I'm taking a short emergency break from my ongoing series on security policy document library elements to sound a note of caution regarding the handling of traveling employee laptops.
In the wake of recent discussions with several Fortune 500 companies whose internal networks were safe from the onslaught of Blaster, Welchia, SoBig and others, but some or all of whose traveling sales or technical staff got infected by same, I've started to recognize that security policy for laptops is pretty darn important. Although these companies were able to withstand big impacts from these worms, others weren't so lucky. Entire groups or departments of salespeople or technical staff found themselves essentially disconnected from e-mail and network access for anywhere from a full day to as long as a week, depending on how soon they could get their machines repaired and recovered.
In light of this situation, I can't stress enough how important it is to develop and implement security policy for laptops, and to keep remote and roving workers as safe as those behind corporate firewalls and other infrastructure elements. To that end, I'm going to refer to a recent posting by Microsoft (yes, that paragon of security itself) that actually makes a great starting point for laptop security policy, then add a few additional recommendations.
- Use an Internet firewall
- Get computer updates
- Use up-to-date antivirus software"
If followed, this simple prescription would have protected all of the people whose machines were essentially taken out of service by these worms.
The missing details, of course, require some expansion of this simple but effective list:
- Choosing the right Internet firewall depends on other corporate policies, vendor selection and so forth. In passing, let me mention that an out-of-the box default install of Norton Internet Security in August produced a machine that showed no vulnerabilities whatsoever (zero!) to security scans from Steve Gibson Research, SecuritySpace.com and even Norton's own more exhaustive Web-based scan.
- Getting updates is not the issue; installing them is what really counts. Companies should either impose the policy of enforced access to automatic update services from vendors, or provide regular image delivery or patching services of some kind to employees to make sure they're running the latest, greatest, and safest OS and application images.
- Picking and using antivirus software likewise depends on other policies and vendor selections and again should be combined with automatic updates and e-mail warnings to download signature files when automatic update intervals don't suffice to maintain proper levels of protection.
- Other elements of security policy, such as remote access mechanisms, VPN use, access controls and privileges, and so forth also need to be consistently enforced to prevent unauthorized access to internal systems and resources.
- Some type of entire drive or directory-based encryption is strongly advised to protect information.
With these simple policy elements in force, laptops needn't pose any more of a threat to security than other systems in use.
Please feel free to e-mail me with feedback comments, or questions at firstname.lastname@example.org.
About the author
Ed Tittel is Vice President of Content Services at iLearning, a CapStar company based in Austin, Texas. As creator and series editor for Exam Cram 2, Ed's worked on numerous titles on Microsoft, Novell, CompTIA and security certifications, including Security+, CISSP and TICSA.
For more information on this topic, visit these resources:
- Security Policies Tip: Making your laptops traveling fortresses
- News & Analysis: Survey: Laptops, e-mail top list of remote-security headaches
- Best Web Links: Securing mobile/handheld devices
This was first published in September 2003