“Why wash your hands?” “How to Protect yourself and others.” These are headlines that I recently ran across while browsing daily news updates. For months, we’ve been bombarded with advice and guidance on how to stay healthy during the COVID-19 pandemic. While the guidance may vary, the topic of handwashing and avoiding hand contact (i.e. handshakes) has remained constant.
For years, medical practitioners and health organizations like the CDC have provided direction on proper handwashing techniques, which for some, finally seem to be hitting home with the increased health concerns that currently encompass us. The handwashing guidance shouldn’t come as a surprise. I’ll spare you the gory details that the CDC so eloquently discusses on their website, but in short, as humans, we do a lot of “stuff” with our hands and along the way, our hands inevitably pick up germs.
Endpoints, or employee laptops and workstations, especially laptops, are no different. We do a lot of “stuff” with our endpoints and along the way, they pick up germs or “get dirty.” This risk has increased as more and more employees have moved outside of the safe confines of the hardened and secure office space into the unknown cybersecurity risks due to COVID. While touching your face with a handful of germs can ultimately make you sick, reconnecting that dirty endpoint to your corporate network can lead to devastating consequences. The purpose of this article is to highlight some, but certainly not all, activities or best practices that should be incorporated into an effective endpoint security strategy.
What is Endpoint Security?
We see lots of questions surrounding endpoint security, including the following, which will be addressed throughout this article:
- “How does endpoint security work?”
- “What is the endpoint?”
- “What are the types of endpoint security?”
- “What is the best endpoint protection?”
- “How do you implement endpoint security?”
- “Is endpoint security an antivirus?”
Endpoint security is a collection of activities, solutions, and tooling that are designed to secure an end user’s computing device. That device could be a stationary desktop computer, a portable laptop, a virtual machine, or a mobile device. For the purpose of this article, an endpoint is a device that a human, user, or employee uses to perform a task, whether that be for business or pleasure.
The objectives of endpoint security or endpoint protection include protecting the user, the software, and the data from attacks, compromise, human error, and data leakage. While the primary objective is to protect the endpoint itself, introducing an infected endpoint into a larger environment, such as a corporate network, can exponentially increase the effects of the blast radius that may have initially been confined to just one endpoint. Clearly, the end goal of achieving an effective endpoint security strategy is not just to protect the endpoint, but to protect the broader environment in which the endpoint operates.
How Can I Achieve Endpoint Security?
Do I Really Need Antivirus?
I’ll start with antivirus (AV) even though it makes me sound like I’m stuck in the ’90s. For those of you that have looked into or purchased next-gen antivirus (NGAV) solutions, you already know and understand acronyms such as the following:
- EPP (Endpoint Protection Platform)
- EDR (Endpoint Detection and Response)
- Terms like Unified Endpoint Security
For those of you that don’t understand those terms, it might be good to spend a few minutes on your favorite web browser and do a little research. In short, malicious activity on your endpoint isn’t only caused by viruses. Files can be modified, credentials that you didn’t even know were on your endpoint can be accessed, permissions can be modified with the ultimate goal of comprising your endpoint or exfiltrating data. While viruses have taken the blame for that activity in the past, it’s not always a virus that is responsible for the malicious behavior that is detected on your machine. There really needs to be a shift in thinking from antivirus to anti-malicious behavior.
While an EPP solution is typically packed with tooling and solutions to detect and block threats to an endpoint, EDR is there to provide enhanced detection capabilities to detect malicious behavior, anomalies, generate alerts and enhance capabilities to respond and remediate. Ideally, users need a solution that provides both EPP and EDR capabilities. Depending on the size of your security team, you may want to find a solution that combines both solutions into one to simplify deployment, management, and monitoring. Fortunately, there is no shortage of options. If you attend security conferences, you’ve probably seen an explosion in security solutions and offerings over the past few years with endpoint security being an area that has experienced rapid growth.
If you’re running Mac and Linux, you’re not immune. Contrary to popular beliefs, malicious behavior doesn’t just occur on Windows boxes. If you’re spending the money to protect your Windows boxes, make sure you’re investing in your entire workforce and inventory. Personal experience has shown that bad things can and do happen to Mac and Linux, just like they do to Windows. Mac end-users can just as easily download files that can unknowingly be packed with malware, PUP (potentially unwanted program), and adware. While NGAV solutions aren’t bulletproof, and they certainly don’t represent a complete endpoint security strategy, they do represent one more line of defense and one more set of eyes on your growing, diverse, and widespread technology environment.
Why is Patch Management Important?
