Computers and mobile devices that company employees use on wireless networks and other end points pose an increasing threat to their organizations' computer systems, although there are ways IT managers can reduce the risk, an analyst said Thursday at the Gartner IT Security Summit 2005 in London.
IT managers do not have much control over end points, and even the devices used on those end points may be employees' home computers, said Jay Heiser, research vice president with Gartner. Those employees are also demanding more services and flexibility for an ever wider array of devices, increasing demand on IT departments, he said.
"IT doesn't want to be nursemaiding a bunch of users on laptops," Heiser said. "The risks seem to be expanding faster than our ability to deal with them."
Heiser's presentation came during the last day of the two-day conference, which focused on a range of information security issues such as authentication, mobile security, and access.
Several methods can be employed to reduce the risk posed by users on questionable end points, Heiser said. Patching, protecting portals and gateways, and an awareness of the organization's system architecture are key.
Authenticating with user names and passwords isn't reliable, since sniffer programs can pick up new ones despite long lengths or frequent expiration dates, Heiser said. If a user can't be authenticated on a system, then "you might as well live with the worms," Heiser said.
Limiting the software on end-point machines helps reduce the complexity, Heiser said. "Only allow what is absolutely necessary to get the job done," he said. Also, the tighter the configurations are, the lower the chance for a security failure.
It's expected that as mobile phones and personal digital assistants become more complex, they will be more likely to suffer the same ills, although encrypting them is currently expensive. "Tomorrow, we expect to see worms on mobile phones," Heiser said.
Encryption can help protect against data loss, but that data should also be backed up, he said. The trend is moving toward automated back-up in clear text, he said.
Other options for more secure end points entail pushing lightweight code to the end points, treating those machines as just terminals. Programs can run ActiveX or Java, but would be shielded from the host system, ideally isolated from it, Heiser said.
A universal configuration management system -- one that ensures every machine is up-to-date rather than a sporadic "vitamin" approach -- will help ensure integrity, he said. All it takes is "one bad apple to ruin the barrel," Heiser said.
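The two controls above, allowing only the software needed to do the job and a universal configuration system that verifies every machine rather than a sporadic few, can be combined into a single fleet-wide baseline check. The following is an added example, not code from the article or from Gartner; the endpoint inventory, the allowlist and the patch-level values are all constructed for illustration.

```python
"""Endpoint baseline compliance check (added example; all data constructed).

Each endpoint reports the software it has installed, with versions, and its
patch level.  The baseline is an allowlist of permitted software with minimum
versions plus a minimum patch level.  Every endpoint is checked, and any that
drifts from the baseline is reported, since one non-compliant machine is
enough to expose the rest.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    allowed: dict          # software name -> minimum version tuple
    min_patch_level: tuple # minimum patch level as a version tuple


def parse_version(text: str) -> tuple:
    """Turn a dotted version string such as '11.0.6' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def fmt_version(version: tuple) -> str:
    return ".".join(str(part) for part in version)


def check_endpoint(name: str, inventory: dict, baseline: Baseline) -> list:
    """Return the list of baseline violations for one endpoint (empty if compliant)."""
    findings = []
    for software, version in inventory["software"].items():
        if software not in baseline.allowed:
            # Only what is needed for the job may be installed.
            findings.append(f"{name}: unapproved software {software}")
        elif parse_version(version) < baseline.allowed[software]:
            findings.append(
                f"{name}: {software} {version} below minimum "
                f"{fmt_version(baseline.allowed[software])}"
            )
    if parse_version(inventory["patch_level"]) < baseline.min_patch_level:
        findings.append(
            f"{name}: patch level {inventory['patch_level']} below minimum "
            f"{fmt_version(baseline.min_patch_level)}"
        )
    return findings


def audit(fleet: dict, baseline: Baseline) -> dict:
    """Check every endpoint; return only those with findings, keyed by name."""
    report = {}
    for name, inventory in fleet.items():
        findings = check_endpoint(name, inventory, baseline)
        if findings:
            report[name] = findings
    return report


def fleet_is_compliant(fleet: dict, baseline: Baseline) -> bool:
    """True only when no endpoint drifts from the baseline."""
    return not audit(fleet, baseline)


# Constructed baseline: two approved packages with minimum versions and a
# minimum patch level.  Names and numbers are hypothetical.
BASELINE = Baseline(
    allowed={"office": (11, 0), "antivirus": (7, 0)},
    min_patch_level=(2005, 4),
)

# Constructed inventory for three endpoints, including an employee's home PC.
FLEET = {
    "laptop-01": {"software": {"office": "11.0.6", "antivirus": "7.2"},
                  "patch_level": "2005.05"},
    "laptop-02": {"software": {"office": "10.0", "antivirus": "7.2",
                               "p2p-client": "1.0"},
                  "patch_level": "2005.05"},
    "home-pc-03": {"software": {"antivirus": "6.9"},
                   "patch_level": "2004.11"},
}

if __name__ == "__main__":
    for endpoint, findings in audit(FLEET, BASELINE).items():
        for line in findings:
            print(line)
    print("fleet compliant:", fleet_is_compliant(FLEET, BASELINE))
```

Running the script lists the unapproved client and the outdated office suite on the second laptop and the old antivirus and patch level on the home PC; the fleet-level result is false because a single non-compliant machine fails the whole barrel. A real deployment would feed the inventory from the configuration management system rather than a literal, but the comparison logic is the same.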