END POINT SECURITY: A TOOL TO PROTECT STAND ALONE SYSTEMS

Introduction:
Endpoints are standalone systems that connect to different networks or to physical I/O devices such as USB flash drives, memory cards, CD drives, cameras, iPods, PDAs, MP3 players and external hard drives in order to transfer data to or from the endpoint. An endpoint may be a desktop PC, a laptop or a server that stores data. Traditionally, endpoints were safeguarded against threats by firewalls at the network gateway or by anti-virus scanners on a central server. With the increasing use of mobile and portable storage devices connecting to endpoints every day, the need for endpoint security has grown. The significant increase in the memory capacity of storage devices and the corresponding reduction in cost make them more attractive to use. Today iPods have memory of over 100GB. If such a device is connected to a company system to steal data or employee credit card details, the loss is huge. The purpose of endpoint security is to prevent this from happening. Mobile devices like laptops or iPhones that connect directly to the network pass the perimeterized security layers easily, so we need a de-perimeterized security approach (creating a secure architecture to protect core systems and data against leakage using defense in depth) which shifts the focus to the device itself, with its own local security software. By adopting this, we not only safeguard the devices themselves but also safeguard the computer network from unsafe devices, using techniques such as access control and quarantine (Andrew H., Brian B., Gerry P., 2009).

Threats to Endpoints:
- Data loss
- Data Theft
- Virus, malware or spyware infection through removable devices.
- Unauthorized and insecure data transfer to and from endpoints (for example, confidential data copied to a USB drive).
A list of endpoint security software categories includes:
- Anti-virus software
- Personal (host-based) firewall software
- Personal (host-based) intrusion detection software
- Anti-spyware software, patch management, vulnerability assessment
- Behavior-blocking software and secure remote access
- Access control based on Network Admission Control (NAC) or Network Access Protection (NAP)
With a multi-agent approach it is costly and time consuming for administrators to update, monitor, test and manage security policy for every application, including all the required software and signature updates. Hence these software packages are combined and merged into a single product called endpoint security, which provides the required security solutions (including management and administration) for a single host or, in a wider sense, for the whole network.
The total revenue of endpoint security products in 2007 was around $5.6 billion, a 14% growth over 2006. In 2008, total revenue was around $6.4 billion, a 13% annual growth (Andrew H., Brian B., Gerry P., 2009).

End Point Security In Business Perspective:
In the old school of thought, perimeterized security principles were enough to protect the network. All valuable information was inside the network, and all we needed was central security management that protected the entire network from all of the bad people on the Internet. But a company's sensitive and valuable information does not always remain inside the company. 54% of organizations allow remote access to some staff, and 100% in the case of huge organizations (Information Security Breaches Survey, 2008). The problem with this network architecture is that it is like a piece of candy: hard on the outside and soft and squishy on the inside. Humans (employees) are the weakest link in security. Employees with access permissions to the internal network can store the details on any portable device or access them through laptops. They can take information out of the perimeterized layer, so the perimeter alone is not sufficient (Moore F.C., 2010). "Gone are the days when the good people were on the inside, the bad people were on the outside and we put a firewall in between to keep everyone where they should be," says Michael Oldham, CEO of Marlborough (Greg Masters, 2010). "Mobility has shattered the perimeter of the corporate network. The border now exists in each iPhone, BlackBerry, Smartphone, laptop, employee home PC, internet kiosk, partner PC, etc. that a corporation allows to connect to their network. Security to protect this has become more important than ever and has taken on new aspects" (Greg Masters, 2010). Even though the perimeterized approach serves its core purpose of blocking unwanted traffic from entering the intranet, we need a mechanism that collaborates with the traditional technology (COA, Collaborative Oriented Architecture) (Jericho Forum, 2008) to enhance the security features of the organization.
The business need for security is to protect both the network and the data from a single, central location. Business is also demanding more connectivity outside the enterprise. Since endpoints are where the typical enterprise conducts most of its business, disruption to endpoints has a huge impact on enterprises in terms of cost and lost productivity. Companies that allow remote access are twice as likely to suffer eavesdropping on their network traffic (Information Security Breaches Survey, 2008). There is a real need to secure endpoints in the form of access control and device access policies (Edmead M., 2009).
Threats to endpoints include viruses, Trojans, worms, distributed denial-of-service, spyware and man-in-the-middle attacks. Newer threats evolve every day by exploiting weaknesses or vulnerabilities. Security devices such as firewalls and network intrusion detection systems provide good security only as far as they can inspect and clean the traffic before it enters the network; these network-based security solutions cannot detect, let alone stop, attacks they cannot see (Edmead M., 2009). As the workforce becomes more mobile and the use of laptops and PDAs makes the security architecture more vulnerable, it is now time to get down to securing endpoints, comprising all mobile devices and portable storage devices. While many corporate IT departments attempt to secure their laptops with anti-virus and a personal firewall, these defenses are not enough to keep up with the malicious attacks that course through the internet on an hourly basis (Orgen E., 2009).
A solution for the organization's weakest link is endpoint security. When deployed properly, it solves the problems of:
- Inability to manage anti-virus on computer workstations, laptops and phones.
- Inability to ensure anti-virus is updated.
- Restricting users from accessing the organization's network from unauthorized computers.
- Securing end devices against port scans, denial-of-service attacks, Trojan horses, malicious code injection and other cyber attacks while accessing the network from home or from public wireless networks.
- Ensuring the security and integrity of wireless local area networks, PDAs, wireless hotspots and instant messaging access.
- Installation and maintenance of defenses and the associated rules and policies.
By deploying endpoint security products:
- Enables direct B2B integration of ERP systems with partners, enabling better exchange of data and co-operative working.
- Allows direct electronic interaction with customers.
- Allows legal, commercial and quality-of-service borders to align with the network and infrastructure implementation, paying only for the bandwidth and infrastructure the business actually needs.
- Allows contractors to access the data they need directly, as if they were physically connected to the office.
- Enables business flexibility and cost-effective bandwidth and infrastructure provision (White Paper, 2007).
- Lowers security management costs and improves return on investment by leveraging centralized management capabilities.
Threats facing consumers are more insidious and almost all originate from the internet. The mutating nature of threats makes the challenge difficult, because every attack is a little different and hard to counter with anti-virus software or any other single-function product alone. Nowadays attacks are coming from highly trafficked and trusted websites. Social sites like Facebook and Orkut, e-marketplaces like eBay and the advertising networks of Google and Yahoo are the main targets for hackers because of the broadcast reach they give malicious programs (Cascadia Labs, 2010). According to Internet Statistics and Numbers, 72.5% of internet users (2009) buy online in the UK (Internet Statistics and Numbers, 2009).
Endpoint security suites use multiple countermeasures to thwart these attacks and provide far superior protection to anti-virus-only products. Each endpoint security suite includes different techniques: protection against drive-by downloads, other types of malware and potentially unwanted applications like adware; two-way firewalls and intrusion protection for additional layers of defense; and behavioral detection to thwart risky "zero-day" threats that can challenge traditional virus-detection engines. Together these provide defense in depth to keep the system safe.
Direct email-based attacks on end users pose one of the greatest threats. Once compromised, end-user systems not only expose local data to cybercriminals but can also give them access to other, more sensitive systems on the same network. For this, the user must inadvertently allow their computer to be attacked by clicking on an email link or opening an attachment, or sometimes simply by opening or previewing the email message itself. Phishing and spear phishing begin with acquiring an email address. End users need an integrated solution that delivers total protection but is easy to deploy and manage. Endpoint security provides stronger protection that protects data, ensures greater compliance, lowers operational costs, and stops malware, rootkits, spyware, exploits, bots, spam and hacker attacks. Key functions included in an endpoint security product are anti-virus, anti-spyware, IDS, firewall and access control mechanisms. There are various products available with very good and unobtrusive performance, such as Kaspersky Internet Security 2010, ESET Smart Security 4 Home Edition, AVG Internet Security 8.5 and so on. User-friendly features of many products: they do not slow down boot time, cause no noticeable delays while opening documents, do not use much operating memory (which would slow down system operations), run when the system is idle and perform scans quickly. This takes less effort for novice users, and the products are easy to manage and update all at once without performance overhead (Cascadia Labs, 2010).

Endpoint Security for Technical People:
The worldwide acceptance and use of mobile devices has presented IT organizations with a challenge: balancing the productivity and efficiency of mobile devices with the requirement to protect sensitive information from data theft and breach. Many organizations have addressed the security issues with an IT asset use policy and also with encryption. But these rely on end-user diligence to remain effective, while organizations today still struggle to compensate for the human factor, the weakest link in IT security. Increased productivity and flexible work schedules keep secure mobile computing one of the greatest strengths for organizations. Instead of forcing end users to comply with the IT asset policy, an endpoint security strategy uses managed technology to secure the mobile devices themselves (White Paper, 2010).
Organizations need to address broader issues such as:
- The types of endpoint devices that need to be protected and the different routes of infection.
- How endpoints are to be monitored and controlled.
- How to face zero-day threats.
There are various ways of addressing these issues, such as anti-malware, anti-virus, access control packages, personal firewalls, host-based IDS/IPS and many other effective technologies. Every measure taken provides security restricted to its own scope. If many technologies are deployed there will be performance issues, availability issues, and more management and support issues when the products do not support each other. Reliance on many products constrains the organization's ability to respond to threats and manage security efficiently (Sophos, 2008). Without centralized control over the different products, violations cannot be detected, so protection is virtually impossible. Without core reporting it becomes difficult to assess attacks and exploits and apply remediation. Hence an integrated approach is needed, one that provides functionality from threat protection to compliance and delivers knowledge-driven security that is automated and actionable (McAfee Tops, 2010).
Network access control prevents noncompliant systems from affecting the business by stopping them before they get into the corporate network. The policy auditing feature of endpoint security simplifies and automates compliance reporting by validating across systems and security solutions.

Detect and Block Malware:
Detection of malware and preventing it from executing is achieved by deploying separate products for firewall, anti-virus and anti-spyware, each providing a different part of the required functionality. The firewall can block unwanted traffic, control which applications are allowed to access resources and make the system invisible to hackers. Anti-virus is used to identify and stop viruses, using a combination of detection techniques such as heuristics and signature matching. This not only blocks known malicious programs but can also help control programs such as peer-to-peer file-sharing applications, which are increasingly targeted to compromise endpoint systems. Anti-spyware stops infiltration by worms, Trojans, keystroke loggers and adware, providing real-time protection against spyware installation as well as removal of previously installed spyware. For all of these, it is important for administrators to have central control over the endpoints (Check Point, 2008).

Secure Data:
Securing data on endpoints is crucial, since it is so easy to lose a laptop or other mobile device. Encryption is an old technology that makes data unreadable to anyone except those with knowledge of the key. Port/device control governs the use of each port on an endpoint. This can prevent unauthorized transfer of protected data from an endpoint to a personal storage device and vice versa.
The figure shows the process of allowing or denying portable devices access to the system. The process is divided into three stages. Initially, the user connects the portable device to a system protected by endpoint security software, for example GFI or Endpoint Protector. In the second stage the device is detected and verified against the policies deployed in the software; in this stage the access, and the level of access, for the device is determined. The third stage grants the permitted access or displays an error message indicating that access to the device has been denied.
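The three-stage flow described above, written out as a small device-control policy engine. This is an added illustration, not code from GFI, Endpoint Protector or any product the essay names; the device attributes, rule fields, role names and the sample policy are assumptions.

```python
# Device-control policy evaluation: the three-stage allow/deny flow.
# Added illustration, not code from GFI, Endpoint Protector or any product on
# the page; device classes, rule fields and the sample policy are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Access(Enum):
    DENY = "deny"
    READ_ONLY = "read-only"
    FULL = "full"

@dataclass(frozen=True)
class Device:
    """Attributes reported when a removable device is connected (stage 1)."""
    dev_class: str            # e.g. "usb_storage", "cdrom", "mtp"
    vendor_id: str            # USB vendor id as a hex string
    serial: str
    encrypted: bool = False   # hardware-encrypted drive, as reported by the agent

@dataclass(frozen=True)
class Rule:
    """One policy line; a None field means 'any'. Rules are checked in order."""
    access: Access
    dev_class: Optional[str] = None
    vendor_id: Optional[str] = None
    serial: Optional[str] = None
    require_encrypted: bool = False
    roles: frozenset = field(default_factory=frozenset)  # empty = any user role

    def matches(self, dev: Device, role: str) -> bool:
        return ((self.dev_class is None or self.dev_class == dev.dev_class)
                and (self.vendor_id is None or self.vendor_id == dev.vendor_id)
                and (self.serial is None or self.serial == dev.serial)
                and (not self.require_encrypted or dev.encrypted)
                and (not self.roles or role in self.roles))

def evaluate(policy, dev, role):
    """Stage 2: first matching rule wins; no match falls through to DENY."""
    for idx, rule in enumerate(policy):
        if rule.matches(dev, role):
            return rule.access, f"rule {idx}"
    return Access.DENY, "default deny"

def handle_connect(policy, dev, role):
    """Stage 3: mount at the granted level or report the denial to the user."""
    access, reason = evaluate(policy, dev, role)
    ident = f"{dev.dev_class} {dev.vendor_id}:{dev.serial}"
    if access is Access.DENY:
        return {"access": access, "message": f"Access to {ident} denied ({reason})"}
    return {"access": access, "message": f"Mounted {ident} as {access.value} ({reason})"}

# Constructed sample policy: one approved encrypted corporate drive gets full
# access for finance staff, any other encrypted drive is read-only, all other
# USB storage and CD drives are blocked; anything else hits the default deny.
SAMPLE_POLICY = [
    Rule(Access.FULL, dev_class="usb_storage", serial="CORP-0001",
         require_encrypted=True, roles=frozenset({"finance"})),
    Rule(Access.READ_ONLY, dev_class="usb_storage", require_encrypted=True),
    Rule(Access.DENY, dev_class="usb_storage"),
    Rule(Access.DENY, dev_class="cdrom"),
]
```

Rule order matters: the specific allow rules must precede the class-wide deny, and the default deny at the end is what keeps an unanticipated device class from being mounted.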
Host-based IPS is another major component of endpoint security; it protects from known and unknown zero-day threats by combining signature-based and behavioral intrusion prevention. HIPS reduces patching frequency and urgency, increases performance and productivity, protects data confidentiality and supports regulatory compliance.

Policy Compliance:
Even with the best technologies to mitigate malware and secure data, endpoints can still be compromised if virus signatures or service patches are out of date. That is where network access control (NAC) comes in. NAC performs a policy check on each endpoint against the security policy and enforcement rules created by administrators according to the assets and operation of the organization. Distributed enterprise networks require policy compliance to work with authentication systems from multiple vendors, so a unified system should support 802.1X authentication to enable NAC in a multi-vendor environment. In the case of unmanaged endpoints, on-demand compliance enforces policy without the need to install agent software, providing session confidentiality for those devices, and detects and disables spyware (Check Point, 2008).

Ensure Secure Remote Access:
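The NAC policy check just described, as an added example that is not Check Point's or any vendor's implementation: it evaluates an endpoint posture report against signature age, patch age, firewall and spyware rules and returns an allow or quarantine verdict, with the on-demand path for unmanaged endpoints. The report fields, thresholds and verdict strings are assumptions.

```python
# NAC admission decision from an endpoint posture report.
# Added illustration, not Check Point's or any vendor's NAC implementation;
# the report fields, thresholds and verdict names are assumptions.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Posture:
    """What the agent (or an on-demand scan of an unmanaged host) reports."""
    host: str
    managed: bool             # True if the endpoint agent is installed
    av_signature_date: date   # date of the newest anti-virus signature set
    last_patch_date: date     # date the OS was last patched
    firewall_enabled: bool
    spyware_found: bool = False

@dataclass(frozen=True)
class NacPolicy:
    """Enforcement rules an administrator sets for the organization."""
    max_signature_age_days: int = 3
    max_patch_age_days: int = 30
    require_firewall: bool = True
    require_agent: bool = False   # False: unmanaged hosts may pass an on-demand check

def posture(host, managed, sig_date, patch_date, firewall, spyware=False):
    """Build a Posture from ISO date strings (convenience for constructed reports)."""
    return Posture(host, managed, date.fromisoformat(sig_date),
                   date.fromisoformat(patch_date), firewall, spyware)

def violations(p, policy, today):
    """Return every enforcement rule the endpoint fails (empty list = compliant)."""
    now = date.fromisoformat(today)
    failed = []
    if policy.require_agent and not p.managed:
        failed.append("agent missing")
    sig_age = (now - p.av_signature_date).days
    if sig_age > policy.max_signature_age_days:
        failed.append(f"av signatures {sig_age}d old")
    patch_age = (now - p.last_patch_date).days
    if patch_age > policy.max_patch_age_days:
        failed.append(f"patches {patch_age}d old")
    if policy.require_firewall and not p.firewall_enabled:
        failed.append("host firewall disabled")
    if p.spyware_found:
        failed.append("spyware detected")
    return failed

def admit(p, policy, today):
    """Allow compliant hosts; send the rest to a remediation VLAN (quarantine)."""
    failed = violations(p, policy, today)
    if not failed:
        return {"host": p.host, "verdict": "allow", "violations": [], "action": "none"}
    # A managed host can be fixed through its agent; an unmanaged one has no
    # agent to push updates to, so it stays quarantined until a fresh on-demand
    # scan passes.
    action = "remediate via agent" if p.managed else "rescan on demand"
    return {"host": p.host, "verdict": "quarantine", "violations": failed, "action": action}
```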
VPN is the most commonly used technology to establish secure remote access to a network. It provides a secure tunnel that is encapsulated from other network traffic, which prevents eavesdropping and data tampering. A secure VPN provides an authentication mechanism for the tunnel endpoints during connection setup.

Minimize end-user impact:
It is important that endpoint security does not interfere with the way end users work. Most endpoint security suites need three to five or even more agent modules loaded into the PC, which affects memory usage and degrades performance by consuming more CPU cycles. This may cause problems for the end user in using the system itself. It annoys users when they are expected to patch or update signatures and perform other maintenance. Agents that provide easier management, less intervention and better performance lead to stronger endpoint security (Check Point, 2008).
Only the introduction of endpoint security, the ability to force mobile computers to secure themselves, offers end users the freedom to embrace mobility and gives the IT department robust protection for sensitive information. Endpoint security also allows organizations to audit, verify and enforce compliance with comprehensive policy auditing and flexible network access control, providing efficient and effective overall security for all standalone systems and endpoints in the organization.
References:
- Andrew H., Brian B., Gerry P., (2009), "Endpoint Security: Proactive Solutions for Network-wide Platforms", ESET, Available at: http://nod32.com/download/whitepapers/EndpointSecurity.pdf [Date accessed: 28-02-2010].
- Cascadia Labs, (2010), "Consumer Endpoint Security Suites", Product Digest, Available at: www.cascadialabs.com/reports/Cascadia_Labs_Kaspersky_KIS_2010.pdf/ [Date accessed: 12-2-2010].
- Check Point, (2008), "Check Point Endpoint Security: Meeting the challenge of securing endpoints by unifying essential components in a single agent", Available at: http://www.re-systems.co.uk/Check_Point_Endpoint_Security_whitepaper.pdf [Date accessed: 5-3-2010].
- Edmead M., (2009), "Developing a Collaborative Endpoint Security Solution: Why perimeter security is not enough...", White Paper, Available at: http://www.kace.com/resources/Developing-a-Collaborative-Endpoint-Security-Solution [Date accessed: 15-2-2010].
- Greg Masters, (2010), "An explosion in smartphones, laptops, USB sticks and other portable devices has brought new security challenges, reports Greg Masters", Available at: http://www.scmagazineus.com/on-the-go-mobile-security/article/161696/ [Date accessed: 14-03-10].
- Information Security Breaches Survey, (2008), PricewaterhouseCoopers, Available at: http://www.pwc.co.uk/eng/publications/berr_information_security_breaches_survey_2008.html [Date accessed: 16-2-2010].
- Internet Statistics and Numbers, (2009), Tech Crunchies, Available at: www.techcrunchies.com/what-percent-of-uk-internet-users-buy-online/ [Date accessed: 13-03-10].
- Jericho Forum, (2008), "EndPoint Security", version 1.1, Available at: http://www.opengroup.org/jericho/COA%20-%20Endpoint%20Security%20v11.1.pdf [Date accessed: 14-2-2010].
- McAfee, (2010), "McAfee Total Protection for Endpoint", Available at: http://www.questnbs.com/McAfee_PartnerPage_Links/Datasheets/McAfee_total-protection-for-endpoint_Datasheet.pdf [Date accessed: 12-2-2010].
- McAfee Tops, (2010), "McAfee Tackles the Complexities of Endpoint Security", Available at: www.mcafee.com/us/local_content/brochures/bro_tops.pdf/ [Date accessed: 20-2-2010].
- Moore F.C., (2010), "End Point Security, Securing the final three feet", East Carolina University, Available at: http://www.infosecwriters.com/text_resources/pdf/Endpoint_security_CMoore.pdf [Date accessed: 12-2-2010].
- Orgen E., (2009), "Endpoint Security: Moving Beyond AV", Orgen Group, Available at: http://www.preventia.co.uk/resources/white%20papers/lumension/Endpoint-Security-Moving-Beyond%20AV-Application-Whitelisting.pdf [Date accessed: 20-2-2010].
- Sophos, (2008), "Assessing endpoint security solutions: why detection rates aren't enough", White Paper, Available at: http://www.bestnetworksecurity.com/.../sophos-endpoint-assessment-whtppr.pdf/ [Date accessed: 2-3-2010].
- White Paper, (2007), Jericho Forum, Available at: https://www.opengroup.org/jericho/Business_Case_for_DP_v1.0.pdf [Date accessed: 4-03-2010].
- White Paper, (2010), Absolute Software, Available at: http://whitepapers.techrepublic.com.com/abstract.aspx?docid=1130885 [Date accessed: 15-02-2010].