Remember the short-lived game show The Weakest Link? The weakest player was eliminated, much like we see in the real world.
But when you are thinking about security, you really do have to continually find and eliminate the weakest link, because that is the first thing the attackers will go after. If there is one thing that we know about hackers, it's that they don't give up easily. There is too much money at stake, so they are continually searching for the next weak link in the chain. And this time they've found a doozy.
The endpoint is a juicy target for a few reasons:
- Insecure operating system. Since a majority of the world runs Microsoft Windows, finding client-side vulnerabilities has been like shooting fish in a barrel for the bad guys. Many SMBs don't patch promptly, so exploits for bugs that were fixed months ago keep working against them.
- Human behavior. End users love to click on stuff. They open messages from people they don't know, divulge private information to strangers, download random software and click on ads and links without regard to what lurks behind them. Most users I've come across can't help it. Once the damage is done, they know they shouldn't have clicked. But it seemed like a good idea at the time.
- Increasing mobility. In today's mobile world, most people have laptops, and they keep private information on them. Not only is there a thriving market for "hot" laptops, but if a bad guy is specifically trying to compromise your company, one of the easiest places to start is by pilfering a laptop.
So how can a small or medium-size company defend against these increasingly common attacks? Here is a five-point plan to begin addressing the issue:
- Education. Users need to constantly be reminded about what they can and can't do with their machines. This is especially important for employees with laptops, given that they are likely connecting into the network from remote locations, which are not as controlled as your own internal network.
- Desktop security suite. Amazingly enough, there are quite a few SMBs that have not deployed antivirus, antispyware and personal firewalls on their devices. If you don't have all of your Windows machines protected, walk away from your machine right now and don't come back until it's done. This will eliminate most of the attacks that we already know about. Macs should also have protection, by the way.
- Password-enable your screensaver. Many machines are compromised because employees walk away and don't lock their computers. These are easy pickings for anyone who has physical access to the machine. After five minutes of inactivity at most, the machine should lock and require a password to unlock.
- Encrypt data on your laptops. The best way to find yourself on the cover of The Wall Street Journal is to lose data on a large number of customers. And privacy breaches are not restricted to large enterprises. Apple Computer Inc. already offers the ability to encrypt data in Mac OS X (FileVault). There are many third-party tools (from PGP Corp. and SafeBoot NV, for example) to encrypt data on Windows.
- Implement default-deny. Even if a machine is compromised, if it can't send data back to the bad guys, then it's not much use to them. If you block all inbound and outbound ports that are not specifically required by your applications on your routers and firewalls, you cut off the bad guys' ability to use the machines. It won't stop malware that tunnels over a port you do allow, such as web traffic, but it removes the easy channels and makes the rest easier to spot.
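As an added example (not part of the original column), here is what points three and five look like when enforced on a single modern Windows endpoint with PowerShell. The NetSecurity cmdlets used here postdate the column (Windows 8/Server 2012 and later), the column talks about routers and firewalls whereas this applies default-deny on the host firewall, and the program paths and resolver address in the allow-list are placeholders you would replace with what your business actually runs.

```powershell
# Added example, not from the column: lock the screen after five minutes and
# apply default-deny on the host firewall. Run from an elevated prompt and try
# it on one machine first; a default-deny outbound policy blocks everything you
# forgot to allow, including Windows Update and your AV's signature downloads.
#Requires -RunAsAdministrator

# --- Point 3: password-protected lock after at most five minutes idle ---
$timeoutSeconds = 300

# Per-user screensaver settings (REG_SZ values under Control Panel\Desktop).
$desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name ScreenSaveActive    -Value '1'
Set-ItemProperty -Path $desktop -Name ScreenSaverIsSecure -Value '1'   # require a password on resume
Set-ItemProperty -Path $desktop -Name ScreenSaveTimeOut   -Value "$timeoutSeconds"

# Machine-wide backstop the user cannot override: the "Interactive logon:
# Machine inactivity limit" policy (DWORD, seconds).
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $policy -Name InactivityTimeoutSecs -PropertyType DWord `
    -Value $timeoutSeconds -Force | Out-Null

# --- Point 5: default-deny on the host firewall, then allow only what is needed ---
# Block inbound AND outbound by default on every profile. Outbound-block is the
# part most SMBs skip; it is what stops a compromised box from calling home.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Hypothetical allow-list (assumption for the example): one browser and DNS to
# one corporate resolver. Each entry becomes an outbound allow rule.
$allowed = @(
    @{ Name     = 'Web browser (HTTP/HTTPS)'
       Program  = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # placeholder path
       Protocol = 'TCP'
       Port     = @('80', '443') },
    @{ Name          = 'DNS to corporate resolver'
       Program       = 'Any'
       Protocol      = 'UDP'
       Port          = @('53')
       RemoteAddress = '10.0.0.53' }                               # placeholder resolver
)

foreach ($entry in $allowed) {
    $params = @{
        DisplayName = "Allow outbound: $($entry.Name)"
        Direction   = 'Outbound'
        Action      = 'Allow'
        Program     = $entry.Program
        Protocol    = $entry.Protocol
        RemotePort  = $entry.Port
    }
    if ($entry.RemoteAddress) { $params.RemoteAddress = $entry.RemoteAddress }
    New-NetFirewallRule @params | Out-Null
}

# Verify: every profile should now report Block/Block, and only the rules
# above should be enabled for outbound traffic.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow | Select-Object DisplayName
```

The screensaver values take effect at the user's next logon; the firewall change is immediate, so expect help-desk calls for every application you did not list. On a domain the same settings belong in Group Policy rather than in a script run per machine, but the registry values and the Block/Block defaults are the same thing the policy editor writes.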
None of these techniques are overly hard or new. But you need to do them and be consistent about it. There are lots of more advanced techniques that can also make a difference (like network admission/access control, Secure Sockets Layer virtual private networks, strong authentication, etc.), but first things first. There will always be the next weakest link. Make sure your endpoints aren't it.
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Reach him via email at mike.rothman (at) securityincite (dot) com.