<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SecurityNowBlog&#187; SecurityNowBlog-Network Security</title>
	<atom:link href="http://www.blueridgenetworks.com/securitynowblog/category/security_applications/feed" rel="self" type="application/rss+xml" />
	<link>http://www.blueridgenetworks.com/securitynowblog</link>
	<description>Secure Communications</description>
	<lastBuildDate>Wed, 28 Sep 2011 18:27:53 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Retailers Have Important Data Network, PCI, and PoS Security Choices</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/choices-retailers-choices-data-network-pos-2</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/choices-retailers-choices-data-network-pos-2#comments</comments>
		<pubDate>Thu, 19 Aug 2010 20:02:09 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Security Applications]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=340</guid>
		<description><![CDATA[PCI compliance alone does not equate to high assurance security. However, with Blue Ridge, high assurance security does not equate to an unaffordable solution.]]></description>
			<content:encoded><![CDATA[<p>PCI compliance, future requirements, and security best practices require retailers to make important choices. Retailers must control what data traffic may enter each store as well as what may leave. They also need to keep some things in each store separate from others. The methods used to secure data traffic can affect how retailers operate their stores.<span id="more-340"></span></p>
<p><strong>Centralized Firewall vs Firewall-per-Store for Retailers</strong></p>
<p>A centralized firewall for an array of stores is applied when they operate as a closed system. A closed system implements a block-all policy whereby all inbound and outbound data traffic is discarded except for explicitly specified exceptions: a ‘white list’. This benefits retailers by ensuring that unknown data traffic flows are eliminated, allowing only those approved.</p>
<p>Firewalls deployed at each site can be configured in a default-deny manner as well. However, they cost retailers more in hardware and operations (e.g., configuration and patch management). Even in managed services, these costs are passed on to the retailer one way or another. And, more managed firewalls mean more potential for configuration mistakes.</p>
<p style="text-align: left; ">Blue Ridge implements a closed system via our VPN technology, which we developed for military and other national security organizations over 15 years ago. It is by far the most time-proven VPN solution commercially available. However valuable one considers the various government certifications our VPN solutions have achieved, the most important metric is the fact that there have been no reported vulnerabilities or security breaches in all this time. This unrivaled record is attributable entirely to the technology. We would be delighted to explain the cryptographic differences between our technology and those developed by all other vendors.</p>
<p style="text-align: right; "><a title="Retail Store Network VPN and PoS Managed Security Service Overview" href="http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2010/08/Blue-Ridge-Retail-Security-Solution-2010-11-16.pdf">Download our &#8216;Retailer Network and PoS Security Overview&#8217;</a></p>
<p><strong>Public IP Addresses vs Private IP Addresses</strong></p>
<p>PCI compliance requires periodic scans of all publicly addressable IP addresses in a retailer’s network. A third party must conduct these scans. The price they charge retailers is based on the number of public IP addresses within PCI scope. Retailers save money by reducing the number of nodes that fall within the scope of this PCI requirement.</p>
<p>Blue Ridge significantly reduces this scope with the VPN appliances that it deploys at each store. These devices use whatever private IP address they dynamically acquire from whatever ISP router is at each store. The ISP router is considered ‘out of scope’ because the VPN appliance represents the line of demarcation between what falls inside and outside PCI scope. Retailers can gain some additional savings by not having to pay for public IP addresses from the various ISPs and carriers.</p>
<p>Blue Ridge is not unique in offering VPN appliances that operate with private IP addresses. However, all of the implementations by other major vendors require something called ‘Dynamic DNS’, which is easily susceptible to denial of service attacks. And, we know of at least one major vendor whose implementation is subject to more serious security vulnerabilities that can enable cyber criminals to crack their encryption. That said, we know of no publicly reported security breaches of this kind.</p>
<p><strong>Secure All of a Retailer’s Customer Data Traffic vs Just PAN Data Traffic</strong></p>
<p>Other customer data will eventually be covered under PCI. Numerous reports from the security industry tell of cyber criminals stealing more than just primary account number (PAN) data. PAN data is the primary focus of PCI. Cyber criminals can sell PAN data at a higher price if accompanied by other customer data that facilitates data theft. We expect that the PCI Council will be compelled to expand the scope of PCI to include this other customer data. As retailers deploy new or upgrade existing store IT services and execute PCI compliance tasks, they should identify other sensitive customer data vulnerable to theft and consider securing that data before the PCI Council mandates it. The incremental cost of securing this other data while doing so for PAN data can be trivial. However, retrofitting such additional security can be considerably more costly.</p>
<p>Blue Ridge has spent most of its 15 years serving customers that are high-value targets in government, military, finance, healthcare, and others. When it comes to high assurance security providers, there are those that ‘play it on marketing content’ and those that live it. Blue Ridge develops its own network appliances and computer security software in-house because most commercially available tools are too operationally complex to operate and they fall short of our high assurance security standards.</p>
<p>As Hanover Foods, TJ Maxx, Forever 21, and others can attest, mere PCI compliance does not equate to high assurance security. And with Blue Ridge, high assurance security does not equate to an unaffordable solution.</p>
<p><strong>One Network Segment per Store vs Multiple Segments </strong></p>
