We have a tendency in cybersecurity to make everything a big deal. As a cybersecurity advisor, I try not to be the person who is yelling, “the sky is falling and the world is coming to an end”. But if I had to pick only three ‘big deals’, they would be user security awareness, the prevalence of accessible data and assets, and lastly, endpoint security.
The threats against the endpoint are many. And even if there were zero vulnerabilities and zero exploits, the risk to the endpoint would still be great. If this risk to the endpoint is combined with the means of accessing sensitive or confidential data, the ability to install software, or the ability to pivot laterally within the environment, the risk suddenly becomes critical.
The risk to the endpoint for most organizations is critical and should be prioritized as such. But how do you protect the endpoint? Is installing antivirus enough? What other controls can be applied without degrading the productivity of the endpoint user? Do additional controls justify the cost? In this article, I will propose an endpoint security strategy that can be used by small to large businesses, that greatly reduces the risk to the organization, and that justifies its cost and process improvements.
We will cover the threats to endpoints, followed by the best-recommended controls, process improvements, and conclude with additional security controls that should be considered for mobile endpoints.
Threats
As alluded to at the beginning of this article, even if there were no threats to the endpoint the risk would still be great. But the fact of the matter is that there are a lot of threats to the endpoint. Let’s cover some of these threats so that we can consider how to build better controls to improve the risk posture of the business.
* Malware: software specifically designed to disrupt, damage or gain unauthorized access to a computer system. It comes in all forms and can be inclusive of some of the other categories mentioned below.
* Keyloggers: Software or hardware that records the keystrokes of users and stores or uploads the data for malicious attackers.
* Botnets: Software that installs and then listens for control commands from other control software located outside the company network. Computers infected with botnet software can use computing resources, participate in illegal activities, and even download further software upon command.
* Ransomware: Software that holds a computer hostage with the threat of deleting or removing user access unless a payment is made to the malicious party. This is usually done through the use of encryption.
* Remote Access Toolkits (RAT): Software that allows remote attackers to have full remote access and control of the user’s systems. This includes a remote desktop session and taking over the process controls. It can even be used to watch what the user is doing.
(This list does not address other endpoint impacts that could be considered ‘threats’, such as ‘adware’. These are a concern, but not at the level of severity of the others.)
Best Practice
At the core of a good endpoint security strategy are some core tenets that are ‘industry accepted’. These are practices that, by and large, have been tested, accepted, and approved by most security industry practitioners.
Privileged Access – The single biggest improvement for endpoints is removing privileged access from users who don’t need it. There is a large fear and concern in organizations that have yet to take this step. I’ve heard the concern hundreds of times: users ‘need’ it. But when pressed on the ‘why’, it cannot be answered. That is fear. It’s an understandable fear that if access is removed from users they won’t be able to do their jobs, there will be a huge productivity loss, employee culture will be negatively impacted, support calls will go way up, and in the end this will cost more. The anticipated result of this equation looks like:
Cost of removing privileged user access is GREATER than the risk of users having privileged access.
The truth is that this equation cannot be completed until the cost of removing privileged user access is actually measured. I understand this can feel like a large undertaking, but with a process approach the risk can be greatly reduced and the relationship with the users can even improve. The process is out of the scope of this article, but in summary it can be carried out one business unit at a time and tested with a small sample group of users. The first pass is a pass or fail per business unit, with the goal of identifying as many groups as possible that can have privileged access removed without impact. The second pass revisits the units that failed, assesses the cause of the failure, and reviews what can be done to change the requirement for privileged user access.
To be bold, from my personal experience across many industries over the course of decades, most users don’t need privileged user access. The ones that do should be included as part of a privileged access management program. So the cost of not reviewing the need now will greatly increase the cost of including those users in such a program later.
I don’t sell fear – I’m commonly challenged by potential clients to hack into their systems. They understandably feel like I’m trying to sell them fear and that I should justify my reasoning by proving their systems and data are at risk. I don’t want to sell fear. I decided before I started consulting on cybersecurity that I would not sell fear. Fear can be a natural byproduct of the unknown. I don’t take challenges to hack into potential clients’ computer networks because I want our relationship to be built on a common goal and a strong partnership, not on obligation if I were able to succeed.
So instead I offer some approaches I would take to attempt to get administrative rights and access to the business crown jewels. One approach I would always attempt is getting access to shared credentials. There are two common sets of shared credentials I almost always find. One is this:
Common Local Admin Password – It is common that all the local administrator accounts on the endpoints have the same password. This password can often be guessed (with a slow and low attack once network access is gained). It can also be identified by breaching an endpoint through a phishing attempt and waiting for a network system to attempt a connection using those credentials, or found in a password repository accessed by the company’s desktop administrators.
If the password is identified, it can be used to pivot to every endpoint within the company sharing that local credential. It can then be used to pivot on to get application access, other network access, and privileged access other users have.
It is best practice to apply a separate password to each local endpoint so that they don’t share a common local administrator password.
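As an added illustration of that practice (example code, not the author's; the hostnames, vault layout and legacy password are constructed placeholders, and in production the per-host secrets would live in a managed store such as Microsoft LAPS), a Python sketch that issues each endpoint its own random local administrator password and audits a vault for hosts that still share one:

```python
import secrets
import string
from collections import defaultdict

# Constructed inventory: placeholder hostnames, not real systems.
ENDPOINTS = ["WS-ACCT-01", "WS-ACCT-02", "WS-HR-01", "LT-SALES-07"]
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_local_admin_password(length: int = 24) -> str:
    """Draw one password from the OS CSPRNG; never derive it from the hostname."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_all(endpoints) -> dict:
    """Assign every endpoint its own password; returns {hostname: password} for the vault."""
    vault = {}
    used = set()
    for host in endpoints:
        password = generate_local_admin_password()
        while password in used:  # astronomically unlikely, but enforce uniqueness anyway
            password = generate_local_admin_password()
        used.add(password)
        vault[host] = password
    return vault


def shared_credential_groups(vault: dict) -> list:
    """Audit check: groups of hosts that share one local admin password (empty list means none)."""
    by_password = defaultdict(list)
    for host, password in vault.items():
        by_password[password].append(host)
    return sorted(sorted(hosts) for hosts in by_password.values() if len(hosts) > 1)


# Constructed 'before' state: every endpoint was imaged with the same local admin password.
LEGACY_VAULT = {host: "Welcome2023!" for host in ENDPOINTS}


if __name__ == "__main__":
    print("shared before rotation:", shared_credential_groups(LEGACY_VAULT))
    print("shared after rotation:", shared_credential_groups(rotate_all(ENDPOINTS)))
```

Run the audit against the real vault export on a schedule; any non-empty result is a finding to remediate before an attacker can reuse the shared credential across machines.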
Application Whitelisting – As part of a strong cybersecurity program, a data classification exercise should be performed. An output of this exercise should be a list of which systems ingest, process, or store classified data. If endpoints are included in this classification index, you should apply application whitelisting technology to control what applications can execute on those systems. When the scope of application whitelisting is reduced to only the required systems, the administrative overhead and vendor costs can be minimized and the cost is easily justified. When whitelisting is rolled out company-wide, it can be painful to implement and even more painful to maintain.
Malware protection – The value of desktop anti-virus has diminished over the last decade, but it is still there. When combined with other security practices, this technology provides a lot of protection against ‘known’ threats and has matured to the point that it requires very little attention. It is sometimes even included by vendors as a value add.
Attachment Sandbox – When we consider where and when malware enters endpoints we can quickly find it often comes from Internet downloads of documents and phishing (including spear phishing) attempts. One of the greatest and most beneficial evolutions in cybersecurity has been the sandbox.
Security Sandbox: A contained computing environment that prevents files and processes from escaping and gaining access to other system processes, hardware resources like memory space, and hard drive locations. This sandbox is usually a virtual environment and is wiped after the process is complete.
The security sandbox will usually be combined with threat detection. This is a network technology that inspects documents based on their hash value and known reputation. If the document is unknown, the sandbox places it in a secure container, opens it, and monitors its behavior to see whether it is malicious. If the sandbox identifies malicious behavior or an indicator, it notifies the security administrator. This is not a perfect solution, but it is a powerful one. One of the shortcomings is the desire not to slow down the delivery of email. So often a sandbox will be configured to deliver the unknown file to the user and send a copy for testing in the sandbox. If the copy is identified as malicious, a threat detection signature is added dynamically to prevent further copies from being delivered, but the first file has already reached the user.
Security Controls
Focusing on what additional controls can be applied to reduce the risk of endpoints requires us to examine our choices for how we can address risk. These options are:
1. Accept – When the cost to apply controls exceeds the tolerable amount the risk can be accepted. The risk should be documented as part of a process and reviewed regularly.
2. Remediate – This is fixing the issue. Sometimes this means patching the vulnerability, updating the application, closing the hole. Once remediation is complete, the risk will no longer exist.
3. Mitigate – Taking steps to reduce the risk with the addition of controls or a change in posture. This might mean placing a firewall that blocks FTP in front of a server with security findings on an exploitable version of FTP.
4. Transfer – This is shifting the risk to another party to take care of or transferring the risk to something like an insurance policy.
5. Avoid – This is the most overlooked option in today’s connected world. It essentially means questioning whether the system that carries the risk needs to exist at all, or needs to be connected in the way that creates the risk. Air gapping, or taking a system offline for processing, can help avoid risk.
Process Improvements
Risk is influenced by more than just improving security controls. Less often considered is the opportunity to lower the impact.
“risk equals impact multiplied by probability weighed against the cost” (techtarget.com)
We can lower the impact to endpoints by making some process improvements in the way data is stored, processed, and retained. Endpoints, from a hardware standpoint, often don’t have a high cost. This means that from a pure hardware-cost standpoint the risk doesn’t justify investing in high-cost or high-complexity security solutions. The true risk to the endpoint is then:
* Availability: Productivity loss due to the endpoint computing resources not being available.
* Data: Loss, ransom, or integrity impact to the information assets on the endpoint.
The number one greatest gain to overall security is to limit or prevent data being stored on the endpoint. When you remove data from the risk equation, it almost always comes out as low risk. The data is the pudding. Build policies and procedures that educate users on how to save data and files to shared network space or cloud resources. Train them to never save confidential or sensitive information to the desktop. Implement a governance process that checks for locally saved data on the endpoint. One way to do this is to have a script run that reports the size of the ‘My Documents’ folder on the desktop machines. This can be an easy and quick indicator of whether the user needs to be reminded of the correct process.
If you can’t remove data from the endpoint, you can still greatly reduce risk by implementing a backup process. The backup process should focus on backing up only the directories that are used to save user data. The fewer directories that need to be configured for backup, the smaller the data set is. The smaller the data set, the more frequently a backup cycle can be scheduled. The more frequent the backup cycle, the less opportunity there is for data to be unrecoverable.
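One way to implement both the local-data check above and the narrowly scoped backup set, as an added example that is not the author's own script (the folder names mirror a Windows profile, the 50 MiB threshold and the sample profile contents are constructed assumptions):

```python
import tempfile
from pathlib import Path

# Folders where users actually save files; the rest of the profile (caches, app data) is ignored.
# Names mirror a Windows profile; on other platforms substitute the equivalent folders.
USER_DATA_DIRS = ["Documents", "Desktop", "Downloads"]
THRESHOLD_BYTES = 50 * 1024 * 1024  # 50 MiB: above this, remind the user of the save-to-network policy


def directory_size(folder: Path) -> int:
    """Total bytes of regular files under folder (symlinks are not followed)."""
    return sum(p.stat().st_size for p in folder.rglob("*") if p.is_file() and not p.is_symlink())


def audit_local_data(profile_root: Path, threshold: int = THRESHOLD_BYTES) -> dict:
    """Size each user-data folder; return {folder_name: (bytes, over_threshold)}."""
    report = {}
    for name in USER_DATA_DIRS:
        folder = profile_root / name
        size = directory_size(folder) if folder.is_dir() else 0
        report[name] = (size, size > threshold)
    return report


def backup_manifest(profile_root: Path) -> list:
    """Files to back up: only the user-data folders, so the set stays small and the cycle can run often."""
    files = []
    for name in USER_DATA_DIRS:
        folder = profile_root / name
        if folder.is_dir():
            files.extend(p.relative_to(profile_root).as_posix()
                         for p in sorted(folder.rglob("*")) if p.is_file() and not p.is_symlink())
    return files


def build_sample_profile() -> Path:
    """Constructed sample profile: a 3 MiB spreadsheet in Documents, a note on the Desktop, an app cache to ignore."""
    root = Path(tempfile.mkdtemp(prefix="profile-"))
    (root / "Documents").mkdir()
    (root / "Documents" / "budget.xlsx").write_bytes(b"\0" * (3 * 1024 * 1024))
    (root / "Desktop").mkdir()
    (root / "Desktop" / "notes.txt").write_text("call vendor")
    (root / "AppData" / "Local" / "Cache").mkdir(parents=True)
    (root / "AppData" / "Local" / "Cache" / "blob.bin").write_bytes(b"\0" * 1024)
    return root


if __name__ == "__main__":
    root = build_sample_profile()
    for name, (size, over) in audit_local_data(root, threshold=1024 * 1024).items():
        print(f"{name:10} {size:>10} bytes {'REMIND USER' if over else 'ok'}")
    print("backup set:", backup_manifest(root))
```

Point `audit_local_data` at each user's profile root from the endpoint management tool and feed the flagged users to the reminder process; `backup_manifest` gives the backup job exactly the file set the policy cares about and nothing else.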
Mobility
Whenever data or company assets leave the building, they leave a control boundary. Leaving the control boundary introduces additional risks to consider as part of your security program.
As mentioned above, if there is no data on the mobile device there is no data risk. The only remaining risk is that, if the device is stolen, it can be leveraged in an attempt to gain network access.
Even if you only limit the data on the mobile device to public or internal classifications, you are still greatly reducing the risk. One additional control that has become common practice for mobile devices is encryption.
Encryption technology has come a long way in recent years, from a sci-fi fantasy idea to a real-world practical application that is simple to set up and administer. Even popular operating system manufacturers now include it for free with their platforms.
This technology makes it extremely difficult for a malicious party to access data stored on the encrypted device. As a matter of fact, if there is an investigation into a lost or stolen asset and you can prove it was encrypted, the case can usually be closed out.
Summary
Endpoints are a critical part of your cybersecurity program and should be considered a priority. You can address this risk by approaching them with a strategy that addresses the core threats and risks to these devices.
By improving user awareness and having some processes in place you can feel confident that endpoints are protected to meet an acceptable level of risk.