How To Secure and Manage Mobile Computers
Securing and managing mobile computers is a great way to build and improve your customer relationships. It requires regular contact and interaction with clients and their gear. Because your job is to maintain security, you have a valid reason to keep up with your customers' growth and expansion plans -- and to keep a foot in the door to offer more work and services as changing needs indicate.
In the wake of recent, widespread virus infections -- including Blaster and SoBig -- many small and medium businesses (SMBs) have had to clean up their laptops. While most SMBs protect their internal office networks with firewalls and other anti-virus tools, their mobile computers are largely unprotected. Even large companies were vulnerable; some saw entire sales teams forced offline by computer-virus attacks.
Here's your opportunity. As an independent system builder, you can help customers decide which mobile computers need managing, and how those machines can be best managed. Once your customers' laptops are properly secured, you can then establish regular regimens to keep the machines safe and secure. You can also offer "emergency response" services, so that if specific threats or vulnerabilities appear, you can fend them off immediately.
Interested? There are basically two approaches you can take:
1. Manual Update: You use remote access to your customers' laptops for updates and management.
2. Automatic Update: You use special-purpose management tools to both track customers' laptops and provide access to "update packages" via e-mail or the Web on an as-needed basis.
I'll explore these two approaches later in this Recipe. But regardless of which approach to laptop management you choose, there are three steps you'll need to follow to get started: First, take an inventory of both your customers' laptop machines and their current security posture. Second, work with your customers to establish a security baseline for their laptops; make sure they're safe from current sources of threat or infection. Third, ensure that proper communications and services are implemented to protect customers' laptops -- and the networks they connect to -- from unauthorized access, eavesdropping, and infections.
Let's dig in. In the sections that follow, you'll find a recipe for laptop management, starting with the required tools and ingredients and continuing with step-by-step instructions for necessary tasks and activities.
Inventory Ingredients
For the initial inventory and security posture analysis, you'll need at least some of the following tools and techniques:
- A system inventory/management tool and a security-evaluation tool. A good example of the former is the PC-Duo modular desktop-management software from Vector Networks. One good example of the latter is Microsoft's Baseline Security Analyzer, though lots of other great PC- and Web-based security scanners are also available. These tools help you document what you'll be working with, and illustrate what kinds of threats and vulnerabilities need mitigation.
- Automatic update services. These are for customers who want sophisticated, automatic update services. Products in this category include Fiberlink's Global Remote or VPNterprise. These products are designed to impose, enforce, and maintain formal security and communications policies for laptops and other mobile equipment.
- Software- and systems-management packages. Enterprise packages including Microsoft's Systems Management Server, Tivoli's management framework, and CA UniCenter can be adapted for remote management. These packages typically incorporate update packaging and distribution mechanisms -- including e-mail, Web push, and FTP -- that work with onboard management clients on remote machines. Once updates for laptop operating systems, applications, security patches, and so forth have been made available, these enterprise software packages can be set to require mobile computers to keep current with and apply them the next time users log in.
- Computer files to document customer laptops. This means first giving each system a unique name. Second, it means documenting each machine's operating system; applications; type of Internet link; security settings and components (firewalls, anti-virus software, anti-spam tools, etc.); plus installed updates, patches, and fixes. Although it may seem like out-and-out housekeeping, this is an important step because it identifies the machines you'll be working with, and describes their current configurations and contents.
- Remote-control software and addressing information to help access customer laptops. This means working with a product like Symantec's client/server package pcAnywhere, or the Web-based package GoToAssist. Alternatively, you can build e-mail attachments or Web-accessible downloads for laptop users to access to help drive the update delivery process from their end.
- A set of requirements for laptop users' Internet and corporate network access. If it helps you to understand what's needed, think of this list as a security policy document for remote and Internet access from mobile equipment. Thus it could easily be captured in a Word document for customer review and approval. As you create this document, be especially attentive to the needs for access to sensitive or proprietary data, since it mandates use of secure communications software like a virtual private network (VPN). It's unsafe to assume that unencrypted e-mail or other basic IP service traffic (such as Telnet and FTP) is secure. It's normal to require remote users to use secure methods for such access.
- A report template. You'll use this to deliver initial assessment and remediation advice to customers who wish to secure their laptops. You'll also use it to keep those laptops secured thereafter. See Microsoft's Protect Your PC security advisory for key elements in a minimal set of such elements. You can also use security-scan reports and inventory information you accumulate during assessment scans to structure your customer report, and to supply much of its contents.
- An inventory form. You'll use this to capture descriptive information about systems, software, and security components either already in use or which you'll propose to establish proper security. For each item, be sure to capture name, version, updates already applied, and a URL for vendor information or update notification.
Maintenance Ingredients
For the subsequent security maintenance work you do for client laptops, these ingredients will be helpful:
- Scanning and inventory tools, as described above. You'll continue to use these to help keep configuration data, system, software, and security inventories up-to-date as you make regular and emergency customer visits.
- A calendaring and scheduling program or service. For example, the calendar in Microsoft Outlook is workable if you have fewer than 100 customers. You'll use this to remind yourself when it's time to perform routine scheduled scans and maintenance for your customers.
- A documented security process or procedure. Use this to document all relevant security alerts, bulletins, and vendor notifications. This way, you can easily determine when client updates are needed. You'll also use this process to help you decide whether a customer requires an emergency response or can wait until their next scheduled update.
- Remote control software. Two examples are Symantec's pcAnywhere, mentioned above, and Danware Data's NetOp Remote Control. You'll use this to access your customers' laptops over the Internet. By the way, you don't need this software if you've already acquired a mobile-computing management solution like Fiberlink's, or a system-management platform; these packages already include built-in software management, distribution, and remote access.
- Disk space. How much? Figure on 2 GB to 3 GB on a special staging server or laptop management system, enough to keep all current patches, fixes, updates, and service packs on hand. In fact, because more space is always better than less, consider allocating a drive exclusively for such use, with per-customer or -machine directories to make access and upkeep easy. If you set up e-mail or Web-based delivery, this simplifies your job anyway. Here also, mobile management solutions normally require a dedicated staging machine, but build and manage such directories automatically.
As you learn more about the specific needs of your customers' laptops, you'll probably need to add ingredients to this list. That's fine. The better a job you do of identifying a customer's specific needs during your initial assessment and ongoing maintenance, the more protection you can provide them in the long run.
Initial Assessment, Step-By-Step
Now that we have our components assembled, let's take a look at the five steps involved in performing the initial assessment of your customer's mobile-computing security:
- Describe for your customer the services and capabilities you offer. Help them to understand the value of secure, well-protected laptops; you may want to package this as a Web page or downloadable white paper. Schedule an initial meeting.
- Visit the client and establish a method for accessing and taking inventory on all the customer's mobile computers in need of protection. Identify all of the customer's mobile computers, networks, Internet links, and security components in use. Document how the customer's mobile systems behave and communicate when used remotely, beyond the reach of in-house networks. Use your inventory to capture information about each system, device, or component you'll later be scanning or examining.
- Begin scanning to take inventory of the customer's laptops and mobile equipment, both on and off any in-house networks. Document everything you find, especially results that suggest or demand remediation. Also, identify patches, fixes, or service packs that must be applied; then rank them in priority order.
- Once the scanning and inventory are complete, work through the data you've collected to create per-system reports and remediation advice for your customer. Describe the current state of security, urgent vulnerabilities, and required remediation. Create a remediation plan that includes a budget to cover all costs, including labor, plus any necessary hardware and software expenses.
- Do whatever is necessary to establish a safe, sound security posture. Once you've hit that goal, the initial assessment and remediation phase ends.
Ongoing Maintenance, Step-By-Step
Once assessment and remediation end, regular maintenance and emergency-response drive your ongoing client relationships. The four most important steps involved are listed below. Remember to repeat these steps as scheduled or needed -- this is no "fix it and forget it" activity!
- Sign up for security bulletins, alerts, and advisories from all vendors or organizations whose operating systems, software, hardware, or security components your customers use. Also, sign up for one or more general security advisories, such as those from CERT, FedCIRC, and NTBugTraq, to augment vendor coverage. Stay current on patches, updates, and other items you can push out to customer laptops to keep their security protection up-to-date.
- As bulletins or advisories appear, examine them carefully for security coverage, particularly where patches or fixes are involved. Determine their priority: Critical items or vulnerabilities need to be dealt with as soon as possible, while items that shouldn't cause significant exposure to loss or harm can wait until regularly scheduled updates. To gain local access to necessary files, tools, and other materials, download them to a staging server or some other computer. Or compile a list of bulletins or alerts, and their download links, and make this list readily accessible to customers.
- Perform scheduled updates following customer schedules or contract obligations. Perform emergency responses as needed.
- Schedule regular consultations with your customers to review their security needs and plans. Also use these meetings to keep up with platform migrations, hardware introductions, and other foreseeable changes. An annual general security and platform audit is worth building into your client contracts, as is formal notification and the opportunity to provide input as clients work through IT infrastructure changes. Your job is to evaluate needs and plans, and to provide information and advice as it relates to security and computer management.
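The inventory form and the bulletin-triage step described above can be tied together in a short script. This is an added example, not part of the original Recipe: it checks each inventoried laptop against incoming bulletins and splits the missing updates into emergency responses and items for the next scheduled update. All machine names, product names, update IDs, and URLs are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Laptop:
    name: str        # unique system name from the inventory form
    software: dict   # product name -> installed version
    updates: set = field(default_factory=set)  # update IDs already applied

@dataclass
class Bulletin:
    update_id: str           # placeholder ID, not a real advisory number
    product: str
    affected_versions: set
    critical: bool           # True -> emergency response, False -> scheduled update
    url: str                 # vendor information / download link

def triage(inventory, bulletins):
    """Return (emergency, scheduled) lists of (laptop name, update ID) pairs."""
    emergency, scheduled = [], []
    for b in bulletins:
        for pc in inventory:
            version = pc.software.get(b.product)
            if version is None or version not in b.affected_versions:
                continue  # product not installed, or installed version not affected
            if b.update_id in pc.updates:
                continue  # inventory shows the update is already applied
            (emergency if b.critical else scheduled).append((pc.name, b.update_id))
    return sorted(emergency), sorted(scheduled)

# Constructed sample inventory and bulletins (hypothetical customer "ACME").
INVENTORY = [
    Laptop("ACME-LT-01", {"ExampleOS": "5.1", "ExampleMail": "2.0"}, {"UPD-0001"}),
    Laptop("ACME-LT-02", {"ExampleOS": "5.1"}),
    Laptop("ACME-LT-03", {"ExampleOS": "5.0", "ExampleMail": "2.0"}),
]
BULLETINS = [
    Bulletin("UPD-0001", "ExampleOS", {"5.0", "5.1"}, True,
             "https://vendor.example/upd-0001"),
    Bulletin("UPD-0002", "ExampleMail", {"2.0"}, False,
             "https://vendor.example/upd-0002"),
]

if __name__ == "__main__":
    emergency, scheduled = triage(INVENTORY, BULLETINS)
    print("Emergency response:", emergency)
    print("Next scheduled update:", scheduled)
```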
Here's another thing to consider: Depending on the number of customers you service -- and their levels of ability and sophistication -- you can handle mobile-computer management by creating well-documented, nicely-linked Web pages that tell customers how to take care of themselves. It's the ultimate form of manual update. Alternatively, you can sell clients highly-capable, highly-automated systems built around mobile or systems management products that handle everything automatically without forcing clients to do anything.
Ultimately, you'll discover what's optimal for each customer based on the costs they can bear and your ability to implement more complex offerings. But somewhere between helping customers do it themselves, you can find a mobile-computing security solution that fits both their needs and their pocketbooks.
ED TITTEL is a technology writer who has contributed to more than 100 computer books; a trainer; and a consultant who specializes in IT certification and information security.