Securing Endpoints Outside the Perimeter

At this point, it’s safe to say your mobile endpoints (laptops, tablets, and smartphones) will venture outside the perimeter of your network. The concept of the disappearing perimeter is well established these days; however, little is said about securing endpoints outside the perimeter.
How likely is this scenario? You have a user with a mobile device who wants to check Facebook or Gmail, or download/upload something to their cloud storage, and they cannot do so on the internal network. You’ve blocked those for good reason. So what do they do? They hop on your guest network or a mobile hotspot and do what they want outside the controls of your internal network. Outside the perimeter, you’re no longer inspecting traffic, applying updates to your anti-malware solution, blocking known malware command and control (C2) servers, applying data loss prevention (DLP) policies to data in motion, etc. Without these controls, they visit a site and get hit with drive-by malware. The trojan then connects to the C2 server and pulls down keyloggers, rootkits, etc. The user then hops back on your network. Your IPS/IDS may or may not catch it, and either way you lose: either it does, and you have an infected machine on your network that you know about, the user has downtime, and money is spent reimaging the machine; or it doesn’t block the connection attempts, and now there is a threat on your network you don’t know about. Granted, you can force internet access only through the VPN, but I know of very few organizations that enforce this because of how restrictive it is for end users.

So what can you do about it? With the power of cloud security solutions, you can now have a lot more visibility and control of your endpoints off the corporate network.

One of the more exciting cloud security products these days is the cloud proxy. You either push a PAC file, or an agent that enforces the PAC file, to route all traffic through a cloud proxy. This cloud proxy can also replace your traditional hardware-based, on-site proxy. What this gives you is your typical network controls regardless of where the user may be (coffee shop, hotel, the office, a remote office, home). Most cloud proxy solutions let you block known C2 servers in real time, block websites by policy, apply data loss prevention to data in transit, break open (decrypt and inspect) SSL traffic, export log files to your SIEM for correlation, import and export threat intelligence, and run the gamut of useful reports and metrics you would want.
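To make the PAC file concrete, here is an added example of what one looks like when it is used this way. It is my own illustration, not code from the original post or from any cloud proxy vendor: the proxy host names, the corp.example domain, and the FAKE_DNS lookup table are placeholders, and the small isPlainHostName/dnsDomainIs/dnsResolve/isInNet helpers (normally supplied by the browser) are included only so the file also runs under Node.js for testing.

```javascript
// Added example, not the post's own: a PAC file that sends every request
// through a cloud proxy unless the destination is local or on the corporate
// network. Proxy hosts, the corp.example domain and the FAKE_DNS table are
// placeholders. Browsers provide isPlainHostName/dnsDomainIs/dnsResolve/
// isInNet; the small versions below exist only so the file also runs under
// Node for testing.

// Two proxy nodes for failover, and deliberately no trailing "DIRECT": if the
// cloud proxy is unreachable the request fails closed instead of silently
// bypassing inspection (the agent, not the PAC, is what stops a user from
// simply switching the proxy off).
var CLOUD_PROXY = "PROXY proxy-a.cloud-proxy.example:8080; PROXY proxy-b.cloud-proxy.example:8080";

function isPlainHostName(host) { return host.indexOf(".") === -1; }

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Constructed stand-in for the browser's resolver.
var FAKE_DNS = { "intranet.corp.example": "10.20.30.40", "www.example.net": "203.0.113.5" };
function dnsResolve(host) { return FAKE_DNS[host] || null; }

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) {
    return ((acc << 8) + parseInt(octet, 10)) >>> 0;
  }, 0);
}

function isInNet(ip, net, mask) {
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// RFC 1918 ranges: reachable only on the corporate LAN or VPN, so go direct.
function isPrivateAddress(ip) {
  return isInNet(ip, "10.0.0.0", "255.0.0.0") ||
    isInNet(ip, "172.16.0.0", "255.240.0.0") ||
    isInNet(ip, "192.168.0.0", "255.255.0.0");
}

function FindProxyForURL(url, host) {
  // Unqualified names and the corporate domain stay off the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Literal IPs are checked as-is; names are resolved once.
  var ip = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : dnsResolve(host);
  if (ip && isPrivateAddress(ip)) {
    return "DIRECT";
  }
  // Everything else (Facebook, Gmail, cloud storage, ...) goes through the
  // cloud proxy, wherever the laptop happens to be.
  return CLOUD_PROXY;
}
```

The important design choice is the absence of a `DIRECT` fallback on the last line: a PAC that ends in `; DIRECT` quietly lets traffic bypass the proxy whenever the proxy cannot be reached, which is exactly the off-network gap the post is about. The `dnsResolve` call also means every new host name costs a DNS lookup, so keep the list of bypassed domains short and specific.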

Another important piece of securing the endpoint is being able to manage your endpoint anti-malware/anti-virus/host DLP/application whitelisting solutions. Most solutions now have agents that can sit in your DMZ to push and receive the latest hash files and policies for when your endpoints are off network.

For smartphones and tablets, all of these controls can be wrapped up in your mobile device management (MDM) solution as well.

The final piece is being able to manage group policies, installed applications, permissions, patching – essentially anything related to endpoints in your domain. While Microsoft has a solution that sort of works in SCCM 2012, there are more robust solutions available to help you manage this for devices off the enterprise network.

One last thing before wrapping up this post: these controls are built upon a solid foundation of doing the basics well, basics like asset management, and they assume your other controls (HDLP, anti-malware, proper device configuration, encryption, MDM, etc.) are in place and effective. Without a solid foundation in your information security program, no amount of controls (a.k.a. money) will lower risk to an acceptable level.

With security services in the cloud finally becoming a reality, there are more robust ways to let your users work off network while staying secure, without losing visibility of your endpoints and without having to backhaul all traffic through your VPN. Users are more productive and happier, all while being more secure.

Prevent Cyber Fraud with Two-Factor Authentication

Cyber fraud is on the rise right now. Those of us in the information security field commonly see business email scams (as detailed here by the FBI – https://www.ic3.gov/media/2015/150122.aspx). The scams range from spoofing the CEO’s email address to request a wire transfer, to business email accounts being compromised and then used to reset banking information and transfer money out.

As stated in this NPR story (http://www.npr.org/sections/alltechconsidered/2015/09/15/440252972/when-cyber-fraud-hits-businesses-banks-may-not-offer-protection), if you are a business and are the victim of banking fraud, the bank isn’t on the hook to reimburse you for your losses.

So I cannot stress this enough: implement two-factor authentication for your email, social media, banking, and remote access. It is easily the best way to reduce risk right now. If someone compromises your credentials, you are still in control of the second factor and they cannot get in.

The website TwoFactorAuth (https://twofactorauth.org/) has compiled a great list of websites that support two-factor authentication. And if you are new to two-factor authentication, Lifehacker has put together a great introduction to it (http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two-factor-authentication-right-now).