How to keep information secure beyond data center walls

Almost every IT manager knows the importance of protecting his company's computer systems from hackers, spammers, viruses and worms. As a result, the vast majority of enterprise-based infrastructures are well protected and reasonably secure.

But with the rise of telecommuting, working at home offices and mobile network access, some of the biggest threats to your organization's security don't come from direct attacks on enterprise computing assets within data center walls, but rather from indirect security breaches bouncing in from PCs, laptops and even PDAs used by a company's remote workers at home and on the road.

Hackers don't need to directly target big corporate and government systems anymore. Any computer connected to the Internet that hackers can invade and control without the owner's knowledge will do. From there, they can use the invaded machine as a launching point to attack any other machine on the Internet.

But poorly protected machines that have access to big corporate and government systems are particularly valuable to hackers. And even if they don't use an employee's computer to infect your network, they can use the hijacked machine in ways that can expose your organization and employees (especially senior managers) to considerable embarrassment and even legal liability.

Hackers locate vulnerable machines by using network scanners. These scanners find such machines in the same way a burglar will try the doors of a building to see which ones are unlocked. Sometimes hackers will target the IP addresses and DNS addresses of a certain organization or individual, but they can also set the scanner to check a random range of IP addresses. Once a hacker builds a collection of vulnerable IP addresses, he can do no end of harm. Worse, many hackers swap their collections of IP addresses, multiplying their opportunities to create havoc.

Advice
Brad Powell

When hackers attack

When a hacker uses a hijacked machine for an untoward purpose, the trail will lead back to the compromised machine and its owner -- an unwitting accomplice. Hijacked machines can spread spam; participate in mass denial-of-service attacks; propagate viruses and worms; and store illegal porn, pirated software, purloined intellectual property and even the equivalent of hacker burglar tools. Any of this can be hard to explain when investigators confront the machine's owner with evidence of how his good little PC joined the criminal underworld. If your company happens to own such a machine, it could very well expose you to legal liability for failure to take reasonable precautions to secure it from misuse.

Inadequately secured PCs can also enable identity and information theft. Everyone has heard about hackers stealing credit card numbers from compromised Internet browsers. But valuable data such as personal finance and tax information, business contacts and appointments, legal documents and home security system controls could also be exposed in other applications residing on the hacked machine. If a hacker finds an e-mail box stuffed with messages from what appears to be the user's employer, that's a tip-off that the hacker has found a ramp into a potentially rich target for mayhem. All he has to do is to monitor the exposed machine for remote access activity into your corporate network through the Internet or VPN. From there, the hacker can get into your network through techniques such as stealing log-in information, VPN passwords, encryption keys and other information.

High-speed Internet access via DSL and cable modem has been a real boon to hackers. It speeds their work, and it is always turned on. But opportunities for hackers are expanding even further with the emergence of wireless networks.

Most organizations recognize the risks of setting up inadequately secured wireless networks. It's all too easy for malefactors in the next building or parking lot to listen in on wireless network traffic. Home wireless networks have led to a mushrooming of unintended wireless hot spots throughout residential areas. But if eavesdropping on home wireless traffic worries you, you should also be concerned about your organization's road warriors' casual use of wireless hot spots in airports, coffee bars and other places where information workers congregate.

Defense in depth

While there will probably never be any way to achieve absolute security, there is a lot you and your remote employees can do to reduce risks. This is a defense-in-depth approach that involves technical fixes as well as educating remote and mobile users on prudent remote computing practices:

  • On the data center side, first recognize that the vast majority of remote users need access to only a limited number of basic services, usually e-mail, intranet Web services and personal file access. So make it a practice to restrict the privileges of remote users to basic resources unless they can demonstrate a need to access more sensitive information. An internal auditor, for example, will have a different set of privileges than a marketing manager. Here, you can use standard directory tools to tailor access privileges to the needs of individual users.
  • Use strong authentication technologies such as rapidly changing digital token devices, smart cards and one-time passwords to prevent theft of useful passwords and to prevent replay attacks. Don't let employees automatically forward e-mails to private e-mail accounts.
  • For VPN software, always enable encryption features and configure the client side of the VPN to disable any other interface (dual network interface cards) and to not respond to local network prompts when the VPN is active. Also, disable features such as automatic password and log-in routines, since such stored information is vulnerable to hacker theft.
  • Outside your walls, provision every remote user with corporate standard firewall and antivirus software and arrange for automatic weekly updates. In addition to the firewall installed on individual systems, remote users with multiple networked devices, if connected to a home network, should also have a firewall gateway system to add another barrier to hacker intrusion.
  • Train your remote users on the fundamentals of secure remote system usage. Inform them of the hazards of using a limited number of passwords to access a wide variety of services, and encourage outlandish creativity in coining passwords.
  • Make it a rule that if your employees use wireless devices, they must turn off wireless access features when they're not in use and buy equipment that has advanced features such as wireless encryption, MAC address restrictions and passive operation modes.
  • Encourage users to report any incident that might indicate a security problem on their remote or office systems along with prompt notice of any lost access cards, stolen or lost equipment, etc.

In the final analysis, despite the best efforts of electronic outlaws, the growth in the remote and mobile workforce is inevitable and the benefits of supporting business computing anytime, anywhere remain compelling. The key is to develop defenses in depth that enable computing mobility with reasonable security.

Copyright © 2003 IDG Communications, Inc.

  