Put down this magazine, get a drink, then come back. If your laptop is where you left it, consider yourself lucky. In a survey of 503 security professionals, 134 reported instances of laptop theft, with a dollar loss of $11,766,500--nearly $88,000 per incident, with the bulk of the damage from the loss of proprietary information. (Find a copy of the survey here.) Imagine all that private data lost forever or, worse, broadcast over the Internet. Now imagine explaining to your boss why your company's trade secrets are on the Web.
Laptops are undeniably convenient, but they're prone to malicious hacking and theft. We'll examine three facets of laptop security: protecting the software and communication channel; protecting the hardware; and protecting your data. Of course, conventional desktops can benefit from these security measures too, as even heavy tower computers have been known to walk off.
Keep in mind that there is no such thing as 100 percent protection from attacks and loss. However, attacks can be deterred if you implement antivirus, firewall and authentication software. Recovery services, VPN tunnels and hard-drive encryption will also help.
Safe Communication Channels
The fundamentals of secure remote computing include making sure your users aren't being attacked or spreading viruses and that they have secure connections to the corporate LAN. First, all your laptop users need personal firewalls, which will repel some common attacks. Personal firewalls also can "hide" a PC by not letting it respond to connections or pings, by blocking ports and protocols, by performing host-based intrusion detection, and by designating which applications may access the Internet. Keep in mind that you want a centrally managed firewall; end users should not make any decisions on security--you dictate the policy, they follow it (for more on personal firewalls, see our Buyer's Guide).
We have found that firewalls with application control are better at blocking Trojans than are firewalls that block only ports. That's because Trojans can operate by making outbound connections on common ports. Firewalls alone, however, won't protect against viruses. For this, you need antivirus software, preferably a package that checks often for new signature definitions.
Glossary
SECTOR SLACK: Say a volume uses a cluster size of 64K, and a user stores several files, each 40K. When Windows 2000 allocates space it gives each file its own cluster, with the space left over being--you guessed it--sector slack.
The next step in securing software is to verify that the laptop user is legit. There are a few options here. One is to force the user to enter a login password upon start-up or after an idle period, in either the OS log-in screen or on BIOS boot. If passwords don't give you a secure feeling, biometric authentication, such as retinal scans, fingerprint or voice analysis, is a possibility. Keep in mind, however, that many biometric devices plug into serial or USB ports and are one more thing for a laptop user to lug around, lose or break. Acer, MicronPC and other vendors offer laptops with fingerprint scanners built in (see InformationWeek's "Fingerprints and Notebooks: Hand in Hand").
Voice analysis seems like a nice option, as many laptops have a microphone port, but can be problematic. In noisy environments, for example, the computer might not pick up the sound, and laryngitis or a bad cold might lead to a frantic helpdesk call.
As for connecting to the corporate network, two words: Use encryption. First, determine what needs to be encrypted. If all your users will do is access Web-based programs, you can get away with HTTPS. You can also encrypt e-mail by using SSL over IMAP or POP3, which makes sending and receiving e-mail over the Internet more secure by encrypting the entire session, from host to e-mail server (for a secure appliance e-mail solution see "In the M2000, Mirapoint Makes a Mighty Message Server"). There are two major forms of e-mail encryption, S/MIME and IMAP/POP3 over SSL, and they serve two different needs. S/MIME encrypts or signs the message, but not the session. IMAP/POP3 over SSL secures the login and session, but on the next hop the data can be transmitted in plain text. IMAP over SSL is very simple and requires no user intervention, but not all client software supports it. If you want all your traffic to be encrypted, or if some of your programs do not support encryption, a VPN is the way to go. Virtual private networks let remote users access internal resources without making these resources publicly accessible. (For more on VPNs, see "Add Some FiberLink to Your VPN Diet.")
In addition, disable split tunneling so that, while the VPN is active, all network traffic flows through the VPN, not just traffic destined for the corporate network. Some VPN clients come bundled or integrated with a personal firewall, which can simplify deployment and management. Most VPN clients support integration with smartcards, USB tokens and biometric devices for certificate handling and authentication.
All these firewall, antivirus, authentication and VPN systems will mean an increased demand on your helpdesk and more software to keep up to date, and each may require separate administration servers and management interfaces. Factor these issues into your cost analysis (for more on securing remote users, see "Telecommuting: Keeping Data Safe and Secure").