Have a Plan for Mobile Security
July 20, 2006
Mobile Security: Keeping your mobile workforce secure takes a little common sense mixed in with the same care you'd take with your own grandmother.
Recently the question was asked: "How would you secure grandma's computer, and how is that different from a corporate laptop?" If you're assuming all employees have the wherewithal to operate a company computer better than your grandmother, you probably need to review your security policies.
The question of "what to install" is much deeper than simply patches and antivirus, and it applies equally to Windows and Linux. Certain aspects of endpoint security tend to be overlooked when companies are deploying laptops for their workers. The leading source of information leakage and security breaches is a lost, stolen or hacked employee computer. Laptops are especially dangerous, as they tend to have stored passwords for a company's internal network services, including VPN access. Here are a few suggestions for items that must not be overlooked.
Antivirus
Obviously, but we can't leave it out. Whatever flavor of antivirus your company uses, it simply must be installed before an employee's computer is handed over. Ideally it cannot be disabled by anyone but an administrator. Free antivirus scanning software exists for Linux as well, but it's really optional until Linux becomes more popular.
Firewall
We don't mean ZoneAlarm or any of the scam software that alerts you to perfectly normal traffic to coax you into a subscription. We mean host-level IP filtering. Windows XP SP2 has a firewall that still allows all user-initiated connections to succeed. It's akin to carrying your own NAT device with you everywhere: you can get out, but nobody can get in until you've invited them. Both Linux and Windows machines need this protection. Linux has iptables, and no employee computer should go unprotected.
It is a matter of debate whether you should filter outbound traffic as well. For most purposes, no: it's really more hassle than it's worth. As long as you abide by the next notion, it shouldn't be necessary.
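The "carry your own NAT device" policy described above, written as an iptables ruleset for a Linux laptop. This is an added example, not the article's own code: outbound traffic is accepted, inbound traffic is accepted only when it belongs to a connection the laptop itself opened, and everything else is dropped. The loopback allowance and the `--apply` switch are this example's assumptions.

```shell
#!/bin/sh
# Added example: emits (and optionally loads) an iptables-restore ruleset
# for a roaming workstation. Policy: anything the user starts may go out;
# nothing comes in unless it is a reply to something the laptop initiated.
set -eu

host_fw_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local processes talking to themselves (X, local DNS cache, etc.) are fine.
-A INPUT -i lo -j ACCEPT
# Replies to connections this machine opened are the only inbound traffic allowed.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else is dropped silently, so a probe from the hotel LAN sees nothing.
-A INPUT -j DROP
COMMIT
EOF
}

# Sanity checks before loading: inbound defaults to DROP, the stateful
# match is present, and the table is properly terminated.
host_fw_check() {
    rules="$(host_fw_rules)"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q 'ESTABLISHED,RELATED' || return 1
    printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
    return 0
}

# Load the rules only when explicitly asked and only as root
# (assumed invocation: ./host-fw.sh --apply).
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    host_fw_check
    host_fw_rules | iptables-restore
fi
```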
Non-privileged Users
Everyone using a laptop or desktop computer in a corporate environment should be running as a non-privileged user. The Windows Administrator account should never be used, and in Linux one should never run as root. It seems simple, but many companies simply give in to users' demands to be able to install their own software. Giving a user the Administrator password is fine, assuming he only uses it to install software, but adding a user account to the Administrators group is just inviting trouble. Nearly every virus and spyware application relies on Administrator privileges to take hold on a system. Take that away, and users' rate of infection decreases, and quite significantly.
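One way to check the rule above on a Linux workstation, as an added example that is not part of the article: flag every UID-0 account other than root and every member of the wheel or sudo group (the Linux analogue of adding someone to Administrators). The sample passwd and group data below are constructed for the demonstration; in practice you would pass /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example: audit who holds administrative rights on a Linux workstation.
set -eu

# Print "uid0:<name>" for every UID-0 account that is not root.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print "uid0:" $1 }' "$1"
}

# Print "admin:<user>" for every member of wheel or sudo.
admin_group_members() {
    awk -F: '($1 == "wheel" || $1 == "sudo") && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print "admin:" m[i]
    }' "$1"
}

# Run both checks; return 1 if anything was found so a cron job can alert.
# Usage: audit_privs /etc/passwd /etc/group
audit_privs() {
    findings="$(extra_root_accounts "$1"; admin_group_members "$2")"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample files: "toor" is a second UID-0 account and two
# ordinary users have been added to sudo, both things the article warns against.
SAMPLE_PASSWD=$(mktemp); SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:backdoor:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
EOF
cat >"$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:
users:x:100:alice,bob
EOF
```

On the sample data the audit reports uid0:toor, admin:alice and admin:bob and exits non-zero; a clean workstation produces no output and exits zero.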
Spyware and Adware
If spyware is capable of tracking your browsing habits to create a marketing profile, doesn't it logically follow that it's capable of tracking saved passwords and corporate login URLs? You bet it does, even if the user isn't running as an administrator. Spybot S&D (Search and Destroy) is a free application for Windows machines. Recently real-time monitoring was added to Spybot: it runs as a service and continually checks for known spyware and adware applications. Spybot can clean a system and rid it of all known traces of these pests, which most antivirus monitoring does not notice.
Patches Patches Patches
While it's true that some worm outbreaks spread by exploiting a fundamental flaw in an operating system that nobody knew about, most of the time they use well-published vulnerabilities. Generally speaking, the OS vendor has already released a patch that will prevent most outbreaks before the outbreak actually occurs. The outbreak still occurs, so it's clear that people aren't patching regularly.
Linux has a very similar problem. For someone to gain root access on a Linux machine, they generally have to break in with a user account first. User-level break-ins normally happen in one of three ways. The first and most common method is via an installation of some free PHP code, perhaps forum or CMS software that will remain nameless. Remote users simply need to send some crafty text to the Web server, and they're in. This method isn't directly applicable to securing your workstations, since your users probably won't be running a Web server. The second method, however, is. When a user runs an outdated version of their favorite Web browser, chances are high that some security vulnerabilities exist. Stumble upon the wrong site, and suddenly you have a user-level compromise.
You may be thinking that user-level compromises aren't such a big deal, especially on Linux machines. Sadly, that is not the case. The number one reason for hacking Linux and Unix servers is to send tons of spam. That, and the third type of compromise: root access to completely control a machine. If the OS isn't up to date, any user can simply download and run an exploit and escalate to root privileges. In both Windows and Linux, the next step may be to install monitoring software in an attempt to discover what networks this computer connects to. Needless to say, patching is the most important aspect of end-user workstation security.
Focusing on preventing virus, worm and spyware infection is necessary because of the information that may be stored on an employee's computer. A determined attacker probably can't be stopped, but we're not dealing with targeted attacks here. The random scanning and probing done by botnets and worms is the most common method of infection, even though it can be stopped easily. Many people, especially Linux users, will advocate shunning Outlook and Internet Explorer. While this will certainly help limit exposure, you can remain relatively secure by simply using common sense and securing your employees' mobile workstations the same way you would your grandmother's.