SMBs missing out on desktop security

SMBs are not securing their employees' desktops, leaving their networks open to security breaches, according to experts.

Small and midsized businesses are placing too much trust in their internal systems, leaving their doors open to security breaches.

"While SMBs protect the parameters of their corporate networks, what's disturbing is they trust internal users a lot. Many (internal) desktop systems are not patched and wide open," said Gerry Chng, manager of Ernst & Young's technology and security risk services.

"But whenever we talk to them about the lack of internal security, they say they need to trust their employees. Our view is that you must have prudent trust. A piece of information meant for one group of workers may not be meant for another," he said.

Chng revealed that there was an SMB retailer in Singapore which had its prices posted on a competitor's Web site. The information came from the retailer's Intranet, he said. "A lot of these threats come from the lack of internal defense."

"The most common security threat arising from the lack of internal defenses among SMBs is spyware."
--Steve Lam,
Ernst & Young security expert

The most common security threat arising from the lack of internal defenses among SMBs is spyware, said Steve Lam, another security expert from Ernst & Young.

"You could only install spyware manually by clicking on some buttons in the past, but recently, we've been seeing a lot of spyware that install on their own," he said.

"These spyware (programs) make use of vulnerabilities within Web browsers to install themselves on computers. The old logic of telling employees not to run unfamiliar programs does not help to prevent the kinds of spyware we see today," he added.

Lam explained that there are many kinds of spyware, including pop-up boxes with misleading messages asking users if they want to patch their computers. "Once you click on the 'yes' button (to patch the PC), the spyware installs by itself."

Such spyware programs are major threats, because they do not go through the usual channels protected by firewalls, Lam noted.

Other spyware programs include browser toolbars that add new features to Web browsers such as "cute icons". Another example would be those that are bundled with freeware such as Kazaa, a popular file-sharing program, Lam said. "Behind all those, spyware is being installed."

The lack of user awareness on spyware is the main cause of its pervasiveness, Lam added, pointing to an October 2004 study by American Online and US-based National Cyber Security Alliance (NCSA).

In that study, 80 percent of 329 Americans surveyed had spyware after their PCs were scanned for the purpose of the study. In contrast, 47 percent of them thought they were free from spyware before their PCs were scanned.

The lack of user awareness on spyware is the main cause of its pervasiveness.

The lack of user awareness is also underscored by the fact that 85 percent of respondents who thought they had spyware could not name the spyware programs in their machines.

The intention of spyware is not just to create nuisance, Chng said. There is a business case as well, because spyware allows advertisers to find out more about the surfing habits of users.

With this information, advertisers can push out targeted ads to computer users for commercial purposes. SMBs should be concerned, because the privacy of their employees, as well as their business activities, could be threatened, he warned.

Worms and viruses, Chng said, could potentially dampen business productivity much more than spyware. "The prominent ones last year were the Netsky and Bagle worms," he said.

According to a study by research firm Gartner, worms and viruses topped the list of security threats among large enterprises. Conducted in May this year, the study polled 133 North American organizations with global operations and revenues exceeding US$750 million.

Chng recounted an experience with a company, which received requests from employees to clean up the Netsky and Bagle worms. The employees had thought their colleagues were infected with the worms, when they were not.

"What Netsky and Bagle did was to pick two addresses in a user's e-mail address book and send out spoof messages from one e-mail address to another other," he explained.

"The originator of the e-mail messages was from someone outside the organization who had the e-mail addresses of the 'affected' employees."

The good thing that emerged from this single incident is that the company is now spending more time monitoring security bulletins for an hour a day, and to plug the loopholes when necessary, Chng said.

Nib the problem in the bud
The root of most security breaches today is the lack of a patch management program, particularly at the desktop level, Chng said. "Businesses are missing the whole picture of (security at) the workstations."

This has led to instances where vulnerable desktop PCs are used as part of larger rogue networks to launch denial of service (DoS) attacks, aimed at crippling other servers by flooding them with massive volumes of network traffic.

