Best practices for endpoint security, Part 1

We do what we can to protect the endpoints of our networks, but it seems like there is always a new threat or new situations to worry about. Security experts Faycal Daira and Bob Foley offer their best practices for endpoint protection. This week we cover antivirus, device control, and host-IPS and behavioral protections. Next week we'll cover location awareness, network access control and application control.

I recently reached out to Faycal Daira, CTO of SkyRecon Systems, and Bob Foley, president of Matrix Global Partners, to get their best practice tips on endpoint security. SkyRecon Systems is a top European developer of behavioral security software solutions, and Matrix Global Partners is the leading systems integrator for StormShield, SkyRecon's endpoint security solution. Together Daira and Foley have many years of experience in helping their customers tackle the tough job of keeping millions of endpoints protected, and they now share with you their tips on antivirus, device control, host-IPS and behavioral protections, location awareness, network-access control (NAC) and application control.

Network access control in a nutshell

The first tip pertains to the selection of an endpoint security solution: regardless of which tool(s) you select, look for native support of Active Directory (AD) and support for the types of devices you have. This makes it much easier to control everything from one vantage point.

Step 1: Identify Users/Workstations

AD security groups are by far the most versatile basis on which to match your security policy. A simple and basic approach is to define the following groups in AD:

* Workstations: laptops/desktops

* Security groups: IT admins/users/guests

Of course, you can define additional groups as needed to provide more granularity in your security policies.

Step 2: Document your security policies in a table

Security policies table

To help complete the above table, here are some best practices for each endpoint security project. Keep in mind that you will want to review them individually but then combine them into a single set of policies that can work hand-in-hand together to provide the best possible protection and control.

Best practices for antivirus

* Schedule a full scan once a week as a minimum, preferably at lunch time. For the laptops, a full scan should be triggered every time they make a connection to the corporate network.

* Enforce full scans on removable devices when each is plugged in.

* The AV signature updates should be performed every three hours.

* Configure the workstation to directly download signature updates from the AV vendor's public online server(s) in case your internal AV server is offline due to hardware or software issues.

Best practices for device control

* Wi-Fi must be disabled inside the corporate network. This should also be applied to all workstations, laptops and servers. Wi-Fi USB keys can be found everywhere for $20, and these need to be controlled.

* Modems, Bluetooth and infrared must be disabled to prevent any communications that are not controlled by corporate policy.

* U3 features on USB keys must be disabled: U3 presents part of the key to the system as a (fake) CD-ROM drive, and malware can corrupt this component in order to run automatically on the workstation. When browsing removable devices on the endpoint, the U3 CD-ROM partition can be mistaken for the real CD-ROM drive.

* Audit all devices that are plugged in and capture all activity when files are written to removable devices. This will allow you to monitor the extraction of information, giving you a view into how your USB devices are used. With this information, additional policies can be set based on your findings.

* Block access to any executables and scripts from removable devices and the CD or DVD drives. This will prevent any malware from running as a result of any unknown vulnerability being exploited before it gets patched.

* Encrypt all of the data written to high-volume removable storage devices such as CD, DVD and USB backup volumes.

All these controls and restrictions must have the capability to be temporarily disabled, through a built-in challenge/response or CAPTCHA mechanism. This ensures that the temporary exception is controlled by the IT staff and can be limited to a specified amount of time.
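As an added example (not from the article or the StormShield product), here is a review of constructed removable-device audit records of the kind the fourth and fifth bullets above call for: it totals what each user wrote to each device per day so that bulk extraction stands out, and lists executables and scripts that were touched on removable media. The record format, the 500 MB threshold and the extension list are assumptions.

```python
# Added example (not from the article or StormShield): reviews constructed
# removable-device audit records of the kind the article recommends capturing.
# Record format, the 500 MB threshold and the blocked extensions are assumptions.
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Extensions the device-control policy blocks from running off removable media.
BLOCKED_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
EXFIL_THRESHOLD = 500 * 1024 * 1024  # bytes written per user/device/day

@dataclass
class Record:
    when: str      # ISO timestamp from the agent
    user: str
    serial: str    # device serial number
    action: str    # WRITE, READ or EXECUTE
    path: str
    size: int

def parse_audit(text):
    """Lines: '<timestamp> <user> <serial> <action> <path> <bytes>'."""
    for line in text.splitlines():
        if line.strip():
            when, user, serial, action, path, size = line.split()
            yield Record(when, user, serial, action, path, int(size))

def summarize(records):
    """Total bytes written per (day, user, serial) and executables/scripts touched."""
    totals = defaultdict(int)
    blocked = []
    for r in records:
        if r.action == "WRITE":
            totals[(r.when[:10], r.user, r.serial)] += r.size
        if ntpath.splitext(r.path)[1].lower() in BLOCKED_EXT:
            blocked.append((r.user, r.serial, r.path, r.action))
    return dict(totals), blocked

def over_threshold(totals, limit=EXFIL_THRESHOLD):
    """Keys whose daily volume suggests bulk extraction of data."""
    return sorted(k for k, v in totals.items() if v > limit)

SAMPLE_AUDIT = r"""
2010-08-03T12:01:07 CORP\jdoe 0x1A2B3C WRITE E:\docs\q2-forecast.xlsx 1048576
2010-08-03T12:03:41 CORP\jdoe 0x1A2B3C WRITE E:\docs\customers.csv 734003200
2010-08-03T12:05:02 CORP\asmith 0x9F8E7D WRITE F:\photos\team.jpg 3145728
2010-08-03T12:06:30 CORP\asmith 0x9F8E7D EXECUTE F:\tools\setup.exe 0
2010-08-03T12:07:11 CORP\asmith 0x9F8E7D READ F:\tools\run.vbs 2048
"""
TOTALS, BLOCKED = summarize(parse_audit(SAMPLE_AUDIT))
```

In the sample, the 700 MB CSV copy trips the volume threshold while the executable and script on the second device show up in the blocked list regardless of size.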

Best practices for host-IPS and behavioral protections

* Keylogger protection: Most malware programs include some form of a keylogger engine to recover passwords, credit card numbers and other personal data. Be sure to enable keylogger protection as part of your host IPS policy.

* Network monitoring: Set the policy to monitor any application attempting to make network connections. Unauthorized connections help you detect a malware process attempting to call home.

* Rootkit protection: Using a predefined whitelist of the drivers loaded by Windows, you can detect malware that appears valid on the surface but has in fact been signed with a certificate stolen from a hardware or software vendor (cf. Stuxnet and the stolen Realtek certificate).

* Prevent DLL injection: The favorite technique used by malware to keep the antivirus product from removing it is to inject itself as a DLL into a running process. Antivirus can't remove or quarantine a DLL that has already been loaded. Typically, malware loads itself into system processes like winlogon.exe or explorer.exe.
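An added example (not from the article or StormShield) covering the network-monitoring and DLL-injection bullets above: a host-IPS style review of process connection events that flags applications outside the allowlist, allowed applications on unexpected ports, and connections originated by system processes such as winlogon.exe or explorer.exe, which should never talk to the network on their own. The log format and the policy values are assumptions.

```python
# Added example (not from the article or StormShield): host-IPS style review of
# process network-connection events.  Log format, allowlist and the list of
# system processes are assumptions made for illustration.
from dataclasses import dataclass

# Image names allowed to make outbound connections, and on which ports.
ALLOWED = {"outlook.exe": {443, 993}, "iexplore.exe": {80, 443}}
# System processes that never originate traffic; a connection from one points at injected code.
INJECTION_TARGETS = {"winlogon.exe", "explorer.exe"}

NOT_ALLOWLISTED = "application not in allowlist"
BAD_PORT = "allowed application, unexpected port"
SYSTEM_PROCESS = "system process initiating traffic (possible injected code)"

@dataclass
class Finding:
    process: str
    remote: str
    port: int
    reason: str

def parse_log(text):
    """Constructed agent log lines: '<date> <time> <process> <ip>:<port> connect'."""
    for line in text.splitlines():
        if line.strip():
            _date, _time, proc, endpoint, _action = line.split()
            ip, port = endpoint.rsplit(":", 1)
            yield proc.lower(), ip, int(port)

def review(events):
    """Return one Finding per event that violates the network policy."""
    findings = []
    for proc, ip, port in events:
        if proc in INJECTION_TARGETS:
            findings.append(Finding(proc, ip, port, SYSTEM_PROCESS))
        elif proc not in ALLOWED:
            findings.append(Finding(proc, ip, port, NOT_ALLOWLISTED))
        elif port not in ALLOWED[proc]:
            findings.append(Finding(proc, ip, port, BAD_PORT))
    return findings

SAMPLE_LOG = """\
2010-08-03 12:01:07 OUTLOOK.EXE 198.51.100.20:443 connect
2010-08-03 12:01:09 iexplore.exe 198.51.100.30:80 connect
2010-08-03 12:01:12 winlogon.exe 203.0.113.10:8080 connect
2010-08-03 12:01:15 updater.exe 203.0.113.55:443 connect
2010-08-03 12:01:20 outlook.exe 198.51.100.20:25 connect
"""
for f in review(parse_log(SAMPLE_LOG)):
    print(f"{f.process:13} {f.remote}:{f.port:<5} {f.reason}")
```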

Using a learning or test mode for intrusion prevention and behavioral protections is mandatory: it lets you test-drive the protection so that exceptions can be made for false positives. This also improves trust when deploying the software, especially when it comes time to upgrade or install a new application, as that is the action most likely to trigger a false positive.

Buffer overflow protections are now mandatory. A good example is the recent vulnerabilities targeting Microsoft Windows and Adobe Acrobat: the time to receive a fix can be up to one month, while exploits appear in the wild on the Internet in a matter of hours.

More next week

Many thanks to Faycal Daira and Bob Foley for the advice above. Next week we'll cover the best practices for application control, location awareness and NAC.


Copyright © 2010 IDG Communications, Inc.