The world of network management is no longer fully connected by wires and safely ensconced behind a firewall locked in the glass doors of the data center. The internal network is now accessible from outside – telecommuters and business travelers frequently access corporate data and facilities from mobile devices such as cellphones, PDAs or pocket computers like iPaqs or Blackberries, and laptop computers. The proliferation of mobile computing technologies over the last five years has made it difficult to keep up with security requirements for these devices. There are two main areas of vulnerability in mobile computing: Bluetooth security and physical loss or theft of the device. Securing these points can be a challenging aspect of network communications management, but it is vital to the security of the core network as well as the integrity of the user’s equipment and data. Policy requirements, hardware and software solutions and user education should be combined to reduce the risk of network compromise through misused mobile computing devices.
Physical loss or theft of a mobile computing device is simultaneously the simplest and the most potentially devastating security breach. One commonly lost or stolen mobile computing device is the laptop, on which we will be focusing in this scenario. How common is laptop loss or theft? According to FBI statistics cited on Attrition.org, very – 1 in 10 laptops will be stolen within the first year of use and not recovered (Attrition.org, “Laptops”). Laptop loss is also extremely common, with an average almost 5,000 laptops being left in taxis a year in London alone (Attrition.org, “Laptops”). While the recovery rate for lost laptops is far higher than that for stolen laptops at almost 60% in London (Attrition.org, “Laptops”) there is still substantial chance of data loss or security compromise. The top-level business cost of a stolen laptop is the replacement cost of a new laptop and additional software licenses if required ($1,500-$5,000). However, in the absence of a comprehensive and well-enforced data and network access policy, the costs can be far greater. Ernst and Young, a high-profile accounting and Sarbanes-Oxley auditing firm which is in the forefront of the operations transparency push, had a laptop which contained the personal information of an undisclosed number of clients stolen from an employee’s vehicle (Vance, 2006). Ernst and Young has claimed that the laptop was encrypted, but has not yet disclosed the full extent of the data loss. Smaller organizations, which often have fewer security resources or defined security procedures, can prove an even greater risk. The theft of a laptop from an employee of Colorado’s Metropolitan State College is a demonstration. The laptop in question, which was unencrypted, held the names, Social Security numbers and other personally identifying information of 93,000 current and former students – a full nine years worth of enrollment (MacMillan, 2006). This data was being used to both write a grant proposal and as a research data set for the employee’s Master’s thesis (MacMillan, 2006). This theft, although it has not yet been implicated in any identity theft cases, has the potential to become a serious problem.
In order to protect the network and associated data from damages related to physical loss or theft, there are two needs to fill. The first is the security of the network and the data contained within it; the second is the physical security of the device itself. If the first requirement is met sufficiently, the second requirement becomes less immediate, although still very important. Network security and data safety should be paramount when designing a network which is hardened against physical loss or theft of equipment. Hardware can be replaced easily, as can software, but the security breach caused by lost data or insufficiently secured network access can be much more difficult to fix and potentially embarrassing for the company as a whole or even cause for litigation. A data security policy should address the following questions: Can company data be stored on a mobile computing device? If yes, how should it be encrypted? What is the remote access method for the internal network resources? What is the encryption level of the equipment itself? (“Supporting Mobile Users”, 2005, 8-9). Network security should be ensured from both sides – not only should the mobile computing device be protected, but the network structure itself should be.
Unless there is a business case for doing otherwise, I recommend as a policy that no company information or customer data is to be stored on mobile computing devices, but rather accessed on the network through a secure access protocol. All devices should be secured at a minimum by a username/password entry on startup or wake from sleep, along with a standard public-key encryption on all identifying information on the laptop and a disabling of the saved passwords feature wherever possible; for devices used to access highly sensitive data, more robust user verification methods such as biometrics or passkey-generating devices, like an RSA SecurID tag, should be used. For access to corporate networks, including data and voice communications networks, the most secure method possible should be used. For data access, a VPN (virtual private network), carefully designed with authentication processes such as RADIUS or passkey generators for user access, user connect timeouts and limited access protocols should be used, with no open dial-up, FTP or other unsecured access available (“Supporting Mobile Users”, 2005, 9). Mobile computing devices should also be fully guarded against viruses and Trojan horses with up to date antivirus software, in order to avoid a “zombie” device replacing itself onto the corporate network (“Supporting Mobile users”, 2005, 9).
Securing physical access to a device and preventing loss or theft wherever possible is a second front in protecting network security. Hardware solutions are the simplest fix for the problem of physical access control. This includes devices such as Kensington locks for laptops, which secure the laptop to a table or other hard to move object and startup user authentication systems which require a hardware device (“dongle”) to be present before starting the machine (“Supporting Mobile users”, 2005, 9). User education is most important in this area; teaching users to not leave equipment unattended or in a vehicle, be aware of their surroundings and not carry equipment in a bag which looks like a computer bag, and other measures to prevent the loss or theft of equipment, as well as spelling out a specific user responsibility policy in the event of lost equipment, can greatly reduce the risk of hardware loss or theft.
On the network side, there are a number of measures the network implementation team can take to prevent intrusion via lost, stolen or equipment. First among these measures is a robust and up to date firewall system which screens all outside connections, and includes such features as intrusion detection/prevention (IDS/IPS); also required is an antivirus program which is propagated to each host across the network (Rudius, 2004).
