Applications, Virtualization and Devices: Taking Back Control

By: Sophos
Published: Aug 13, 2008
Length: 7
Type: White Paper
 
Overview :

Employees installing legitimate but unauthorized applications are a real and growing threat to business security and productivity. Removable storage media and wireless protocols make the challenge of securing data even more complex.

This paper explains why control is important and highlights how integrating this functionality into malware protection is the simplest and most cost-effective solution.

Related Categories: Anti Spam, Anti Spyware, Bluetooth, Network Security, Wireless Security

IT departments have long understood the need to prevent viruses, spyware and other malicious applications or activity from compromising security and disrupting business continuity.
Now the rapid emergence of Web 2.0 is beginning to redefine how individuals interact with the internet, and the related technologies pose a range of new threats. Web-savvy users who have local administration rights for their work computers are downloading applications such as Instant Messaging (IM), peer-to-peer (P2P) file-sharing applications and Voice over Internet Protocol (VoIP) services to help them communicate, share files and work collaboratively online – for both official and unofficial business.
In September 2006, a Sophos online poll asked IT administrators to evaluate what kind of software applications they would like to prevent their users from being able to access and use. The results, shown in Figure 1, reveal that administrators have a clear desire to be able to exert more control and to prevent users from installing and using unwanted applications. For example, 86.1 percent of respondents said they would like the opportunity to block VoIP applications which allow internet telephony, with 62.8 percent going even further and indicating that blocking is essential.
The extent of the problem can also be seen in a recent report, which found that 50 percent of workplace users download free IM tools from the internet, with 26 percent of employers unaware of their actions.

The challenge of unauthorized software
Current business defenses inadequately protect against the new set of threats posed by this user behavior. The difficulties presented by some legitimate software applications raise particular challenges over and above “straightforward” protection against malware. To increase security and productivity, IT departments need to restrict the rights to non-essential applications and control the usage of those that are authorized for business purposes, but in practice this presents a significant challenge.
A key part of the challenge is that many users have to be allowed to be local administrators, being given privileges necessary to download applications that they need to do their job, for example downloading updated Adobe Acrobat software. However, this means that they can also download a variety of other software that they might want to install and use. This makes life particularly difficult for the IT Administrator: malicious software would be blocked by antivirus software but applications like IM are not malicious in any way. They are not being installed automatically by stealth and are not attempting to self-replicate or steal confidential information.
Nevertheless, the unauthorized or uncontrolled installation and use of such software by employees on business computers presents a real and growing threat in four major areas:

  • Legal, compliance and security breaches
  • Extra IT support burden
  • Network and system overhead
  • Employee productivity issues.


Legal, compliance and security breaches
Regulations such as the UK’s Data Protection Act and the US’s Sarbanes-Oxley Act and HIPAA (Health Insurance Portability and Accountability Act) place additional requirements on IT administrators to maintain and protect data integrity within their networks. So the installation of unauthorized applications can pose significant legal risk as well as security risks.
For example, uncontrolled use of IM poses a severe legal, regulatory and security risk because the content of IM chat often includes attachments, jokes, gossip, rumours and disparaging remarks, confidential information about the company, employees and clients, and sexual references. In addition to the legal risk, IM poses a security risk with IM-based malware attacks growing exponentially. Similarly, P2P applications are on the increase and are notorious vectors for malicious code such as remote command execution, remote file system exploration or file-borne viruses.

Extra IT support burden
If not properly tested and deployed by the company IT department, uncontrolled applications can cause stability or performance issues on company computers. Apart from the additional support headache that this unnecessary troubleshooting gives IT administrators, it also represents a significant waste of IT’s most precious resource – time.

Network and system overhead
The corporate network bandwidth and computer processor power consumed by unauthorized applications can have a direct negative impact on network resources and availability. For example, distributed computing projects harness the “spare” processing power of millions of computers to help create models or simulations of scenarios such as climate change. 
