A lot of talk about IT security revolves around “hackers” gaining illicit access to a corporate network. Somehow, malicious code finds its way onto a server buried in a back room, causing havoc or stealing invaluable data when activated. But less attention is given to the main conduits through which this access is first obtained. The code needs to have come from somewhere to get into the corporate network, and that usually means an endpoint.
Endpoints are all the devices that interface between the network and the outside world, either for inputting or outputting data. At first glance this looks like it would mean desktop PCs, notebooks and now increasingly smartphones. A lot of definitions even narrow the focus down to devices in these categories that are used remotely.
However, just because you’re sitting inside a company office’s walls doesn’t mean your endpoints are safe from attack. Mobile devices might have been compromised when used remotely, and anything with access to the Internet – including the web, email, and apps – can become a vulnerability.
The focus on devices that people actively use to access network resources is also too narrow. The range of things that provide interfaces between the outside world and the network is growing all the time. The Internet of Things has particularly featured in the news, due to the rapid arrival of consumer and industrial sensors, smart home widgets, door locks, climate controllers, and security cameras – some of which were designed with questionable attention to security.
But there are other devices that wouldn’t immediately occur to you as an endpoint, and one of the most important and prevalent in companies is the network printer. This is likely to be quite a powerful device, with a capable processor, a sizeable allocation of dynamic memory, and local storage for print jobs. It will also sit inside the corporate network with relatively unfettered access. As a result, a compromised network printer could be just as much an endpoint risk as an infected PC.
The key challenge is people
For all the reasons just mentioned, endpoint security is crucial for keeping your company data safe, and that poses a host of challenges. A lot of attention is given to the technical aspect of how hardware and software contributes to the risks, with the recent Spectre and Meltdown CPU bugs just the latest concerns to gain widespread media attention.
However, as significant as technical loopholes are, the weakest link in any endpoint security provision is the behaviour of the people themselves who use those endpoints. You can have the most patched, up-to-date endpoints, but if someone has chosen a weak password, or written it down somewhere accessible, the endpoints they use will be vulnerable. A dodgy website or phishing email could lure them into running code that installs malware locally, and then they will be compromised.
Servers will generally have a limited range of functions and rarely be used as an endpoint, except during maintenance or new software installation. Client devices, on the other hand, are intended to be as flexible as possible, capable of running a wide variety of software, including some applications that may not have been available when the endpoint itself was manufactured. This is why your company’s network security is only as good as its endpoint security.
Why a firewall is not enough
You may answer all this by saying “but my company has an industrial strength firewall, that should take care of it”. However, it’s worth considering exactly what a firewall is and how it provides its protection. As the name suggests, a firewall acts as a secure layer between the network and the outside world. Like a fireproof barrier between rooms or sections of a vehicle, it’s designed to prevent direct damage being caused by access through the main conduit between your internal company network and the outside world.
The problem is that if endpoints are compromised on the other side of the firewall, inside the company’s LAN, then the firewall may provide no protection at all. This is a bit like the way the German tank battalions simply drove around the Maginot Line to invade France via an alternative route during World War II. With a network firewall, you also need to know what an attack looks like, so new forms of attack that disguise themselves as “normal” traffic won’t be detected.
The best firewalls have some ability to tell the difference between everyday network usage and suspicious activity. But the firewall creator will have had to make a judgement about where the line between “suspicious” and “nothing to worry about” sits. Stateful firewalls analyse network packets and compare them to the known characteristics of various traffic types and connection states. Only traffic that matches known types is allowed through.
However, it’s entirely possible for an attack to mimic a legitimate traffic format, so the firewall can’t tell the difference. This is why much more security provision is required on top of the firewall, to tackle the traffic at its source or destination inside the local network – the endpoint. The endpoint will need to be further protected by additional access controls and multifactor authentication to compensate for weak passwords. Data loss prevention software can detect abnormal activity at the endpoint level and stop the removal or corruption of important information.
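To make the two paragraphs above concrete, here is an added example (not code from the original article): a toy stateful firewall that judges traffic purely by connection state and destination port, beside a host-side monitor that sees what the firewall cannot, namely which process sent each packet and how much it has sent. All addresses, ports, process names and the byte threshold are constructed for illustration.

```python
"""Toy model of perimeter (stateful firewall) versus endpoint-level checks.

Added example, not code from the original article. Every address, port,
process name and threshold below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

LAN_PREFIX = "10.0.0."          # constructed: the internal network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # simplified TCP flags: "SYN", "SYN-ACK" or "ACK"
    payload_len: int = 0  # application bytes carried by this packet
    process: str = ""     # sending process: visible only on the endpoint itself


class StatefulFirewall:
    """Allows new outbound connections to permitted ports and any packet that
    belongs to a connection it is already tracking. It never looks inside the
    payload and has no idea which program on the host produced the traffic."""

    def __init__(self, allowed_ports=(80, 443)):
        self.allowed_ports = set(allowed_ports)
        self.connections = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def filter(self, pkt: Packet) -> str:
        if pkt.src.startswith(LAN_PREFIX):                  # outbound packet
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.connections:
                return "ALLOW"
            if pkt.flags == "SYN" and pkt.dport in self.allowed_ports:
                self.connections.add(key)                   # start tracking this flow
                return "ALLOW"
            return "DROP"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)      # inbound: reply to a tracked flow?
        return "ALLOW" if key in self.connections else "DROP"


class EndpointMonitor:
    """Runs on the host, DLP-style. It knows the process behind each packet and
    the volume that process has sent to each destination."""

    def __init__(self, expected_processes=("browser.exe",), byte_limit=1_000_000):
        self.expected = set(expected_processes)     # constructed allow-list
        self.byte_limit = byte_limit                # constructed per-destination limit
        self.sent = defaultdict(int)                # (process, dst) -> bytes sent so far

    def observe(self, pkt: Packet) -> list:
        if not pkt.src.startswith(LAN_PREFIX):
            return []                               # only outbound traffic is of interest here
        alerts = []
        if pkt.process not in self.expected:
            alerts.append(f"unexpected process {pkt.process} -> {pkt.dst}:{pkt.dport}")
        self.sent[(pkt.process, pkt.dst)] += pkt.payload_len
        if self.sent[(pkt.process, pkt.dst)] > self.byte_limit:
            alerts.append(f"outbound volume from {pkt.process} to {pkt.dst} "
                          f"exceeds {self.byte_limit} bytes")
        return alerts


def run_trace(trace):
    """Return [(firewall verdict, endpoint alerts)] for each packet, in order."""
    fw, ep = StatefulFirewall(), EndpointMonitor()
    return [(fw.filter(p), ep.observe(p)) for p in trace]


# Constructed packet trace (external addresses taken from RFC 5737 documentation ranges).
SAMPLE_TRACE = [
    # 1. unsolicited inbound connection attempt: the firewall does its job
    Packet("203.0.113.5", "10.0.0.12", 40000, 445, "SYN"),
    # 2-3. a browser opening an HTTPS session, and the server's reply
    Packet("10.0.0.12", "198.51.100.7", 51000, 443, "SYN", 0, "browser.exe"),
    Packet("198.51.100.7", "10.0.0.12", 443, 51000, "SYN-ACK"),
    # 4-6. an unexpected program on a LAN host sends data out over port 443,
    #      shaped exactly like HTTPS: the firewall passes it, the endpoint notices
    Packet("10.0.0.12", "192.0.2.9", 51001, 443, "SYN", 0, "updater.exe"),
    Packet("10.0.0.12", "192.0.2.9", 51001, 443, "ACK", 700_000, "updater.exe"),
    Packet("10.0.0.12", "192.0.2.9", 51001, 443, "ACK", 600_000, "updater.exe"),
]

if __name__ == "__main__":
    for pkt, (verdict, alerts) in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{verdict:5} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {alerts or ''}")
```

Packets 4 to 6 are the point: every one of them is allowed by the firewall, because from the perimeter they are indistinguishable from the browser session in packets 2 and 3. Only the endpoint, which can see the originating process and the cumulative outbound volume, has the context to raise an alert.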
In summary, the endpoint is the true front line of security, and it’s a battleground that is continually expanding. New endpoint types are emerging, providing new possibilities for nefarious access to the interior of the corporate network. But with the right endpoint security provisions, the threats can be neutralised.