Day 5 of Incite: Endpoint Hostile Takeover
Submitted by Mike Rothman on Wed, 2006-01-18 08:20.
Driven by the prevalence of unwanted applications, internal zombie outbreaks, and documented information leaks enabled by key loggers and spyware, users will increasingly lock down endpoint devices, despite pushback from the business users. Limitations of the Windows XP security model make lockdown difficult in 2006, but much easier when Microsoft’s Vista operating system is ready for deployment beginning in 2007.
There is pretty much only one thing you can count on if you are a security professional: users will do stupid things. How many times have you said, “Don’t click on that unknown attachment” or “Kazaa is bad” or “eBay does not need to confirm your user information.” And how many times have you cleaned those machines of spyware and just shrugged your shoulders in resignation? Another weekend of cleaning up outbreaks that could have easily been avoided. Great fun.
Repeat after me: “Users will do stupid things.” So you need to accept it and work hard to stop issues before they start.
This is further compounded by increasing mobility. Almost all knowledge workers now carry laptops, so they can work 24 hours a day. Interestingly enough, some do. But that means they work at the coffee shop, in the airline clubs, at conferences, and in hotel rooms. Let me tell you, these public networks are literally cesspools of malware.
The most rigid perimeter in the world is of no help when a company laptop contracts a worm in the Crown Room. We need to extend the security down to the endpoint. But we need to do it in a manageable fashion that is hopefully (somewhat) transparent to the user.
Of course, this being the security market, there are a ton of small companies (and even some bigger ones) chasing the endpoint security market with varied approaches. Let’s level set for a minute and go through the main options for endpoint security.
- Personal firewalls – Personal firewalls were really the first viable option to protect individual desktops. By controlling access to the network on each device and enforcing some policies, you can stop most simple attempts to take over the machine by brute-force network attacks, and prevent worm propagation and zombie activity.
- HIPS – Host intrusion prevention techniques have also made their way to the desktop, so the software on the device detects (and blocks) activity by matching a known attack signature or using an anomaly detection approach to stop atypical behavior.
- Application control – This relatively new class of products is a bit simpler to understand. Applications are either allowed or not allowed to execute based on the policy. Users cannot load (or execute) applications that are not on the “approved” list. You can also use application control technologies to shut down USB ports on computers, thus foiling the “sneakernet” attack.
Many of the endpoint security products on the market today use a combination of these techniques, since one size never really fits all. One man’s opinion is that pretty much any of the solutions are going to be good enough to make it difficult to compromise the device. Hackers, especially of the drive-by variety, opt for the path of least resistance. If the guy (or gal) next to you has nothing, who do you think is going to be the target?
The ability of application control-based solutions to simply lock down the desktop is pretty interesting. Much of the spyware that plagues your systems consists of executables or is installed by executables. Worms propagate by initiating their own nefarious executables. If those aren’t approved applications, they don’t run – thus no outbreak. You also gain more control over what business users do. Maybe you want to allow iTunes on your corporate desktops or maybe not. Controlling Kazaa or Skype is probably a good thing. Application control is simple and clean and does not really mess with the kernel.
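To make the allow-or-deny decision behind application control (the approved list described above) concrete, here is an added example of mine, not code from the post or from any product it mentions: a default-deny policy that approves executables by the SHA-256 of their contents, so an unapproved binary that borrows an approved application’s file name is still refused, while an approved binary copied under another name still runs. The file names and file bytes are constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash the file's contents: the decision is tied to the bytes, not the file name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_policy(approved_paths):
    """Enroll approved executables; returns {sha256: friendly name} (an admin-only step)."""
    return {sha256_file(p): os.path.basename(p) for p in approved_paths}

def check_exec(path, policy):
    """Default-deny: return (allowed, reason) for a request to run `path`."""
    digest = sha256_file(path)
    if digest not in policy:
        return False, "denied: %s (hash %s...) is not an approved application" % (
            os.path.basename(path), digest[:12])
    return True, "allowed: %s" % policy[digest]

def demo():
    """Constructed sample: two files share the name 'itunes.exe' but differ in content."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved", "itunes.exe")
        os.makedirs(os.path.dirname(approved))
        with open(approved, "wb") as f:
            f.write(b"MZ-constructed-trusted-media-player")  # constructed bytes
        policy = build_policy([approved])

        # Same bytes copied elsewhere: still the approved application.
        renamed = os.path.join(d, "player_copy.exe")
        with open(renamed, "wb") as f:
            f.write(b"MZ-constructed-trusted-media-player")
        # Different bytes borrowing the trusted name: an unapproved executable.
        impostor = os.path.join(d, "downloads", "itunes.exe")
        os.makedirs(os.path.dirname(impostor))
        with open(impostor, "wb") as f:
            f.write(b"MZ-constructed-unapproved-installer")  # constructed bytes

        for label, p in (("approved", approved), ("renamed_copy", renamed), ("impostor", impostor)):
            allowed, reason = check_exec(p, policy)
            print(reason)
            results[label] = allowed
    return results
```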
Now for the downside. Business users are going to hate this and they will very likely make a big stink. You’ll hear all types of pushback because users like to feel in control, and locking down their desktops really takes away their control. So, this will be a good test of whether the powers that be really want a secure environment or not.
If not, it’s never too early to start polishing your resume…
Endpoint security should really be a function of the operating system. Microsoft added a personal firewall to Windows XP, which is a start. But the reality is that third-party solutions will be required to perform the lockdown for at least the next couple of years. The problem is that in most cases the local user needs to have administrator privileges on their XP desktop. You can get some level of control through group policy objects on Windows networks, but not enough. Windows Vista allows a lot more granularity to secure the administrator role and better safeguards in installing software, so that will help. But of course, best case Vista is a 2007 thing.
So, Security Incite believes protecting each desktop is important. If politically feasible, looking at application control is a good thing to do. You are able to stop the issues before they start. If that isn’t possible, there are network level controls that can be implemented to provide worm mitigation and protection against unauthorized access. These Network Admission Control (NAC) solutions are poised to break out this year, and will be the subject of tomorrow’s rant.
That’s all for Day 5.