Mobile devices are as essential to our lives and work as Ritchie McCaw is to the All Blacks in a World Cup final, that is practically a given.
Laptops, for example, allow people to go online, access work resources, solve issues remotely, and do any task they would normally do at their desk almost anywhere on the planet.
Hardly ground-breaking stuff maybe, but the problem Kiwi enterprises have with laptops, according to Emmanuel Carabott, Security Research Manager, GFI Software, is that securing these devices can be a bit of a headache.
While an organisation might have a very good patch management and vulnerability assessment policy, Carabott believes such policies may be difficult to enforce on devices like laptops because they may not be connected to the network when assessments are made.
“Laptops are great when you’re on the move but most people find workstations more comfortable to use,” adds Carabott, speaking to Computerworld New Zealand.
“This means that unless they need to transfer data from their laptop to the office network, that laptop might not be connected to the network for quite some time – missing out on important vulnerability assessments and critical patch updates.”
According to Carabott, who boasts specialist expertise within enterprise security, laptops are a great target for malicious attackers, with a stack of increasingly sophisticated methods used to thwart security policies.
“What do I mean?” asks Carabott, “like a lot of people with a job that requires us to be available at all times in case of emergencies, and regardless of where we are, I will always try to connect to any open access point to get Internet access.
“How many times have you been at an airport or in a hotel and have not tried to connect to a wireless access point? I’d say the majority will say ‘never’.
“Even if there are no emergencies we still feel we need to be proactive and be ready. Work apart, we still want to be connected: to stay up to date on what is happening, to communicate with family, co-workers and friends, to check email, update our social media profiles or simply to pass the time.”
While Carabott is stating the absolute obvious, that’s exactly the point she’s trying to make.
“It’s also obvious to attackers that people are going to try and connect to open access points,” he adds, “that’s a nice target.
“If they can infect a company-owned laptop, they might hit the big jackpot. It’s not that hard to pull off; you don’t really need a kernel level module or a signed piece of malware to succeed.
“An attacker can mimic a genuine access point and once you’ve connected, redirect you to their malicious page. They can ask you to install a client to get access to the Internet or try to exploit a browser vulnerability and install malware without user intervention.
“It’s not unusual for hotel / airport access points to redirect us to a gateway webpage. Signed or not, most people will not question an agent installation request and this is why it’s the perfect way in for an attacker.”
Carabott believes it’s also a very good reason why work laptops should be properly secured and that they are checked for vulnerabilities and missing patches regularly.
Security professionals are aware of this, understanding that a good patch and vulnerability management solution will have functionality to manage devices that are not always connected to the network.
But these devices need to be protected and that should not stop at the office door, Carabott insists.
“An employee typing their credentials on a laptop with a key logger installed by someone on the other side of the world will bring your security efforts to nothing; the effect is just as bad as if it were a workstation in the building,” he warns.
“No VPN and no encryption can protect you against that breach.”