Browser weakness compromises remote users

If the Jericho Forum's deperimeterisation security model is to work, users and suppliers will have to tackle the problem of providing access to corporate networks from an increasingly wide range of devices.

Currently, most business users connect securely to a corporate network via desktop PCs within the boundary of a company. Mobile access, though increasingly common, is far less secure. Members of the Jericho Forum are planning to look at the security impact of connecting various types of devices to a corporate network. For deperimeterisation to take off, every device needs to be treated as inherently insecure.

The draft manifesto identified a number of problems with today's mobile technology, including the possibility of virus attacks and the risks of removable media (such as compact flash memory). Removable media could, for example, be used to introduce viruses, just as floppy discs have been on PCs.

The draft document also highlighted some progress in addressing mobile security, for example that mobile phones require two levels of user authentication: possession of the SIM and knowledge of the PIN code.

Hardware used to run personal productivity programs, such as word processors or web browsers, poses another set of risks. Hewlett-Packard, IBM, Intel and Microsoft, through the Trusted Computing Platform Alliance (TCPA), have approached the problem by working on how to secure the PC from buffer overflow attacks.

The Jericho Forum believes such an approach may have some benefit in securing PCs. However, the draft manifesto criticised the TCPA for producing a specification that tries to do too much. "They are attempting to meet the needs of everyone," it said.

Suppliers also promote thin-client as a way to secure networks but Jericho Forum members believe thin-client will have limited appeal. "Until decision-makers adopt thin-client as their productivity platforms, the technology will remain niche," they said.

Jericho Forum member John Meakin, group head of information security at Standard Chartered Bank, wants to see technology evolve to the point where users could access data securely from a public internet kiosk.

Although it is unlikely that users would want to connect via an internet kiosk, the security needed to achieve this would be more than sufficient to secure online access for remote users.

Such access is not yet possible, according to Meakin, because of weaknesses in browser security. Browsers store session information (cached pages, cookies and credentials) that, to be fully secure, should be removed when the user logs off. Unless that information is wiped from the computer's memory and disk cache, the next person at the machine, or a hacker, could access it.
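The residue problem Meakin describes, and the two complementary fixes for it, as an added example that is not part of the article or of any Jericho Forum material. It is a small Node.js model of the state a browser keeps for one origin (cookies, web storage and the HTTP cache are constructed in memory here; the hypothetical app, user name and URLs are invented). It shows that a logoff which only drops the session cookie leaves data behind, and then applies the server-side headers that stop the browser keeping the data in the first place, including the Clear-Site-Data response header, which browsers added years after this piece was written, plus a client-side wipe for browsers that ignore it.

```javascript
'use strict';

// Constructed model of the per-origin state a browser keeps. Real browsers
// hold more (history, form autofill, HTTP auth credentials), but the same
// principle applies to all of it: anything not wiped at logoff is readable
// by whoever sits down at the machine next.
function makeBrowserState() {
  return {
    cookies: new Map(),        // name -> { value, persistent }
    localStorage: new Map(),   // survives the tab and a browser restart
    sessionStorage: new Map(), // survives a logoff inside the same tab
    httpCache: new Map(),      // url -> body, written to disk
  };
}

// Browser-side cache write that honours "Cache-Control: no-store".
function storeResponse(state, url, body, headers) {
  const directives = String(headers['cache-control'] || '')
    .toLowerCase().split(',').map(s => s.trim());
  if (directives.includes('no-store')) return false; // never written to disk
  state.httpCache.set(url, body);
  return true;
}

// A careless hypothetical web app: session data ends up in four places.
function simulateLogin(state, sessionToken, responseHeaders) {
  state.cookies.set('sid', { value: sessionToken, persistent: true });
  state.localStorage.set('lastUser', 'alice'); // constructed user name
  state.sessionStorage.set('accountView', JSON.stringify({ balance: 1234 }));
  storeResponse(state, '/account/statement', 'Balance: 1234', responseHeaders);
}

// What the next kiosk user (or an attacker) can still read after logoff.
function findResidue(state) {
  const residue = [];
  for (const name of state.cookies.keys()) residue.push(`cookie:${name}`);
  for (const key of state.localStorage.keys()) residue.push(`localStorage:${key}`);
  for (const key of state.sessionStorage.keys()) residue.push(`sessionStorage:${key}`);
  for (const url of state.httpCache.keys()) residue.push(`cache:${url}`);
  return residue;
}

// Typical "logoff": the app only invalidates the session cookie.
function naiveLogoff(state) {
  state.cookies.delete('sid');
}

// Server-side fix: no-store on every authenticated response, and on the
// logoff response a Clear-Site-Data header telling the browser to wipe.
function hardenedHeaders({ logoff }) {
  const headers = {
    'cache-control': 'no-store, no-cache, must-revalidate',
    'pragma': 'no-cache',
  };
  if (logoff) headers['clear-site-data'] = '"cache", "cookies", "storage"';
  return headers;
}

// How a browser acts on Clear-Site-Data: each directive empties one store.
function applyClearSiteData(state, headers) {
  const directives = String(headers['clear-site-data'] || '')
    .split(',').map(s => s.trim().replace(/^"|"$/g, '')).filter(Boolean);
  if (directives.includes('cookies')) state.cookies.clear();
  if (directives.includes('storage')) {
    state.localStorage.clear();
    state.sessionStorage.clear();
  }
  if (directives.includes('cache')) state.httpCache.clear();
  return directives;
}

// Client-side belt and braces for browsers that ignore the header: the
// logoff handler wipes every store itself instead of trusting the server.
function clientLogoff(state) {
  for (const name of [...state.cookies.keys()]) state.cookies.delete(name);
  state.localStorage.clear();
  state.sessionStorage.clear();
  state.httpCache.clear(); // real browser: caches.keys().then(ks => ks.forEach(k => caches.delete(k)))
}

// Run both scenarios and report what is left on the machine.
function demo() {
  const careless = makeBrowserState();
  simulateLogin(careless, 'tok-1', {});
  naiveLogoff(careless);
  const leftBehind = findResidue(careless);

  const hardened = makeBrowserState();
  simulateLogin(hardened, 'tok-2', hardenedHeaders({ logoff: false }));
  applyClearSiteData(hardened, hardenedHeaders({ logoff: true }));
  clientLogoff(hardened);
  const afterHardened = findResidue(hardened);
  return { leftBehind, afterHardened };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Running the file prints three items of residue for the careless app (local storage, session storage and a cached statement page) and none for the hardened one. The same check works against a real site from a pentesting angle: an authenticated response without `Cache-Control: no-store`, or a logoff response that does not clear storage, is exactly the kiosk weakness described above.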
