Are users behind the greater security risk attributed to laptops
and mobiles? Kevin Townsend reports on what you can do to increase
the safety of your mobile data
Most of us commute daily to offices. For white-collar workers,
commuting is the transporting of bodies to be close to information
they work on. Yet the transfer of matter is slow, costly and
inconvenient while the movement of information is instantaneous,
inexpensive and convenient. It is economically inevitable that we
will reverse our current practices and start to move data to bodies
rather than bodies to data.
The technology is already in place: mobile computing. Wireless
devices connected to the Internet mean that we can bring the full
scope of office-based information to our fingertips wherever, and
whenever we like. The economics are irrefutable. But the
practicality is a different matter.
The main problem is security. Users are already wary about using
the Internet - and the feeling of insecurity is heightened where
access is made via a mobile telephone or personal digital assistant
(PDA). But the economic rewards from mobile computing are so great
that this is an issue every user must face and defeat.
There are two fundamental types of mobile use: retail and
workforce. The former can be characterised by e-banking, Tesco
Online or Amazon. It is where an unknown customer interacts with a
Web site and makes a purchase or conducts some other transaction.
This mode requires the Internet as its communication channel and
Web technology for its delivery.
Road warrior
The latter mode is characterised by the "road warrior" - a
company's own workforce that doesn't operate from a fixed location
but requires instant access to corporate data. This mode will
inevitably use the Internet for communications but is not
constrained to Web technology for its delivery.
What the road warrior needs is direct access to corporate
applications, probably via a virtual private network (VPN) over the
Internet. Such a network uses encryption to provide a secure
tunnel. The data is as exposed as anything else on the Internet -
but the encryption protects it and can provide authentication,
confidentiality, integrity and non-repudiation.
The road warrior is more static than the "retail" user and is more
likely to use a powerful laptop, perhaps connected via a mobile
telephone. The security technology available is effectively the
same as that for any static PC user.
But it is completely different for the retail user who could access
the Internet directly with a mobile phone while walking down the
high street or via a PDA in the car park of a motorway service
station. The retail user relies on small devices
with limited resources and a wireless connection.
The limited resources are the key. While a standard PC is generally
shipped with a large screen and 128Mbytes of Ram, a mobile device
typically has a small screen and 8Mbytes of Ram or less. In short,
a mobile device will have:
- a less powerful CPU
less memory (Rom and Ram)
restricted power consumption
a smaller display
a different input device (eg a phone keypad, voice input,
etc).
The traditional browser-based access to an image-rich HTML or
XML-based data source via mobile devices simply doesn't compute for
PDAs. Suppliers have consequently been forced to develop a new
approach. Currently, the standard is Wap, which provides mobile
Internet access to simple text information.
iMode alternative
But there is a rival called iMode. This is a mobile Internet access
service provided by DoCoMo, Japan's largest mobile communications
operator with more than 36 million subscribers. The iMode service
was launched in 1999 and by April 2001 it had gained more than 22
million subscribers. The revenue stream is phenomenal, and DoCoMo
recently announced a Yen50bn (£28m) investment programme to
"upgrade its iMode Internet-capable wireless system", and a new
relationship with enterprise software specialist SAP to "conduct a
series of feasibility studies regarding the joint development of
mobile business solutions".
At the moment, iMode is not important outside of Japan but it seems
clear that it has the potential to provide a serious competitor to
Wap in the future. In the meantime, mobile e-business computing is
limited to Wap.
Secure layer
Wap's security lies in its transport layer, WTLS. This is heavily
based on the Internet's TLS, which is still better known as Secure
Sockets Layer, or SSL. There have been suggestions that WTLS has
some inherent insecurities - but they are probably no greater than
any of the other inherent insecurities in computing. To all intents
and purposes, WTLS provides secure encryption for Wap-based
devices.
Unfortunately, it is not end-to-end encryption. Data is encrypted
on the Wap device and remains encrypted until it reaches the Wap
gateway. Here it is decrypted to allow forwarding to the right
address and, although it may subsequently be re-encrypted, it is
available as plain text while on the gateway server. This is known
as the "encryption gap" - and is a security weakness that should be
addressed by future Wap versions. In the meantime it is a potential
problem.
Having said that, it is clear that technology is providing a
satisfactory degree of security for the mobile user. The encryption
gap pales into insignificance when compared to what has been
described as the "policy gap".
The security policy comprises the rules and regulations governing
how a computer system may be used. It is augmented by security
software. For example, a company policy might state that users are
not allowed to load software from an alien floppy disc (for obvious
viral reasons).
While in the office, this can be well policed. First of all, staff
will be reluctant to break the rules in front of colleagues.
Second, it can be supported by software that can recognise and
reject foreign discs. In short, at the office, security policies
can be maintained.
But what about the hotel room? Or the study at home? How do you
prevent the executive working at home over the weekend on his home
computer from loading a game off a magazine CD-Rom or surfing the
Internet and visiting sites that filtering software prohibits in
the office?