<p>Retailers can significantly reduce their PCI compliance costs through network segmentation. Consider all of the different devices in a store. Perhaps two to five of them handle PAN data. None of the others do. If all endpoints are on the same network segment, then all must be PCI compliant, and retailers must prove this is so.</p>
<p>As of now, PCI compliance only concerns PAN data. Therefore, retailers should create at least two network segments per store: one for point of sale (PoS) machines, and the other for all else.</p>
<p><strong>Single Vendor, Multiple Solutions vs Multiple Vendors with a Single Solution Each </strong></p>
<p>Retailers are faced with network, network security, and computer security issues. They must ensure that the ‘data gets to payment processing on time’ by selecting ISPs/carriers that deliver the most bandwidth reliably and for the most value. These transports must be managed in real time, and issue resolution often involves proving to an ISP/carrier that they are at fault. This ‘data in motion’, at least the PAN data, must be encrypted, which may or may not involve another service provider. The PoS machines in each store must be PCI compliant and free from malware. So, endpoint security represents another area requiring solutions.</p>
<p>Blue Ridge Retail Solutions cover all of the above. If anything goes wrong, it’s our job to fix it 24 x 7. In providing holistic solutions that cross multiple IT disciplines, we have been developing synergies, and continue to do so, between our network security appliances and computer security software. A capability may be interdependent between the two, or it may live in one of them simply because that is a better place to address it than the other.</p>
<p><strong>Wi-Fi Risks: Detection vs Prevention</strong></p>
<p>The first example of a synergistic solution was inspired by one of our retailer customers concerned with rogue Wi-Fi devices. PCI compliance requires quarterly Wi-Fi scanning of stores. Blue Ridge does not and probably never will offer Wi-Fi scanning for this purpose. Conducting such scans creates ineffective data analysis work, costs retailers thousands per year, and ultimately does not prevent data theft. Continuous Wi-Fi scanning with 24 x 7 alerts would be effective. But these services cost considerably more than quarterly scans.</p>
<p>Blue Ridge developed an enhancement to our computer security software, which runs in our customers’ Windows-based PoS machines to enforce PCI compliance settings and block malware attacks. The enhancement makes the presence of a rogue device irrelevant, Wi-Fi or not. It does so by leveraging its kernel-level control over the PoS to ensure that only the payment application software can access PAN data. In other words, even a rogue software process running with local admin rights on such a PoS machine cannot access the PAN data. This means that a rogue device or a rogue store clerk is prevented from accessing the PAN data. Protecting other customer data too is just a policy rule change to us and retailers.</p>
<p>And remember, PCI compliance requires that payment applications encrypt data transmissions. So, if a rogue software process cannot access the data, and a rogue store clerk cannot, and a rogue Wi-Fi device cannot, then Blue Ridge is preventing the problem at far less cost to retailers than reacting on a quarterly basis to Wi-Fi scanning reports.</p>
<p><strong>PoS Protection from Malware: Traditional AntiVirus Software Only vs Adding Zero-Day Protection Software</strong></p>
<p>Any breach of PAN data, or any customer data, is a nightmare to any retailer, regardless of whether a PoS machine was compliant or not. In test after test of antivirus products, laboratories are reporting that traditional signature-based antivirus products, essentially what nearly all retailers have, detect an average of about 20% of new malware attacks. When labs throw in some heuristics features, average detection rates double to around 45%. After 30 days, average test results on the same malware samples improve to almost 60%. Antivirus vendors enable optional features in their products for lab tests they sponsor, which achieve test results over 85%. But, security industry experts say that these features are generally too complex to use in the field, saying nearly all enterprise organizations use nothing but the default settings, even the vendors themselves. Unfortunately, many vendors get away with sponsoring lab tests where their product is tested against large amounts of old malware (more than 3 months) to inflate their detection rate.</p>
<p>The bottom line is simple: the antivirus software found on retailer PoS machines has at best a 50-50 chance of detecting a malware attack when it happens. For machines not running with local admin rights, their antivirus software may detect and remove the malware weeks or months later, after it has stolen every customer record that traversed that machine. Retailers ought to be demanding better!</p>
<p>Blue Ridge offers computer software either as a managed service or as something retailers can manage themselves. Our AppGuard Enterprise Plus and AppGuard security software deliver nearly 100% protection from malware attacks without distracting store clerks from their jobs.</p>
<p>PCI compliance seems to require traditional, signature-based antivirus software, despite lab test results. Our security software is compatible with almost all of the antivirus products that a retailer is likely to be using. Retailers can reduce costs by replacing expensive, name-brand antivirus with less expensive, sometimes more effective alternatives. Even if the less expensive product is less effective, our software stops what it misses. More savings can be realized when the PCI Council rules on whether retailers may use newer, more effective anti-malware technologies in lieu of traditional ones.</p>
<p><strong>Managed Services vs Self-Managed </strong></p>
<p>Perhaps this is the biggest benefit for you. There is only so much time in the day, but there are many projects. We can allow you to focus on your sales while we handle all of the above. Our pricing includes this AND the equipment, which should save you money in the long run and let you get more done.</p>
<p><a href="http://www.blueridgenetworks.com/solutions/retail.php">Learn More about Blue Ridge Retail Solutions</a></p>
<p><a title="Retail Store Network VPN and PoS Managed Security Service Overview" href="http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2010/08/Blue-Ridge-Retail-Security-Solution-2010-11-16.pdf">Download our &#8216;Retailer Network and PoS Security Overview&#8217;</a></p>
