Wolves At The Door

Stopping big, bad hackers from targeting mobile workers.

Hackers beware! if you think the telecommuters at Lexis-Nexis are easy targets, youd better think again. These telecommuters are not the kind who disable anti-virus software to download the latest version of Napster, thereby creating holes that hackers can use to access their companys network. Armed with strict security policies, firewalls on laptops, virus-scanning software and secure dial-up accounts, all Lexis-Nexis employees—from assistants to the CEO—are so tough about security that theyre more likely to wear combat boots than bunny slippers when working from home.

"Were well aware of the exposure telecommuting brings," said Leo Cronin, director of information security at Lexis-Nexis, an information services division of Reed Elsevier plc., in Dayton, Ohio. "That is why we have several policies in place that give us control over their environment. The majority of our employees are well aware of the risks [to the company] if they break the policies."

Sound paranoid? Cronin doesnt think so. The recent, high-profile attack on Microsoft Corp. via a pilfered telecommuter ID in October was a wake-up call for Cronin and a growing number of corporate security managers like him. The message: At a time when employees are just as likely to log in from home or the road as from a cubicle at company headquarters, securing employees laptops and other mobile devices, and protecting corporate servers and networks from telecommuter-enabled breaches, is more critical than ever.

So, savvy organizations such as Lexis-Nexis, the state of Arizona and Conqwest Inc. are taking action by implementing a combination of strategies to limit their exposure. Those strategies include developing and enforcing strict policies that tell telecommuters what they can and cannot do on their machines and how to physically protect them. They also involve taking advantage of security technologies such as VPNs (virtual private networks), firewalls, anti-virus scanning and call-back software that can be used to locate stolen laptops. And, perhaps most important, theyre enforcing selection processes—backed up with training—that ensure only those capable of following the rules are allowed to telecommute.

"Telework is a privilege, and our end users understand that they need to constantly prove to us that they are capable of working remotely," said Lee Lane, statewide security manager for the state of Arizona, in Phoenix; like Lexis-Nexis, the state has begun enforcing strict telecommuter security controls. "If we cant ensure the security of their connection or their willingness to follow our policies, then they cant telecommute."

Caught napping

unfortunately, security experts say, not enough IT managers have heard the same wake-up call Cronin and Lane have. While companies have finally begun to busy themselves instituting security measures to block external threats to their Web sites, mobile systems that access corporate systems are still largely unprotected at most companies, experts say. As more professionals, managers and executives have taken their PCs and other mobile devices on the road to keep up with competitive e-business pressures and as telecommuters working from home have proliferated, security breaches traceable to mobile workers have begun to cost enterprises real money. In fact, security problems related to telecommuting contributed to the $66.7 million in losses due to theft of proprietary information identified in a 1999 survey of 273 companies conducted by the Computer Security Institute and the FBI.

Despite the potential security risks, the tide toward telecommuting is not likely to ebb any time soon. In fact, experts say, its only going to grow. According to the International Telework Association and Council, in Washington, about 16.5 million Americans telecommute at least once a month. That figure is growing by about 20 percent annually. The association estimates that there may be as many as 30 million regular telecommuters by the end of 2004.

Selecting the right people

in the last six years, the state of Arizona has seen the number of employees who telecommute at least once a week grow to about 3,000 from 71 state agencies. To protect security, the state insists, first, on standard security software for all PCs, whether theyre in the office or remote. All employees must sign an agreement that they will install the latest version of McAfee anti-virus scanning software from Network Associates Inc. and use the state network for business-related purposes only.

Second, the state doesnt let just anybody telecommute. Arizona officials joke that the telecommuting selection process is even more competitive than the procedure for getting hired as a state employee. Those who wish to work from home must first get approval from managers and a recommendation letter reviewed by John Corbett, the states telework programs administrator. Once accepted into the telework program, the employee must meet with his or her manager for training. Employees must read a workbook containing the states policies and security requirements and sign an agreement stating that they understand all the states policies before they are allowed to telecommute. The 3-hour process also includes watching a video detailing security and other telecommuting measures. Anyone who breaks those rules has his or her telecommuting rights taken away.

Analysts say putting potential telecommuters through a selection process is important because once an employee goes home, IT loses control. "Many organizations focus on securing the devices, not the employees," said Jeff Johnson, an analyst with Meta Secur e-Com Solutions Inc., in Atlanta. "By carefully choosing whom you will allow to telecommute, you are limiting your risks."

Watching telecommuters

just as important as choosing the right employees is implementing the right security policies (see chart, Page 83). At Lexis-Nexis, Cronin and John Davalos, director of infrastructure systems support, regularly review policies in place for the companys 5-year-old telecommuting program. Those policies include asking the companys 2,200 telecommuters to physically protect devices, advising the use of power-on passwords and the installation of personal firewalls.

Lexis-Nexis policies also dictate how users handle sensitive files and documents. Telecommuters are required to store confidential files on servers, not on desktops. If a sensitive document must leave the office, it must be encrypted, the policy says.

Cronin and Davalos have also established guidelines and implemented software—which they declined to identify—that control access between authorized users and the corporate network.

