Road Warriors on Trojan Horses: Ensuring End User Compliance Reduces the Cost of Network Security

Article excerpt

In ancient days, the people of Troy opened their gates to a splendid wooden horse--which turned out to be filled with Greek soldiers bearing malicious intent. Once inside the walls of Troy's previously unassailable fortress, the Greeks swarmed out of the horse's belly to wreak havoc within the city.

The networks at educational institutions today may bristle with firewalls, intrusion detection systems, and antivirus software, but attacks of malicious code continue to disrupt educational processes and administrative functions. The cost of repairing the damage from these attacks is increasing as the quantity, speed of contagion, and severity of worms and viruses increase.

The problem stems from an unfortunate convergence of three factors: the proliferation of mobility through laptop adoption, ubiquitous access to the Internet through less secure means, and the disappointing persistence of operating system vulnerabilities. At the same time, public Internet access points--whether wired or wireless--are seldom governed by security policies as stringent as those guarding internal networks.

Now, as wireless access gains popularity, the threat of contamination is not restricted to public Internet access. Trouble can also emerge from "rogue" wireless access points, set up internally by network-savvy community members and lacking the safeguards of the campuswide infrastructure, as well as from the frequent migration of laptops to unprotected home networks during vacations.

A Curious Conundrum

Reversing a fundamental assumption that information technology yields productivity gains and cost savings, the more educational institutions spend on security, the more support staff and resources are required. The Yankee Group (www.yankeegroup.com) estimates that the cost of patching a single user averages $243 a year, with costs rising as the number of users increases.

While the rapid growth of threats and the faster disclosure of vulnerabilities certainly fuel this inversion, it also appears that most security solutions have, until recently, focused on threat containment rather than threat reduction. This has led to an explosion in perimeter security products such as internal firewalls, and brute-force techniques such as shutting off ports. Not only is protecting the security perimeter much more difficult when every legitimate mobile user is the perimeter, but mending individual devices on the edge becomes a highly labor-intensive and expensive task. Simply stopping a virus or worm attack is not enough to reduce the burgeoning cost of support; it actually escalates the cost.

Balancing Risk and Responsibility

Both network administrators and technology manufacturers are working hard to address the challenge of threat reduction. Most colleges and universities distribute CDs filled with the latest patches and the appropriate client-based software for students to install onto their devices. Online support pages are also frequently updated with notices and software tools.

Manufacturers are introducing new features to old standbys. IP firewalls are augmented with internal firewalls, which can cordon off parts of the network occupied by infected machines. Wireless network gateways are outfitted with device-scanning capabilities, and antivirus software is distributed faster and more easily. …