<p>877-528-2823</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/choices-retailers-choices-data-network-pos-2/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SSL VPN Remote Access is Convenient but Not Secure</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/ssl-vpn-remote-access-telework-more-data-leak-risks-than-ipsec</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/ssl-vpn-remote-access-telework-more-data-leak-risks-than-ipsec#comments</comments>
		<pubDate>Fri, 18 Sep 2009 15:38:08 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Security Applications]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=221</guid>
		<description><![CDATA[SSL VPN security is equivalent to holding private meetings in a crowded restaurant whereby other diners are required to voluntarily ignore the conversation and those in it are blind-folded and required to recognize the voices of their colleagues to prevent outside influences. Web browser security flaws, lack of browser and computer policy enforcement, computer malware, [...]]]></description>
			<content:encoded><![CDATA[<p>SSL VPN security is equivalent to holding private meetings in a crowded restaurant whereby other diners are required to voluntarily ignore the conversation and those in it are blind-folded and required to recognize the voices of their colleagues to prevent outside influences. Web browser security flaws, lack of browser and computer policy enforcement, computer malware, and dependence on end-users recognizing man-in-the-middle attacks make SSL VPN a poor choice for organizations with anything worth stealing or manipulating.<span id="more-221"></span></p>
<p><strong>Porous Compartmentalization within Web Browsers Undermines SSL VPN</strong></p>
<p>Researchers at DefCon 2009 recently published a comprehensive study on the unexplored opportunities for malware makers in attacking the interoperability of applications and their plug-ins, particularly web browsers. I recently posted an article on this blog articulating the nature and significance of these risks that indicate that <a title="InterOperability Among a Web Browser, its Plug-Ins, and its Library Components Represent Fresh Meat to Cyber Criminals, Promising Years of Risk to All Web Browser Users" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">web browser vulnerabilities are at least one or two orders of magnitude more numerous than previously thought</a>. In short, the data interactions of any single web browser tab or window ought to be private and unadulterated by any other software object within the web browser. It isn’t so and will not be for a long time. Note that malware within a web browser is itself one of these software objects, and it manipulates the others.</p>
<p>Many information security practitioners recommend the <a title="Keep Your Bank and Credit Card Web Transaction Away from Man-in-the-Browser Attacks by Using Separate Web Browsers" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/dual-web-browsers-can-avoid-information-disclosures" target="_blank">use of two or more separate web browser applications to better compartmentalize web activities</a> from others until the promise of web browsers spawning separate processes per tab/window is convincingly demonstrated over time. This slight digression raises another point about endpoint policy enforcement and authentication (two sub-sections below).</p>
<p><strong>SSL VPN More Vulnerable to Malware-Infested Computer Risks</strong></p>
<p>But malware on a computer with IPSec or any other form of VPN is just as susceptible, right? Yes and no! Yes, malware intended to steal information can do so on either. However, with SSL VPN, the malware need only adapt to eavesdropping on web communications, whereas with IPSec VPN the malware must do so for all relevant applications. Similarly, altering or conducting additional activities is easier too. Further, an SSL VPN session can literally be hijacked, such that remotely controlled malware can continue to covertly use it without an end-user’s knowledge.</p>
<p><strong>SSL VPN End-user Convenience versus Enterprise Security</strong></p>
<p>More important than the above comparative susceptibility, however, end-users can use ANY computer to launch an SSL VPN session. Detecting malware after infestation, particularly on machines that run with local admin rights, is nearly pointless with the increased use of third-generation, rootkit-based malware. Cyveillance recently found that signature-based tools failed to detect over 71% of the malware samples, less than a month old, that it gathered in the wild for testing. I recently wrote another article concerning the <a title="Are Employee-owned Computers Handling Sensitive Information Free of Data Leak Malware; Do You Feel Lucky...Well Do Ya?" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/data_leak_prevention_must_handle_home_computer_use" target="_blank">data leak risks to organizations allowing employees to work from employee-owned computers</a>.</p>
<p>Man-in-the-browser malware is among the toughest to detect and deter. Sophisticated attacks from compromised or malicious websites, for example, employ public key cryptography to effectively obfuscate their malware attack code as it enters or leaves a computer (e.g., &#8220;Lucky Sploit&#8221; Malware ToolKit). If the attack code limits its operations to within the web browser, the chances of its detection are far, far less than if it tries to ‘venture out of the browser’. So SSL VPN communications are easier for malware to compromise than IPSec.</p>
<p>SSL VPN vendors offer browser plug-ins to assess the status of security software on a computer. This says nothing about the state of the computer an hour, day, or a year earlier. With today’s stealthy malware, endpoint health assessment must ultimately be a continuous, cradle to grave, practice. Employees understandably would have reservations about their employers continuously monitoring an employee-owned computer.</p>
<p><strong>SSL VPN Must Require a Dedicated Web Browser that is Site-Locked </strong></p>
<p>Cross-site scripting attacks, for which no near-term, practical defense yet exists, utterly confuse web browsers and their end-users such that they do not know with whom they are communicating. An organization that must use SSL VPN can enforce policies that site-lock a web browser to one or more SSL VPN gateway IP addresses. Malicious and mischievous end-users can circumvent policy enforcement tools not specifically designed to prevent this, however. Browser applets cannot do so continuously.</p>
