Yesterday The Register pointed to an article on WashingtonPost.com that talks about how federal laptops must use encryption. That’s one small step towards securing laptops, but as I was saying the other day, I think there are a lot of other precautions that are flat out missed when it comes to corporate security and laptops.
Sure, you can encrypt the drive, and you can install firewalls, web application firewalls, and anti-virus, but can you protect it from spyware? Lots of spyware is not detected by anti-virus for some reason (to this day, I really don’t get why). Instead they sell different products which are not standard, or worse, let the user fend for themselves. So users end up downloading stuff like Microsoft’s Defender or Ad-aware (if they know to be paranoid about it). I haven’t yet seen one corporate laptop with anti-spyware installed by default for users.
If I can run arbitrary code on a laptop (whether that be an executable or even something as simple as XSS), that could be disastrous for corporate security. The scary part is that even without admin rights, XSS still poses a threat, as Jeremiah will discuss. Anyway, my point is, the government made a step in the right direction, but it was a very small baby step that doesn’t address some of the largest issues with laptop security and mobile computing platforms in general.