BP Exposing 18,000 Laptops To The Internet

I think I’m reading this differently than you are. Here’s a quote from the article.

“We’ve moved 18,000 of our 85,000 laptops to an environment where they link to the internet by default,” he said, adding that BP believes it can “harden them” to the dangers of the web.

I read the word “it” as meaning “BP” not as “open exposure to risks.”

Here’s where I think they’re coming from (keep in mind, I’m a university mathematics professor and not a security guy):

Their employees connect into a secure LAN at work. These employees don’t understand that the reason that their computer is safe from attack at work is that they are behind a firewall and perhaps are protected by other goodies on their LAN. These employees thus get SLOPPY when they’re at lunch and make a less secure connection at a wi-fi hot spot. To protect the employees, the firewall and other protections are put on their machines. Thus, they no longer need the extra protection at work and are now more secure elsewhere.

Just my reading of the story. (Again … I may be way off here.)

That’s a valid argument, and it’s surely the reason they decided to do what they did. The problem is that they are then relying on a software firewall (and whatever other host security) to defend corporate-owned systems.

What’s on those laptops? Is anything on those systems that shouldn’t be handed out to the Internet? Probably.

Many systems are compromised from the inside via a user clicking on something and infecting themselves. What often happens then is the system then calls home over some arbitrary port and lets the master system know it’s ready for use.

Well, on a LAN the security staff has the ability to watch outgoing connections and try and stop this. They can inspect traffic on common ports to try and ensure that only legitimate traffic is flowing.

What can they do when the systems aren’t behind their own control device? Nothing. They rely completely on the host security of the laptop itself, and those systems are routinely compromised by sophisticated malware.

And god forbid the main firewall gets turned off, or a new zero-day exploit hits the Internet. Security at that point can’t deploy and IPS signature to “patch” the problem. Each of the 18,000 systems would have to be updated in order to get the latest defense.

All in all, the reason a network firewall has remained a primary security layer for all these years is because they are effective; you have a choke point for all traffic in and out. With this new system it’s like each system is fending for itself.

I mean, it’s true that they should be able to do that, but it doesn’t mean you throw them into the fray in order to test their strength. It’s just a bad risk management decision in my opinion.

Only completely trusted and full deny-by-default systems would be safe to attempt this with. A trusted system is much more secure than a merely hardened one, and I would still put it behind a firewall anyway, because they are still subject to human errors in configuration.

I dont think this is a bad thing. My company is a fortune 100 company and we’re in the midst of the same kind of effort.

The idea of “hard and crunchy on the outside, soft and gooey in the middle” is a terrible, terrible idea for security in the modern world.

the problem is that as computers are more mobile, corporate computers are frequently not always behind corporate firewalls. Employees take laptops home, to starbucks, to panera, and to hotels and airports. If you put all your security eggs in one basket (the perimeter firewall) then your laptops will be toast.

They’ll get compromised in the wild, and then your employees come back to the office, their PC’s will spread whatever they came back with all over the corporate LAN.

Not good.

The problem with laptops is that by definition, they wont always be in the corporate protection envelope. They WILL be out in the wild, otherwise the employee could just use a desktop and stay in the office all day.

Modern companies typically have many partnerships and relationships with consultants and contractors, many who need to bring their own computing equipment to work with them. Letting a consultant attach a non-corporate device to the network is asking for trouble, both in terms of information theft, corporate espionage, and again in terms of code infection.

Having layered infrastructure where nothing is unprotected is a great mitigation strategy for operating a large modern business.

The trick here is that they need to differentiate between “not putting laptops on the LAN”, and “keeping laptops on the Internet when they have the option not to be”.

In other words, if these mobile users come back to corporate and have the option to get behind a firewall (but not on the internal network), but the security team choses to keep them directly connected to the Internet for hours or days at a time, then they have a major issue and auditors are going to rock them.

But if they put them in some seperate “dirty” network, behind a firewall, while they are able to use such a thing, and simply mandate that they aren’t allowed on the internal LAN, then more power to them.

That’s what needs to be cleared up. If it’s the former then they have an issue; if it’s the latter then it’s a great idea.