Telecommuting -- a security threat?
It is the worst nightmare of every network administrator: A single employee, working from home, inadvertently opens a gaping hole in the corporate computer system — big enough for a hacker to get deep inside and view valuable trade secrets.
Microsoft Corp. security officers and federal law-enforcement agents are investigating just such a scenario, raising new questions about corporate security at a time when millions of workers are just as likely to log in from home or the road as from a cubicle at company headquarters. (MSNBC is a Microsoft-NBC joint venture.)
The high-profile attack on Microsoft, disclosed last week, should serve as a wake-up call for companies that increasingly permit or encourage employees to work remotely, whether to ease road congestion, cut real estate costs, boost productivity or create more flexible working conditions.
"Security is always a major concern -- that and risk management of every kind," said Gail Martin, executive director of the International Telework Association & Council, which promotes telecommuting. About 16.5 million Americans telecommute to a regular job at least once a month, a figure growing by about 20 percent annually, according to research done for the group.
"Telework is here to stay, believe me," Martin said. "We are no longer a manufacturing country -- we're an information society, and you can do it anytime, anyplace."
While telecommuting conjures up the image of a research analyst or consultant logging on from home in pajamas and slippers, the reality of telework, broadly defined, includes everything from overseas contract workers putting in a second shift while the home office sleeps, to "road warriors" who may have no fixed permanent office and do much of their work from a hotel room on a laptop. In today's tight labor market, many companies find they have to reach far outside their traditional markets to meet staffing needs, and hiring remotely based employees frequently is the best solution.
And increasingly, particularly at hard-charging companies like Microsoft, the concept of telework needs to be expanded to include employees' logging hours at home on nights and weekends, checking e-mail and working on projects.
"The person who is the telecommuter today may be in the office but be working from home after hours," said Gil Gordon, a consultant who helps companies set up telecommuting programs. "All these kinds of mobility are to a certain extent blending together."
Microsoft has no companywide policy on telecommuting and has never been known as a company that encourages the practice of regularly working from home. But Microsoft is emblematic of a whole breed of new-economy companies with cultures that encourage workers to stay in touch by logging on to the corporate network from wherever they are, often blurring the distinction between work and home life.
"There is a general desire among Microsoft employees to enthusiastically get their work done, and if they can do that from home, that's fine," said Rick Miller, the company spokesman handling most media inquiries about the hack attack. "It's fairly regular for me to put in a day’s work, go home and at least get on for an hour to check mail and do work."
He declined to discuss specific security measures for remote workers but said, "We have a state-of-the-art security infrastructure in place on our network. When you come in to the network (remotely) you are still part of the network, and those security measures would not change."
While hackers, thieves and spies can and do find ways to get through even the tightest physical security systems (just think of those missing hard drives that turned up in a break room at Los Alamos National Laboratory) employees working remotely open up a whole new level of security concerns, experts say.
"Typically you have a number of tiers of defense you're sitting behind when you're inside the corporate walls," said Zach Nelson, chief executive officer of MyCIO.com, a unit of computer security heavyweight Network Associates. "Some of them may be virtual, like a firewall, and some of them are physical, like a badge. ... Once you break outside those bounds, you're looking at the exact opposite of that."
High-speed Internet access lines, which have become increasingly common for home workers, create even more risk because they are always connected to the network, making it more likely their computers will be discovered by hackers running automated port scans and looking for vulnerable machines.
Nelson recommends at least three levels of security for remote workers, including antivirus software, a personal firewall system and encryption of valuable data, as well as some kind of automated system to check for security breaches and keep the defense network updated. (Not surprisingly, that is exactly the service that MyCIO.com offers.)
But Nelson and other experts were reluctant to blame Microsoft for lax security. Microsoft, they point out, is surely one of the world's most attractive targets for hackers, possibly even more enticing than the Pentagon, which was attacked more than 22,000 times last year, according to the Detroit News.
"Every hacker on the planet has tried at one time or another to break Microsoft," said Paul Saffo, a technology forecaster with the Institute for the Future. "They're like the house with the biggest plate glass windows in town. Every kid with a rock is going to try to throw one through it."
He observed that to a security officer, the "dream computer" is the one all alone in a locked room, disconnected from any other machine and turned off.
"You cannot have absolute security on any computer," Saffo said. "It's a process of balancing the legitimate needs of use and security. In the long run there is no doubt that you have to opt in favor of flexibility for employees. That's how you get the best work out of them."
"There's always a balance in security," agreed Nelson. "If the world's largest software company can be compromised, then any company probably can and has been compromised."
John Edwards, president of the telework council, said the Microsoft incident underscores the need for companies to adopt comprehensive policies governing remote workers.
"We are not in favor of people not having ad hoc telework programs," he said. "One of the dangers is that people just decide to go out and do it."
For Microsoft, the security breach creates a damaging public relations problem just as the software giant is making its biggest strategic transformation in years, trying to convince developers and customers that it is the company best positioned to create and develop a new generation of Web architecture, dubbed Microsoft.Net.
"Hopefully this will be a wake-up for Microsoft in the way it handles its security and source code management, and hopefully it will make some changes," said Chris Le Tocq, a research director with Gartner Group.
Miller, the Microsoft spokesman, said the security breach had nothing to do with any vulnerability in a Microsoft product, and he said there was "no reason to believe that any customer has been or will be affected by the incident."
Miller added that while the hacker may have viewed source code for an unidentified product "years" from shipping, the attack had nothing to do with the .Net initiative.
"These are two totally separate issues," he said. "Customers and partners can rest assured that iron-clad security is a fundamental building block of the .Net infrastructure."
http://zdnet.com.com/2100-11-525218.html - October 31, 2000