It's not just a difficult problem; it is frequently an ignored
problem. There is a tendency to assume that what happens at home is
not a problem for the company.
But this is far from true.
Last year Microsoft was infected by a trojan that enabled a hacker
to see source code in development. Nobody really knows the extent
of the harm done - Microsoft played it down. But it could have been
very, very serious. And it is believed to have happened via a
remote worker who had legitimate access to Microsoft's systems via
the corporate VPN. But the worker had been surfing the Net on his
own system, became infected and then infected Microsoft via the
secure VPN.
The biggest perceived problem for the mobile worker is theft -
physical theft of laptops and PDAs. Indeed, there have been so many
high-profile thefts of sensitive government laptops that the UK
Government is reportedly in the process of buying 15,000 special
cases that cost £1,000 each (the security services have apparently
"lost" more than 200 laptops in the last five years). Gadgets in
the cases will wipe all data on the laptop if the case is forced
open.
Viruses on PDAs
But apart from theft, most users
consider that PDAs are relatively secure. They are relatively, but
not absolutely.
"Viruses are always an area of weakness, but the risk on handheld
computers is surprisingly small," comments Craig Swallow of
handheld manufacturer Psion. "In fact, strictly speaking there
aren't any viruses that affect handheld devices, only trojans. The
majority of these are, however, harmless. Payloads range from
switching backlights on and off at irregular intervals to posting
insulting messages on the screen.
"To date, there have been no known cases of trojans that affect the
Symbian platform - and Palm has only had one seriously damaging
case, Liberty Crack, which resulted in total file deletion."
Nick Sears, vice-president of security solutions company Finjan
Software Europe, thinks we should not be complacent. "The next
devices to be attacked by malicious code will be Wap-enabled mobile
phones and PDAs, especially as they become more robust and widely
used. A real concern today is a possible attack delivered to a PC
from a PDA during its synchronisation routine - it is important to
treat code delivered from a PDA to its host PC as suspect and
subject to monitoring."
According to Sears, since these devices probably don't have the
memory to hold large anti-virus databases, more sophisticated
"lightweight" behaviour monitoring solutions that don't require a
database of known attacks will be needed "such as monitoring and
blocking code for illicit behaviour rather than static scans of
old, known attacks".
But as the power of PDAs increases - and it will undoubtedly
increase quite dramatically over the next few years - the incentive
and capacity for virus writers and hackers will grow.
"Now is the time to set the standards, before mobile devices are so
pervasive that businesses no longer have control," adds Swallow. "A
lot of people are buying palmtop devices and then bringing them
into the office for business use. Companies need to know what
equipment staff are using so they can promote better ways of
working with them."
"The real issue," says Bob Lonadier, a consultant with technology
analyst group Hurwitz, "is who owns the information on the devices.
As long as there is corporate data stored on it then the company
owns the problem of preventing it from falling into the wrong
hands."
And the only way to solve that problem is to own the device as
well. If you employ remote workers, provide the PC. If you employ
road warriors, supply them with company laptops.
"Companies need to ensure that their security policies cover mobile
users, the weakest link into their systems," explains Neil Burfoot,
consulting director of end-to-end technology company Eurodata
Systems. "Mobile security comes from a combination of people,
process and technology. There is no point installing distributed
firewalls if users then leave laptops on the train or share
passwords with others."
Mobile security lapses over the past 18 months
2000: January
A laptop computer with highly classified information disappeared
from a conference room in the US State Department's Bureau of
Intelligence and Research. It was alleged to have contained highly
classified information about arms proliferation issues and about
sources and methods of US intelligence collection
2000: May
An Ministry of Defence (MoD) laptop computer containing sensitive
data pertaining to a new US/UK jet fighter pilot project was stolen
from the luggage rack of a London Heathrow bound train
2000: September
A laptop "containing information of
value to foreign governments" was stolen from the hotel room used
by Irwin Jacobs, chief executive officer of Qualcomm
2000: October
53% of managers questioned said their department often had no idea
where company laptops were. When those laptops are in workers'
homes, many are lent to friends or flatmates," said Bindview's
security risk management in the flexible workplace survey
2001:April- An MoD laptop "packed with national security secrets" was left
in - and lost from - the back of a taxi
The 2000 CSI survey reported that 60% of US companies experienced
laptop theft (down from 69% in the previous year)
Safeware reports that 387,000 laptops were stolen last year
"The weakest link in the corporation is not a server that is in a
machine room, but a laptop that is used to connect both at work and
at home," said Arlene Brown, managing director of Network ICE
Corporation.
Laptop security in a nutshell
- Authenticate the remote user with at least two-factor access
control (eg password and token or biometrics)
Protect the laptop with a personal firewall
Use anti-virus software
Encrypt all data stored on the laptop
Install a virtual private network for communication with the
corporate network
Impose a strict security policy and make non-compliance a
disciplinary offence
Instigate a continuous staff training programme teaching good
security practice
.