Many companies do a good job of protecting their perimeter. They install firewalls to keep the bad guys out of their corporate network. They use anti-virus software and intrusion detection. But with the proliferation of mobile devices — from smartphones to USB keys — it’s becoming easy to bypass that perimeter security and go straight to the endpoints. And that’s why endpoint security is becoming such a critical part of an overall security strategy.
But most companies aren’t even focused on protecting laptops, let alone mobile and mass storage devices. “They consider them nothing more than desktop computers,” said Claudiu Popa, president of Informatica Security Corp. “It’s just another category in their technology inventory — they don’t realize those systems need to be differently secured than desktops because they spend time in cars and left on the kitchen counter at home.” There’s a tremendous increase in the number of break-ins that result in data theft, he added, but they take place at the employee’s home rather than the workplace.
With mobile devices, it’s possible to bypass most of a company’s gateway security and get right down to the endpoints. And that highlights the need for endpoint security, said Derek Manky, security research engineer with Fortinet.
1. Smart phones have dumb security Viruses are going to become more prevalent on smart phones, when we start seeing more interactivity between mobile devices and desktop PCs. “We haven’t got to that point where it’s a high-level threat, but it is definitely overlooked,” Manky said. “As far as administrative access, it’s not treated as a threat.”
We haven’t seen crossover viruses yet, where a virus on a smartphone crosses over to a Windows desktop, but we’ll see it in the future (a proof-of-concept crossover virus has been written for Windows Mobile). The iPhone, and the possibility of a Google phone, means there will be more new and interactive platforms. Malware can also be launched on thumb drives that can easily make their way into an organization without being noticed.
You can have good gateway security, but all it takes is one virus to infiltrate and gain access to the network, said Manky. The virus can be engineered to dial back to the hackers and open up a Trojan, so they can then gain access to corporate information. “Everything’s becoming more financially motivated and targeted attacks are a very real scenario,” he said. “If you have someone who premeditates this, it’s very possible to open up a wealth of information.”
One solution is on the mobile device itself, where it’s able to detect attacks before the user transfers them. Proper anti-virus scanning on the desktop PC eliminates anything further.
2. Data is let loose The real risk, at this point, is in terms of the data these devices can hold, said James Quin, senior research analyst with Info-Tech Research Group. When it comes to controls that can be pushed out to these units, though, there’s not a lot out there, so it’s difficult for companies to ensure these devices can stay protected. The best thing they can do is not put data on them in the first place, both through policy and the use of blocking filters.
There’s a range of software solutions out there that typically fall under the banner of USB blockers. Rather than just completely lopping off the USB ports, they can be used to control what type of USB devices can be attached — down to a specific brand or even a specific serial number.
Any data on the device should be encrypted, but there’s still limited deployment of encryption solutions, partly due to the perception that it’s expensive and difficult to manage. Microsoft’s Encrypting File System (EFS) is part of the operating system, so it’s free, but there will be management time and costs associated with it. Other solutions on the market will cost more, but could be easier to manage. “To focus on just one area of protection opens yourself up to risks,” said Quin. “If you just focus on protecting the data on the laptop, then you’re ignoring some of the network-based security risks that can occur.”
3. Networks are wide open The network plays a key role in endpoint security. One component is authentication, being able to validate the device as it tries to gain access to the corporate network, said Darren Hamilton, category business manager for ProCurve Networking with HP Canada. The second component is continuing to check on your status and behaviour on the network — because even if you authenticate, you can still plug in that USB key in your pocket.
A firewall is great, but according to Forrester, 68 per cent of attacks come from within, so that’s not something a firewall is necessarily going to pick up. There are different points of access on the infrastructure, different operating systems and different vendors, so it’s all about unifying that management.
“It’s one thing to have all these products and expensive appliances to throw at the issue, but if it’s not manageable, if it sucks up more cycles out of IT, it often goes unused,” said Hamilton. “We’re right back in the same dilemma.” Forrester says 98 per cent of companies have firewalls and 97 per cent have anti-virus — so clearly that’s not doing it.
“One of the things that has become critical to our customers is the ability to get a view of the network to understand who’s on it,” he said. “Somebody might not even realize there’s something happening on their network.” An endpoint integrity check will help reduce a lot of the risk to transient workers or non-standard employee PCs. But it’s an evolution, not an afternoon installation.
In a recent survey, Symantec found that 46 per cent of respondents said laptops and remote wireless devices have a serious impact on their business, and they’re suspecting that theft of a laptop or the intellectual property that resides on it may be a source of IT incidents. But only a third of them have a good snapshot of what’s on those devices, said Jennie Grimes, senior director of Symantec’s IT Risk Management Program Office.
“Invariably this disconnect about laptops comes up and it’s usually, from the CIO’s perspective, not a service level they want to take on because that often adds thousands of devices to their backup and patch management workload,” she said. “And yet, from a risk management perspective, it’s critical to get control over those devices, so there’s a possible tension out there right now.” When they did experience a failure, 53 per cent of the time it was related to processes, not technology.
4. Settings are set aside If you’re activating a device for the first time or the user’s role is changing within the organization, the security settings should be automatically updated based on the user’s profile.
“That’s very difficult for organizations,” said Allen Houpt, director of product management with CA. “There are a lot of human touch points — that’s pretty much done manually today and that’s where errors can occur.” And that results in lag time where the device could be compromised — lost, misplaced or stolen.
Due to compliance reasons, not everybody has the same settings on their laptops. While companies have been focused on provisioning, asset management and troubleshooting, policies tend to be fragmented. “It’s not easy to manage these things if you’ve got multiple sets of policies out there,” said Houpt.
And this is chewing into the help desk and administrators’ time. “They’re getting hammered with these issues,” he said. One company he dealt with had more than 20,000 devices — and half its help-desk issues had to do with these devices. And the company was outsourcing its help desk.
CA has products for the BlackBerry line that link into larger asset management technology, and it’s in the process of expanding that to Symbian and Windows Mobile devices.
“We inventory the environment,” said Houpt. “That needs to feed into a corporate asset management strategy, not just laptops and desktops, but mobile devices — you should be able to track licences and the costs associated with them.”
