Home invasion: securing home access to business networks


Network Security, December 2007

Kenneth Newman, ISACA

No, this isn’t another physical and information security convergence article. The home invasion this article refers to is when users are on the business network and on their own networks at the same time. The invasion is the frequency with which remote access has become a common standard. It also is the challenge of trying to introduce consistent controls into that extended environment. This article focuses on the risks and challenges associated with remote access to corporate systems and data, as well as possible solutions for mitigating those risks.

The idea of corporate network security is fairly well established and continues to mature and improve. Firewalls, intrusion detection systems (IDS)/intrusion prevention systems (IPS), content filtering and anti-malware gateway products help to ensure that the organisational perimeter is established. To some degree, they can also make sure that the data traversing that perimeter is also protected. The real question is: what is the perimeter?

Of course, there are endpoint controls on most corporate systems. Personal firewalls, peripheral blockers, and anti-malware client products help to ensure that each computer connecting to the network is likewise protected. To some degree, they can also make sure that data is protected. However, these controls are generally found only on equipment that the company owns. What else might be out there for consideration?

Drivers for home working

There are common cases where third-party equipment connects to the corporate network, as various vendors and contractors often need some kind of connectivity through the corporate network to provide their services. Organisations may provide requirements, sometimes contractually, to address and ensure appropriate controls are in place on these systems. Some third parties with the necessary resources or technology may have a process to scan equipment before connection. These processes may be manual or automatic. Others may just provide connectivity that bypasses the corporate network, allowing an external connection to their home networks. The question remains, what about data?

A reasonably layered set of controls is needed to offer a sufficient degree of protection to the typical organisation from external threats. However, much research over the years shows that internal threats – specifically internal users bent on intentionally wreaking havoc – may be a greater cause for concern. One area in particular that has garnered more focus in recent years is the accidental exposure of access or data by insiders when they are away from the protection of the corporate network. Many businesses rely heavily on a mobile workforce to sell products and services, so corporate resources are often connecting from remote locations through unknown infrastructures. Some use controls such as scan-on-connect solutions that will confirm an endpoint is authorised and properly configured before allowing connectivity.

However, not all employees who may need to work remotely receive corporate assets such as laptops. More and more, with support costs increasing, many organisations are beginning to reconsider who receives such equipment. Unless employees are true road warriors performing an outside sales or support function, they may only have access to a desktop at work. That helps to reduce the company’s expenses.

Today, with the increasing competition and complexities in many industries, it is not uncommon for more and more back-office employees to be required to work longer hours. This is further compounded by the desire for many to be able to have the flexibility to telecommute, at least part of the time, so they can spend more time with their families while still meeting corporate goals. Should an employee without a laptop require external access to work, there are controlled solutions in place, such as web mail clients and remote application gateways.

A perfect storm for security

These can provide a cost-effective solution for less mobile employees to be able to manage their increasing workloads without being chained to their desk, but they often inadvertently introduce a new threat to the organisation’s data and resources by bringing them into direct contact with their own home computer environments. There was a time when most homes generally had only one PC and a slow, not-always-on, dial-up internet connection. Today, that has changed radically.

PCs have become as commoditised as toasters and, with so many options for consumer connectivity, prices are dropping and bandwidth is increasing. At the same time, security has remained an elusive patchwork of cobbled-together solutions that must be constantly updated and maintained. It shouldn’t be surprising that many home users, probably including employees working for the same organisations as readers of this publication, don’t maintain home PC security as their first priority. They use their PCs to surf the web, send email and download music, and they probably have no idea what viruses or malware they may have picked up along the way.

These conditions contribute to a perfect storm for security. The situation involves fast, always-on connections with heavy use, often by multiple parties, with minimal controls and a sense of acceptance that PCs are just quirky. Sometimes they slow down or act strangely, but that doesn’t mean they’re infected in any way. In other words, it’s the perfect breeding ground for germs.

From that environment, probably over an unencrypted wireless access point, they’re going to connect to your network and access your company’s data. This keeps most security professionals up at night. While home users know their computers aren’t appropriately secure, that knowledge is not curbing their unsafe computer practices.

Options for home working

For example, according to a recent survey by ISACA (formerly the Information Systems Audit and Control Association), white-collar workers feel more secure with the security measures in place at work than they do with their home computer. Yet, almost half of the respondents email business documents to themselves so they can work on the documents from their home computers.

Let’s explore some of the possible options that have been proposed or implemented to manage this growing problem in a bit more detail. Obviously, one solution is simply to not provide remote access. This may work in very isolated models, but generally doesn’t meet the business needs of most organisations.

For those employees with remote access, some organisations provide fully configured, secured laptops with the appropriate virtual private network (VPN), anti-malware and personal firewall clients, along with hard tokens, so they can be assured that the connections are coming from trusted environments. There are, of course, expenses associated with managing such devices and risks to data that still exist when they are off the corporate network. An interesting variation on this is an idea that one security expert recently passed on to this author: provide a static virtual image on an encrypted USB stick as the only means of remote access.

