8 Steps to Ensure Endpoint Protection for Your Corporate Environment

Business protection essentials

Author: F-Secure Business Security Insider
Date: 25.06.2015
Read Time: 6 Minutes

In the previous post we explained that endpoint security is the ability to Protect, React and Recover. Today we’ll discuss the Protection part in more depth – how you can make sure your environment is shielded from threats in the first place.

1. Remember that there’s no such thing as a safe operating system, software or hardware
Don’t be tempted to believe that any one operating system or hardware is immune to threats. Unfortunately, the idea of a “safe” computer is a misconception that can lead to serious security holes in the corporate environment. Endpoints that are thought to be safe are often not protected or even monitored, so there is a high risk that when they are exploited (which is usually just a matter of time) they will become a gateway to the rest of the network. So remember that all operating systems, the software on them, and the hardware they are running on are vulnerable. They should all be protected and monitored.

2. Use a security product with an intrusion prevention system
To protect your endpoints effectively, ensure that they have the best protection by using security software that features an intrusion prevention system, meaning software that monitors for suspicious activity and for behavior that resembles malware. This will help protect endpoints and the network from new and emerging malware that hasn’t yet been identified by security labs. Also check for software with a real-time protection network that shares information about the newest threats with all the endpoints connected to it.

3. Use encryption even for inside communications
You probably only think of encrypting communication channels when it comes to external communication over the Internet. But it’s a good practice to secure the communication channels even within the Local Area Network. As mentioned, one compromised endpoint is a threat to the whole network – plus, there’s the unfortunate possibility of insider attacks. That’s why keeping all communication channels safe should be a priority.

4. Protect the home office and mobile office
Protecting company-provided laptops and mobile devices for employees who work remotely is a manageable challenge. A bigger problem, though, is protecting user-owned devices like smartphones, game consoles and even home computers or USB sticks. Take, for example, an employee using his home computer for work-related tasks. The computer may have outdated security software, or perhaps no protection at all, and it’s also used by other family members who know nothing about IT security. If this computer gets infected, it could infect all the devices that connect to it. If the corporate administrator allows it to connect to the corporate network, it could also spread the infection there (often even through the VPN). Yes, this is a worst-case scenario, and based on this we could ban all connections from external devices to make sure it doesn’t happen. But in reality, sometimes exceptions are needed.

This is why it’s a good practice to provide your employees with security software for their own computers, smartphones and tablets, and propose regular scans and audits for those. Even better, add them all in a centrally managed environment where you can easily monitor them – for example, F-Secure Protection Service for Business.

5. Value and protect the user accounts
A user account should not be considered just a way to bind email addresses to employees. A user account means all the files, resources, information, privileges and network access that belong to one user. Think of it like a personal bank account. You can easily imagine the effects of misused or stolen account access rights and the losses that could follow. Imagine that this bank account also has access to other accounts, or all the money in the bank – a recipe for disaster. Make sure that user accounts are safe, hard to penetrate and without value to the attacker.

Protecting user accounts means making sure employees use strong, unique passwords and that they change them regularly. (It’s a good idea to provide employees with a password manager tool to help them create and store their passwords.) It also means having devices and computers automatically lock themselves after a few minutes of not being in use.

6. The right to use and not abuse
Managing the level of privileges that users have on the endpoint system or corporate network is very important. Malware tries to perform various operations when it infects a system. It tries, for example, to create or change files or registry values, copy itself to network shares, and create or end processes. But in order to do these operations, it needs privileges. Therefore, to minimize the impact of a malware infection on the network, user privileges must be limited to user needs. Employees need to have enough rights on the system so they can work and use work-related services, but no more than is necessary. Such limitations, however, can cause dissatisfaction, so training employees about malware effects and policy enforcement can help them understand the need for restrictions.

IT administrators should have a user account for reading emails, browsing the web, etc., but administrative chores should be done on a separate account, or even on a separate computer, reserved only for those special functions. Administrative accounts can even be segmented into different functional groups to limit accounts further. There should be a clear overview of the account permissions and restrictions. These measures offer better control over accounts and less chance for a widespread infection scenario.

7. Many users, many different needs
The bigger the corporate environment, the more types of users there are to handle. This means taking into account their needs in the working environment while still taking measures to ensure maximum security. An accountant’s software, for example, is completely different from a developer’s software. This can mean special firewall exceptions or even file exclusions from scanning. Using browser plug-ins or social networks in the work environment is a potential risk, but it is nevertheless sometimes needed in areas like marketing, accounting, and research and development. To avoid the risk of malware exploitation, a company could limit their usage.

In certain situations, separate computers can also be used to lower the risk of infection. For example, an accountant could do the Internet banking on a separate computer only for that purpose – or at the very least, use a separate Internet browser only for online banking.

8. Train your employees and keep them alerted
Last, but definitely not least: making sure your staff is educated about security threats and proper security hygiene is extremely important. If employees are aware of threats and how to avoid them, not only will they be able to use better security practices, but it will also be easier for them to understand the restrictions you enforce on the endpoints. Hold an information sharing event where employees are briefed on what can happen if they are not careful. Educate the employees, for example, on the dangers of social networks, spam and phishing attacks, what exploits are and the damage they can cause, and how attackers use social engineering techniques to infiltrate corporate networks. It’s also a good idea to train them to watch their phone bills for strange charges, in case mobile malware that sends SMS messages or makes calls to premium numbers has infected their phone.

Sending timely emails to briefly update employees about the latest threats and outbreaks is also a great idea, which in addition helps you to be aware of the latest malware and its tactics so you can better protect against it.

