[ISN] Remote worker security still lax

From: InfoSec News (alerts@private)
Date: Wed Feb 06 2008 - 00:04:23 PST


http://www.infoworld.com/article/08/02/05/Remote-worker-security-still-lax_1.html

By Matt Hines
InfoWorld
February 05, 2008

Despite having a greater awareness of the security risks posed by 
careless computing habits and personal Internet activity carried out on 
corporate laptops, many remote workers continue to do things that 
imperil the safety of themselves and their employers, according to a new 
report from Cisco.

As part of its annual study on the security awareness and online 
behavior of remote workers -- based on interviews with 2,000 
telecommuters carried out by researchers from InsightExpress -- Cisco 
experts said that people appear to have acquired a false sense of 
security when it comes to the use of their company-issued computers and 
other corporate IT assets.

Despite the fact that the IT security community has done a much better 
job in recent years of keeping people informed of the latest and 
greatest malware attacks and social engineering schemes, remote workers 
keep falling for the same types of tricks as they always have -- in part 
because they believe that they are now protected by more advanced 
security technologies, said Patrick Gray, special assistant to the CTO 
at Cisco.

In fact, in just one year's time, the number of respondents to the 
survey who expressed a belief that the Internet is "getting safer" 
increased from 48 percent 12 months ago to more than 56 percent in 2008. 
The trend was particularly evident in some parts of the world where 
Internet use is growing the fastest, and where people believe that their 
governments are going to greater lengths to protect individual users, 
such as Brazil (71 percent), India (68 percent), and China (64 percent). 
In Brazil, for instance, where banking-password stealing Trojan virus 
attacks have finally been thwarted by stricter legal penalties for those 
creating the threats, people may falsely assume that it is now safe to 
let down their guard, according to Gray.

"The awareness of security threats has grown across the board, but 
somehow, because of that, we do see the emergence of this false sense of 
security," said Gray. "Companies have done a great job of securing 
themselves at the perimeter, but where they're really falling down is 
with what is going on within their own networks and what is going 
outbound. They are blocking a lot more potential threats, but there's a 
lot of risky behavior on their networks as well."

One of the biggest problems contributing to the situation is the fact 
that many workers feel it is acceptable for them to use their work 
computers for their personal activities, such as shopping, interacting 
with friends, and searching the Web for popular information, the expert 
maintains.

By using their company-issued devices to head to corners of the Internet 
where attacks are more prevalent -- such as e-commerce sites, 
social-networking portals, and independent Web properties -- workers are 
putting their employers at risk of exploitation by malware and other 
threats, he said.

The report found a 3 percent year-over-year increase in the number of 
remote workers who felt that it was acceptable to use their corporate 
devices for personal use, such as Internet shopping, downloading music, 
and social collaboration.


Business versus personal use

With the rise in attacks being delivered via hacked Web sites and 
popular destinations including social-networking sites, people need to 
begin shifting their behavior and keeping their work machines separate 
from their personal lives, Gray contends.

"At end of day it's not their computer, it's a business tool, and people 
need to understand how much risk their activity poses for their 
employers, and that they need some level of separation in terms of their 
personal use," he said. "Companies may not want people going to the mall 
in the middle of the day when they could be doing work, but they might 
not want to allow them to use business tools to do things like 
e-commerce either."

IT workers participating in the study also highlighted the issue, with 55 
percent indicating their belief that their companies' remote workers are 
becoming less diligent toward security awareness, an 11 percent increase 
from the year before.

In addition to the growing number of threats being hosted on 
social-networking sites such as MySpace, Gray said that the personal 
data that people share about themselves and their employers on the sites 
poses a significant risk for the creation of targeted attacks.

If an attacker can go to a site like LinkedIn and get a firm grasp on 
someone's role in an organization and figure out who they might 
communicate with in the firm, it could be fairly easy for them to create 
an attack that easily tricks the individual into opening an infected 
e-mail, according to the expert.

However, it would appear that even suspicious e-mail arriving from 
unknown senders, long the favorite delivery channel for malware and 
links to phishing sites, continues to stand as a problem.

While the number of workers in the United States who are willing to 
open strange e-mails and attachments is far lower, at 27 percent, than in 
places like China (62 percent) and even the United Kingdom (48 percent), 
many people are still capable of falling for the time-honored ruse.

In one interesting twist on the issue of corporate device use, Cisco's 
report found that more people than ever are also using personal devices 
that are not under the control or management of their IT departments to 
access their companies' networks and electronic files. Some 49 percent 
of those people responding to the survey admitted using their own 
machines to do so, an increase from 46 percent one year ago.

Perhaps the only way to improve the situation will be for companies to 
enact stricter usage policies for their remote workers regarding 
corporate-owned devices and to embrace continued education for end-users 
about the nature and prevalence of threats, Cisco officials maintain.

"We need to continue to highlight the problems; companies are doing a 
much better job than they used to, but with all the blended threats, 
they need to reload and strengthen the human firewall, which is really 
the last line of defense," Gray said. "The companies that do the best 
job have ongoing continuing education for users that tells them that 
their computer is a business tool and who use monitoring tools to ensure 
that their security policies are being followed."

