<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SecurityNowBlog&#187; SecurityNowBlog-Network Security</title>
	<atom:link href="http://www.blueridgenetworks.com/securitynowblog/tag/anti-virus/feed" rel="self" type="application/rss+xml" />
	<link>http://www.blueridgenetworks.com/securitynowblog</link>
	<description>Secure Communications</description>
	<lastBuildDate>Wed, 28 Sep 2011 18:27:53 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Business Partner Data Leak Prevention</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/business-partner-data-leak-prevention</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/business-partner-data-leak-prevention#comments</comments>
		<pubDate>Thu, 21 Aug 2008 18:48:39 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[anti-spyware]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[browser security]]></category>
		<category><![CDATA[data leak prevention]]></category>
		<category><![CDATA[disk encryption]]></category>
		<category><![CDATA[endpoint]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[NAC]]></category>
		<category><![CDATA[nap]]></category>
		<category><![CDATA[network access control]]></category>
		<category><![CDATA[network access protection]]></category>
		<category><![CDATA[Network Admission Control]]></category>
		<category><![CDATA[p2p]]></category>
		<category><![CDATA[policy enforcement]]></category>
		<category><![CDATA[usb thumbdrive]]></category>
		<category><![CDATA[web browser]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=15</guid>
		<description><![CDATA[If your business partners are accessing your sensitive data on your mission critical servers, you may find yourself living in excessively interesting times.
A signed agreement among business partners helps, but guarantees nothing. Incidentally, it can also discourage disclosure. Persuading them to implement better information security practices (i.e., spend more) can be fruitless.
Despite the difficulties, we [...]]]></description>
			<content:encoded><![CDATA[<p>If your business partners are accessing your sensitive data on your mission critical servers, you may find yourself living in excessively interesting times.<span id="more-15"></span></p>
<p>A signed agreement among business partners helps, but guarantees nothing. Incidentally, it can also discourage disclosure. Persuading them to implement better information security practices (i.e., spend more) can be fruitless.</p>
<p>Despite the difficulties, we often need a signed agreement to help us avoid the following risks posed by our business partners' endpoints:</p>
<ul>
<li>Infecting our mission critical servers (Risk 1)</li>
<li>Leaking data via malware (Risk 2)</li>
<li>Leaking data via removable media (Risk 3)</li>
<li>Leaking data via high-risk endpoint hard drives (Risk 4)</li>
</ul>
<p><strong>Limit server access to partner endpoints of acceptable risk.</strong><br />
Limit access by machine, not just by person. Limiting access based on both identity and health requires network access control (NAC) technology, such as Microsoft Network Access Protection (NAP).</p>
<ul>
<li>Try to limit access to machines that process as little data, documents, or media from the outside world as practical (Risk 2). This also means denying access to endpoints running p2p and similar software.</li>
<li>Ensure that anti-virus and anti-spyware software are running and up-to-date, and that they conduct full scans frequently (Risk 2)</li>
<li>Try to require additional anti-malware tools, because signature-based anti-malware products are becoming less effective every week (Risk 2).</li>
<li>Deny access to endpoints with promiscuous removable media settings (Risk 3)</li>
</ul>
<p><strong>Data stored on partner endpoints must be encrypted.<br />
</strong>Fixed and mobile PCs can be physically compromised. Limit server access to endpoints with full disk encryption (Risk 4). Also limit access to machines that require two-factor authentication to use the endpoint (Risk 4). If your partner&#8217;s disk encryption solution can ensure that write operations to removable media are encrypted, then you might ease up on removable media settings requirements (Risk 3).</p>
<p><strong>Consider limiting partner server access to thin client machines.</strong><br />
One can be very confident that no malware is operating within a freshly <strong>rebooted</strong> thin client machine (Risk 1). This can also be the most effective, albeit Draconian, risk mitigation for data leaks (Risks 2, 3, and 4). BTW, you could also have them access mirrors of your mission critical servers instead (Risk 1).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/business-partner-data-leak-prevention/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Black Hat 2008: Information Security Warnings to Consider</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/black-hat-2008-information-security-warnings-to-consider</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/black-hat-2008-information-security-warnings-to-consider#comments</comments>
		<pubDate>Wed, 20 Aug 2008 14:54:49 +0000</pubDate>
		<dc:creator>Fatih Comlekoglu, Chief Software Architect</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[ActiveX]]></category>
		<category><![CDATA[anti-spyware]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[Black Hat]]></category>
		<category><![CDATA[BotNet]]></category>
		<category><![CDATA[endpoint]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[safe browser]]></category>
		<category><![CDATA[SSL VPN]]></category>
		<category><![CDATA[zero-day]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=14</guid>
		<description><![CDATA[This gathering of information security experts revealed issues that will impact us all.  IT personnel must stay on top of them in the years ahead to secure their organization&#8217;s information assets. 
