
By John Buchanan
Meeting planners are known for obsessive attention to detail, but one detail that escapes many is the vulnerability of sensitive information, such as the top-secret details of a new product or financial information that will be reviewed at a meeting, as it moves through a dangerous landscape of airports, hotels and meeting rooms. Few planners or their companies, experts say, appreciate the extent of the risk they face today — and the threat is growing worse by the minute.
“The consistent threat that is affecting our customers today is malicious activity and the intent to compromise intellectual property or steal information for the benefit of making money,” said John Addeo, practice director, advanced security, at Raleigh, NC-based Dimension Data, a global systems integration and consulting firm for advanced security. “As long as there is a supply chain for malicious code and a demand for information, the threat will continue to propagate itself. The threat continues to increase and there is no foreseeable end to it.”
The reason, Addeo explained, is that in the information age, nothing is more inherently valuable, or more aggressively sought by any means available, than information. “A while back, I heard the gentleman speak who runs information technology for the Department of Homeland Security,” Addeo said. “And he put it in a way that I’m going to paraphrase, but he called it ‘an incurable disease of criminal intent.’ That’s really what it is coming down to. As long as people can make money by stealing sensitive information, the threat will continue to exist.”
A consensus exists among information security experts that as many as nine out of every 10 U.S. companies are either unaware of the severity of the threat, or unprepared to deal with it. More often than not, companies mistakenly believe that if they have firewalls and antivirus programs in place, they are protected. Nothing could be further from the truth. “We almost always find systems that are at risk of being compromised within that red zone of a known vulnerability or a known threat, but with very little security control measures,” Addeo said.
Mobility Increases Vulnerability
The basic problem today is that more and more information resides in more and more places outside of a traditional internal information network. That simple fact alone puts most businesses at peril. The more offsite meetings they hold, the more mobile information is — and the more likely a damaging data leak will occur.
“The key threat issue today is mobility,” said Skip Taylor, vice president, product marketing, at leading information security solutions provider Fiberlink in Blue Bell, PA.
“More and more people are becoming more mobile. Companies are giving everybody laptops now. The benefit is obviously increased productivity. The challenge, though, is that all of the tools they invest in are designed to monitor activity on their local area networks (LAN). For example, as I sit at my desk, people can see what’s on my PC. My IT organization can make change-control occur and I don’t even know that it has happened if it’s a security patch update, antivirus or whatever. But the point is that when I leave and I go to an offsite meeting, all of a sudden all of that automation and visibility that IT had over my device and the data that’s on my device is lost. They can’t see, they can’t touch and they can’t change me anymore.” This typical exposure is called the “mobile blind spot.” It means that the most typical security investments made by IT departments do not reach devices that are no longer connected to the LAN, either physically or through a virtual private network (VPN).
Research firm IDC has found that “60 percent of the data that the average user needs is already on their laptop,” Taylor said. “The point I get from that statistic is that I’m more likely to not have to go back to the LAN for data, because more than half the time I have what I need.” That statistic is even truer of salespeople, for example, who now carry vast amounts of sensitive product and customer information on unsecured laptops. Taylor believes that 90 percent of all companies fall short of what Fiberlink sees as a minimum acceptable standard for security of mobile data on laptops.
That vulnerability is expanded exponentially today because the most common threat is not from the well-planned theft of information as the result of a sophisticated attack, such as hacking. “The vast majority of data loss today isn’t someone trying to steal the information,” said Susan Callahan, vice president of business development and marketing at Philadelphia-based Safend, a provider of software that protects sensitive data across a wide range of applications, from desktop PCs and laptops to PDAs and smart phones. “It’s from what I call an ‘oops’ incident — ‘I lost my portable USB drive that contains sensitive information.’ But regardless, IT companies need to protect that data. And they need to understand that the boundaries within which the data reside have greatly expanded because of mobility.” That is particularly true in the hyper-mobile environment of corporate meetings and conventions, she said.
Meetings Magnify Risk
Taylor agreed that by definition, the typical meeting environment and its inherent mobility magnify the risk of important information being compromised, one way or the other. “The questions meeting planners need to ask are, if attendees have sensitive information, where is it going? Is it leaving the device, such as a laptop? Do attendees at the meeting get copies of sensitive data? Are they using public Wi-Fi? If they are, that could lead to someone getting access to their company’s VPN down the road. And if someone can steal access information, they can later get into the corporate network and have access to everything that is there.”
Too many meeting planners and attendees are unaware that as Wi-Fi becomes more widely available and more popular, the information security threat grows in direct proportion. The most common threat is one known as an “evil twin.” That means a counterfeit Wi-Fi access point has been created to steal data from nearby users, such as in an airport or hotel. Believing they have identified a strong Wi-Fi connection, users log in, only to have their user name and password lifted in what is an astonishingly easy and quick process.
“People who are in these facilities are using open Wi-Fi connections that typically have no security,” Taylor said. “Once an evil twin can capture their user name and password, that gets used either to capture information at the moment, or they can sell that sign-on information in the open market.”
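The detection side of the evil-twin problem, as an added example that is not from the article or any vendor it names: a small screen over a Wi-Fi scan that flags a known SSID appearing on an unlisted BSSID, as an open copy of a secured network, or louder than every legitimate access point carrying that name. The scan lines, the allow-list and the record format are all constructed for the demo.

```python
"""Heuristic evil-twin screen over Wi-Fi scan results. Added example; the
allow-list, scan lines and record format ("SSID,BSSID,security,signal_dbm")
are all constructed for the demo."""
from collections import defaultdict

# Constructed allow-list: BSSIDs the venue/IT team published for each SSID.
KNOWN_APS = {
    "HotelGuest": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "AcmeCorp": {"aa:bb:cc:dd:ee:01"},
}

# Constructed scan: two real HotelGuest APs, an impostor HotelGuest on an
# unknown BSSID with a loud signal, and an open copy of the WPA2 corporate SSID.
SCAN_LINES = """\
HotelGuest,00:11:22:33:44:01,WPA2,-61
HotelGuest,00:11:22:33:44:02,WPA2,-70
HotelGuest,de:ad:be:ef:00:01,OPEN,-35
AcmeCorp,aa:bb:cc:dd:ee:01,WPA2,-58
AcmeCorp,de:ad:be:ef:00:02,OPEN,-40
Cafe,12:34:56:78:9a:bc,OPEN,-66
"""


def parse_scan(text):
    """Parse scan lines into (ssid, bssid, security, signal_dbm) tuples."""
    aps = []
    for line in text.splitlines():
        if line.strip():
            ssid, bssid, sec, sig = (f.strip() for f in line.split(","))
            aps.append((ssid, bssid.lower(), sec.upper(), int(sig)))
    return aps


def find_evil_twins(aps, known=KNOWN_APS):
    """Return {bssid: [reasons]} for APs that look like impostors of a known SSID.
    Three tells drawn from the article's description: BSSID not on the allow-list;
    the SSID offered both encrypted and OPEN (the lure); impostor louder than
    every legitimate AP carrying that SSID."""
    by_ssid = defaultdict(list)
    for ap in aps:
        by_ssid[ap[0]].append(ap)
    findings = defaultdict(list)
    for ssid, group in by_ssid.items():
        if ssid not in known:
            continue  # unfamiliar networks: simply do not join them
        secured = any(sec != "OPEN" for _, _, sec, _ in group)
        legit = [sig for _, bssid, _, sig in group if bssid in known[ssid]]
        for _, bssid, sec, sig in group:
            if bssid in known[ssid]:
                continue
            findings[bssid].append("BSSID not on allow-list for " + ssid)
            if sec == "OPEN" and secured:
                findings[bssid].append("open copy of secured " + ssid)
            if legit and sig > max(legit):
                findings[bssid].append("louder than every known " + ssid + " AP")
    return dict(findings)
```

Run `find_evil_twins(parse_scan(SCAN_LINES))` to see both impostors reported with all three reasons; the unfamiliar "Cafe" network is ignored rather than flagged.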
In addition to a global market for corporate information, there is also a global market for information on how to steal information, Taylor said. He recently did a search of YouTube to discover how many options were available for learning how to hack into WEP, the security tool used by 46 percent of U.S. companies to encrypt Wi-Fi. He found 154 providers of information and techniques for breaking WEP. “They were free, and some of them bragged that they could teach you to do it in 14 minutes with three simple lessons,” Taylor said. “It’s really amazing, and very, very easy. So, more and more companies are realizing they need to move to stronger encryption.”
A related threat in the Wi-Fi environment is the theft of a MAC (media access control) address, the unique numeric security code permanently assigned by the manufacturer that confirms that a user and device are authentic to the IT network. Yet another threat germane to the mobile environment of offsite meetings, in places like hotels and convention centers, is malware, or malicious code that is built to attack laptops and break Wi-Fi encryption algorithms. “Malware attacks the applications that would prohibit someone from entering into my laptop, like a firewall,” Taylor said. “Malware can attack a firewall and make it easier to break in. But other malware is also designed to help capture sign-on information, similar to an evil twin. The malware just collects the information and then reports it back to the intruder the next time the Internet is connected. So, malware is more invasive today and you have to be more proactive and have applications that watch that.”
Still another vulnerability unique to meetings is the use of a third-party computer, such as one rented from a hotel or conference center for the sole purpose of helping to facilitate a presentation. “Let’s say you’re talking about launching a new product,” said Matt Shanahan, senior vice president, marketing and strategy, at solutions provider AdmitOne Security in Issaquah, WA. “A lot of times what people will do with that rented hotel computer is log in to get to the Internet to get to a site that has the information they are actually presenting. And that’s when a key logger can get information.” A key logger tracks the keys typed into a keyboard as a way of stealing log-in information and gaining access to information. It is among the most widespread threats these days, Shanahan said.
The key issue to face such a challenge is user authentication, he said. “What’s important is that any time you’re using an open network or a shared device to access corporate information through the Internet, you need to have the appropriate security levels in place,” he said. “For example, you should be using an SSL, or secure socket layer connection. That encrypts data that goes back and forth within the network.” SSL lines are typically set up within a company’s IT network and are not provided as third-party services by hotels and other meeting venues.
Knowing What You Don’t Know
For meeting planners who do not deal in information security issues on a regular basis, the most important principle is a simple one: They usually do not know what they don’t know about potential information security vulnerabilities in their specialized world. “Not knowing what devices are on your network then puts you in a situation where these devices aren’t implemented into security life cycle management,” Addeo said. “So, you’re not managing the vulnerabilities. They have been forgotten about. And it’s usually the weakest thing in the system that becomes exploitable. So, not knowing what you have and understanding its life in your network is one of the biggest risks organizations face.”
Meanwhile, the problem gets bigger every day. In 2006, 600,000 laptops were stolen in the U.S., according to Stephen Midgley, senior director, global marketing, at solutions provider Absolute Software in Vancouver, British Columbia, Canada. “And as more information becomes more mobile, in environments such as meetings, laptop theft is increasing,” he said. A new study by the Ponemon Institute reports that more than 12,000 laptops are lost in large U.S. airports each week. Moreover, nearly 70 percent are never reclaimed. Dr. Larry Ponemon said that “53 percent of people admit to carrying business confidential information and 65 percent of those people do not take appropriate steps to safeguard their information.”
Under such circumstances, Addeo said, a surprisingly large percentage of companies simply do not know “where information lives within their organization. If there is not a policy that is mandated and enforced, we find that a lot of the intellectual property of organizations will reside on portable devices that are taken through airports and hotels and all these places.” A shocking majority of companies, he said, do not even properly assess the risk, much less put proper protections in place. “Every organization we go to knows that they have had laptops go missing,” he said. “But if you ask them what information was on them, they can’t tell you. So, there are real world consequences to these losses — especially if you don’t know what was on these devices.”
Be Proactive
In order to protect the information flowing through their offsite meetings, companies must adopt a proactive stance that involves a comprehensive solution.
“The process should include putting protection measures in place in multiple areas,” said Callahan. “For example, companies should encrypt their hard drives, on desktops and laptops.”
Encryption is no longer a prohibitively expensive undertaking, she said, and the investment in encryption is a form of insurance — and a lot cheaper than the bottom-line cost of a major information leak. The average cost of a leak of corporate data is $6.3 million, according to researchers at Ponemon Institute, Callahan said.
“It’s also important to enforce the encryption,” she said. “That is very important, because if employees are left to their own discretion as to when they should encrypt data, they don’t do it. So, employees who have any access to sensitive information that is on the go must encrypt that data.” Furthermore, she said, encryption today must extend to removable media, such as USB or thumb drives, DVDs and CDs.
Because so much data is in motion for corporate meetings, Callahan said, clear policies also have to be put in place for what is allowed and what is not. For example, companies should prohibit certain kinds of information, such as product or customer data, from being transferred to removable media such as USB drives. Among the capabilities Safend offers is the ability to enforce such policies by blocking the transfer of specific kinds of information. “But the first step is to go in and inspect all data that is being moved around and transferred, in order to create a policy and monitor it, with the ability to lock data and prevent its transfer,” she said. “That is very important.”
Chen Arbel, a security expert from Israel who is now vice president of strategic development at Aladdin Knowledge Systems in Arlington Heights, IL, sets a very specific standard for mobile data. Companies must adopt a combination of full disk encryption and what is known as two-factor authentication, which means adding an additional layer of security beyond a typical user name and password. In most state-of-the-art applications, the second authentication factor, such as a certificate or “token” provided by a specialized and highly secure Web-based application, essentially ensures virtually foolproof security.
Unfortunately, Arbel said, too many companies still think the cost of encryption and two-factor authentication is too expensive to justify the investment. “They say, ‘We have thousands of employees. Are you expecting us to do this for everybody?’ And my answer to them is that if you truly care about your company, your employees and your customers, the answer is yes.”
To drive home his point, Arbel demonstrates to skeptical clients that he can hack into a company laptop and then into its IT network within 90 seconds. “And I’m not even that good at it, compared to the people out there doing it for a living,” he said. “So, to be safe, meeting planners need to demand full disk encryption and two-factor authentication when they have sensitive information traveling on the road. And the critical consideration is two-factor authentication. That demand should also come from employees, who should not wait for it to come from above, because they have sensitive data that they carry with them to and from these meetings.”
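To show why a password captured by a key logger on a rented hotel computer, or by an evil twin, is not enough once a second factor is required, here is an added example (not from the article, Aladdin or AdmitOne) of a login check that combines a password with an event-based one-time token code following RFC 4226 (HOTP). The article only says "token", so the HOTP choice, the account record and the token secret are assumptions made for the demo.

```python
"""Second-factor check with an event-based one-time token (HOTP, RFC 4226).
Added example, not from the article or any vendor it names; the user record,
password hash and token secret are constructed for the demo. The point made
in the article: a password captured by a key logger or evil twin is useless
without the current token value, and a captured token value is single-use."""
import hashlib
import hmac
import struct

# RFC 4226 reference secret (ASCII "12345678901234567890"), used so the
# codes produced below match the RFC's published test vectors.
TOKEN_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Server-side record: salted password hash plus token secret and counter."""
    def __init__(self, password, secret, salt=b"constructed-salt"):
        self.salt = salt
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.secret = secret
        self.counter = 0  # next counter value the server expects from the token

    def check_password(self, password):
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(cand, self.pw_hash)

    def check_token(self, code, look_ahead=3):
        """Accept the next unused code (small window for presses that were never
        submitted) and move the counter past it so the same code cannot be replayed."""
        for c in range(self.counter, self.counter + look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def login(account, password, code):
    """Both factors must pass; a token code is consumed only after the password passed."""
    if not account.check_password(password):
        return False
    return account.check_token(code)
```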
Help Is On The Way
For companies that elect to pursue specific solutions, there are many good options available today. The Extend360 application from Fiberlink, for example, monitors a wide range of security applications and events on laptops while a user is exposed to the mobile blind spot away from the LAN. Extend360 also identifies malware threats. It is a comprehensive suite of best-in-class solutions that can address information protection, encryption, data backup and recovery.
Absolute Software offers a ComputraceComplete application that can remotely delete data from a lost or stolen laptop, then trace its whereabouts and facilitate its recovery approximately 75 percent of the time. While in use, ComputraceComplete allows corporate IT departments to know what is on the laptops and that the data is safe. In June, Absolute launched an extension of the product for use with PDAs and smart phones that use the Windows Mobile operating system. Its capabilities mimic those of its laptop product, including the ability to wipe data from a lost or stolen PDA or smart phone.
Because sophisticated, Web-enabled PDAs and smart phones are becoming more prevalent all the time, and often replace laptops as the repositories of important mobile information, the ability to protect them is critical.
Trust Digital, of McLean, VA, offers encrypted security applications for PDAs and smart phones that can be used across a wide spectrum of proprietary technology, not just Windows Mobile, said Dan Dearing, vice president of marketing and product management. Trust Digital also provides the capability for wiping clean lost or stolen devices.
But regardless of which solution a particular company might adopt, it is the underlying commitment to information security that is most important, Addeo said. “Security needs to become a habit,” he said. “It needs to be pervasive in everything that is done, from the ‘siloed’ information approach that a lot of companies deal with — the network group, server group, the systems group, the desktop group, the applications groups. These groups all need to come together and start to work together and make information security a habit, and something that is done from the start, rather than trying to fix behavior after the fact.” C&IT
