Endpoint protection -- that is, the locking down of your workstations -- means different things to different people. To some, it's patches and strong passwords. To others it's host intrusion prevention and data loss prevention. Whatever your perspective, desktop protection is reaching a tipping point. With the threats and complexities associated with enterprise Windows environments, something's got to change.
Think about it. Generic hardening, patching and antivirus just aren't doing the trick. I'm convinced that desktop protection is broken. The problem is not so obvious in small businesses, but ugly stuff tends to come out in larger enterprises. McAfee's recent
A big mistake I see enterprise administrators making with endpoint protection is not having a good grasp on where sensitive information is actually located and how it's currently at risk. Sensitive files may be accessible on Windows endpoints. How do you know? We also tend to forget the fact that not all information is sensitive or critical. You may not need to spend the same amount of effort locking down data at the endpoint if no sensitive information is stored locally.
You have to be careful, though. Just because you tell users not to store files locally doesn't mean that they're listening. I often see Windows desktops chock full of sensitive information when the "policy" was to store everything on the network.
In addition, even if a particular device is not used to process, access or store sensitive information, an attacker can still use it as a stepping stone to gain unauthorized access. My point is that endpoint protection is not so cut and dry. You've got to think things through if you're going to truly lock down the right endpoints in all the right ways.
So, what can you do?
1. Figure out what's where on your endpoints. You'll be surprised at how much information -- and access to virtual private network and remote desktop connections -- is available on any given Windows system. All that's required for an endpoint breakdown is for malware to take hold or for someone with ill intent to find or steal a laptop or tablet.
2. Understand what risks are present. You cannot secure what you don't acknowledge, so make sure you have clear visibility so you can make informed decisions on what needs to be done. The only way to know where things stand is to perform an in-depth security assessment of your environment.
3. Finally, and perhaps most importantly, implement the appropriate controls to keep things in check. Policies, endpoint security standards and a solid incident-response plan are a given, but don't overlook more advanced technical controls -- or even different endpoint architectures. This could be something as simple as seeking out applications that support data execution prevention and ASLR (address space layout randomization) or something as drastic as User Account Control or whitelisting of applications via AppLocker or third-party products. I'm convinced these controls are going to become more and more important as malware grows in complexity. DLP and even identity and access management are playing a bigger role in endpoint protection, as well. Finally, whole disk encryption from third-party vendors is a must for Windows laptops and other physically unsecure desktops.
As you move forward, don't overlook the reality that your mobile devices are becoming your new desktop. This means thinking long and hard about deploying a mobile device management (MDM) system from vendors such as Good, Mobile Active Defense and MobileIron.
As rudimentary -- and boring -- as endpoint protection may seem, you've got to get it right. Why not start now and come up with a long-term plan to do it well so you'll be prepared for the onslaught of endpoint threats we don't yet know about.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, and professional speaker at Atlanta--based Principle Logic LLC. With over 22 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 10 books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog for IT professionals on the go. Beaver can be reached at www.principlelogic.com, and you can follow in on Twitter at @kevinbeaver.
This was first published in September 2011