Road Warriors on Trojan Horses


Ensuring end user compliance reduces the cost of network security.

In ancient days, the people of Troy opened their gates to a splendid wooden horse—which turned out to be filled with Greek soldiers bearing malicious intent. Once inside the walls of Troy’s previously unassailable fortress, the Greeks swarmed out of the horse’s belly to wreak havoc within the city.

The networks at educational institutions today may bristle with firewalls, intrusion detection systems, and antivirus software, but attacks of malicious code continue to disrupt educational processes and administrative functions. The cost of repairing the damage from these attacks is increasing as the quantity, speed of contagion, and severity of worms and viruses increase.

The problem stems from an unfortunate convergence of three factors: the proliferation of mobility through laptop adoption, ubiquitous access to the Internet through less secure means, and the disappointing persistence of operating system vulnerabilities. At the same time, public Internet access points—whether wired or wireless—are seldom governed by security policies as stringent as those guarding internal networks.

Now, as wireless access gains increasing popularity, the threat of contamination is not restricted to public Internet access. Trouble can also emerge from “rogue” wireless access points, set up internally by network-savvy community members lacking safeguards of the campuswide infrastructure, as well as the frequent migration of laptops to unprotected home networks during vacations.

A Curious Conundrum

Reversing a fundamental assumption that information technology yields productivity gains and cost savings, the more educational institutions spend on security, the more support staff and resources are required. The Yankee Group (www.yankeegroup.com) estimates that the cost of patching a single user averages $243 a year, with costs rising as the number of users increases.

While the rapid growth of threats and the faster disclosure of vulnerabilities certainly fuel this inversion, it also appears that most security solutions have, until recently, focused on threat containment rather than threat reduction. This has led to an explosion in perimeter security products such as internal firewalls, and brute-force techniques such as shutting off ports. Not only is protecting the security perimeter much more difficult when every legitimate mobile user is the perimeter, but mending individual devices on the edge becomes a highly labor-intensive and expensive task. Simply stopping a virus or worm attack is not enough to reduce the burgeoning cost of support; it actually escalates the cost.

Balancing Risk and Responsibility

Both network administrators and technology manufacturers are working hard to address the challenge of threat reduction. Most colleges and universities distribute CDs filled with the latest patches and the appropriate client-based software for students to install onto their devices. Online support pages are also frequently updated with notices and software tools.

Manufacturers are introducing new features to old standbys. IP firewalls are augmented with internal firewalls, which can cordon off parts of the network occupied by infected machines. Wireless network gateways are outfitted with device-scanning capabilities, and antivirus software is distributed faster and more easily.

Interestingly enough, while most universities and colleges have deployed some, if not all, of these products, most still experience a high incidence of network breaches that lead to costly cleanup efforts. The situation is perilously unbalanced: The user community possesses the ability to control the level of risk, yet it does not bear the responsibility for security breaches. At the same time, network administrators have little control over user computers, but bear the responsibility for eliminating security risks and cleaning up after attacks.

“Not only is protecting the security perimeter difficult when every legitimate mobile user is the perimeter, but mending individual devices on the edge becomes a highly labor-intensive and expensive task. Simply stopping a virus or worm actually escalates the cost of support.”

However, the addition of a “host integrity” approach may alleviate this imbalance. Host integrity solutions possess the following two characteristics:

  • An ability to enforce the updates of specified patches and antivirus definitions on user machines.
  • A mechanism that allows the support desk to delegate to the users the task of fixing infected or vulnerable machines.

These two capabilities allow networks to run healthier machines. But many users disregard administrator requests to upload critical security patches or new definition files, or often fail to turn on antivirus software. Thus, some kind of enforcement and delivery mechanism on the host is necessary to complement and strengthen existing security products by removing or decreasing this element of human error. A solution with the following characteristics effectively takes security policy compliance out of the hands of the users and puts it back into the hands of the network administrators:

  • they can identify machines that are infected or possess vulnerabilities
  • they can deny network access to users until the latest antivirus files and patches are applied
  • if required by the administrator, they can automatically initiate the downloading of the specified files and fixes.

This approach yields several benefits:

First, infected computers never enter the network and therefore cannot spread malicious payload to other computers. Second, computers with the latest security updates for their operating system are less vulnerable to viruses and worms. Third, organizations can enjoy the full benefits of antivirus software with the assurance that the client components are operational, properly configured, and current. Finally, should an attack succeed in penetrating the defenses, fixes are easily distributed to afflicted computers so that network downtime is minimized.
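The three capabilities listed above (identify non-compliant machines, deny access until they are fixed, and optionally deliver the fixes) can be sketched as an admission check. This is an added example, not code from the article or from any vendor product; the report format, policy fields, patch names and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class Policy:                      # administrator-defined requirements (hypothetical)
    required_patches: frozenset
    min_av_definitions: date
    auto_remediate: bool = True

@dataclass
class HostReport:                  # posture reported by an agent on the host (constructed format)
    host: str
    av_running: bool
    av_definitions: date
    installed_patches: set = field(default_factory=set)
    infection_found: bool = False

def evaluate(report, policy):
    """Return (decision, findings, fixes) for one host asking to join the network."""
    findings = []
    if report.infection_found:
        findings.append("cleanup")
    if not report.av_running:
        findings.append("enable-antivirus")
    if report.av_definitions < policy.min_av_definitions:
        findings.append("update-definitions")
    missing = sorted(policy.required_patches - report.installed_patches)
    findings += [f"install-patch:{p}" for p in missing]
    if not findings:
        return "admit", [], []
    # Non-compliant hosts get no normal access; fixes are delivered only if the administrator enabled that.
    return "quarantine", findings, list(findings) if policy.auto_remediate else []

def apply_fixes(report, policy, fixes):
    """Simulate the user-side agent applying the delivered fixes; returns the updated report."""
    for fix in fixes:
        if fix == "cleanup":
            report.infection_found = False
        elif fix == "enable-antivirus":
            report.av_running = True
        elif fix == "update-definitions":
            report.av_definitions = policy.min_av_definitions
        elif fix.startswith("install-patch:"):
            report.installed_patches.add(fix.split(":", 1)[1])
    return report

# Constructed sample data.
POLICY = Policy(frozenset({"PATCH-A", "PATCH-B"}), date(2005, 3, 1))
LAPTOP = HostReport("laptop-1", False, date(2004, 12, 20), {"PATCH-A"})

if __name__ == "__main__":
    decision, findings, fixes = evaluate(LAPTOP, POLICY)
    print(decision, findings)                                    # first attempt
    print(evaluate(apply_fixes(LAPTOP, POLICY, fixes), POLICY)[0])  # after self-service repair
```

The second evaluation models the delegation described earlier: the user's machine applies the delivered fixes and is re-checked before it is admitted, without a support-desk visit.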

Conclusion

As security boundaries continue to blur, rendering irrelevant the terms “outside” and “inside,” institutes of education must find security solutions that complement existing perimeter defenses. Host integrity solutions are increasingly necessary as user computers are recognized as the principal risks to network security. With mechanisms in place to ensure compliance by end users—as well as low-cost distributed methods to repair their computers—the soaring cost of network security may decline. And in today’s environment of tight budgets, that is one genuine “gift horse” organizations cannot afford to decline.

Irene Sandler is marketing manager for Cisco Clean Access (www.cisco.com). Previously, she was the director of marketing for Perfigo Inc., a provider of network security and control solutions, which was acquired by Cisco last year.
