The Internet has transformed many business processes in a very short period of time. Everyone from SMEs to FTSE 100 companies will have been affected by the massive growth in this now all pervasive form of communications. One of the biggest consequences of the Internet’s impact is the fundamental change in the nature of access to business systems.
Initially access issues associated with the Internet were essentially just an extension of existing methods and existing security measures. In essence, you knew who was accessing your systems and they knew what they were allowed to do. This has now fundamentally changed because the security perimeter has all but disappeared.
Previously your security perimeter was based upon information security within the boundaries of your organisation. Now that perimeter has crumbled. Between 2002 and 2004 remote access to systems nearly doubled, going from 28% to 52%. Even more spectacularly, wireless networks mushroomed during the same period from a mere 2% to 34%.
A key driver in increased remote access is the major growth in laptop usage, with laptops predicted to exceed PC sales in 2005, and with wireless being a significant factor in laptop purchases.
Alongside these major changes in systems access there has been a continuing growth in the levels of access required. While email and intranet access remain major drivers, access to core business systems and data has also grown significantly. There are many reasons for the growth in laptop usage and remote access, including convenience and increased employee mobility. Also important is the growth in teleworking, which has been driven by employee demand, as well as government and employer initiatives. According to the Office for National Statistics (Oct 2005), there are 1.8 million teleworkers, with the majority working in different places and using home as a base.
The increasing benefits from mobile working, coupled with the convenience of wireless, will continue to drive this trend. Gartner group predicts that by 2007, 20 million people in Europe will be practising teleworking.
While these changes provide benefits for major corporate and public sector organisations, as well as for employees, they also bring a broad range of security and access control challenges. Foremost amongst these is employee ignorance and negligence regarding security.
A recent ICM European poll reveals some of the problems. 21% of workers allow family and friends to use company laptops and PCs to access the Internet, thus exposing the device and the network to threat; 51% of workers access the Internet for personal use; 10% admit to downloading inappropriate content; and over half didn't know how to update their anti-virus protection. This may also explain why, while the vast majority of organisations have anti-virus (AV) deployed, nearly half had a virus-related incident in the last year.
Alongside this ignorance and negligence, the nature of the threats from increased access has grown and evolved. Problem areas include:
Even though the danger of identity theft has a high visibility, with many reported cases, it is clear that the message has not noticeably affected users' security awareness. Recent research by the Federal Trade Commission noted that damage and loss resulting from ID theft and cyber crime among American adults has increased to nearly $50bn annually.
This is backed up by a recent survey by RSA Security (Sept 05). More than 70% of respondents provided their mother's maiden name, 90% provided their date and place of birth, over half explained how they devised their passwords and nearly 85% provided their full name, address and email address.
This survey mirrors similar surveys carried out in the UK, where social engineering techniques have been shown to be incredibly successful in collecting all the information required for identity theft. It's little wonder then that "phishing" attacks, where fake emails masquerade as genuine communications from banks, eBay, etc., and ask for confirmation of personal details, are so successful.
The growth of wireless deployment has been phenomenal, but has not been matched by a corresponding deployment of security. According to the Department of Trade and Industry (DTI) survey, only one in five organisations used any form of encryption and over half of all organisations deploying wireless had no additional security controls at all.
Awareness of the risks involved in broadcasting log-ins, passwords and key company data has lagged well behind wireless usage. These risks include breaching data protection regulations, the illegal use of wireless bandwidth by others (with all the legal implications this entails), theft of personal information (including passwords), identity theft, and opening up the corporate network to data theft and financial fraud.
Another topic much in the news is Spyware, which can be picked up by a variety of methods. You can be infected through browsing websites, through emails or from peer-to-peer and other downloaded programs.
Spyware covertly gathers user information and activity without the user’s knowledge. Spy software can record keystrokes as you type them, passwords, credit card numbers, and sensitive information. It can record exactly where you surf and your chat logs. You do not have to be connected to the Internet to be spied upon.
Another major threat to the organisation from remote access users is that the defence levels of anti-virus and personal (or hardware) firewalls may not be updated to deal with current threats. This is particularly prevalent where machines are used by more than one member of the family, where corporate standards are not being adhered to.
With most users having administrator rights, it is easy for them to switch off personal firewalls, decline AV updates, etc. For devices outside the network, it is often difficult to ensure that they are updated with patches as new vulnerabilities surface – a major task given that there were 2780 vulnerabilities reported by the United States Computer Emergency Readiness Team (US-CERT) for Microsoft and multiple operating system environments during 2005.
Other policy abuses
Included amongst these are the installation of unauthorised software, which not only increases vulnerability but also moves the device outside the perimeter of IT threat awareness, with each additional program loaded increasing the level of threat. Some recent examples include Macromedia, Google search bar and web accelerator, Instant messaging (IM), CDs and Skype, all of which have had security issues. And of course the use of peer-to-peer for music and film downloads has a range of legal and security implications.
The rapid growth of wireless, remote and mobile working is creating a significant increase in the risks that organisations face. All the indications are that this growth will continue, and indeed accelerate. It is clearly time to review what actions are required to manage access risks. In this environment, attempting to “backfill” security is going to be difficult and subject to active or passive resistance from users – and much more expensive than getting it right in the first place.
What can we do about these challenges? A bite at a time is the best approach and some quick wins make it an easier case to sell to all involved. The security issues raised by increased access are just additional risks to be managed, and IT has always been about risk management. However, in many cases, the move from inside to outside of the network perimeter has not been accompanied by either risk assessment and management, or by the education of the management, staff and users involved.
Risk assessment is an excellent place to start and it should be a fundamental component of any wireless and mobile deployment. It will ensure that, not only is security factored in at the beginning of the project, but that everyone involved is aware of the risks. Review all security policies to make sure that they reflect current realities.
Passwords and authentication – Static passwords are woefully inadequate for remote and mobile users, with huge identity theft risks (particularly for wireless), because a password that is captured, phished or guessed can be replayed indefinitely. The answer is to deploy strong two-factor authentication, where the second factor is a one-time code from a token the user holds. Companies such as VASCO and Secure Computing provide low-cost, token-based solutions that can be easily deployed for remote users.
SSL VPNs – Consider using encrypted secure sockets layer (SSL) VPNs, alongside or instead of IPsec VPNs, as SSL can provide lower cost, easier to manage connections for large numbers of remote users. This is a growing area and there are a wide range of solutions from WatchGuard, Citrix, AEP, etc.
Regular Updating – Make sure that users regularly update AV and firewall software. Failure to do so, alongside password and unauthorised software related issues, makes up the majority of remote help desk problems for organisations.
Wireless – Ensure that all traffic is over VPNs and is encrypted. Don't use Wired Equivalent Privacy (WEP) for encryption: its key recovery attacks are well known and a WEP key can be recovered from captured traffic. Use WPA or, preferably, WPA2 (the certification of the IEEE 802.11i standard, with AES-CCMP encryption rather than WPA's TKIP), and ensure that users always operate with it switched on – the default for devices is with it switched off.
If you have remote wireless LANs, ensure that the service set identifier (SSID) is changed from the default. Don't change it to something blindingly obvious like your company name (or, as seen by startled laptop users at a US airport, "control tower"). Bear in mind that renaming or hiding the SSID is housekeeping, not a security control: the SSID is still transmitted in clear when clients connect, so encryption remains the real protection.
Implement media access control (MAC) filtering as an additional layer. A MAC address is the hardware address of the network interface, so restricting access to devices whose addresses you have authorised keeps out casual or accidental connections. It is not a defence against a deliberate attacker: MAC addresses are sent in clear in every frame and can be cloned on most operating systems in a single command, so MAC filtering must sit alongside, never in place of, WPA2 encryption and proper authentication.
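As an added illustration (not configuration from the article or from any vendor it names), the two fragments below are hostapd access-point configurations: the first is the kind of WEP setup the DTI survey describes, the second applies the advice above. The interface name, SSID, passphrase and ACL file path are assumed placeholders.

```ini
# --- WEAK: do not deploy. WEP with a 104-bit key and a default-style SSID. ---
interface=wlan0
ssid=CompanyName
wep_default_key=0
wep_key0=0123456789ABCDEF0123456789

# --- CORRECTED: WPA2 (802.11i) with AES-CCMP, non-identifying SSID, MAC ACL as a secondary layer. ---
interface=wlan0
driver=nl80211
ssid=bld7-ap3            # assumed: non-default, does not name the organisation
hw_mode=g
channel=6
wpa=2                    # WPA2 only; never 1 (WPA/TKIP) or 3 (mixed) on new deployments
wpa_key_mgmt=WPA-PSK     # for a corporate WLAN prefer WPA-EAP (802.1X) so each user authenticates individually
rsn_pairwise=CCMP        # AES-CCMP; do not add TKIP
wpa_passphrase=replace-with-a-long-random-passphrase   # assumed placeholder, 8-63 characters
macaddr_acl=1            # 1 = accept only addresses listed in accept_mac_file
accept_mac_file=/etc/hostapd/accept.mac                # assumed path; MAC filtering is trivially bypassed, so it is a convenience control only
```

The passphrase is the only thing standing between a WPA2-PSK network and anyone in radio range, so it should be long, random and rotated when staff leave; per-user credentials via 802.1X remove that shared-secret problem altogether.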
Obviously, make sure that any end points are securely placed (easier said than done, as the DTI survey showed that only 23% of end points were securely placed).
Make sure that your users have a wireless firewall/VPN, to not only protect them, but also to manage encrypted VPNs from the wireless device. Companies such as WatchGuard and Check Point provide centrally manageable solutions in this area.
Bear in mind that a key requirement for remote firewalls, wireless or static, is to be able to deal with current and future threats, which include packet and, increasingly, application level attacks. Many cheaper remote firewalls are incapable of dealing with application level attacks.
Beyond the quick fixes, we should look at the usual solutions and also the radical ones. The usual solutions are to assess risks and to defend the most serious, to get management commitment to security as a key business issue, and a realistic budget directly associated with project budgets, not as an add on. This is particularly difficult around wireless deployments, where convenience is a key driver and security is often mistakenly perceived as a detriment.
Education – A policy written in a handbook, and often currently unenforceable with remote users, leads to a disregard for all security. Positive education of the benefits of security, what to avoid, coupled with positive management reinforcement is worth a thousand handbooks.
Auditing – Another way of improving remote access security is to audit the applications that remote users are running. If they are using company equipment, you have a legal responsibility for it (Fast.org.uk). Also consider ensuring that auto update features are enabled.
Whose kit is it anyway? Many issues around protecting the organisation from remote users consist of trying to protect company equipment from the effects of use, misuse, negligence and abuse by users. This can include personal use by them, their families and sometimes also their friends.
An increasingly popular approach is endpoint security (EPS). EPS systems control the individual device accessing the network. Such systems come in varying shapes and combinations, but basically they cover three elements: policy management, access rights, network protection.
Some solutions combine anti-virus with firewall technologies. Some combine intrusion prevention, standard firewall rules and application protection. Others focus on regulating the applications running on the system. A number also manage access rights based on the security status of the device – e.g. is the connection wireless?
EPS solutions can determine the policies that the remote/mobile connection device can be used for and apply these policies. Coupled with central management, they can also ensure that firewall, AV and security patches are used when they should be.
Many EPS solutions enable you to decide which level of access to provide, based on the current level of security of the user´s machine. This approach lets you reclaim management of your remote kit, decide what policies to implement, secure it, and protect your network.
You will have to start by assessing what your risk is and then implement the most appropriate EPS solution. How does mobile working affect your business and how can you protect it? Is your main issue that you have users out there who keep coming back inside the network having been exposed to trojans and spyware, virus attacks, etc.? Is the policy issue the important thing for you? Are access rights a key factor? Are you exposed to risks from users running wireless at home or on the move?
Some products, such as SkyRecon's StormShield, will allow you to determine the access rights you give to users depending on where they're connecting from (e.g. a wireless hotspot). Or you may control access depending on the security status of the device. For example, you will probably want to restrict access for someone running a machine that hasn't applied the latest patches, or whose AV signatures are out of date, until it has been remediated.
You also need to consider the level of control you have over remote users. If staff or customers are connecting using their own machines, you will have a different level of control than if they're using company equipment: you cannot verify the posture of a device you do not manage. In this case, access rights become a more important element than remote policy management.
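The decision an EPS agent makes at connection time, written out as an added example (not code from any product named in the article): the device reports its posture, the policy maps that posture and the connection origin to an access tier, and the reasons are returned so the user can be told what to fix. The posture attributes, the seven-day signature threshold, the access tiers and the rule that a healthy device on a public hotspot gets limited access until it is on the VPN are all assumed policy choices.

```python
"""Endpoint posture -> access tier, the core of an endpoint-security / NAC policy.

Added example; the attributes, thresholds and tiers are assumptions, not any
vendor's schema. Unmanaged (user-owned) devices cannot prove their posture, so
they never receive more than limited access regardless of what they report.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Access(Enum):
    FULL = "full"            # intranet plus core business systems
    LIMITED = "limited"      # email and web proxy only
    REMEDIATE = "remediate"  # patch, AV update and VPN servers only
    DENY = "deny"


@dataclass(frozen=True)
class Posture:
    managed: bool                 # company-owned, agent installed and reporting
    av_running: bool
    av_signature_age_days: int
    firewall_on: bool
    missing_critical_patches: int
    connection: str               # "corporate_lan", "vpn", "home_wifi", "public_hotspot"


MAX_SIG_AGE_DAYS = 7  # assumed policy threshold


def decide(p: Posture) -> Tuple[Access, List[str]]:
    """Return the access tier and the human-readable reasons behind it."""
    if not p.managed:
        # BYOD / customer kit: nothing it reports can be trusted, so rights, not
        # remote policy management, are the control here.
        return Access.LIMITED, ["unmanaged device: posture cannot be verified"]

    reasons: List[str] = []
    if not p.av_running:
        reasons.append("anti-virus not running")
    if p.av_signature_age_days > MAX_SIG_AGE_DAYS:
        reasons.append(f"AV signatures {p.av_signature_age_days} days old")
    if not p.firewall_on:
        reasons.append("personal firewall disabled")
    if p.missing_critical_patches > 0:
        reasons.append(f"{p.missing_critical_patches} critical patch(es) missing")
    if reasons:
        # Managed but unhealthy: quarantine to the remediation network so the
        # user can update, then reconnect and be re-evaluated.
        return Access.REMEDIATE, reasons

    if p.connection == "public_hotspot":
        # Healthy, but on an untrusted link: core systems only through the VPN.
        return Access.LIMITED, ["public hotspot: core systems require the VPN"]
    return Access.FULL, []


if __name__ == "__main__":
    # Constructed sample devices, not real telemetry.
    for label, dev in [
        ("healthy on VPN", Posture(True, True, 1, True, 0, "vpn")),
        ("healthy on hotspot", Posture(True, True, 1, True, 0, "public_hotspot")),
        ("stale laptop at home", Posture(True, True, 30, False, 2, "home_wifi")),
        ("family PC (BYOD)", Posture(False, False, 999, False, 9, "home_wifi")),
    ]:
        tier, why = decide(dev)
        print(f"{label:22s} -> {tier.value:9s} {'; '.join(why)}")
```

Because the tier is derived from attributes the agent measures rather than from anything the user asserts, a user who has switched off the firewall or declined AV updates (the administrator-rights problem noted earlier) lands in remediation automatically; the agent itself therefore needs tamper protection so that a local administrator cannot simply report a clean posture.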
With a range of solutions from companies such as Check Point, SkyRecon and Premeo, EPS is an increasingly important and popular route to securing and managing remote access to the network.
The continued strong growth of mobile, remote and wireless use brings security risks which threaten the whole organisation. In many companies, there is a gap between the actual security risks and the internal recognition of the risks, particularly around wireless. Until there is greater management perception of the danger and effective user education, security solutions will be difficult to deploy and even more difficult to manage.
“Backfilling” security is expensive and difficult. However, the adoption of some easy-to-apply solutions and the use of endpoint security provide a potentially fresh route to ensure effective security policy management for the ever increasing number of remote users.