The complex world of endpoint security
Jeff Melnick is a Sales Engineer at NetWrix Corporation and in this interview discusses the intricate world of endpoint security, offers tips for IT security managers dealing with an influx of new devices, tackles the (in)security often presented by home workers and provides insight on current and future online threats.
Based on your experience, what is the biggest challenge in protecting endpoint clients in vast organizations?
The biggest threat to endpoint security, in my opinion, is the sheer volume of devices on the market, particularly USB compatible devices, and the variety of access ‘levels’ that are required for employees in different parts of the organization. Combine that with legacy systems that may not be able to cope with those vulnerabilities and I think you have a real challenge. Often a major problem with endpoint security is the users themselves.
The more restrictive a company is, the more ‘clever’ the employees become in attempting to defeat those restrictions. Take, for example, internet monitoring. If the policies become too restrictive, the employees will attempt to bypass the network in order to access the internet more freely, either by taking their laptops home to bypass those filters, by using cellular modems (either using dedicated Air cards or by tethering their BlackBerrys or similar devices), or by using Wi-Fi to bypass the restrictions. Obviously bypassing the filters defeats the purpose of having them.
There are certainly monitoring solutions that lock down your internet searching at the client level so you can’t bypass it as above. In some cases, though, I’ve seen this hamstring legitimate work, and it often requires a lengthy process to white list certain sites, which can be particularly difficult in procurement and safety departments for example, who are often looking for solutions that can be a bit ‘out of the box’. Then you have users attempting to download information at home and transfer it to their work machine via USB storage devices, and sometimes transferring viruses and malware along with it. Several branches of the US Military currently limit or outright ban any use of USB devices. They have obviously taken a very hard-line approach to security issues, which given all of the hardship caused by the WikiLeaks website is certainly understandable.
What tips would you give to an IT security manager who has to control a large influx of new devices such as iPhones and iPads that are coming into the organization and being used to access confidential information?
While an outright ban on their use is probably the ideal situation, these devices are going to creep into your organization whether you want them to or not, and the more popular they are, the faster you’re going to see them. In my experience, Director-level and above employees are often the worst offenders and the first to go out and get these devices which makes an outright ban on their use impractical if not a political nightmare. I remember asking a VP of Operations who purchased an iPad the first day they became available what he was going to use it for. His response, “I don’t know yet but it sure is cool”.
That having been said, they can have legitimate uses and you need to incorporate them into your Corporate Policies and make sure they are locked down like any other mobile device carrying sensitive data. Given the increasing power and performance of these devices and the increasing amount of data they may contain combined with their smaller size and desirability, seeing them lost or stolen at some point is a serious possibility.
Consumer devices like iPads and iPhones are inherently insecure out of the box to make them more user-friendly, but they can be locked down fairly effectively using the newer Apple OSes, and fairly easily when using the newer versions of Exchange or even additional third-party applications. Certainly a local password (with a similar password policy to other devices on your network, including an inactivity counter), configuration for a local wipe to prevent brute force password guessing, and the ability to remote wipe the device if lost or stolen are critical. The devices support local data encryption as well as encryption of data in transmission using a variety of network protocols and I’d obviously recommend you take advantage of that capability as well. Now you can even go so far on the iPad to make sure users are denied access to certain applications such as YouTube, the iTunes store and the Web Browser and deny them the ability to install their own applications.
I think the bottom line is that these devices should be treated as business tools and potential security liabilities, not novelties.
How can we make sure that endpoint devices of home workers are used securely and adhere to corporate security policies?
This is a difficult question. You have to constantly balance the needs of the employee against the needs of the organization. A draconian, ‘total lock down’ approach is great but it removes a lot of flexibility from the employee and can make it very difficult if not impossible for the helpdesk to service remote equipment if the user is having a connection problem. One of the biggest problems I see with remote workers is password management. Many IT groups will simply set the remote employee’s credentials to ‘never expire’. This prevents credentials on the local machine from getting out of sync with the network credentials and causing havoc for the user. Unfortunately we all know the downsides of allowing such loose password management.
