NetWrix’s own Jeff Melnick sits down with Help Net Security Editor and Chief Mirko Zorz to discuss the intricacies of endpoint security, offering tips and tricks to IT administrators for ways to improve their security in their own environments.
Based on your experience, what is the biggest challenge in protecting endpoint clients in vast organizations?
The biggest threat to endpoint security, in my opinion, is the sheer volume of devices on the market, particularly USB compatible devices, and the variety of access ‘levels’ that are required for employees in different parts of the organization. Combine that with legacy systems that may not be able to cope with those vulnerabilities and I think you have a real challenge. Often a major problem with endpoint security is the users themselves.
The more restrictive a company is, the more ‘clever’ the employees become in attempting to defeat those restrictions. Take for example, internet monitoring. If the policies become too restrictive the employees will attempt to bypass the network in order to access the internet more freely, either by taking their laptops home to bypass those filters or they use cellular modems (either using dedicated Air cards or by tethering their blackberries or similar devices) or using Wi-Fi to bypass the restrictions. Obviously bypassing the filters defeats the purpose of having them.
There are certainly monitoring solutions that lock down your internet searching at the client level so you can’t bypass it as above. In some cases though I’ve seen this hamstring legitimate work and often requires a lengthy process to white list certain sites, which can be particularly difficult in procurement and safety departments for example, who are often looking for solutions that can be a bit ‘out of the box’. Then you have users attempting to download information at home and transfer it to their work machine via USB storage devices, and sometimes transferring viruses and malware along with it. Several branches of the US Military currently limit or outright ban any use of USB devices. They have obviously taken a very hard line approach to security issues, which given all of the hardship caused by the Wiki Leaks website is certainly understandable
What tips would you give to an IT security manager that has to control a large influx of new devices such as iPhones and iPads coming into the organization and are used to access confidential information?
While an outright ban on their use is probably the ideal situation, these devices are going to creep into your organization whether you want them to or not, and the more popular they are, the faster you’re going to see them. In my experience, Director-level and above employees are often the worst offenders and the first to go out and get these devices which makes an outright ban on their use impractical if not a political nightmare. I remember asking a VP of Operations who purchased an iPad the first day they became available what he was going to use it for. His response, “I don’t know yet but it sure is cool”.
That having been said, they can have legitimate uses and you need to incorporate them into your Corporate Policies and make sure they are locked down like any other mobile device carrying sensitive data. Given the increasing power and performance of these devices and the increasing amount of data they may contain combined with their smaller size and desirability, seeing them lost or stolen at some point is a serious possibility.
Consumer devices like iPads and iPhones are inherently insecure out of the box to make them more user friendly but they can be locked down fairly effectively using the newer Apple OS’s, and fairly easily when using the newer versions of Exchange or even additional third party applications. Certainly a local password (with a similar password policy to other devices on your network, including an inactivity counter), configuration for a local wipe to prevent brute force password guessing, and the ability to remote wipe the device if lost or stolen are critical. The devices support local data encryption as well as encryption of data in transmission using a variety of network protocols and I’d obviously recommend you take advantage of that capability as well. Now you can even go so far on the iPad to make sure users are denied access to certain applications such as YouTube, the iTunes store and the Web Browser and deny them the ability to install their own applications.
I think the bottom line is that these devices should be treated as business tools and potential security liabilities, not novelties.
How can we make sure that endpoint devices of home workers are used securely and adhere to corporate security policies?
This is a difficult question. You have to constantly balance the needs of the employee against the needs of the organization. A draconian, ‘total lock down’ approach is great but it removes a lot of flexibility from the employee and can make it very difficult if not impossible for the helpdesk to service remote equipment if the user is having a connection problem. One of the biggest problems I see with remote workers is password management. Many IT groups will simply set the remote employee’s credentials to ‘never expire’. This prevents credentials on the local machine from getting out of sync with the network credentials and causing havoc for the user. Unfortunately we all know the downsides of allowing such loose password management.