By and large, corporates have solved the problem of protecting the security of workstations against malware in their own internal environment, writes Gary Wood, a research consultant at the Information Security Forum. One indication of this is the reluctance of many to upgrade to Windows Vista: the maturity, reliability and security of their Windows XP implementations make it tempting to stick with what they know.
However, ever larger numbers of users now exist outside the corporate network. They range from road warriors and homeworkers to business partners and customers accessing corporate websites.
Road warriors are associated with numerous problems, including:
- infrequent connections to the corporate network, directly or via a VPN
- poor bandwidth
- short-term connections simply to view e-mail, then disconnecting, for example
- lack of end-user knowledge and awareness
To deal with this, remote access devices need to be autonomous and self-sufficient. They should be able to update themselves from a trusted source, rather than rely on a connection to the tightly controlled corporate environment.
For example, to ensure end-users have the most up-to-date security patches, one solution is to implement the auto update patching process available in Windows, which connects to Microsoft servers once an internet connection is detected. Such solutions are also widely available from the vendors of anti-virus and other malware protection solutions.
But in addition to trusted or corporate managed devices, the modern business environment includes end-users who connect to applications via the internet, perhaps from a home PC or internet café.
What to do
To protect these employees, corporate websites need to be designed to reduce the impact of malicious code. This begins with strong user authentication solutions that can be protected, such as one-time password tokens. Other devices resistant to replay attacks include the end-user chip and PIN solutions being implemented by UK banks.
Host devices can also be scanned remotely for malicious code by software running on the website, prior to permitting confidential or sensitive transactions. Another approach is for end-users to carry encrypted USB storage devices, which also contain anti-malware software.
Once connected, websites should only deliver services based on the level of trust of the connected device. For example, full functionality should only be granted to a fully managed corporate laptop with up-to-date patches and anti-virus signatures.
The traditional boundary is being eroded and organisations need to look beyond the perimeter to protect end-users, wherever they are and whatever they are using to connect.
Gary Wood is a research consultant at the Information Security Forum
This was first published in May 2008