"We cannot be there to watch over all of our telecommuters," Cronin said. "But we have taken steps to implement policies and controls that will provide a barrier between a cracker and confidential data."

While IT managers cant control everything telecommuters do, some companies are using technology to remind remote workers of the need for security. At Conqwest Inc., in Holliston, Mass., CEO Michelle Drolet said that even though shes unable to watch over her employees shoulders to make sure theyre following company policy, shes come up with a "Big Brother" way to constantly remind them of her presence. Conqwest, a software VAR, developed a proprietary security policy program called e-Minder, which forces remote users to keep thinking about security. Every time a mobile worker logs on to the corporate network via the companys VPN, e-Minder automatically launches a screen reminding users to change their passwords or update their anti-virus scanning software.

The software can be updated and uploaded every time a user logs on to the corporate network, so that it can be changed whenever a new security threat crops up. To connect to the corporate network, users must read the policies and click on an "I Accept" button before they are allowed to continue. These policies include installing NetworkIce Corp.s BlackIce personal firewall product and saving only nonsensitive files such as e-mail on mobile devices. Users who decline to accept the rules are refused access to the network.

Since first developing e-Minder for internal use, Conqwest is now selling it to others.

"This ensures that our employees know and understand the rules," Drolet said. "Wed like to allow our employees to be able to walk and talk the same whether theyre a telecommuter or an employee working out of our corporate offices, but thats just not possible. Telecommuting means additional measures must be taken."

Tools, too

even with the best qualification and telecommuting security policies in place, IT managers agree that a combination of tools—from VPNs to callback software—must be in place to secure the mobile users and the enterprise resources to which they connect.

At present, telecommuters at Lexis-Nexis are not allowed to access corporate systems via the public Internet. Instead, they must use a proprietary phone number that dials into the corporate network, where they are required to authenticate their identities twice using passwords and user IDs. Lexis-Nexis also requires telecommuters to use only company-issued hardware and software. IT preloads laptops and desktops with security tools and software such as WebSense Inc.s WebSense Enterprise Management product, which is used to block certain Web sites that pose security threats. Employees must sign a written agreement stating that they will not install additional software on company-owned computers.

VPNs, personal firewalls and authentication software arent the only tools IT managers can use to secure mobile users. With the Microsoft attack fresh in mind, IT managers are using tools to help them prevent hackers from obtaining a user ID and password—often by stealing a laptop—and imitating legitimate users to access their corporate networks. The state of Arizona uses so-called callback tools such as ProCommPlus from Symantec Corp. to ensure that its laptops are dialing in from authorized phone numbers. Using the software, when telecommuters dial in to the corporate network, the number from which theyre calling is checked. If the network does not recognize the number from which a user is dialing, it will deny access. If it does, the network initiates the call to the mobile user to establish the session.

Other software tools are set up to occasionally dial out to a software manufacturer, which then checks to see if the PC has been reported stolen. If it has, the software attempts to record the number its calling from and alerts law enforcement organizations of its location. (For more on this type of software, see story, Page 73.)

Broadband, big risk

while technology is part of the answer to cutting security risks posed by telecommuters, in some cases, IT managers say, it can open the door to hackers a bit wider. Take high-speed Internet access lines such as DSL (digital subscriber line) and cable modems, which have become increasingly popular with at-home workers. They can raise security risk because they are always connected to the network, making it easier for telecommuters computers to be discovered by hackers running automated port scans and looking for vulnerable machines. With that risk in mind, many organizations are proceeding cautiously before allowing telecommuters to use broadband connections. Lexis-Nexis, for example, is permitting only a select few telecommuters to use DSL or cable modems while it conducts a pilot VPN program. Lexis-Nexis is looking at VPN options but will not offer any option to telecommuters until the security is right, including strong two-factor authentication and personal firewalls, Cronin said.

"A little over a year ago, there werent a lot of these types of attacks going on, but now with the advent of DSL and cable modems, attacking an enterprise via telecommuters is now one of the cool things for hackers to do," said Johnson of Meta Secur e-Com.

Although concerned about telecommuter-related security risks, many IT managers are worried about relying on technology fixes for another reason: They dont want to confuse the very end users theyre trying to protect by loading them down with the latest and greatest security technologies.

For instance, Gerry Cullen, director of special projects at Detroit Diesel-Allison BC Ltd., in Vancouver, British Columbia, kicked around the idea of installing RSA Security Inc.s SecureID smart-card product on all telecommuter laptops before backing off out of fear that telecommuters would lose the cards. And at Lexis-Nexis, Cronin and Davalos considered installing encryption engines on laptops but then became concerned that end users would forget the keys to unlock files.

"The concern we have is that the cure can be worse than the disease when it comes to encryption," Davalos said. "We dont want to secure to the point where legitimate end users cant access files."

In the long run, analysts say, a successful telecommuting program means a balance of education, technology and policies. And the first step, IT managers said, is to constantly be on the lookout for potential attacks on telecommuters, even if that means being seen as a bit overzealous.

"Im an IT manager," said Arizonas Lane. "Im paid to be paranoid."