<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SecurityNowBlog&#187; SecurityNowBlog-Network Security</title>
	<atom:link href="http://www.blueridgenetworks.com/securitynowblog/tag/network-admission-control/feed" rel="self" type="application/rss+xml" />
	<link>http://www.blueridgenetworks.com/securitynowblog</link>
	<description>Secure Communications</description>
	<lastBuildDate>Thu, 19 Aug 2010 20:02:09 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Business Partner Data Leak Prevention</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/business-partner-data-leak-prevention</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/business-partner-data-leak-prevention#comments</comments>
		<pubDate>Thu, 21 Aug 2008 18:48:39 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[anti-spyware]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[browser security]]></category>
		<category><![CDATA[data leak prevention]]></category>
		<category><![CDATA[disk encryption]]></category>
		<category><![CDATA[endpoint]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[NAC]]></category>
		<category><![CDATA[nap]]></category>
		<category><![CDATA[network access control]]></category>
		<category><![CDATA[network access protection]]></category>
		<category><![CDATA[Network Admission Control]]></category>
		<category><![CDATA[p2p]]></category>
		<category><![CDATA[policy enforcement]]></category>
		<category><![CDATA[usb thumbdrive]]></category>
		<category><![CDATA[web browser]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=15</guid>
		<description><![CDATA[If your business partners are accessing your sensitive data on your mission critical servers, you may find yourself living in excessively interesting times.
A signed agreement among business partners helps, but guarantees nothing. Incidentally, it can also discourage disclosure. Persuading them to implement better information security practices (i.e., spend more) can be fruitless.
Despite the difficulties, we [...]]]></description>
			<content:encoded><![CDATA[<p>If your business partners are accessing your sensitive data on your mission critical servers, you may find yourself living in excessively interesting times.<span id="more-15"></span></p>
<p>A signed agreement among business partners helps, but guarantees nothing. Incidentally, it can also discourage disclosure. Persuading them to implement better information security practices (i.e., spend more) can be fruitless.</p>
<p>Despite the difficulties, we often need a signed agreement to help avoid the following risks posed by business partner endpoints:</p>
<ul>
<li>Infect our mission critical servers (Risk 1)</li>
<li>Leak data via malware (Risk 2)</li>
<li>Leak data via removable media (Risk 3)</li>
<li>Leak data via high-risk endpoint hard drives (Risk 4)</li>
</ul>
<p><strong>Limit server access to partner endpoints of acceptable risk.</strong><br />
Limit access by machine, not just by person. Limiting access on both identity and machine health requires network access control (NAC) technology, such as Microsoft Network Access Protection (NAP).</p>
<ul>
<li>Limit access to machines that process as little data, documents, or media from the outside world as practical (Risk 2). This also means denying access to endpoints running p2p file-sharing and similar software.</li>
<li>Ensure that anti-virus and anti-spyware software are running and up-to-date, and that they conduct full scans frequently (Risk 2).</li>
<li>Try to require additional anti-malware tools, because signature-based products are becoming less effective every week (Risk 2).</li>
<li>Deny access to endpoints with promiscuous removable media settings, that is, unrestricted write access to USB storage (Risk 3).</li>
</ul>
<p><strong>Data stored on partner endpoints must be encrypted.<br />
</strong>Fixed and mobile PCs can be physically compromised. Limit server access to endpoints with full disk encryption (Risk 4). Also limit access to machines that require two-factor authentication to log on to the endpoint (Risk 4). If your partner’s disk encryption solution can ensure that write operations to removable media are encrypted, then you might ease up on the removable media settings requirements (Risk 3).</p>
<p><strong>Consider limiting partner server access to thin client machines.</strong><br />
One can be very confident that no malware is operating within a freshly <strong>rebooted</strong> thin client machine, provided it boots from a read-only image so that nothing persists across the reboot (Risk 1). This can also be the most effective, albeit Draconian, mitigation for data leaks (Risks 2, 3, and 4). You could also have partners access mirrors of your mission critical servers instead of the servers themselves (Risk 1).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/business-partner-data-leak-prevention/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Leak Prevention and Network Access Protection (NAP)</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/data-leak-prevention-and-network-access-protection-nap</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/data-leak-prevention-and-network-access-protection-nap#comments</comments>
		<pubDate>Mon, 11 Aug 2008 12:18:14 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[802.1x]]></category>
		<category><![CDATA[data leak prevention]]></category>
		<category><![CDATA[dlp]]></category>
		<category><![CDATA[insider theft]]></category>
		<category><![CDATA[NAC]]></category>
		<category><![CDATA[nap]]></category>
		<category><![CDATA[network access protection]]></category>
		<category><![CDATA[Network Admission Control]]></category>
		<category><![CDATA[removable media]]></category>
		<category><![CDATA[thumb drive]]></category>
		<category><![CDATA[USB]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=13</guid>
		<description><![CDATA[Bank of America, which recently acquired Countrywide Home Financial, is dealing with a very significant security breach that occurred on Countrywide’s watch.  One of its employees, Rene Rebollo was recently arrested and charged for systematically copying around 2 million records onto a thumb drive.  How is it that he managed to do this [...]]]></description>
			<content:encoded><![CDATA[<p>Bank of America, which recently acquired Countrywide Home Financial, is dealing with a very significant security breach that occurred on Countrywide’s watch.  One of its employees, Rene Rebollo was recently arrested and charged for systematically copying around 2 million records onto a thumb drive.  How is it that he managed to do this when all Countrywide PCs “had <a href="http://www.theregister.co.uk/2008/08/04/countrywide_data_heist/">technology in place to disable flash drives</a> on employee computers”?  He used a different computer! <span id="more-13"></span> </p>
<p>Rene would have had to work a lot harder at his USB thumb drive based theft if Countrywide had deployed some technology to keep unknown machines off its LAN.  The most basic approach limits admission to machines that are part of their Windows domains.  </p>
<p>Today’s enterprise, however, requires access to networked resources for contractors and others with their own PCs.  The Countrywide administrators could have created non-domain credentials for these guest workers.  The individual server applications would refer to any one or more of a variety of tools in the typical enterprise to handle these authentications between the individual server applications and the endpoints/end-users.  </p>
<p>This provides nice but not great compartmentalization.  It does not prevent machines from sending malicious data to the application servers or other client machines.  It also does not prevent eavesdropping.  </p>
<p>Administrators could implement a more robust form of compartmentalization involving 802.1x via their Ethernet switches.  This enables the Ethernet switches to regulate what part of the network a particular PC may utilize based on the identity of the end-user or machine. </p>
<p>Unfortunately, 802.1x can only limit network admission based on who the machine or end-user is, not what is the apparent risk of that machine being on the network.  If a machine has absolutely no preventative measures in place to mitigate important security risks, then it should not be admitted.  </p>
<p>So, Countrywide had employed technology on all employee PCs to disable USB storage devices.  Clearly they were concerned with data leaks.  So, this implies that they would not want machines with enabled USB storage capabilities onto their LAN.  </p>
<p>Network admission control (NAC) is an excellent technology for satisfying such a risk mitigation policy.  I recommend Microsoft NAP because it scales better than alternatives, requires less infrastructure upgrades (if any) than alternatives, and it’s extremely extensible.  </p>
<p>To those charged with reducing the risks of data leaks, you require two hammers.  One resides on each PC to disable or regulate write-operations to USB thumb drives.  The second hammer, NAP, prevents endpoints without the first hammer from accessing networked resources.  </p>
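<p>To make the layering concrete, here is a small added example (not Microsoft NAP code, and not anything Countrywide ran) that contrasts an identity-only 802.1X decision with an identity-plus-health decision for the same three constructed endpoints. The health checks are the ones the earlier post on business partner data leak prevention asks for (USB storage blocked, full disk encryption, anti-virus running and current), so the example serves that checklist as well. VLAN numbers, field names and the endpoint reports are hypothetical.</p>

```python
"""Toy port-admission decision: identity only (plain 802.1X) versus identity
plus health (NAP-style). Added illustration, not Microsoft NAP code and not
anything Countrywide ran; VLAN numbers and endpoint reports are made up."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CORP_VLAN = 10          # hypothetical: full access to application servers
GUEST_VLAN = 20         # hypothetical: contractor access, limited resources
REMEDIATION_VLAN = 99   # hypothetical: reach update servers only


@dataclass(frozen=True)
class EndpointReport:
    """What the switch/RADIUS side learns about a connecting PC (hypothetical fields)."""
    name: str
    user_cred_valid: bool       # EAP user authentication succeeded
    domain_machine: bool        # machine account / machine certificate presented
    usb_storage_blocked: bool   # the "first hammer": USB storage disabled or write-denied
    disk_encrypted: bool        # full disk encryption reported by the agent
    av_running: bool
    av_signatures_fresh: bool


def admit_8021x(ep: EndpointReport) -> Optional[int]:
    """Identity-only decision, as plain 802.1X makes it: who it is, not how risky."""
    if ep.domain_machine:
        return CORP_VLAN
    if ep.user_cred_valid:
        return GUEST_VLAN
    return None   # port stays unauthorized


def health_failures(ep: EndpointReport) -> List[str]:
    """Posture checks that the identity layer cannot express."""
    failed = []
    if not ep.usb_storage_blocked:
        failed.append("usb_storage_enabled")
    if not ep.disk_encrypted:
        failed.append("disk_not_encrypted")
    if not ep.av_running:
        failed.append("av_not_running")
    if not ep.av_signatures_fresh:
        failed.append("av_signatures_stale")
    return failed


def admit_nap(ep: EndpointReport) -> Tuple[Optional[int], List[str]]:
    """Identity + health: same identity rules, but any failed health check
    sends the endpoint to the remediation VLAN instead of its normal one."""
    vlan = admit_8021x(ep)
    if vlan is None:
        return None, ["identity_failed"]
    failed = health_failures(ep)
    return (REMEDIATION_VLAN if failed else vlan), failed


# Constructed sample population.
MANAGED_DESKTOP = EndpointReport("corp-desktop-01", True, True, True, True, True, True)
# An employee's personal laptop with valid user credentials but none of the
# controls: the "different computer" scenario.
PERSONAL_LAPTOP = EndpointReport("home-laptop", True, False, False, False, True, False)
UNKNOWN_BOX = EndpointReport("rogue-box", False, False, False, False, False, False)


def compare(ep: EndpointReport) -> dict:
    """Side-by-side result of both decisions for one endpoint."""
    nap_vlan, failed = admit_nap(ep)
    return {"name": ep.name, "dot1x_vlan": admit_8021x(ep),
            "nap_vlan": nap_vlan, "failed": failed}


if __name__ == "__main__":
    for ep in (MANAGED_DESKTOP, PERSONAL_LAPTOP, UNKNOWN_BOX):
        print(compare(ep))
```

<p>The personal laptop is the interesting row: with valid user credentials, plain 802.1X puts it on the guest VLAN, while the health-aware decision parks it in remediation because USB storage is writable and the disk is not encrypted. In a real NAP deployment with 802.1X enforcement the health evaluation happens on the Network Policy Server and the resulting VLAN is pushed to the switch through RADIUS attributes; the example collapses both into one function so the difference between the two decisions is visible.</p>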
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/data-leak-prevention-and-network-access-protection-nap/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are You Getting the Most from Security Software Already Deployed on Endpoints?</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/are-you-getting-the-most-from-security-software-already-deployed-on-endpoints</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/are-you-getting-the-most-from-security-software-already-deployed-on-endpoints#comments</comments>
		<pubDate>Wed, 16 Jul 2008 22:47:36 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[Auto-remediation]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Network Admission Control]]></category>
		<category><![CDATA[policy enforcement]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=7</guid>
		<description><![CDATA[Many perceive anti-virus software as providing ‘fire and forget’ endpoint protection. It does not!
Many factors can interfere with the proper operation of these and other security tools such as anti-spyware, personal firewalls, and disk encryption.

Consequently, IT personnel must have a means to monitor the state and activity of these tools to determine:
• Is it running?
• [...]]]></description>
			<content:encoded><![CDATA[<p>Many perceive anti-virus software as providing ‘fire and forget’ endpoint protection. It does not!</p>
<p>Many factors can interfere with the proper operation of these and other security tools such as anti-spyware, personal firewalls, and disk encryption.</p>
<p><span id="more-7"></span></p>
<p>Consequently, IT personnel must have a means to monitor the state and activity of these tools to determine:<br />
• Is it running?<br />
• Are protective services enabled?<br />
• Is the software up-to-date?</p>
<p>For signature-based (a.k.a. fingerprint-based) tools such as anti-virus and anti-spyware:<br />
• Are signatures up-to-date?<br />
• Is it conducting a ‘full scan’ frequently enough?</p>
<p>End-users, software patches, other software installations, and sometimes malware can stop these tools from running or disable them. Default settings do not always download and install software updates automatically. As a rule of thumb, a survey of an endpoint population will typically reveal that 5% to 20% of endpoints do not have their client security software running and enabled.</p>
<p>Even more commonly, signatures for anti-virus and anti-spyware agents are out-of-date by days or weeks. These days, attackers of ordinary skill can generate dozens of variants of previously known malware in minutes, and each variant requires a new signature before anti-virus and anti-spyware agents can stop it. So, signatures should never be more than 48 hours old; frankly, they should be less than 12 hours old.</p>
<p>With regard to the frequency of signature updates, consumer anti-virus and anti-spyware may actually be superior to their enterprise equivalents. The enterprise typically purchases a management server from the vendor that relays all signature updates from the vendor to the clients, and default client settings may rely exclusively on that server for updates. Why should the anti-virus and anti-spyware servers be in the loop at all for signature updates? If an agent must go through them, must it connect to the corporate LAN to get signature updates? Could off-enterprise endpoints therefore go days or weeks without signature updates? Yes, they could! Fortunately, most of these products allow agents to get their signature and product updates directly from the vendor as well. Make certain your anti-virus and anti-spyware products are configured this way.</p>
<p>Perhaps the most overlooked information security requirement in the enterprise concerns how often anti-virus and anti-spyware agents perform a ‘full scan’ of their host. A typical enterprise will find that the interval between ‘full scans’ is measured in weeks, not days.</p>
<p>Wait a minute: if both anti-virus and anti-spyware real-time protection are enabled, why should one care about ‘full scans’? The answer is simple. Real-time (on-access) protection examines a file only when something opens it, using whatever signatures are installed at that moment. If you were to prompt your anti-virus agent to check for signature updates right now and it downloaded new signatures, none of the files already sitting on your endpoint would have been scanned against them. Opening any one of those documents or media files could then trigger the most awful malware infestation ever imagined. Malware payloads might lie dormant for days or weeks before their trigger arrives, such as someone opening an email attachment. Even if the payload has already fired and the endpoint is already infested, a ‘full scan’ that finds the original payload (because the attacker neglected to delete it) at least tells you that the endpoint may be untrustworthy.</p>
<p>Why should anyone care about the above? The answer is disturbing. Today’s sophisticated malware is increasingly likely to be undetectable by whatever tools are available and familiar to typical desktop administrators. Such software can steal intellectual property, sensitive customer data, internal financial information, and end-user credentials to mission critical servers; attack those servers; and spread malware to other endpoints. All of this can generate bad press, regulatory investigations, loss of customer and partner confidence, increased IT operations costs, and slower business processes. With malware increasingly undetectable and lethal to an organization, prevention is critical. So, are you getting the most out of your anti-virus deployment?</p>
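<p>The checks above can be encoded as a posture evaluation. The following is an added example, not any anti-virus vendor’s code: it applies the 48-hour hard limit and 12-hour preferred limit on signature age that this post argues for, flags a full scan as due whenever the installed signatures are newer than the last full scan (the files on disk have never been checked against them), and warns when the agent can only update through the enterprise relay. The 7-day full-scan limit, the report fields and the four sample agent reports are this example’s own assumptions.</p>

```python
"""Anti-malware posture evaluation, written as an added example rather than
any vendor's code. Signature-age thresholds follow the post (never older than
48 h, ideally under 12 h). The 7-day full-scan limit, the report fields and
the sample reports are this example's own assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

SIG_HARD_LIMIT = timedelta(hours=48)   # from the post: never older than this
SIG_SOFT_LIMIT = timedelta(hours=12)   # from the post: should be under this
FULL_SCAN_LIMIT = timedelta(days=7)    # assumption: "days, not weeks"


@dataclass(frozen=True)
class AgentReport:
    host: str
    service_running: bool
    realtime_enabled: bool
    signature_time: datetime   # publication time of the installed signature set
    last_full_scan: datetime   # when the last full scan finished
    update_source: str         # "vendor_direct" or "relay_only"


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600.0


def full_scan_stale(r: AgentReport) -> bool:
    """True when the installed signatures are newer than the last full scan:
    files already on disk have never been checked against them, and the
    on-access scanner only looks at a file when something opens it."""
    return r.signature_time > r.last_full_scan


def evaluate(r: AgentReport, now: datetime) -> Dict[str, object]:
    """Return hard failures (deny or remediate) and soft warnings for one host."""
    failures: List[str] = []
    warnings: List[str] = []

    if not r.service_running:
        failures.append("agent service not running")
    if not r.realtime_enabled:
        failures.append("real-time protection disabled")

    sig_age = now - r.signature_time
    if sig_age > SIG_HARD_LIMIT:
        failures.append(f"signatures {hours(sig_age):.0f} h old, limit 48 h")
    elif sig_age > SIG_SOFT_LIMIT:
        warnings.append(f"signatures {hours(sig_age):.0f} h old, target under 12 h")

    scan_age = now - r.last_full_scan
    if scan_age > FULL_SCAN_LIMIT:
        failures.append(f"last full scan {scan_age.days} days ago, limit {FULL_SCAN_LIMIT.days}")
    elif full_scan_stale(r):
        warnings.append("signatures newer than last full scan; full scan due")

    if r.update_source != "vendor_direct":
        warnings.append("updates only via enterprise relay; off-LAN hosts will fall behind")

    severity = "noncompliant" if failures else ("warn" if warnings else "ok")
    return {"host": r.host, "severity": severity,
            "failures": failures, "warnings": warnings}


# Constructed sample population; NOW is fixed so results are reproducible.
NOW = datetime(2008, 7, 16, 22, 0, 0)
HEALTHY = AgentReport("ws-healthy", True, True, NOW - timedelta(hours=6),
                      NOW - timedelta(hours=1), "vendor_direct")
ROAMING = AgentReport("laptop-roaming", True, True, NOW - timedelta(hours=20),
                      NOW - timedelta(days=3), "relay_only")
NEGLECTED = AgentReport("ws-neglected", True, True, NOW - timedelta(days=5),
                        NOW - timedelta(days=10), "relay_only")
DISABLED = AgentReport("ws-disabled", False, False, NOW - timedelta(hours=2),
                       NOW - timedelta(days=1), "vendor_direct")


if __name__ == "__main__":
    for report in (HEALTHY, ROAMING, NEGLECTED, DISABLED):
        print(evaluate(report, NOW))
```

<p>Only the host whose last full scan finished after its signatures were installed comes out clean; the roaming laptop passes every hard limit yet collects three warnings, which is the gap the post describes between “agent is running” and “agent is actually protecting the machine”.</p>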
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/are-you-getting-the-most-from-security-software-already-deployed-on-endpoints/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
