Special Report
Mobile security
Mobile devices and wireless networks form a major part of corporate IT strategy - but they're the biggest potential weakness in computer and data security, writes Chris Green
Don't let your data go walkies when you do

Laptops, PDAs, tablet PCs, email pagers and mobile phones - their proliferation among your employees, customers and suppliers is vast, and their role in everyday commerce and the production and transport of data is equally extensive. So why are these devices often excluded from an organization's IT security policy?

Whatever the reason for this, it simply cannot continue, particularly as these devices are being connected to the corporate network for data and internet access, and regularly come into contact with external resources, unscreened software and potential risk from malicious attack and theft.

'With the increasing need for information to be available wherever we are, along with the advent of faster and more reliable wireless machines, growth continues to be strong,' says Philip Whitmore, senior manager at PricewaterhouseCoopers' global risk management division.

Summary

Mobile devices are growing at an incredible rate within companies as well as among consumers and corporate customers.

The popularity of PDAs is a particular problem for IT departments implementing security policy.

Passwords alone are not always enough of a safeguard to protect a mobile device if it leaves the possession of its owner.

Encryption of data and entire drives, controlled using additional hardware is a robust way of protecting data.

The issues of mobile device security

According to RSA Security's technical director Dag Stroman, there are three main areas that must be considered when rolling out mobile devices and the infrastructure to support them.

'The first is that wireless networking gives you access to data over the air, so you need to protect the data while it is being transmitted and you need to authenticate both ends of the process, the client and the server,' he says.

'The second is that mobile devices create a new threat to internet communication. Devices are cheap and can be carried around casually with no apparent way of securing them, everything from the smallest mobile phone right up to laptops. The security issues with all of them are similar: if you store valuable data on them you have to take steps to secure it.'

This applies across two levels: ensuring that if a device is compromised the data won't be as well, and ensuring that the only copy of that critical data is not the one on the laptop, PDA or phone that has just gone missing. As well as investing in countermeasures, this highlights the need for a sound backup strategy. Make sure that data is replicated at regular intervals so that when devices and their data are lost or damaged, machines can be redeployed and your data assets do not disappear into the ether.

'The third important thing is that we are beginning to use these devices as a means to authenticate our own identity, either to the corporate network or to third parties such as banks for online banking,' says Stroman. 'Therefore they must be trustworthy, and possession alone is not enough to achieve this.'

'Any password can be cracked, so passive certificates tied to a device give no guarantee that the person holding the device is the rightful owner of the personal information and financial data tied to it. How do I know if someone has seen what my username or password is over my shoulder?' says Stroman. 'If physical access can be gained to a device, it's likely that someone without a great deal of technical knowledge can bypass passwords and other logical control measures within a few minutes,' says PwC's Whitmore. 'Bypassing a laptop's password security can be a trivial exercise.

However, it is precisely this form of security that most laptop users rely on to protect the information on their computers. Similarly, controls offered within the hardware of most makes, such as power-on or BIOS passwords, can usually be bypassed just as easily with nothing more than a screwdriver or a paperclip.

Once you're in, it's a gold mine. Not only do you have access to sensitive and confidential information stored within files such as Microsoft Word and Excel documents, but it's likely that all the information needed to gain remote access via a virtual private network (VPN) or dial-up remote access facilities back into the company can be extracted without too much difficulty.

Unfortunately, it's all too similar for PDAs, which usually do not provide much more of a challenge than laptop computers to break into, and they often yield just as much valuable information as a laptop,' says Whitmore.

One option is to use biometric security such as fingerprint scanners, but these too are subject to technical problems, not least the inability to always present an unblemished fingerprint to the system. 'By definition, biometrics are not exact enough for widespread use. If you scratch your finger then the print can be significantly altered to stop that print from being accurately recognized by a reader on a laptop, for example,' says Stroman. 'The better use for biometrics on these devices will be in conjunction with a secondary feature such as a smart card, PIN or password.'

Stealing mobile computers and their data

It's a problem that has been exposed over and over again in the tabloid press - a government minister leaves his laptop in the back of a cab, containing details of our new top-secret nuclear submarine, only for it never to be seen again.

Mobile devices, particularly laptops, represent a means by which even the most stringent security policy can be blasted wide open. You can have all the data access controls in the world, but if someone with access then manages to lose a device with those files on, you're in trouble. 'Thieves regularly target laptops and PDAs not only because of the value of the device itself but more importantly because of the potential value of the information they contain,' says Whitmore.

'A colleague of mine was engaged during a security assessment to "steal" laptops from a group of senior executives. One Friday at 6pm he followed the executives in question from their office to the pub across the road, engaged them in conversation, bought them a few drinks, then a few more, and then simply distracted the group while his team walked in and picked up the laptops.

'The haul: six laptops and some extremely red faces, particularly when three of the group didn't notice till the following Monday that they were machineless.'

So what's the solution? You could take the Draconian route and try to restrict users from carrying and saving data to their laptops and PDAs, but while this will safeguard data, it will do so at the expense of the whole point of a mobile device, which is that it and your data can be taken on the road. The more popular approach is to add additional security measures to the device to ensure that if it is lost or stolen, no one can access either the machine or the data on it.

The example we have used in the six graphics within this article is based on a technology called KeyDrive from Secure Technology; it's a popular example of how a hardware key can be used to control access to data on a laptop. The KeyDrive software is installed on the device and creates an additional partition on the hard disk. We'll call this the S:\ drive.

However, the S:\ drive is encrypted, and can only be accessed when a specific token is present. In this instance it is a USB dongle which plugs into a spare USB port on the rear of the laptop. With the key in place the drive is decrypted and becomes visible. Files can be read, saved, copied and deleted to and from it as if it were a normal drive.

Take the key out of the USB port and it disappears. The S:\ drive reverts to its encrypted and hidden state and is removed from the drive list.

What this means is that if the laptop is stolen or lost, the thief can access the computer, but not any of the data on the S:\ drive, which he won't even know exists. Only the holder of the USB key can do that - and you'd no more leave the key with the laptop than you would keep your PIN number in your wallet.
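To make the property described above concrete, here is an added illustration (not KeyDrive's own code, whose internals the article does not describe) of a hardware-key scheme: the volume key lives only on the token, the volume at rest is AES-256-GCM ciphertext, and with the token absent, a different token, or a tampered volume, nothing decrypts. The function names, the nonce || ciphertext || tag layout and the use of a nil key to mean "unplugged" are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ProvisionToken generates the dongle's random 256-bit volume key. It is never
// typed, so there is nothing to shoulder-surf; a nil key models "unplugged".
func ProvisionToken() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// aead builds AES-256-GCM from the token; without one the drive stays hidden.
func aead(t []byte) (cipher.AEAD, error) {
	if len(t) != 32 {
		return nil, errors.New("no valid token present: volume hidden")
	}
	block, _ := aes.NewCipher(t) // key length validated above, cannot fail
	return cipher.NewGCM(block)
}

// SealVolume encrypts the S:\ contents at rest as nonce || ciphertext || tag.
func SealVolume(t, plaintext []byte) ([]byte, error) {
	g, err := aead(t)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenVolume decrypts only with the matching token: a missing or wrong token,
// or a modified ciphertext, fails the GCM tag check and yields no plaintext.
func OpenVolume(t, sealed []byte) ([]byte, error) {
	g, err := aead(t)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("volume too short")
}
```

A real product would also wipe decrypted data from memory when the token is removed; this sketch only shows why the thief with the laptop but not the dongle gets nothing.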

Secure wireless

Over the next few years, wireless network technology is going to usher in a host of security nightmares. Whether you are considering 802.11 'WiFi' or a Bluetooth application, you are still faced with the fact that your data is being transmitted over radio and can therefore be more easily intercepted than data traveling over wires.

'In a networked environment, you have to go through a number of physical security measures such as a security guard on the front desk to get near a machine,' says Stroman.

'But if you put up a wireless network, anyone outside can get access to your network without the need to get past security.'

However, while mobile devices are the biggest catalyst for WiFi use, recent research from I-sec suggests that nearly 70 per cent of WiFi networks do not have Wired Equivalent Privacy (Wep) activated. 'Many companies are going out and buying a wireless access point to see what it can do. The problem is that they have opened a great big backdoor into their network,' says Geoff Davis, managing director of security specialist I-sec.

Many hackers have taken to driving around the streets with laptops designed to detect wireless networks in operation. Such attempts are nothing new, but the fact that a wireless network can be detected with a Pringles tube fitted with an antenna makes it all the more worrying.

Even if 802.11 encryption is implemented, there are still problems. Wep has been shown to possess many vulnerabilities, which indicates that additional levels of security will have to be used to guarantee impregnability.

'While their inherent lack of security has not generally been overstated, it is possible to use wireless local area networks in relative safety,' says David Bridson, director of communications at ISS. 'Expert assessment is key. This allows the organization to understand its wireless security posture and the risks and exposures discovered on its wireless networks.'

There are a number of simple steps that can be taken to improve wireless security for 802.11 networks beyond installing a firewall. Because Wep is de-activated by default, switching it on is a good start; then you should change its default settings. But given Wep's inherent weaknesses, increasing the level of encryption would be a better idea. Companies such as F-Secure and RSA have introduced products with enhanced encryption which can boost security.

Another factor unique to WiFi is transmission strength. Bigger does not mean better when it broadcasts your network over too wide a range. Whatever your level of encryption it is far better not to allow external parties to get too close a look at the set-up of your wireless network. Once again, there are products to address this: they can adjust the signal strength to ensure that coverage is restricted.

Like it or not, mobile devices are here for the duration. The sheer volume already in circulation has ensured that they will have to play a role in future IT policy. Remember that the lack of portability desktop PCs suffer from is also an asset - it makes them harder to physically steal, something you can't say of a PDA or laptop. These devices will go missing, they will get stolen. No amount of software will stop that from happening but you can stop people from getting hold of the data within. That way the most you will lose is the cost of a new device rather than the loss of corporate secrets.

Further reading

http://choices.cs.uiuc.edu/MobilSec
The 3G Mobile Security Project

http://www.blackhat.com/presentations/bh-europe-01/job-de-haas/dehaat.ppt
Security Implications of SMS and Wap

http://www.secure-technology.com/
Details of the KeyDrive product example used in this feature

Secure Technology Group Ltd
PO Box 42016
London
E5 9SW
United Kingdom

All rights reserved ©2003