This eliminates the expense of owning and managing dedicated configured laptops. Once the image is created and deployed, users connect the USB key (which might also contain digital keys or certificates, which could eliminate the need for hard tokens) to their home computers and load a fixed, secure environment that could effectively protect the corporate network against their home environment. This also reduces the risk of data exposure. If files can only be exchanged with the image, and, perhaps, the user can’t even save those files to the image, confidential data is less likely to be left on or sent to an unsecured system in the user’s home.

The travails of web mail

One very common solution is the web-based mail client. The organisation manages its business risk by limiting business application access, but provides email access for productivity purposes. This may unfortunately be the current worst-case scenario from a risk standpoint. Yes, there is encryption and access control, and the users are only getting to their own data. However, they’re taking it directly into their home environment. They may download, edit and upload a confidential file. Do they delete the edited copy locally after they are done? Do they clear their browser cache? Do they delete any temporary files? We know the answers to all of these questions are probably ‘no’. That means we’re opening a huge risk for the exposure of corporate confidential information.

Another possible option is to provide some kind of remote desktop solution offered over an SSL VPN connection. Here, the investment is spent on infrastructure to configure and host applications in a secured, internal environment that users can connect to from anywhere with the appropriate credentials. This is often combined with a malware detection solution that can scan any device attempting to connect to determine if it may be compromised. If it is, the connection is denied. If not, users are allowed to connect and work on their data. When properly connected, they are only working on the data in the hosted environment. The data never remains on the remote system the users are using.

In practice, this may be more difficult than it sounds, as malware becomes increasingly sophisticated. Even if no data is left behind in a cache, it must still be presented to and modified by the user. The risks of a compromised browser on the user’s end still exist. So, in many cases, the problem still comes back to what risks exist in the user’s home environment and if any of these can be mitigated.


One other area that is starting to be explored is whether and how employers might mandate user behaviour on personal home equipment. Can an employer, for example, mandate that users have the same endpoint controls and patches on all of their computers at home as exist in the office? What are the legal and privacy issues associated with this? If it can be done, what kind of support and resources would be necessary to support it? What kind of controls might be put into place to test compliance? Of course, the most important question is, would it work?

Home truths

From experience, security managers have learned that it’s difficult to change user behaviour at work. How much more difficult will it be to change such behaviour at home? Even if the legal right may exist, in some jurisdictions, to mandate user behaviour at home, what impact would that have on the users in the long run? Managers would probably see an increase in user attempts to circumvent controls and a general decrease in productivity. No one likes being watched or being told what to do. An attempt like this at control could very easily backfire and simply make things worse.

These scenarios and challenges might seem very familiar. This is exactly the same situation the industry has come to expect with regard to customers using ecommerce or online banking applications. User behaviour cannot be controlled. The end points cannot be trusted. Organisations apply controls accordingly, but also rely on a comfortable level of acceptable loss due to fraud. However, with home users connecting remotely, fraud is not always the paramount concern. Rather, protection of intellectual property and confidential data – customer data – is one of the key goals. Here there is no acceptable level of loss. Whether an organisation loses one customer record, 10, 100, or thousands, it faces a significant risk to its reputation and goodwill. These are exactly the kind of risks that are hard to quantify and to assign a financial value.

In the end, the best option continues to be effectively managing risks based on the threats and business drivers influencing the environment. Security experts need to consider a much more extensive environment when making these assessments. Security initiatives no longer stop at the network perimeter, but actually extend into the homes of every one of the organisation’s users. They include all of an organisation’s systems, too, rather than just the ones that have been assigned to a manager. Also, remember to address any connected devices that a user’s family and friends use.

Executives who have had experience working through a merger between two organisations, where they needed to reconcile disparate technical strategies, most likely have the proper appreciation for what kind of problems this can create. While security managers will always have something to keep them up at night, proactively addressing these issues can go a long way toward getting at least a better night’s sleep.

Information security incident response

Dr Abiola Abimbola, BSkyB

As computer technology and the internet become rapidly dispersed, employees are encountering more ethically difficult situations than ever before. Despite the fact that organisations have developed and implemented a number of security countermeasures, computer abuse continues to be a problem.1

In this article, we tackle information security incident response, an important aspect of information security that includes technical, management and legal issues as presented in subsequent sections. To accomplish the above, we discuss roles and responsibilities, escalation process, communication, roles of engagement, information security incidents, and related legal issues. We present a detailed incident response procedure (IRP) along with a complete structural methodology that contains best practices and procedures for handling varied IS incident scenarios.

Organisations invest in preventive security measures to protect their assets from a violation of confidentiality, integrity and loss in quality of service.2 Security by prevention is not enough. Appropriate response mechanisms are necessary when a security-related incident occurs.3 If a security incident does happen, incident response procedures are necessary to mitigate the immediate impact of the threat, eliminate any possible consequential loss and prevent any possible future recurrence.

Most enterprises will have experienced numerous security incidents, all of which are likely to have been investigated by respective information security teams. Although most security teams will have incident response procedures in place, they may not have significant management support. Organisations will hopefully have an IT governance methodology like ITIL, COSO, or COBIT to guide the escalation of security incidents.4,5,6 Such methodologies will not normally encompass the