<p>SSL VPN vendors could theoretically employ web browser applets that rigorously interrogate a web browser seeking an SSL VPN session to determine whether or not it truly is the designated web browser. Frankly, I don’t know if the vendors actually offer such a capability yet, or whether this proves effective. And keep in mind the article referenced above concerning browser/plug-in/library object interoperability, as well as object integrity shortcomings (not all web browsers provide for digitally signed validation of software objects): SSL VPN plug-ins and other software objects both present, and are subject to, other problems.</p>
<p>Regardless, SSL VPN gateways do not effectively authenticate computers (not to be confused with end-user authentication). So, if one ignores the risks from the host computer, dedicated, site-locked web browsers can reduce risks.</p>
<p><strong>SSL VPN Depends on End-users Properly Responding to Man-in-the-Middle Attacks</strong></p>
<p>Indirectly, the preceding sections imply man-in-the-browser attacks, whereby malicious software objects operate within the browser, unknown to the end-user, to eavesdrop, manipulate, and even hijack a session. Man-in-the-middle attacks, however, generally exploit end-user ignorance. Most end-users click on a web browser’s continue button when a prompt says the ‘certificate for this server is invalid’, trying to alert the end-user to the attack. Like opening email attachments, organizations can tell end-users not to do so, but they do. And, they will click that ‘continue’ button too. Endpoint policy enforcement tools can ensure end-user discretion is eliminated. But then, we return to the challenge of the SSL VPN gateway authenticating the browser, the computer, and the end-user too.</p>
<p style="padding-left: 60px;"><span style="color: #808080;">Side-story: Years ago, I showed a marketing colleague something on my computer display. It was a prompt from my web browser, alerting me to some web server’s invalid certificate. She agreed to make a quality screenshot of it. Almost immediately, she questioned why her display was so different from mine. She had clicked ‘continue’ on the prompt and said she always does so. The poor thing then endured one of my lectures.</span></p>
<p>Remember, end-user authentication is essential and most forms in use are vulnerable to man-in-the-middle attacks. One-time pass code systems authenticate the end-user but not the SSL VPN gateway. Out-of-band authentication (e.g., cell phone text message) is a worthy mechanism if it at least implicitly authenticates the SSL VPN gateway too. Client VPN software completely eliminates dependence on end-users making the correct security choice.</p>
<p><strong>SSL VPN Fine Grained Filtering Compared to IPSec and Local Ethernet Switches</strong></p>
<p>SSL VPN gateways perform proxy operations insofar as remote access user computers do not communicate directly with anything on the other side of the SSL VPN gateway. This proxy server functionality benefits organizations because it can filter out risky content such as HTTP ‘PUT’ requests that would try to write something to a server. Such filtering reduces the exposure of important servers to the endpoint population. Most SSL VPN gateways include such capabilities. As to what percentage of deployments actually makes significant use of it, I cannot say.</p>
<p>One might ask, however, how many organizations employ a proxy server between local end-users and their important servers? After all, Ethernet switches do not do so. Any endpoint, remote or local, is a potential malware-infested threat to all enterprise servers. How commonly do they internally deploy an SSL VPN gateway for this purpose? Are SSL VPN gateways sufficiently compatible with ALL of the enterprise applications employed? Doubtful!</p>
<p>Enterprise content filtering is becoming more and more comprehensive. These systems perform both proxy and non-proxy filtering of traffic. Does it make sense to effectively manage two sets of proxy servers: one for local endpoints and SSL VPN gateways for remote computers? Deploying a single system for both local and remote computers is considerably more practical. From this perspective, there are operational savings from using a layer 2 client VPN solution for remote access to protect important servers from the risks of client endpoint exposure.</p>
<p><strong>SSL VPN Offers Lower Operations Costs</strong></p>
<p>Presumably, SSL VPN does not require installation of persistent client software, sparing organizations the installation and software-testing requirements. However, SSL VPN vendor value-add capabilities, which help make their data sheets and marketing materials look impressive, often do install persistent client software. When features require local admin rights for first use, then persistent client software is in play, which can fail, be exploited, and must be patched/updated from time to time. I wrote of this in a white paper called the “<a title="Agent Based NAC Yields Continuous, Full-Time Endpoint Security Policy Enforcement On and Off Enterprise, Agent-less is Neither Clientless or Effective " href="https://secureitalliance.org/blogs/files/228/2519/WP-Case%20for%20Agent%20Based%20NAC.pdf" target="_blank">Case for Agent-based NAC Solutions</a>”. This tends to undermine the argument that SSL VPN doesn’t require client-side testing and life-cycle support but Client VPN software does.</p>
<p>Client VPN, however, always requires software installation. I can appreciate the dilemma of small and medium businesses lacking a centralized software distribution and configuration management system.<br />
However, those that do have them, such as federal organizations that must comply with <strong>Federal Desktop Core Configuration (FDCC)</strong> requirements and large commercial organizations, can push out software installations quite easily.</p>
<p>So, it comes down to known operations costs versus unknown security losses. SSL VPN represents a massive data leak risk. Yet, with the inability to detect malware infestations, man-in-the-browser attacks, and man-in-the-middle attacks, how would an organization plausibly know what data they are leaking daily, particularly if unknown computers are used for SSL VPN connections? No easy answer, so turn this perspective around to a basic security question: do you know where your data and documents are, and where they’ve been? Many security practitioners argue that if this answer is grossly unknown, then one cannot assert having good security. SSL VPN exacerbates this challenge.</p>
