Here’s something to do the next time you're waiting in line at the airport security checkpoint: Count how many of your fellow travelers have a computer with them. On a recent business trip I figured two out of three passengers were packing laptops. If your job description happens to include protecting your company’s information, that 66 percent is a worrying statistic. Unlike the servers and desktop machines back at the office, laptops on the road are beyond the control of the IT department. Each one represents a bundle of valuable data and, in many cases, a set of keys to the enterprise network (in the form of remote access credentials). This article describes some of the challenges that businesses face as they struggle to keep mobile data secure, and provides some practical suggestions on how to achieve that goal.

A Tale of Two Hotels

Just to be clear on the scale of the problem, consider a couple of data points. First, the Travel Industry Association of America (TIA) estimates that Americans will make more than 140 million business person-trips in 2004 (one person-trip = one person traveling 50 miles or more for business purposes, one way, away from home or including one or more nights away from home). However, as you probably know from personal experience, business laptops also travel quite frequently on non-business trips, and the TIA estimate for the number of those we will take in 2004 is over one billion.

The second data point, on which there are few statistics but some solid anecdotal evidence, is that laptops are now targeted by data thieves. Take the case of the research employee who flew to a conference in Europe and left her laptop in a hotel room for a few hours. During that time the machine was taken apart, the hard drive removed, cloned, and the whole thing put back together, none of which was discovered until some time after the employee returned to the office. The value of the cloned data to a competitor? Several millions of dollars. And it's unlikely anyone other than a competitor would have gone to that much trouble to acquire it so stealthily.

Of course, breaking into hotel rooms is a risky business, which is why an unethical competitor, or any other malicious interloper, might first try a much safer tactic: access the victim's hard drive when he or she connects to the Internet from a hotel room. Unfortunately, at too many hotels today, this is a very easy procedure. Consider the view provided in Figure 1. This is a screen shot of Windows Explorer in the act of exploring guest computers connected to the Internet at an up-market hotel in Washington, D.C. (it has a AAA Four-Diamond rating).

Figure 1: Business files exposed on a hotel network.

There's a lot of potentially valuable information here. The machine appears to belong to someone in sales and marketing. The exposed files and folders could be a gold mine for a competitor. Ironically, the 'good stuff' is easy to find because most of us label our files and folders in a logical way, thus providing a handy road map to an intruder. If this hard drive belonged to one of your employees, a competitor might zero in on the '04estimates' folder or the 'sales projections' document. Note that this type of industrial espionage does not require sophisticated hacking tools, just a basic knowledge of Windows and its built-in capabilities.

Obviously, this hotel has a security problem, not the kind of security problem hotels normally worry about--making sure guests are physically secure--but a security problem nonetheless. Before we talk about how to solve this problem, it will be helpful to understand how it arose in the first place. The most likely answer is probably the simplest one: nobody thought about what would happen if, in order to provide guest rooms and meeting rooms with high speed Internet access, you connected all of the rooms to a network that was then connected to the Internet. After all, that is how many offices, and an increasing percentage of U.S. households, connect to the Internet.

Indeed, computer networks were invented so that multiple machines could share expensive resources, from mass storage to expensive printers to broadband Internet uplinks. The problem arises when you try to apply a traditional 'open' network architecture to a hotel facility. Hotel guests are not the same as co-workers or family members and they need a different kind of network, one that is 'closed,' allowing them to access the Internet without exposing their hard drives to strangers.

Unfortunately, failure to provide a closed network in a place like a hotel produces problems that go beyond industrial espionage. In Figure 2 you can see a guest computer at another up-market hotel, during a medical conference. You don't need to be an expert in the privacy regulations imposed by HIPAA to know that this screen shot could be evidence of, or a prelude to, a privacy violation.

Figure 2: Medical files exposed on a hotel network.

As in Figure 1, the names of the folders and files tell the story: data that should be private is exposed to strangers. Bear in mind that in some hotels, where there is wireless Internet connectivity, those strangers are not just other guests but can include someone parked outside with a Wi-Fi laptop. Indeed, the Washington hotel mentioned earlier was found to have the signal on its wireless access points turned up so high you could log on from two blocks away. How could someone who is not a guest log on to the hotel network? The answer is depressingly simple. Because the hotel provides the wireless service to guests at no charge, the hotel decided to skip the authentication process completely and require no room number, no access code, nothing.

