May 2010
Beginning at the Endpoint
Faced with an ever-changing mix of new technologies, auditors should make these devices the starting point in security reviews.
Sajay Rai, CPA, CISSP, CISM
CEO
Securely Yours LLC
Philip Chukwuma, CISSP
Chief Technology Officer
Securely Yours LLC
Changes in the IT industry occur at a dizzying speed. Desktop and laptop computers are now giving way to 21st century smart phones and devices. All these new technologies have one thing in common — they store and enable access to information.
While organizations have been busy hardening their perimeter to secure their internal networks, they have largely ignored endpoint devices — the weakest link in protecting IT infrastructure. Recent examples of endpoint breaches include a Blackberry with 3,200 patient records taken from Marian Medical Center in San Diego in April 2009 and a hard drive with 200,000 names missing from Jackson Memorial Hospital in Miami in March 2009.
These breaches should raise the awareness and concern level within every organization. Such incidents can result in financial and reputational losses for organizations. Moreover, they illustrate why every internal audit department should include a periodic audit of endpoint security in its audit plans.
ENDPOINT SECURITY RISKS
An endpoint is any software or hardware that has an IP address, transmits data to another device, processes or displays information, or accesses a network or computing infrastructure. Any device that can connect to an organization’s network is an endpoint. Endpoints include devices such as desktops, laptops, and servers, as well as smart phones, radio frequency devices, routers, firewalls, switches, hubs, network attached storage, and voice-over-IP devices. Moreover, desktops and laptops generally have one or more wired network cards, Wi-Fi network cards, multiple CD/DVD ROMs, multiple USB ports, modem ports, an Ethernet connection port, and in some cases, Bluetooth and PCMCIA cards. Each of these items constitutes a potential security risk.
Securely Yours LLC estimates that about two-thirds of an organization’s critical data resides on endpoints. The risks to organizations associated with endpoints are as diverse as the endpoints themselves, including:
The mechanics of how secure an endpoint is may differ from one device to another, but the strategy to protect an organization’s endpoints should be consistent. Endpoint security should start with an enterprisewide policy that defines the intent to protect the organization from vulnerabilities. It is not sufficient to just develop a policy; the policy must have an enforcement mechanism. In many industries, regulatory changes that require the protection of personally identifiable information and personal health information are making organizations address endpoint security. Internal auditors should assess whether the organization is addressing endpoint security by identifying all the different types of endpoints in its environment, identifying the risks associated with each type, and defining the remedy or mitigation for those risks.
SECURITY SOLUTIONS
Because most organizations are faced with endpoint risks, internal auditors should assess the effectiveness of the solutions their organization has implemented to mitigate these risks. Today, most organizations should at least consider security solutions such as whitelisting, data loss prevention (DLP), and security over mobile computing devices and email.
Whitelisting
Antivirus software and personal firewalls continue to play an integral part in endpoint security. These technologies identify threats by matching known signatures. Once a signature is matched, the product denies access and quarantines the malware. Antivirus vendors continuously update the signature database, but it is the organization’s responsibility to deploy these signatures on desktops and laptops.
In today’s world of instant messaging, blogging, and dynamic social engineering websites, most organizations are unable to keep up with the pace of updates to antivirus programs and personal firewalls required to secure endpoints. A recent survey by Internet security firm Websense estimates that 95 percent of Web users encounter blogs, message boards, and chat rooms that contain malware, spam, and scareware. Social networking sites are also becoming a source of malware distribution to unsuspecting visitors.
For total endpoint protection, antivirus and firewall solutions are not enough. Endpoint security should include whitelisting. When mainframe computing was common, only applications and software identified on a whitelist could run on a mainframe. Whitelisting provides the same ability to identify applications that may run on an endpoint and prevent unauthorized applications from being used. In addition, whitelisting enables organizations to monitor threats in real time.
Data Loss Prevention
An effective endpoint security strategy also includes addressing all the interfaces on the endpoint. Organizations lose critical information through USB or equivalent devices. Employees can copy sensitive and protected information on these devices and remove such information from the premises. To stop this from happening, DLP should be part of the organization’s security strategy.
DLP is typically implemented as a client/server architecture. The DLP server contains the policy that defines access control for the endpoint interfaces, while the client at the endpoint communicates with the server and provides endpoint information through software “agents.” The same agent installed on the endpoint gathers both whitelisting and DLP information. This allows the client at an endpoint to stay “thin,” as only one agent needs to be installed, and also lowers the cost of the agents.
The server architecture provides the logging and reporting capabilities that are necessary for effective security. While whitelisting prevents unauthorized software from running on the endpoint, the data loss engine prevents unauthorized access to the interfaces. Any intrusion or unauthorized access is logged and reported.
Mobile Computing Devices
Another aspect of endpoint security is addressing mobile computing devices. Organizations issue laptops and smart phones to their employees to facilitate faster business decisions. These mobile devices carry sensitive company and customer information that if lost can result in reputational and financial loss and, in some cases, legal and regulatory sanctions. One strategy for protecting data on endpoint devices includes full disk encryption (FDE), a technology that encrypts the data on a mobile device so that it can only be accessed with the appropriate decryption key. Many organizations also deploy solutions that enable them to delete data remotely from an endpoint device.
Email
Endpoint security cannot be completely addressed without discussing email. Although users may not be able to access the endpoint ports directly, they still may be able to steal data by sending an email attachment. DLP solutions can secure email and prevent users from sending sensitive data to an external entity.
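As an added illustration of the single agent described in the whitelisting, DLP, and email sections above (not code from the article or from any product), the following Python sketch evaluates the three kinds of endpoint events those sections discuss, an application launch, a write to removable media, and an outbound email, against a server-supplied policy, and logs every denial in the form a reporting server would collect. The whitelist hash, groups, domains, and sensitivity markers are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed allow-list and policy. A real agent would receive these from the
# DLP server; every hash, group, domain and marker here is a placeholder.
WHITELIST = {hashlib.sha256(b"approved-app-v1").hexdigest(): "approved-app"}
POLICY = {
    "usb_write_groups": {"it-admins"},            # groups allowed to write removable media
    "internal_domains": {"example.com"},          # any other recipient domain is external
    "sensitive_markers": ("CONFIDENTIAL", "PATIENT RECORD"),
}
AUDIT_LOG = []  # denial records the server side would collect for reporting


def is_sensitive(text):
    """Crude content classification: does the text carry a protected-data marker?"""
    return any(marker in text.upper() for marker in POLICY["sensitive_markers"])


def evaluate(event):
    """Decide 'allow' or 'deny' for one endpoint event and log every denial."""
    kind, reason = event["type"], None
    if kind == "exec":  # application whitelisting: only known images may run
        if hashlib.sha256(event["image"]).hexdigest() not in WHITELIST:
            reason = "image not on application whitelist"
    elif kind == "usb_write":  # interface control for removable media
        if not POLICY["usb_write_groups"] & set(event["groups"]):
            reason = "user not permitted to write removable media"
        elif is_sensitive(event["content"]):
            reason = "sensitive content copied to removable media"
    elif kind == "email":  # email channel: sensitive data must not leave the organization
        external = [r for r in event["recipients"]
                    if r.rsplit("@", 1)[-1].lower() not in POLICY["internal_domains"]]
        if external and is_sensitive(event["attachment"]):
            reason = "sensitive attachment addressed to external recipient"
    else:
        reason = "unknown event type"
    if reason is None:
        return "allow"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": event["user"], "event": kind, "reason": reason,
    })
    return "deny"


if __name__ == "__main__":
    print(evaluate({"type": "usb_write", "user": "bob", "groups": ["sales"],
                    "content": "quarterly numbers"}))          # deny
    print(json.dumps(AUDIT_LOG, indent=2))
```

Each denial record carries the user, the channel, and the reason, which is the minimum an auditor needs to reconcile agent logs against the written policy.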
AUDITING AN ENDPOINT ENVIRONMENT
The first step to auditing an endpoint environment is to understand the organization’s policies and how the policies address endpoint security. Second, internal auditors must understand the technologies deployed to implement endpoint security. This is probably the toughest task because some auditors may not be qualified to conduct such reviews. In such cases, it may be best to augment the audit staff with outside experts, because these technologies change rapidly.
Some endpoint solutions have an integrated, risk-based monitoring dashboard. Organizations that have implemented continuous or automated audits may want to start deploying the endpoint agents on those nodes that they audit regularly and let the agents continuously feed data to the dashboard. This strategy may prove to be a good investment if it reduces total audit costs in the long run and provides greater assurance that the organization’s endpoints are secure.
To comment on this article, email the authors at sajay.rai@theiia.org.
Send ITAudit article ideas to Steve Mar at steve_mar2003@msn.com.