<p><strong>Do SSL VPN Security Weaknesses Matter to Organizations?</strong></p>
<p>The primary purpose for SSL VPN deployment is to provide low operations cost remote access to organization employees so they can access and input data so their employers benefit from increased productivity. Ideally, organizations also consider security a primary factor in SSL VPN deployment, seeking private communications without tampering by outside parties and reduced exposure of the application servers to malice. Given that most of my concerns regarding SSL VPN security have been expressed for years and SSL VPN continues to be so widely employed, is SSL VPN security really a priority among IT decision-makers, or are those professionals really unaware of them?</p>
<p><strong>If One Must Use SSL VPN, Invest in Computer Protection</strong></p>
<p>Blue Ridge offers several computer protection products, <a title="Consumer and Small Business Computer Protection from Zero Day Virus, Worms, Trojans, USB, and other Malware Attacks" href="http://www.blueridgenetworks.com/products/appguard.php" target="_blank">AppGuard</a>, <a title="Centrally Managed Lightweight Enterprise Computer Protection from Zero Day Virus, Worms, Trojans, and other Zero Day Malware" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">AppGuard Enterprise</a>, and <a href="http://www.blueridgenetworks.com/products/appguard-enterprise-plus.php">AppGuard Enterprise Plus</a>. They protect computers from malware attack code of all ages, whereas the anti-virus/spyware products found on nearly all enterprise computers are only effective at stopping malware that is over a month old and used extensively by cyber criminals in the wild. Equally important, from both the end-user and enterprise administrator perspectives, they are considerably more ‘usable’ than alternatives from other vendors.</p>
<p>Secondly, encourage your end-users to use one web browser for SSL VPN, and FOR NOTHING ELSE. Consult your SSL VPN provider for its most robust mechanisms for rejecting other web browsers. The <a href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/dual-web-browsers-can-avoid-information-disclosures" target="_blank">dual browser strategy reduces the risks from man-in-the-browser threats</a>.</p>
<p><strong>For More SSL VPN Risk Mitigation, Invest in Computer Protection AND Control</strong></p>
<p>The above recommendation depends upon the voluntary compliance of end-users to NOT use the SSL VPN dedicated web browser for OTHER purposes. Organizations can eliminate this dependence with AppGuard Enterprise Plus, which can lock-down web browsers in the manner implied above, even when end-users operate their computers with local admin rights.</p>
<p>The AppGuard Enterprise Plus solutions can also provide IT personnel considerable operational awareness of the state of their endpoint population to identify and quantify their risks. Further, AppGuard Enterprise Plus can then enforce the subsequent security configuration policies from these audits to dramatically reduce endpoint exposure to attack and data leaks. They can also assess and remediate numerous and common problems in 3rd party security software products. Studies typically reveal that one out of every four enterprise computers is at greater risk because a security software product is out of date, disabled, or otherwise underutilized. AppGuard Enterprise Plus identifies and corrects these issues to maximize the value of these investments and minimize endpoint risks. AppGuard Enterprise Plus can also snuff out unwanted software applications (e.g., peer-to-peer, rogue instant messengers, etc.), assess/implement Microsoft security patches, as well as conduct custom script-based assessments and configuration changes uniquely required for an endpoint population.</p>
<p>AppGuard Enterprise Plus is designed NOT to replace typical endpoint management tools but supplement them so organizations do not have to buy into the expensive and sticky all-in-one promises of the big vendors. Consequently, IT personnel do not have to abandon their proficiency with their familiar tools and learn how to use something else.</p>
<p>As much employee work is conducted on employee-owned computers, employers are justifiably concerned about the security of these computers. Some employees are opposed to their employer managing AppGuard Enterprise Plus agents on their home computers but are more open to a trustworthy third party, such as Managed AppGuard Enterprise Plus.</p>
<p><strong>For Organizations with Much to Lose, Little to Spend, and a Need for Truly Secure Remote Access for Telecommuters/Teleworkers</strong></p>
<p>Supplementing the above endpoint security solutions, Blue Ridge offers the <a title="Secure Remote Access VPN for Telework and Day-Extenders" href="http://www.blueridgenetworks.com/products/borderguard-6000.php" target="_blank">BorderGuard VPN</a> product and a <a title="24 x 7 Remote Access VPN Managed Security Service with End-user Help Desk" href="http://www.blueridgenetworks.com/products/managed-vpn-service.php" target="_blank">Managed VPN managed security service</a> to deliver highly secure and end-user friendly remote access. These solutions have been deployed world-wide for over a decade.</p>
<p>They use IPSec VPN technology with a proprietary key exchange process, which is largely responsible for the lack of any reported vulnerabilities or security breaches for over a decade. If one goes to the National Vulnerability Database and searches on the keyword ISAKMP, an acronym associated with all other IPSec offerings, no other vendor can boast such a record.</p>
<p>The key exchange process, called security enhanced Internet key exchange (SE-IKE), envelops the entire key exchange within mandatory mutual public key authentication, which literally double encrypts each key exchange message with two different RSA keys. Consequently, SE-IKE is immune to protocol attacks, man-in-the-middle attacks, and others, whereas all other IPSec and SSL VPN offerings are not. Note that most IPSec deployments of other vendors' offerings use shared secret keys, which expose their VPN to virtually undetectable man-in-the-middle attacks if just one of their unpatched VPN appliances/routers is compromised. Unlike SSL VPN, Blue Ridge VPN solutions eliminate dependence on end-users making correct security decisions.</p>
