As a security professional I have had the opportunity to attend, appear on panels for, and speak at security-related conferences and trade group meetings. It is always exciting to learn about the latest trends in the security field and to network with other security practitioners. However, during one recent event the question was raised: "What else can we do as security professionals?"
The answer is simple: Spend time educating and speaking to people outside of the profession. We know and understand the risks and vulnerabilities that businesses face on a daily basis, but if we are to have any impact at all, we must explain these risks and vulnerabilities to individuals outside of the profession. Since corporate professionals working at home on personal computers comprise one of the biggest threats to a corporate network, training home users on the fundamentals of computer security is an excellent place to start.
Many corporate professionals have broadband Internet access at home and will often use it to connect to corporate assets. Many of these professionals have the misconception that their home computers are not going to be a target for hackers. This could not be further from the truth. An "always-on" Internet connection, whether it is DSL, cable or T1, is a target for hackers. These hackers will do one of several things:
- Break in and look around;
- Break in, look around and steal information;
- Break in, look around and destroy information;
- Break in, look around and store illegal information, such as child pornography or stolen credit card numbers, on the computer;
- Break in, look around and use the computer to mount attacks on other systems.
Since the home computer has been used to create or access proprietary information, it will contain information valuable to an attacker, such as usernames and passwords, R&D information and personnel information.
All home users should be trained in how to install and maintain an anti-virus program. Many people who work from home have all their corporate contacts in their e-mail address books. Some viruses infect the computer and send themselves on to everyone in the address book, often infecting corporate systems as well. Many excellent anti-virus programs exist, but they must be updated on a regular basis. Most anti-virus programs will automatically check for updates and install them when they are available.
It is also important to train end users to recognize the difference between a hoax and a real virus alert. Hoaxes often clog networks with unnecessary traffic. The individuals who create virus hoaxes are extremely creative. Instead of writing code that sends a virus to everyone in a user's address book, they simply ask the user to do it. Key point: if an e-mail asks a user to forward it on to "everyone in your address book," it is a hoax.
Many hoaxes will try to sound authoritative by quoting legitimate companies: "Microsoft just released that this is the most serious virus threat to date." The problem with these quotes is that companies like Microsoft do not release virus warnings. Neither do Intel or AOL, which are also frequently quoted in hoax e-mails. Users can check the legitimacy of virus warnings at any of several useful Web sites. One popular site is