Endpoint. No, it’s not the next Avengers movie but it almost has as many points of reference in it. The “Endpoint” used to mean where the connection from an ISP entered a building. From there on, everything was behind the organization’s protections- firewalls, proxies, hardware level filters, etc. If anything did manage to get past all that, then you would have traditional anti-virus on the individual workstations on-site.
However in an age where there are millions of devices directly connected to the internet, each with a potential treasure trove of data on it, the Endpoint has changed from a single defensible position to a swarm of individual outposts. As a result, there are dozens of products on the market now designed for Endpoint Security, but realistically what do they cover? What does the Endpoint need to be defended against?
What is the Endpoint?
In the case of standard wired workstations at an organization’s physical presence, they essentially exist behind the Endpoint in a safe zone. However when we have laptops, mobile devices, tablets and other types of connected devices, these all then have the potential to have their own independent Internet connection as well as some method of talking to the Internal network. The degree of this connection can vary wildly depending on the purpose of the device- from an Exchange connection to access work emails all the way up to a full VPN tunnel. When this happens, compliance to the requirements of the organization is a critical need that must be managed properly and with proper notifications if anything is not up to speed.
Mobile Device Management (MDM) is one such methodology. There are a large number of different software packages, including Microsoft’s own ActiveSync, that have some level of MDM active in them. In the case of ActiveSync for example, a device that has become compromised or lost it can be remote wiped to prevent a potential theft of data. Other products are capable of applying standard policies such as websites that are not allowed, geofencing to only allow access within a specified area, regular reporting of device status (and potential rooting), and in some cases remote access to allow for troubleshooting directly on the device.
But all of this doesn’t really answer one critical question- what makes an Endpoint like a Mobile device or even a laptop that much different than a standard workstation? Three key items:
Location is one of the easiest to understand in this case. When a device is all but chained down to a desk, it’s very difficult to take a full workstation off to a coffee shop let alone work on it while waiting for your order. Let’s say for a moment that you’re out and about, travelling for work and you’re at a major coffee franchise that shall remain nameless. You’ve been working for a good half an hour and need to go to the bathroom. So you lock the device, put it in your bag and take the whole thing with you. Up until this point, that’s all a very safe and secure method- keeping eyes on the equipment at all times when in a public area. Unfortunately this still could be taken and ran with. The person that took the laptop would potentially be able to guess the password if a lockdown policy was not in place or if it was not a member of a domain. If the storage on the laptop isn’t encrypted, it would be even easier because they could take the drive out, pop it into another machine and go from there. However with proper Endpoint Security, it would be possible to put in a report to your organization and before the person even gets to the next block there could be tracking active on the laptop and/or a remote wipe scheduled to run as soon as it powers up.
Types of Data present on devices like this also make the above normally risky maneuver much more lucrative. In some cases, users will connect up to the main network, download whatever files they need to work on, then continue their operations via the use of local programs. This means that potentially critical data could be out in the wild for someone to just plug a USB drive in and download the files off for any sort of use. Again, Securing the Endpoint means removing the ability for users to simply plug in a USB stick or burn a disc to offload data.
But one of the biggest risks when it comes to devices like phones is the average person’s attitude for them- they are extremely personal and their method of using the device shows it. If you ask the average person, they would likely tell you that they have considerably more personal information on their mobile than they do almost anything else- in a very real sense, it can almost be considered an extension of the person. However when that mobile device contains information such as bank accounts, social security numbers, and other Personally Identifiable Information (PII), not only does it potentially put other employees’ information at risk, but their own as well if they have banking apps or other things on a device that is used for work. In the cases of certain MDM’s, they are able to create ‘partitions’ or other holding zones on the device- carving out specific areas for organizational data to live. If the device becomes compromised, they can remove that particular area without removing the rest of the user’s data, or again just remote wipe the entire thing.
Why do we need to protect the Endpoint? Put simply- because we are one. The Endpoint has effectively moved from a room in the middle of an office building to our bags, our pockets and our desks. Each of these locations has the potential to be a foothold into a much larger breach, so we need to do our utmost to protect ourselves and our organizations as much as possible. Despite its importance however, Endpoint Security is only one part of the overall Security picture and InfoSec Institute can assist with articles such as this, certification courses and best practices- be sure to check them out!
- https://www.mcafee.com/enterprise/en-us/security-awareness/endpoint.html What is Endpoint Security
- https://docs.microsoft.com/en-us/mem/configmgr/mdm/deploy-use/manage-mobile-devices-with-exchange-activesync Device Management with Exchange and Configuration Manager
- https://www.gsa.gov/reference/gsa-privacy-program/rules-and-policies-protecting-pii-privacy-a Rules and Policies- Protecting PII- Privacy Act
- https://www.forcepoint.com/cyber-edu/endpoint-security What is Endpoint Security
- https://www.fedscoop.com/disa-cloud-endpoint-security-telework-mildrive/ DISA expands cloud services, endpoint security as telework continues