Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

Sharpening Endpoint Security

Of all the IT elements that you must secure in your organization, the endpoints are the most elusive. A flaw in an end user device can lead to a breach at the very core of your business, so hardening those endpoints is key to preventing those breaches.

Endpoints are as hard to define as they are to protect. The term traditionally referred to desktops and laptops, but endpoints now encompass smartphones, tablets, point-of-sale machines, bar code scanners, multifunction printers and practically any other device that connects to the company network. Without a well-conceived strategy, keeping track of and securing these devices is difficult and frustrating.

Endpoints are also more vulnerable than they've ever been. Zero-day attacks via Java and Adobe Flash, exploit kits waiting for unsuspecting end users and targeted phishing attacks demonstrate that attackers have moved away from targeting servers and are taking laser aim at endpoints. As a result, security pros must worry less about the perimeter and more about the most fragile and volatile piece of the IT infrastructure: endpoints -- and the unpredictable end users whose behavior can put the business at risk.

"Businesses must get serious about protecting their internal networks," says HD Moore, chief security officer for vulnerability management firm Rapid7 and chief architect of the Metasploit penetration testing framework. "We've known for a decade that hardening networks with firewalls isn't enough, yet companies still leave their networks flat and unprotected inside the firewall. The security of the internal network really starts to matter just as much as the external."

While server security is critical, locking servers down is easier than securing endpoints. Servers serve one or two core functions, letting IT build security controls around those functions. Endpoints serve many functions, and even when they're outfitted with security controls, users often change them, and attackers also can fool users into skirting security practices.

Security awareness among users is a primary aspect of meeting the endpoint security challenge. Training users on how to spot certain types of attacks and instilling a sense of caution is key to his approach. Companies must also adopt endpoint hardening techniques, new endpoint security products and network-based security controls. Even then, attackers may break through, but with protection and monitoring in place, companies can detect and remediate attacks before it's too late.

The Basics Of Host Hardening

For most IT pros, endpoint protection equates to antivirus and anti-malware products. But endpoint protection actually starts with "host hardening," implementing best practices to secure endpoints before they're handed to end users or before any third-party applications are added.

These include practices such as the principle of least privilege, whereby users are granted only the account privileges they need to do their jobs; segregation of duties, which requires more than one person to make critical changes; and need to know, under which access to resources is limited to those who must have it.

Some IT shops buy cleverly marketed products that promise off-the-shelf endpoint security using anti-malware and sandboxing. In most cases, attackers can easily bypass those defenses. Readily available exploits and tutorials help attackers identify hosts that haven't been properly configured or ones where users have made changes -- disabled antivirus protection or installed vulnerable software, such as Java -- that increase the vulnerability of the host.

chart: admin priveleges allowed in user environment

Failing to follow the least privilege principle can cause major problems, particularly when users are given admin privileges on their desktops, laptops and mobile devices. Sixty percent of respondents to the Ponemon Institute's recent 2013 State of the Endpoint survey say they allow administrative rights in some or all of their user environments (see chart, above).

Our report on on strategic security is free with registration. This report includes 43 pages of action-oriented analysis, packed with 38 charts.

What you'll find:
  • Drivers for analytics and BI
  • The most valuable security practices
  • How to use mobile device management software to enforce security
Get This And All Our Reports

Users often are given admin rights when an IT environment is being created and is still small, then they resist losing those privileges later on. When IT environments are set up with the endpoint administrative rights disabled, power users and executives often fight for those privileges, saying they regularly install software or make system changes.

There are other ways security organizations lose control of administrative rights; however it happens, letting users act as admins creates the potential for local administrator, domain-level and service accounts to be compromised.

For example, say the CEO's administrative assistant falls for a phishing scam and clicks on a link that takes her to a site that exploits the latest Java zero-day vulnerability. The malware installed on her system now has the same admin rights that she does. If there's software running on the system with a shared domain-level service account -- or if the administrator password on the administrative assistant's computer is the same across many of the desktops in the company -- the malware can spread from her system to practically every system in the company.

If the user in this scenario hadn't had admin rights, it would have been more difficult (though not impossible) for the malware to spread. Security consulting firms like mine look for these users with administrative privileges when we do penetration testing. An attacker needs only one vulnerable endpoint to spread laterally throughout a company, pivoting from endpoint to endpoint, siphoning data.

Policy configuration best practices on desktop, laptop, and even tablet and smartphone operating systems limit the impact of, and even prevent, successful attacks. These practices include password age, history and complexity requirements; account lockout provisions; system and user activity audits; firewall configuration; logging; and putting unique local administrator passwords on each host.

You can limit endpoint vulnerabilities by understanding the policy options for the various platforms, configuring them appropriately, and monitoring them so that you know when they fall out of compliance with company policy.

chart: which security practices provide the most value to your company?

Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
manovrao
50%
50%
manovrao,
User Rank: Apprentice
3/6/2013 | 10:43:37 AM
re: Sharpening Endpoint Security
Find the best security softwares from the below link,
http://www.matousec.com/info/p...
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19551
PUBLISHED: 2019-12-06
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site. An attacker with access to the User Control Panel application can submit malicious values in some of the time/date formatting and time-zone fields. These fields are not b...
CVE-2019-19552
PUBLISHED: 2019-12-06
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the/admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user...
CVE-2019-19620
PUBLISHED: 2019-12-06
In SecureWorks Red Cloak Windows Agent before 2.0.7.9, a local user can bypass the generation of telemetry alerts by removing NT AUTHORITY\SYSTEM permissions from a malicious file.
CVE-2019-19625
PUBLISHED: 2019-12-06
SROS 2 0.8.1 (which provides the tools that generate and distribute keys for Robot Operating System 2 and uses the underlying security plugins of DDS from ROS 2) leaks node information due to a leaky default configuration as indicated in the policy/defaults/dds/governance.xml document.
CVE-2019-19627
PUBLISHED: 2019-12-06
SROS 2 0.8.1 (after CVE-2019-19625 is mitigated) leaks ROS 2 node-related information regardless of the rtps_protection_kind configuration. (SROS2 provides the tools to generate and distribute keys for Robot Operating System 2 and uses the underlying security plugins of DDS from ROS 2.)