Analysis: The recent spate of viruses has exposed the dangers of providing network rights to laptops that operate both on and off the network. Non-corporate-controlled PCs represent the biggest challenge, hence security organisations must employ both technology and policy to protect network resources.
Meta trend: Security management will evolve into three functional areas: user, event, and configuration management. User management aggregation (identity management, provisioning) will mature rapidly (2004). Security event management consoles (collecting intrusion detection system, firewall, and host events) will remain out of the mainstream until 2005. Security configuration consoles (central distribution points for firewall, personal firewall, and eventually server configurations/policies) are the least mature, with viable integrated products appearing in 2006/07.
Numerous Meta Group clients are reporting virus infections that traverse well-designed perimeter defenses in the briefcases of consultants and other roaming users. Corporate laptop users should be protected with standard antivirus (AV) software, personal firewalls, and regular security patch management. But what about end users not under the IT management umbrella? Most organisations have a small army of consultants, outsourcers, business partners, customers, and other visitors that require network access in some form. Even organisations with a federated corporate or security structure must validate security compliance (e.g., patch levels, AV update level, security software installed, security processes such as AV and firewalls running) on affiliate PCs before granting network rights. Best-practice security organisations are employing both written policy and technical means to ensure their network is safe from these roaming "Typhoid Marys."
Before any technical solutions are deployed, IT organisations (ITOs) must first establish a clear policy and ensure that security compliance and acceptable usage education are embedded in the process. Computing facilities provided for non-contracted visitors should include instructions for use, help desk contact info, and brief security/acceptable-usage guidelines. For contract visitors, security policy compliance should be a contractual obligation with clear penalties for non-compliance. Shifting liability to the outsourcers/contractors creates an incentive for their ITO to prevent problems. However, embedding security compliance in business contracts will require consultation with the business and legal departments, and it may not be possible to append it to existing contracts. The ITO must perform random audits to ensure compliance before a security incident, particularly if no automated compliance technology is deployed.
Options for short-term "guests" include the following:
On-site outsourcers/contractors are the easiest to manage. The ITO should supply outsourced staff with corporate-issued and -managed PCs and treat such workers as employees (from an IT perspective). The corporate PC may be a rotated "loaner" machine for shorter-duration staff. ITOs should ensure that loaner PCs are locked down to prevent tampering, software installation (e.g., spyware), and infection. A best practice is to reformat the hard drive and install a new image on a loaner PC before re-issue to ensure it is secure, user levels are appropriate, and no residual confidential information is present.
Security configuration auditing
Consultants may require deeper penetration into the corporate network than guests, but typically for shorter duration than outsourcers. Although the aforementioned options will work for consultants, ITOs are increasingly looking for options that enable access for non-corporate PCs while still ensuring security policy compliance. However, ITOs should be aware that forcing security policy compliance on non-owned PCs is still more art than science. There are no silver bullets here. By 2006/07, we expect network vendors like Cisco to supply standard enforcement points (i.e., using RADIUS/802.1X) built into the network and Microsoft to provide configuration information (i.e., Next-Generation Secure Computing Base for Windows) for reporting/remediation. Until then, users will have to use a combination of tactical vendors and homegrown logon scripts.
The first option is to leverage existing configuration/asset management tools (e.g., from Configuresoft, Ecora, Novell, LanDesk, and Mobile Automation) or security policy manager tools (e.g., Symantec ESM) that typically use lightweight/temporary agents to report on PC configuration. ITOs can use logon scripts to check for the agent and dynamically install it (with approval from the end user) if necessary. These tools typically can report only on compliance and cannot deny network access for non-compliance unless combined with logon scripts.
The most comprehensive, but also most intrusive, option is to install full corporate-issued client software such as a security-compliance-checking firewall and AV clients on visitor machines. PC AV software agents (e.g., from Symantec, Trend, McAfee, Sophos, CA) can automatically synchronise with AV policy management and download new signature files. Personal firewall software (e.g., from Sygate or McAfee) can perform numerous security policy checks and allow remediation-only access until necessary changes are complete. Installing permanent software on non-corporate-managed PCs is problematic because of potential conflicts with other security software issued by the consultants' ITO. One solution is to take an initial image of the PC, re-image with a corporate build, and then return the original ghosted image at the end of the assignment. This type of solution is acceptable only for long-term relationships and needs the cooperation of both companies' ITOs. Because of cost, administrative burden, and degree of intrusiveness of automated configuration auditing, the majority of organisations will select the more policy-oriented approaches previously described instead.
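An added example, not from the article or any vendor product: the decision a logon script could make from an agent's report, covering the checks listed earlier (patch level, AV update level, security processes running) and the remediation-only access described above. The patch IDs, process names, seven-day signature threshold, and sample reports are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed policy values for illustration; none come from the article.
REQUIRED_PATCHES = {"PATCH-0001", "PATCH-0002"}          # placeholder patch IDs
REQUIRED_PROCESSES = {"av_agent", "personal_firewall"}   # hypothetical names
MAX_SIGNATURE_AGE_DAYS = 7


@dataclass
class PostureReport:
    """What a lightweight/temporary agent reports about one visitor PC."""
    hostname: str
    patches: set = field(default_factory=set)
    av_signature_date: Optional[date] = None   # None: no AV product found
    running: set = field(default_factory=set)


def evaluate(report: Optional[PostureReport], today: date):
    """Return (decision, findings); decision is grant, remediation-only or deny."""
    if report is None:
        # The user declined the agent, so nothing can be verified.
        return "deny", ["no posture report (agent not installed)"]
    findings = []
    missing = REQUIRED_PATCHES - report.patches
    if missing:
        findings.append("missing patches: " + ", ".join(sorted(missing)))
    if report.av_signature_date is None:
        findings.append("no antivirus product found")
    else:
        age = (today - report.av_signature_date).days
        if age > MAX_SIGNATURE_AGE_DAYS:
            findings.append(f"AV signatures are {age} days old")
    stopped = REQUIRED_PROCESSES - report.running
    if stopped:
        findings.append("not running: " + ", ".join(sorted(stopped)))
    return ("remediation-only" if findings else "grant"), findings


# Constructed sample reports.
TODAY = date(2003, 9, 1)
COMPLIANT = PostureReport("consultant-01", set(REQUIRED_PATCHES),
                          date(2003, 8, 30), set(REQUIRED_PROCESSES))
STALE = PostureReport("consultant-02", {"PATCH-0001"},
                      date(2003, 7, 1), {"av_agent"})

if __name__ == "__main__":
    for r in (COMPLIANT, STALE, None):
        print(evaluate(r, TODAY))
```

The findings list doubles as the remediation checklist shown to the visitor; a PC with no report is denied outright because an unverified machine cannot be distinguished from a non-compliant one.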
Business impact: Network visitors can easily defeat even the best-designed security perimeter. Securing the network from non-corporate-managed PCs is difficult and costly. Business must work with the ITO to determine a cost-effective security strategy aligned with business goals for collaboration and actively support written IT security policies.
Bottom line: ITOs must inform visitors of their responsibility for security and acceptable usage compliance and, when possible, formalise this in business contracts and end-user agreements. Due to technical limitations of checking and enforcing policy compliance on non-managed PCs, ITOs should prohibit all visitor PCs from the trusted network and provide managed PCs or isolated outbound network facilities for visitors when a significant business need exists.