We constantly hear about big data breaches and large-scale compromises, but did you ever step back and wonder what the root cause of many attacks is? Very often, the endpoint device was the initial point of compromise that allowed for lateral movement into the network, creating additional damage. While it is important to have a properly designed and secured network, the endpoint is often the last line of defense. With endpoint device security in place, the damage can be thwarted. In order to protect the endpoint, here are some actionable steps that minimize the chance of compromise.
Never log in as administrator
Users should never log in as administrator and never have administrator rights for their systems. In the past, performing basic tasks like installing software required administrator access, but a lot has changed with newer operating systems. With most operating systems, clients can still have the basic functionality they need to perform their jobs without logging in as administrator. Consider that if a user requires administrator access, maybe what he is trying to do is not required to perform his job function.
Uninstall unnecessary software
Client operating systems and applications are focused on making sure everything works properly on the system. Therefore, most default installations contain extraneous software that is not needed to run the system. Very often the extraneous software is what is targeted by the adversary and used as a point of compromise. Uninstalling or removing unnecessary software can reduce the attack surface and minimize exposure.
Patch all software
A patch is the vendor telling the world there is a vulnerability in its software; therefore, the longer a system goes unpatched, the bigger the exposure window is. While patching is always a challenge, uninstalling unnecessary software will reduce the patch surface and make patching easier. While centralized patch management is key within an organization, it is important to remember traveling laptops. If a system is off the network, it may miss the automatic patching cycle of those on the network.
Run application whitelisting
Controlling and managing what software can run, and verifying the integrity of that software, is critical to having a secure system. While application whitelisting does require a paradigm shift in many organizations, it is a valuable and scalable way to protect the endpoint. It does take some work to create a holistic list of all approved software, but it is well worth it, as having a locked down system creates a very difficult target for an adversary.
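The allowlist decision described above can be sketched as follows. This is an added example, not code from the original article; the function names, file names and file contents are constructed for illustration, and it assumes a strict policy in which both the path and the SHA-256 hash must match an approved entry.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_allowlist(paths):
    """Record resolved path -> hash for each approved executable."""
    return {os.path.realpath(p): sha256_file(p) for p in paths}

def check(path, allowlist):
    """Return 'allow', 'deny-modified' or 'deny-unlisted' for a launch request."""
    real = os.path.realpath(path)  # resolve symlinks before the lookup
    expected = allowlist.get(real)
    if expected is None:
        return "deny-unlisted"     # software that was never approved
    if sha256_file(real) != expected:
        return "deny-modified"     # approved path, but integrity check failed
    return "allow"

def demo():
    """Constructed sample: two approved files, one altered later, one unlisted."""
    with tempfile.TemporaryDirectory() as d:
        editor = os.path.join(d, "editor.bin")
        viewer = os.path.join(d, "viewer.bin")
        dropped = os.path.join(d, "dropped.bin")
        for p, data in ((editor, b"editor v1"), (viewer, b"viewer v1")):
            with open(p, "wb") as fh:
                fh.write(data)
        allowlist = build_allowlist([editor, viewer])
        # After approval, one binary changes on disk and a new file appears.
        with open(viewer, "wb") as fh:
            fh.write(b"viewer v1 + altered bytes")
        with open(dropped, "wb") as fh:
            fh.write(b"unapproved tool")
        return [check(p, allowlist) for p in (editor, viewer, dropped)]

if __name__ == "__main__":
    print(demo())
```

Because a legitimate patch changes the hash, the allowlist has to be regenerated as part of the patch cycle, or the updated binary will be reported as modified.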
Filter out dangerous executables
A large amount of malicious content enters a network as email attachments or Web downloads. Running attachments and downloads through filtering proxies that do not just examine the code, but also execute it in an isolated security sandbox, allows for early detection of malicious code, so it can be filtered before it enters the network.
Run dangerous applications in virtual machines
Two of the most dangerous applications are Web browsers and email clients. A significant amount of damage is caused by those two applications alone. One trick to dealing with dangerous applications, including Web browsers and email clients, is to run them in separate isolated virtual machines. If the content is dangerous, only the virtual machine will get infected and not the host. Once the virtual machine closes, all of the malicious code goes away. While it would be better if the system never got infected, with this approach an infection is contained and controlled for a short period of time, thus minimizing damage.
Utilize thin clients
While not scalable in all environments, utilizing thin clients is an effective way to control the damage. The problem with a traditional operating system is it only gets reinstalled when new hardware is rolled out, which is typically every three years. Therefore, if the system becomes infected, it stays infected for a significant amount of time. With a thin client, every time the system is turned on, the user receives a new version of the OS. Now if the system gets infected, it is only for a few hours, not several years.
While there is no one perfect way to protect against an attack, focusing more energy and effort on endpoint device security can better control the number of attacks and the amount of damage a successful attack can wreak on an organization.