November 28, 2006

Out of sight, of out mind. Many IT departments carefully watch their employees in the office, but they fail to monitor just what software their users are installing or what hardware (think thumb drives and iPods) they're plugging into their desktop or laptop machines at home -- or who else may have access to those machines.

The rash of laptop losses and thefts at major corporations and government agencies over the past year has red-flagged the problem of securing data when it leaves company premises. But what about the machines that sit in home offices where telecommuters work daily, or company executives work after-hours? And what happens when a user's home is broken into and his laptop or PC stolen?

"The problem companies face with home workers is that the security boundary with the Internet has been extended to hundreds, even thousands of remote locations," says Geoff Bennett, director of product marketing at StreamShield. "The odds of a weak point are multiplied exponentially."

Ironically, top execs can be the biggest weakest links in the home-user chain. "The CEO and CFO want to store sensitive information locally on their laptops because they don't want to worry about VPNing in," says Consilium1's Kelly.

Few IT organizations have the means to restrict user-access when it's not on-site: Home users may leave their machines connected to the company network, or give passwords out to family or friends. And watch out for those technologically precocious kids in the house.

"In one instance, a CEO's kid got on his machine and renamed critical financial files. The firm was unable to do a planned stockholders' meeting as a result," says Rob Enderle, principal analyst with the Enderle Group. "End point security remains important especially if the equipment isn't on premise."

Security assessments are rarely, if ever, done of the homes of these users, Enderle says.

And now, as home users increasingly become the targets of phishing attacks and botnet attacks, the company-issued laptop and the user's home PC with VPN access can leave the corporate network at risk. "If their machine has turned into a zombie and has access through a VPN to the corporation, the corporation is clearly exposed," Enderle says.

Most zombie infections use keylogging, which captures password information. And a zombie PC also becomes a spam pipeline, says StreamShield's Bennett, which can wreak havoc since most corporate email systems are configured to filter inbound, not outbound, spam.

"The assumption is that one's own employees are not likely to send spam. But a compromised PC will act as a spam relay," he says, which could result in the company's legitimate email being blacklisted by other organizations.

One way to lock down home users is to eliminate VPN access and instead use biometric, multi-factor authentication to email and "the most limited set of resources needed to do the job," Enderle says.

A home security audit is also helpful, as well as training home users how to best protect their computer and the company network. "And the computer accessing the corporate resources should remain administered and patched, and protected to a degree sufficient for the level of access the remote employee has."