Complete Transcript of Interview – Randy: Abrams – ESET
Let’s Talk Computers Radio Talk Show
Host Alan Ashendorf
March 22 2008
Alan: With the high cost of gasoline, more businesses are allowing their employees to work offsite. They call them, “Remote Workers.” But, what kind of security risk does this pose? Our guest today is Randy Abrams, Director of Technical Education with ESET. Welcome back to Let’s Talk Computers, Randy.
Randy: Thank you, Alan. It’s great to be here again.
Alan: It seems that businesses are solving one problem, but they are opening the door for a totally different problem and I’m not sure which one’s worse.
Randy: There are a variety of risks associated with having remote workers. One of them is unintentional loss of data, for instance, a laptop gets stolen and that can be managed by using encryption. There’s “whole disk encryption” – so somebody who steals a laptop can’t get to the data.
Another potential area that data can be lost in is the use of USB drives, or Thumb drives. That can be managed, as well. There are drives out there now that include “biometrics,” so you have to use a fingerprint, a thumbprint to get the data off of the drive. That way, if it’s lost, the corporate data is not compromised.
Another risk is kids at home. If you let other people at the house use this work laptop, they may go out to websites that they shouldn’t go to or install programs that they shouldn’t, (even unintentionally) that can compromise the data on the computer. In that case, encryption doesn’t really help much, because it’s already unencrypted.
So, there are a variety of tools out there that can help. It has to do with policies that will manage what programs are allowed to run on the computer. But, policy also is a non-software device that companies have and employees should follow. The policy should be that the work computer is used for work, unless there is some sort of extenuating circumstance.
Alan: It’s like the computer goes out the door; it’s already been set up with some kind of template that says, “This is our security policy.” And now it’s in the hands of a user who is going to be using it do work. Or, as you mentioned, they maybe doing some things at home, like surfing the Internet or answering emails - who knows?
And at that point, all bets are off, because they may just turn off any kind of protection or they can circumvent just about anything and it just leaves the door wide open to all kinds of malware threats, key logging and everything else.
Randy: It’s true. One thing that can help with this, in order to manage the risk is not using an “Administrator Account” for the user. When the laptop’s on the network at work, there is an Administrator Account that the Network Administrator can use to install software and so forth. However, if the user is logged in as a standard user and not an administrator, then they are not going to be able to turn off a lot of the security software that is on the computer.
Alan: Well, I have seen companies that basically will take a brand new laptop and it has XP on it and because XP Service Pack 2 has a firewall built into it, they think it’s secure and out the door it goes! That really is not the best way to look at it, is it?
Randy: No, security requires defense in depth and you can’t think that a firewall or a firewall and anti-virus, alone, are going to prevent anything bad from happening. They certainly help, especially if you have good quality security products that help, but there’s a bunch of different aspects to it.
In fact, user education is one of the main aspects of it. A user might take their laptop to a conference, then connect to the wireless at the conference facility and not realize that they are transmitting user names and passwords for a variety of types of services in plain text over the wireless.
Alan: Well, I know as Director of Technical Education at ESET, you go to these conferences and you see some of the security lackness. And I guess, you just shake your head and walk away?
Randy: One of my favorites, actually, is to go to the hotel business center computers, where people have decided to use the computers that the hotel provides, and to look at how well they are secured. In some cases, the computers are pretty well secured, but in many cases, they are wide open.
I have found a resume for a guy who claims to have increased sales by millions of dollars in one year. I have found pictures of people’s weddings, their babies, Halloween pictures. At one hotel, I found a confidential security related document that actually referenced a former cyber security Czar of the US – and it was marked, “CONFIDENTIAL,” all over it.
Alan: And I have seen cases where at hotels, in particular they just put in a router and they just leave it wide open – so that anybody can use it without problems. And they don’t even password protect the router, itself.
Randy: Without a password protection on the router, itself, and anybody can really own the router. They can take control of the router and actually deny the rest of the guests’ service. But even worse, they can change the DNS on it, which means that people could be routed to websites they didn’t know they were going to, that were fake.
Alan: The key is – the education. The IT department has to be educated as to what needs to be done and then the user needs to be educated. It’s kind of like a partnership, isn’t it?
Randy: That’s exactly right. For a small business owner, it makes sense to get a good quality consultant to help them figure out what they need to know in terms of security. And then, have a variety of resources to provide the users with education, too. And then, I was happy to help with that. They can always email me at askeset@eset.com if they have any questions at all. If I don’t know the answers, one of my specialties is in knowing people who do know the answers and finding the answers.
Alan: Randy, what do you see as typical problems that remote workers are causing businesses?
Randy: For remote workers, the issues I am most aware of that happen are their computer getting infected while it’s on the road and then coming back into the company and infecting the rest of the company. That’s one of the big ones. Another one is the use of insecure wireless technologies and people being able to take advantage of those insecure wireless technologies and then hack into the computer that way.
Alan: Well, I can see with a large corporation where they already have security policies in place, where they would be more secure. I would think that a small to medium sized company where anyone is just taking home a laptop and using it on the Internet, maybe sending files back to the home office, using FTP or file sharing. Those would be the ones that would be less secure and possibly cause more problems.
Randy: What you said about FTP is pretty interesting, because inherently, FTP is a completely and totally insecure protocol. When you are logged onto a server, using FTP, your user name and password are not encrypted. So, if your user name and password for that FTP session are exactly the same as your log-on for your computer, someone using simple “packet-snifting” software now has your user name and password for your domain account.
