Whenever someone in the IT world says the word security, you experience one of two reactions: Either you sit up and take notice, furiously taking notes to avoid becoming a statistic, or your eyes glaze over while contemplating the vastness of the concept and wishing you were somewhere else.
There are many layers in security, such as physical, network, data, access and identity management, and many more. In this article, however, I’d like to focus on endpoint security. That is, ensuring that even if an intruder has access to your network, that person cannot take over a trusted endpoint within it. When it comes to securing your endpoints, you really have three main parts to worry about: patch management, endpoint configuration and antivirus/anti-malware. There is no first or last. They must each be given equal weight, or you risk missing a potential attack vector.
Patching is usually the first line of defense in endpoint security because it addresses defects in the operating system or installed software. As the list of available patches for any operating system shows, no one is safe. They all have defects. The more popular or mission-critical an operating system is, the more attractive it is to attackers, and the more malware will be written for it.
If you were looking for a place to start shoring up your defenses, this is where I’d start. Review all vendor patches carefully as they are released, and always test on non-production systems before implementing them in the production environment. From your power-users, put together a group of ‘early adopters’ that will be your test bed for all patches. While there are many examples where beta-testing doesn’t always find all the kinks, it is an effective way to iron out the large wrinkles before you release a patch into your production environment.
In May 2017, a worldwide cyberattack, known as WannaCry, exploited a vulnerability in Microsoft’s SMB protocol. It wreaked havoc across the world, infecting more than 200,000 systems in 150 countries. Microsoft had known about the vulnerability and released a patch several months before. However, the main reason so many systems were affected was that those system owners never applied the patch. Patch management may not be glamorous, but this event showed that ignoring it can have disastrous consequences.
Patching will only get you so far. Once all the software defects are fixed, you’re still left with a few places that hackers can target to gain entry. This is where security configuration comes in. If patching deals with attack vectors that are defects, then security configuration deals with the ones that are there by design. A password’s length, complexity and age are good examples.
If the operating system is fully patched, but the primary user (who, by the way, is a local or domain admin) has a weak or old password, then the intruder has a better chance of guessing it, and essentially, masquerading as the user to do the intruder’s dirty deeds.
Passwords are just the tip of the iceberg though. Depending on the operating system, security configuration can get very deep and complex. Examples of such configuration items are enabled guest accounts, elevated privileges, autoplay on removable media, and so on. It is generally not a good idea to enable all of these configuration items across the board. Which ones are best for your organization depends on your level of risk tolerance and on the recommendations of an internal risk assessment.
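As an added example (not from the original article), the password-policy part of a configuration check: it parses the output of the Windows `net accounts` command and compares it against a hypothetical baseline. The sample output and the baseline thresholds are constructed for illustration, not captured from a real system or taken from a published standard.

```python
import re

# Constructed sample of `net accounts` output; values chosen to show a weak policy.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              6
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Hypothetical baseline; tune these to your own risk assessment.
BASELINE = {"min_length": 14, "max_age_days": 90, "history": 24, "lockout_threshold": 10}

def parse_net_accounts(text):
    """Turn each 'label:   value' line into a dict entry; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s{2,}(\S.*)$", line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings

def _num(value):
    """'None' means zero; 'Never'/'Unlimited' mean no limit at all (returned as None)."""
    if value == "None":
        return 0
    if value in ("Never", "Unlimited"):
        return None
    return int(value)

def audit_password_policy(text, baseline=BASELINE):
    """Return a list of findings where the endpoint is weaker than the baseline."""
    s = parse_net_accounts(text)
    findings = []
    min_len = _num(s["Minimum password length"])
    if min_len < baseline["min_length"]:
        findings.append(f"minimum length {min_len} < {baseline['min_length']}")
    max_age = _num(s["Maximum password age (days)"])
    if max_age is None or max_age > baseline["max_age_days"]:
        findings.append(f"maximum age {s['Maximum password age (days)']} > {baseline['max_age_days']} days")
    if _num(s["Length of password history maintained"]) < baseline["history"]:
        findings.append(f"history {s['Length of password history maintained']} < {baseline['history']}")
    lockout = _num(s["Lockout threshold"])
    if lockout is None or lockout > baseline["lockout_threshold"]:
        findings.append(f"lockout threshold {s['Lockout threshold']} (baseline {baseline['lockout_threshold']})")
    return findings
```

Running `audit_password_policy(SAMPLE_NET_ACCOUNTS)` on the constructed sample reports four findings; a compliant endpoint returns an empty list.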
Antivirus and anti-malware protection is typically the most visible form of endpoint protection. Many organizations use some kind of virus and malware protection. The problem is that in many cases there are a variety of different endpoint protection solutions in place throughout the environment that are not always maintained at the same version and often have outdated malware/virus definitions. It is important to develop a cohesive strategy to regularly update the endpoint clients and scan for infections.
In a perfect world, this is done from the console of a single vendor’s product. But as mergers and acquisitions happen, companies that were once separate with their own endpoint protection solution now become one. Sometimes you can bring the new endpoints into the fold, but other times you can’t. Therefore, it is important to be able to manage clients from different vendors in an efficient way.
Even when fully maintained, a weakness of traditional antivirus software is that it is reactive rather than proactive. Legacy antivirus platforms scan for viruses by comparing ‘signatures’ of known viruses with files on a computer’s hard drive. When a match is found, the file is deemed to be a virus and quarantined or deleted. The weak link in this method is obvious: if a new virus is not yet known to the software, it will not be able to detect it.
In recent years, a more dynamic approach to antivirus has emerged, commonly known as next generation antivirus (NGAV). This method uses threat intelligence and a vast database of attack patterns to analyze every process running on a device in order to determine in real time whether its behavior is expected or anomalous. If a process starts to deviate from its expected behavior, the NGAV will block it and alert an operator. If the behavior is deemed benign and is approved, the system learns to expect it and doesn’t flag it in the future.
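To make the contrast between the two approaches concrete, here is an added toy example (not code from the article or any vendor product): a hash-based signature check that misses a one-byte variant of a known sample, beside a per-process behavior baseline that blocks unexpected actions and learns them once an operator approves. The sample bytes, process names and actions are all constructed.

```python
import hashlib

# Constructed "files": a known-bad sample and a one-byte variant (not real malware).
KNOWN_BAD = b"MZ\x90\x00constructed-sample"
VARIANT = KNOWN_BAD + b"\x00"          # trivially repacked copy

# Legacy signature database: SHA-256 hashes of samples seen before.
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

def signature_scan(data):
    """Reactive check: flagged only if this exact content was already catalogued."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES

class BehaviorMonitor:
    """Per-process baseline of approved actions; anything outside it is blocked."""

    def __init__(self, baseline):
        self.expected = {proc: set(acts) for proc, acts in baseline.items()}
        self.alerts = []

    def observe(self, proc, action):
        if action in self.expected.get(proc, set()):
            return "allow"
        self.alerts.append((proc, action))   # operator is notified
        return "block"

    def approve(self, proc, action):
        """Operator judged the behavior benign: learn it so it is not flagged again."""
        self.expected.setdefault(proc, set()).add(action)

def run_events(monitor, events):
    """Feed (process, action) pairs through the monitor and collect the verdicts."""
    return [monitor.observe(proc, action) for proc, action in events]

# Constructed baseline and event stream for an updater that suddenly persists itself.
BASELINE = {"updater.exe": ["read:config", "net:connect:vendor-cdn"]}
EVENTS = [
    ("updater.exe", "read:config"),
    ("updater.exe", "net:connect:vendor-cdn"),
    ("updater.exe", "write:startup-folder"),   # deviation from expected behavior
]
```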
Stay Ahead of the Game with Continuous Improvement
Now that you have a handle on the primary attack vectors your endpoints face, you can relax, right? Wrong! The hackers don’t sleep, so you can’t either. In the world of endpoint security, you can patch and configure and scan for malware today and be in total compliance. But if you stop there, your compliance will drift, and you will find yourself vulnerable again in short order.
Endpoint security is a never-ending cycle of analysis, vulnerability discovery and remediation. Your level of compliance with security protocols will always be in flux as new endpoints, patches or virus definitions emerge. The important thing is that if you maintain visibility and control of your endpoints, your level of compliance will always trend upwards.
If you’d like to have an energetic and focused conversation about improving your organization’s endpoint security, Lighthouse Computer Services is here to help you get there.