<p>These BorderGuard solutions can use either the PKI credentials facilitated by their central management system or 3rd party PKI credentials such as <a title="Army Approved Products List Remote Access VPN for DoD CaC PKI X.509 and Active Directory Authentication" href="http://www.blueridgenetworks.com/solutions/government/dodpki-cac-remote-access.php" target="_blank">DoD CAC</a> and <a title="Federal Telework HSPD-12 Compliant Remote Access VPN for PIV X.509 Card Authentication and Temporary Certificates for Transient Workers" href="http://www.blueridgenetworks.com/solutions/government/hspd-12-remote-access.php" target="_blank">HSPD-12</a>.</p>
<p>BorderGuard remote access differs considerably from SSL VPN and other IPSec offerings in other prominent ways too. Each remote access connection or tunnel is a true layer 2 connection, whereas SSL VPN and other IPSec offerings are not. Any application/communication protocol that can traverse Ethernet does so problem-free through a BorderGuard tunnel, which is like a secure Ethernet extension cord. And lastly, BorderGuard tunnels add considerably less bandwidth, latency, and jitter overhead. Case in point: BorderGuard tunnels secure satellite VoIP communications among Iraqi ministry and other government facilities. Other well-known products added too much overhead, leaving only BorderGuard solutions operational.</p>
<p><strong>Related Articles:</strong></p>
<p><a title="XSS, ActiveX, Man-in-the-Middle, and Man-in-the-Browser Vulnerabilities Toss SSL VPN Security Claims Aside" href="http://www.blueridgenetworks.com/securitynowblog/network_security/web-browser-vulnerabilities-are-ssl-vpn-risks" target="_blank">Flaws in Web Browser Security Undermine SSL VPN Security</a></p>
<p><a title="Does One Ever Know Extent of Malware Caused Data Leaks?" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/pc-malware-costly-security-breach-disclosures" target="_blank">PC Malware Driven Security Breach Disclosures—A Case of Worms</a></p>
<p><a title="NAP Can Reduce Enterprise Data Leaks from Employee Owned Computers if Full-Time NAP Agents on Them" href="http://www.blueridgenetworks.com/securitynowblog/network_security/data-leak-prevention-and-network-access-protection-nap" target="_blank">Data Leak Prevention and Network Access Protection (NAP)</a></p>
<p><a title="Any Website a PC Web Browser Visits May Trigger a Malware Attack" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/beladen-websites-attack-pc-malware" target="_blank">Websites Unknowingly Attacking PCs</a></p>
<p><a title="LUA Should Be Mandatory But NOT The End of Computer Protection" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/limited-user-account-does-not-protect-from-drive-by-download-attack" target="_blank">Is a PC Using a Limited User Account (LUA) Safe from Drive-by Download Attacks?</a></p>
<p><a title="Businesses Have 30 Days to Challenge Fraudulent Online Bank Transfers" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/antivirus-failure-costs-businesses-fraudulent-bank-transfers-fdic-regulation-e" target="_blank">Business Protection from AntiVirus-Failure Caused Fraudulent Bank Transfer Losses</a></p>
<p><a title="Employee-Owned Computers Used for Work--Do You Feel Lucky, Well Do Ya?" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/data_leak_prevention_must_handle_home_computer_use" target="_blank">Employee Owned Computers are Data Leak Risks to Employers</a></p>
<p><a title="Fresh Meat Aplenty for Cyber Criminals to be Found in Web Browsers for Years to Come" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">Never Ending Vulnerabilities for Web Browsers</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/ssl-vpn-remote-access-telework-more-data-leak-risks-than-ipsec/feed</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>5 Reasons to Replace Your Retail Data Network Provider</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/5-reasons-to-replace-your-retail-data-network-provider</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/5-reasons-to-replace-your-retail-data-network-provider#comments</comments>
		<pubDate>Thu, 02 Jul 2009 13:28:54 +0000</pubDate>
		<dc:creator>Jim Byrd, Director, Product Marketing</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Applications]]></category>
		<category><![CDATA[Heartland Breach]]></category>
		<category><![CDATA[Managed Network Service]]></category>
		<category><![CDATA[MPLS]]></category>
		<category><![CDATA[PCI-DSS]]></category>
		<category><![CDATA[Retail Data Network]]></category>
		<category><![CDATA[Retail Technology]]></category>
		<category><![CDATA[Retail VPN]]></category>
		<category><![CDATA[TJX Breach]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=109</guid>
		<description><![CDATA[1. You are paying more than $120 per month per site to connect your retail stores. Legacy networks such as Frame Relay and ATM can cost retailers as much as $500 per month per site, not including the additional charges for MACDs and technical support calls. Even the &#8220;new&#8221; generation of MPLS networks is burdened [...]]]></description>
			<content:encoded><![CDATA[<p>1. <strong>You are paying more than $120 per month per site to connect your retail stores</strong>. Legacy networks such as Frame Relay and ATM can cost retailers as much as $500 per month per site, not including the additional charges for MACDs and technical support calls. Even the &#8220;new&#8221; generation of MPLS networks is burdened with infrastructure costs they must pass along. Excessive charges like these can significantly impact profitability. Control these costs and you could increase your quarterly profit as much as 5%.</p>
<p>2. <strong>Your vendor will not sign up to a security SLA</strong>. Security breaches are a common occurrence these days. There are many well publicized breaches that have cost millions of dollars to clean up and untold dollars in customer confidence. Yet competing effectively requires real-time access to store and customer data to make sure shelves are stocked and customers can fly through the checkout lanes. However, the constant movement of data increases your exposure to the risk of data loss. A security SLA will ensure your network provider keeps up with the latest PCI-DSS requirements and will help you sleep better at night.</p>
<p>3. <strong>The quality of vendor support declines as your contract ages</strong>. All vendors promise good customer service, but few can deliver. How long does it take to make a change to your network configuration? How responsive is your Support Representative? When was the last time you received a call from your vendor just to &#8220;check in&#8221;? Is 24&#215;7&#215;365 Level 1 support included in your contract? Retailers are constantly challenged to deliver outstanding customer service. You should receive nothing less from your network provider.</p>
