[ISN] Four questions to ask to stay secure in an anywhere, anytime world

From: InfoSec News (isnat_private)
Date: Thu Sep 18 2003 - 22:28:16 PDT

  • Next message: InfoSec News: "RE: [ISN] Should Microsoft be Liable for Bugs?"

    http://www.computerworld.com/securitytopics/security/story/0,10801,84781,00.html
    
    Story by Scott Olson
    WholeSecurity Inc.
    SEPTEMBER 18, 2003
    COMPUTERWORLD
    
    We live in an era that increasingly demands anywhere, anytime access 
    to all of our business resources. What started with giving pagers to 
    our most critical employees has evolved into ubiquitous use of cell 
    phones and Wi-Fi access almost anywhere, even in McDonald's. 
    
    Most recently, we've seen a trend toward Internet-enabled 
    applications, Web mail, intranet portals and new Secure Sockets Layer 
    (SSL) virtual private networks (VPN). More employees want access to 
    their e-mail, data and applications wherever they are. 
    
    If you work in a large organization, chances are that you have 
    anywhere, anytime access to corporate data and resources through one 
    or more of the following applications: 
    
    * Web mail: Microsoft's Outlook Web Access, IBM's iNotes products and 
      other programs allow access to e-mail from any machine connected to 
      the Internet. 
    
    * Internet-enabled applications: Companies like Citrix Inc. and 
      Computer Associates International Inc. offer products that enable 
      access to corporate applications and data from any computer with 
      Internet access. 
    
    * SSL VPNs: These VPNs don't require provisioned software on the user 
      PC, but rather they allow employees to connect from any device with 
      Internet access.
    
    Organizations that use these types of software realize significant
    benefits. Companies can reduce hardware and software costs, decrease
    IT management overhead associated with provisioned software and reduce
    help desk costs by providing a more user-friendly environment in which
    resources can be easily accessed. All of this adds up to a
    significantly lower total cost of ownership for these technologies.  
    Managers recognize the value of this type of access, and employees are
    demanding it.
    
    But now the question is, how do the IT and security managers protect
    these connections? It's hard enough to secure corporate laptops, which
    for the most part are out of the direct control of the IT staff. The
    problem becomes more difficult when the IT manager is faced with
    protecting completely unmanaged, noncorporate systems used by
    employees who are logging in from home, from a business partner's
    machine or from a public kiosk.
    
    The growing trend of Trojan horses and other eavesdropping software
    makes anywhere, anytime access to company data risky. IT managers need
    to understand and address the threat that exists on the endpoint to
    ensure that anyone accessing corporate data is protected, even if they
    are using a machine that's not owned by the company. As companies
    embark on this challenge, they should consider the following
    questions:
    
    1. Why is endpoint security important for my organization?
    
    What do Sobig.F, Bugbear.B, Fizzer and Blaster all have in common?  
    They are all new versions of worms and malicious code that were
    released in 2003 and put back doors and monitoring programs on the
    infected computers. In essence, these new threats put the hacker at
    the keyboard of the PC that had been compromised. Attacks today are no
    longer simply propagating themselves and causing mischief, such as
    denial-of-service attacks or harming system resources. These new
    attacks are intended to enable the online criminal to watch the user
    and steal any data, identity information or intellectual property that
    they may access. Internet companies, banks and Fortune 500 companies
    have all fallen victim to these threats.
    
    2. How can I be sure that the endpoint is free of eavesdropping and
    remote-control devices, such as keystroke loggers and Trojan horses?
    
    Companies should consider adopting on-demand security that can be
    delivered to any computer in a matter of seconds and that can provide
    universal compliance with security policies on the endpoint in much
    the same way that SSL has done for the network.
    
    It is no longer sufficient to rely only on signature-based software to
    catch and stop worms and malicious code. Not only are these solutions
    reactive, but it is a challenge to keep antivirus software updated to
    address each new threat (the Microsoft Blaster worm alone had eight
    variants in a matter of weeks). Organizations should look for and
    implement behavioral-based security software that doesn't rely on
    signature updates to catch and stop these threats.
    
    3. How can I protect systems that I don't manage or own?
    
    At a minimum, companies should evaluate and implement software that
    provides endpoint security in conjunction with their clientless access
    to data and applications. This security solution should be
    downloadable to the machine and should identify and eliminate threats
    that could compromise the connection back to the corporate LAN. This
    software should also be able to work in an environment where end users
    don't always have full privileges to the machine.
    
    4. How can I provide anywhere, anytime access while preserving the
    user experience?
    
    IT managers should look for and require security software that doesn't
    put the burden of security knowledge on the end user. Requiring the
    user to make security decisions means that the software will be less
    effective and may also result in increase costs due to an influx of
    help desk calls. The security software that is implemented should be
    transactional in nature and therefore shouldn't require significant
    installation, configuration or reboot to work. The software should
    work within the time frame of the transaction and therefore should be
    able to download and scan in a matter of seconds.
    
    IT managers who address these questions will be best positioned to
    embark on the critical first steps of ensuring security in an
    anywhere, anytime world while still realizing the significant benefits
    of remote applications.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Sep 19 2003 - 01:39:28 PDT