Traditional anti-virus products detect only 30% to 50% of malware.
One of the Black Hat presenters noted that one BotNet alters its malware executables [...]]]></description>
			<content:encoded><![CDATA[<p>This gathering of information security experts revealed issues that will impact us all.  IT personnel must stay on top of them in the years ahead to secure their organization&#8217;s information assets. <span id="more-14"></span></p>
<p><strong>Traditional anti-virus products detect only </strong><a href="http://www.darkreading.com/document.asp?doc_id=161263"><strong>30% to 50% of malware</strong></a>.<br />
One of the Black Hat presenters noted that one BotNet alters its malware executables every 10 minutes. This makes it nearly impossible for anti-virus vendors to maintain up-to-date signatures to intercept such malware.</p>
<p><strong>Malware attacks are very focused on client computers (i.e., endpoints)</strong>.<br />
Malware attacks will stay this way for many years to come, exploiting vendor software mistakes. Implement patches and isolate PCs without them. Remember, clever end-users without admin rights can install software. Perform periodic audits because these same end-users generally neglect patches.</p>
<p><strong>Most software vendors use poorly designed safeguards to secure their product self-updates</strong>.<br />
One Black Hat researcher predicts that hackers will exploit these weaknesses. Organizations that can utilize patch management systems for their endpoints both on and off the enterprise might consider disabling all self-update capabilities on individual applications. Good news: the presenter complimented Microsoft on the cryptographic design of its update mechanisms.</p>
<p><strong>Web browser security risks will get worse before they improve</strong>.<br />
More malware infestations occur via web browsers than via any other attack vector. In the coming year, researchers warn, recently exposed HTTP-based attacks using IFrame/JScript will dramatically increase in volume with costly consequences, enabling hackers to hijack:</p>
<ul>
<li>HTTPS sessions, which are the bread and butter of all e-commerce</li>
<li>Home routers and cable modems.</li>
</ul>
<p>Presently, there is little one can do to defend against these attacks without disabling a web browser’s scripting capabilities, which removes the Web 2.0 features that end-users value.</p>
<p>The standard-bearers for the newly designed HTTP version 5 appear to regard security as an after-the-fact detail. As web browsers implement the new conveniences of version 5, they will also be introducing new opportunities to exploit web browsers. Recommendation: assume your web browsers will be compromised and focus on containing the risk.</p>
<p><strong>Man in the middle (MiM) attacks on SSL VPNs and HTTPS will continue to increase</strong>.<br />
These attacks not only threaten to compromise information privacy but also threaten information integrity. Hackers can alter private content without leaving a trace of evidence behind. SSL VPN and HTTPS depend on the most vulnerable and most exposed object on the endpoint: the web browser. In formulating security policies, regard web browsers as untrustworthy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/black-hat-2008-information-security-warnings-to-consider/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>All-in-One Security Appliances Concentrate Vulnerabilities into One Box</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/all-in-one-security-appliances-concentrate-vulnerabilities-into-one-box</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/all-in-one-security-appliances-concentrate-vulnerabilities-into-one-box#comments</comments>
		<pubDate>Mon, 28 Jul 2008 16:59:44 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[anti-malware]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[perimeter security]]></category>
		<category><![CDATA[secure VPN]]></category>
		<category><![CDATA[security appliance]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=10</guid>
		<description><![CDATA[The more complicated something is, the more likely mistakes were made in its making. Mistakes facilitate security breaches. All-in-one security appliances consist of millions and millions of lines of software code. They are extremely complex. A software mistake in just one of the applications (anti-virus, router, firewall, anti-spam, URL filtering, network intrusion prevention, VPN, etc.) [...]]]></description>
			<content:encoded><![CDATA[<p>The more complicated something is, the more likely mistakes were made in its making. Mistakes facilitate security breaches. All-in-one security appliances consist of millions and millions of lines of software code. They are extremely complex. A software mistake in just one of the applications (anti-virus, router, firewall, anti-spam, URL filtering, network intrusion prevention, VPN, etc.) or functions of an all-in-one security appliance can compromise all of the other applications. There are examples in the NIST National Vulnerability Database of vulnerabilities in one application that would compromise the others.</p>
<p><span id="more-10"></span></p>
<p>Ideally, organizations would use single application appliances to isolate one security service from any failure in another security service. But, there are compelling economics behind all-in-one machines that have actually integrated the applications for simplified management and reduced up-front costs. Consequently, we have seen a strong trend away from many best of breed devices to a single all-in-one device.</p>
<p>All-in-one appliances do require more frequent security patches, however. These must be implemented quickly because all services on the device may be at risk of compromise. Fortunately, an all-in-one device reduces the patching scope from many devices to one device, figuratively speaking.</p>
<p>What we have not seen in the industry is recognition of the increased risks: one vendor programming mistake in an all-in-one appliance can bring all security services down. Secondly, with all-in-one devices, one may overlook that the system management options may have been designed from a single-device perspective. Remember, availability, bandwidth, geography, and end-user population size tend to require two or more all-in-one devices to be deployed. So, if five or more devices are required overall, be sure to assess the ease of administering five or more such devices before selecting a vendor.</p>
