As more people work outside the traditional office environment, endpoint devices are emerging as one of the biggest potential weaknesses in the corporate security chain. In fact, according to the International Data Corporation, up to 70% of all successful network breaches originate from endpoints.
Unsecured endpoint devices are vulnerable to a number of risks, including:
· Phishing attacks
· Malware and ransomware
· DDoS attacks
· Macro and script exploits
· Advanced persistent threats from organized groups
Outside the safety of the office firewall, these endpoint devices can serve as the backdoor to unauthorized access by external actors. Hence, endpoint security is more important than ever to guard against external threats and possible breaches of sensitive data.
In this article, we’ll discuss the best practices for endpoint security that you can incorporate as part of your overall network security regimen. These suggestions are applicable whether in-office, or working remotely.
14 Best Practices for Good Endpoint Security
1. Secure every endpoint
As one of the gateways to your network, it pays to secure and keep track of every device that connects to the system.
- Maintain an inventory of all endpoint devices, and make sure to keep it updated.
- Ensure that each device has the appropriate safeguards and the latest patches.
2. Encourage stronger passwords
Once the devices are secured, encourage the users to practice good password practices.
- Make longer, complex passwords mandatory for everyone.
- Enforce periodic password changes and ban the habit of reusing old passwords.
3. Keep endpoints encrypted
Add an additional layer of protection beyond passwords
- Encrypt the device’s disk or memory so that it remains inaccessible even when lost or transferred to another unit.
Did you know: In 2018, 37,000 customers of Ireland’s largest telecom provider had their data compromised because of a stolen company laptop, which had been decrypted by a faulty security update the previous day.
4. Enforce least privilege access
Limit access and device privileges
- Non-administrator should be the default access unless otherwise needed.
- Don’t assign admin privileges to regular users to prevent unauthorized executable code from being loaded onto devices.
5. Run continuous endpoint scans
Keep track of every device connected to the network in real time
- Practice constant location awareness, especially for mobile assets like smartphones and laptops that are vulnerable to loss or theft.
6. Implement automated patching
Make it automatic instead of relying on users
- Push patch updates during downtimes unless absolutely critical.
- Make sure it applies to third-party patches as well.
Did you know: An unpatched copy of Microsoft Outlook was behind the 2018 data breach of 1.5 million health records in Singapore, including records of the country’s Prime Minister.
7. Enable Multi-Factor Authentication
- Use MFA to prevent account theft from other sources.
- Add a second layer of verification when logging in from unrecognized locations.
8. Have a strict VPN access policy
- Virtual private networks can be exploited, exposing the network to spoofing, sniffing or DDoS attacks.
- Ban or limit VPN usage so that access is only at the application layer, limiting the risk of a network-level attack.
9. Account for BYOD cases
- If employees are allowed to work using their own devices, have a policy that outlines the security rules and consider using a guest access account.
- Emphasize their end-user responsibilities, as well as protocols for device loss or theft.
Did you know: A faulty BYOD policy was to blame for the 2017 data breach of South Korea’s largest bitcoin exchange, which compromised 32,000 users and saw $30 million in cryptocurrency being stolen in a few hours.
10. Practice system hardening
Limit access to the device’s configuration and settings to reduce IT vulnerability, attack surface, and possible attack vectors.
- Have a hardening standard to provide benchmarks for different devices and operating systems.
- Define traffic pathways between the endpoint devices and the network, so that other listening ports (UDP or TCP) can be closed.
11. Implement application control
This security practice restricts unauthorized application executions that present risk.
- Take advantage of application control programs like Microsoft’s AppLocker to limit app executions based on the path, publisher or hash.
- Have a whitelist of permissible programs, files and executions.
- When an application is granted access, enforce additional rules to block unnecessary communication between network segments.
12. Segment the network
Split it into subnetworks for better performance and security
- To avoid being overwhelmed by the scope, start by establishing a privileged area and go from there in small but well-defined increments.
- Keep interpersonal, inter-departmental and organizational factors in mind when segmenting the network so that regular business processes are not impacted.
- Have a separate infrastructure for managing and updating privileged resources.
- Remember to segregate the configuration systems for privileged machines from the configuration management of regular devices.
Did you know: The Department of Homeland Security endorses network segmentation as a necessary part of any organization’s network security.
13. Make use of SIEM tools
Security Information and Event Management software allows real-time monitoring of the network
- Due to the diverse range of endpoint devices, SIEM solutions are now considered part of standard corporate security.
- A good SIEM solution should not only log events, they should have a good ruleset to flag possible incidents and turn them into actionable items.
14. Practice caution when using cloud storage
- Treat the cloud as another endpoint that could be accessed by external parties.
- Give distinct credentials for each user, and always use TLS (HTTPS) to transport data.
The Weakest Link
Up to 90% of data breaches are caused by human error. This problem is compounded in endpoint devices, which are vulnerable to being phished, hacked, lost or stolen. Because employees will be in charge of laptops and mobile devices, the safety and security of your network lies partly in their hands.
Employee education is therefore your first line of defense. A strong, clear set of policies regarding devices can prevent data loss or intrusion before it even starts. These guidelines will ensure that all members of the organization are aware of their vital role in protecting the company’s data.
Employee Education Guidelines
Secure the device
· Always keep devices locked when leaving the desk or when the screen times out.
· Use a strong, complex password and change it regularly.
· Ensure that device and memory encryption are always enabled.
· Make sure the antivirus software is frequently updated.
· Always perform a virus scan when connecting external storage media.
· Use only approved and licensed applications.
· Keep personal usage separate from the work environment. Just like people don’t use company credit cards for their personal expenses, make employees aware of the distinction between personal and work usage.
Protect the pathways
· Ensure that the proxy (URL filtering) solution is installed and enabled.
· Avoid connecting company devices to unsecured Wi-Fi connections.
· Look for the HTTPS when connecting to ensure that connections and data transfers are protected by SSL/TLS.
· Practice social awareness, and be wary of suspicious sites, phishing and social engineering ploys.
Make security part of the company culture
· Do not connect unapproved devices to official systems.
· Remove unauthorized software and plugins from the device and the browser.
· Immediately report all instances of device alerts, loss or theft.
· When in doubt, ask IT.
Have a Device Recovery System in Place
Sometimes even the best safeguards are not enough. When devices are outside the physical security of the office, they can be lost or stolen. In fact, 15% of data breaches are caused by lost or missing devices. This where a device recovery platform like Prey comes in.
A good device recovery system allow you to:
· Manage all devices remotely
· Track their present or last-known location in real time
· Remotely lock devices
· See device status, firmware, and update
· Wipe data when required
· Do it all from a single application instead of multiple disparate ones
Endpoint Security is a 50/50 Responsibility
Since employees are in charge of endpoint assets, half of the responsibility for endpoint security is literally in their hands. Once you’ve done your part in securing the system and the network, make sure they do theirs.
Have a clear set of rules, encourage good device ownership, and make security an ingrained part of the company culture. After all, the organization’s safety and security is everyone’s responsibility.