Endpoint security has traditionally been all about securing networked corporate PCs, and the occasional remote dial-in user: a demanding but well-understood and manageable task. The rise of mobile working, however, has moved these goalposts a very long way.
Mobile access is now a reality for most organisations, but the indisputable advantages that this practice brings in terms of increasing flexibility and efficiency are accompanied by a far less welcome increase in complexity for security professionals trying to stop malware coming in through a host of mobile access devices, including laptops, PDAs and smartphones.
"Companies need to offer employees home and remote access in order to compete in the business world and get the most out of them," says James Edwards, senior technical engineer for ZyXEL. He adds that if employees don't feel 100 per cent, the option to work from home will help maintain productivity.
In addition, business continuity is now a growing concern for businesses. "If companies feel threatened by terrorist attack, say, or a flu epidemic, then they can now offer home workers secure reliable access," adds Edwards.
For already stretched IT security pros, the threat from mobile endpoints is multi-faceted and dynamic: it is not just viruses that are a cause for concern.
Spyware, as we saw over the past year, has become a major problem. Security firm ISS estimates that the removal of malware costs around £30 per infected corporate machine. The most recent "State of Spyware" survey carried out by Webroot confirmed that, in the UK, the average computer scanned for spyware contained 21 separate infections.
These grim statistics were echoed by ICSA Labs, which estimates that the average financial loss to organisations as a result of a virus disaster was more than £75,000 in 2004, a 31.3 per cent increase on the previous year.
Clearly securing endpoint devices – whether PCs inside the network or any one of the plethora of remotely connected smartphones, PDAs or laptops – is very important, as the cost of clearing up after a breach can be frighteningly expensive, both in terms of financial loss and the negative impact on a firm's reputation.
But despite these risks, mobile working is here to stay. As more and more workers connect to the corporate network from outside, security pros need to ensure that they are given secure access to the mission-critical backend systems they need. Add to this mix the fact that access is increasingly required by contractors and other companies, and it becomes clear that controls are crucial to stop these remote users from becoming unwitting accomplices in a hacker attempt or virus infection.
Effective endpoint security can block these backdoors into corporate networks by providing the same levels of security regardless of whether the user is at home or in the office. It is clear that many laptops, especially those of "road warrior" salespeople, spend a lot of time away from the safe confines of the corporate network. They connect to insecure networks and could be compromised, opening a pathway into the internal network to a hacker.
But desktop computers should also have protection. These machines, despite being within the corporate infrastructure, are not isolated or as secure as traditionally assumed.
"Desktop PCs no longer only connect inward to the LAN, but also outward to the internet," says Shirley O'Sullivan, EMEA leader for wireless LAN and security at Nortel. "The internet is a possible path for subverting your directly connected PCs, using them to smuggle a trojan into your system or to access confidential data."
Anton Grashion, security strategist at Juniper Networks, argues that endpoint security should go beyond just checking that the endpoint device is up to date with patches.
"It has to blend the user's identity (and, by extension, their role and what they are allowed to do) with a policy that can enforce the appropriate access commensurate with the risk for a given set of resources," he says.
Knowing who is doing what on your network is an increasing concern for businesses. Research carried out by analyst firm Quocirca found that 77 per cent of organisations saw human incompetence and disgruntled employees as the biggest threat to their infrastructure, compared with 56 per cent who named increasingly complex viruses and other malware.
"The concept of end-point security is founded upon the principle that most threats focus on technology weaknesses in the end user's equipment and that this problem is compounded by the difficulty in enforcing security policies on equipment which is often out of the office (laptops, PDAs and so on)," says Mike Small, director of eTrust Strategy at CA.
"While these are real issues, they are only part of the full picture, and it is important to avoid tunnel vision."
He adds that the focus of endpoint security has traditionally been on technology threats, but the human risk, especially from insiders, can be more important, since an insider has access to the buildings as well as knowledge of the systems and hence their weaknesses.
Given these concerns, it is advisable to deploy an endpoint security system in tandem with proper authentication controls. Faizel Lakhani, vice-president of marketing at ConSentry Networks, says that the authentication component is being driven by the fact that the LAN has become like electricity: everyone needs it and attempts to use it. But unlike the utilities, where the flow is one-way, people are using the LAN to gain access to information that they should not.
"Authentication becomes critical to ensure access is only provided to those that need it," he says. "Contractors only have access to the systems they need and the CEO has access to the applications and resources they need. This can only be done as part of first authentication. The need to do this is coming from regulations, fear about negative publicity from released information, or competitive impacts of leaked information."
Grashion adds that, when assessing any endpoint security solution, it is important to test systems before committing to buy them. "Any such decision needs to be based on the true performance and capabilities of any enforcement and remediation technology, and not a comparison of datasheet claims," he says.
Lakhani says there are three important criteria for assessing the suitability of an endpoint security system. First, security professionals need to ask whether the solution is agnostic to the endpoint software, or whether it requires specific software to be installed on the endpoint. Second, does it leverage the existing deployed identity infrastructure and switching products, or do these have to be replaced? And finally, can the solution scale beyond admission control to access control across the network?
The notion that the enterprise infrastructure can be protected by a secure perimeter is no longer valid, according to Small. "The increasingly interconnected nature of organisations' IT systems makes the boundary impractical to define. This means the onus is upon each component within the IT infrastructure to be able to defend itself," he says.
It is clear that endpoint security is of little value in isolation and can only work effectively as part of an increasingly complex corporate security puzzle. If the endpoint is strongly secured and able to defend itself, it should make identifying and eliminating threats to core infrastructures easier. This will increase IT security professionals' insight and control of security threats and free up time to focus on other important matters.