Forget hacking, a significant proportion of unauthorised
access to systems occurs when someone sits down at somebody else's
computer. In our increasingly litigious and regulation-bound
society, e-mail messages have become one of the primary forms of
evidence about employee activity, and "someone else must have sat
down at my PC" has become a typical defence to accusations of
improper online behaviour.
Risks would be much lower if all users could be relied on to log
out or lock their PCs when leaving their desks. A timeout ensures
that users are automatically logged out of an application session,
or their PCs are locked after a specified period of inactivity.
This limits the window of opportunity for someone to misuse someone
else's active sessions.
Timeout standards are like password length and complexity -
increasing them can provide only a limited benefit before users
start complaining about the inconvenience. Companies should manage
the introduction of timeouts carefully to minimise end-user dissent
and emphasise to the workforce that the timeout protects not only
the organisation but also the individual.
The "right" length for a timeout depends on the information
being accessed, work patterns, and the physical environment. Inside
a corporate office, time limits can be longer. Devices carried into
unsecured environments need shorter timeouts. Microsoft Windows
lacks the flexibility to vary the timeout value, so it should be
set for the most risky environment that the device will be exposed
to.
Data valuation
Timeouts should be based on an estimate or assessment of the
maximum value of the information assets accessible from that
device: the higher the value, the shorter the timeout. Timeout
periods for systems connected through virtual private networks
should be lower, generally by five minutes.
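As an added illustration (not part of the article), the following Python sketch shows how an application can enforce the kind of idle timeout described here: the timeout is derived from the most valuable data the session can reach, VPN-connected sessions get five minutes less, activity slides the window, and a periodic sweep catches the user who simply walks away. The classification names and minute values are constructed sample figures, not numbers from the article.

```python
from dataclasses import dataclass

# Constructed sample policy: the article gives no figures except that
# higher-value data gets a shorter timeout and VPN-connected systems
# get one "generally" five minutes shorter.
BASE_TIMEOUT_MIN = {"public": 30, "internal": 15, "confidential": 10}
VPN_REDUCTION_MIN = 5

def idle_timeout_seconds(classification: str, via_vpn: bool) -> int:
    """Derive the idle timeout from the most valuable data the session can reach."""
    minutes = BASE_TIMEOUT_MIN[classification]
    if via_vpn:
        minutes = max(1, minutes - VPN_REDUCTION_MIN)
    return minutes * 60

@dataclass
class Session:
    user: str
    timeout_s: int
    last_activity: float
    locked: bool = False

class SessionStore:
    """Server-side idle-timeout enforcement with a sliding inactivity window."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def open(self, sid: str, user: str, classification: str, via_vpn: bool, now: float) -> Session:
        s = Session(user, idle_timeout_seconds(classification, via_vpn), now)
        self.sessions[sid] = s
        return s

    def touch(self, sid: str, now: float) -> bool:
        """Called on each request: extend the session if still inside the idle
        window, otherwise lock it so the caller must re-authenticate."""
        s = self.sessions[sid]
        if s.locked or now - s.last_activity > s.timeout_s:
            s.locked = True
            return False
        s.last_activity = now
        return True

    def sweep(self, now: float) -> list[str]:
        """Lock sessions that went idle without sending another request (the
        walk-away case); run this periodically, not only on incoming requests."""
        expired = [sid for sid, s in self.sessions.items()
                   if not s.locked and now - s.last_activity > s.timeout_s]
        for sid in expired:
            self.sessions[sid].locked = True
        return expired

if __name__ == "__main__":
    store = SessionStore()
    store.open("s1", "alice", "confidential", via_vpn=True, now=0.0)
    print(store.touch("s1", 200.0), store.touch("s1", 700.0))  # True False
```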
When sensitive data is accessed in a public space, the monitors
are sometimes physically shielded so that only the operator can see
the screen. In such situations, a timeout value of less than five
minutes may be necessary, although in practice, such a short
timeout is inconvenient for a workstation. Any further protection
of unattended PCs requires the use of "proximity" tokens.
A user wears the token around their neck, and the token
automatically logs out the user or locks the PC when the user gets
too far away from it. These tokens are highly appropriate wherever
shared PCs are used to access critical applications, such as in
hospitals and clinics.
Proximity tokens are convenient and effective in preventing the
"someone else used my PC" defence common in call centres and on
factory floors. However, these benefits can easily be circumvented
if users leave the tokens on their desks.
Smartcards are also ineffective against the unattended PC
problem. Users can easily leave their smartcard in the reader when
they leave their desk. Short timeouts are appropriate here. There
is no point in investing in smartcard technology if it can be
easily circumvented.
Incentive schemes
This problem can be reduced by giving users incentives to take
their tokens with them when leaving their desk, which may allow
longer, more user-friendly timeouts. This is most easily done by
making the token also serve as the identity badge. Smartcards can
have multiple functions, serving as the electronic key for physical
access control and even operating as a stored value card for the
vending machine.
Timeouts are not appropriate for all situations, because they
have the potential to disrupt normal operations. Short timeouts can
encourage bad behaviour, for example sharing passwords so that one
person's PC can be unlocked after a timeout when that person is out
of the area.
In this case, there may be compensating controls. Physical
access to that area may be restricted and all PCs are in view of
several pairs of eyes, minimising the risk of an individual using
another's PC.
Organisations need to assess both their business needs and
those of their employees to determine the solution that is most
appropriate. The technology exists to make a difference. However,
only with careful consideration will the examples outlined above
prove beneficial.
- Ant Allan is a research vice-president at Gartner