Businesses have long had to secure remote assets tied to off-site resources such as a largely mobile sales force, but the number of remote endpoints has grown exponentially. Given recent global events, the number of laptops and mobile devices needed to let a large percentage of the workforce work from home full-time has exploded. Companies across all sectors are challenged with establishing and maintaining an appropriate security posture holistically across their entire Information Technology environment.
While one primary driver of this increase in the remote workforce may be the current pandemic, at least one recent study suggests that 67% of the organizations that responded expect the work from home (WFH) policies implemented in response to the pandemic to remain in place either long-term or perhaps permanently. As such, it is imperative that organizations not only address these issues in the short term, but also incorporate practices that provide an acceptable remote endpoint security posture into their strategic governance plans going forward, with the expectation that this is the new normal.
Endpoint security is often divided into three distinct phases, each with its own goals and actions. The phases are:
An effective endpoint security program will address all three phases. This blog post focuses on the first phase, Prevention, and how to address it using AT&T’s Managed Vulnerability Program and the solutions we offer. Please note that this is in no way meant to classify the Prevention phase as more important than the other two endpoint protection phases. Future blog posts will expand on this to address the other two phases of endpoint security, and together they will address this issue in its entirety.
Prevention is a pre-attack phase that focuses on thwarting the exploitation of security weaknesses. Activities include establishing and maintaining accurate and up-to-date hardware and software inventories, as well as ensuring that the inventoried assets have hardened configurations and all relevant patches applied. The high-level activities making up this phase are illustrated below:
In essence, these activities are often the foundation of all Vulnerability and Patch Management Programs.
By executing periodic discovery scans with the scan engines supplied with vulnerability management solutions, organizations can maintain accurate and up-to-date asset inventories. Solutions that can also deploy passive scan engines are especially helpful here, because passive engines constantly monitor network traffic and alert in near real time when they identify an unknown asset on the network. Note that while passive scan engines are helpful, they are not a requirement for maintaining an effective asset inventory: running discovery scans on an aggressive cadence achieves a similar result with active scan engines alone. Keep in mind that by comparing successive discovery scans, or by using the alerts generated by passive scan engines, businesses can also use this activity to identify any rogue devices that may be present within an environment.
This is not only a best practice that all organizations should implement; asset inventories and rogue device detection are also requirements within many common security frameworks and compliance mandates (e.g. PCI DSS 2.4 and CIS Control 1 for inventories, and PCI DSS 11.1 and CIS Control 15 for rogue wireless device detection).
While asset inventories can be derived either from discovery scans by active scan engines or by deploying passive scan engines that constantly monitor network traffic, maintaining an accurate software inventory requires the equivalent of an authenticated scan to compile a complete list of installed software. This type of scan can be performed either by an active scan engine or by a host agent. While either method works, AT&T Cybersecurity recommends the use of agents where possible so that the inventory is updated periodically throughout any given day.
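The comparison of successive discovery scans described above, as an added example that is not code from the original post or from any AT&T product. The hosts, MAC addresses and approved inventory are constructed sample data; real scan engines export richer records, but the classification logic is the same.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    hostname: str = ""


# Approved asset inventory keyed by MAC address (constructed sample data).
APPROVED = {
    "00:11:22:33:44:01": Host("10.0.1.10", "00:11:22:33:44:01", "fs01"),
    "00:11:22:33:44:02": Host("10.0.1.11", "00:11:22:33:44:02", "db01"),
    "00:11:22:33:44:03": Host("10.0.1.12", "00:11:22:33:44:03", "web01"),
}

# Two consecutive discovery scans as a scan engine would report them (constructed).
PREVIOUS_SCAN = [
    Host("10.0.1.10", "00:11:22:33:44:01"),
    Host("10.0.1.11", "00:11:22:33:44:02"),
    Host("10.0.1.12", "00:11:22:33:44:03"),
]
CURRENT_SCAN = [
    Host("10.0.1.10", "00:11:22:33:44:01"),
    Host("10.0.1.21", "00:11:22:33:44:02"),  # db01 answering from a new address
    Host("10.0.1.50", "00:11:22:33:44:99"),  # never inventoried: rogue candidate
]


def compare_discovery(previous, current, approved):
    """Classify what changed between two discovery scans.

    rogue:    responding hosts whose MAC is not in the approved inventory
    missing:  approved assets that did not respond (offline or decommissioned)
    appeared: hosts answering now but not in the previous scan (triage trigger)
    moved:    approved assets answering from an IP other than the inventoried one
    """
    prev_by_mac = {h.mac: h for h in previous}
    cur_by_mac = {h.mac: h for h in current}
    return {
        "rogue": sorted(m for m in cur_by_mac if m not in approved),
        "missing": sorted(m for m in approved if m not in cur_by_mac),
        "appeared": sorted(m for m in cur_by_mac if m not in prev_by_mac),
        "moved": sorted(m for m, h in cur_by_mac.items()
                        if m in approved and approved[m].ip != h.ip),
    }


if __name__ == "__main__":
    for category, macs in compare_discovery(PREVIOUS_SCAN, CURRENT_SCAN, APPROVED).items():
        print(f"{category:8s} {macs}")
```

A "missing" asset is an inventory follow-up, not an alert; the "rogue" and "appeared" lists are what feed the rogue device review.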
Vulnerability scanning / Patch detection
The ability to detect vulnerabilities associated with outstanding patches and insecure configurations that require remediation is crucial to securing endpoints, regardless of where those systems are deployed. Scheduling regular vulnerability scans is key to maintaining a current list of outstanding patches and configuration changes that need to be deployed. One question our clients often ask is “How often should scanning occur?” AT&T Cybersecurity’s standard recommendation is that business-critical and externally facing assets be scanned at least daily, and all other assets at least weekly.
Why do we recommend scanning so often? Keep in mind that as of August 14, 2020, 10,363 security vulnerabilities with CVEs had been published in 2020 alone; in comparison, 2019 saw a total of 16,033 published vulnerabilities with CVEs. Given that new vulnerabilities are identified nearly every day, a daily scan cadence for business-critical and Internet-exposed assets is, in our opinion, not overly aggressive, especially since properly tuned scans are neither intrusive nor impactful.
While unauthenticated scans can identify outstanding patches on services exposed to the scan engine, the preferred method is to execute authenticated scans, which can identify all needed patches regardless of whether the software actively listens on network ports. Beyond identifying missing patches for software that has no networking component, authenticated scans greatly improve scan accuracy and reduce the number of issues classified as potential, since the solution does not have to rely on service fingerprinting.
Configuration scanning is an equally important component of any Vulnerability and Threat Management Program. While many companies focus on staying current with the patches their various platforms require, insecure configurations can be just as risky. Most vulnerability scanning solutions will identify common insecure configurations, but by complementing vulnerability scans with regularly scheduled configuration scans that baseline an asset against specific security controls, organizations can greatly reduce an asset’s potential risk.
Incorporating compliance scans that baseline assets against common security frameworks such as NIST or CIS (and potentially some internally defined security controls) helps ensure that businesses maintain their desired risk profile over time.
The final element of the Prevention phase is remediation of all issues identified by both the vulnerability and configuration scans. Remediation is most often a combination of deploying outstanding patches, making configuration changes, and possibly implementing compensating controls. Of these, the preferred options are applying patches and/or implementing configuration changes that address the vulnerabilities identified in the scans. That said, there are circumstances in which that may not be possible; in those instances, compensating controls may be an option to reduce the risk associated with the vulnerabilities identified during the vulnerability and configuration scanning activities.
An important thing to remember is that remediation is not complete until a validation effort confirms that it was effective. Most often, remediation validation can be achieved by rescanning the asset; the subsequent scan should show that the remediation addressed the associated issue. Remediation validation can also be achieved using manual testing methods, but an automated scan will not only provide the validation, it will also provide a memorialized audit trail documenting its effectiveness.
While this blog entry is ostensibly directed towards the protection of remote endpoints, these recommendations apply to all endpoint deployments, whether on-premises, in the cloud, or remote. Regardless of an organization’s cybersecurity maturity, the activities defined above can be employed to help monitor the security and compliance posture within any environment and to help maintain an acceptable risk profile.
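The rescan-based remediation validation and audit trail described above, as an added example that is not code from the original post or from any AT&T product. The findings, asset names and check names are constructed placeholders (not real scanner plugin IDs or CVEs); `validate_remediation` and `audit_record` are hypothetical helpers.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Finding:
    asset: str
    check: str      # scanner check name; constructed placeholders, not real plugin IDs
    severity: str


# Findings from the scan that opened the remediation ticket (constructed sample data).
BEFORE = {
    Finding("laptop-042", "missing-os-patch-A", "high"),
    Finding("laptop-042", "smbv1-enabled", "medium"),
    Finding("laptop-077", "missing-os-patch-A", "high"),
    Finding("web01", "tls-weak-cipher", "medium"),
}
# Rescan after the patch deployment and configuration change (constructed sample data).
AFTER = {
    Finding("laptop-042", "smbv1-enabled", "medium"),          # config change did not take
    Finding("web01", "tls-weak-cipher", "medium"),              # outside this ticket's scope
    Finding("laptop-077", "missing-browser-patch-B", "high"),  # new since the first scan
}
# What the ticket claimed to fix: the laptop findings only.
TICKET_SCOPE = {f for f in BEFORE if f.asset.startswith("laptop-")}


def validate_remediation(before, after, scope):
    """Compare the pre- and post-remediation scans for one ticket's findings.

    validated: in scope, present before, gone after  -> remediation confirmed
    failed:    in scope but still reported after     -> remediation not effective
    new:       reported after but not before         -> needs its own ticket
    """
    return {
        "validated": {f for f in scope if f in before and f not in after},
        "failed": {f for f in scope if f in after},
        "new": {f for f in after if f not in before},
    }


def audit_record(ticket_id, result, scanned_at_iso):
    """Memorialize the validation outcome so the audit trail shows what the rescan proved."""
    key = lambda f: f"{f.asset}:{f.check}"
    return {
        "ticket": ticket_id,
        "validated_at": scanned_at_iso,
        "status": "closed" if not result["failed"] else "validation_failed",
        "validated": sorted(map(key, result["validated"])),
        "failed": sorted(map(key, result["failed"])),
        "new": sorted(map(key, result["new"])),
    }


if __name__ == "__main__":
    outcome = validate_remediation(BEFORE, AFTER, TICKET_SCOPE)
    print(audit_record("TICKET-PLACEHOLDER", outcome, datetime.now(timezone.utc).isoformat()))
```

A ticket only closes when its "failed" set is empty; anything in "new" is a fresh finding from the rescan and is tracked separately rather than folded into the closed ticket.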