Alan: And it makes it even worse, because the average worker, who is working at home or working, at say, a hotel for instance, is going to be working wirelessly. And in a lot of cases, the wireless connection is wide open, which means the passwords are going to be in the open, so to speak.
Randy: That’s why it is essential for companies that have remote workers, that they also have VPN, “virtual private networks,” – because with a VPN, the information that is being sent back and forth is encrypted, even over that wireless link.
Alan: Well, talk just a little bit about VPN. To a lot of businesses, it is like, “Uh oh, that’s a very technical or costly alternative and we will look into that sometime.” But, it’s not costly at all, is it?
Randy: No, not really - it can be a little technical to set up for some people. There are companies that can help you with this and it’s pretty cost-effective, especially when you consider what you might have to lose.
ESET just recently announced a partnership with a company called, Safe Protect. Safe Protect has what we call a “UTM” or unified threat management system. It’s a hardware box that includes VPN and anti-Spam and anti-virus – and a variety of security technologies in a box that Safe Protect can help you manage. It’s perfect for a small business that doesn’t understand the technologies, but still need the security.
There are a variety of vendors out there that provide these kinds of appliances and services. VPN makes it so that the traffic between the laptop and the corporation is encrypted, (it can’t be read), even if someone captures the packets, which is pretty simple technology, nowadays. The packets have all the data, but it is encrypted so you can’t make any sense of it. And that’s absolutely essential for a Remote Worker.
Alan: There are a number of programs that advertise that they allow you to have complete remote access to your desktop, as if you were sitting in front of your desktop. How secure are we when we are using those and what kind of potential problem could those programs possibly cause?
Randy: Those programs, as long as you have got the user name and password and all that data encrypted, that’s good. But, if it’s just the user name and password that’s encrypted when you connect, but then the data flowing back and forth isn’t encrypted, that could be a security and privacy issue for you. So, you would have to look and see that the specific program that you want to use – how well they encrypt things and if it’s constantly encrypted.
For example, say that you are at a coffee shop that has free wireless and you go to log into your email account from say like Yahoo! it is going to be an encrypted session for your login. I log in my user name and password are encrypted – bang – I get to my email and it’s no longer encrypted! So, my email could be read.
Alan: Sometimes a free wireless services that you see at airports or you see at some of these coffee shops – it may not be the free wireless service that you are logging into. You may be logging into somebody’s machine that has been set up for the sole purpose of having you to log into them.
Randy: There is what we call, “spoofing” of the SSID, which is what you see as the name of the wireless access point and people have been known to set up ones with identical names and spoof the signals, so that’s when you connect to, instead of what you thought you were connecting to.
That can be an issue. One of the things that mitigates that risk, actually, is a VPN, because although you have connected to it, assuming that you don’t have file and printer sharing turned on and you do have a firewall, your computer at that point, itself is still pretty safe. It’s the data that you will start giving out.
If you’re using a virtual private network, that can help. It’s not going to guarantee your safety; the quality of your password, the strength of your password is going to be a huge factor in how secure it is. How frequently you check for updates for, not only Windows, but all of your applications, like iTunes and Acrobat and a variety of media players – PGP; your browsers, everything.
You’ve got to keep everything patched, because the security solutions are not going to be fully effective if you have got lots of holes in various applications, where people can attack them and shut them down.
Alan: Well, I think it’s very important when somebody uses a public computer, no matter where it is, whether it’s a hotel or a Kiosh or the airport – you’ve got to remember that when you’re typing on that machine, when you get off of that machine, that information is still going to be stored somewhere – whether it could be a temporary file; it could be in RAM. Somebody can get just about any kind of information that you left on there.
Randy: That’s true; you just have to assume when you use a public computer that everything you type is public knowledge. Effectively, it could be. When you use Word or Excel, things like that, there are often temporary files left behind that can be accessed.
Alan: At ESET, what are you doing to help the Remote Worker and also help the business with the remote workers to be more secure?
Randy: Our focus really is on providing the highest quality anti-virus, anti-spyware, anti-trojan – that kind of Software. ESET NOD32 Anti-Virus covers a variety of threats. We protect the computers in the network from these digital threats. With ESET’s Smart Security, we also provide a Personal Firewall, because the Windows Firewall is a really good start; however, we can enhance your security by replacing it with the ESET Smart Security Firewall and that also includes Anti-Spam.
The other thing we do is to provide education. Like I said earlier, you can send me questions at askeset@eset.com. ESET is proactive enough and realizes that we can’t just do it with technology; it takes education, as well. And that’s why ESET has a Director of Technical Education to help our customers.
Alan: You have a full-featured Trialware copy of your award-winning anti-virus, anti-threat software on your Website, so that anyone can try it out and see the protection for themselves.
Randy: Really, it’s a trial of the full-featured Software. It’s not stripped down; it updates during that full month. It cleans, disinfects and detects, just like the regular Product – because it truly is the regular Product, you just need a different license to make it last for a year, instead of a month.
Alan: And what is the Website we should go to get a copy of your Software to try out?
Randy: Go to http://www.eset.com and you can download an Evaluation copy for yourself.
Alan: Randy, as always, it has been our pleasure to have as our guest here on Let’s Talk Computers – talking about the Remote Worker and how we can make the Remote Worker more secure. We look forward to having you back on the air again real soon.
Randy: Thank you very much, Alan. It’s always a pleasure to be here.
Visit ESET on Facebook
Follow ESET on Twitter