Handbook of Information Security Management:Physical Security

Previous Table of Contents Next


Section 10-3
Microcomputer Physical Security

Chapter 10-3-1
Protecting the Portable Computing Environment

Phillip Q. Maier

Today’s portable computing environment can take on a variety of forms: from remote connectivity to the home office to remote computing on a standalone microcomputer with desktop capabilities and storage. Both of these portable computing methods have environment-specific threats as well as common threats that require specific protective measures. Remote connectivity can be as simple as standard dial-up access to a host mainframe or as sophisticated as remote node connectivity in which the remote user has all the functions of a workstation locally connected to the organization’s local area network (LAN). Remote computing in a standalone mode also presents very specific security concerns, often not realized by most remote computing users.

PORTABLE COMPUTING THREATS

Portable computing is inherently risky. Just the fact that company data or remote access is being used outside the normal physical protections of the office introduces the risk of exposure, loss, theft, or data destruction more readily than if the data or access methods were always used in the office environment.

Data Disclosure

Such simple techniques as observing a user’s remote access to the home office (referred to as shoulder surfing) can disclose a company’s dial-up access phone number, user account, password, or log-on procedures; this can create a significant threat to any organization that allows remote dial-up access to its networks or systems from off-site. Even if this data or access method isn’t disclosed through shoulder surfing, there is still the intermediate threat of data disclosure over the vast amount of remote-site to central-site communication lines or methods (e.g., the public phone network). Dial-up access is becoming more vulnerable to data disclosure because remote users can now use cellular communications to perform dial-up access from laptop computers.

Also emerging in the remote access arena is a growing number of private metropolitan wireless networks, which present a similar, if not greater, threat of data disclosure. Most private wireless networks don’t use any method of encryption during the free-space transmission of a user’s remote access to the host computer or transmission of company data. Wireless networks can range in size from a single office space serving a few users to multiple clusters of wireless user groups with wireless transmissions linking them to different buildings. The concern in a wireless data communication link is the threat of unauthorized data interception, especially if the wireless connection is the user’s sole method of communication to the organization’s computing resources.

All of these remote connectivity methods introduce the threat of data exposure. An even greater concern is the threat of exposing a company’s host access controls (i.e., a user’s log-on account and static password), which when compromised may go undetected as the unauthorized user accesses a system under a valid user account and password.

Data Loss and Destruction

Security controls must also provide protection against the loss and destruction of data. Such loss can result from user error (e.g., laptop computers may be forgotten in a cab or restaurant) or other cause (e.g., lost baggage). This type of data loss can be devastating, given today’s heavy reliance on the portable computer and the large amount of data a portable computer can contain. For this reason alone some security practitioners would prohibit use of portable computers, though increased popularity of portable computing makes this a losing proposition in most organizations.

Other forms of data loss include outright theft of disks, copying of hard disk data, or loss of the entire unit. In today’s competitive business world, it is not uncommon to hear of rival businesses or governments using intelligence-gathering techniques to gain an edge over their rivals. More surreptitious methods of theft can take the form of copying a user’s diskette from a computer left in a hotel room or at a conference booth during a break. This method is less likely to be noticed, so the data owner or company would probably not take any measures to recover from the theft.

Threats to Data Integrity

Data integrity in a portable computing environment can be affected by direct or indirect threats, such as virus attacks. Direct attacks can occur from an unauthorized user changing data while outside the main facility on a portable user’s system or disk. Data corruption or destruction due to a virus is far more likely in a portable environment because the user is operating outside the physical protection of the office. Any security-conscious organization should already have some form of virus control for on-site computing; however, less control is usually exercised on user-owned computers and laptops. While at a vendor site, the mobile user may use his or her data disk on a customer’s computer, which exposes it to the level of virus control implemented by this customer’s security measures and which may not be consistent with the user’s company’s policy.


Previous Table of Contents Next


-->
The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version are covering, however it is one of the best tool you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.