As a security professional I have had the opportunity to attend, appear on panels for and speak at security-related conferences and trade group meetings. It is always exciting to learn about the latest trends in the security field and to network with other security practitioners. However, during one recent event the question was raised, "What else can we do as security professionals?"
The answer is simple: Spend time educating and speaking to people outside of the profession. We know and understand the risks and vulnerabilities that businesses face on a daily basis, but if we are to have any impact at all, we must explain these risks and vulnerabilities to individuals outside of the profession. Since corporate professionals working at home on personal computers comprise one of the biggest threats to a corporate network, training home users on the fundamentals of computer security is an excellent place to start.
Many corporate professionals have broadband Internet access at home and will often use it to connect to corporate assets. Many of these professionals have the misconception that their home computers are not going to be a target for hackers. This could not be further from the truth. An "always-on" Internet connection, whether it is DSL, cable or T1, is a target for hackers. These hackers will do one of several things:
- Break in and look around;
- Break in, look around and steal information;
- Break in, look around and destroy information;
- Break in, look around and store illegal information, such as child pornography or stolen credit card numbers, on the computer;
- Break in, look around and use the computer to mount attacks on other systems.
Since the home computer has been used to create or access proprietary information it will contain information valuable to an attacker, such as usernames and passwords, R&D information and personnel information.
All home users should be trained in how to install and maintain an anti-virus program. Many people that work from home have all their corporate contacts in their e-mail address books. Some viruses infect the computer and send themselves on to everyone in the address book, often infecting corporate systems as well. Many excellent anti-virus programs exist, but they must be updated on a regular basis. Most anti-virus programs will automatically check for updates and install them when they are available.
It is also important to train end users to recognize the difference between a hoax and a real virus alert. Hoaxes often clog networks with unnecessary traffic. The individuals that create virus hoaxes are extremely creative. Instead of writing code that sends a virus to everyone in a user's address book, they just ask the user to do it. Key point: If an e-mail requests a user to forward it on to "everyone in your address book," it is a hoax.
Many hoaxes will try to sound authoritative by quoting legitimate companies: "Microsoft just released that this is the most serious virus threat to date." The problem with these quotes is that companies like Microsoft do not release virus warnings. Neither do Intel or AOL, which are also frequently quoted in hoax e-mails. Users can check the legitimacy of virus warnings at any of several useful Web sites. One popular site is
www.purpotal.com, whose slogan, "The Bunk Stops Here," says it all. Other sites include www.snopes.com, www.hoaxkill.com and www.vmyths.com.
It is imperative that home users purchase and install a personal firewall product. Commonly used products include Zone Labs' Zone Alarm and Black Ice Defender. These products not only protect the computer from attack, they monitor which applications on the computer are trying to access the Internet. This is important because many types of Trojan programs exist that will attempt to send personal information to a server on the Internet. Some of these Trojans also broadcast themselves to the Internet so hackers can find them and connect to them. Any home user or business that has an "always-on" connection and does not have a firewall in place can be assured that their proprietary and personal data has been viewed and/or stolen. It is important to note, however, that firewalls are not the "be all and end all" security solutions many believe them to be. Nearly all firewalls have vulnerabilities, and if they are not patched, the firewall may as well not exist. Additional security measures need to be implemented.
An additional layer of protection can be offered by password protecting key documents. This includes Adobe Acrobat files, Office documents and Zip (compressed) files. If users maintain this type of security, they must understand that they are only defending against the curious or casual attacker.
Password protected files are not secure for two reasons. For one thing, users often choose a password they already use or a simple password that is easy to remember and therefore easy to guess. The second reason is that password-cracking tools exist for nearly all applications. Many of these tools are free or inexpensive. They are generally offered as "password recovery" tools that provide absent-minded users with ways of recovering valuable documents. Security professionals need to be aware of these tools because they can prove useful when investigating inappropriate employee activities. To learn more about some of these tools, visit www.lostpassword.com and www.password-crackers.com.
If password protecting important files is not a secure way of protecting data, what can the average user do? The answer can be found in one word: encryption. But the implementation of a valid encryption program can be difficult. This is why encryption has not become widely implemented among home users.
Encryption is "simply" the conversion of data into an unrecognizable and unreadable form. Decryption then takes this unreadable form and converts it back into a readable format. The problem lies in the fact that this encryption/decryption process is accomplished using complex mathematical algorithms. Because of the complexity of the encryption process, unscrupulous developers will play on consumers' ignorance to sell their products. Several Web sites can help provide an understanding of some basic concepts. One of these sites, "Snake Oil Warning Signs: Encryption Software to Avoid," is useful, although several years old. It can be found at www.interhack.net/people/cmcurtin/snake-oil-faq.html. Another resource is the Cryptography FAQ, which can be found at www.faqs.org/faqs/cryptography-faq/.
Another reason that encryption is not more widely implemented is that it is not readily available. A quick tour of an electronics store and a computer superstore revealed no stand-alone encryption products. However, multiple products can be found on the Internet.
Encryption products will allow users to protect their data at rest (stored on their local hard drive) and/or in transit (e-mail messages and attachments). There are several ways to encrypt data at rest. A simple way is to encrypt specific files or folders. Microsoft's encrypting file system provides this functionality in Windows 2000 and Windows XP.
Another, more seamless way to encrypt files or folders is to use on-the-fly encryption. On-the-fly encryption consists of an encrypted partition that appears as a normal drive to the user. This drive receives a drive letter and files can be added or deleted from it in the normal fashion. The drive can be "unmounted" so the data it contains becomes encrypted. Multiple tools exist that can provide this functionality, including BestCrypt, DriveCrypt and PGPDisk, which is included in the commercial versions of PGP. To provide security to data in transit, most encryption tools provide the following two options.
1) Encrypt the data or file and send to a specific recipient. As easy as this task sounds, it can be somewhat cumbersome to perform (which is why everyone is not encrypting their e-mail and attachments). The recipient of the encrypted data must generally have the sender's public key, a passphrase or a password in order to decrypt the data. These items must be provided to the recipient prior to sending them any encrypted data, and they must be provided to them in a secure fashion. The recipient must also have a copy of the program used to encrypt the file.
2) Because this process can be confusing and cumbersome, many encryption programs allow for the creation of self-decrypting files. These are encrypted files that decrypt themselves when the recipient enters the appropriate password or passphrase. These files are usually created as Zip or executable files, so they can be sent as e-mail attachments. One note of cautionÃ¢â‚¬â€many corporations block compressed and executable files at the firewall in an effort to reduce the introduction of viruses into the corporate network.
Choosing a Product
When evaluating encryption products it is important to look for one that is well established, has been tested and examined for many years and provides extensive support. Multiple resources exist for well-established products including books, Web sites and newsgroups. One such product is PGP (Pretty Good Privacy). Free versions can be downloaded for non-commercial, individual use. Commercial versions of PGP are available from PGP Corporation, www.pgp.com. An excellent primer on PGP, "PGP The Easy Way," can be found at http://home.mpinet.net/~pilobilus/EZ_PGP.htm.
Security professionals need to understand that corporate users that work at home can endanger the security of corporate assets. By educating these users in fundamental concepts of network security including firewall use, virus and anti-virus concepts and encryption technologies, we will go a long way in protecting corporate assets. It is also important that security professionals understand and practice these procedures in an effort to lead by example. If we do not use these technologies appropriately, how can we expect the average user to do the same?
John Mallery is chief technology officer for Clarence M. Kelley and Associates Inc., a private investigation firm headquartered in Kansas City, Mo. He manages the firm's technical service offerings, network security consulting and computer forensics. John can be reached at firstname.lastname@example.org.