<p>When there are hundreds of remote access VPN end-users, one should consider implementing it on a separate device in front of the all-in-one device to improve scalability and security. Remember, remote access VPN computational loads are not just a function of aggregate bandwidth but also of the number of user-sessions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/all-in-one-security-appliances-concentrate-vulnerabilities-into-one-box/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Can End-users Install Software Without Administrative Privileges? Yes They Can!</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/can-end-users-install-software-without-administrative-privileges-yes-they-can</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/can-end-users-install-software-without-administrative-privileges-yes-they-can#comments</comments>
		<pubDate>Fri, 18 Jul 2008 15:35:23 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[policy enforcement]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=6</guid>
		<description><![CDATA[In general, IT personnel are far more knowledgeable and skilled than end-users when it comes to information security. Consequently, IT personnel prefer to limit what end-users can do on their assigned endpoints by provisioning end-users without administrative privileges. This sounds reasonable: the less users can do to alter their machines, the less likely they are [...]]]></description>
			<content:encoded><![CDATA[<p>In general, IT personnel are far more knowledgeable and skilled than end-users when it comes to information security. Consequently, IT personnel prefer to limit what end-users can do on their assigned endpoints by provisioning end-users without administrative privileges. This sounds reasonable: the less users can do to alter their machines, the less likely they are to expose their networks and systems to security breaches. By the way, minimizing dependence on end-users making correct information security decisions is almost always good policy.</p>
<p><span id="more-6"></span></p>
<p>Without endpoint administrative privileges, an end-user cannot add or modify files and registry settings in many “sensitive” places. The “Program Files” directory is one of them. This is where software applications are typically installed. Some application installations, such as client security software, must add or modify files in yet more “sensitive” places. In theory, these write-privilege limitations prevent end-users from installing peer-to-peer, recreational, pirated, and other unauthorized software. In reality, however, most such software can be installed elsewhere in the endpoint by these end-users, and run normally.</p>
<p>So, how do end-users circumvent these software installation restrictions? They do little more than just point and click!</p>
<p>After double-clicking on the Limewire set-up executable, for example, the end-user is asked to click “Ok”, “Next”, or “Continue” on several prompt windows. One such prompt window generally presented to the end-user concerns the destination of the installation, which normally defaults to within the “Program Files” directory. However, this prompt usually includes a “Browse” or “Custom” button that allows an end-user to specify a different location. The end-user merely needs to point to a directory within the user directory space such as “Desktop” or “My Documents”, for example. Most undesirable applications will operate fine in these locations. And, for the most part, these applications will run okay even if their executable has been renamed. Such end-users might rename limewire.exe to winword.exe (this would not interfere with Microsoft Word) to avoid detection, for example.</p>
<p>Some good news on the side: these installations alone cannot inject a rootkit into the host. The bad news is that if such software has a Trojan embedded within it, the “bad guys” will have a logical presence within the host from which they might exploit a vulnerability to infest “sensitive” places in the endpoint. But, while this is a threat not to be ignored, the threat of malware (i.e., Trojan) infested software installed by end-users is not the most immediate risk that requires action from IT personnel. There are far more numerous and impactful reports of security breaches caused by peer-to-peer software sharing “sensitive” documents on the host with anyone on the Internet. Additionally, end-users generally fail to keep the software they install up to date with the latest security patches provided by the vendors. The SANS Institute reported in November 2007 that hackers are increasingly targeting such client software. So, any application running on an endpoint that interacts with the outside world generally increases the exposure of that endpoint and the organization that hosts the endpoint. Now, outside of Microsoft, Apple, and Adobe, which of the other software vendors have been targeted enough to motivate themselves to invest heavily in hardening their software? Answer: be afraid, be very afraid! This is especially so if endpoints in your organization possess sensitive data or documents that could generate bad press, lawsuits, and regulatory attention.</p>
<p>Considering the above risks and others, do you know what software is running on your organization’s endpoints? Do you know what software the endpoints run when they are off the enterprise? Please do not rely on firewall, router, and other logs to discover unauthorized client software. These applications are increasingly using common network ports, encryption, and even obfuscation to avoid detection and to ensure privacy.</p>
<p>The bottom line for organizations is that their IT personnel need application control capabilities whether their end-users have endpoint administrative privileges or not. If trade-offs have been accepted allowing end-users to have administrative privileges, then IT application controls must be capable of superseding those privileges. And worth repeating, IT personnel require monitors and controls that provide them operational awareness for endpoints both on and off the enterprise.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/can-end-users-install-software-without-administrative-privileges-yes-they-can/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Are You Getting the Most from Security Software Already Deployed on Endpoints?</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/are-you-getting-the-most-from-security-software-already-deployed-on-endpoints</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/are-you-getting-the-most-from-security-software-already-deployed-on-endpoints#comments</comments>
		<pubDate>Wed, 16 Jul 2008 22:47:36 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[Auto-remediation]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Network Admission Control]]></category>
		<category><![CDATA[policy enforcement]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=7</guid>
		<description><![CDATA[Many perceive anti-virus software as providing ‘fire and forget’ endpoint protection. It does not!
