Endpoint
6/11/2013
12:52 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

12 Endpoint Security Myths Dispelled

Mistaken beliefs that hold back endpoint protection

It has been years since the security pundits have taken up the mantle to dispel the myth that antivirus alone is enough to protect the typical endpoint. And while that misconception does hang on in certain quarters, to a large degree it has been discussed ad nauseum. But there are plenty of other misapprehensions and delusions out there about endpoint security that are ignored in the process.

Dark Reading recently talked to a spate of security experts to get them to weigh in on some of the other myths that get in the way of smart endpoint protection strategies. Here is the dirty dozen.

1. Macs Are Inherently Safer Than Windows Machines
Macs have long had a reputation for virus immunity, but that very misconception paired with mainstream growth for the platform during the past five years have created a dangerous combo.

"The growing amount of Mac users and the few Mac owners that install AV makes Macs increasingly appealing to cybercriminals," says Simon Hunt, McAfee vice president and CTO of endpoint security. "They have realized there is an open population of fast machines just begging to be attacked."

Grayson Milbourne, security intelligence director at Webroot, echoes Hunt's points and adds a couple additional points to consider.

"While the numbers on malware [that] target Mac's OS X are dwarfed in comparison by those which target Windows, this past year was the most active ever for discoveries of new Mac malware and this is a trend we expect to see continue," he says. "Another important fact to remember is that Web-based threats, such as phishing sites, function regardless of the OS being used."

2. Protection Has To Be On The Device
True, endpoint security does start on the device. But that's not necessarily where it should end, says Jay Botelho, director of product management for WildPackets.

"A common misconception about endpoint security is that the practice requires monitoring software on each endpoint device," says Botelho, explaining that network monitoring and controls also play an important role in maintaining the security of endpoint devices. "If a user brings in a device from home that has been infected with some type of Trojan horse, and then connects this device to your corporate network, you have a problem. With a network monitoring and analysis solution that looks at your interdevice traffic, inside the firewall, you will instantly detect when the infected device starts the process of trying to infect other assets on your network."

3. Endpoint Protections Good Enough For Auditors Aren't Good Enough
Simply relying on compliance to drive endpoint security strategy can give an organization a false sense of security, says Ashok Devata, senior manager for product marketing for RSA, who explains that regulations lag behind the threat landscape by months and even years in some cases.

"Passing a regulatory audit for endpoint doesn't mean that the endpoints and the data in them are secured," Devata says. "Zero-day malware detection/analysis and content-aware DLP monitoring are some of the basic tools required for protecting endpoints against the latest threats, and [yet] regulatory audits don't prescribe such controls."

4. More Signatures Doesn't Mean Better Protection
Antivirus vendors have long duked it out over marketing superiority by fighting over who has more signatures. But Alex Harvey, security strategist for Fortinet's FortiGuard Labs, says that the number of signatures alone should not be how you measure AV effectiveness.

"It's important to understand that more AV signatures does not mean you are better protected against threats," Harvey says. "'Smart signatures will often detect multiple variants of one malware by detecting behaviors and patterns that all variants share. What is more important is the number of malware protected against, rather than signatures."

5. AV Is Outdated And Useless
For all of the bad rap that AV gets within the industry, it isn't useless, says Sean Bodmer, chief researcher of counter-exploitation intelligence at CounterTack.

"Antivirus engines do catch a fair deal of commodity threats and provide better protection versus having nothing in place for at least a baseline level of protection," says Bodmer, who says that even though AV is considered as antiquated compared to other tools out there, it "still serve[s] a purpose for subscribers who cannot afford enterprise-level or next-generation solutions. AV is always better than no protection, no solution is 100 percent, and anyone who says differently is drinking the wrong Kool-Aid."

6. Some Endpoints Aren't Important Enough To Be Attacked
No matter how seemingly insignificant the user or the endpoint, they're all subject to attack in this day and age.

"Most malware is opportunistic. You have processing power and an Internet connection -- that's all a hacker needs to make a few cents by using your computer to send spam or perform DDoS [attacks]," McAfee's Hunt says. "It costs nothing for them to infect you, so your machine is a pure profit generator for them."

Not only should IT avoid the thinking that goes along with this misconception, they should also be training users to understand why they might be targeted.

"Anyone can be a victim, especially if you work in or have close family or friends active in the defense, finance, or energy sectors," Bodmer says. "Today criminals have Facebook, Twitter, Snapchat, Foursquare, and so many other social media platforms that provide a nice playground for attackers looking to execute easy, yet sophisticated threats. Knowledge is power in this case, and cyberninjas know that more than anyone - -unless you work on the PRISM program."

Next page: Poor signature detection Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Doug Finley
50%
50%
Doug Finley,
User Rank: Apprentice
6/18/2013 | 4:16:06 PM
re: 12 Endpoint Security Myths Dispelled
The writing is actually worse than confusing; it's technically ignorant. For example:

GǣTrue, endpoint security does start on the device.Gǥ Since when? Endpoint security
starts at or outside the perimeter (deep packet inspection, ingress/egress), then firewall, IDS/IPS, network monitoring, heuristics engine, and so on. Once whatever protection residing on the endpoint kicks in, it means all the outer defensive layers have failed, otherwise the malware wouldnGt have appeared at the endpoint. The only exception is the one case noted in the article, where an infected device is attached directly to the endpoint.

Gǣ[T]he first thing Trojans do when they start working is to take down the endpoint security, disarm it, and render it useless.Gǥ ThatGs because AV vendors are so negligent about protecting their product from unauthorized shutdown. But they do so little good (already admitted in an earlier GǣmythGǥ) while sucking up so much CPU that they really are not worth having. No AV detects the truly dangerous attacks.

Too much effort trying to assure us that AV really is effective and worth the money and inconvenience/disruption; too little of technical value. Is this supposed to be an IT-oriented web site for dummies?
teedge
50%
50%
teedge,
User Rank: Apprentice
6/12/2013 | 1:41:01 PM
re: 12 Endpoint Security Myths Dispelled
Writing is a little confusing. You talk about the "12 endpoint myths" being dispelled then flip flop between listing myths (e.g. 5. AV Is Outdated And Useless, 6. Some Endpoints Aren't Important Enough To Be Attacked) and truths (e.g. 3. Endpoint Protections Good Enough For Auditors Aren't Good Enough, 4. More Signatures Doesn't Mean Better Protection).
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the security connected approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7877
Published: 2014-10-30
Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors.

CVE-2014-3051
Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

CVE-2014-3668
Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

CVE-2014-3669
Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

CVE-2014-3670
Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.