'Timeouts' needed for unattended PCs to reduce security threat
Oct 06, 2005: Analyst group Gartner has highlighted the risks of insider attacks associated with employees leaving their PCs unattended with active sessions running. Analysts advised businesses to implement 'timeouts' for all PCs to ensure that users are automatically logged out of application sessions or that PCs are locked, thereby minimising the risk of insider attacks.

According to Gartner, a significant number of unauthorised access events occur when someone sits down at another user's computer. Unattended PCs make it easy to read sensitive data surreptitiously and to send bogus email messages from the absent user's account. "Someone else must have sat at my PC" has already become a typical defence against accusations of improper online behaviour, and proving whether or not that was the case is often difficult.

"Organisations are protecting their systems and personnel against external security threats but failing to realise the very real risks that exist internally from something as basic as an unattended PC," said Jay Heiser, research vice president at Gartner. "Relatively simple solutions are available to address the problem but few organisations have implemented them."

The threats to businesses from unattended PCs include unauthorised access to personnel data (e.g. salary information); unauthorised access to read business information or, more seriously, to change it (e.g. to cover up fraud, or to increase a bonus or commission by altering sales figures); and the circumvention of separation of duties and approval processes (e.g. the same person creates a purchase order and also authorises its payment).

The threats to users from unattended PCs include unauthorised reading of personal email; sending emails in another person's name (usually done as a harmless prank to cause embarrassment, but potentially with serious professional consequences); and denial of responsibility (when an organisation does not control who uses which terminal, it is very easy for someone to claim 'it must have been someone else on my PC').

Gartner says that the risks would be much lower if all users could be relied upon to log out or lock their PCs when they leave their desks. A 'timeout' limits the window of opportunity for misuse of a user's active sessions. Timeout standards do prompt complaints from users about the inconvenience, but resistance to screen locking falls once users understand that they will be held accountable for any computer misuse originating from their usernames.

"Unattended PCs represent the computer security equivalent of 'low-hanging fruit'," said Heiser. "There is little point in implementing some sort of sophisticated identity and access management system unless you can ensure that when people are logged in to systems, they stay at their PCs. Sloppy management of login sessions sends the wrong message, but tight management - including a degree of user inconvenience - sends the message 'user login sessions are important and must be protected'."

Gartner advises businesses to evaluate both technology and policy solutions to ensure that risks are minimised. Authentication methods that incorporate "proximity" tokens are likely to be the best way to address the underlying problem. Users wear a token around their necks which automatically logs them out, or locks the PC, when they move "too far" away from it. These tokens are particularly appropriate wherever shared PCs are used to access critical applications, such as in hospitals and clinics. Proximity tokens are convenient and especially effective in preventing the "someone else used my PC" defence common in call centres and on factory floors.

Timeouts may not be appropriate in some situations because they can disrupt normal operations too much, e.g. a technical support area where some PCs must continuously display status information, or where the business being conducted requires very short reaction times, such as capital markets trading. In most office situations, however, they represent a simple and effective solution to the problem of unattended PCs. The "right" setting for a timeout depends on the information being accessed, work patterns and the physical environment. For example, PCs inside a corporate office can have longer time limits, while devices carried into unsecured environments need shorter timeouts.