Endpoint security: The weakest link

Remember the short-lived game show The Weakest Link? The weakest player was eliminated, much like we see in the real world.

But when you are thinking about security, you really do have to continually find and eliminate the weakest link, because that is the first thing the attackers will go after. If there is one thing that we know about hackers, it's that they don't give up easily. There is too much money at stake, so they are continually searching for the next weak link in the chain. And this time they've found a doozy.

Over the past year or so, we've increasingly seen endpoints being specifically targeted, on both the consumer side and the corporate side. Once an endpoint is compromised, the bad guys have free rein on the internal network to steal information, compromise more machines, and/or turn these devices into zombies ready to launch denial-of-service attacks or send spam and phishing messages.

The endpoint is a juicy target for a few reasons:

  • Insecure operating system. Since a majority of the world runs Microsoft Windows, finding client-side vulnerabilities has been like shooting fish in a barrel for the bad guys. Many SMBs don't patch immediately, so common exploits become big issues.

  • Human behavior. End users love to click on stuff. They open messages from people they don't know, divulge private information to strangers, download random software and click on ads and links without regard to what lurks behind. Most users I've come across can't help it. They also know they shouldn't have done something after the damage is done. But it seemed like a good idea at the time.

  • Increasing mobility. In today's mobile world, most people have laptops, and they keep private information on them. Not only is there a thriving market for "hot" laptops, but if a bad guy is specifically trying to compromise your company, one of the easiest places to start is by pilfering a laptop.

So how can a small or medium-size company defend against these increasingly common attacks? Here is a five-point plan to begin addressing the issue:

  1. Education. Users need to constantly be reminded about what they can and can't do with their machines. This is especially important for employees with laptops, given that they are likely connecting into the network from remote locations, which are not as controlled as your own internal network.

  2. Desktop security suite. Amazingly enough, there are quite a few SMBs that have not deployed antivirus, antispyware and personal firewalls on their devices. If you don't have all of your Windows machines protected, walk away from your machine right now and don't come back until it's done. This will eliminate most of the attacks that we already know about. Macs should also have protection, by the way.

  3. Password-enable your screensaver. Many machines are compromised because employees walk away and don't lock their computers. These are easy pickings for anyone who has physical access to a machine. After five minutes at most, your machine should lock and require a password to unlock it.

  4. Encrypt data on your laptops. The best way to find yourself on the cover of The Wall Street Journal is to lose data on a large number of customers. And privacy breaches are not restricted to only large enterprises. Apple Computer Inc. already offers the ability to encrypt the data in Mac OS X. There are many third-party tools (from PGP Corp. and SafeBoot NV, for example) to encrypt data on Windows.

  5. Implement default-deny. Even if a machine is compromised, if it can't send data back to the bad guys, then it's not much use to them. If you block all inbound and outbound ports that are not specifically required for applications on your routers and firewalls, you are cutting off the ability of the bad guys to utilize the machines.
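The following audit script is an added example, not something from the original column: it checks a Windows endpoint against points 2 through 5 of the plan above (antivirus with real-time protection, a password-protected screen lock within five minutes, an encrypted system drive, and a default-deny host firewall) and exits non-zero if anything fails, so it can run as a scheduled check. It assumes Windows Defender, BitLocker and the NetSecurity cmdlets are present (Windows 10/11 or Server 2012 R2 and later); a third-party suite or encryption tool will need its own status check, and the firewall test applies the article's router advice to the host firewall.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
$findings = @()
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

# 2. Desktop security suite: Defender (or a registered AV) with real-time protection on.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Finding 'Antivirus real-time protection' $mp.RealTimeProtectionEnabled `
        "Signatures updated $($mp.AntivirusSignatureLastUpdated.ToShortDateString())"
} catch {
    Add-Finding 'Antivirus real-time protection' $false 'Get-MpComputerStatus unavailable; check your AV product'
}

# 3. Password-protected screen saver within five minutes (registry values are stored as strings).
$ss = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$timeout = if ($ss.ScreenSaveTimeOut) { [int]$ss.ScreenSaveTimeOut } else { 0 }
$locks = ($ss.ScreenSaveActive -eq '1') -and ($ss.ScreenSaverIsSecure -eq '1')
Add-Finding 'Screen lock within 5 minutes' ($locks -and $timeout -gt 0 -and $timeout -le 300) `
    "Active=$($ss.ScreenSaveActive) Secure=$($ss.ScreenSaverIsSecure) Timeout=${timeout}s"

# 4. Full-disk encryption of the system drive (BitLocker here; other tools report differently).
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Finding 'System drive encrypted' ($bl.ProtectionStatus -eq 'On') "VolumeStatus=$($bl.VolumeStatus)"
} catch {
    Add-Finding 'System drive encrypted' $false 'BitLocker cmdlets unavailable; check your encryption product'
}

# 5. Default-deny: every firewall profile enabled, with inbound AND outbound default action set to Block.
foreach ($p in Get-NetFirewallProfile) {
    $deny = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block') -and ($p.DefaultOutboundAction -eq 'Block')
    Add-Finding "Default-deny firewall ($($p.Name))" $deny `
        "Enabled=$($p.Enabled) In=$($p.DefaultInboundAction) Out=$($p.DefaultOutboundAction)"
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit flags a failed check
```

Blocking outbound traffic by default on a workstation means every application that needs the network gets an explicit allow rule, so test the ruleset on a pilot machine before rolling it out.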

None of these techniques are overly hard or new. But you need to do them and be consistent about it. There are lots of more advanced techniques that can also make a difference (like network admission/access control, Secure Sockets Layer virtual private networks, strong authentication, etc.), but first things first. There will always be the next weakest link. Make sure your endpoints aren't it.

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Reach him via email at mike.rothman (at) securityincite (dot) com.

This was first published in August 2006