A second issue I see is the ability for users to install software and devices on their own, particularly USB devices. I am not a proponent of making users administrators on their own machines; however, this can cause issues with not only remote but even local users. I would rather have some oversight over the software and hardware that the users install, but if the user has some sort of connection issue and needs to install a printer, it can be a real headache. I remember at a former employer our CEO needed to go to a hotel for an important conference and he needed access to a printer, so we had to arrange an outside IT person to be on standby in this remote location on the odd chance he had any issue with installing the printer.
Recently I had a client who wanted to distribute a series of encrypted hard drives to his personnel so they could take sensitive data with them without having to use an encryption solution on all of their equipment. Even though the drives were encrypted, he needed to know immediately if one of the drives were lost or stolen so he could take appropriate measures. His biggest fear was that his employees would not want to admit their carelessness and tell him they lost a drive with sensitive data, so how could he make sure that the employee didn’t just purchase an identical drive from the same manufacturer and continue on as if nothing had happened? We were able to offer him a solution where he could white list only those 20 drives by device ID number to keep them honest. So if the employee lost the drive and purchased a new drive of the exact same make and model, it would not allow the employee to connect that drive to any computer in the enterprise. This is just another example of allowing some reasonable amount of flexibility, but with safeguards.
As we move forward and the industry takes care of some threats, new ones emerge on the radar almost instantly. Will we ever be able to get ahead in this race?
I like to be optimistic, however, much like viruses and malware, I fear there will always be some degree of ‘catch-up’ for developers and Engineers. I think people work very hard to find security flaws and we need to continue to work hard at finding and plugging these holes before they are successfully exploited.
What do you see as the biggest online security threat at the moment?
I think one of the growing online security threats is malware directed at smart phones and the increasing tablet market, either the iPad or any of the coming Google based iPad competitors. These devices are increasingly blurring the line between powerful phones and lightweight computers and people are using them for both work and play, communicating with others via a huge variety of apps that make personal and device interconnectivity easier while conducting sensitive business like banking and credit card purchases.
I really like the idea of the unrestrictive nature of buying apps either through Google or directly through developers and I think the open source nature of the Google OS is fantastic for expanding that platform. Unfortunately we’re already beginning to see malware-laced programs showing up on this platform and as Google gains greater market share, people will move more aggressively to exploit it. The Linux and Mac operating systems had far fewer virus issues than Microsoft at least in part (even if it was a small part) because of their relatively low market share which made it more difficult for a virus to propagate. In the past, as a Mac user the most likely place for you to be hit by a virus was on a Mac forum or website, where someone was guaranteed to find a large concentration of Mac users in one place.
For those who write viruses and malware the driving factor now is strictly money, the ability to steal identities, credit card and banking information. As this platform continues to expand there will be greater and greater effort put forth towards finding and exploiting their vulnerabilities. Despite the closed and very secretive approach that Apple takes, their products are also open to exploits (as they have been in the past). The difference is that most Windows users know they may be forced to re-image their machine if they stray too far off the internet path (or stumble across a valid site that has been hacked) while Apple users honestly think they are immune to viruses and exploits and may be hit particularly hard in the future. I think many people on these mobile platforms will not take the necessary precautions until there is a large scale and widely publicized data theft, but hopefully I’m wrong.
Based on the evolution of threats, what do you think your products will look like in a few years? What new features do you expect them to have?
I think they will be even more granular and even more flexible in allowing specific users access under specific conditions to allow employees to be able to work more effectively without becoming a security liability.
For example, our USB Blocker product is very granular in what can be blocked and what can be let through. You can block large groups of USB device types such as storage (by default), CD/DVD-ROM, iPhones, network adapters, Bluetooth, etc. However, you have the ability to white list (or blacklist) devices by manufacturer, model or by individual device ID so you can allow as many or as few devices on your network as you determine to be appropriate for your needs. We further give you the ability to exclude certain users or machines from the policies and allow a Technician override code (if you want) to allow your local technicians temporary access to the USB devices so they can service the machine locally if necessary. We’re already adding in finer grained reporting and more advanced auditing capabilities, to see when and where the technician code was used for example and to see what devices have been plugged into what machines and by whom.
Moving forward we’re looking at allowing even more flexible access control levels, so we can define specifically what users can use what devices for example, and forced encryption policies to determine what devices must be encrypted or rejected. One of the other features we’re looking at is making the program ‘network aware’ so that you can configure certain devices to be accessible only while inside the corporate network for example.