A large number of data breaches and cyberattacks take advantage of known vulnerabilities that seem to be discovered daily. The good news is that the majority of those vulnerabilities can be fixed by applying patches and updates as soon as possible. Studies have shown that a large number of breaches could have been prevented if the end-user or company would have been more diligent in applying patches in a timelier manner. Larger corporations may need to exercise more prudence and care in how quickly and how often patches are rolled out to ensure patches or upgrades don’t disrupt operations. Individual users and small organizations may be better off by simply enabling automatic updates to ensure endpoints remain on the latest and greatest versions of vendor-provided software. To ensure all assets remain current and compliant with company defined patching policies, larger organizations may need to invest in 3rd party solutions that manage and monitor the deployment of patches and updates within the environment. Patch management is far too important to leave it up to the end-user to decide when and how often they decide to patch.
How Can Vulnerability Scanning Help Me?
According to one NIST definition, a vulnerability is a weakness in a system, application, or network that is subject to exploitation or misuse. A vulnerability scanner is a tool that is used to scan computers and networks for known vulnerabilities. As previously mentioned, vulnerabilities are at times discovered on a daily basis. Staying current or maintaining awareness of the latest vulnerabilities is a daunting task.
The responsibility becomes exponentially greater as a company begins to grow its digital footprint or technology ecosystem. Vulnerability scanners can ease the burden by automatically maintaining a current list of known vulnerabilities and then checking that list against the assets in your technology portfolio. Identified gaps can typically be corrected by simply applying a vendor-supplied patch that is usually identified in conjunction with the vulnerability.
If you believe your patch management program is bulletproof, a vulnerability scanner can keep you honest. The growing remote workforce introduces new complications for effective patch management as endpoints may remain turned off, never rebooted, or may not connect to corporate networks for extended periods of time. All of these use cases can lead to an endpoint remaining unpatched for both known and unknown software packages. Unpatched systems become more vulnerable with each passing day due to the frequent identification of new vulnerabilities. Connecting unpatched endpoints to an unsecured network, downloading an unknown file, or opening a malicious attachment creates an increased risk to the endpoint, the end-user, and ultimately your company.
What is Endpoint Hardening?
Over time, the internet and endpoint computing solutions have transitioned from a mindset of “share everything”, to “only share when, what and to whom you want to.” Operating systems (OS) have shifted from a philosophy of “turn off what you don’t want” to “only turn on what you need.” All of these efforts have helped to create a more secure endpoint computing solution for the majority of end-users. While these improvements have helped to create a more secure experience, out-of-the-box, there are still configurations or changes that can be made to the endpoint to make it more secure. The practice of modifying configurations within an endpoint to make it more secure is referred to as endpoint hardening.
Simple changes include turning on a screensaver that requires a username and password after periods of inactivity. More complex changes may include disallowing inbound connections, disabling the ability to create file shares, or removing the ability for remote authentication. In addition to OS modifications, changes can also be made to the software that runs on the endpoint, such as the web browser. Most manufacturers may provide guidance on tweaks that can be made to improve the security of your endpoint. Third parties such as the Center for Internet Security (CIS) have also established benchmarks to help get you started.
As your organization begins to grow, it may be wise to utilize Microsoft’s Group Policy or another 3rd party solution to help ensure configuration changes are effectively rolled out and remain in place. It’s also important to remember that not everyone in your organization may share the same level of enthusiasm about securing their endpoints. As you travel down the path of endpoint hardening, it will be helpful to develop a working group or test group to act as your testbed prior to rolling out changes to the entire company.
Developers are especially proficient in finding ways to maximize the capabilities of their endpoints. Unexpectedly shutting down services or disabling features may create major disruptions in their software development process. Validating your proposed changes with a test group that includes some of your more technical users and sufficiently advertising upcoming changes will help to minimize unwelcome surprises and unpleasant interactions.
As I mentioned earlier, while this list isn’t all-encompassing, deploying antivirus, establishing a robust patch management program, implementing vulnerability scanning, and initiating efforts to harden your endpoints are excellent steps to take in strengthening your endpoint security posture. Ensuring that endpoint security and protection are included in your security strategy is critical to the achievement of your overall security and data protection goals and objectives.
Please contact us at Linford & Company if you have any questions pertaining to endpoint security or if you would like to discuss any security compliance questions, or any of the many attestation services we provide.
Mark Larson started working in the technology industry in 1998 where he worked in a number of different roles prior to transitioning to the public accounting world in 2004 with Ernst & Young (EY). During his 6 years at EY, Mark provided both assurance and advisory services that spanned multiple industries for both public and private companies. After leaving EY, Mark filled leadership roles within Internal Audit, Technology, and Security functions for several companies. Mark specializes in SOC examinations and enjoys helping clients establish, formalize, and report on effective control environments while strengthening their security risk profile.