Endpoint Device Security: Implications of Remote Work Environments
In today’s world, information is everywhere and can be accessed from almost anywhere. With the shift to remote work environments, it can now be especially challenging for organizations to manage and control employee endpoint devices (e.g., laptops, workstations, and smartphones) that are operating outside of the traditional security perimeter. Users are connected to home networks, using personal devices to access work information, and constantly wanting to add or change software, install new applications, etc., without always understanding the potential risks they may be creating.
Unfortunately, attackers know this and are increasingly targeting endpoint devices because they are often less secure and are most likely storing valuable, sensitive data. Reports show that 70% of security breaches originate at endpoint devices through vulnerabilities like phishing and compromised credentials or out-of-date systems. Adding to this challenge, Absolute’s annual Endpoint Security Trends Report revealed that since the onset of the COVID-19 pandemic, there has been a 41% increase in the amount of sensitive data (PII, PHI, PFI) located on endpoints. In March and April of 2020, phishing and adware attacks soared from 2,000 to 90,000 direct threats per week.
Because of this trend, many security departments are shifting their focus to data security and working to protect organizational data wherever employees may be working. In fact, the recent EDUCAUSE Horizon Report highlighted endpoint detection and response technologies as one of the top 6 key technologies that will have a significant impact on the future of information security in higher education.
Below are a few recommendations that your organization may want to consider as you work to secure the sensitive information of your customers and implement endpoint protection.
Having an up-to-date inventory of all endpoint devices and assets is critical. It is only possible to secure devices you know about, so keep track of devices used to access any organizational systems.
Endpoint Vulnerability Management
Successful management of devices includes patching and vulnerability management, and ensuring all patches are applied and updates implemented in a timely manner. Central IT can deploy tools to ensure all software is secured and up-to-date, and manage anti-virus/anti-malware software to actively identify and mitigate known threats.
The average patching delay across Windows 10 enterprise devices is more than three months. With unpatched software vulnerabilities such a common attack vector for cybercriminals, this responsibility should not fall to the end users, as there are too many opportunities for error. Unmanaged remote endpoints are a significant risk to an organization. In order to verify the ongoing security of employee workstations and laptops, it is a good practice to test and review the image of an organizational device that has been in use for a year (especially if used remotely) and compare that to a newly configured device. How effective has your organization been at ensuring devices are patched and updated? Remember the 70% of breaches that originated at the endpoint? Well, 35% of those breaches were caused by existing vulnerabilities!
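One way to carry out the comparison of a year-old device against a newly configured one, shown as an added example that is not from the original article: it diffs two software inventories and reports removed, unapproved, and outdated software. The CSV layout, product names, and versions are constructed for illustration.

```python
"""Compare a year-old device's software inventory against a fresh baseline image."""
import csv
import io

# Constructed sample exports (name,version); a real export would come from
# whatever inventory tool the organization already uses.
BASELINE_CSV = """name,version
Browser,120.0.1
OfficeSuite,16.0.17328
EndpointAgent,7.4.2
VPNClient,5.1.0
"""
IN_USE_CSV = """name,version
Browser,112.0.3
OfficeSuite,16.0.17328
VPNClient,5.1.0
TorrentClient,4.5.5
PDFTool,2.10.0
"""

def load_inventory(text):
    """Parse a name,version CSV export into {name: version}."""
    return {row["name"]: row["version"] for row in csv.DictReader(io.StringIO(text))}

def version_key(version):
    """Turn '16.0.17328' into (16, 0, 17328) so 2.10 sorts after 2.9."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))

def compare_to_baseline(baseline, in_use):
    """Return drift between a fresh image and a device that has been in use."""
    drift = {"missing": [], "unapproved": [], "outdated": []}
    for name, base_ver in sorted(baseline.items()):
        if name not in in_use:
            drift["missing"].append(name)  # e.g. a removed security agent
        elif version_key(in_use[name]) < version_key(base_ver):
            drift["outdated"].append((name, in_use[name], base_ver))
    drift["unapproved"] = sorted(set(in_use) - set(baseline))
    return drift

def drift_report():
    """Run the comparison on the constructed sample inventories."""
    return compare_to_baseline(load_inventory(BASELINE_CSV), load_inventory(IN_USE_CSV))

if __name__ == "__main__":
    for category, items in drift_report().items():
        print(f"{category}: {items}")
```

A missing security agent or software older than the baseline on the in-use device is the kind of finding this review is meant to surface.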
Endpoint encryption including disk encryption on laptops, mobile devices, and removable media protects any sensitive data stored on the device and renders it unreadable to unauthorized users that may gain access to the device.
Allowing users to access sensitive data from remote devices while restricting that same data from being stored on those endpoint devices without sufficient protections can greatly improve an organization’s ability to protect that data. Use of virtual private networks (VPNs) allows remote workers to securely access organizational resources using managed public applications. If users are forced to connect to the company network in order to access the sensitive data, this reduces the need for the critical information to be stored in multiple places.
It can also be important to limit what other networks or systems endpoint devices can access. This way, if a laptop or workstation is compromised, the attackers can’t easily gain access to other organizational networks or systems. For example, employee-owned mobile or BYOD devices should not use the same network as servers hosting customer data.
Endpoint Detection and Response
Currently it takes an average of 197 days for an organization to detect a breach. Deploying an endpoint detection and response tool can help your organization have better visibility into malicious attacks that may have made their way past endpoint security measures.
Keep Compliance in Mind
Are any of the activities that users are now performing from their home office potentially a compliance risk? For example, are they now processing customer payments via a remote workstation instead of on a payment card terminal in the office? As much as possible, departments should try to replicate the office environment and strictly follow defined processes to ensure additional risks or compliance failures are not unknowingly introduced via employee endpoint devices.
Users are the first line of defense against network breaches. Employees should be aware of information security best practices and how to avoid making common security mistakes. Make employee training a priority and also verify all users are aware of organizational policies and procedures, including your acceptable use policy.
The COVID-19 pandemic has forever altered the attack landscape, and remote work environments are not going anywhere. The need for organizations to be able to manage and protect endpoint devices is critical.
Some additional guidance from the Offensive Security team:
[Roell]: Endpoint protection is a vital layer of defense-in-depth security strategies. Because endpoint devices can serve as a “bridge” into an organization’s trusted networks, traditional security perimeters arising from remote and bring-your-own-device are more difficult to maintain. Endpoint protection can prevent or alert of attacks when the source is the end-user, allowing the organization to mitigate compromises before they propagate into other security domains. Endpoint protection can also serve to deny attackers the “safe-haven” that an unmonitored user device can provide and make it more difficult for attackers to maintain persistence.