Data Center Endpoint Security: A Call To Action
A refresher on IT security strategies.
In a world of constant IT security combat between hackers and security practitioners, advancement in newer hacking and intrusion methods puts pressure on corporate IT teams to strengthen IT security. On the other side of the battle, hackers and malicious computer jocks are continually striving to get better at breaching enterprise IT infrastructure and secure organizational networks.
Security branches out into all areas of IT, and IT pros need to secure the entire IT infrastructure, including the network, data center, storage devices, workstations, firewall, Web servers, and applications. With much recent focus on data center security, what organizations tend to inadvertently neglect is endpoint security. Although many organizations have multiple sorts of internal corporate policies and federal compliance norms calling for endpoint security measures, IT administrators have to do more to be protected against the entire breadth of the endpoint threat landscape.
First, IT pros have to acknowledge the fact that endpoint security breaches and attacks are increasing each day. While motives vary, ranging across industrial espionage, targeted and financially motivated attacks, insider sabotage, and sometimes even unintentional or accidental incidents, these breaches ultimately come down to exploiting endpoint vulnerabilities in enterprise workstations and devices.
ENDPOINTS ARE STARTING POINTS OF SECURITY THREATS
Common threat sources and threat actions well known in the IT security world today include:
- Hacking – Use of backdoor or command and control server, use of stolen credentials, brute force attacks, SQL injection, data loss
- Malware – Spyware, backdoor, password dumper, RAM scraper
- Misuse of access/employee privilege – Privilege abuse, unapproved hardware, software, email misuse, data mishandling
- Physical – Tampering, surveillance
- Social – Phishing, pretexting, extortion, bribery
Many of these threats can be induced via insecure corporate endpoints. So, what can be done to prevent these attacks? While there may be security appliances and software built for endpoint security that IT administrators can deploy in an IT environment for monitoring and preventing threats, this article will discuss some best practices and strategies for enhancing endpoint security and ensuring workstation endpoints stay protected and secure.
There are many sources of vulnerabilities in workstations that leave them exposed to threat agents. Two key areas in particular need better understanding and insight into how an endpoint can be compromised, so that a strong and robust security approach can be prepared: software issues and user issues.
SOFTWARE EXPLOITS ON ENDPOINTS
Software issues are among the most common security vulnerabilities plaguing enterprise IT environments, since many types of software run on workstations according to different user and business requirements. Organizations do employ compliance regulations that allow only secure and required software on employee workstations, but users tend to disregard the regulations and install freeware on their systems. Even software as simple as a system utility intended to help with everyday work could expose a system to security threats.
To mitigate threats, IT teams should:
- Monitor software usage, applications, and services running on employee workstations.
- Scan workstations regularly to perform software inventory and identify wanted and unwanted software.
While monitoring workstations will help identify and uninstall untrusted software, software authorized for business use can still be the cause of security exploitation. IT administrators should focus on patch management and keep business software up to date by applying the product upgrades, enhancements, security fixes, and bug fixes provided by the software manufacturer.
There are three different types of software that can act as the cause of endpoint vulnerability:
- Known and patchable software
- Known and unpatchable software
- Unknown software
PATCH BEFORE THEY HATCH
The first type of software, known and patchable, is software that has known vulnerabilities and can be patched with security updates from the vendor. These can be further differentiated as:
- Products that are trivial to patch, either because the patching process itself is simple or because the quantity of updates is manageable.
- Products that are difficult to patch, that have a high frequency of patches, or both. An example of this type of software is Java™ Runtime Environment (JRE) version 7. From version 5 through 7 there have been over 380 vulnerabilities, and Oracle® Java has released up to 14 updates to fix these issues.
The second type, known and unpatchable software, cannot be patched because the vendor has released no fix for its known vulnerabilities and security loopholes. Consider the Java update version JRE7u21: there are known vulnerabilities in this version, and Oracle has not yet released updates, putting existing users at security risk with no option to patch the software.
As for unknown software, it can be identified with periodic system scanning and automated inventory updates. Once it is discovered, IT administrators may choose, based on the organization's accepted internal IT security policy, whether or not to permit its use. If permitted, the software must then be patched; otherwise it could become a source of vulnerability exploits.
IMPACT OF MALWARE
Malware is “malicious” software that gains unwarranted access into the corporate network via corporate endpoints, causing undue damage and disruption of services and operations, and posing a threat to secure information. Malware can be introduced by direct download, email attachments and links, Web drive-by, or remote injection.
Malware exposes systems to security breach and attacks, causes applications and services to fail, results in data leakage and theft and stolen credentials, impacts business productivity, and causes many more insidious security risks, threats, and policy violations.
ARE WE SAFE FROM THE MALWARE NIGHTMARE?
Statistically, the answer is “no.” The Verizon® 2013 Data Breach Investigations Report cites malware as the source of 40% of breaches that occurred in 2012. This enormous number is second only to hacking attacks and its impact is colossal, damaging corporate assets and business services and even exposing and leaking secure and confidential information.
To add to international malware woes, The Advanced Cyber Attack Landscape report from FireEye® indicates that malware has become a multinational activity with callbacks sent to command-and-control servers in 184 countries in 2012 alone. In fact, these numbers have increased approximately 50% since 2011.
From an endpoint perspective, all workstations should be equipped to detect malware and quarantine it. While most organizations do employ anti-virus and anti-malware software for this, cybercriminals are growing increasingly adept and resourceful and are introducing newer methods of attack. This dangerous evolution calls for advanced security and protection, including monitoring that the antivirus and anti-malware solutions themselves are functioning.
IT administrators need to be able to monitor security events by collecting logs and correlating them for advanced incident awareness. Log management for antivirus systems and other security appliances helps develop a protective and preventative security information and event management (SIEM) framework for real-time anti-malware security.
ENDPOINT THREATS FROM UNAWARE USER HABITS
Though IT security teams may educate corporate users and employees on security best practices, employee awareness of insecure IT practices is still quite shallow. Employees often fall prey to cyber-attacks by hacktivists and rogue hackers without having an inkling of their role in the attack.
USER HABITS THAT ENDANGER WORKSTATION ENDPOINTS
Employee devices. From USB devices, thumb drives, and flash drives to other mass storage devices and cameras, there are countless potential security threats that employees bring to their workstations. These are devices that can gain direct access to official stored data on enterprise workstations, and may allow data to “leave the building,” or worse, introduce malware infections into the network.
Tablets and smart phones. As the “bring your own device” (BYOD) model is increasingly adopted by businesses, employees’ personal smart phones and tablets are fast becoming dangerous to enterprise security.
For example, Android operating systems pose threats in multiple ways:
- OS fragmentation. Not all tablets and smart phones are running the same version of Android, and not all of them get patched uniformly for security issues.
- Nosy apps. Dozens of Android apps access device location, stored contacts, and other personal information. Allowing such access without proper IT permissions could lead to many potential security threats.
- Data not so persistent. Unlike Apple devices, on which users can restore nearly all stored data using iTunes, Android devices are not managed via desktop sync, making it difficult to restore lost data.
- Passwords with a trail. Android's graphical password system requires users to swipe a set pattern to unlock the device, leaving a touchscreen smudge that a hacker could duplicate.
BYOD may be successful for creating an employee-friendly work atmosphere, but it certainly widens the possibility of more unknown threats.
Most browsers need rescuing. Even popular browsers such as Chrome™, Internet Explorer® (IE), and Firefox® fall victim to malicious breach attempts. After all, they are still software and need to be patched with the latest security updates, as do the plug-ins and extensions that users keep adding to browsers so indiscriminately. Web browsers are not limited to workstations; the same applies to tablets and mobile phones.
Beyond the vulnerability factor of unpatched Web browsers, security breaches can also occur when a browser runs untrusted malware and scripts on the system, escalating to threats as serious as advanced and targeted DDoS attacks.
Here are some best practices to enhance Web browser security:
- Keep browsers, extensions, and plug-ins updated and patched
- Block popup windows as they may be sources of malware incursion
- Alter the security, privacy, and content sections of the browser settings per requirement
- Configure network protocol lockdown for applications that host HTML files over non-HTTP protocols in IE
- Tighten corporate firewall rules and Web server policies to allow only trusted sources of traffic through the corporate network
- Educate users about suspicious links and URLs and fraudulent and phony websites that can steal user data, passwords, and login credentials
CONCLUSION – IT’S HIGH TIME TO ACT
Protect the IT environment from endpoint security threats:
- Patch management. Patching all software, including the OS, browsers, plug-ins, and other third-party software, is critical. IT pros should treat every security update as a high priority.
- Application and website whitelisting. Ensure unknown and untrusted software cannot be executed on enterprise workstations. Use a proxy server, Web filter appliance, and Group Policy to allow only known and trusted application and website sources on the corporate network and on endpoints.
- Using host-based application firewalls. This may be the only protection for desktops and workstations, since it protects the applications running on the same host. Admins erroneously turn off Windows® host-based firewalls, yet host-based application firewalls offer twin benefits for IT security:
- Protection for host-based applications even when the primary firewall fails
- Blacklisting all untrusted applications to prevent malware identified on affected endpoints from replicating to new endpoints
DETECTION & REMEDIATION
Detection and remediation do not apply only to endpoint devices and workstations. There are many sources that threaten the security of workstations, all of which must be constantly monitored for anomalies, threats, and non-compliance.
- Systems monitoring. Monitor systems for performance issues and service reliability.
- Real-time event monitoring. Make use of logs from all workstations, operating systems, security appliances, anti-virus and anti-spyware systems, and correlate them in real time for meaningful incident awareness.
- Real-time remediation. Watching for operational, security, and policy-driven events on these entities, and being able to remediate threats in real time, is the only solution to ward off zero-day attacks. Remember to monitor system logins and logouts (and on which endpoints) and USB device connections to endpoints.
- User and device tracking. Identify which users and which devices connect to which network ports and Wi-Fi access points, as these are also endpoints and put network security at risk.
- Network and traffic monitoring. Changes in device configurations, device IP addresses, and firewall rules, traffic from unexpected endpoints, and external sources can all put endpoints at risk. Monitoring the various elements of a network gives holistic visibility into the health of the network infrastructure that may impact desktop and workstation security.
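As an added illustration of the real-time event correlation described above (example code written for this article, not a product's own logic), the following Python script correlates constructed log lines from three endpoint sources the text names, Windows logon/logoff events, USB device connections and antivirus detections, and flags a host where a detection follows a USB connection within five minutes, attributing it to the user logged on at the time. The log format, host names and users are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original article): logon/logoff,
# USB connection and antivirus detection events, normalised to one format.
SAMPLE_LOGS = """\
2013-06-03T09:01:10 WKS-17 LOGON user=jsmith
2013-06-03T09:14:30 WKS-17 USB_CONNECT vid=0781 pid=5567 serial=CONSTRUCTED01
2013-06-03T09:16:02 WKS-17 AV_DETECT name=Trojan.Generic action=quarantined
2013-06-03T09:40:00 WKS-22 LOGON user=akumar
2013-06-03T10:05:45 WKS-22 AV_DETECT name=Adware.Toolbar action=quarantined
2013-06-03T11:30:00 WKS-17 LOGOFF user=jsmith
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

def parse(lines):
    """Yield (timestamp, host, event, {key: value}) tuples; skip malformed lines."""
    for raw in lines.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        fields = dict(kv.split("=", 1) for kv in (m.group(4) or "").split())
        yield ts, m.group(2), m.group(3), fields

def correlate(lines, window=timedelta(minutes=5)):
    """Flag hosts where an AV detection follows a USB connection within `window`
    and attribute the incident to whoever was logged on at the time."""
    logged_on = {}   # host -> user currently logged on
    last_usb = {}    # host -> timestamp of most recent USB connection
    incidents = []
    for ts, host, event, f in sorted(parse(lines), key=lambda e: e[0]):
        if event == "LOGON":
            logged_on[host] = f.get("user")
        elif event == "LOGOFF":
            logged_on.pop(host, None)
        elif event == "USB_CONNECT":
            last_usb[host] = ts
        elif event == "AV_DETECT":
            usb_ts = last_usb.get(host)
            if usb_ts is not None and ts - usb_ts <= window:
                incidents.append({
                    "host": host,
                    "user": logged_on.get(host),
                    "malware": f.get("name"),
                    "seconds_after_usb": int((ts - usb_ts).total_seconds()),
                })
    return incidents
```

On the sample data only WKS-17 is flagged; the detection on WKS-22 has no preceding USB connection and so is left for ordinary antivirus handling rather than raised as a correlated incident.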
Endpoint security is undoubtedly a key aspect of IT security, and IT teams must focus on aligning it with organizational policies and user activity to keep it under control. Monitor, patch, and secure endpoints before they become starting points for exploitative breaches.