<p>4. <strong>Your network prevents you from rolling out innovative revenue generating programs</strong>. With consumers spending less during these lean economic times, retailers must get creative in how they capture and maintain the customer relationship. Inevitably this means developing loyalty programs that require customer data during an in-store transaction. If your network is incapable of rapidly delivering data, you will likely be unable to introduce the types of programs that differentiate you from the competition. A next generation fast, low cost data network will provide the foundation for deploying data intensive programs that increase sales and keep customers.</p>
<p>5. <strong>You are constantly hit with unexpected charges and expenses</strong>. Retailers, running on tight margins, especially need to have a handle on their network costs. Providers that get your business with a low monthly bid just to &#8220;nickel and dime&#8221; you throughout the term of the contract make the budgeting and reporting processes difficult at best and create an environment of distrust. Look for data network providers that charge a fixed monthly fee, regardless of the number of network changes or helpdesk calls. Also negotiate with the provider to deploy your network with no up-front capital expenses.</p>
<p><a title="More Choices, Better Results in a Managed WAN Solution" href="http://www.blueridgenetworks.com/solutions/retail/reduce-wan-costs.php" target="_self">Blue Ridge Can Significantly Lower Your Store Connection Costs and Increase Connection Speeds</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/5-reasons-to-replace-your-retail-data-network-provider/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Retail MPLS Data Networks at Risk</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/retail-mpls-data-networks-at-risk</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/retail-mpls-data-networks-at-risk#comments</comments>
		<pubDate>Tue, 16 Jun 2009 15:30:45 +0000</pubDate>
		<dc:creator>Jim Byrd, Director, Product Marketing</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Applications]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Blue Ridge Networks]]></category>
		<category><![CDATA[Dark Reading]]></category>
		<category><![CDATA[Integrity]]></category>
		<category><![CDATA[MPLS]]></category>
		<category><![CDATA[MPLS Networks]]></category>
		<category><![CDATA[MPLS Security]]></category>
		<category><![CDATA[PKI]]></category>
		<category><![CDATA[Retail Data Networks]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=87</guid>
		<description><![CDATA[Although the inherent flaws in MPLS security have been known for some time, only in the last few months has there been a concerted effort to deliver hacking tools designed specifically to exploit MPLS security vulnerabilities, putting retail data networks at risk of attack.

At a Black Hat Europe Conference last April a team of researchers released [...]]]></description>
			<content:encoded><![CDATA[<p>Although the <a title="MPLS Flaws" href="http://www.scmagazineus.com/For-managed-MPLS-based-network-migrations-to-be-truly-successful-enterprises-must-apply-due-diligence/article/34912/" target="_blank">inherent flaws in MPLS security</a> have been known for some time, only in the last few months has there been a concerted effort to deliver hacking tools designed specifically to exploit MPLS security vulnerabilities, putting retail data networks at risk of attack.</p>
<p>At a <a title="Dark Reading Article" href="http://www.darkreading.com/securityservices/services/data/showArticle.jhtml?articleID=216403220" target="_blank">Black Hat Europe Conference last April</a> a team of researchers released tools that can automate attacks on MPLS and Ethernet backbone technologies. According to one of the researchers, &#8220;These technologies do not provide any security themselves, but just rely on the assumption that the underlying network is secure.&#8221;</p>
<p>As MPLS VPNs evolved from proprietary networks to supporting internet-based services, so did their risk of attack. German researcher Ray says, &#8220;Enterprises that use these VPN services should be aware they are vulnerable. Perform risk analysis and encrypt your traffic.&#8221; &#8220;Just because it&#8217;s called MPLS VPN [doesn't mean] you should [automatically] trust it.&#8221;</p>
<p>Many retailers followed their service providers' advice and simply migrated from Frame Relay and ATM networks to MPLS. However, over time the majority of problems meant to be solved by MPLS no longer exist, and holes in the technology are being exploited.</p>
<p>Total information security for retail data networks is possible. Solutions using PKI technology, unique digital certificates with mutual mandatory authentication between security appliances, end-to-end data encryption and data integrity checking can provide a standalone data network solution or act as the security layer for an existing MPLS VPN network.</p>
<p>Retailers need to <a title="Retail Data Network Page" href="http://www.blueridgenetworks.com/solutions/retail.php" target="_blank">re-examine wide area networking technologies and topologies</a> as they seek to optimize the security, reliability and cost of their current data network.</p>
<h2><a title="The Most Secure Commercially Available VPN Solution" href="http://www.blueridgenetworks.com/solutions/retail/military-grade-vpn.php" target="_self">Blue Ridge Military Grade VPN, Fully Managed Solution</a></h2>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/retail-mpls-data-networks-at-risk/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Curbing 10 Costly Behavior Data Leak Problems</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/10_enterprise_data_leak_causes_remedies</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/10_enterprise_data_leak_causes_remedies#comments</comments>
		<pubDate>Tue, 04 Nov 2008 21:13:17 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Security Applications]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=33</guid>
		<description><![CDATA[Cisco recently commissioned InsightExpress to examine security and data leak implications from business employees' actions and inactions. The result is a Top 10 list of the most noteworthy behavioral findings, according to Cisco. IT personnel and business stakeholders must take action.
