By Patterson, Tom
Security Management , Vol. 37, No. 9
What are the odds of someone breaking into an office, getting past security and the receptionist, figuring out the cipher lock to the computer room, chain-sawing into the network file server, and then carting away all of the hard drives from a company server completely unnoticed? In most companies, the chances are pretty slim because they keep their most important asset - their data - stored on computers that are well-protected. Unfortunately, thieves no longer need to break into offices to steal sensitive data. Company employees are bringing the information right to them.
As notebook computers gain in popularity, the amount of sensitive information processed on them also increases. Notebooks, which are completely portable, can be used anywhere and anytime. Chief executive officers keep their notes on them; finance professionals take the company's financial information home for the weekend; and the contracts staff has the details of the current deal stored for easy access when traveling. But the sheer convenience of the notebook is also its biggest problem.
Sensitive information leaving the relative safety of the office presents a serious security risk, and that risk is deepened by the logistics of business travel. Hotel room break-ins are a fact of life; weary business travelers may leave their notebooks on trains or planes; and travelers have always been targeted by thieves because of their unfamiliarity with their environment and the large amount of material and luggage they carry around. A several-thousand-dollar notebook computer increases the attraction. Tack on a potentially priceless amount of data stored on that same six-pound package and the attraction takes a quantum leap upward.
Many corporate users do not believe that their data is of worth to anyone else, so they take minimal precautions. For protection, they delete sensitive information from the hard drive and store it on floppies, which are then stored in the convenient pockets of the notebook's carrying case. Even if the users are aware enough to store the floppies separately, the deleted files can still be recovered with one of the dozens of computer utilities that are available.
Using the password features of most commercial software is another precaution that is not fail-safe. People write programs that can crack password codes, These programs are distributed to other "crackers" via computer bulletin boards. Making the cracker's job easier are the users, many of whom use the same password for their network user identification and to protect their files on the notebook. Once the password is cracked, the thief can try the modem that is built into the notebook, load the communications software that has the phone number for the office network in its dialing directory, and see what other information is available from the company's computers.
The problem. In the past, when mainframe computers were used to process sensitive information, the computer programmers who ran them added security systems to keep e in formation safe. When sensitive information was stored on minicomputers, programmers developed security systems to protect them. Both of these computing environments were easy to control because all processing and storage was accomplished at the system or host level - the terminal was merely a window into the mainframe with no (or limited) processing or storage capacity.
As the processing power of PCs increased, so did the lack of control. Their inherent flexibility and adaptability allowed users to define their data, formats, and software themselves. But users also had to rely on themselves to secure sensitive information. No programmer came with the PC. After a few years of catch up, however, security was possible. Today, more than twenty-five companies make devices that simply plug inside a PC and keep information safe.
When laptops were invented, a few of those companies shrank their security devices down, opened up the laptop, squeezed their hardware anywhere they could, and - presto - secured the laptop. …