Desktop Security
The final frontier
A strong fortress is of no use if the entry points are not well guarded, says Irshadh Rasheed.
Desktops, notebooks, PDAs and other endpoint computing devices have changed
the corporate computing environment dramatically in the last few years. Corporate
networks are not restricted to the office anymore. Employees access their organisation's
network from any part of the world through a variety of technologies. Any location
from where the corporate network is accessed has become the endpoint of a network
perimeter. Employees have learned to manage computing environments independently,
accessing the Internet, downloading and installing applications and sharing
all types of files with fellow employees and clients. Securing this corporate
computing environment is becoming complicated and resource-intensive as the
dynamically changing environment is exposed to new threats from black hats.
Security in depth is one of the fundamental principles
for information security programs. However, the emergence of a large number
of gateway and unified threat management products for protecting the corporate
network, and thereby its hosts, from hacking attempts, viruses, worms, spam and so on
has provoked a debate over whether gateway security products can replace endpoint
security products. Anti-virus and personal firewalls are amongst the most widely
deployed desktop security software. The cost of deploying and pushing the anti-virus
updates, firewall rules and patches to all desktops in an organisation is high
compared to the few gateway security servers which sit on the perimeter of the
corporate network. Do the benefits in terms of manageability, cost and resources
outweigh the risks? Are desktop security products obsolete? Can gateway security
products replace endpoint security? Understanding the recent spate of security
incidents and threats of corporate desktops being exposed may provide answers
to these questions.
Reported security incidents are only the tip of the proverbial iceberg. Many
incidents go unreported because of the embarrassment and loss of reputation involved.
Security threats
Desktops are not simply exposed to plain vanilla viruses and worms. The variety of malicious
programs has increased dramatically, and new and innovative channels are used
for their introduction and propagation.
- Malicious programs get installed
on desktops when employees access Web sites infected with malicious
code, access and share infected files, and install seemingly harmless
third-party software from hackers. Spyware is used to gather information
about the user and send it to third parties around the world.
Browsers are the easiest targets of spyware, which hijacks user
sessions to malicious Web sites and content.
- Employees
download and use peer-to-peer file sharing and other applications on their
desktops though there is no business reason for using these programs. P2P
networks are soft targets for distributing viruses and worms. Though these
applications may be blocked on the corporate network, employees may use these
applications at home. Instant messaging (IM) applications are becoming an
accepted business tool across the corporate world. Viruses and worms can spread
through file sharing via IM applications.
- Mobile storage devices are convenient for transferring
files among colleagues. Apart from stealing information, these
devices may act as a medium for transferring malware from home
or client computers to the corporate network.
- The need for secure configuration
of endpoints is often overlooked. Trust in the internal network
and in employees is the fundamental reason for this. Sharing folders,
giving anonymous access to them and running unnecessary services
help propagate viruses and worms within internal networks.
Attackers do not have to work hard to penetrate the well-secured network perimeter
anymore. All that is required is to find an insecure endpoint inside the corporate
network or one roaming outside the corporate firewall. Attackers can use this
as Patient Zero, an ignition point from which to spread viruses, worms,
spyware, Trojans and other malicious programs in the corporate network.
Endpoint security is not dead
Perimeter protection, epitomised by firewalls and other gateway
security products, can be easily circumvented if malicious programs emanate from
an endpoint device trying to log on to the network from any part of the world.
Gateway security products cannot provide protection against a malicious program
that enters the organisation through ways other than the gateway. Internal attacks
are becoming more prevalent and devastating. What is required to protect organisations
from the current trend of threats is the good old mantra in security, defence
in depth: layered security, with each layer providing a barrier to entry
into the corporate network. The need to protect endpoint devices is felt
more than ever by security managers.
Leading security vendors refer to endpoint protection by different names, some
of which are network access protection, total access protection or network admission
control. All these products provide the following benefits:
- They improve the defences of healthy and compliant
endpoints by ensuring that the ones connected to the network are always updated
with the latest patches, signature updates, firewall rules and secure operating
system configuration.
- They identify, quarantine and heal non-secure endpoints.
Endpoint security products have evolved over the last decade
from plain vanilla anti-virus agents to integrated software agents that
provide anti-virus, anti-spyware, firewall and patch update capabilities
to the endpoint. The latest endpoint security products provide the following features:
- Basic protection from malicious programs (viruses,
worms, Trojans, spyware and so on).
- A personal firewall that permits only specific programs
to interact through the network and closes all unnecessary ports.
- Intrusion detection/ prevention programs provide
intrusion detection and prevention capabilities to endpoints.
- Patch update software ensures that the operating
system and other key software are updated with the latest patches.
- Operating system configuration involves configuring
the operating system securely based on the organisation's security policies
and OS hardening standards.
- Policy compliance ensures that all PCs that access
the network are clean before they are allowed to enter the network.
- Client lock down prevents users and attackers from
disabling endpoint security or enforcement of network access policy. The ability
to deliver comprehensive, assured endpoint security and policy compliance
enterprise-wide enables threats to be defeated.
- E-mail protection quarantines suspicious e-mail
attachments and helps prevent address book hijacking.
- Easy and fast remediation offers a quick resolution
for out-of-compliance endpoints, so users stay productive and don't call
the help desk while they're getting into compliance.
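The policy compliance, quarantine and remediation behaviour listed above can be shown as a small admission check. This is an added illustration, not code from the article or from any vendor's product: the policy thresholds, patch identifiers, hostnames and service names are all constructed placeholders.

```python
"""Added example: a network admission control (NAC) posture check.
An endpoint reports its state; policy returns ALLOW, or QUARANTINE together
with the remediation ("heal") steps needed to get back into compliance.
Every threshold and identifier below is a constructed placeholder."""
from dataclasses import dataclass, field

# Hypothetical policy values; a real product reads these from its management console.
MAX_SIGNATURE_AGE_DAYS = 3
REQUIRED_PATCHES = {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}   # placeholder patch ids
FORBIDDEN_SERVICES = {"telnet", "p2p-client"}             # from the OS hardening baseline


@dataclass
class EndpointState:
    """What the endpoint agent reports at connection time."""
    hostname: str
    av_signature_age_days: int
    installed_patches: set
    firewall_enabled: bool
    anonymous_shares: list = field(default_factory=list)
    running_services: set = field(default_factory=set)


def assess(ep: EndpointState) -> dict:
    """Return {'decision': 'ALLOW' | 'QUARANTINE', 'remediation': [steps]}."""
    fixes = []
    if ep.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        fixes.append("update anti-virus signatures")
    missing = sorted(REQUIRED_PATCHES - ep.installed_patches)
    if missing:
        fixes.append("install patches: " + ", ".join(missing))
    if not ep.firewall_enabled:
        fixes.append("enable personal firewall")
    if ep.anonymous_shares:
        fixes.append("remove anonymous shares: " + ", ".join(ep.anonymous_shares))
    bad = sorted(FORBIDDEN_SERVICES & ep.running_services)
    if bad:
        fixes.append("stop unnecessary services: " + ", ".join(bad))
    # Any outstanding fix means the endpoint is held in quarantine until healed.
    return {"decision": "QUARANTINE" if fixes else "ALLOW", "remediation": fixes}


# Constructed sample endpoints: a compliant office PC and a roaming laptop.
CLEAN = EndpointState("ws-01", 1, {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}, True)
ROAMING_LAPTOP = EndpointState("lt-07", 14, {"KB-EXAMPLE-001"}, False,
                               anonymous_shares=["\\\\lt-07\\public"],
                               running_services={"p2p-client", "print-spooler"})

if __name__ == "__main__":
    for endpoint in (CLEAN, ROAMING_LAPTOP):
        print(endpoint.hostname, assess(endpoint))
```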
Security incidents
- 70 percent of large organisations suffered
at least one security incident or an intrusion in the year 2004, according
to the Computer Emergency Response Team (CERT). Many of them involved
hijacked endpoints that were used to propagate distributed denial-of-service
(DDoS) attacks, phishing expeditions, worm outbreaks, malware and spyware.
- IDC estimates that 67 percent of all computers
have some form of spyware.
- Keyloggers were used in an attempt to
transfer $420 million from a London branch of Japanese bank Sumitomo
Mitsui.
- 40 million credit card numbers stolen
at Card Systems was attributed to the deployment of a malicious script
in one of their systems.
- 6,000 keyloggers were released in the
wild this year up from 3,753 last year.
- The hacking of Lowe's Companies Inc involved
installation of a program on the retailer's central system to hijack
credit card information.
Interaction & integration
Endpoint security products were neither network-aware nor aware of what was happening
on other endpoints. The best strategy to protect the entire network is interaction
and co-ordination between endpoint security software, its management components
and gateway security products. Integration with network gateway products, from
VPNs to switches to wireless points, ensures that non-compliant PCs are
quarantined and brought back into compliance before they are given access to
network resources.
Cost: TCO and more
Any software that gets loaded on to user desktops comes at
a huge cost. This is not just about the Total Cost of Ownership, but also about
the cost of managing them across the organisation. Companies prefer best-of-breed
solutions for each component of endpoint security, anti-virus, personal
firewall and anti-spyware, regardless of the vendor. Supporting multiple vendors
on the desktop can be a nightmare and an expensive one at that. Each additional
piece of software or agent requires more effort to manage it. Security managers
should evaluate using unified suites available from leading vendors as these
can provide huge savings in the long term in terms of deployment resources,
upgrades, compatibility concerns, troubleshooting time and annual support contracts.
Moreover, endpoint security products available from gateway security product
companies offer greater interaction and integration than pure third-party endpoint
security products.
Implementing technology components in the endpoints alone may not be enough
for foolproof security. The most important aspect is employee awareness and
training about various security threats and ways to mitigate them in their own
devices. It is the combination of technology, people and processes that can
ultimately provide protection to corporate information from preying hands.
Irshadh Rasheed is Senior Consultant, Ernst & Young.
He can be reached at irshadh.rasheed@in.ey.com