
The Threat From Inside

The biggest danger to computer systems comes from employees. New products address the problem.

Wells Dairy, a maker of dairy and ice-cream products with $650 million in annual revenue, began protecting its points of entry in the summer of 2001, around the time the Code Red worm started spreading. The company noticed that more home-office and mobile users wanted to connect to the company through high-speed connections. "We saw the need for a firewall on those mobile systems," says Jim Kirby, senior network architect.

The dairy installed Sygate Secure Enterprise on its notebooks, and it worked well enough that it's now considering deploying SSE on other systems. Wells, like many large companies, faces a challenge in making sure all its employees consistently update antivirus signatures to protect against new threats. Tough security policies may be the answer. Wells is looking at making SSE enforce a policy that if employees log on to the network and aren't "up to date with their antivirus software, all they'll see is an option to update it until it's done," Kirby says. That strict approach is necessary because hackers are always prodding systems to find new ways to gain access. "Now they're finding ways to drop Trojans on PCs, so you need to protect all of the systems on your network," he says.

Break-In Options

Client firewalls, which cost $20 to $80 when purchased in quantity, add a layer of protection to enterprise systems. Sygate plans to enhance SSE to include more types of devices; SSE now lets computers access the main network only if they have a firewall, antivirus software, and software patches that are properly configured. SSE also lets security managers change policies and enforcement rules depending on where a user is working and how he or she is logging on to the network. For example, if a user attempts to log on to the corporate network from a wireless cafe, the user's access to certain applications can be restricted. The software also will be able to determine if a user is logging on to a gateway that's not on a company's list of trusted gateways. If so, the software can enforce more stringent rules and restrict access to sensitive applications and data. "The ability of the technology, and the desire of companies, to clamp down on usage like this is only going to increase," De Santis says. Last week, Sygate enhanced SSE to be able to automatically restore systems to a trusted state; if patches are not up to date, the software can install them and then give the user access.

Sygate also is working on enforcement agents to run on PDAs. As more PDAs get connected, "they need to be secured in the same way laptops do," De Santis says.

Other vendors also are enhancing their end-point firewalls. Zone Labs this summer will roll out version 2.2 of its Integrity firewall, which will provide more-flexible security administration and better enforcement of security rules down to the level of files, registry keys, and even memory processes on desktops. It will let security managers quickly push out security policies to thwart new viruses and worms as they arise. Network Associates will be enhancing its ability to enforce protection on end points. Its upcoming version of ePolicy Orchestrator will be able to enforce antivirus and firewall settings before allowing users access to the network. Internet Security Systems plans to upgrade its RealSecure Desktop Protection firewall to make it easier to change security settings based on the location from which a user is logging on. "If you're logging on from home, you'll have a higher security setting than if you're logging on from the corporate network," says Chris Klaus, the founder and CTO of the security vendor. "If you're accessing the network from an Internet cafe, your settings could be set even higher."

Another potential security problem that's moving up the list of concerns is USB, or universal serial bus, ports. USB ports can be used to connect to other computers, storage devices, wireless LANs, and other systems. "You don't want to shut access off completely, but you may only want to allow your PDA to sync with your calendar," De Santis says.

The growing number of wireless devices seeking to access company networks is another concern. "It's a real hot button," says Stacey Lum, president and CEO of InfoExpress, whose CyberArmor firewall enforces security policies. InfoExpress is making its firewall easier to manage and adding policy enforcement for wireless devices. Security worries have caused many companies to limit or prohibit wireless access to their networks, he says.

To gain access to the corporate network in the future, it won't be enough for users to prove who they are by logging on with a password, a smart card, or via a biometric security system. The threats posed by new wireless devices, the growing number of mobile workers, and the ability to create a security hole by changing system settings mean that devices themselves will have to prove they're abiding by a company's security policies before they're granted access, Symantec's Clyde says. "Your system is going to also have to show that it can be trusted," he says. "Your client firewall and antivirus are going to show they're up to date. Those are the kinds of things happening in the future."

New threats increase the need to lock down entry points to networks, says Ken Tyminski, chief information security officer at Prudential Financial. Photo by Rachelle Mozman.

Security managers hope vendors will deliver on their promises, but they're being cautious. "It almost sounds too good to be true," Prudential's Tyminski says. If Sygate's upcoming software lets him better control end points and USB connections, he sees many ways he could use those capabilities, such as ensuring that users on the company's computer systems aren't running unauthorized applications, that unauthorized wireless connections to the network aren't established, and that critical patches are in place before a system logs on to the network. "Now, that's enforcing end-point policy," he says.

Besides improving security, the new products provide another benefit, Travis County's Clyde says. They'll make it easier to automate processes that provide real-time protection to desktops, notebooks, and mobile devices and automatically enforce security policies. They also will greatly enhance the ability of managers to make security part of the fabric of an organization's networks and systems. Travis says he isn't asking for much, just products "that let me secure systems and accomplish good things without causing me headaches."

Illustration by Tad Majewski
Photo of Clyde by Matthew Mahon
Photo of Tyminski by Rachelle Mozman