Defending Against Insider Infections

The recent spate of viruses has exposed the dangers of providing network rights to laptops that operate both on and off the network. Non-corporate-controlled PCs represent the biggest challenge. Security organizations must employ both technology and policy to protect network resources.

META Trend: Security management will evolve into three functional areas: user, event, and configuration management. User management aggregation (identity management, provisioning) will mature rapidly (2004). Security event management consoles (collecting intrusion detection system, firewall, and host events) will remain out of the mainstream until 2005. Security configuration consoles (central distribution points for firewall, personal firewall, and eventually server configurations/policies) are the least mature, with viable integrated products appearing in 2006/07.

Numerous META Group clients are reporting virus infections that traverse well-designed perimeter defenses in the briefcases of consultants and other roaming users. Corporate laptop users should be protected with standard antivirus (AV) software, personal firewalls, and regular security patch management. But what about end users not under the IT management umbrella? Most organizations have a small army of consultants, outsourcers, business partners, customers, and other visitors that require network access in some form. Even organizations with a federated corporate or security structure must validate security compliance (e.g., patch levels, AV update level, security software installed, security process such as AV and firewalls running) on affiliate PCs before granting network rights. Best-practice security organizations are employing both written policy and technical means to ensure their network is safe from these roaming “Typhoid Marys.”

Before any technical solutions are deployed, IT organizations (ITOs) must first establish a clear policy and ensure that security compliance and acceptable usage education are embedded in the process. Computing facilities provided for non-contracted visitors should include instructions on how to use, help desk contact info, and brief security/acceptable-usage guidelines. For contract visitors, security policy compliance should be a contractual obligation with clear penalties for non-compliance. Shifting liability to the outsourcers/contractors creates an incentive for their ITO to prevent problems. However, embedding security compliance in business contracts will require consultation with the business and legal departments and may not be possible to append existing contracts. The ITO must perform random audits to ensure compliance before a security incident, particularly if no automated compliance technology is deployed.

The first step organizations should take is to identify and classify all non-corporate-managed users based on the trust level of network resources they require and the duration of that access. There will likely be three classifications of visitors:

• Guests: Short-term visitors who simply need to access the Internet to replicate e-mail, access Internet applications, and potentially download files
• Consultants: Temporary workers who work on-site and require access to resources inside the firewall such as corporate application and files
• Outsourcers/contractors: Permanent IT workers who work on IT systems

Policy-Oriented Approaches
Options for short-term “guests” include the following:

• Providing phones jacks and desks for simple outbound dial access. As applications get fatter, dial will become less and less useful for real work. Dial-up should be prohibited for users with network access, due to the potential to create a network back door.
• Providing a secure kiosk or loaner PC with restricted network rights and restricted/locked PC settings. File transfers to loaner PCs should be via e-mail, CD, or USB storage devices with AV software forced to scan all incoming files.
• Creating a “guest network” that is isolated from the corporate network.
• If the type and number of internal applications needed by guests are predictable, ITOs can route users outside the organization on the guest network and back into a secure portal (i.e., Citrix, Sybase) that includes host integrity/policy checking prior to providing access. This solution can also be exploited by employee remote access.

On-site outsourcers/contractors are the easiest to manage. The ITO should supply outsourced staff with corporate-issued and -managed PCs and treat such workers as employees (from an IT perspective). The corporate PC may be a rotated “loaner” machine for shorter-duration staff. ITOs should ensure that loaner PCs are locked down to prevent tampering, software installation (i.e., spyware), and infection. A best practice is to reformat the hard drive and install a new image on loaner PC before re-issue it to ensure it is secure, user levels are appropriate, and no residual confidential information is present.

Security Configuration Auditing of Non-Managed PCs
Consultants may require deeper penetration into the corporate network than guests, but typically for shorter duration than outsourcers. Although the aforementioned options will work for consultants, ITOs are increasingly looking for options that enable access to non-corporate PCs while still ensuring security policy compliance. However, ITOs should beware that forcing security policy compliance on non-owned PCs is still more an art than science. There are no silver bullets here. By 2006/07, we expect network vendors like Cisco to supply standard enforcement points (i.e., using Radius/802.1x) built into the network and Microsoft to provide configuration information (i.e., Next-Generation Secure Computing Base for Windows) for reporting/remediation. Until then, users will have to use a combination of tactical vendors and homegrown logon scripts.

The first option is to leverage existing configuration/asset management tools (e.g., from Configuresoft, Ecora, Novell, LanDesk, and Mobile automation) or security policy manager tools (e.g., Symantec ESM) that typically use lightweight/temporary agents to report on PC configuration. ITOs can use logon scripts to check for the agent and dynamically install it - with approval from the end user - if necessary. These tools typically can report only on compliance and cannot deny network access for non-compliance unless combined with logon scripts. Most tools can automatically or manually force policy remediation, but ITOs should not attempt any changes on visitors’ laptops, and instead should merely report on exceptions or revoke network access. These solutions are relatively expensive (i.e., $20-$100/PC) and practical only if existing tools can be leveraged across the corporation. Moreover, creation and maintenance of the multiple scripts necessary for compliance checking/enforcement of numerous combinations of security software (instead of simply checking for corporate standard software) are difficult and time consuming.

The most comprehensive, but also most intrusive, option is to install full corporate-issued client software such as a security-compliance-checking firewall and AV clients on visitor machines. PC AV software agents (e.g., from Symantec, Trend, McAfee, Sophos, CA) can automatically synchronize with AV policy management and download new signature files. Personal firewall software (e.g., from Sygate or McAfee) can perform numerous security policy checks and allow remediation-only access until necessary changes are complete. Installing permanent software on non-corporate-managed PCs is problematic because of potential conflicts with other security software issued by the consultants’ ITO. One solution is to take an initial image of the PC, re-image with a corporate build, and then return the original ghosted image at the end of the assignment. This type of solution is acceptable only for long-term relationships and needs the cooperation of both companies’ ITOs. Because of cost, administrative burden, and degree of intrusiveness of automated configuration auditing, the majority of organizations will select the more policy-oriented approaches previously described instead.

Business Impact: Network visitors can easily defeat even the best-designed security perimeter. Securing the network from non-corporate-managed PCs is difficult and costly. Business must work with the ITO to determine a cost-effective security strategy aligned with business goals for collaboration and actively support written IT security policies.

Bottom Line: ITOs must inform visitors of their responsibility for security and acceptable usage compliance and, when possible, formalize this in business contracts and end-user agreements. Due to technical limitations of checking and enforcing policy compliance on non-managed PCs, ITOs should prohibit all visitor PCs from the trusted network and provide managed PCs or isolated outbound network facilities for visitors when a significant business need exists.

META Group originally published this article on 12 November 2003.