A second area of vulnerability in network communications security is Bluetooth, a short-wave radio wireless facility. This wireless communication capability, which is fast, lightweight, easy to use and easy to implement, has become a de facto standard in connecting mobile computing devices such as laptops, phones, PDAs and pocket computers, and even peripherals like mice, keyboards and graphics tablets. Bluetooth is a very insecure protocol, however; there is no authentication required to link to another Bluetooth device in many cases unless the owner of the receiving device specifies otherwise. Leaving Bluetooth enabled and unsecured can open mobile computing equipment up to attack. This has the potential to propagate across a network like any other virus or worm, leaving the entire network vulnerable to the attack.
The first report of a Bluetooth vulnerability leading to a security exploit was discussed at the 2006 InfoSec conference (Chapman, 2006). The attack exploited unsecured Bluetooth connections to send premium rate text messages automatically, charging $5 per each message. Even professional security administrators are seemingly unaware of this loophole; F-Secure, the security company which reported the exploit at InfoSec, installed a honeytrap seeking for unsecured Bluetooth connections; it found 1,142 unsecured devices within 3 hours, with 183 in range of the transmitter (Chapman, 2006). The exploit discussed worked because an unsecured Bluetooth receiver accepts incoming transmissions from any device in range; if the receiver receives a file or program to install and the user agrees to install it, the device is left open to the file’s contents, and can, if directed to by a malicious program, transmit the file back through a laptop or other device and propagate across a network.
The security profile of the Bluetooth protocol is getting worse, not better. At HackLu2006, a European ethics and security conference, two consultants, Kevin Finistres and Thierry Zoller, demonstrated a number of methods to crack the end-to-end encryption which is established with a 2-device Bluetooth connection, deciphering the device name (a PIN-like identifier which is used to establish a connectioN) and then cracking the 128-bit security algorithm (“Bluetooth Security”, 2006). The pair then continued to crack the encryption of headsets, cameras, cellphones and other commonly used Bluetooth devices.
Bluetooth receivers are installed in many mobile computing devices – cellphones, PDAs and laptops routinely have Bluetooth integrated into the networking capability of the device, and the service can offer valuable inter-device connectivity. The proliferation of Bluetooth-enabled devices mean that common personal items such as digital cameras, personal cellphones and PDAs will often be within range of network-connected corporate assets, further complicating the security picture with devices which cannot be secured.
As Zoller and Finistere suggest, the solution to this problem is to “just turn it off” (“Bluetooth Security, 2006). Turning off Bluetooth reception capabilities when not in use is the best defense against malicious file transfer, encryption compromise or other attacks via Bluetooth. Additionally, because Bluetooth has a limited transmission range, a policy of waiting until the crowds have dispersed is a secondary security measure. Both corporate policy, careful purchasing and user education can be used to enforce this policy. First, don’t provide users with Bluetooth enabled devices if there is no requirement for wireless connectivity. A Bluetooth-enabled digital camera is not required, as a small card reader can perform the same task. Second, establish corporate policy about keeping Bluetooth turned off when not in use, and educate users about the dangers of Bluetooth security and encourage them to take the same action with their own devices. Educating users about how and when to use Bluetooth, how to secure it against incoming connections and how to avoid inadvertent interfacing with a malicious device is the best policy for utilizing this useful, but insecure, technology.
Mobile computing security is a serious issue that all network communications managers are going to encounter, sooner rather than later. It is also a developing field, with new information, new vulnerabilities and new defenses being published every day. Keeping abreast of security technology is the best defense against an increasingly complicated mobile security landscape. There is no one right course of defense against these issues: user education, policy changes, careful choice of hardware and software, and network-side enforcement of security policies must all be used for an effective defense.
(November 3, 2006). “Bluetooth Security Still Wobbly”. Retrieved April 22, 2007 from http://www.unstrung.com/document.asp?doc_id=109797
Chapman, M. (April 25, 2006.) “Bluetooth trojan leaves mobile phone users out of pocket.”
Retrieved April 22, 2007 from http://www.vnunet.com/vnunet/news/2154728/bluetooth-virus-leaves-mobile
“Introduction to the History of Lost or Stolen Laptops.” Retrieved April 22, 2007 from http://attrition.org/errata/laptops.html
McMillan, R. (March 3, 2006). “Colorado college warns 93,000 after laptop theft.” Retrieved
April 22, 2007 from http://www.networkworld.com/news/2006/030306-colorado-college-laptop-theft.html
Rudius, B (April 21, 2004). “Protecting Road Warriors: Managing Security for Mobile Users (Part One). Retrieved April 22, 2007 from http://www.securityfocus.com/infocus/1777.
“Supporting Mobile Users: Tech Republic Real-World Guide.” Retrieved April 22, 2007 from http://whitepapers.techrepublic.com.com/whitepaper.aspx?&cid=7&docid=155623.
Vance, A. (February 25, 2006). “Ernst & Young fails to disclose high-profile data loss.”
Retrieved April 22, 2007 from http://www.theregister.co.uk/2006/02/25/ernst_young_mcnealy/