Security vendor Rapid7 recently surveyed its customers and found that 54% either don't use or don't know if they use code-execution prevention on users' endpoint devices. When I saw those results, I realized I don't know if my company does either. Is there an easy way to determine which systems have code-execution prevention capabilities in place? And what are the benefits of doing so if we don't?
Ask the Expert
The findings of the Rapid7 survey and other similar surveys on the use of common security controls reveal that a worryingly high percentage of administrators don't know exactly what controls they currently have in place, especially when it comes to endpoint devices. And of those that do, there are clear signs that they don't fully understand how the controls work or how they should be configured. The number of respondents who answered "Don't Know" to certain questions also shows that many don't keep proper records of security control configurations, indicating a lack of policies and procedures.
While most organizations have antivirus software (AV) installed on employee devices, too many use it as their only means of endpoint device protection rather than treating it as just a first line of defense. Simply put, AV is not able to stop all malware. So along with regular patching to prevent known exploits from being a threat, administrators must deploy additional controls to decrease the chances of attacks against users being successful.
An important group of threat-mitigation technologies enterprises should consider are those that prevent malicious code execution. Data Execution Prevention (DEP), Structured Exception Handling Overwrite Protection (SEHOP), Address Space Layout Randomization (ASLR), and mitigations against Return-Oriented Programming (ROP) are all controls that help close attack vectors such as buffer overflows and memory corruption, and limit damage from malware that attempts to run code from memory locations that only Windows and other programs should use. Underscoring Rapid7's findings, 54% of respondents either don't deploy these code-execution prevention controls or don't know if they have been enabled on their employees' machines.
The easiest way to manage and deploy these controls is to use Microsoft's Enhanced Mitigation Experience Toolkit 4.0 (EMET), which provides a graphical user interface that allows administrators to apply a variety of mitigation technologies to applications and processes that don't use them natively -- whether they're from Microsoft or from other vendors. It also has built-in enterprise deployment support so administrators can use Group Policy or the System Center Configuration Manager to deploy, configure and monitor which systems have code-execution prevention capabilities in place across the enterprise.
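As an added example that is not part of the original column, the following PowerShell function answers the reader's first question for a single Windows endpoint by reading the system-wide DEP, SEHOP and ASLR settings and checking whether EMET is present; the EMET service name and registry key it looks for are assumptions about EMET 4.x, and the hosts.txt file is a placeholder.

```powershell
# Added example, not part of the original column: report the system-wide
# DEP, SEHOP and ASLR settings plus EMET presence on a Windows endpoint.
# Run from an elevated PowerShell prompt.
function Get-CodeExecutionPreventionStatus {
    # DEP policy as reported by the OS: 0=AlwaysOff, 1=AlwaysOn, 2=OptIn (client default), 3=OptOut
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $dep = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    # SEHOP: DisableExceptionChainValidation = 1 disables it, 0 enables it; when the value
    # is absent the OS default applies (on by default on Server editions, off on client editions).
    $kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $secv = (Get-ItemProperty -Path $kernelKey -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    if ($null -eq $secv)  { $sehop = 'OS default (value not set)' }
    elseif ($secv -eq 0)  { $sehop = 'Enabled' }
    else                  { $sehop = 'Disabled' }

    # ASLR: MoveImages = 0 turns it off system-wide, -1 (0xFFFFFFFF) forces it for every image;
    # absent means the default, i.e. enabled for images linked with /DYNAMICBASE.
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $moveImages = (Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue).MoveImages
    if ($null -eq $moveImages)  { $aslr = 'Default (opt-in per image)' }
    elseif ($moveImages -eq 0)  { $aslr = 'Disabled' }
    elseif ($moveImages -eq -1) { $aslr = 'Forced for all images' }
    else                        { $aslr = "Unrecognised value $moveImages" }

    # EMET presence. Assumption for this example: EMET 4.x registers a Windows service
    # named EMET_Service and keeps its settings under HKLM:\SOFTWARE\Microsoft\EMET.
    $emetService = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue
    $emetKey = Test-Path 'HKLM:\SOFTWARE\Microsoft\EMET'
    $emet = if ($emetService -or $emetKey) { 'Installed' } else { 'Not found' }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        DEPPolicy    = $dep
        SEHOP        = $sehop
        ASLR         = $aslr
        EMET         = $emet
    }
}

# Single host:
Get-CodeExecutionPreventionStatus

# Fleet-wide (assumes PowerShell remoting is enabled and hosts.txt is a placeholder
# listing one computer name per line); uncomment to run:
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) `
#     -ScriptBlock ${function:Get-CodeExecutionPreventionStatus} |
#     Export-Csv .\code-execution-prevention.csv -NoTypeInformation
```

The result is a per-host inventory that can be exported to CSV and reconciled against the Group Policy or Configuration Manager baseline described above. On Windows 10 builds that retired EMET, the built-in Get-ProcessMitigation cmdlet reports the equivalent settings.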
Though these mitigation technologies will never stop malicious code exploitation completely, network administrators should understand how code-execution prevention techniques work and deploy them across their organization. Protecting employee devices is critical to any enterprise's overall security as hackers continue to view them as the weakest link. According to the 2013 Verizon Data Breach Investigations Report, 71% of attacks and breaches in 2012 involved compromised employee devices -- more than any other asset category. Ensuring EMET's mitigation technologies are deployed across every device will make it much harder for attacks to successfully exploit these vulnerabilities.
This was first published in January 2014