Copyright © 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org

A Network Is Threatened by Its Own Endpoints
By Mitchell Ashley

The Changing Network Perimeter

Traditionally, the network perimeter was the first and primary line of defense from outside, untrusted networks and devices. It was the first and last point of contact for the security defenses protecting the network and usually consisted of one or more firewalls and a set of strictly controlled servers located in a portion of the perimeter referred to as the demilitarized zone (DMZ). When networks were relatively static and unchanging, the perimeter was the gateway to the outside world and, conversely, the outside world’s gateway to an organization’s network.

Everyone is familiar with attacks that originate from outside the network perimeter, but security threats to networks no longer come only from outside. Protecting the perimeter is still necessary, but it is no longer sufficient to conform to security best practices. Because traditional perimeter security systems must allow a wide range of network traffic through firewalls, sophisticated hackers have discovered ways around them. While firewalls can block certain types of unauthorized network connections and traffic, they have little effect on attacks embedded within web site traffic or peer-to-peer applications, or on still more deceptive types of attacks. Many recent worms have been effective at subverting firewall and antivirus solutions because they hide within legitimate network traffic and sometimes trick end users into assisting in their propagation.

Today, networks are much more porous as a result of wireless, VPN and dial-up access. Peer-to-peer messaging, music- and file-sharing programs connect individual desktop computers to open virtual networks that pass unabated through the perimeter defenses surrounding most networks, such as firewalls, antivirus and other security defenses.
As a result, organizations have been forced to rethink their approach to network security, which now includes all endpoint devices connecting to the network, externally and internally.

The Rise of Internally Launched Attacks

Although much of the industry is still focused on external hacks, internal threats are on the rise and need to be taken into account. International Data Corporation (IDC) estimates that more than 60 percent of all serious threats (i.e., a threat that damages revenue generation, decreases profitability, lowers worker productivity, violates intellectual property, breaches regulatory compliance or endangers customer trust) come from internal sources, including employees, contractors, consultants, systems integrators, partners, distributors and even customers who have privileged access to a corporation’s resources. IT departments should expect that the next worm to attack the network could come from someone within the organization. Because insiders have an established degree of trust, they already have legitimate access to corporate resources. That is not to say that such an attack would be intentional or that the employee would even be aware of what was happening. Regardless, the likelihood of being attacked from inside the network has increased dramatically.

Most businesses have suffered financial losses from worms, Trojan horses, viruses and spyware. An Aberdeen Group study shows that revenue losses attributed to Internet-based business disruptions now average US $2 million per incident, with almost one business disruption incident per organization per year. Midsized businesses (revenues of US $500 million) experience a loss rate of more than US $335,000 per incident. Even small businesses (US $10 million in revenue) feel this impact, with losses averaging US $6,700 per incident. Many of these Internet-based business disruptions result from attacks that originate inside the network.
It is becoming common for organizations to fall victim to internal attacks launched from visitor laptops (those of contractors, vendors or business partners), machines connecting through VPN or modems, wireless devices or employee desktop computers. These are referred to as endpoints, and it is the dirty little secret of network security that endpoint devices are not really secure. Attackers are increasingly taking advantage of these unsecured endpoints. Many of the worms and Trojan horses, and much of the spyware, attest to this shift in the nature of attacks. Network and security administrators are grappling with exploits such as Download.Ject that take advantage of browser deficiencies. At the same time, they are deluged by the many variants of MyDoom, Beagle, Sasser, Netsky, Sober, Sobig, Phatbot, Witty, Blaster and many others.

Attacks Leveraging User Behavior

This shift toward exploiting the endpoint is a natural progression. Historically, attackers have sought to exploit operating system or application software that contains vulnerabilities or is improperly configured. Many of the commonly deployed security defense systems are directed at preventing such attacks by blocking malicious traffic or reporting known vulnerabilities that need to be repaired. More recently, attacks increasingly leverage end-user behavior. Many common, and even desired, end-user activities can be exploited to facilitate an attack. For example, an attack can be launched when the end user clicks a link on a web page or within an e-mail that appears to be legitimate. Successful attacks of this type bypass traditional defenses, such as firewalls and antivirus solutions, and give direct, immediate access to core network devices and other endpoints. By leveraging end users, attackers have an almost unlimited number of unsecured corporate and home computers through which to gain access to business and government networks.
How do the new worms and Trojans leverage the end user as part of the attack? In the case of MyDoom, the malicious payload is delivered when end users open a zip file. Sober.D relies on end users clicking a link to download a supposed security patch described in what appears to be a security e-mail bulletin, thereby delivering the worm directly to end users’ devices.

Mobile and remote users pose an equally great threat. Such users, whose devices may have been compromised without their knowledge, can get into the network via a virtual private network (VPN), dial in or connect their laptops to the LAN when returning to work, and infect or reinfect the network. Visitors and contractors regularly connect to the network with their own endpoint devices and spread contamination from attacks already present on their computers. In these situations, attacks enter behind perimeter defenses and have a wide-open network on which to spread. Not only does this make it easier for attacks to enter the network, but frequently security administrators must respond to the same attack multiple times. Beefing up the defenses at the network perimeter does not necessarily decrease the likelihood of this type of attack occurring.

Antivirus and Firewalls Are Not Enough

Until recently, it was common for attacks directed at end users to be delivered as a virus within an e-mail. But the new generation of attacks leverages vulnerabilities, web sites and peer-to-peer applications as well. Even devices with up-to-date antivirus solutions are not protected from attacks exploiting these pathways. Is better antivirus software needed? Are personal firewalls the solution? IT organizations are in a rush to determine what is required beyond these traditional solutions. Vendors argue that product upgrades, enterprise-managed versions of their products, and even OS upgrades that include antivirus and personal firewalls are the answer. But it is not about locking down the endpoint device. It is about protecting the network.
End users often knowingly or unknowingly disable security applications (such as antivirus or personal firewalls), neglect to install up-to-date security patches, improperly configure security settings, install restricted software (peer-to-peer, file sharing or instant messaging) or are subject to spyware contamination. All of these threats have historically been beyond the control of IT administrators. Bottom line: one cannot assume users can secure their own devices; administrators must protect the network from all endpoints, foreign and domestic. In short, endpoint devices must be considered suspect, and administrators must regain control over them.

Protecting the Network Through Endpoint Compliance

Rethinking endpoint security means that the security of endpoint devices must be viewed from a network perspective. A new class of endpoint solutions works to protect the network from unsecured and unknown devices. This approach views every endpoint device attempting to connect to and use the network as suspect. Endpoint solutions protect against these dangers by prohibiting devices from accessing the network until they meet the necessary security requirements. These solutions test devices for compliance with the organization’s security policy in the areas of antivirus, personal firewall, patches, security settings, and required and restricted software. They also ensure that worms, Trojans, viruses or spyware have not already compromised the device. Devices that meet the security requirements are allowed access to the network and are then retested during their connection to ensure continued compliance. Devices that fail compliance testing are quarantined, and their users are provided with direction and resources for updating the device with the necessary patches and security settings.
Endpoint compliance includes devices under the control of the organization, such as corporate desktops and laptops, as well as foreign endpoints that are not under the organization’s direct control. Foreign endpoints include laptops and desktops that may be brought into the organization by visitors, contractors or employees. Devices that the organization may never physically see, such as employees’ and contractors’ home computers and devices attaching to the network via WiFi, are also considered foreign. While most IT shops tend to focus their efforts on securing corporate-owned endpoints, both foreign endpoints and corporate-owned devices need to be part of any organization’s endpoint security program. In fact, foreign endpoints pose a greater risk than corporate-owned machines, because their security state is unknown and likely to be inadequate or nonexistent.

Network endpoint compliance must be addressed from an external and an internal perspective. The external perspective entails controlling the access of devices that connect to the network remotely, such as through a VPN, dial-up or WiFi. All external endpoints accessing the network should be tested prior to gaining full access to network resources. Noncompliant devices may receive only limited access through a quarantine policy, or may have no network access until they meet endpoint security requirements. For example, IT administrators may not want people updating their home computers through the corporate VPN.

The internal perspective pertains to controlling the access of devices that connect directly to the internal LAN. This includes devices at a central location as well as devices at smaller or remote offices. As with external machines, noncompliant internal devices should be cordoned off into a separate quarantine network with only the access necessary to receive virus definitions, update software or receive updates from a patch management solution.
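The test-then-quarantine decision described above, written out as an added example that is not part of the original article and is not StillSecure's product code: a small policy engine in Python runs a set of compliance tests over an endpoint's reported inventory (what an agent, or an agentless scan from the network, would collect), grants full access only when every test passes, and otherwise returns a quarantine decision carrying the remediation direction the user should be shown. Re-running the same evaluation during the session is what catches a device that drifts out of compliance, for example when the user stops the antivirus product. The example goes slightly beyond patches and antivirus, covering prohibited software, a browser setting and an organization-defined custom test. The policy, the test names, the hotfix and process identifiers and the two sample inventories are all constructed for illustration; none is a real update number, product or scan result.

```python
"""Added example: a minimal endpoint-compliance policy engine of the kind the
article describes. Illustrative code, not StillSecure's product or the author's
own; the policy, test names, identifiers and sample inventories are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

FULL = "full"              # production network
QUARANTINE = "quarantine"  # remediation network: patch and AV update servers only

# A test inspects the endpoint inventory (what an agent or an agentless scan
# reports) and returns (passed, remediation hint to show the user).
ComplianceTest = Callable[[dict], Tuple[bool, str]]

@dataclass
class Finding:
    test: str
    passed: bool
    remediation: str = ""

@dataclass
class Decision:
    access: str
    findings: List[Finding] = field(default_factory=list)
    def failures(self) -> List[Finding]:
        return [f for f in self.findings if not f.passed]

def requires_hotfixes(required: List[str]) -> ComplianceTest:
    def check(inv: dict) -> Tuple[bool, str]:
        missing = sorted(set(required) - set(inv.get("hotfixes", [])))
        return not missing, ("install " + ", ".join(missing)) if missing else ""
    return check

def antivirus_current(max_definition_age_days: int) -> ComplianceTest:
    def check(inv: dict) -> Tuple[bool, str]:
        av = inv.get("antivirus", {})
        if not av.get("running"):
            return False, "install or start the corporate antivirus product"
        if av.get("definition_age_days", 10**6) > max_definition_age_days:
            return False, "update virus definitions from the AV server"
        return True, ""
    return check

def personal_firewall_enabled(inv: dict) -> Tuple[bool, str]:
    return bool(inv.get("firewall_enabled")), "enable the personal firewall"

def automatic_updates_enabled(inv: dict) -> Tuple[bool, str]:
    return bool(inv.get("automatic_updates")), "turn on automatic updates"

def no_prohibited_software(prohibited: List[str]) -> ComplianceTest:
    banned = {p.lower() for p in prohibited}
    def check(inv: dict) -> Tuple[bool, str]:
        found = sorted({p.lower() for p in inv.get("processes", [])} & banned)
        return not found, ("stop or remove " + ", ".join(found)) if found else ""
    return check

def browser_scripting_disabled(inv: dict) -> Tuple[bool, str]:
    # The kind of setting an organization might mandate after a browser exploit
    # such as Download.Ject: no active scripting in the Internet zone.
    ok = inv.get("browser", {}).get("internet_zone_active_scripting") is False
    return ok, "disable active scripting for the Internet zone"

# Constructed policy: hotfix-00N and the process names are placeholders.
DEFAULT_POLICY: Dict[str, ComplianceTest] = {
    "os_hotfixes": requires_hotfixes(["hotfix-001", "hotfix-002", "hotfix-003"]),
    "antivirus": antivirus_current(max_definition_age_days=3),
    "personal_firewall": personal_firewall_enabled,
    "automatic_updates": automatic_updates_enabled,
    "prohibited_software": no_prohibited_software(["p2pshare.exe", "imchat.exe"]),
    "browser_scripting": browser_scripting_disabled,
}

def with_custom_test(policy: Dict[str, ComplianceTest], name: str,
                     test: ComplianceTest) -> Dict[str, ComplianceTest]:
    # Organization-specific tests sit alongside the stock ones.
    return {**policy, name: test}

def evaluate(inventory: dict, policy: Dict[str, ComplianceTest]) -> Decision:
    """Run every test; a single failure sends the device to quarantine. Called at
    connect time and again during the session to catch compliance drift."""
    findings = [Finding(name, *test(inventory)) for name, test in policy.items()]
    access = FULL if all(f.passed for f in findings) else QUARANTINE
    return Decision(access, findings)

# Constructed sample inventories, not real scan output.
CORPORATE_LAPTOP = {
    "hotfixes": ["hotfix-001", "hotfix-002", "hotfix-003"],
    "antivirus": {"running": True, "definition_age_days": 1},
    "firewall_enabled": True, "automatic_updates": True,
    "processes": ["explorer.exe", "outlook.exe"],
    "browser": {"internet_zone_active_scripting": False},
}
VISITOR_LAPTOP = {
    "hotfixes": ["hotfix-001"], "antivirus": {"running": False},
    "firewall_enabled": False, "automatic_updates": False,
    "processes": ["explorer.exe", "P2PShare.exe"],
    "browser": {"internet_zone_active_scripting": True},
}
```

Calling evaluate(VISITOR_LAPTOP, DEFAULT_POLICY) yields a quarantine decision whose failures carry one remediation line per failed test; evaluate(CORPORATE_LAPTOP, DEFAULT_POLICY) grants full access, and re-evaluating a copy of that inventory with the antivirus stopped moves it to quarantine. The engine only decides; mapping the decision to an enforcement action (a quarantine VLAN or ACL at the switch, VPN concentrator or DHCP server) belongs to the enforcement point, and what the tests can see depends entirely on what the agent or agentless scan is able to report.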
Endpoint compliance means more than checking for the latest patches and antivirus files. Endpoint compliance requirements should include a wide range of security settings on the device. Examples of security requirements that should be considered for each endpoint include:

• OS updates, hotfixes and critical updates
• Windows automatic update settings
• Antivirus software installation and up-to-date virus definitions
• Personal firewall and up-to-date firewall rules
• Installed software, programs or services
• Registry entries
• Prohibited software, including peer-to-peer and spyware applications
• Application security settings, including macros
• Browser application, version and security settings
• Storage of local credentials, such as user IDs, passwords and .NET credentials

An example of an endpoint compliance scenario arose when the Download.Ject Microsoft Internet Explorer exploit was discovered. Many organizations are shifting to different browser technology or may require that JavaScript be disabled. An endpoint compliance solution would test for these requirements and then grant or deny network access on a device-by-device basis based on the test results. Additionally, many peer-to-peer applications now encrypt their communications, which may pierce the firewall and send data outside the organization. An endpoint compliance solution can determine whether endpoints have P2P applications installed or running and prevent these devices from accessing the network.

Rolling Out Endpoint Compliance

There are three primary considerations when assessing endpoint compliance options:

1. Is the organization seeking protection for corporate assets only, or does it also need protection from endpoints not under the control of the organization (i.e., foreign endpoints)?
2. Is the organization willing to take on the burden of installing or downloading agents on each endpoint, or does it require an agentless solution?
3. Does the organization want to enforce endpoint requirements only for software patches and antivirus software, or does it want to enforce a more comprehensive security policy? Many organizations need the flexibility to create security requirements beyond those that come out of the box with most solutions.

Although a number of options are available for securing internal endpoints, only a few focus on the foreign endpoint security problem. Almost all of these require the installation of an agent (similar to a personal firewall or VPN client) or are limited to Secure Sockets Layer (SSL) web-page-based applications. It is not realistic, though, to assume the organization will have the resources or the level of control needed to install a client on every foreign device. Also, most organizations would prefer not to take on the administrative burden of supporting an agent, regardless of whether the device is corporate owned or foreign.

A more recent development is agentless (also called clientless) endpoint security solutions that are network-based and do not require the download or installation of software on the endpoint device. Agentless solutions offer significant advantages over the agent-centric approach. Since no software runs on the endpoint, agentless options do not suffer the deployment problems or the increased administration that arise when software has to be installed and supported on each device. Software compatibility issues, upgrade deployment and support issues, and increased help desk calls are all avoided. The trade-off is visibility: an agentless check can assess only what it can observe or query from the network, so the depth of its tests depends on what the endpoint exposes to it. Even so, the agentless approach offers a compelling answer to the problem of foreign endpoints.

To truly ensure that endpoints are secure, a solution should meet the following three requirements:

1. Deliver a full suite of testing capabilities. Most endpoint security solutions check endpoints for the latest software patches and the presence of up-to-date antivirus signatures, but, as discussed in the previous section, much more is required to truly ensure endpoints are secure.
2. Verify that harmful software does not reside on the device. Endpoint security solutions should proactively check endpoint devices to determine whether any worms, Trojans or spyware have compromised them. Ultimately, this is what endpoint security is about.
3. Provide the ability to create custom tests. More advanced solutions have the capability to add user-created sets of endpoint tests, allowing one to check for requirements that may be unique to the organization.

Conclusion

Network attacks have become much more widespread and damaging. Basic security measures that once sufficed, such as firewalls, VPNs and antivirus, are proving incapable of blocking today’s advanced threats. Furthermore, intrusions that once originated from outside the network perimeter are increasingly launched from within. The dirty little secret in network security is that the endpoints are not secure, and hackers know it. Taking a network perspective on endpoint security is a fundamental requirement for any organization to effectively defend itself. Organizations cannot rely on the end user to keep the network safe, but they can require users to comply with the organization’s security policy before granting network access. While it is an unfortunate state of the security market, all endpoint devices must be treated as suspect to outsmart the hackers.

Mitchell Ashley is chief technology officer (CTO) at StillSecure, where he is responsible for the product strategy and development of the StillSecure suite of network security products. Ashley has more than 20 years of industry experience, holding leading positions in data networking, network security, and software product and services development.
Ashley can be reached at mashley@stillsecure.com.

JournalOnline articles, the online-only counterpart of the Information Systems Control Journal, are published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive online access to the JournalOnline as well as an annual subscription to the Information Systems Control Journal. Opinions expressed in the JournalOnline and Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors’ content.

© Copyright 2005 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.