Sharpening Endpoint Security

Of all the IT elements that you must secure in your organization, the endpoints are the most elusive. A flaw in an end user device can lead to a breach at the very core of your business, so hardening those endpoints is key to preventing those breaches.

Endpoints are as hard to define as they are to protect. The term traditionally referred to desktops and laptops, but endpoints now encompass smartphones, tablets, point-of-sale machines, bar code scanners, multifunction printers and practically any other device that connects to the company network. Without a well-conceived strategy, keeping track of and securing these devices is difficult and frustrating.

Endpoints are also more vulnerable than they've ever been. Zero-day attacks via Java and Adobe Flash, exploit kits waiting for unsuspecting end users and targeted phishing attacks demonstrate that attackers have moved away from targeting servers and are taking laser aim at endpoints. As a result, security pros must worry less about the perimeter and more about the most fragile and volatile piece of the IT infrastructure: endpoints -- and the unpredictable end users whose behavior can put the business at risk.

"Businesses must get serious about protecting their internal networks," says HD Moore, chief security officer for vulnerability management firm Rapid7 and chief architect of the Metasploit penetration testing framework. "We've known for a decade that hardening networks with firewalls isn't enough, yet companies still leave their networks flat and unprotected inside the firewall. The security of the internal network really starts to matter just as much as the external."

While server security is critical, locking servers down is easier than securing endpoints. Servers serve one or two core functions, letting IT build security controls around those functions. Endpoints serve many functions, and even when they're outfitted with security controls, users often change them, and attackers also can fool users into skirting security practices.

Security awareness among users is a primary aspect of meeting the endpoint security challenge. Training users to spot common types of attacks and instilling a sense of caution is key to this approach. Companies must also adopt endpoint hardening techniques, new endpoint security products and network-based security controls. Even then, attackers may break through, but with protection and monitoring in place, companies can detect and remediate attacks before it's too late.

The Basics Of Host Hardening

For most IT pros, endpoint protection equates to antivirus and anti-malware products. But endpoint protection actually starts with "host hardening," implementing best practices to secure endpoints before they're handed to end users or before any third-party applications are added.

These include practices such as the principle of least privilege, whereby users are granted only the account privileges they need to do their jobs; segregation of duties, which requires more than one person to make critical changes; and need to know, under which access to resources is limited to those who must have it.

Some IT shops buy cleverly marketed products that promise off-the-shelf endpoint security using anti-malware and sandboxing. In most cases, attackers can easily bypass those defenses. Readily available exploits and tutorials help attackers identify hosts that haven't been properly configured or ones where users have made changes -- disabled antivirus protection or installed vulnerable software, such as Java -- that increase the vulnerability of the host.

Chart: Admin privileges allowed in user environment

Failing to follow the least privilege principle can cause major problems, particularly when users are given admin privileges on their desktops, laptops and mobile devices. Sixty percent of respondents to the Ponemon Institute's recent 2013 State of the Endpoint survey say they allow administrative rights in some or all of their user environments (see chart, above).

Users often are given admin rights when an IT environment is being created and is still small, then they resist losing those privileges later on. When IT environments are set up with the endpoint administrative rights disabled, power users and executives often fight for those privileges, saying they regularly install software or make system changes.

There are other ways security organizations lose control of administrative rights; however it happens, letting users act as admins creates the potential for local administrator, domain-level and service accounts to be compromised.

For example, say the CEO's administrative assistant falls for a phishing scam and clicks on a link that takes her to a site that exploits the latest Java zero-day vulnerability. The malware installed on her system now has the same admin rights that she does. If there's software running on the system with a shared domain-level service account -- or if the administrator password on the administrative assistant's computer is the same across many of the desktops in the company -- the malware can spread from her system to practically every system in the company.

If the user in this scenario hadn't had admin rights, it would have been more difficult (though not impossible) for the malware to spread. Security consulting firms like mine look for these users with administrative privileges when we do penetration testing. An attacker needs only one vulnerable endpoint to spread laterally throughout a company, pivoting from endpoint to endpoint, siphoning data.

Policy configuration best practices on desktop, laptop, and even tablet and smartphone operating systems limit the impact of, and even prevent, successful attacks. These practices include password age, history and complexity requirements; account lockout provisions; system and user activity audits; firewall configuration; logging; and putting unique local administrator passwords on each host.

You can limit endpoint vulnerabilities by understanding the policy options for the various platforms, configuring them appropriately, and monitoring them so that you know when they fall out of compliance with company policy.
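One way to monitor the password, lockout and audit settings listed above for drift on a Windows host, as an added example that is not the article's code: the script parses the INI-style text that `secedit /export /cfg <file>` writes (assumed already converted from UTF-16 to plain text) and compares it against a hypothetical baseline; the sample export and the baseline values are constructed and should be replaced with your organization's own policy.

```python
# Added example (not from the article): audit the policy export written by
# `secedit /export /cfg <file>` on Windows against a baseline. Assumes the
# UTF-16 export was converted to plain text; the sample below is constructed.
import configparser

SAMPLE_EXPORT = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 180
MinimumPasswordLength = 14
PasswordComplexity = 0
PasswordHistorySize = 3
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
"""

# Hypothetical baseline: (section, key) -> (comparison, required value).
BASELINE = {
    ("System Access", "MinimumPasswordAge"): (">=", 1),
    ("System Access", "MaximumPasswordAge"): ("<=", 90),
    ("System Access", "MinimumPasswordLength"): (">=", 12),
    ("System Access", "PasswordComplexity"): ("==", 1),
    ("System Access", "PasswordHistorySize"): (">=", 24),
    ("System Access", "LockoutBadCount"): ("between", (1, 10)),  # 0 = never lock
    ("Event Audit", "AuditLogonEvents"): ("==", 3),  # 3 = success and failure
}

def parse_secedit(text):
    """Return {section: {key: value}} from an INI-style secedit export."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the exported key case
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_drift(text, baseline=BASELINE):
    """Return (section, key, current, op, required) for each non-compliant setting."""
    policy = parse_secedit(text)
    findings = []
    for (section, key), (op, want) in baseline.items():
        raw = policy.get(section, {}).get(key)
        have = int(raw) if raw is not None else None  # None: not set on host
        ok = have is not None and (
            want[0] <= have <= want[1] if op == "between"
            else {"==": have == want, ">=": have >= want, "<=": have <= want}[op])
        if not ok:
            findings.append((section, key, have, op, want))
    return findings
```

Run it against exports collected from each host and alert on any non-empty result; a setting missing from the export is reported as drift too, since it cannot be confirmed compliant.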

Chart: Which security practices provide the most value to your company?

Comments
manovrao, User Rank: Apprentice, 3/6/2013 | 10:43:37 AM
re: Sharpening Endpoint Security
Find the best security software from the link below,
http://www.matousec.com/info/p...