Securing the (Increasingly) Mobile Client

Enterprise deployments of notebook PCs, tablet PCs, and PDAs continue to grow by leaps and bounds. In fact, researcher Gartner Inc. recently predicted that, by the year 2010, 80 percent of key business processes will involve the exchange of real-time information involving mobile workers.

Small wonder, then, that ensuring the security of these miniature powerhouses has emerged as Priority No. 1 at so many organizations. This article will examine the business risks that today’s Internet threats pose, the evolving threat landscape, and the need for a proactive approach to securing every mobile client.

Business risks are on the rise

Anyone who doubts that Internet threats create real business risks should peruse the 2004 E-Crime Watch survey, conducted among security and law enforcement executives by CSO Magazine, the U.S. Secret Service, and Carnegie Mellon University’s CERT Coordination Center. The survey found a significant number of organizations reporting an increase in electronic crimes and network, system, or data intrusions in 2003. Forty-three percent of respondents reported an increase in e-crimes and intrusions versus the previous year, while 70 percent reported at least one e-crime or intrusion was committed against their organization.

Respondents said that e-crime cost their organizations approximately $666 million in 2003. When asked what types of losses their organizations experienced last year, 56 percent of respondents reported operational losses, 25 percent stated financial loss, and 12 percent declared other types of losses.

The E-Crime Watch survey underscores the contention that, as business-critical information increasingly resides on mobile machines, effective client security is necessary to protect intellectual property and ensure uninterrupted business. Security administrators are being challenged with managing the security on these remote systems (or, at the very least, ensuring that systems that connect to the enterprise network are properly authenticated). While providing greater access to the outside world (e.g., mobile workers, remote offices, contractors, partners, and vendors) is a business necessity, effectively managing such an environment can be a major headache.

And it’s not only intellectual property that’s at risk. Consider this sobering statistic: although the annual CSI/FBI computer crime and security survey showed a drop in the number of companies reporting stolen laptops in 2003, more than half of respondents in the past several years reported that they had been victimized.

At the same time, IDC predicts that, by 2008, 50 percent of the PCs in the United States will be laptops (up from 29 percent in 2004), which means there'll be plenty of targets out there.

Threats are evolving too

All this is occurring against the backdrop of a continually evolving threat landscape. Today, so-called blended threats, such as Blaster and Sobig.F, are increasingly sophisticated. Blended threats combine the characteristics of viruses, worms, Trojan horses, and malicious code with desktop, server, and gateway vulnerabilities to carry out an attack. These threats are difficult to prevent because they are designed to elude the security products commonly deployed across today’s enterprises.

Blended threats differ significantly from traditional viruses and worms, especially in the speed with which they spread. For example, the Slammer worm infected computers worldwide in only 10 minutes. What makes them different is their intent to cause damage, their use of multiple paths of infection, and the efficient way in which they propagate by discovering and exploiting security product interoperability and network vulnerabilities.

A blended threat scenario

Blended threats like Blaster often find clever ways to bypass an organization’s perimeter security measures. For example, it’s very common for a blended threat to initially infect a computer located outside the firewall -- like a laptop computer accessing the Internet over a home office connection through a local ISP. When this infected PC establishes a VPN connection to a corporate system, an organization’s perimeter security system is completely bypassed.

Next, the blended threat sits in memory and waits to attack open file shares and Web server vulnerabilities over the VPN connection. This allows the threat to infect corporate systems, distribute a mass mailer virus, deliver its payload, and so on.

Again, the important point here is that the threat never even encounters perimeter security defenses. And because the threat uses many different methods of propagation, antivirus measures alone won’t stop it.

A proactive approach

Protecting an enterprise’s mobile clients calls for a security strategy that includes four critical elements. First, an alert system must provide warning against new and emerging threats. Second, the right technologies must be implemented to protect the mobile devices. Third, a plan must be set in place to respond when an attack occurs. And fourth, a comprehensive system must be established to manage ongoing security issues. Let’s look at these elements in some detail.

Proactive protection starts with an effective early warning system. Enterprises need to become aware of new threats early -- and know what actions need to be taken to prevent them from infecting mobile client computers.

As we’ve seen, perimeter defenses can’t be relied on to stop threats that are transmitted from remote or mobile clients over a VPN connection. That means clients must be equipped with protection capable of stopping those threats before they can infect core systems.

It’s also important to understand that antivirus protection alone is not enough to protect remote and mobile computers. Antivirus only scans files at the file system level. It doesn’t include a firewall or intrusion prevention “traffic light” for monitoring inbound and outbound traffic. That means antivirus can only provide partial protection against blended threats that use multiple methods of propagation. To stop these blended threats, a combination of antivirus, firewall, and intrusion prevention capabilities is needed.

Moreover, these different capabilities have to communicate and work together. Disassociated point products on remote and mobile computers aren’t integrated and can’t communicate with each other to effectively block blended threats. Proactive response can be especially difficult with mobile and remote machines that are disconnected from the central network much of the time.

It’s also important to capture threat activity that occurs on remote client machines and use that information to improve one’s overall security posture. In addition, organizations need a way to “push” content updates to all of their client machines quickly -- regardless of where they’re located or how often they’re connected.

Client computers also create obvious problems when it comes to maintenance and management. Trying to maintain separate antivirus, firewall, and intrusion detection products on mobile client computers can be a difficult, time-consuming, and expensive undertaking. What’s needed is a way to manage and maintain all different client security capabilities efficiently.

To effectively arm its employees’ notebook PCs, tablet PCs, and PDAs against today’s evolving threats, an enterprise must be capable of bringing these machines inside its “sphere of control.” And the best way to do that is by deploying an integrated, proactive client security framework, one that allows the antivirus, firewall, and intrusion prevention components to work together to deliver comprehensive protection. Such a framework will provide protection even as the number of mobile clients continues to grow.