Microcosm of a massive security problem
A few weeks ago, I gave a presentation to a number of companies about the future of endpoint security. During this presentation, I had the opportunity to ask these folks a number of questions about their IT infrastructure and their plans for it.
There were only about 20 organizations represented, so this was far from a statistically significant research project. Nevertheless, there were some interesting trends:
1. Only one of the organizations was upgrading its endpoint to Vista. It turns out that the one company is a Microsoft business partner so it has to do so. Others said they have no reason to move to Vista and will consider a move to Windows 7 when it arrives in 2009.
2. Seven organizations were experimenting with desktop virtualization, and many of the others were interested in doing so. It seems like this technology has a very bright future.
3. None of the organizations was taking advantage of the Trusted Platform Module (TPM), a security chip that is embedded in all new PCs. Users said that they like the security functionality but that TPM is simply too complex to roll out to nontechnical users.
4. All of the organizations represented used full-disk encryption on their laptops.
5. None of the organizations was using any type of port blocking technologies (i.e. security tools that limit the use of devices connected to USB and other ports), though most were interested in looking at this.
6. About half of the organizations let end users use their company-issued PCs for personal use. The other half had policies and technology safeguards in place to preclude them from doing so.
7. Most of the organizations had implemented or planned to implement Network Access Control (NAC) technologies, but many were confused about the current status of this technology.
The audience was made up of pretty sophisticated organizations with ample security resources, yet even these security professionals were quick to admit that endpoint security remains complex, confusing, and full of vulnerabilities. In this regard, my small informal discussion with security professionals was a valid microcosm of the massive problem we face.
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET. 

I implemented port blocking and removable media encryption (using Pointsec Protector) about 6-8 months ago. We previously blocked the use of any removable media. Now we are able to provide the same level of encryption on it as we do on our hard drives. It's been a big hit with our users because we've expanded their capabilities and our security team likes it too because of the granular policy control it allows and the detailed reporting.
I was wondering if you could be more specific as to why these organizations think TPMs are "too complex" for nontechnical users. Everyone I have talked to, to date, says they are incredibly easy to activate, roll out and manage.
TIA
by phenrycissp, October 21, 2008 5:54 PM PDT
This kind of feedback is priceless, thanks for sharing. I make it a point of gathering as much real world feedback at my own speaking gigs as well. With respect to port blocking technologies, following multiple data breaches where a USB stick was the enabler of that security breach, awareness around data loss and theft finally seems to be growing. However, when I ask attendees at my events why they haven't deployed port blocking technologies, the most popular excuse I hear is that it is too administratively intensive.
Let me dispel that myth - in my forensics lab I am entrusted to secure Terabytes of client data while it is under analysis and I realized that my greatest risk of client data exposure was data leaving my lab via removable media. I am currently testing Sanctuary Data Protection technology from Lumension Security which allows me to control specifically who can write what data and to which devices. This covers all removable and storage media (USB thumb drives, CDs, DVDs, WIFI, Bluetooth and FireWire). Just as importantly, it allows me to automatically encrypt any data written to the removable media and storage devices to mitigate data loss in transit issues, and it addresses my chain-of-custody needs with a complete audit trail so I can track where the data is stored and where it's being transferred to. It also prevents malware introduction into my network from these devices. Anyone concerned with administrative burden needs to try a current generation solution where deployment of the agents is simple and the centralized management eliminates the administrative burden of legacy solutions.
Paul A. Henry
MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE
Forensics & Recovery LLC
www.forensicsandrecovery.com