Endpoint Protection

Tag: endpoint security

Economic cuts threaten information security

by Rupert Beeby on Jul.30, 2010, under Endpoint Software Packages, Industry News, data security, security policies

First it was the cuts in private sector firms and now it is the public sector. The easiest and quickest cuts that make a difference to the bottom line are to remove people, who are usually the largest cost item. Sadly, redundancy is now a major occurrence in working life. I know of many capable, intelligent and hard-working people who have been made redundant two or three times in their lives, sometimes more. It is increasingly a tool organisations use to get rid of people quickly. In general, redundancy is never executed against the legal guidelines, which results in court cases and compromise agreements.

So what has all this to do with information security? The removal of staff from an organisation is currently the biggest threat to an organisation's information. Redundancy, or whatever method is used, can result in animosity, resentment and malicious intent on the part of the former employee. Of course most organisations are understanding and sensitive to employees, and most follow the rules. However, sales of DLP software have been rising, and the most cited reason for purchase is protection of contact databases, intellectual property and sales information from disgruntled employees.

The threat is real and active, and who knows how much critical information has been taken by upset and vengeful employees without anyone knowing. Please add any comments to this post on your experiences of cost cutting and data loss.

MOD investigates laptop loss

by Rupert Beeby on Dec.29, 2009, under Government, data security, data security trends, security policies

On the 12th December, it was widely reported that another laptop was taken from MOD Headquarters in central London. This would not normally cause worry, as all laptops are encrypted. However, the encryption key was also taken, so exposing the information to the thief. It is not known if there is any exposure whilst investigations proceed. However, news items referred to the laptop as a ‘secret data laptop’, which gives an indication. It was only in July this year (as reported in this blog) that 658 laptops were reported to have been stolen from the MOD in the last four years.

Below is one report on the story, but the BBC have also reported it:

http://www.pressassociation.com/component/pafeeds/2009/12/12/secret_data_laptop_stolen_from_mod_headquarters?camefrom=regional

St Albans Mourns Laptop Loss

by Rupert Beeby on Nov.27, 2009, under Government, Industry News, data security, security policies

St Albans City and District Council is the latest organisation to lose laptops: four of them, holding personal data on over 14,000 voters. Files contained names, addresses, dates of birth, signatures, postal vote forms and statements, which is all the information required to obtain a bank account.

Councillors were recently debating the loss and how the laptops could have been stolen from the actual offices. Even though the data was protected, the portable devices were not physically secured. This goes against council policy of portable devices being physically as well as logically protected.

It also begs the question as to why personal data was held on portable devices at all. Such data should only be accessed on central resources, with users prevented from copying it to local devices. We shall see what lessons will be learned and then forgotten until the next time.

The council needs to develop an information classification with associated policies on protection. A simple Data Loss Prevention product would have prevented the personal data from being copied in the first place or, had it been copied, would have ensured the data was encrypted. It is noted that one of the laptops was left for months on an unused desk with no one knowing that it held all this data. This is why an information audit and classification is required to start to get some control.

This story has been widely reported, so use these links for more detail (such as there is)!

http://www.stalbansreview.co.uk/news/4760711.St_Albans_councillors_debate_laptop_theft/

http://news.bbc.co.uk/1/hi/england/beds/bucks/herts/8363514.stm

http://www.stalbansreview.co.uk/news/4743799.St_Albans_council_worker_claims___Laptop_was_ignored_for_months_/

Protect Data or Get Fined

by Rupert Beeby on Nov.17, 2009, under Government, Industry News, data security, data security trends

The Information Commissioner's Office (ICO), the privacy watchdog, has published figures on data breaches that make disturbing reading. What's more, the ICO is getting so concerned that it will be introducing fines on companies and public bodies that recklessly or deliberately break the rules. Fines of up to half a million may be imposed for losses of information. In total, 434 organisations reported data security breaches in the past 12 months, up from 277 the year before. This is what Deputy Information Commissioner David Smith said: “The majority of organisations get data protection right, but regrettably a significant minority of management teams are failing to take data protection seriously enough. Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media.”

Well, what a surprise! But what is really interesting and scary is that there are fines coming! I thought that if you breached the Data Protection Act then you would be fined or sued anyway. However, what is clear is that this affects all businesses, large or small, SMB or large multinational. So Data Loss Prevention is for all organisations that store personal data, but it is not sufficient to just use device control: the ICO is saying any data loss from any channel! So does that mean that first generation products, which really only do encryption and device control, will be replaced by second generation products that cover devices, IM and all the goodies? I think this is a call to action for vendors to smarten up their act and work with others to gain functionality rather than buy and try to integrate. You can read some more here: http://news.bbc.co.uk/1/hi/uk_politics/8354655.stm

Conficker needs application control

by Rupert Beeby on Oct.13, 2009, under Endpoint Software Packages, Industry News, data security, data security trends

Latest reports on Conficker infections include not only Ealing Council (see previous post) but also Oxford Brookes University, Manchester City Council and Whipps Cross University Hospital NHS Trust. Prior to this, the Houses of Parliament and the Ministry of Defence were infected.

So AV has been proved powerless against this worm, and even the DLP vendors do not have any defence, as they tend to focus on information passing out of the organisation. Application control should be a part of a DLP solution, to stop worms from running and spreading to the rest of the organisation. In most cases it is not, as AV and most DLP are focused internally rather than at the endpoint, which is the highest risk. Maybe Windows 7 will save us, but how many will implement its application control features together with AV and DLP? Not many, I fear. Take a look at our sponsor's product, which, if implemented, will protect against zero-day attacks and Conficker worms as well as providing the normal DLP features.

ESET Named To Magic Quadrant For Endpoint Protection Platforms

by Sion Camilleri on May.13, 2009, under Endpoint Software Packages

7th Space reports that ESET, the leader in proactive threat protection, has been included in leading analyst firm Gartner’s “Magic Quadrant for Endpoint Protection Platforms,” published May 4, 2009.

Comprehensive Protection | ESET | Symantec | McAfee | Trend | Kaspersky
--- | --- | --- | --- | --- | ---
VB100 Awards for Detection of All In-the-Wild Viruses in the VB Test Sets Without Any False Alarms (virusbulletin.com, May 1998 - April 2009) | 55 | 49 | 38 | 16 | 45
Advanced+ Awards, Tests of Proactive and On-Demand Detection (AV-Comparatives.org, May 2005 - November 2008), Advanced+/Advanced/Standard | 13/2/0 | 6/4/5 | 2/10/3 | 0/0/3 | 9/3/3
Missed In-the-Wild Viruses in Virus Bulletin Tests between May 1998 and April 2009 (virusbulletin.com), On-Access | 0 | 29 | 64 | 70 | 34
Missed In-the-Wild Viruses in Virus Bulletin Tests between May 1998 and April 2009 (virusbulletin.com), On-Demand | 0 | 2 | 71 | 68 | 16
Proactive Detection | | | | |
Proactive Protection by AV-Comparatives (May 2008) | 57% | 14%* | 32% | No Data | 21%
Proactive Test by AV-Test.org on 1-Month Old Signatures (January 2008) | 68% | 26%* | 30% | 27% | 24%
Performance Advantages | | | | |
Boot Time Overhead Percentage by AV-Comparatives (November 2008) | 12% | 26% | 70% | No Data | 108%
File Access Lag Time (virusbulletin.com; August 2008) | 0.02 MB/s | 0.04 MB/s | 0.08 MB/s | No Data | 0.04 MB/s
Commit Charge (Clean Systems, West Coast Labs; September 2008) | 100.63 MB | 186.3 MB | 157.93 MB | No Data | 156.12 MB
Application Startup Time (Internet Explorer, West Coast Labs; September 2008) | 1.94 seconds | 3.1 seconds | 3.74 seconds | No Data | 2.17 seconds
Boot Times (West Coast Labs; September 2008) | 157 seconds | 229 seconds | 187 seconds | No Data | 168 seconds

* Norton AV

ESET is the only company with over 50 VB100 awards and continues to lead the industry with the highest detection rates and zero false positives - the winning formula in malware protection.

US Military Data Found on MP3 Player

by admin on Jan.28, 2009, under data security

The BBC reports that a man from New Zealand found that his MP3 player which he bought from a shop in Oklahoma contained sensitive information about military personnel. The data contained names and telephone numbers of soldiers including details of pregnant personnel and even some mission information.

The data is thought to date back to 2005 and isn't thought to compromise national security. There were also similar breaches in Afghanistan in 2006, where shops outside the main US base had stolen flash drives containing sensitive data.

In the current climate of data mobility, some level of encryption and security policy is becoming vital to protecting sensitive data.

Windows Worm Highlights Endpoint Vulnerability

by admin on Jan.20, 2009, under data security, viruses and worms

A worm known as Kido, Conficker or Downadup has quickly replicated across vulnerable Windows computers in a recent outbreak, utilising clever tricks to propagate more successfully.

The worm is thought to have moved from 3 million to 10 million infected computers in a short time and is continuing to rise exponentially. The worm is thought to have left a botnet for its creators to utilise, though there appears not to have been any attempt to use it yet.

The Register speculates that the MOD may also have become a victim of the worm, with noticeable disruption, two weeks and counting, to admin-based workstations.

The worm is able to spread via USB sticks and also attempts login and password brute-force attacks for access to networks, files and folders, etc. Microsoft has provided updates and a malicious software removal tool to counter its spread.

As attempts to prevent worms from spreading become more advanced, so we see their creators use more advanced techniques to circumvent these strategies. Most notably, this worm uses vulnerable endpoints as a major tool in its success, shining more light on the need for networks and their users to protect themselves against malicious mobile data.

Windows XML Exploit Tests Endpoint Packages

by admin on Dec.29, 2008, under Endpoint Software Packages, data security

SearchSecurity.com reports on recent Windows vulnerabilities causing certain endpoint software packages to struggle with the handling of a new exploit. A zero-day exploit affecting Microsoft Windows via an XML flaw produced mixed results amongst endpoint software packages, as some failed to contain the attack.

“Only Kaspersky Lab’s Total Space Security 6.0 stopped the exploits cold by blocking URL access. Sophos Endpoint Security and control detected the URL, but only issued a warning without blocking it. However, it did detect and block the exploit.

Symantec’s Endpoint Protection 11.0.2 failed to detect the URL or the exploit, but detected and quarantined the malware payload. Trend Micro’s Officescan 8.0 SP1 R3 performed similarly, but failed to quarantine one of the malware’s two components, apparently because the attack thwarted its ability to gain the necessary permissions.

Both McAfee’s Total Protection for Endpoint and AVG’s Internet Security Network Edition 8.0 failed to detect and stop the attack at any of the three stages.”

What Should an Endpoint Solution Include?

by admin on Dec.18, 2008, under data security, security policies

The market for endpoint protection has been rapidly evolving over the years, and out of traditional virus protection have come two new areas, namely Data Loss Prevention (DLP) and Content Monitoring and Filtering (CMF). Both these areas have been adopted by Gartner to support their 2008 Magic Quadrant. It is clear that anti-virus and its associated companions of spam protection, phishing prevention, etc. are not enough to protect an endpoint. Large vendors try to spice up their ‘endpoint’ offerings with PC tune-ups, backups and so on in order to maintain their price points, or as a way to expand the footprint of their software into the customer. A practice suitably described as ‘bloating out’ the customer.

It seems that the fragmentation of offerings into nebulous components is required in order for software vendors to maximise their revenue opportunity and to expand their footprint within the customer to ward off competition. But how many of the multitude of products actually do what the customer needs, which is a combination of many things in order to protect, manage, control, monitor and capture the vital information resident on or passing through the endpoint? I would argue that none of the current vendors, who have based their current offerings on outdated network security models, provide what the customer really needs.

In reality, protecting data from entering or leaving an organisation begins and ends with the endpoint. It is here that thorough protection is required and where the battle is won or lost. Even if that endpoint is a laptop or a virtual desktop, the same logic applies. However, just protecting at that point won’t sell network scanning, database security and all the add-ons so frequently mentioned. In addition, if the protection is managed at the endpoint then the need for heavy backend infrastructure is nullified.

Here is a list of functionality that true, customer-oriented endpoint protection and control should have as standard. Included should be the monitoring, control and prevention of any method of moving data off the corporate network via an endpoint, such as USB sticks, CD/DVD writing, HTTP uploads, IM, email, etc. There should be targeted and configurable encryption. There should be sophisticated search facilities to look for any text or credit card numbers, including where they are embedded in files nested to multiple and compressed levels. It should have inventory collection, audit capability and collection. It should have executable protection against malicious code. It needs to have ICA filters and prevention of copying forbidden files onto the endpoint. I think you get the picture: endpoint protection is all of these in one package, not broken out separately. A customer does not know which of these he may or may not need, but all of the above attributes are required for a complete endpoint protection capability.
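The search facility described above, finding credit card numbers even when the file carrying them sits inside a compressed archive within another archive, is the kind of content inspection a DLP agent has to do before it lets a copy or upload proceed. The following is an added example written for this post, not code from the blog or from any vendor it mentions. It walks nested zip archives held in memory, extracts candidate card numbers, discards those that fail the Luhn mod-10 check (which removes most ticket and phone numbers that merely look like card numbers), masks what it reports, and fails closed when an archive is nested too deeply or a member is too large to inspect. The sample text and the nested archive are constructed for the demonstration; the depth and size caps are assumed policy values, not figures from the post.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Candidate card number: 13 to 19 digits, optionally separated by single
# spaces or dashes, and not glued to other digits on either side.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed policy limits (not values from the post): how deep to unpack nested
# archives and how large a single archive member may be before it is skipped.
MAX_DEPTH = 5
MAX_MEMBER_BYTES = 10 * 1024 * 1024


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled (minus 9 if over 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, with separators removed."""
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so the report never re-exposes the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    path: str                                          # nested path, e.g. "export.zip/inner.zip/cards.txt"
    count: int = 0                                     # Luhn-valid card numbers found at this path
    samples: list[str] = field(default_factory=list)   # masked numbers for the audit record
    note: str = ""                                     # set when the content could not be inspected


def scan_bytes(path: str, data: bytes, depth: int = 0, max_depth: int = MAX_DEPTH) -> list[Finding]:
    """Scan a blob: descend into zip archives up to max_depth, otherwise search it as text."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:
            return [Finding(path, note="nesting limit reached; archive not scanned")]
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_path = f"{path}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(Finding(member_path, note="member exceeds size cap; not scanned"))
                    continue
                findings.extend(scan_bytes(member_path, zf.read(info), depth + 1, max_depth))
        return findings
    # Not an archive: treat as text. Undecodable bytes are dropped rather than aborting the scan.
    pans = find_card_numbers(data.decode("utf-8", errors="ignore"))
    if not pans:
        return []
    return [Finding(path, len(pans), [mask_pan(p) for p in pans])]


def should_block(findings: list[Finding]) -> bool:
    """Fail closed: block the transfer if card data was found or any part could not be inspected."""
    return any(f.count > 0 or f.note for f in findings)


# Constructed sample data for the demonstration (industry test numbers, not real cardholders).
SAMPLE_TEXT = """Customer export (constructed sample data)
Jane Doe, card 4111 1111 1111 1111, expires 12/27
John Roe, card 5500-0000-0000-0004
Ticket ref 1234567890123456 (fails the Luhn check, so not a card)
Mistyped 4111111111111112 (also fails Luhn)
"""


def build_sample_archive() -> bytes:
    """Build export.zip -> inner.zip -> cards.txt in memory to exercise nested scanning."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("cards.txt", SAMPLE_TEXT)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Quarterly figures; no personal data.")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    results = scan_bytes("export.zip", build_sample_archive())
    for finding in results:
        print(finding.path, finding.count, finding.samples, finding.note)
    print("block transfer:", should_block(results))
```

Two design points matter for a real agent. The Luhn check is what keeps the false-positive rate tolerable, since a sixteen-digit order reference will otherwise trip a digit-pattern search constantly; and the depth and size caps exist because an attacker (or a careless user) can present an archive that is cheap to store but enormous to unpack, so anything the scanner cannot finish inspecting is treated as a block, not a pass.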