11/29/2009 12:36:33 PM

Viruses, worms, and spyware are an Internet pandemic and a major source of concern for IT organizations large and small. The financial losses that can be attributed to these kinds of attacks are considerable, especially in organizations where a Microsoft monoculture exposes both client computing devices and mission-critical servers to common attacks. The “incident potential” is so great that many organizations are now forced to invest a higher percentage of their IT budget to containing malicious code than ever before, at the expense of other, potentially revenue-generating, investments.

Even with greater investments in security talent and technology, the task of keeping malicious code (malware) at bay is daunting. A relentless barrage of viruses and worms are released nearly daily from a sophisticated underground network of black hats, who collaborate to distribute, experiment with, and automate malicious code. Today, even the most modestly skilled miscreant can mount fast-spreading, email-based attacks with enormous damage potential. Moreover, while email remains the predominant method for malware delivery, so-called blended threat attacks use any and every means possible to launch attacks from computers they infect, including file shares, file transfers, and even established VPN connections.

Equally insidious are the spyware developers, companies who earn a profit by installing unsolicited software on computers of unsuspecting web visitors, which they then use to deliver unsolicited advertising to users on behalf of their affiliates, or to eavesdrop and gather personal and possibly sensitive information they can use or sell in whatever manner they choose, to whomever they choose. These nefarious activities are compounded by the fact that spyware often inhibits computer performance and user productivity and is difficult to remove without rendering computers unusable.

Protecting an enterprise against these threats is complicated by employee mobility and location, diversity of equipment used to connect to the workplace, and equipment ownership. On one hand, gateway solutions to combat malware are only effective if traffic is inspected by the gateway, so having users at external systems connect to a trusted network using VPN technology is attractive. But mobile users who connect via WiFi hotspot and hotel or home broadband access networks, using devices not administered by a company’s IT organization, may not have adequate safeguards against all forms of malicious code. Here, VPN connections may end up serving as backdoors into an organization; malware, for example, can be installed using file shares once a direct network connection is established over a VPN tunnel.

Increasingly, organizations are implementing endpoint or admission control techniques. These techniques are the virtual corollaries of immigrations and naturalization agencies. Just as no individual is allowed entry into a country unless visa and immunization criteria are met, no user is permitted access to a network unless a set of security criteria is met. Organizations now seek to verify more than the user’s authenticity. Admission control can verify whether anti-malware measures and personal firewalls are installed, executed, and configured properly; and whether traffic from this computer will be subject to all forms of inspection – anti-virus, appropriate content, authorized access, etc. – mandated by security policy. If your device isn’t up to muster, you simply aren’t allowed in.

Various forms of admission and endpoint control are now available for organizations to consider and implement. Some require agents, and work well with IPsec VPNs or “internal” Ethernet or WLAN connections. Others use “temporary” agents (e.g., ActiveX controls) and work well with SSL VPNs. Vendors offer different endpoint and admission control feature sets, to make secure access possible from any system, anywhere. Endpoint and admission control are arguably long overdue, so take stock, identify your requirements, and begin negotiating with your vendor(s) today.

Originally published in Interop Preview 2005