The rogue networks--usually known as botnets--can also be used to send out spam e-mail messages in large numbers. Typically, employees will not notice any anomalies with their machines connected to a botnet. This makes security breaches of this nature particularly stealthy.

Patch management essentials
Patch management refers to the process of keeping servers and workstations up to date with the latest security patches issued by software vendors. This allows you to plug the loopholes in software such as web browsers and servers, business applications and operating systems, keeping your corporate network safe from snoopers and viruses.
Keep up to date on the latest security patches by subscribing to security bulletins issued by software vendors, such as the following:
  - Microsoft
  - Sun
  - Oracle
  - SANS Institute
  - Secunia
  - US-CERT
  - Symantec
  - McAfee
  - ICSA Labs
  - CA Security Advisor
Download the patches and decide which servers and workstations need immediate attention. Public servers should be patched first, followed by internal systems.
Have a consistent desktop configuration for all employee PCs for a uniform environment to conduct patch testing.
For application patching, start with the most commonly used modules within the application.
Consider deploying patch management software to automate the software maintenance process.
Rid yourself of the "install and forget" mentality, unless you want viruses and hackers knocking on your door.

The reticent attitude towards patch management among businesses, Chng said, stems from past experiences, where patching has led to application failure.

"Recently, there have been a number of patches for Internet Explorer, and what we've seen is that some (Web-based) applications are closely tied to the browser's functions," he said.

So when a browser's capabilities are changed as a result of patches, the Web application will not work, he explained. "As a result, they are now taking a defensive stance with patching."

"If you look at the whole IT environment, not patching your systems is fine if your employees do not communicate with the external world. But today, a Web browser is a channel where spyware can propagate," he added.

Kenyon Engineering, a Singapore-based engineering firm with 30 employees, is not taking chances with desktop security. "We have configured the desktops to download Windows patches automatically without the user's knowledge," said Tao Chong Meng, the company's IT manager.

This can block out the potential spyware and viruses that take advantage of loopholes in the Windows operating system, he said. "However, nothing is full-proof. We've been hit by viruses before, as the antivirus programs failed to download updated virus definitions on some occasions.

"By the time we realized it, it was too late. We were already hit by the virus," added Tao.

Assess your priorities
What businesses should do is prioritize which servers or workstations need to be protected, Chng said. "The public servers are the most critical, and vulnerabilities have to be patched immediately."

For internal servers, companies can buy some time to patch the systems, especially if they have segmented the servers for public and internal use, he noted.

Workstations, including those owned by telecommuters, need to be patched as well. "How companies can help themselves before deploying patches is to have a consistent configuration for all workstations right from the start," he advised.

This means not allowing desktop users to install different versions of a software program for a uniform desktop environment--a necessity in evaluating the effects of a patch on existing systems before deploying it company-wide, Chng said.

Before deploying a patch, businesses should also prioritize specific modules within an application, starting with the ones most commonly used by employees," he said. "By doing this, they can quickly know if a large part of an application works after a patch.

"The hacking world 10 years ago was about bragging rights--hacking into Web sites and putting their names on them. But increasingly, we've been seeing a lot of hacking with commercial aims in mind," Lam added.

Today, financial gain is the motivation. "They want to make money with hacking so you see a lot of worms and trojans acting as spam gateways and passwords sniffers to collect credit card numbers and other information that they can sell," said Lam

He added that hackers looking for bragging rights are more interested in servers than desktops, which are of no value to them. "You can't brag that you've managed to hack into a workstation."

"Today, each workstation can serve as a zombie in a network of spam gateways. That's why we are seeing a shift from (hacking) servers only, to servers and workstations as well," added Lam.

Servers are typically well-protected through years of education about IT security, Lam said, while desktops have been long neglected.

"Hackers have found workstations to be soft targets for penetration. Their value as zombies and information gateways are better than that of servers," he noted.