Cybersecurity Practice #2: Endpoint Protection Systems (medium/large)

Modified on Wed, 14 Jun 2023 at 02:28 PM

Endpoints are the assets the workforce uses to interface with an organization’s digital ecosystem. Endpoints include desktops, laptops, workstations, and mobile devices. Current cyberattacks target endpoints as frequently as networks. Implementing baseline security measures on these assets provides a critical layer of threat management. As the modern workforce becomes increasingly mobile, it is essential for these assets to interface and function securely.


The endpoints of which our computing environments largely consist are no longer static devices that exist in the health care organization’s main network. Organizations commonly leverage virtual teams, mobility, and other remote access methods to complete work. In some cases, endpoints rarely make it to the corporate network. It is important to build cybersecurity hygiene practices with these characteristics in mind.8


 

Cybersecurity Practice 2: Endpoint Protection Systems

Data that may be affected: Passwords, PHI

Medium Sub-Practices
  • 2.M.A  Basic Endpoint Protection Controls

Large Sub-Practices
  • 2.L.A  Automate the Provisioning of Endpoints
  • 2.L.B  Mobile Device Management
  • 2.L.C  Host-Based Intrusion Detection/Prevention Systems
  • 2.L.D  Endpoint Detection and Response
  • 2.L.E  Application Whitelisting
  • 2.L.F  Micro-segmentation/Virtualization Strategies

Key Mitigated Risks
  • Ransomware Attacks
  • Theft or Loss of Equipment or Data
 

  



Sub-Practices for Medium-Sized Organizations

 

2.M.A Basic Endpoint Protection Controls

NIST FRAMEWORK REF: PR.IP-1, DE.CM-4, PR.DS-1, PR.IP-12, PR.AC-4

Table 2 describes basic endpoint controls with practices to implement and maintain them.

 

 

Table 2. Basic Endpoint Controls to Mitigate Risk at Endpoints

Control: Antivirus (AV)
Description: Technology capable of detecting known malware using signatures, heuristics, and other techniques
Implementation Specification:
  • Push AV packages out using endpoint management systems that interface with Windows and Apple operating systems (OS).
  • Develop metrics to monitor the status of AV engines, signature updates, and health.
  • Dispatch field services/desktop support for malware that is detected but not automatically mitigated.
  • Leverage network access control (NAC) to conduct a validation check prior to enabling network access.

Control: Full disk encryption
Description: Technology capable of encrypting an entire disk to make it unreadable to unauthorized individuals
Implementation Specification:
  • Ensure that encryption is enabled on new endpoints acquired by the organization.
  • Connect encryption management to endpoint management systems that interface with both Windows and Apple OS.
  • Develop metrics to monitor the status of encryption.
  • Dispatch field services/desktop support teams to resolve encryption errors.
  • Use anti-theft cable locks to lock down any device that cannot support encryption.
  • Leverage NAC to conduct a validation check prior to enabling network access.

Control: Hardened baseline images
Description: Configure the endpoint operating system in the most secure manner possible
Implementation Specification:
  • Limit usage of local administrator accounts. Enable only the local administrative rights required by the user, and use a separate account dedicated to this purpose.
  • Enable local firewalls and limit inbound access to the endpoint to only required ports.
  • Disable weak authentication hashes (e.g., LANMAN, NTLM version 1).
  • Prevent software from auto-running/starting, especially when using thumb drives.
  • Disable unnecessary services and programs.
  • Permit usage only of known hardware-encrypted thumb drives for writing data.
  • Review and consider the implementation of Security Technical Implementation Guides.9

Control: Patching
Description: A process ensuring regular patching of the endpoint OS and third-party applications
Implementation Specification:
  • Establish an endpoint management system and distribute OS patches during regular maintenance times.
  • Automatically update and distribute patches to third-party applications that are known to be vulnerable, such as internet browsers, Adobe Flash, Acrobat Reader, and Java.
  • Develop metrics to monitor patch status. Review on a weekly basis.
  • Dispatch field services/desktop support for endpoints that fail to patch.

Control: Local administrative rights
Description: The provisioning of privileged access to users for installing or updating application and OS software
Implementation Specification:
  • Limit local administrative rights deployed to endpoints. Use endpoint management systems to install new programs and patch systems.
  • For users who require administrative rights, deploy a local account with administrative privileges that is separate from the general user account. Never allow a general user account to operate with administrative privileges, because doing so increases vulnerability to malware and client-side attacks.
 

 

Organizations should reference Cybersecurity Practice #5: IT Asset Management to determine whether their endpoints meet IT asset management (ITAM) requirements. Examples include maintaining a proper inventory of endpoints, reimaging endpoints as they are redeployed, and securely removing endpoints from circulation when decommissioned.


Lastly, ensure that you train your workforce on the need to report any lost or stolen endpoints to your cybersecurity department. Reporting should occur promptly so cybersecurity departments can execute the proper incident response procedures, outlined in Cybersecurity Practice #8: Security Operations Center and Incident Response.


Sub-Practices for Large Organizations

 

2.L.A Automate the Provisioning of Endpoints

NIST FRAMEWORK REF: PR.DS-5

It is challenging to manage thousands of endpoints consistently, especially when endpoint provisioning processes are manually executed. Most organizations do not have the necessary resources to run such an operation.


Value-added resellers (VARs) that sell endpoints through your supply chain can preconfigure endpoints before delivering them to your enterprise. To implement preconfiguring, the organization must build a “gold image,” with a series of checklists and configuration procedures, and provide it to the VAR. This approach helps to ensure a consistent and resilient deployment of endpoints.


In some cases, vendors provide the ability for an organization to provision devices centrally. For example, Apple provides this service for its devices through its Device Enrollment Program (DEP). The DEP enables an organization to simplify enrollment and endpoint security management. The organization enters the serial number or order number of the new device in the DEP, initiating a series of device configuration tasks that are specific to your organization’s requirements. Further information is available in Apple’s DEP Guide.10

 

2.L.B Mobile Device Management

NIST FRAMEWORK REF: PR.AC-3

Mobile devices, such as smartphones and tablets, present their own management challenges. Multiple security configuration options exist for these devices, and organizations should configure the devices consistently to comply with organizational security policies.11


Mobile device management (MDM) technologies manage the configuration of devices connected to the MDM system. In addition to configuration management, they may offer application management and containerization. All three are important to consider, especially for organizations that allow the use of personal devices in business operations.


Because most mobile devices travel on and off the organization’s network, it is important to consider cloud-based MDM systems to enable consistent check-in. If cloud-based systems are not available, then the onsite MDM systems must be accessible over the internet through virtual private network (VPN) connectivity or in the organization’s demilitarized zone (DMZ). The following paragraphs further describe the capabilities of MDM systems.

  • Configuration management: At minimum, ensure that passcodes are in place and encryption is enabled. Ensure that each device locks automatically after a predefined duration (perhaps 1 minute). Implement device wipe functions after a series of unsuccessful logins (consider 10 unsuccessful logins). Limit the amount of time that an e-mail can reside on the mobile device (consider 30 days maximum). Consider leveraging an “Always on VPN” to protect the device when users connect to unsecured wireless networks. Consider prohibiting the installation of unsigned applications.
  • Application management: Malicious applications reside in app stores and may appear to be legitimate, such as PDF readers or Netflix apps, when they really contain malicious code that provides access to data elsewhere on the mobile device. MDM solutions use whitelisting or blacklisting techniques to limit the installation of these malicious applications. Consider both, especially for devices that run on the Android platform, which is an open platform that accepts a wide range of applications.
  • Containerization: Organizations with BYOD policies should consider containerization technologies. These technologies segment and process business data on a mobile device separately from personal data. Containerized business applications exist only in a hardened container on the mobile device. Examples of such business applications include e-mail, calendaring, and data repositories. Containerization allows the organization to wipe the container and clear business data from the device when the workforce member leaves or changes position in the organization. It also limits the risk that personally downloaded malicious applications will access business data.
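The configuration-management minimums above are concrete enough to encode as a check that runs against each MDM profile before it is pushed. The following is an added example, not code from the HICP guide or from any MDM vendor: it validates a constructed profile against the stated minimums (passcode, encryption, auto-lock of about one minute, wipe after ten failed unlocks, e-mail retained at most 30 days, always-on VPN, no unsigned applications) and produces the corrected profile. The profile keys are assumptions, since every MDM product uses its own schema; so is the convention that a value of 0 for auto-lock or failed-attempt wipe means "disabled".

```python
"""Check an MDM configuration profile against the 2.L.B minimums and produce a
corrected copy. Added example, not from the HICP document; the profile keys are
assumptions (vendor MDM schemas differ), as is treating 0 as 'feature disabled'."""

# Settings that must hold exactly.
REQUIRED = {
    "passcode_required": True,
    "storage_encrypted": True,
    "always_on_vpn": True,
    "allow_unsigned_apps": False,
}
# Numeric limits from the 2.L.B text: lock after ~1 minute, wipe after 10
# failed attempts, keep e-mail no longer than 30 days.
MAXIMA = {
    "auto_lock_seconds": 60,
    "failed_attempts_before_wipe": 10,
    "mail_max_age_days": 30,
}


def _limit_violated(value, limit) -> bool:
    # Missing or 0 means the feature is off (assumption), which is also a violation.
    return value is None or value == 0 or value > limit


def check_profile(profile: dict) -> list:
    """Return human-readable findings; an empty list means the profile meets the minimums."""
    findings = []
    for key, wanted in REQUIRED.items():
        if profile.get(key) != wanted:
            findings.append(f"{key} should be {wanted}, is {profile.get(key)}")
    for key, limit in MAXIMA.items():
        value = profile.get(key)
        if _limit_violated(value, limit):
            findings.append(f"{key} should be at most {limit} and enabled, is {value}")
    return findings


def remediate(profile: dict) -> dict:
    """Return a corrected copy: required flags set, limits tightened to the maximum allowed."""
    fixed = dict(profile)
    fixed.update(REQUIRED)
    for key, limit in MAXIMA.items():
        if _limit_violated(fixed.get(key), limit):
            fixed[key] = limit
    return fixed


# Constructed weak profile: passcode and encryption on, everything else lax.
WEAK_PROFILE = {
    "profile_name": "clinical-tablets",
    "passcode_required": True,
    "storage_encrypted": True,
    "always_on_vpn": False,
    "allow_unsigned_apps": True,
    "auto_lock_seconds": 300,
    "failed_attempts_before_wipe": 0,
    "mail_max_age_days": None,
}

if __name__ == "__main__":
    for finding in check_profile(WEAK_PROFILE):
        print("finding:", finding)
    print("corrected:", remediate(WEAK_PROFILE))
```

Running `check_profile` on the corrected profile returns no findings, which is the gate a practitioner would put in front of the MDM push: profiles that fail the check are not deployed until remediated.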

 

2.L.C Host-Based Intrusion Detection and Prevention Systems

NIST FRAMEWORK REF: PR.DS-5

Host-based intrusion detection systems (HIDS) and host-based intrusion prevention systems (HIPS) use an intrusion detection and protection method similar to that used by network-based intrusion detection and prevention systems. Deploy these technologies on endpoints to detect patterns of attacks launched against those endpoints. These attacks can originate from the endpoint’s network or through client-side attacks that occur when using e-mail or browsing the web.


HIDS and HIPS technologies are usually deployed and managed through central endpoint management systems used to manage endpoint software and patching. Configure them to auto-update against their command servers. The command servers should be configured to regularly download fresh signatures of attack indicators.

 

2.L.D Endpoint Detection and Response

NIST FRAMEWORK REF: PR.DS-5, RS.AN-1


Endpoint detection and response (EDR) technologies give visibility into the execution and processing that occurs across an organization’s fleet of endpoints. These agent-based technologies allow cybersecurity departments to query large fleets of endpoints for suspicious running processes, file actions, and other irregular activities.


EDR enables large-scale response to malware outbreaks. If malware is installed in the organization’s environment, cybersecurity professionals can “reach in and remove” the malware from thousands of devices using a single action. Finally, EDR technologies provide cybersecurity departments with forensic capabilities that supplement incident response (IR) processes.


2.L.E Application Whitelisting

NIST FRAMEWORK REF: ID.AM-2, PR.DS-6

Application whitelisting technologies permit only applications that are known and authorized to run, rather than identifying applications that are not permitted to run. They are based on the assumption that it is impossible to identify and blacklist, or block, every malicious application.


Organizations should maintain a current inventory of all software on endpoints to facilitate complete and consistent maintenance and patching to protect against client-side attacks.12


Configuration of application whitelisting is complex and outside of the scope of this guide. Interested organizations should read NIST Special Publication 800-167: Guide to Application Whitelisting.13
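The difference between the two models is easiest to see on a binary nobody has classified yet. The following is an added example, not code from the HICP guide or from NIST SP 800-167: it makes the blocklist and allowlist decisions side by side for four constructed executables, keyed the way allowlisting products commonly key their rules (a signing publisher for vendor software, a file hash for an unsigned in-house tool). The publisher names, paths and file contents are constructed.

```python
"""Allowlist versus blocklist decisions for executables on an endpoint.

Added example, not from the HICP document or NIST SP 800-167. The publisher
names, paths, file contents and hashes below are constructed; real products
key on signed publisher certificates, file hashes or trusted install paths.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binary:
    path: str
    publisher: Optional[str]   # subject of the code-signing certificate, None if unsigned
    content: bytes             # constructed stand-in for the file's bytes

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Constructed sample executables as a software inventory might record them.
VENDOR_APP = Binary(r"C:\Program Files\EHR\ehr.exe", "CN=Example EHR Vendor", b"ehr-client-build-1")
INHOUSE_TOOL = Binary(r"C:\Tools\labprint.exe", None, b"internal-label-printer-utility")
KNOWN_BAD = Binary(r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe", None, b"sample-malware-body")
NEVER_SEEN = Binary(r"C:\Users\jdoe\Downloads\update.exe", None, b"previously-unseen-dropper")

# Allowlist: what is known and authorized (publisher for signed software,
# hash for the one unsigned in-house tool that was reviewed and approved).
ALLOWED_PUBLISHERS = {"CN=Example EHR Vendor"}
ALLOWED_HASHES = {INHOUSE_TOOL.sha256()}
# Blocklist: only what has already been identified as malicious.
BLOCKED_HASHES = {KNOWN_BAD.sha256()}


def blocklist_decision(b: Binary) -> str:
    """Deny only what is already known bad; anything unclassified runs."""
    return "deny" if b.sha256() in BLOCKED_HASHES else "allow"


def allowlist_decision(b: Binary) -> str:
    """Run only what is known and authorized; anything unclassified is denied by default."""
    if b.publisher is not None and b.publisher in ALLOWED_PUBLISHERS:
        return "allow"
    if b.sha256() in ALLOWED_HASHES:
        return "allow"
    return "deny"


def compare(binaries) -> dict:
    """Map each path to (blocklist decision, allowlist decision)."""
    return {b.path: (blocklist_decision(b), allowlist_decision(b)) for b in binaries}


if __name__ == "__main__":
    for path, (block, allow) in compare([VENDOR_APP, INHOUSE_TOOL, KNOWN_BAD, NEVER_SEEN]).items():
        print(f"{path}\n  blocklist: {block:5}  allowlist: {allow}")
```

The two models agree on everything that has been classified; they differ only on the never-seen download, which the blocklist lets run and the allowlist stops. That unclassified case is exactly the gap the text describes, and it is also why the software inventory matters: the allowlist can only be built from a complete list of what is authorized.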

 

2.L.F Micro-Segmentation/Virtualization Strategies

NIST FRAMEWORK REF: PR.AC-5

Technologies called micro-virtualization or micro-segmentation assume that the endpoint will function in a hostile environment. These technologies work by preventing malicious code from operating outside of its own operating environment. The concept is that every task executed on an endpoint (e.g., click on a URL, open a file) can run in its own sandboxed environment, thus prohibiting the task from interoperating between multiple sandboxed environments.


Since most malware is installed by launching incremental processes after gaining an initial foothold, this strategy can be effective at eliminating that second launch. Additionally, once the malicious task has completed, the microenvironment is torn down and reset. Further configuration advice is specific to the microenvironment technology deployed.


Threats Mitigated

  1. Ransomware attacks
  2. Loss or theft of equipment or data

Suggested Metrics

  • Percentage of endpoints encrypted based on a full fleet of known assets, measured weekly. The first goal is to achieve a high percentage of encryption, somewhere around 99 percent. Achieving 100 percent encryption is nearly impossible, because defects always exist. Additionally, the percentage of endpoints encrypted will vary as you discover new assets, which is why you should measure it weekly.
  • Percentage of endpoints that meet all patch requirements each month. The first goal is to achieve a high percentage of success. Secondary goals are to ensure that there are practices to patch endpoints for third-party and OS-level application vulnerabilities, and to be able to determine the effectiveness of those patches. Without the metric, there might not be checks and balances in place to ensure satisfactory compliance with expectations.
  • Percentage of endpoints with active threats each week. The goal is to ensure that practices are in place to respond to AV alerts that are not automatically quarantined or protected. Such alerts indicate that there could be active malicious action on an endpoint. An endpoint with an active threat should be reimaged using general IT practices and managed using a ticketing system.
  • Percentage of endpoints that run nonhardened images each month. The goal is to check assets for compliance with the full set of IT management practices, identifying assets that do not comply. To do this, place a key or token on the asset indicating that it is managed through a corporate image. Separate practices are necessary for assets that are not managed this way to ensure that they are properly hardened.
  • Percentage of local user accounts with administrative access each week. The goal would be to keep this number as low as possible, granting exceptions only to local user accounts that require such access.
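The five metrics above are ratios over the fleet of known assets, and the first one carries a caveat worth showing: the encryption percentage moves whenever new assets are discovered, not only when machines are encrypted. The following is an added example, not code from the HICP guide or any asset management product: it computes all five metrics from a constructed asset inventory, then recomputes them after two newly discovered, unmanaged machines are added to the known fleet. The inventory fields are assumptions about what an endpoint management and ITAM system would export.

```python
"""Compute the 'Suggested Metrics' for an endpoint fleet from an asset inventory.

Added example, not from the HICP document. The Asset fields are an assumption
about what an endpoint management / ITAM export would contain; the fleet below
is constructed. The 99 percent encryption goal is the figure stated in the text.
"""
from dataclasses import dataclass

ENCRYPTION_GOAL_PCT = 99.0


@dataclass
class Asset:
    hostname: str
    encrypted: bool               # full disk encryption reported healthy
    patch_compliant: bool         # OS and third-party patches all applied
    active_threat: bool           # AV alert not automatically quarantined
    corporate_image_token: bool   # key/token proving the asset runs the managed image
    local_accounts: int           # local user accounts on the asset
    local_admin_accounts: int     # of those, accounts with administrative access


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def fleet_metrics(assets: list) -> dict:
    """The five suggested metrics, each over the full fleet of known assets."""
    n = len(assets)
    return {
        "encrypted_pct": pct(sum(a.encrypted for a in assets), n),
        "patch_compliant_pct": pct(sum(a.patch_compliant for a in assets), n),
        "active_threat_pct": pct(sum(a.active_threat for a in assets), n),
        "nonhardened_pct": pct(sum(not a.corporate_image_token for a in assets), n),
        # denominator here is local accounts, not assets
        "local_admin_pct": pct(sum(a.local_admin_accounts for a in assets),
                               sum(a.local_accounts for a in assets)),
    }


def encryption_goal_met(metrics: dict) -> bool:
    return metrics["encrypted_pct"] >= ENCRYPTION_GOAL_PCT


# Constructed fleet for week 1: ten managed workstations, one unencrypted,
# two unpatched, one with an active threat, one not on the corporate image.
FLEET_WEEK1 = [
    Asset(f"WS-{i:03d}", encrypted=(i != 4), patch_compliant=(i not in (4, 7)),
          active_threat=(i == 7), corporate_image_token=(i != 9),
          local_accounts=2, local_admin_accounts=(1 if i in (4, 9) else 0))
    for i in range(10)
]
# Constructed week 2 discovery: two lab PCs found by the network scan, never managed.
NEWLY_DISCOVERED = [
    Asset("LAB-PC-A", encrypted=False, patch_compliant=False, active_threat=False,
          corporate_image_token=False, local_accounts=1, local_admin_accounts=1),
    Asset("LAB-PC-B", encrypted=False, patch_compliant=False, active_threat=False,
          corporate_image_token=False, local_accounts=1, local_admin_accounts=1),
]

if __name__ == "__main__":
    week1 = fleet_metrics(FLEET_WEEK1)
    week2 = fleet_metrics(FLEET_WEEK1 + NEWLY_DISCOVERED)
    for name in week1:
        print(f"{name:22} week1 {week1[name]:5}  week2 {week2[name]:5}")
    print("encryption goal met:", encryption_goal_met(week1), encryption_goal_met(week2))
```

Nothing was decrypted between the two runs, yet the encryption figure falls from 90.0 to 75.0 percent because the denominator grew; that is the effect the text has in mind when it says to measure weekly against the full fleet of known assets rather than against the managed set alone.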


 

8. “CIS Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers,” Center for Internet Security, accessed September 24, 2018, https://www.cisecurity.org/controls/secure-configuration-for-hardware-and-software-on-mobile-devices-laptops-workstations-and-servers/.

9. “Security Technical Implementation Guides (STIGs),” Information Assurance Support Environment (IASE), accessed September 24, 2018, https://iase.disa.mil/stigs/Pages/index.aspx.

10. DEP Guide, Apple.com, last modified October 2015, https://www.apple.com/business/site/docs/DEP_Guide.pdf

11. “CIS Benchmarks,” Center for Internet Security, accessed September 24, 2018, https://www.cisecurity.org/cis-benchmarks/.

12. “CIS Control 2: Inventory of Authorized and Unauthorized Software,” Center for Internet Security, accessed September 24, 2018, https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-software/.

13. Adam Sedgewick, Murugiah Souppaya, and Karen Scarfone, Guide to Application Whitelisting, (NIST Special Publication 800-167, October 2015, Gaithersburg, MD), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf.