Defensive Measures

Fortunately, not all hotels are like that. At the end of the article you will find some tips on finding less dangerous places for you and your data to stay when you are on the road. However, it may not be fair to lay all of the blame for egregious security lapses like those in Figures 1 and 2 on the hotels involved. If the owners of those machines had used some basic precautions, their files would not have been so exposed. Even though the lax security of the network would have allowed an attacker to probe for holes, two simple measures could have kept them out. You would be well-advised to use these measures yourself when traveling with your company laptop, and establish them as company policy if you are responsible for the security of company data.

First, file and printer sharing should be turned off. You may well use file and printer sharing on your laptop when you are plugged into the office network, but you either don't need them or shouldn't use them when you're connecting to the Internet from a hotel or wireless hot spot where they only serve to make it easier for someone to get to your hard drive. Second, a personal firewall should be installed on the laptop and turned on. There is a basic firewall built into Windows XP, but it is not turned on by default. When the laptop leaves the office the XP firewall should be turned on, and you should probably supplement it with a good third-party personal firewall (these are a must for operating systems other than Windows XP). Both Zone Alarm and Sygate Personal Firewall work well without asking too many questions of the user.

You can check how well these two measures work before you go on the road by using one of the testing services, such as Sygate's S.O.S. test (http://scan.sygate.com) or Shields Up (accessible from here http://www.grc.com). If your laptop is properly configured for travel it should pass these tests and be a lot harder for others to detect or explore than the ones shown in the pictures. Indeed, while the hotels at which those pictures were taken were clearly doing a poor job of protecting the data on their guests' computers, the guests themselves should have been doing a better job. If a lawsuit were to result from the harmful exposure of sensitive information on one of these machines it is hard to say where the courts would lay the bulk of the blame. Attorneys for the plaintiff, with their natural tendency to look for deep pockets, might try to pin blame on the hotel, but the owner of the computer could also be judged negligent for failing to take either of the two basic security measures we have outlined.

Going Further

If you are serious about the security of your information there are five more measures you should take. The first of these is something you must do before you leave for the airport: back up your data. Having a laptop stolen while traveling is bad enough but failing to keep a replacement copy of your data only adds insult to injury. The second additional measure is more of a strategy: decide which data on your laptop are the most valuable then a. store them on removable media, and/or b. consider leaving them behind. Nowadays you can store hundreds of megabytes of data on a removable card device the size of a postage stamp. Why not use one of these for your most important documents and keep it separate from the laptop when not in use? Or leave the really valuable data back at the office, behind the company firewall, where you can access it via VPN.

Which brings us to the third extra precaution, the use of a VPN or Virtual Private Network. When you are on the road you should not be checking email through an unencrypted link. Your company should be providing VPN access to company email so that none of the messages are transmitted 'in the clear.' Likewise, remote access to data and applications on company servers should be via a VPN (the hotel Internet service provider for which I work, STSN, actually certifies corporate VPNs to make sure they work properly at hotels that use STSN for broadband connectivity).

The fourth 'extra' step is to make sure you are running an anti-virus application that has been freshly updated. In fact, some VPN clients can be configured to deny access to machines that do not have current anti-virus installed and operational. They can even check to make sure you have an active firewall in place. The final precaution is a lot less technical: don't leave your laptop unattended. If you can't stand the thought of taking it to dinner with you, put it in the safe in your hotel room. If there is no safe in the room, the front office will have one that you can use. If you choose to lock your laptop in the trunk of your rental car but do this BEFORE you reach your destination (yes, some thieves do watch restaurant parking lots to learn which trunks to pop).

Final Steps

All of these measures make sense regardless of where you travel, but you can further boost the security of your mobile data if you stay at hotels that use a 'closed' network, as opposed to the 'open' ones shown earlier. For example, all of the hotels listed at www.stsn.com/hotel_locator.php use a closed network so that you won't be able to see the hard drives of your fellow guests and they won't be able to see yours. In fact, the STSN hotel network architecture is so different from a typical network that it recently received its own patent. The secure hotel architecture is supplemented by dedicated back hauls from hotels to the Internet via secure points-of-presence, toll-free 7x24 support, and a VPN certification program that ensures your company's VPN will work securely over the STSN network.

As companies continue to tighten their perimeter security, fine-tuning their firewalls and access controls, the bad guys are bound to keep looking for the weak link, the easy way in. Increasingly, the chink in the enterprise security armor is the laptop that leaves the office. Now is the time to make sure yours is well-protected.

Roundup of laptop data protection tips for travelers.