Guarding against the threat of portable firewall circumvention

A few months ago, I put a new 10GB disk drive in my Macintosh 2400 laptop. That expanded the original capacity of the computer to the point where I could carry the basic business data for much of Harvard wherever I went — if I had a mind to do that and if the university was dumb enough to let me do it. Sounds unlikely, but all too many businesses let their travelling executives do things that are just about that dumb.

Businesses spend tens of thousands of dollars to install and operate firewalls to protect their corporate secrets from Internet intruders. But in doing so, too many seem to think that installing the firewall somehow magically makes all security problems disappear. There are a number of reasons why this borders on self delusion.

Every study that looks at the perpetrators of effective (if that is a reasonable word to use) network-based intrusion shows the majority are insiders, or outsiders working with inside help. Because firewalls do not keep out people who are already inside, they are of limited assistance in these cases.

Installing firewalls also tends to make users and sometimes network managers so complacent that they forget the basics of good network security, such as using good passwords or physical token-based authentication.

This does not mean organizations should forego the use of firewalls, but it does mean they should not assume firewalls are some sort of magic pill that cures stupidity.

Firewalls certainly do not cure the stupidity of corporate executives carrying piles of corporate and often private secrets in plain-text files on their laptops and palmtops. A lot of information tends to pile up on these machines: copies of old e-mail, spreadsheets of budgets, proposals for changing corporate direction or for new products, even auto-logon scripts for dialling in when on the road.

There might be more effective ways to find out what is going on in a corporation than to steal the CEO’s laptop, but it would take me a while to think of one.

For a while there have been products around to keep laptops from booting without entering a password, plug-in card or serial port attachment, but these can be circumvented by moving the disk drive to another computer.

There is also software that lets the user encrypt files on the disk, but the reliability of this software depends on the reliability of the user taking the time and trouble to do the encryption every time — and not writing the password on the laptop case. The only safe ways to carry corporate secrets on a laptop is to not do so or encrypt the whole disk, and there are products to perform that function. In the end, it is cheaper to lose the data due to a forgotten password than reveal the secrets to the wrong person.

Disclaimer: Harvard’s business is not curing stupidity, it is nurturing intelligence. The above is my own too-full disk.