When it comes to securing your network, there is nothing quite so troubling to IT professionals as the remote worker...
-- that person sitting at home, downloading who knows what and connecting with the corporate system.
"They're a huge concern, because you don't have the same control over them as you do over a stationary location within your enterprise," said Paul Schmehl, adjunct information security officer at the University of Texas at Dallas. "You don't know where they've been."
There are, however, a few steps that organizations can take to help protect themselves from the careless road warrior and home office worker accessing the corporate system through a virtual private network (VPN).
"The real key is just making sure the thing stays up to date," Schmehl said. "We've used login scripts to make sure they have antivirus. Updating is the critical piece. The way to do that is scheduling. Don't give the user the burden of remembering themselves."
The cornerstone of any good security policy rests in education, and that is especially true for remote workers, Schmehl said. While he's seen pushback from IT folks who don't believe most users are capable of understanding security, Schmehl said it's not necessary to give them all the technical details.
"If they don't understand the risks, they're a walking time bomb," Schmehl said.
On the other hand, organizations also need to be wary of crying wolf, he said. Sending too many alerts or e-mails every time there's a minor worm will only make people start ignoring you, Schmehl said.
"Lately, it seems like there's this attitude in the industry that, if you have good edge security, you're OK," Schmehl said. "Slammer and Mydoom have proven that's a fallacy. Security doesn't stop at the edge. It starts there."
There are some new products available that might ease some troubled minds, however.
Three new antivirus products allow connections to the corporate network through the VPN only if the application determines that antivirus software is installed and up to date.
"If you want to come into the corporate playground, you have to prove you won't infect the other kids," said Ed Skoudis, senior security consultant with International Network Services in Santa Clara, Calif.
Trend Micro Inc., in Tokyo; McAfee Security, Sunnyvale, Calif.; and Symantec Corp., Cupertino, Calif., work with Checkpoint's VPN solution to double-check remote users for antivirus protections.
"That's a brand-new kind of idea," Skoudis said. "I think it's going to be the wave of the future. It gives us the ability to do enforcement of antivirus on our most dangerous users. In [the] past, we didn't have that ability."
As with so many things, there is a tradeoff. If the antivirus tool can't get an update, remote users can't get into the system, Skoudis warns.
"That's the price you pay," he said.
IT security is without question an ongoing cost. Education requires an initial outlay of money but, as time passes, employees forget and new workers are hired.
"It's a leaky bucket; that's what info security awareness is," Skoudis said. "It will decay with time, but security by its nature decays over time."
Remote workers' browser security settings should be at high, and organizations should keep a careful eye on patch management as well, which can be difficult with home users, with PCs that the IT department doesn't have control over. Software distribution for a large number of users across VPN links can be very difficult, so it is imperative that they know to get security updates from Microsoft, Skoudis said.