Federal Telecommuting: Good and Bad Advice
by Eirik Iverson, Product Management
Protecting federal interests from the security risks of telecommuting from employee-owned Windows PCs by providing, or insisting that employees use, a recommended anti-virus suite is like asking someone protected by nothing but a helmet to walk into a hot combat zone. Yes, the helmet can do some good. But for the most part it is a symbolic, worthless protection. There is, however, a practical solution to federal telecommuting.
This blog post was inspired by an article at GCN (Government Computer News) called “5 Top Security Suites for Teleworks”, 17 June 2010. The author, Carlos Soto, reviewed leading consumer anti-virus/spyware software so that federal agencies inclined to subsidize or somehow require the use of such software by employees telecommuting via home computers could choose the best software for the job. On the surface, it’s sound advice. A safer PC reduces federal data leak and malware intrusion risks, right? But what if this advice is akin to encouraging federal agencies to do something foolish, such as going into harm’s way with a target on their back and nothing but a helmet?
Employee-owned Windows PCs are more likely to be already infested than not. And those that are not soon will be. Consider this: Cyveillance and AV-Comparatives measured the effectiveness of numerous antivirus products against newly created malware, finding average detection rates of 25% and 44% in 2010, respectively.
And as more than half of these PCs operate with accounts that have local admin rights, they may well be infested with rootkit-based malware. Such infestations are detectable when cyber criminals use sloppy code. Otherwise, where 3rd generation rootkits are used (available cheaply on the black market), the AV is deceived: when it asks the OS for a list of files in a directory to be scanned, for example, it receives an incomplete list because the OS has been ‘brainwashed’ and coerced to lie on behalf of the malware.
So, if federal agencies intend to practice safe telework, it’s not simply a matter of whether employees practice safe computing from now on, but whether they have always practiced safe computing.
While an employee’s computer is untrustworthy until you know otherwise, this has no bearing on the integrity of the employee.
I’m afraid matters are even more complicated. More and more households have multiple computers operating within a home network. One infected PC leads to infections of the others. From the federal agency perspective, the ‘other’ infected PCs are a severe data leak risk. They can launch a DNS poisoning attack, an SSL man-in-the-middle attack, a man-in-the-browser attack, or numerous others that effectively steal sensitive data from all other computers in the home network. In other words, federal agencies must consider home networks untrustworthy. In short, federal telecommuting solutions must regard both the employee-owned computer and the employee-managed home network as untrustworthy!
There’s yet more. Each of us values convenience. What percentage of federal telecommuting employees are saving work documents on their home computers? Each employee home computer represents a potentially embarrassing security breach. For these reasons and others, agencies that can afford to do so provide telecommuters with laptops. One hopes these include properly configured full disk encryption based on two-factor authentication. Anything less means not only data loss from a lost or stolen laptop but also another potential security breach. A key takeaway here is that any data or document that is free to leave the enterprise becomes a potential liability to it as well, or in other words, an asset that should be managed but usually is not.
Getting Practical
Blue Ridge offers a solution called Pixie that allows for the safe use of employee-owned computers with virtually no malware or data leak risks. An employee inserts the Pixie USB device into their PC, and Pixie generates a virtual workspace that is securely connected to the enterprise via a virtual VPN appliance. When the employee is finished doing whatever one might do from a typical Microsoft Office environment with access to all of the user’s network drives, no data or document from the telecommuting session remains on the employee’s PC. No malware from the employee’s PC sneaks in, and no sensitive data or document leaks out from the federal government. If you’d like to know more about how this works, look at this page on Pixie Telework. If you’d like to speak with another federal organization already using Pixie, contact us and we’ll make an introduction.



June 28th, 2010 at 4:24 pm
Thank you for the information! Very useful. My computer was recently infected by a rootkit. I have tried several applications to get rid of it, but no luck.
In the end I found an expert blog about rootkits, and the guys running this blog were able to help me with the problem. They removed the rootkit from my computer in 30 minutes!