Whitepaper: The Peril of Unsecured Endpoints

Dec. 16, 2004
Guidance on how to limit risk, but not productivity, on endpoint devices: desktops, laptops and notebook computers

The Threats

Servers and the data they house are generally secure. The same is only partially true for desktop computers residing within the enterprise and permanently connected to the corporate network. It is not at all true for mobile PCs. For those users, neither physical nor data security exists to a satisfactory degree, presenting a never-ending danger to the business. What is at risk? Consider these facts presented by various industry pundits and market research firms:

* Two-thirds of critical business data resides on employee workstations or notebooks, NOT on servers (1)

* Around 90 percent of mobile devices lack the necessary security to prevent hackers from gaining access (2)

* "Everyone has been focusing on the [wireless] access point as the intrusion point. But no one is looking at the client." (3)

* Each year, more than one million mobile computers are lost or stolen, and according to the FBI, less than 2% of them are ever recovered. (4)

* A laptop theft results in an average loss of $89,000 (5)

How Bad Is the Situation?

According to the Aberdeen Group, enterprises in the United States spent more than $3.5 billion managing security vulnerabilities in 2002. Of this, 92 percent was in the form of IT staff time, with the other eight percent spent on technology solutions. In the first quarter of 2003, revenue growth among providers of data security technology grew 12.7 percent while revenue in the CRM market shrank 17.4 percent, compared with the same quarter one year earlier.

Corporate security remains the top priority of IT professionals, according to IDC. Forty percent of IT managers surveyed by IDC rated IT security as their highest priority. Worldwide, the total IT security market, including software, hardware, and services, is expected to reach $45 billion in annual revenue by 2006, compared with revenue of just $17 billion in 2001, according to IDC. (6)

Wireless Poses the Greatest Threat

With thousands of public wireless hotspots now available in airports, hotels, restaurants and coffee shops, corporate policies must be created defining best practices and identifying under what circumstances connectivity is allowed. Unfortunately, even the strictest corporate policies for secure mobile computing are meaningless if they cannot be enforced. Prohibiting wireless connectivity completely, for example, still does nothing to stop users from purchasing and using readily available aftermarket wireless devices.

Enterprises are looking for solutions allowing them to define, implement, and deploy security policies for mobile computers that can provide flexibility by location for each employee. For example, an enterprise security policy might allow wireless connectivity while at headquarters, but only to the secure corporate WLAN. Attempted access to rogue networks should be detected and stopped automatically, without user intervention. However, wireless access at a coffee shop might be allowed, as long as the user is running a kernel-level firewall and using a VPN.

Perhaps The Meta Group sums it up best: "Given the heavy grassroots push for adoption of wireless LAN technologies, IT organizations must be proactive in establishing a corporate-wide wireless policy. A policy must either eliminate wireless use or force compliance across enterprise deployments, including guidelines on governance, security, and enforcement." (7)

Risks Associated with Mobility

Although mobile users are not always connected to trusted networks, their portable computers almost certainly contain sensitive data they have downloaded from the corporate network. Even data stored on corporate servers may have heightened security requirements. The risk of theft of sensitive information through removable storage devices such as CD-RWs or USB thumb drives is multiplied when users are mobile. Similarly, a device or even an entire network could be infected with a virus introduced on a thumb drive, or through a mobile device with outdated anti-virus software. Another risk is the use of dangerous network applications such as peer-to-peer file sharing, which often introduces malware (viruses, worms, Trojan horses, keystroke logging programs and the like) to the device.

Where Could It Happen?

The possibilities are endless. Mobile and wireless devices are alluring targets for hackers. Organizations are seeing a critical need to control a notebook PC's ability to connect based on its location. Beyond that, corporations must protect the data assets resident on these mobile devices by controlling access to the PC's I/O ports.

Security Threats Are Everywhere

At work: WLAN-friendly Windows XP automatically enables wireless notebooks to connect to a neighboring business' network without the user's knowledge. Sensitive files can be copied onto CDs or thumb drives, against policy.

Away from the office: When the wireless card or radio is activated, networking ports are not closed to block unwanted access to the mobile computer's file shares. Users run peer-to-peer applications that introduce security threats.

At public hotspots and other locations where mobile users access the Internet: Hackers use port scanners to find ports left open by traditional desktop firewalls, and run scripted, peer-to-peer attacks that subvert the notebook's inadequate protections, gaining access to confidential data. In addition, hackers can gain access to VPN sessions, thereby gaining trusted access to the network.

At home: Most often, wireless home networks are unprotected and accessible to neighbors and hackers. Moving from one end of the house to the other may cause the machine to associate with a rogue, neighboring access point, with resultant access to files and, potentially, the corporate network.

Connecting to the corporate network: Mobile users who fail to run anti-virus software or neglect to keep signature files up-to-date infect the corporate network with a virus or worm when they reconnect to the environment. Users bring in viruses on USB thumb drives or diskettes.

Guidance on Endpoint Security Enforcement

The best way to reduce the risks associated with today's mobile, wireless workforce is through enterprise endpoint security enforcement. The idea behind this approach is simple: protect network and mobile data by enforcing client security policies which address new and inherent security risks as the enterprise shifts from stationary, wired networking to mobile computing.

Why would an organization want to do this? Consider the employee who is issued a new notebook PC to replace his or her aging desktop PC:

* When in the office, connected to the network via a wired connection on a desktop docking station, the security policy should allow unrestricted use of the notebook PC's hard drive, and access to only those portions of the corporate network for which the employee has appropriate rights.

* In the evening, as the employee works from home via a cable modem or DSL connection, the same security policy might disable the PC's wireless communications capability but keep the Ethernet cable port active.

* If the employee happens to be at a location with public Wi-Fi access (many coffee shops, airports, etc.), the security policy could also enforce VPN usage or disable all advanced networking, and allow access to only the local hard drive, preventing access to and from removable thumb drives and other external file-storage devices.
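The three scenarios above are, in effect, one policy function from observed network context to enforced controls. The following is an added example of such a function, written for this page and not Senforce code; the site fingerprints (gateway MACs and SSIDs), the storage-mode names, and the sample contexts are constructed assumptions, and the home-network storage setting is likewise assumed since the text leaves it open.

```python
"""Location-aware policy evaluation for a mobile endpoint.

Added illustration, not Senforce code: it models the docked-in-office,
home-broadband and public-hotspot scenarios as a function from observed
network context to the controls to enforce. Site fingerprints, SSID names,
storage modes and sample contexts are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NetworkContext:
    wired_gateway_mac: Optional[str]  # gateway seen on the Ethernet port; None if unplugged
    wireless_ssid: Optional[str]      # SSID the radio associated to; None if not associated
    vpn_active: bool                  # corporate VPN tunnel is established
    firewall_active: bool             # kernel-level firewall is running


@dataclass(frozen=True)
class Controls:
    location: str            # "office" | "home" | "public"
    wireless_enabled: bool   # radio may stay associated
    wired_enabled: bool      # Ethernet port may be used
    traffic: str             # "any" | "vpn-gateway-only" | "none"
    storage_mode: str        # "all" | "hard-drive-and-optical" | "hard-drive-only"
    reason: str


# Constructed fingerprints (assumption: a site is recognised by gateway MAC or SSID).
CORPORATE_GATEWAYS = {"00:11:22:33:44:01"}
CORPORATE_SSIDS = {"CORP-SECURE"}
HOME_GATEWAYS = {"00:aa:bb:cc:dd:01"}


def classify_location(ctx: NetworkContext) -> str:
    """Name the location from what is connected; anything unrecognised is public."""
    if ctx.wired_gateway_mac in CORPORATE_GATEWAYS or ctx.wireless_ssid in CORPORATE_SSIDS:
        return "office"
    if ctx.wired_gateway_mac in HOME_GATEWAYS:
        return "home"
    return "public"


def evaluate(ctx: NetworkContext) -> Controls:
    """Return the controls the policy enforces for this network context."""
    loc = classify_location(ctx)
    if loc == "office":
        if ctx.wireless_ssid is not None and ctx.wireless_ssid not in CORPORATE_SSIDS:
            # The radio drifted onto a neighbouring or rogue AP while docked:
            # drop it automatically; the wired docking-station link stays usable.
            return Controls(loc, False, True, "any", "all",
                            f"blocked association to non-corporate SSID {ctx.wireless_ssid!r}")
        return Controls(loc, True, True, "any", "all",
                        "trusted corporate network, full use of local drives")
    if loc == "home":
        # Broadband over Ethernet stays active; the radio is disabled so the
        # machine cannot associate with a neighbour's access point.
        return Controls(loc, False, True, "any", "hard-drive-and-optical",
                        "home network: radio off, Ethernet port active")
    # Public hotspot: require the kernel firewall, confine traffic to the VPN
    # gateway until the tunnel is up, and block removable storage.
    if not ctx.firewall_active:
        return Controls(loc, False, False, "none", "hard-drive-only",
                        "kernel firewall not running: all networking disabled")
    traffic = "any" if ctx.vpn_active else "vpn-gateway-only"
    return Controls(loc, True, True, traffic, "hard-drive-only",
                    "public hotspot: VPN enforced, removable media blocked")


# Constructed contexts for the scenarios in the text plus a rogue-AP case.
DOCKED = NetworkContext("00:11:22:33:44:01", None, False, True)
OFFICE_ROGUE_AP = NetworkContext("00:11:22:33:44:01", "NextDoorNet", False, True)
HOME_DSL = NetworkContext("00:aa:bb:cc:dd:01", None, False, True)
HOTSPOT_NO_VPN = NetworkContext(None, "CoffeeFreeWiFi", False, True)
HOTSPOT_VPN = NetworkContext(None, "CoffeeFreeWiFi", True, True)
HOTSPOT_NO_FIREWALL = NetworkContext(None, "CoffeeFreeWiFi", False, False)

if __name__ == "__main__":
    for name, ctx in [("docked", DOCKED), ("office rogue AP", OFFICE_ROGUE_AP),
                      ("home", HOME_DSL), ("hotspot", HOTSPOT_NO_VPN)]:
        print(f"{name:16} -> {evaluate(ctx)}")
```

The point of the shape is that the decision is made by the enforcement engine from observable facts (which gateway or SSID is present, whether the firewall and VPN are up), not by asking the user; the rogue-AP case shows why the radio and the wired port are controlled independently.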

Though these measures might seem draconian, they are not at all unusual, and are in fact highly desirable, for certain organizations, such as the government, the military, or sensitive corporate environments. Endpoint security enforcement solutions provide a way to implement these long-desired, tightly controlled and highly adaptive security policies.

Policies are the Cornerstone

How is this done? An enterprise endpoint security enforcement solution creates granular policies - as many as necessary for an enterprise's diverse user groups - that are automatically downloaded to all endpoint devices (desktops, notebooks and tablet PCs) and stored in encrypted form on each device. This policy distribution capability should be able to reside outside the corporate firewall and, in fact, should be able to reside anywhere. No SSL links should be required for secure policy transfer, to improve accessibility and reduce performance issues.

The solution should be self-defending, making it impossible for a privileged end-user to bypass or otherwise defeat the security policy. This must include provisions for ensuring that the user cannot turn off the policy enforcement engine or otherwise cause it not to function.

A truly effective endpoint security solution should reside in the operating system kernel at the Network Driver Interface Specification (NDIS) driver layer for each network interface card (NIC). In fact, this is the strong recommendation from Microsoft itself. This ensures much higher security than first-generation firewall technology based solely on packet filtering or dirty hooks.

Additionally, the endpoint security solution should keep track of policy enforcement actions, as well as attempted attacks and activities, reporting back to an auditing service to ensure compliance with corporate policy as well as regulatory requirements.

Finally, such a solution should support a highly scalable security policy distribution architecture enabling existing IT staffs to keep thousands of enterprise users regularly and securely updated. It should integrate into the organization's Active Directory, NT Domains, and/or LDAP directory stores, instead of requiring yet another user database.

Key Components

The threats discussed earlier indicate there are four key areas that must be addressed by an enterprise endpoint security enforcement solution:

* Mobile security enforcement

* Wireless connectivity control

* Enterprise-managed endpoint integrity checking

* Removable data storage device control

Each of these will be discussed briefly.

Mobile Security Enforcement

Enterprise endpoint security enforcement solutions must manage where and under what circumstances users are allowed to communicate, to protect critical data. This can be accomplished through a security software implementation integrated into the NDIS driver for each network interface card. Unsolicited traffic is stopped at the lowest levels of the NDIS driver stack by means of stateful packet inspection technology. This approach protects against unauthorized port scans, SYN flood attacks, denial-of-service and other protocol-based attacks, in a way that optimizes security decisions and system performance.

Some managed firewall products purport to run 'deep inside the operating system kernel', but in fact use Transport Driver Interface (TDI) filters or hook drivers for security protection. TDI filters operate higher in the network protocol stack than NDIS intermediate drivers, so they can miss lower-level protocol attacks. As for hook drivers, Microsoft recommends they "should not be used in Microsoft Windows XP and later versions" of their operating system because [they also run] "too high in the network stack." Microsoft goes on to conclude "[t]o provide firewall functionality on Windows XP and later, you should create an NDIS intermediate miniport driver to manage packets sent and received across a firewall."(8)
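The essential idea of "unsolicited traffic is stopped by stateful packet inspection" is a flow table: connections the endpoint opens are remembered, and inbound packets are admitted only when they belong to one of those flows. The following added example models that logic in user space over constructed packet records; it is written for this page and is not Senforce's NDIS driver (a real implementation runs in a kernel driver beneath the protocol stack and tracks the full TCP state machine with timeouts). The local address, the scan threshold and the sample traffic are constructed.

```python
"""Model of a stateful inbound filter for an endpoint.

Added illustration of stateful packet inspection, not Senforce's NDIS driver.
Connections the endpoint opens populate a flow table; inbound packets are
admitted only when they belong to such a flow, so unsolicited SYNs to file
shares or other listening ports are dropped. A remote host that probes several
distinct ports without a matching flow is recorded as a suspected port scan
for the auditing service. Local address, threshold and traffic are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (sent by the endpoint) or "in" (received)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str       # any of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)


SCAN_THRESHOLD = 5   # distinct unsolicited ports from one source before flagging


class StatefulFilter:
    def __init__(self):
        self.flows = set()               # (remote_ip, remote_port, local_port)
        self.probes = defaultdict(set)   # remote_ip -> local ports probed unsolicited
        self.events = []                 # audit records for the reporting service

    def process(self, pkt: Packet) -> str:
        """Return "allow" or "drop" for one packet and update the flow table."""
        if pkt.direction == "out":
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_port)
            if "S" in pkt.flags:
                self.flows.add(key)      # endpoint initiated: replies are solicited
            elif "R" in pkt.flags:
                self.flows.discard(key)  # simplified; a real filter tracks full TCP state
            return "allow"
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.flows:
            if "R" in pkt.flags:
                self.flows.discard(key)
            return "allow"
        # No flow the endpoint opened: unsolicited, so drop and record the probe.
        self.probes[pkt.src_ip].add(pkt.dst_port)
        if len(self.probes[pkt.src_ip]) == SCAN_THRESHOLD:
            self.events.append(f"suspected port scan from {pkt.src_ip}")
        return "drop"

    def scanners(self):
        """Remote hosts that probed at least SCAN_THRESHOLD distinct ports."""
        return sorted(ip for ip, ports in self.probes.items()
                      if len(ports) >= SCAN_THRESHOLD)


LOCAL = "10.0.0.5"
# Constructed traffic: one legitimate HTTPS session, a five-port probe from one
# remote host, and a single stray SYN to port 80 from another.
SAMPLE_TRAFFIC = [
    Packet("out", LOCAL, 51000, "203.0.113.10", 443, "S"),
    Packet("in", "203.0.113.10", 443, LOCAL, 51000, "SA"),
    Packet("in", "198.51.100.7", 40000, LOCAL, 135, "S"),
    Packet("in", "198.51.100.7", 40000, LOCAL, 139, "S"),
    Packet("in", "198.51.100.7", 40000, LOCAL, 445, "S"),
    Packet("in", "198.51.100.7", 40000, LOCAL, 3389, "S"),
    Packet("in", "198.51.100.7", 40000, LOCAL, 22, "S"),
    Packet("in", "192.0.2.9", 5555, LOCAL, 80, "S"),
    Packet("in", "203.0.113.10", 443, LOCAL, 51000, "A"),
]


def run(packets):
    """Apply a fresh filter to a packet list; returns (decisions, filter)."""
    f = StatefulFilter()
    return [f.process(p) for p in packets], f


if __name__ == "__main__":
    decisions, f = run(SAMPLE_TRAFFIC)
    for p, d in zip(SAMPLE_TRAFFIC, decisions):
        print(f"{d:5} {p.direction:3} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} [{p.flags}]")
    print("events:", f.events)
```

Because the decision depends only on the flow table, nothing listening on the endpoint (file shares, remote desktop) is reachable from a host the endpoint did not talk to first, which is the property the text asks for at hotspots and on home networks; the recorded events are what the auditing service in the next section would collect.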

Wireless Connectivity Control

Many IT managers believe they do not have a wireless connectivity problem because a) they do not allow wireless in their organization, or b) they have implemented a secure wireless network for their users. In fact, both situations require endpoint-based connectivity control. In the first instance, where wireless is not allowed, IT needs a way to enforce this. Since virtually all portable computers are wireless-capable, users can easily circumvent the prohibition.

In the second instance, it is easy for an organization's users to inadvertently connect to a neighboring WLAN, thus bypassing all the security built into the corporate WLAN. Access point connectivity should be controlled by group and location, allowing authorized network and service access while preventing connection to rogue, or unauthorized, access points. Even if the corporate WLAN is secure, hotspots and home networks often are not, and any data that happens to be on the endpoint is at risk.

Enterprise-Managed Endpoint Integrity Checking

Several aspects of the mobile PC must be checked to ensure safe operation. If the integrity checks pass, connectivity is allowed. Should any integrity check fail, connectivity is restricted until integrity issues are resolved, by either notification or updating.

For example, as part of a mobile security policy, antivirus integrity checking verifies that the endpoint's antivirus software is running and current with the latest virus signatures and definitions. By establishing integrity rules to automatically place policy-violating devices into a safe quarantine zone, infection of other network users is prevented.

* Policies can mandate immediate remediation, restricting a user to specific updates until the mobile endpoint is in compliance.

* Customized messages should be used to alert the end-user that action is being taken for a reason, and they need not call the help desk.

* Additionally, integrity rules should be able to trigger other policy settings based on time, location, connection status, etc.
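The integrity-check flow described above (verify antivirus is running and current, quarantine on failure, allow only remediation traffic, tell the user why) is shown below as an added example written for this page; it is not Senforce code. The signature-age limit, the remediation host names and the constructed endpoint states are assumptions, and the operating-system patch check is an assumed extra rule standing in for the "several aspects" the text says must be checked.

```python
"""Integrity rule evaluation with quarantine and remediation.

Added illustration, not Senforce code: check that antivirus is running and
its signatures are current; on any failure, place the endpoint in a
quarantine zone from which only the update servers are reachable and give
the user a message explaining the action. The signature-age limit, the
remediation hosts, the OS-patch rule and the endpoint states are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_SIGNATURE_AGE = timedelta(days=3)  # assumption: older signatures count as "not current"
REMEDIATION_HOSTS = frozenset({"av-update.corp.example", "patch.corp.example"})  # constructed


@dataclass(frozen=True)
class EndpointState:
    av_running: bool
    signature_date: datetime
    os_patched: bool


@dataclass(frozen=True)
class Decision:
    compliant: bool
    zone: str                 # "full" or "quarantine"
    allowed_hosts: frozenset  # hosts reachable in this zone; "*" means unrestricted
    failures: tuple
    user_message: str


def check_integrity(state: EndpointState, now: datetime) -> tuple:
    """Return the integrity rules the endpoint fails (empty means compliant)."""
    failures = []
    if not state.av_running:
        failures.append("antivirus is not running")
    else:
        age = now - state.signature_date
        if age > MAX_SIGNATURE_AGE:
            failures.append(f"virus signatures are {age.days} days old")
    if not state.os_patched:
        failures.append("required operating system updates are missing")
    return tuple(failures)


def decide(state: EndpointState, now: datetime) -> Decision:
    """Map integrity results to a zone, allowed destinations and a user message."""
    failures = check_integrity(state, now)
    if not failures:
        return Decision(True, "full", frozenset({"*"}), (), "")
    message = ("This computer does not meet the security policy ("
               + "; ".join(failures)
               + "). Network access is limited to update servers until the "
               "problem is corrected. No call to the help desk is needed.")
    return Decision(False, "quarantine", REMEDIATION_HOSTS, failures, message)


def permit(decision: Decision, host: str) -> bool:
    """Whether a connection to host is allowed in the endpoint's current zone."""
    return "*" in decision.allowed_hosts or host in decision.allowed_hosts


# Constructed endpoint states, evaluated at a fixed time.
NOW = datetime(2004, 12, 16, 9, 0)
COMPLIANT = EndpointState(True, datetime(2004, 12, 15), True)
STALE_SIGNATURES = EndpointState(True, datetime(2004, 12, 1), True)
AV_STOPPED = EndpointState(False, datetime(2004, 12, 15), False)

if __name__ == "__main__":
    for name, state in [("compliant", COMPLIANT), ("stale", STALE_SIGNATURES),
                        ("av stopped", AV_STOPPED)]:
        d = decide(state, NOW)
        print(f"{name:11} zone={d.zone} failures={d.failures}")
```

The quarantine zone is expressed as an allow-list of destinations rather than a simple on/off switch, which is what lets the endpoint fetch the updates it needs to become compliant again without ever reaching other users on the network.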

Storage Device Control

Endpoint policy enforcement products should enforce corporate policies regarding storage of information onto locally attached USB thumb drives or writeable CD drives. Such control could also prevent theft of data from unattended desktops and notebook PCs. Control should be enforced by location, depending on the threat profile. Such control could include any of the following:

No local data device control. All local storage devices are available.

Local data storage devices disallowed. Only the local hard drive is available; all other local storage media are disallowed. (Data cannot be copied to a USB device, for example.)

Local data devices disallowed except CD/DVD drives. Only the local hard drive and any CD/DVD drives are available. Users can access data stored on CDs or DVDs, and can write to CD-R/RW or DVD+/-R/RW devices. All other local storage media are disallowed.

In Summary

An enterprise endpoint security enforcement product should effectively and efficiently balance security and productivity for all users, regardless of whether they are connecting to the Internet or the corporate network via a desktop or mobile device. The following table shows the most critical features and benefits of such a solution.

Endpoint Security Enforcement Product Features

Operating system kernel-layer managed stateful firewall: Ensures a much higher level of security than first-generation firewalls based solely on packet filtering or hooks at higher levels of the protocol stack

Highly scalable security policy distribution: Keeps thousands of enterprise users regularly and securely updated both inside and outside the corporate network's managed security perimeter

Location-based controls: Allows security permissions to change dynamically as users move across different networks and encounter different risks worldwide

Protects mobile endpoints at the network adapter, regardless of how they connect to the Internet: Assures safety of data contained on mobile PC hard drives by shutting down all output devices and ports

Centralized IT control of WiFi connectivity: Simplifies compliance with corporate security policy guidelines

Advanced WLAN control (up to and including complete radio silencing): Allows management of every phase of an organization's wireless deployment

Endnotes:

1 Gartner ITxpo Symposium, October 2002, Orlando, Fla.

2 Gartner Wireless & Mobile Summit, Spring 2004, Chicago, IL

3 Ryan Crum, wireless security specialist at PricewaterhouseCoopers, as quoted in Living in Wireless Denial, CIO Magazine, September 15, 2004 Issue

4 Craig Crossman, May 2004.

5 FBI and CSI Statistics for 2002

6 IDC, Feb. 4, 2003.

7 Meta Group 7/10/03

8 Microsoft Corporation, Network Devices and Protocols: Windows DDK, June 6, 2003

About Senforce Technologies Inc.

Senforce is a leader in policy-enforced endpoint security. Senforce Enterprise Mobile Security Manager (EMSM) ensures central management and control of all computing clients regardless of a user's location or method of accessing the Internet. It provides protection against exposure and risk caused by intrusion, unauthorized access, loss, theft, malware/viruses, unauthorized downloads or software removal, altered security or configuration settings, and more. Powerful standards-based core technologies ensure a higher level of security and management than available previously. The company is headquartered in Draper, Utah, with executive offices in the Silicon Valley, California, and sales offices in Illinois, New York, and Washington, D.C. Senforce is privately held and funded by Thomas Weisel Venture Partners, vSpring Capital, Rocket Ventures, American River Ventures and EsNet Group. The company serves customers primarily in the government, corporate, financial and healthcare sectors. For more information, visit www.senforce.com or call 1-877-844-5430.