Security hole: Home office
Home is where the heart is. It's also where the backdoor to your enterprise is. In the wake of the hack into Microsoft Corp.'s network, many security administrators have turned their attention to what some believe is the greatest security challenge facing corporations: telecommuters.
Craig LaHote is struggling with it now, and just a week ago he had a meeting with executives about it.
"We're having a hard time controlling it. It's a real gray area with home computers accessing the network and the Internet," said LaHote, network administrator at SR Equipment, in Toledo, Ohio. "We really have a hard time enforcing policies there. We have a policy but no real way to audit [users] except basically asking them to comply."
The problem is both social and technical, experts say. For one, users on home machines behave differently, even if they're accessing work assets and if policies are in place. They tend to disable security when they can and tend to want more control over security.
It's a hard-to-define behavioral issue, one expert said.
"Technology will solve less than half this problem," said Fred Rica, a partner in the technology risk services practice at PricewaterhouseCoopers, in Florham Park, N.J. "The other portion is working with people's behavior, and I'm not sure anyone knows how to do that with telecommuters yet."
On the technical side, the rise of always-on connections such as DSL (Digital Subscriber Line) and cable at home means users will tend to leave connections open more. Without a personal firewall, such a computer is a gaping hole for an enterprise.
Hackers can either access information off the home hard drive or use that computer to find their way back into the corporate network. VPN (Virtual Private Network) connections also allow e-mail messages with dangerous payloads a free ride right into the corporate network.
"A lot of companies are talking to us about this very issue," said Fred Felman, marketing vice president at Zone Labs Inc. in San Francisco. "People plug into their DSL or cable line and walk right past security.
Or they have a VPN set up, and you're creating a secure tunnel for users who might use that tunnel to send a Trojan horse unknowingly. If that telecommuter is out on the Internet on one side and talking to the enterprise on the other side, you have no security. It's really scary to security guys."
At the same time, technologies such as anti-virus software tend to be less rigorously updated, and others, such as encryption, are hardly used at all, even if they're used at work, experts said.
It is enough to keep Jeff Uslan, security administrator at 20th Century Fox, in Los Angeles, from permitting telecommuters to access the Internet through their VPN lines. And that, Uslan said, is difficult to enforce, especially with many executives working from home.
"It's caused a lot of arguments from people who just expect Internet access at home," he said. "But I can't control them at home. I won't give them the slightest chance to open that backdoor. My greatest fear is the person screaming at me, 'How could this have happened?'"
Telecommuting do's and don'ts
Do
- Have a strictly defined policy for network access from home
- Create separate profiles for home use and work use on telecommuters' PCs
- Perform routine audits of telecommuters' practices and security software such as anti-virus updates
Don't
- Try to lock down a telecommuter's PC with work parameters
- Let telecommuters manage their security settings from home
- Try to foist on telecommuters policies they won't accept