In 2006, the specters of avian flu and global terrorism loom over the nation’s corporate boardrooms. Fear of disease and/or of physical attack has motivated management to depend more heavily than ever before upon Internet-enabled technology. In an effort to preserve business survivability many organizations are providing remote access via wireless technologies to their employees.
The remote-access phenomenon has in fact become a cultural reality in what might be called The Age of the Telecommuter. As demonstrated by the recent Veterans Affairs Administration compromise of 26 million veterans’ records, the telecommuter’s laptop has become one of the greatest operational risks threatening all network-intermediated organizations. The 2005 E-crime Watch Survey, produced by the U.S. Secret Service and the U.S. Computer Emergency Response Team, noted that 80 percent of U.S. cybersecurity incidents emanated from outside of the enterprises surveyed.
The dramatic increase in telecommuters has increased cyber risk immensely, with the compromised telecommuter becoming the digital insider. The securing of telecommuter PCs, personal data assistants (PDAs), and other specialized devices has become the most critical of tasks.
Strengthening the Weakest Link
Security is only as strong as the weakest link in the chain and, in the post-9/11 world, that chain is becoming increasingly frail. Once a hacker finds the weakest link in a network, he may, through the use of a backdoor Trojan, launch malicious code and vandalize, alter, move, or even delete files. A single compromised computer in a network could lead to the possible contamination of the entire network. Virtual private networks also are at risk of being compromised by hackers. The current modus operandi of many hackers is to attack remote computers through wireless systems so they will be able to use the virtual private network as their own.
If the criminal does not exploit the wireless connection, the next easiest way to attack a system is through a “sick” or compromised client computer. Therefore, if security administrators cannot rapidly remediate the vulnerabilities on every computer server and client, all other internal controls may be rendered useless. There is considerable evidence to suggest that the majority of large corporations are over-reliant upon perimeter security. Moreover, because of the vast number of devices involved and the geographical reach of most modern organizations, they find it impossible to maintain real-time situational awareness of the “hygiene/security” of their various technology assets. This reactive stance in the field of security represents a tremendous operational risk.
As business transactions are pushed outside of the traditional enterprise boundaries, critical data is often exposed. A combination of policy, procedure, and technology is required to mitigate if not totally eliminate the risks involved. Today, telecommuter security begins with an Acceptable Use Policy for Remote Access that emphasizes the rules of proper cyber-hygiene as well as proper computer use that must be followed. A few examples: Instant messaging should not be allowed. Virus scanners and software patches should be updated on a weekly basis. Laptop hard-drives must be encrypted. And no one should use a specific computer except the person authorized to do so.
Common Sense and Modern Realities
In addition, certain technologies can and should be put to use that can reduce the possibility of the hacker becoming a digital insider. Virtual private networks, two-factor authentication, and encryption are just a few of the tools needed for survival in this amorphous realm.
Even with those and other security tools available, there are several specific common-sense rules that should always be followed in securing today’s increasingly mobile workforce. Among the most important of those rules are the following: (1) Users should be aware that almost all devices enter and leave a secure network several times a day; (2) once a device is out of compliance with the organization’s information-security policy, it must be restored quickly; (3) a rogue device may easily become a transit point for numerous hackers and thus can compromise the integrity of the entire network; and (4) telecommuters must remain in compliance with the organization’s information-security policy even when they are using non-corporate computers.
To deal with these and other challenging realities, information security officers must acquire technology that can, among other things: (a) authenticate devices before they enter a network; (b) impose a quarantine if and when needed; and (c) subsequently restore a rogue device to a compliant state.
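The gating loop just described (authenticate the device, quarantine it if it is out of policy, restore it, then admit it), checked against the Acceptable Use rules listed earlier, as an added illustration that is not part of the original article. The posture report format, the thresholds and the device records are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed threshold taken from the article's rule that virus
# scanners and patches be updated weekly.
MAX_UPDATE_AGE = timedelta(days=7)


@dataclass
class DevicePosture:
    """Constructed posture report an endpoint agent might submit at connect time."""
    device_id: str
    logged_in_user: str
    authorized_user: str
    last_patch: date
    last_av_update: date
    disk_encrypted: bool
    im_clients: list = field(default_factory=list)


def evaluate(p: DevicePosture, today: date):
    """Return (decision, findings): 'deny' (not remediable automatically),
    'quarantine' (hygiene failures to fix before admission) or 'allow'."""
    # Identity first: an unauthorized user makes this a rogue device,
    # not a hygiene problem, so no automatic remediation path applies.
    if p.logged_in_user != p.authorized_user:
        return "deny", [f"user {p.logged_in_user} not authorized for {p.device_id}"]
    findings = []
    if today - p.last_patch > MAX_UPDATE_AGE:
        findings.append("patches older than 7 days")
    if today - p.last_av_update > MAX_UPDATE_AGE:
        findings.append("antivirus signatures older than 7 days")
    if not p.disk_encrypted:
        findings.append("disk not encrypted")
    if p.im_clients:
        findings.append("instant messaging installed: " + ", ".join(p.im_clients))
    return ("allow" if not findings else "quarantine"), findings


def remediate(p: DevicePosture, today: date) -> DevicePosture:
    """Simulated quarantine step: push updates and remove IM clients.
    Disk encryption is only flagged; enabling it is left to an administrator."""
    p.last_patch = today
    p.last_av_update = today
    p.im_clients = []
    return p


def demo():
    """Constructed run: a stale laptop, the same laptop after remediation,
    and a rogue device presenting an unauthorized user."""
    today = date(2006, 6, 1)
    laptop = DevicePosture("LT-0042", "alice", "alice", date(2006, 5, 10),
                           date(2006, 5, 30), True, ["aim"])
    first = evaluate(laptop, today)
    second = evaluate(remediate(laptop, today), today)
    rogue = DevicePosture("LT-0042", "mallory", "alice", today, today, True)
    return first, second, evaluate(rogue, today)
```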
The information-security challenge is likely to become even more complex in the future, for at least two reasons: existing holes in an organization’s network security are likely to be kept open by criminal “crews” through the use of backdoor Trojans; and many organizations lack the resources needed to fully determine how compromised their networks have become. In an era of zombied client computers and zero-day attacks, it is obviously imperative that senior managers focus their efforts on developing and implementing a layered security program that includes, but is not limited to, proper systems administration and policy management.
Today, the weakest link in the security chain is the telecommuter. In order to preserve the secure enclave in cyberspace, it is crucial not only to recognize the modus operandi of elite hackers but also to ensure, through continuing oversight and policy management, employee compliance with the rules governing the use of all remote devices.
Thomas Kellerman is a Cyber Security Analyst and serves as a member of the Financial Action Taskforce Against Child Pornography, The Anti-Phishing Working Group and is an active member of the American Bar Association’s working group on Cyber-crime. He is a Certified Information Security Manager (CISM). He formerly held the position of Senior Data Risk Management Specialist on the World Bank Treasury Security Team, and was responsible for Cyber-intelligence and policy management within the World Bank Treasury.