[ISN] Katie Bar The Door!

InfoSec News isn at c4i.org
Fri Oct 1 06:13:07 EDT 2004


By Keith Ferrell
September 29, 2004

The more technologically sophisticated non-IT employees become, the
bigger their potential threat to the enterprise. A little knowledge
has always been a dangerous thing, and when it comes to employees and
technology, a little technology knowledge can add up to big dangers.

Look at wireless LANs (WLANs), for example. A recent survey revealed
that 84 percent of companies that have deployed WLANs have
not experienced security problems. But there is an interesting
footnote to these findings. The primary drivers for WLAN introduction
were the promise of increased productivity and demand from end-users.  
In other words, employees who have grown accustomed to grabbing e-mail
at a coffee-shop hotspot want the same level of convenience at the

And therein lies the potential for - and the potential peril of - a
cascade of hardware and software that flows, not just through our
businesses, but also through our home and private lives.

The technological overlap between cubicle desktop and kitchen table
has never been larger. Employees use mobile devices to carry work
home, and they often use personal devices and technologies to enhance
their business productivity at the office.

As noted, most enterprise WLANs are operating securely. What gives
many IT specialists pause is the security of that coffee-shop hotspot
or home Wi-Fi network, where there is a possibility of inadvertently
revealing sensitive business information and passwords or picking up a
virus or worm.

In a recent column, Wayne Rash pointed out that a high percentage of
worm infections are the result of laptops that acquired the worm at
home or from another off-site location and were then brought to the
office. The worm bypasses company security by entering the business in
the employee's briefcase.

The solution? Require employees to reboot laptops before attaching to
the network. The challenge? Getting employees, accustomed to leaving
their laptops always on, to adhere to the policy.

Camera-equipped telephones are another device prompting more than a
few security concerns. Camera phones can open enterprise secrets to
spies and can expose businesses to unwanted privacy and harassment

The solution? Prohibit employees from bringing camera-equipped phones
to work. The challenge? Finding employees willing to leave their
phones at home or even in the car.

A little software knowledge can cause problems, as well. Case in
point: Instant Messaging. IM entered business by way of commercial,
public programs that employees had begun using at home. Using IM at
work was as easy as home use, but home use generally doesn't carry the
security and privacy, compliance, and liability risks that the
programs can pose for business.

The solution? Take a look at the IM guidelines recently released by
the Federal Deposit Insurance Corp. (FDIC). The guidelines include
banning certain programs and increasing 'information security
awareness training.' The challenge? Ensuring that employees fully
understand the difference between technologies that they're used to
and those that are permitted at work.

The situation is only going to grow more complex, as advanced
technologies become more and more accessible and affordable for
consumers. This is why forward-looking enterprises are applying a lot
of effort to creating, disseminating, and enforcing technology
policies that apply to off-site device usage, as well as to at-work

The target of such policies is those employees who've already got 'a
little knowledge.' What they need now is a lot of education.
