The recent spate of viruses has exposed the dangers of providing network rights to laptops that operate both on and off the network.
– Security organizations must employ both technology and policy to protect network resources.
– User management aggregation (identity management, provisioning) will mature rapidly (2004).
– Security event management consoles (collecting intrusion detection system, firewall, and host events) will remain out of the mainstream until 2005.
– Security configuration consoles (central distribution points for firewall, personal firewall, and eventually server configurations/policies) are the least mature, with viable integrated products appearing in 2006/07.
Numerous META Group clients are reporting virus infections that traverse well-designed perimeter defenses in the briefcases of consultants and other roaming users.
Corporate laptop users should be protected with standard antivirus (AV) software, personal firewalls, and regular security patch management. But what about end users not under the IT management umbrella?
Most organizations have a small army of consultants, outsourcers, business partners, customers, and other visitors that require network access in some form.
Even organizations with a federated corporate or security structure must validate security compliance (e.g., patch levels, AV update level, security software installed, security process such as AV and firewalls running) on affiliate PCs before granting network rights.
Best-practice security organizations are employing both written policy and technical means to ensure their network is safe from these roaming “Typhoid Marys.”
Before any technical solutions are deployed, IT organizations (ITOs) must first establish a clear policy and ensure that security compliance and acceptable usage education are embedded in the process.
Computing facilities provided for non-contracted visitors should include instructions for use, help desk contact information, and brief security/acceptable-usage guidelines. For contract visitors, security policy compliance should be a contractual obligation with clear penalties for non-compliance. Shifting liability to the outsourcers/contractors creates an incentive for their ITO to prevent problems. However, embedding security compliance in business contracts will require consultation with the business and legal departments, and it may not be possible to add such terms to existing contracts.
The ITO must perform random audits to ensure compliance before a security incident, particularly if no automated compliance technology is deployed.
The first step organizations should take is to identify and classify all non-corporate-managed users based on the trust level of network resources they require and the duration of that access.
One best practice is creating a “guest network” that is isolated from the corporate network. If the type and number of internal applications needed by guests are predictable, ITOs can route users outside the organization on the guest network and back in through a secure portal (e.g., Citrix, Sybase) that includes host integrity/policy checking prior to providing access. On-site outsourcers/contractors are the easiest to manage.
Another best practice is to reformat the hard drive and install a fresh image on loaner PCs before reissuing them, to ensure each is secure, user privilege levels are appropriate, and no residual confidential information is present.
ITOs can use logon scripts to check for security agents and dynamically install them – with approval from the end user – if necessary. Compliance-checking tools typically can only report on compliance and cannot deny network access for non-compliance unless combined with logon scripts.
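A compliance check of the kind the steps above describe (classify the user by trust tier, verify the AV/firewall/patch posture a logon script reports, then grant, quarantine or deny network rights), written here as an added example that is not from the META Group article or this post. The Posture record, the trust tiers, the seven-day signature threshold and the sample hosts are all constructed for illustration, since the page names no product or policy values.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Posture:  # constructed record, as a logon script or audit tool might report it
    host: str
    trust_tier: str            # "guest" or "contractor", from the user classification step
    av_installed: bool
    av_running: bool
    av_signature_date: date
    firewall_running: bool
    missing_critical_patches: int

HARD = "hard"  # security software missing or stopped: no network rights at all
SOFT = "soft"  # software present but out of date: isolated network with update servers only

def assess(p: Posture, today: date, max_sig_age_days: int = 7) -> list[tuple[str, str]]:
    """Return a (severity, reason) pair for each policy violation found on the host."""
    findings = []
    if not p.av_installed:
        findings.append((HARD, "antivirus not installed"))
    elif not p.av_running:
        findings.append((HARD, "antivirus not running"))
    elif (today - p.av_signature_date).days > max_sig_age_days:
        findings.append((SOFT, f"antivirus signatures older than {max_sig_age_days} days"))
    if not p.firewall_running:
        findings.append((HARD, "personal firewall not running"))
    if p.missing_critical_patches > 0:
        findings.append((SOFT, f"{p.missing_critical_patches} critical patch(es) missing"))
    return findings

def decide(p: Posture, today: date) -> tuple[str, list[str]]:
    """Map the findings and the user's trust tier to a network placement decision."""
    findings = assess(p, today)
    reasons = [reason for _, reason in findings]
    if any(sev == HARD for sev, _ in findings):
        return "deny", reasons
    if findings:
        return "remediate", reasons   # guest VLAN restricted to patch and AV update servers
    if p.trust_tier == "contractor":
        return "corporate", reasons   # contractually bound and compliant
    return "guest", reasons           # visitors reach internal apps only via the secure portal

TODAY = date(2003, 9, 15)  # constructed sample hosts, dated to the era of the article
SAMPLE = [
    Posture("consultant-lt01", "contractor", True, True, date(2003, 9, 14), True, 0),
    Posture("partner-lt07", "guest", True, True, date(2003, 9, 14), True, 0),
    Posture("visitor-lt03", "guest", True, True, date(2003, 8, 1), True, 2),
    Posture("outsrc-lt22", "contractor", True, False, date(2003, 9, 14), False, 0),
]
```

In a real deployment the Posture fields would be filled by the logon script's agent inventory and the decision fed to whatever enforces VLAN or portal placement; the reasons list is what the random audits in the text would record.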
More info: [url=http://techupdate.zdnet.com/techupdate/stories/main/Defending_Against_Insider_Infections.html?tag=tu.scblog.6673]http://techupdate.zdnet.com/techupdate/stories/main/Defending_Against_Insider_Infections.html?tag=tu.scblog.6673[/url]