Many factors can interfere with the proper operation of these and other security tools such as anti-spyware, personal firewalls, and disk encryption.

Consequently, IT personnel must have a means to monitor the state and activity of these tools to determine:
• Is it running?
• [...]]]></description>
			<content:encoded><![CDATA[<p>Many perceive anti-virus software as providing ‘fire and forget’ endpoint protection. It does not!</p>
<p>Many factors can interfere with the proper operation of these and other security tools such as anti-spyware, personal firewalls, and disk encryption.</p>
<p><span id="more-7"></span></p>
<p>Consequently, IT personnel must have a means to monitor the state and activity of these tools to determine:<br />
• Is it running?<br />
• Are protective services enabled?<br />
• Is the software up-to-date?</p>
<p>For signature (a.k.a., fingerprints) based tools such as anti-virus and anti-spyware:<br />
• Are signatures up-to-date?<br />
• Is it conducting a ‘full scan’ frequently enough?</p>
<p>End-users, software patches, other software installations, and sometimes malware can stop these tools from running or disable them. Default settings do not always automatically download and install software updates. As a rule of thumb, a survey of an endpoint population will typically reveal that 5% to 20% of them do not have their client security software running and enabled.</p>
<p>Even more common, however, signatures for anti-virus and anti-spyware agents are often out-of-date by days or weeks. These days, hackers can create dozens of variants of previously known malware that require new signatures to be stopped by anti-virus and anti-spyware agents. These variants can be generated in minutes by hackers with ordinary skill levels. So, signatures should never be more than 48 hours old. Frankly, they should be less than 12 hours old.</p>
<p>With regard to the frequency of signature updates, consumer anti-virus and anti-spyware may actually be superior to enterprise equivalents. This is because the enterprise typically purchases a server from the vendor that relays all signature updates from the vendor to the clients. Default settings for client agent signature updates may rely exclusively on these servers for updates. Why should the anti-virus and anti-spyware servers be in the loop at all for signature updates? If an agent must go through them, does that mean it must logically connect to the corporate LAN to get signature updates? Does that mean off-enterprise endpoints could go days or weeks without signature updates? Yes it does! Fortunately, most of these products allow agents to get their signature and product updates directly from the vendor. Make certain your anti-virus and anti-spyware products are configured in this manner.</p>
<p>Perhaps the most overlooked information security requirement in the enterprise concerns how often anti-virus and anti-spyware agents perform a ‘full scan’ of their respective host. A typical enterprise will find that the frequency of ‘full scans’ is measured in weeks, not days.</p>
<p>Wait a minute, if both anti-virus and anti-spyware capabilities are enabled, why should one care about ‘full scans’? The answer is simple. If you were to prompt your anti-virus agent to check for signature updates right now and it downloaded some new signatures, then you would know that none of the files on your endpoint have ever been scanned against those new signatures. So, opening any document or media file on the endpoint could potentially trigger the most awful malware infestation ever imagined. Malware payloads might lie dormant for days or weeks before their required trigger, such as opening an email attachment. Even if the payload has already been triggered and the endpoint is already infested, if a ‘full scan’ finds the original malware payload because the hacker foolishly neglected to delete it, you would at least know that the endpoint may be untrustworthy.</p>
<p>Why should anyone care about the above? The answer is disturbing. Today’s sophisticated malware is all the more likely to be undetectable by whatever tools are available and familiar to typical desktop administrators. Such software can steal intellectual property, sensitive customer data, internal financial information, and end-user credentials to mission critical servers, attack those servers, and spread malware to other endpoints. All this can generate bad press, regulatory investigations, loss of customer/partner confidence, increased IT operations costs, and slowed business processes. Clearly, with malware increasingly undetectable and lethal to an organization, prevention is critical. So, are you getting the most out of your anti-virus deployment?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/are-you-getting-the-most-from-security-software-already-deployed-on-endpoints/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

