Search in ISMS Guides


Wednesday, August 29, 2007

Information Security Policy Controls to Reduce the Risk of Home-based Employee Access

Attackers follow the weakest link

The never-ending battle to secure the corporate desktop against viruses, unauthorized software, and spyware now consumes significant resources for many companies. However, as organizations continue to adopt security best-practices to protect their networks, attackers are increasingly targeting the weakest link - the home internet user. Recent studies are now confirming that attacks against user's home computers present increasing risks to business.

Two "mega" trends are making it nearly impossible to ignore the home PC in the corporate security battle. First, the number and frequency of remote workers is growing rapidly. Second, rapidly-evolving threats against the users home PC and the prospect for large financial gain are creating new opportunities for hackers.

Attacks on home PCs on the rise

According Symantec's September 2006 Internet Security Threat Report, home users are the most targeted attack sector, accounting for 86 percent of all targeted attacks. Newer, more sophisticated attacks are using blends of adware, spyware and phishing attacks to lure users to download new malicious code that is becoming harder to detect. As attack vectors move from corporate networks to personal computers, newer attacks are exploiting vulnerabilities in end-user applications such as web browsers and desktop applications, rather than servers and firewalls.

Most compromised home PC become part of an increasing army of "botnets". According to the Symantec report, in the first half of 2006 the company identified more than 4.6 million distinct, active bot network computers and observed an average of 57,717 active bot network computers per day during this period.

As the internet crime business has moved from simple bragging rights to big business, the second largest target are financial services businesses. For example, in October 2006 both the U.S. Securities and Exchange Commission (SEC) and Canada's Investment Dealers Association noted a drastic increase in on-line stocking trading fraud over the last few months. On-line brokerage accounts are being compromised at an alarming rate by keyloggers and other spyware. According to one report, ETrade Financil suffered more than $18 million in losses from fraudulent online trades within a 90 day period.

A home user's PC that is compromised provides several avenues of attack against businesses, including compromised logon credentials, exposure of confidential information (via file-sharing or uploading), and coordinated SPAM and DDOS attacks using botnets. With these attacks escalating, businesses must now consider how the security of a remote PC or laptop may pose a threat to their business.

Security Policy Considerations

So what types of information security policy controls can an organization put in place to help reduce the risk of corporate data being exposed in a home based attack? Let's look at the most common areas of risk and examine some possible security policies.

Password Controls - Networks and systems are still vulnerable to weak passwords and compromised login accounts. Having strong password controls, especially for any accounts with remote access to the network, is critical for protecting the network. An increasing number of breaches are occurring where attackers are gaining access to legitimate login information from third party business partners, and then using these credentials to steal information. Password complexity requirements, password histories, and password expirations are all critical controls to be put in the password policies.

A related password security policy is to prohibit users from using their corporate userids and passwords on public web sites that they may access from home. While sharing passwords between web sites is common for users who must remember a number of different passwords, a compromised on-line brokerage account can lead to a compromised network account if login credentials are shared.

Restricting Data Transfer - Organizations should restrict users from taking sensitive information out of the corporate network and making copies of the data to use at home or one the road. Using flash drives and other portable devices, it is easy for users to make copies of sensitive data and move them to laptops or home PCs. In 2006 alone, there have been over 50 different reported cases of stolen laptops that contained sensitive corporate data.

Organizations can help restrict the flow of sensitive information by auditing or restricting access to USB drives or CD-ROM backup drives. Only certain privileged users should be allowed to remove sensitive information from the company network or physical locations. When sensitive data is removed, it should always be password protected and stored in encrypted format.

Requiring basic PC protection - Organizations should consider updating their Acceptable Use policies to require that users accessing corporate networks from home employ basic security measures on their PC including, at the minimum, Anti-virus and spyware detection. While this type of policy is very difficult to enforce using today's technology, organizations can start by requiring users to sign an agreement that they have these controls in place as part of a provisioning process for remote access. Organizations can aid users by providing access to pre-approved software that has been shown to be effective in the home environment.

User Education and Awareness - Of course, educating users is still one of the most effective controls for reducing the risk of home-based security incidents. Many organizations with a large base of users are including education on protecting the home PC as part of their standard corporate security awareness. Not only does this type of education help reduce corporate risk, is gives the end-user a reason to be motivated to learn about information security principles.

Some organizations now require their users to pass a basic security awareness quiz before being allowed access to corporate resources. It would be appropriate to add the knowledge of how to protect home-based PCs and laptops as part of a standard body of knowledge required for remote access to company information.


Information Security Policies Made Easy, Version 10 - A complete library of information security policies, including policies for personnel security.

Information Security Roles & Responsibilities Made Easy, Version 2 - An extensive library of documented information security requirements for various organizational roles.

Privacy Management Toolkit, Version 1 - A complete resource for managing customer and employee privacy based on OECD Fair Information Principles.

Other Security Policy and Data Privacy Whitepapers

No comments: