Cyber Security Hygiene - Endpoints

In the world of Cyber Security, endpoints refer to any IT device: laptop, desktop, tablet, phone or even servers (physical or virtual). Endpoints hold corporate data, run software and are essential to running any business process; they are also one of the main ways that Threat Actors get access into your company.
Endpoint management
As a prerequisite to securing your endpoints, you need to run an endpoint management platform. In this platform you enroll all your devices, manage the base operating system image that gets deployed when a new endpoint is issued, manage what software is available to be installed on the endpoints, define compliance policies, harden the devices, and isolate them from the network when needed. I will talk in a separate post about endpoint management solutions, but know that having one is a must. Also, if you don't have a compelling reason to allow Bring Your Own Device for team members, then don't: it's better when everyone works off a corporate device, because you can then enable conditional access policies that only allow sign-in to corporate services from corporate devices, which strengthens your overall cyber security posture.
Desktop computers
Personally, I stopped issuing desktop computers when the COVID pandemic started, which allowed our workforce to work remotely, and I will never go back to desktop computers again. I will therefore leave them aside in this post, but if you are still using them, they are no different from a laptop in how you secure them.
Mobile devices
Regarding phones and tablets, although in my roles we had thousands of them under management, we never did more than enroll them in a Mobile Device Management (MDM) system and publish only approved applications for install. Through the MDM, we would define minimum compliance requirements for the devices to be allowed for corporate use, such as a minimum operating system version or not being jailbroken. I have never run antivirus or sandbox solutions on the mobile devices, and across thousands of users and devices and many years of managing them we never had an incident. However, that's not to say it doesn't happen, and your environment might have stricter requirements to protect data on the device which would justify using these solutions.
Laptops
Laptops are the workhorse of any employee. They are used every day, all day, and everything happens on a laptop, so they are one of the main assets to protect and one of the main targets for attack. Here are some of the protections required for laptops:
- Have laptops enrolled in a device management platform. I have used SCCM in the past, but now all laptops are in Intune and enrolled via Autopilot, which simplifies a lot of the deployment, saves time and gives us more control.
- Always start out with an operating system image that your company maintains, which is stripped of any bloatware and kept on a software branch that's current.
- Define a compliance policy that laptops must meet to connect to your corporate network: it can be a minimum operating system version or branch, having antivirus or EDR running, having the firewall turned on, having updates applied, having disk encryption turned on, etc.
- Have an Endpoint Detection & Response (EDR) software/service in place. Nowadays, a general antivirus is generally not enough in a corporate environment and more sophisticated protection is required. I have used Crowdstrike in this space, which is a leader in the Gartner Quadrant and generally recommended by Incident Response (IR) teams. Microsoft Defender ATP is ok, but more limited in what it can offer, and it does not come with a 3rd party service that helps you respond to incidents (unless sourced separately or available in house).
- Have a software catalogue available from which laptops can install approved software only. Remove the option for users to install software from the internet and only publish curated, reviewed and safe corporate applications. This has a significant overhead for the IT team, as every application published in the catalogue will need to be updated periodically, and there can be hundreds of these; however, it's far too easy for a user to go on the internet and install something that puts a keylogger or other malware on the computer.
- Remove admin privileges for business users. Under no circumstances allow users to have admin rights on their notebooks. I would go as far as saying to consider whether IT staff should have any admin rights on the notebook.
- Ensure you update the operating system on a monthly cycle at the very least, and watch for zero-day vulnerabilities as they are disclosed for the apps you are publishing.
- Consolidate and rationalize applications as much as possible. Standardize on a PDF viewer/editor, a presentation tool, a spreadsheet editing software, an image editing software, etc. Users have preferences; however, the more applications you have to maintain, the less likely it is that you can patch them all in time and that you can support them in your IT Service Desk.
- Consider removing access to USB, or allow it only for certain groups that require it as part of their role. Loading data from USB can result in malware being loaded on the laptop and can also facilitate data leakage.
- Consider enforcing some web content filtering rules that block access to certain websites. There are pre-built policies depending on the categories you wish to have blocked.
- Have a patch and vulnerability program in place, which will be covered in another post. Zero-days or older vulnerabilities are the way into your endpoints, regardless of you doing all of the above. This applies to the base operating system and the software on top of it.
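As an added example (not code from the original post), here is a read-only PowerShell audit that checks a Windows laptop locally against the kind of compliance policy described above: minimum OS build, EDR or antivirus running, firewall on all profiles, recent patching, BitLocker on the system drive, and no unexpected local administrators. The thresholds, the EDR sensor service names and the allowed-admin list are assumptions for your environment; run it in an elevated PowerShell 5.1 or later session.

```powershell
# Added audit example, not from the original post. All baseline values below are assumptions.
$MinimumBuild    = 19045                          # assumed baseline: Windows 10 22H2 build
$MaxPatchAgeDays = 35                             # assumed: at least one update within a monthly cycle
$EdrServiceNames = @('CSFalconService', 'Sense')  # assumed sensor service names (CrowdStrike, Defender for Endpoint)
$AllowedAdmins   = @('Administrator')             # assumed: only the built-in break-glass account

$results = [ordered]@{}

# 1. Minimum operating system build
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['OS build >= minimum'] = [int]$os.BuildNumber -ge $MinimumBuild

# 2. EDR running, or failing that, Defender real-time protection enabled
$edrRunning = $false
foreach ($name in $EdrServiceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { $edrRunning = $true }
}
if (-not $edrRunning -and (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
    $edrRunning = [bool](Get-MpComputerStatus).RealTimeProtectionEnabled
}
$results['EDR or AV running'] = $edrRunning

# 3. Host firewall enabled on every profile (Domain, Private, Public)
$results['Firewall on all profiles'] = -not (Get-NetFirewallProfile | Where-Object { -not $_.Enabled })

# 4. At least one update installed within the patch cycle
$lastPatch = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
$results['Patched within cycle'] = [bool]($lastPatch -and ((Get-Date) - $lastPatch).Days -le $MaxPatchAgeDays)

# 5. BitLocker protection on the system drive
$sysVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$results['System drive encrypted'] = [bool]($sysVol -and $sysVol.ProtectionStatus -eq 'On')

# 6. No local administrators beyond the allowed list (domain groups such as Domain Admins are flagged too)
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name.Split('\')[-1] }
$extra  = $admins | Where-Object { $AllowedAdmins -notcontains $_ }
$results['No extra local admins'] = -not $extra
if ($extra) { "  Unexpected local admins: $($extra -join ', ')" }

# Report one line per control, then an overall verdict a compliance policy would act on
$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if ($results.Values -contains $false) { 'Overall: NON-COMPLIANT' } else { 'Overall: COMPLIANT' }
```

The same six controls are what you would express in the management platform's compliance policy; this script is useful for spot checks and for understanding why a device reports as non-compliant.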
Servers
When it comes to servers, the best thing you can do is to not have any. Servers mean that you are responsible for setting up a set of endpoints, running a certain piece of software and all the dependencies it has, and that is generally a big job. If you do need to run servers, consider going with the cloud rather than having to maintain your own hardware servers, as that adds complexity in maintaining storage, networks, Internet providers, High Availability and a lot more. The more hardware and software you maintain yourself, the less likely it is you have the talent and bandwidth to do it right. When it comes to servers, I take this approach:
- do I have a Software as a Service option for this Enterprise requirement so that I don't need to host anything? If yes, then take it.
- do I have a Platform as a Service option in the cloud for this requirement so that although I need to maintain a cloud environment to a certain degree, I don't need to worry about virtual machines and their entire stack? If yes, then take it.
- do I have an Infrastructure as a Service option in the cloud that requires minimum servers to be stood up and can I have a managed service to maintain that infrastructure from the vendor? If yes, consider taking it.
- Sometimes, however, you don't have the above options, and sometimes the cloud isn't even an option due to compliance or regulation requirements in some industries such as financial services or healthcare, and that makes things more complex, expensive and harder to secure. Also, note that doing any of the above does not remove the risk: it shifts the way you look at it, and it requires due diligence in selecting the right vendor for the service.
If you do need to run servers, then the same principles that apply to notebooks apply to servers as well. I would add that a server never works by itself: generally there is a supporting infrastructure of load balancers, firewalls, networks, databases and others supporting that server and the service behind it. Some of these topics will be covered in a different post regarding cloud security. Servers generally require more hardening, with a reduction of installed software and open ports and the disabling of unneeded services; a good guide is available here: https://www.cisecurity.org/cis-benchmarks. If you use a cloud provider, however, you are most likely getting a hardened base server image, but then it matters how you maintain it.
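To make the "reduce open ports and disable services" point concrete, here is an added PowerShell example (not from the original post) that snapshots a Windows server's listening TCP ports and auto-start services when run on the hardened base image, and on later runs reports anything that has appeared since. The snapshot path and the golden-image workflow are assumptions; run it elevated on PowerShell 5.1 or later.

```powershell
# Added drift-check example, not from the original post. The snapshot location is an assumption.
$SnapshotPath = 'C:\Baseline\server-exposure.xml'   # assumed: written once from the hardened golden image

function Get-ExposureSnapshot {
    # Listening TCP ports on non-loopback addresses, paired with the owning process name
    $ports = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            '{0}/{1}' -f $_.LocalPort, $proc.ProcessName
        } | Sort-Object -Unique
    # Services that start automatically, i.e. the ones that will be running after every reboot
    $services = Get-Service | Where-Object { $_.StartType -eq 'Automatic' } |
        Select-Object -ExpandProperty Name | Sort-Object -Unique
    [pscustomobject]@{ Ports = @($ports); Services = @($services) }
}

$current = Get-ExposureSnapshot

if (-not (Test-Path $SnapshotPath)) {
    # First run, on the hardened golden image: record the baseline and stop
    New-Item -ItemType Directory -Path (Split-Path $SnapshotPath) -Force | Out-Null
    $current | Export-Clixml -Path $SnapshotPath
    "Baseline written to $SnapshotPath"
    return
}

$baseline = Import-Clixml -Path $SnapshotPath

# Anything listening or auto-starting that the golden image did not have is drift to investigate
$newPorts    = $current.Ports    | Where-Object { $_ -notin $baseline.Ports }
$newServices = $current.Services | Where-Object { $_ -notin $baseline.Services }

'Listening port/process pairs not in baseline (close or firewall unless the role needs them):'
$newPorts
'Auto-start services not in baseline (disable unless the role needs them):'
$newServices
```

Re-snapshot whenever the golden image is deliberately changed, otherwise every approved change shows up as drift forever.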
This has been a longer post because there is a lot happening on endpoints, both from a user perspective, as they are the user's window to corporate services, and from the perspective of hosting a technology service.
You can subscribe if you'd like to stay up to date and receive emails when new content is published. If you'd like to work together on your IT posture, here is how I can help: askalex.how.