The Elements of Endpoint Security - 12/2008

Website: www.cdw.com
Phone: (800) 985.4CDW

Your IT endpoints, the notebook computers and desktops your people use every day, are probably the weak point in your security program. A four-part protection strategy, none of it very expensive, can help keep you safe.


Endpoints and weak points
Endpoints — desktop and notebook client computers — are where your organization conducts most of its business. Unfortunately, those same endpoints are increasingly vulnerable to security threats, including phishing attacks, spam, viruses, worms, rootkits, keyloggers and other malware. Endpoints have also expanded your security perimeter, making it much harder to defend. In fact, endpoints are probably your weakest security link.

Four endpoint security challenges
The endpoint security challenge is fourfold: to protect the endpoints against malware; to prevent infected endpoints from introducing malware and unauthorized software to your network; to prevent data leakage and data theft via endpoint devices; and to protect against the endpoint users themselves.

Of course, you can take an extreme approach and simply lock down your network, so that remote clients cannot access it. That’s effective, but it’s not practical in today’s mobile computing environment. Or you can try to get your organization to commit to a thin-client approach, where all the applications and information remain inside your network perimeter, but that’s an expensive and long-term project. A more reasonable approach is to develop an endpoint security strategy that balances both security risks and end user convenience and productivity. Here are some thoughts that will help you get started.

Defending endpoints against attack
Even though your network is protected against malware, an effective, multilayered security approach dictates that you protect all your endpoints too — the ones behind your firewall as well as those that operate beyond or travel in and out of your perimeter. Use the same techniques that you employ for your network: antivirus detection, spyware scanning and a local firewall.

To simplify management and control, you can use an integrated suite of security tools, although many security specialists recommend a multi-vendor approach, since attackers focus on ways to defeat the major brands. In any event, perimeter security and endpoint security are both necessary.
 
Defending your network against endpoints
The last thing you need is an infected notebook or smartphone connecting to your network, bypassing your perimeter defenses. But, what can you do about it? The first line of defense is pretty basic: strong user authorization and authentication.

Simple passwords can be cracked in minutes by experienced hackers (making hundreds of thousands of guesses per second), so make sure your users all use strong passwords — combining capital and lowercase letters and numerals — and change them frequently.
 
Even strong passwords, however, can be intercepted or stolen, so consider implementing two-factor authentication to secure virtual private network (VPN) connections and other activities. Two-factor authentication uses a PIN or other identifier, such as a fingerprint, to authorize a hardware or software “token” to generate a one-time identifying string.
 
With strong authentication, you’ll know that the user is the person he or she claims to be. But, you still don’t know whether the particular device has the proper security configuration. That’s when you need to consider network access control (NAC), a relatively new technology that promises to remove most or all of the risk from remote connections. In fact, some form of access control is already required in order to comply with regulations like Sarbanes-Oxley, HIPAA (the Health Insurance Portability and Accountability Act) and others.
 
In general, NAC authenticates both the user and the device and performs a health check to ensure that the device is running all appropriate security software and that the software is up-to-date. If any of the software is not installed or is not properly patched, NAC refuses network access. Next, NAC scans the device, looking for malware infections. If it finds any, network access is refused. NAC can also be used to remediate a device to bring it up to standards for admission and can monitor traffic during the session.
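The admission sequence described above, written out as an added example (not CDW's or any NAC vendor's code): a posture-evaluation policy that applies the steps in that paragraph to a constructed endpoint report. The report fields, the seven-day definition-age threshold and the admit/remediate/deny outcomes are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed posture report, as a NAC agent might collect it from an endpoint.
# The field names are assumptions for this example, not any vendor's schema.
@dataclass
class PostureReport:
    device_id: str
    user_authenticated: bool      # password or two-factor login succeeded
    device_authenticated: bool    # device identity (e.g. certificate) verified
    antivirus_installed: bool
    av_definitions_date: Optional[date]
    firewall_enabled: bool
    patch_level_current: bool
    malware_detected: bool        # result of the NAC malware scan

MAX_DEFINITION_AGE = timedelta(days=7)  # assumed policy threshold

def evaluate_posture(report: PostureReport, today: date) -> Tuple[str, List[str]]:
    """Apply the admission sequence from the article: authenticate user and
    device, check that required security software is present and current,
    then check for infection. Returns ("deny" | "remediate" | "admit", reasons)."""
    reasons: List[str] = []
    # Step 1: both the user and the device must authenticate; nothing to remediate.
    if not (report.user_authenticated and report.device_authenticated):
        return "deny", ["authentication failed"]
    # Step 2: health check for missing or stale security software.
    if not report.antivirus_installed:
        reasons.append("antivirus not installed")
    elif (report.av_definitions_date is None
          or today - report.av_definitions_date > MAX_DEFINITION_AGE):
        reasons.append("antivirus definitions out of date")
    if not report.firewall_enabled:
        reasons.append("local firewall disabled")
    if not report.patch_level_current:
        reasons.append("missing security patches")
    # Step 3: an infected device is refused outright rather than remediated online.
    if report.malware_detected:
        return "deny", reasons + ["malware detected"]
    # Health-check failures are fixable: send the device to a remediation network.
    if reasons:
        return "remediate", reasons
    return "admit", []

# Constructed sample endpoints (dates chosen to match the article's 12/2008 issue).
HEALTHY = PostureReport("lt-01", True, True, True, date(2008, 12, 1), True, True, False)
STALE_AV = PostureReport("lt-02", True, True, True, date(2008, 10, 1), True, False, False)
INFECTED = PostureReport("lt-03", True, True, True, date(2008, 12, 1), True, True, True)
```

Calling `evaluate_posture(STALE_AV, date(2008, 12, 3))` yields a remediate decision listing the stale definitions and missing patches, while `INFECTED` is denied even though its software is current.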

NAC is a fast-evolving technology with enormous potential for controlling endpoint devices (including noncomputer devices like smartphones, MP3 players and printers) with fine granularity, by limiting endpoint access to specific network locations or applications, by limiting certain types of traffic or by limiting the types of connections allowed.

Progress has been made toward adopting an open-standards approach that will ensure that various brands of endpoint devices will be able to connect via various brands of NAC systems. Finally, NAC technology can be implemented incrementally and is affordable for almost any organization that wants to secure its network endpoints.

Defending against endpoint data leaks and data theft
Even authorized and authenticated endpoint users can, either maliciously or carelessly, be responsible for data theft or leakage. In fact, the leading cause of stolen information is trusted users who copy that information onto notebooks or other portable devices and then simply walk out with them. Close behind are trusted but negligent or careless users who take sensitive information beyond your network perimeter in order to work with it, but end up losing their notebook or having it stolen.

The only way to prevent endpoint data theft and data leaks is to limit access to important data and to employ content filtering to restrict file transfers. NAC technology, as mentioned above, can include traffic monitoring and blocking. No endpoint security strategy is complete if it doesn’t control information that is being copied onto endpoint devices.

Finally, the ultimate protection against damage caused by data leaks and theft is encryption. Even if the data falls into the wrong hands, it will be useless. Today’s encryption technology is affordable and has little effect on system performance, so there is no reason not to encrypt your organization’s most sensitive data.
 
Defending against your own endpoint users
The fourth endpoint security challenge is the endpoint users themselves. Attackers rely on the unwitting cooperation of users. Careless Web browsing (clicking on suspicious links, surfing to malicious Web sites) and irresponsible e-mail behavior (opening malicious attachments) are the leading vectors used by attackers to install viruses, worms, and Trojan horses.
 
Malware attacks are growing much more sophisticated, and there’s a good chance your antimalware applications will be ineffective, no matter how frequently you update them. (In recent tests, PC World found that the best security software detected only one in four new malware samples.)

One of the most effective strategies for preventing malware problems is to modify end-user behavior. Your security program should include a strong, ongoing educational component, to teach end users why and how to create strong passwords, how to handle e-mail attachments and how to spot fraudulent activities like phishing scams and suspicious Web links.

It should also state clearly what software is permissible on your organization’s computers and include a warning to discourage misuse of your organization’s computing resources. Finally, let everyone know that all network activities, including Web browsing, are logged and monitored. You can’t remind employees of all these things frequently or emphatically enough.

A summary of steps to secure endpoints

• Use market-leading security tools — antivirus software, spyware scanner, rootkit detector, and firewall — on all client devices, and keep them up to date. Consider using software suites or devices that provide a more integrated, easier-to-manage level of protection.

• Install software patches and security updates promptly and consistently across the organization.

• Use encryption to protect all sensitive information, including data at rest.

• Make sure that all users receive adequate education and training on how to recognize and avoid suspicious attachments and links, and how to spot phishing scams.
 
• Keep yourself informed by reading articles about evolving threats, including Rich Site Summary (RSS) feeds from major security vendors and publications. Send frequent updates to all your end users.
 
• Standardize smartphones and personal digital assistants (PDAs) used by your company. Implement available security protection, including antivirus software.
 
• Establish a clear corporate policy defining the kind of information that can be stored on endpoint devices.
 
Talk with CDW’s endpoint security experts
Endpoint security is a complicated and constantly changing landscape. It’s almost impossible to keep up with all the latest threats, risks and solutions, especially if network security is just part of your responsibilities.

CDW is here to help. We have a staff of full-time, experienced security specialists who will work with you to develop and implement state-of-the-art solutions that are just right for your company. Ask your CDW account manager for details. If you don’t have an account manager, call us at (800) 985-4239.
 