Information Security News mailing list archives

Four questions to ask to stay secure in an anywhere, anytime world


From: InfoSec News <isn () c4i org>
Date: Fri, 19 Sep 2003 00:28:16 -0500 (CDT)

http://www.computerworld.com/securitytopics/security/story/0,10801,84781,00.html

Story by Scott Olson
WholeSecurity Inc.
SEPTEMBER 18, 2003
COMPUTERWORLD

We live in an era that increasingly demands anywhere, anytime access 
to all of our business resources. What started with giving pagers to 
our most critical employees has evolved into ubiquitous use of cell 
phones and Wi-Fi access almost anywhere, even in McDonald's. 

Most recently, we've seen a trend toward Internet-enabled 
applications, Web mail, intranet portals and new Secure Sockets Layer 
(SSL) virtual private networks (VPN). More employees want access to 
their e-mail, data and applications wherever they are. 

If you work in a large organization, chances are that you have 
anywhere, anytime access to corporate data and resources through one 
or more of the following applications: 

* Web mail: Microsoft's Outlook Web Access, IBM's iNotes products and 
  other programs allow access to e-mail from any machine connected to 
  the Internet. 

* Internet-enabled applications: Companies like Citrix Inc. and 
  Computer Associates International Inc. offer products that enable 
  access to corporate applications and data from any computer with 
  Internet access. 

* SSL VPNs: These VPNs don't require provisioned software on the user 
  PC, but rather they allow employees to connect from any device with 
  Internet access.

Organizations that use these types of software realize significant
benefits. Companies can reduce hardware and software costs, decrease
IT management overhead associated with provisioned software and reduce
help desk costs by providing a more user-friendly environment in which
resources can be easily accessed. All of this adds up to a
significantly lower total cost of ownership for these technologies.  
Managers recognize the value of this type of access, and employees are
demanding it.

But now the question is, how do the IT and security managers protect
these connections? It's hard enough to secure corporate laptops, which
for the most part are out of the direct control of the IT staff. The
problem becomes more difficult when the IT manager is faced with
protecting completely unmanaged, noncorporate systems used by
employees who are logging in from home, from a business partner's
machine or from a public kiosk.

The growing trend of Trojan horses and other eavesdropping software
makes anywhere, anytime access to company data risky. IT managers need
to understand and address the threat that exists on the endpoint to
ensure that anyone accessing corporate data is protected, even if they
are using a machine that's not owned by the company. As companies
embark on this challenge, they should consider the following
questions:

1. Why is endpoint security important for my organization?

What do Sobig.F, Bugbear.B, Fizzer and Blaster all have in common?  
They are all new versions of worms and malicious code that were
released in 2003 and put back doors and monitoring programs on the
infected computers. In essence, these new threats put the hacker at
the keyboard of the PC that had been compromised. Attacks today are no
longer simply propagating themselves and causing mischief, such as
denial-of-service attacks or harming system resources. These new
attacks are intended to enable the online criminal to watch the user
and steal any data, identity information or intellectual property that
they may access. Internet companies, banks and Fortune 500 companies
have all fallen victim to these threats.

2. How can I be sure that the endpoint is free of eavesdropping and
remote-control devices, such as keystroke loggers and Trojan horses?

Companies should consider adopting on-demand security that can be
delivered to any computer in a matter of seconds and that can provide
universal compliance with security policies on the endpoint in much
the same way that SSL has done for the network.

It is no longer sufficient to rely only on signature-based software to
catch and stop worms and malicious code. Not only are these solutions
reactive, but it is a challenge to keep antivirus software updated to
address each new threat (the Microsoft Blaster worm alone had eight
variants in a matter of weeks). Organizations should look for and
implement behavioral-based security software that doesn't rely on
signature updates to catch and stop these threats.

3. How can I protect systems that I don't manage or own?

At a minimum, companies should evaluate and implement software that
provides endpoint security in conjunction with their clientless access
to data and applications. This security solution should be
downloadable to the machine and should identify and eliminate threats
that could compromise the connection back to the corporate LAN. This
software should also be able to work in an environment where end users
don't always have full privileges to the machine.

4. How can I provide anywhere, anytime access while preserving the
user experience?

IT managers should look for and require security software that doesn't
put the burden of security knowledge on the end user. Requiring the
user to make security decisions means that the software will be less
effective and may also result in increased costs due to an influx of
help desk calls. The security software that is implemented should be
transactional in nature and therefore shouldn't require significant
installation, configuration or reboot to work. The software should
work within the time frame of the transaction and therefore should be
able to download and scan in a matter of seconds.

IT managers who address these questions will be best positioned to
embark on the critical first steps of ensuring security in an
anywhere, anytime world while still realizing the significant benefits
of remote applications.



-
ISN is currently hosted by Attrition.org
