Business and government employees use their home computers for productive work-related activities. They handle documents with customer data, intellectual property, insider information, and where SSL VPN is employed, they interact with mission critical servers with more of the same. So, given that the security posture of these computers is unknown, the issue of using employee owned computers comes down to one question: do you feel lucky? Well, do ya?

Our good friends from Secunia have often reported that over 90% of consumer computers have at least one application with an unpatched critical vulnerability. The folks from Adobe, whose software is on nearly every computer, are not only taking heat for the numerous critical security vulnerabilities found regularly in their software but they are also heavily criticized for how slowly their released security patches are actually implemented via their software update process. And as if that wasn’t bad enough, Adobe is just one of 100’s of software vendors whose auto-update process is vulnerable to man-in-the-middle attacks that cyber criminals can exploit to secretly install malware into computers.

So, most home computers lack critical security patches. Unfortunately, anywhere from one third to two thirds of all home computer users are logged in with local admin rights. The notion of limited user accounts (LUA) is as foreign to most users as is an ancient, extinct language. Though LUA does not deter drive-by download attacks that can result in systematic data leaks of any document, password, or credit card number that ever traverses a computer, it does effectively prevent 3rd generation rootkit based malware from infesting a computer. Practically speaking, these little nasties are undetectable.

A major reason for running computers with local admin rights stems from the convenience enjoyed from installing software at a whim. Even sophisticated computer users have considerable trouble determining if an installation file contains malicious code. There’s no practical means for ordinary computer users to make such a determination. They must download software from reputable web portals. If children are free to install software, how concerned were they about where they got the software and whether or not it might be infested with a Trojan?

This leads to another home computer concern. Some don’t even have any anti-virus/spyware software at all. One should expect 25% of the computers in an enterprise to have at least one problem with their anti-virus/spyware, such as failure to conduct full scans, enabling of real-time scanning, out-of-date virus definitions, etc.  On home computers, we can only say this must be much worse.

But, what concerns me more than that is the hyper-inflated faith most home computer users have in their anti-virus/spyware software. How many people know that their anti-virus/spyware software relies on signature-based detection technology that cyber criminals elude with astonishing ease. The anti-virus/spyware vendors take roughly a month to detect new malware, develop a new malware signature, and finally to distribute the new malware signature to all computers. On the other hand, half of new outbound malware (i.e., the malware that penetrates a computer, not the malware that has already been implanted into a computer) made by cyber criminals is abandoned within 48 hours. Botnets alter the signatures of their outbound malware every 10 minutes. They employ these tactics to render anti-virus/spyware computer protection useless. Detecting malware within a downloaded software install file, forget it!

I often marvel at how many people say their computers have never been infested with malware. Because their anti-virus/spyware has not cried ‘danger Will Robinson’, they assume they have not been compromised. If their computers have always operated without local admin rights, they could be correct. Otherwise, they may never know.

And many home computers have peer-to-peer (P2P) software running on them 24 x 7.  So, any resident work document may be accessible to an entire P2P network of computer users.

Ultimately, if an organization considers data leak prevention a priority, and if real value is derived from the use of employee owned computers, then organizations should consider buying extra operating system and security software licenses, burning boot disks accordingly, and giving them to employees free of charge to re-image their computers and protect them with security software such as AppGuard.

Posted: Thursday, August 20th, 2009 - Endpoint Security
RSS 2.0 - Comment - Trackback