Many mobile workers without basic security measures

By Bill Brenner, Senior News Writer
08 Feb 2006 | SearchSecurity.com


Online attackers are finding that the best way to hit a company is through the mobile devices used by its growing remote workforce. That's because many enterprises aren't requiring that laptops and other devices undergo adequate security checks before accessing the corporate network.

U.K.-based research firm Dynamic Markets Ltd. reached that conclusion after surveying 500 enterprise IT managers across the U.S., U.K., Germany and France last November on behalf of South Jordan, Utah-based LANDesk Software Inc., a vendor of configuration and security management products.

"What surprised me about the results was the number of respondents whose companies are still affected by viruses and worms that can be stopped by basic security procedures," said Kevin Auger, security solutions manager for LANDesk. "This, despite all the increased spending on IT security and the vigilance companies have devoted toward the threats."

Because of what LANDesk described as inadequate security measures, more than 65% of respondents said they continue to experience security breaches and are looking for additional methods to secure their networks beyond AV software. Sixty percent of respondents also said their organizations not only can't scan devices as they attempt to connect to the network, but also can't quarantine systems that don't meet corporate security requirements.

While more than 85% of respondents said their workforce is now mobile or field-based, 46% admitted the only way they can enforce security settings on laptops and mobile devices is when those devices are physically within the corporate environment. Meanwhile, 23% said they must rely on their users to apply security patches themselves, and 22% said they have computers or laptops operating outside the corporate network that can't be managed over a virtual private network (VPN).

Respondents said network security breaches are most often caused by:

  • Unauthorized mobile devices and laptops being connected to the organization's network;
  • Users making changes to or disabling security settings; and
  • Outdated patches or AV signatures.

SearchSecurity.com asked several IT professionals if the survey results reflect their experiences. Reaction was mixed.

"Unfortunately, I think [the survey response] is pretty realistic," said Eric Case, support systems analyst for the University of Arizona's Department of Chemical and Environmental Engineering in Tucson. "One of the things I do is run WSUS [Windows Server Update Services] and approve security updates. When a laptop is connected to the network, it sees new updates and pulls them in."

But Case works in a university setting where people are using their own devices to access the network. His department can secure the devices it owns, but when it's someone else's laptop, trouble can ensue despite the department's best efforts. "We're still looking at how to deal with the security of devices we don't own," Case said.

He offered an example of where the survey really hit home: A colleague was recently deploying the patch for the Windows Meta File (WMF) flaw and came across a machine whose primary user was away on vacation. He looked up and saw the mouse pointer moving around the screen. "It turned out someone was using Metasploit to try to get at other boxes," Case said.

Attacks can be slowed down or prevented, Case added, but the threat is still there and there's always the chance an attack will succeed, especially in a university environment where many devices aren't under the IT department's direct control.

The responses were more shocking to Tom Kroll, network systems and security administrator for Chicago-based law firm Hinshaw & Culbertson LLP.

"One thing that surprised me was the response to the question about security breaches," he said. "I don't understand what the respondents' definition of a security breach is, but for 42% to have problems with users disabling security settings, that's unacceptable. I'd be ticked off if that were happening here."

Kroll was left wondering if respondents had misunderstood the question, which asked, "Which of the following have caused security breaches in your company?" Forty-two percent of respondents in the U.S. blamed it on "users making changes to or disabling security settings."

"For the most part, my users are not interested in shutting down virus scanning," Kroll said. "I want to know more about what's behind the question. Are we talking about virus scanning? People should be written up for that."

But if it's a case where the user makes a mistake via Internet Explorer (IE), Kroll said, "That's more understandable. I could see a situation where someone changes a setting to get a Web page to work in IE. A box might pop up saying 'click this box' to fix the problem with the page and the user clicks it without realizing they've disabled security settings."

Auger said respondents may well have been referring to accidental setting changes.

"It may not be a malicious thing on the user's part," he said. "They may change configurations at home so some home program like gaming can work, but then they might forget to put the settings back."

Still, he said, "It did surprise us that so many organizations would let users change things like that in the first place."


