 600,000 laptops per year. One report says that, of that number, only 30% of the machines are recovered by the owner, and half of the owners say their laptops contain sensitive customer data or business information. And now that PDAs and smartphones can store more data, the problem will only get worse.

But mobile devices aren't the only things that can be lost or stolen. It's also important to plan for the physical security of servers. If an intruder can get physical access to a server -- either to hack a login or to steal the disk drive of a domain controller -- it makes their job much easier.

What to do: While you can't prevent people from losing these devices, you can guard the contents by encrypting drives, file systems and email. You should also require a password or PIN to boot the drive or to access files or email. Since this technology is readily available, it's amazing that so few companies implement it.

Unauthorized network access
Unauthorized network access means either an external intruder accessed a computer on your network or an employee accessed data that he or she should not have. At TechEd North America, I attended a presentation by security expert Marcus Murray. Murray provided interesting demonstrations of how hackers access network resources.

For example, attackers need to compromise only one machine, and they hope they can get to a machine where a domain admin has logged in. They can use tools for dumping password hashes to log into a domain controller with the hashes from a privileged account.

There are many ways to compromise one machine, like recovering a laptop from an airport or social engineering. To do this, the attacker only needs to trick one user into going to a malicious website or downloading an evil application, tool or game. Attackers use very convincing email messages with legitimate-looking company logos and links to convince people to connect and provide personal information. Tools such as a "Trojan listener" are then downloaded for the attack. Marcus claimed that the tools used in his demo were undetectable, so you can forget about your antivirus and anti-spyware software protecting your machines.

Furthermore, a company's vulnerability is increased by employees who access company resources from unsecured networks such as free hotel Wi-Fi, a customer or partner company's network, or even a home network. In addition, coffee shops, libraries, government buildings and some city downtown districts offer free, unsecured Wi-Fi.

What to do: You can't keep employees from using unsecured networks, clicking on hacked websites or getting fooled by free stuff on the Internet. Therefore, you should take the following precautions:

  • Restrict NT LAN Manager (NTLM) authentication. A lot of applications still use it; however, it's not secure.
  • Use a smart card and similar authentication mechanisms with two-factor authentication. For example, a smart card or USB key device can store the certificate and authentication information and require a PIN. If the user loses the mobile device, an intruder can't log on without the smart card. Even if the intruder has the device and smart card, he would need to know the PIN. Of course, most software requires only a four-digit PIN, but the user would typically not lose both devices in the same place. Other methods include biometric devices such as fingerprint readers.
  • Require a strong password. Some time ago, a Microsoft security expert described how long it would take a brute-force attack to crack passwords of various lengths. On average, a password of eight characters would take several years to crack. I know of one company that requires a 12-character password, which needs to be changed only once a year. Guessing the password is difficult, and this practice reduces the need for users to remember new passwords. But even with strong passwords, users still stick password notes under their keyboards.
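
Because many applications still depend on NTLM, restriction usually starts with an audit. The following read-only PowerShell script is an added example, not part of the original article: it reports the local registry values behind the "LAN Manager authentication level" and "Restrict NTLM" Group Policy settings (Windows 7 / Windows Server 2008 R2 and later) and summarizes recent NTLM audit events. The target values are assumptions about a hardened baseline, and the script needs PowerShell 3.0 or later.

```powershell
# Added example: read-only NTLM posture report for the local machine.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = "$lsa\MSV1_0"

# Target values are an assumed hardened baseline, not values from the article.
$settings = @(
    @{ Path = $lsa;   Name = 'LmCompatibilityLevel';         Target = 5; Meaning = 'send NTLMv2 only; refuse LM and NTLM' }
    @{ Path = $msv10; Name = 'AuditReceivingNTLMTraffic';    Target = 2; Meaning = 'audit incoming NTLM for all accounts' }
    @{ Path = $msv10; Name = 'RestrictSendingNTLMTraffic';   Target = 1; Meaning = 'audit outgoing NTLM (2 = deny all)' }
    @{ Path = $msv10; Name = 'RestrictReceivingNTLMTraffic'; Target = 2; Meaning = 'deny incoming NTLM for all accounts' }
)

$report = foreach ($s in $settings) {
    # A missing value means the policy is not configured and the OS default applies.
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $status  = if ($null -eq $current)          { 'not configured' }
               elseif ($current -ge $s.Target)  { 'meets target' }
               else                             { 'below target' }
    [pscustomobject]@{
        Setting = $s.Name
        Current = $current
        Target  = $s.Target
        Status  = $status
        Meaning = $s.Meaning
    }
}
$report | Format-Table -AutoSize

# With auditing enabled, this log shows which NTLM authentications still occur,
# so dependent applications can be found before anything is set to deny.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```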

Unsecured or unlicensed applications
Unlicensed apps can cost a company a lot of money in legal costs. There are even websites that offer rewards to employees who turn in their employers for running unlicensed software.

What to do: Prevent installation of software on user workstations. This is easily done via Group Policy using AppLocker for Windows 7 and Windows Server 2008 R2, and Software Restriction Policies for Windows XP and Windows Server 2003 and 2008. Note that you can't rely on User Account Control (UAC) in Vista and XP to prevent application installation without admin credentials. This is because Microsoft intended developers to be able to get around UAC and force installation of software with elevated privileges.
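
One way to build such an AppLocker policy with the AppLocker PowerShell cmdlets, shown as an added example that is not from the original article: it generates allow rules from a reference machine, switches them to audit-only mode, and dry-runs the result against files in a user's Downloads folder. The reference directory, output file and GPO path are assumptions or placeholders.

```powershell
# Added example; run in an elevated session on a clean reference machine.
Import-Module AppLocker

$referenceDir = 'C:\Program Files'                        # assumption: contains only approved software
$policyPath   = Join-Path $env:TEMP 'applocker-audit.xml' # hypothetical output file

# 1. Inventory the approved executables and Windows Installer packages.
$approved = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe, WindowsInstaller

# 2. Generate allow rules: publisher rules for signed files, hash rules as the
#    fallback for unsigned ones.
[xml]$policy = $approved | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Start in audit-only mode so blocked launches are logged, not prevented.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# 4. Dry run: what would the policy decide for files a user has downloaded?
$downloads  = Join-Path $env:USERPROFILE 'Downloads'
$candidates = @(Get-ChildItem -Path $downloads -Include *.exe, *.msi -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object { $_.FullName })
if ($candidates.Count -gt 0) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 5. After reviewing the audit results, import the policy into a GPO.
#    The LDAP path below is a placeholder, not a real object.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap 'LDAP://<distinguished name of your GPO>'
```

AppLocker rules are only evaluated while the Application Identity service (AppIDSvc) is running on the client, so the GPO should also set that service to start automatically.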

Regardless of the risks, one thing is for sure -- you can't count on users or paper policies to keep your enterprise safe. Users don't think about these vulnerabilities, and they often consider any type of policy an intrusion on their time and privacy. Users also complain that after they load antivirus software, two-factor authentication, and email, file and drive encryption, their devices slow down.

The most secure environment would not have a network at all and never go out on the Internet. Obviously, that wouldn't allow the business to run, so there has to be a middle ground -- a way to be secure but still let users do their work and keep the business going.

Considerable technology is available to mitigate these risks, but users and admins can reduce the risk in several ways. In Part 2 of this series, I'll dig deeper into these methods and products.

Gary Olsen is a systems software engineer in Global Solutions Engineering at Hewlett-Packard. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Olsen is a Microsoft MVP for Directory Services and formerly for Windows File Systems.