The table below lists the findings, states the potential impact, and prescribes one or more [...]]]></description>
			<content:encoded><![CDATA[<p>Cisco recently commissioned InsightExpress to examine security and data leak implications from business employees' actions and inactions. The result is a Top 10 list of the most noteworthy behavioral findings, according to Cisco. IT personnel and business stakeholders must take action.<span id="more-33"></span></p>
<p>The list below gives each finding, states the potential impact, and prescribes one or more countermeasures.</p>
<p>1. Changing security settings on computers</p>
<ul>
<li>(Risk) Increases exposure to malware and hacker attacks that can disclose sensitive information/credentials and implant malware</li>
<li>Lock-down security settings with an enterprise solution that continuously monitors and enforces policies on and off the enterprise network, and if necessary, supersedes privileges of end-users running PCs with admin rights</li>
</ul>
<p>2. Use of unauthorized applications</p>
<ul>
<li>(Risk) End-user installed software is frequently unpatched and vulnerable to attacks that disclose sensitive information, implant malware and use PCs as attack platforms.</li>
<li>(Risk) End-users might install software laced with malware that discloses information and uses the PC as an attack platform</li>
<li>Deploy enterprise application control solution that operates on and off the enterprise network, and if necessary, can supersede end-user admin rights</li>
<li>Monitor and/or block application launches from user-space (e.g., desktop, ‘My Documents’, etc.), a common home for unauthorized applications. This also blocks drive-by download attacks via web browser</li>
</ul>
<p>3. Unauthorized network/facility access</p>
<ul>
<li>(Risk) Information disclosures and compromise of critical resources</li>
<li>Implement two-factor authentication: PKI (included with Windows Server 2008), Smart Cards</li>
<li>Implement Microsoft Network Access Protection, using either 802.1x or IPSec mode</li>
<li>Enforce fine-grained resource access policies and logically compartmentalize server resources that cannot be readily PKI-enabled</li>
</ul>
<p>4. Sharing sensitive corporate information</p>
<ul>
<li>(Risk) Employees that do not perceive a personal financial loss from information disclosures are a major risk to the organization. No solution is 100%!</li>
<li>Consider secure thin client computing that includes an IPSec client, two-factor PKI authentication, and no general purpose Internet access (content filtering)</li>
<li>Where general purpose computing is unavoidable: audit, audit, audit!</li>
<li>Ban removable media (write) and web based email, lock-down PCs, and then decide upon exceptions</li>
</ul>
<p>5. Sharing corporate devices</p>
<ul>
<li>(Risk) Exposes organizations to greater potential for malware infestation and information disclosures</li>
<li>Lock-down PCs with enterprise solution that fully operates on and off enterprise network</li>
<li>Supplement PC anti-malware with non-signature-based tools, balancing security with usability</li>
<li>Audit, audit, audit!</li>
</ul>
<p>6. Blurring of work and personal devices, communications</p>
<ul>
<li>(Risk) Unknown computing devices risk information disclosures and may unwittingly be used to attack networked resources.</li>
<li>Implement Microsoft Network Access Protection (NAP) to at least compartmentalize information assets into different ‘risk zones’.</li>
<li>For handheld computer devices, seek out and require system health agents (SHA) to access anything from your NAP enabled intranet.</li>
<li>By compartmentalizing and effectively regulating all possible conduits to your information assets, you stand a much better chance of implementing various forms of content filtering to prevent bad stuff from coming in and limit what may go out.</li>
<li>Deploy USB computers. End-users boot their untrustworthy PC from these USB devices, rendering the health of these PCs moot. It's effectively a secure thin client on a stick (see item 4 above)</li>
</ul>
<p>7. Unprotected devices, computers left logged on and/or unlocked</p>
<ul>
<li>Implement and enforce computer settings that automatically log-off idle PCs.</li>
</ul>
<p>8. Storing logins and passwords on the computer or in obvious places</p>
<ul>
<li>(Risk) Compromised credentials lead to information disclosures</li>
<li>Implement two-factor PKI-based authentication.</li>
<li>Implement Microsoft NAP in 802.1x or IPSec mode, leveraging PKI smart cards</li>
<li>PKI enable as many server based resources as practical</li>
<li>For all other server based resources, rely on your Microsoft NAP implementation to compartmentalize them into ‘risk zones’ that require authentication</li>
</ul>
<p>9. Losing portable devices containing data</p>
<ul>
<li>(Risk) Lost devices are the most common source of data loss</li>
<li>Implement disk encryption solution that automatically encrypts removable media.</li>
<li>Device control solutions with very fine-grained options can be more trouble than they are worth.</li>
<li>Limit handhelds’ access, leverage Microsoft NAP</li>
</ul>
<p>10. Allowing unsupervised roaming around offices by non-employees</p>
<ul>
<li>(Risk) Information disclosures and malware implantations</li>
<li>Physical security should be addressed by physical security professionals.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/10_enterprise_data_leak_causes_remedies/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

