It amazes me that simple end user policies and simple software updates to end user
computers are still commonplace concerns for security vulnerabilities. Easy enough and
inexpensive enough to manage if someone is worrying about your technology. If no one is
worrying about your technology, give me a call.
I would have never thought how easy it would be for a simple USB key to cause such a
security risk (see below). I came upon this article from CIO Magazine and thought it was
worth sharing.
By Rick Cook
June 19, 2007 — CIO
A recent buzzword in security is endpoint: any device that can
connect to the corporate network, ranging from a desktop workstation to a
laptop, PDA or even cell phone. As the number of endpoints increases, firewalls
and antivirus software are no longer adequate protection.
New tactics by criminals and new kinds of malware are probing networks for
vulnerabilities. And increasingly, they are finding them.
Fundamentally, experts say, endpoints are receiving more attention because of
a sea change in the way computer networks are attacked.
In any attack, the first step is to get inside the organization’s security
perimeter. Traditionally, that has been done through an external threat, such as
an infected e-mail message. Although there are still plenty of virus-laden
e-mails, they are becoming less effective as attack vectors.
“Generally, security companies have done an excellent job on external
threats,” says Bill Piwonka, vice president of product management at Centennial
Software, a maker of security software and sponsor of the blog WatchYourEnd.com.
One result is that e-mail viruses are becoming less effective. “From January
2006 to January 2007, the rate of infected e-mails fell from about one in 40 to
one in 330,” says Ron O’Brien, a senior security analyst at security software
maker Sophos. “As a vector for infection, e-mail has declined.”
“In the past,” Piwonka says, “the greatest threats were from outside, through
the Internet or e-mail. Now you’ve got hackers and malicious intent of people
trying to gain access to organizations in other ways. They are looking at ‘where
are the other points of vulnerability for our systems and data?’”
Says O’Brien, “The average user has become educated enough not to click on an
attachment in unsolicited e-mail. So malware writers have shifted means of
distributing viruses, Trojans and worms.” Much of that activity has focused on
steering people to infected websites, but a growing percentage involves other
kinds of threats, such as phishing. According to Kaspersky Labs’ Viruslist.com, as of January 2007, phishing attacks were more
common than viruses in e-mail messages.
However, an increasing number of attacks are attempting to bypass the
firewall and antivirus programs by coming at the corporation from unsecured
angles. While external threats are as virulent as ever and need to be guarded
against with firewalls and other defenses, it is more important to pay attention
to internal weaknesses.
“The fact there are now so many pluggable devices absolutely creates new
areas of exposure,” says Piwonka.
Of course, internal and external threats can work synergistically. For
example, peer-to-peer networks are an internal problem, because they are
deliberately installed on corporate systems, but they are a threat because they
can be exploited externally to breach security.
Vulnerabilities Everywhere
And there are a lot of vulnerabilities.
“In 2006 we did a survey of 30 customers of different sizes, from a few
hundred workstations to tens of thousands of workstations all around the world,”
says Amir Kolter, CEO of security software vendor Promisec. “That was almost
200,000 endpoints.”
According to Kolter, the results were depressing. “All of [the customers] had
internal threats,” he says. “The total number of threats was higher than we ever
expected.” In addition, the percentage of companies with a given vulnerability was
often much higher than the percentage of endpoints showing that vulnerability.
Thus, says Kolter, while only 4 percent of the total endpoints surveyed had
peer-to-peer software installed, 22 percent of the companies surveyed had one or
more endpoints with this vulnerability.
While the percentages of computers with problems may seem low, keep in mind
that it takes only one vulnerable computer in an organization to compromise the
entire network.
Some of what Promisec found were the old vulnerability standbys: versions of
Windows without the latest patches, antivirus software that needed signature
files updated, and so on. However, some of the endpoint threats Promisec found
were less traditional, and less obvious.
Promisec found 10 major areas of problems. Not all the companies had all the
problems, but all of them had at least one. In some cases the endpoint threat
could be completely eliminated, such as computers without the latest security
updates. In others, such as unsecured USB devices, the solution is to control
the vulnerability, typically with software-enforced policies.
1. USB Devices
The largest threat in the Promisec study
was undocumented or unsecured USB devices. About 13 percent of the surveyed
endpoints had them.
This isn’t just a theoretical concern. A 2005 Yankee Group survey found that
37 percent of the companies surveyed believed USB devices were used to
compromise corporate information.
The source of the infection doesn’t have to be an employee. A visitor,
invited or otherwise, who gets access to a company computer can easily plug in a
thumb drive. More elaborately, a computer security firm gained national
attention in 2006 by loading 20 USB drives with password-stealing malware and
scattering them in the parking lot and other likely locations outside a target
company. Fifteen of the drives were found by employees, who plugged them in to
see what was on them; in a matter of hours, the security company was getting a
stream of passwords and other critical data. (The security firm was Secure
Network Technologies. It was testing security at a client, and the incident was
reported in a number of places, including June 7, 2006 on the Dark Reading
website.)
USB device protection under Windows is pretty limited. Basically, you can
only enable or disable USB on a system. Since USB is the default peripheral
connection for Windows, this is extremely limiting. However, third-party
software such as Sophos, DeviceLock or Promisec removes this
restriction by offering policy-based management for USB devices.
2. Peer-to-Peer File Sharing
Although
unauthorized peer-to-peer (P2P) file-sharing programs are often
forbidden by company policy, 4 percent of the surveyed computers had such
applications installed. This problem is getting worse. Not only are more
peer-to-peer networks making their way onto corporate networks, but computer
criminals have started using them to compromise and take over computers
wholesale.
According to security software company Prolexic, P2P networks are now being
used to launch distributed denial-of-service attacks against corporate
websites. The company says it has seen a kind of P2P-based DDoS attack called
dc++ involving as many as 300,000 compromised computers.
Unauthorized P2P software can be a major path for information leaks, so much
so that a website called See What You Share has been set up just to show the kind
of information leaking out of the government through file sharing, including
classified documents.
Of course, P2P file sharing is also one of the primary methods of illegally
distributing copyrighted material—which can be both expensive and embarrassing
if the lawyers from the RIAA come calling.
3. Antivirus Problems
About 1.2 percent of the computers
in the Promisec survey had problems with their antivirus software, usually in
the form of out-of-date signature files.
With the major antivirus vendors releasing between 1,200 and 2,400 updates per week
(update counts are a more accurate measure than counts of new viruses, since the two
numbers don’t match), it’s important to keep protection current. This is
particularly true because one infection strategy used by malware authors is to
infect as many computers as possible in the shortest possible time before the
protectors can respond. For example, on July 19, 2001, the Code Red worm infected 359,000 computers in 14 hours.
Ironically, Code Red attacked a vulnerability in Windows that had been
patched more than two years earlier.
4. Outdated Microsoft Service Packs
Running Windows
without the latest updates is another major problem. About 1.5 percent of the
surveyed computers had failed to update the operating system to the most current
service pack.
Keeping your software current is Basic Security 101 and every company tries
to do it, most commonly by doing automatic updates.
However, it’s a big job to cover every desktop in the company, not to mention
the laptops, PDAs and cell phones that connect to the network. Stuff slips
through the cracks, and again, it takes only one endpoint with a known security
flaw to compromise the entire network.
Windows service packs are a special problem, because some software inevitably
has problems with them. In the case of Service Pack 2, Microsoft acknowledged
that 50 major applications initially wouldn’t run with it, primarily because SP2
turned on the firewall by default. It usually takes weeks or months after
Microsoft releases a service pack before all the vendors are singing off the
same page. If your users need software that stops working when a new service
pack comes out, a common solution is to “temporarily” forgo installing the
service pack until the software company catches up. That means going back
through later and checking that those systems are updated when it becomes
possible—if you remember.
5. Missing Security Agents
Many companies require agents
to be installed on all their endpoints. These agents may monitor network
traffic, make sure patches are up to date, or track and report on stolen
computers. However, requiring such agents and actually having them installed are
two different things. About 1.2 percent of the endpoints that were supposed to
have such agent software installed didn’t.
According to Kolter, the next five issues each showed up in less than 1
percent of the sample.
6. Unauthorized Remote-Control Software
Remote-control
software is invaluable for troubleshooting hardware and software. Unauthorized
remote-control software is invaluable to the bad guys as well since it offers a
royal road into the computer.
In some cases, remote-control software, such as pcAnywhere, is installed by a
user who wants to be able to access the desktop from elsewhere. In other cases,
the installation is rogue, with software either installed or modified to allow
a third party to use the system without the user’s knowledge or consent.
In spite of the obvious danger, the survey found nearly 1 percent (0.82
percent) of the computers surveyed had remote-control software installed that
wasn’t supposed to be there.
7. Media Files
Unauthorized media files are dangerous
both because of their content and what can be hidden in them. Video and music
files are an increasingly popular method of sneaking malware into an
organization, including spyware, Trojans, viruses and just about any other kind
of bad stuff you can think of.
One popular method is to include code in a media file that exploits security
flaws in the media player. For example, the infected media file can open a
malicious webpage on the user’s computer and use that to automatically infect
the system—and from there the network. Since these attacks require minimal
interaction from the user, often he or she isn’t even aware of what has
happened.
Even the recording industry has gotten in on the game. In 2004, a company
working for the record companies started seeding file-sharing sites with media
files containing a Trojan that downloaded adware and opened multiple pop-up
windows on the user’s computer.
Even if the files don’t contain hidden nasties, the files themselves can be
problems, with copyright violations and pornography the most obvious
example.
8. Unnecessary Modems
A lot of computers, especially
older ones, included built-in modems whether or not they were needed. In other
cases, servers have modems connected directly to outside lines for purposes of
monitoring and maintenance. In either case, unneeded modems provide another path
into your network, an unnecessary path that brings with it a host of potential
problems.
War dialing isn’t as popular an attack as it once was, but some bad guys
still use it, and an unprotected modem attached to your network is just as
dangerous as ever.
A lot of these extra modems aren’t covered by the company firewall, and in
fact IT may not even realize they exist. In a lot of cases, the user can simply
plug the modem into the telephone system and make a direct connection to the
Internet—with all the danger that implies. Monitoring and maintenance modems are
typically controlled by the vendor supplying the equipment, and you’re relying
on that company to make sure the security software is up to date.
While some modems may be necessary, especially for remote maintenance, it’s
important to have a complete inventory of all the modems attached to the network
and to make sure the ones that are attached are both necessary and properly
protected.
9. Unauthorized or Unsecured Synchronization Software
Laptops, PDAs and even phones use synchronization software
to keep everything updated, from calendars to contact lists. This is convenient,
especially when combined with technologies like Wi-Fi or Bluetooth. However,
allowing any device to synchronize can open a serious security hole, especially
since many of these programs work in the background and the user may not be
aware of what is being uploaded and downloaded. At the very least, this can give
access to shared folders and the Exchange server.
10. Wireless Connectivity
According to In-Stat and Meta
Group, something like 95 percent of all laptop computers now come with built-in
wireless access. In spite of the lessons of TJX’s
massive loss of customer information, and the resulting dropping stock price
and $12 million charge, some enterprises still haven’t secured all their
endpoints with wireless connectivity.
The Need for Control
Generally, the recommended strategy is to control the threats rather than
trying to totally eliminate them. While some of the threats to endpoint
security, such as unauthorized peer-to-peer file sharing, can be eliminated from
corporate networks, others (such as wireless and USB devices) are pretty much
necessary for modern business IT.
According to Kolter, the first step in securing endpoints is to establish
policies on what is allowed and what isn’t. “Set the policy according to the DNA
of the organization,” he advises.
“The ultimate decision needs to be made by the individual organization,” says
Centennial’s Piwonka. Often, this process has to involve users. “There are
businesses out there who might say there is no business reason for anybody to
use any removable storage device. The reality is, the minute you try to make
that policy, someone will point out that there is a legitimate business reason. How
does the marketing department create images? What do your executives do if they
need to share financial presentations with business partners and analysts?”
The solution is to make nuanced policies rather than flat prohibitions. You
can say that only these types of devices will be used, or only these people will
have them. You can also specify devices, different levels of encryption or
whatever else is necessary.
Once you have policies, the next thing to do is plug the obvious security
holes. Then, publicize your use policies and monitor your network to make sure
the policies are being followed. In most cases, this will require software to
enforce the policies.
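One way to monitor endpoints for several of the categories the article lists (the limited USB storage control that Windows offers under item 1, and the policy monitoring just described), as an added example that is not from the article, from Promisec or from any of the vendors named: a read-only PowerShell audit of one Windows endpoint. The USBSTOR start value, the Uninstall registry keys, Get-MpComputerStatus, Get-HotFix, Win32_POTSModem and Get-NetAdapter are standard Windows interfaces; the unwanted-software patterns, the 'EndpointAgent' service name and the age thresholds are assumptions to replace with your own policy.

```powershell
# Added example (not from the article): read-only audit of one Windows endpoint
# against several of the Promisec categories. Run in an elevated PowerShell session.
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. USB storage: Windows' own control is the USBSTOR driver start value
#    (3 = enabled, 4 = disabled). Finer, policy-based control needs third-party tools.
$usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start
if ($usb.Start -ne 4) { $Findings.Add('USB mass storage is enabled (USBSTOR Start is not 4)') }

# 2 and 6. Unauthorized P2P and remote-control software, found via the Uninstall
#    registry keys. The name patterns are an assumed blocklist; use your own.
$unwanted = 'BitTorrent|uTorrent|eMule|LimeWire|pcAnywhere|VNC'
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $unwanted }
foreach ($a in $apps) { $Findings.Add("Unauthorized software: $($a.DisplayName)") }

# 3. Antivirus currency (Microsoft Defender shown; other vendors expose similar data).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and $mp.AntivirusSignatureAge -gt 3) {
    $Findings.Add("AV signatures are $($mp.AntivirusSignatureAge) days old")
}

# 4. Patch level: date of the most recently installed update as a staleness check.
$lastFix = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if ($lastFix -lt (Get-Date).AddDays(-45)) { $Findings.Add("No update installed since $lastFix") }

# 5. Required security agent present and running (service name is an assumption).
$agent = Get-Service -Name 'EndpointAgent' -ErrorAction SilentlyContinue
if (-not $agent -or $agent.Status -ne 'Running') {
    $Findings.Add('Required security agent missing or not running')
}

# 8. Modems, including ones IT may not know exist.
Get-CimInstance Win32_POTSModem | ForEach-Object { $Findings.Add("Modem present: $($_.Name)") }

# 10. Wireless adapters, so you know which endpoints need wireless policy applied.
Get-NetAdapter | Where-Object PhysicalMediaType -eq 'Native 802.11' |
    ForEach-Object { $Findings.Add("Wireless adapter: $($_.Name) ($($_.Status))") }

if ($Findings.Count -eq 0) { 'No findings' } else { $Findings }
```

Running the script from a management tool on a schedule and collecting the findings centrally is what turns the written policy into the monitoring the article calls for.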
However, the first step, as always, is awareness of the risk. That is coming.
“We’re finding companies are realizing they have an exposure,” says Piwonka,
“and it’s becoming more of a top-of-the-mind problem.”
© 2007 CXO Media Inc.