Keeping your endpoint data safe: some simple precautions

Sysadmin blog People are out to get you. Your business, your users, your systems and your data all have value to someone.

You could be targeted because you have something that someone specifically wants, or because attackers are hoping to find bank account details or email addresses to spam, or because they want your compute power for a botnet.

Few companies have the luxury of being able to dedicate one or more members of staff to security, but there are some easy layers of defence that everyone should have in place.

Security does not earn money so it tends to be something companies attend to after an incident. But remember you may very well be blamed for not having identifed the risks.

Black magic

A unified threat management solution is one defence option. This is a gateway that has black wizardry to protect you from spam, intrusions and viruses, as well as controlling content or network traffic.

It is one of those balance calls: you won't stop everything (impossible) but for a reasonably small outlay you will be ahead of many people out there and become a less easy target.

This sort of device should alert you to something going on that you would normally not be aware of. For example, I have seen laptops plugged into a corporate network whose user had administrator access, clicked on a few dodgy websites at home and ended up being a spam relay box.

Seeing an alert come up warning of large numbers of connection attempts on port 25 to an overseas address is an easy way to catch this.

Ye of little faith

Endpoint security is another area where it might seem like you are dishing out cash for nothing.

Microsoft Windows 7 and below have this covered fairly well with Microsoft Security Essentials for your anti-virus needs and Windows Defender for spyware. Windows 8 has Windows Defender built in and does both anti-virus and anti-spamware.

One of the most common methods of getting something unwanted is via an infected USB. Blocking USB devices is of course one line of defence, but if you are not in a highly secure environment you will just annoy your staff, who probably don’t want to see or believe the risks.

I have seen malware that launches via the autorun.inf file, which can mean users are running the malware on every PC they decide to plug into.

Fear of phones

The latest threat on the block is mobile malware. Android phones are still the worst, hands down, so if you can possibly avoid it, don't provide them to staff. iPhones, Windows phones and BlackBerrys are much safer in that regard.

Enforcing a PIN or password on devices is the most basic level of protection and should be employed wherever possible.

It is worth having a look at a mobile device management platform. It can report on what apps are installed on your mobile fleet, allow you to remote-wipe when someone leaves their phone in the back of a taxi, and can help identify devices that are not running the latest operating system version.

Knowing whose device is jailbroken is also a good thing. Remember the RickRoll worm? 

If you care about protecting your data when users are sharing it, don't use open, free services such as DropBox. The ideal solution is something that can be hosted on premises (so you know where your data is), has optional security mechanisms (so you can control who sees the data), and has killable time-bomb links (so you can pre-determine when data should no longer be available).

A year after he left the company company-sensitive information was still being emailed to him

The rogue user is another danger area. I have seen a few in my time. One example: a staff member set all his emails to be forwarded externally, and a year after he left the company to work for a competitor, someone worked out that company-sensitive information was still being emailed to him.

At the other end of the scale is someone who left but knew another person's password. Weeks after leaving the company he logged in via webmail and began abusing staff.

Flashing red lights and sirens should be going off in your brain about this. Policies prohibiting sharing passwords with other staff members and a regular forced change of password should avoid these situations.

Beware the mafia

Making sure that accounts are disabled as people walk out the door for the last time is a very small price to pay to avoid a potential high risk of damage.

It is also worth educating users with reminders and tips. It is obvious to us, but a random email asking for their login details will often have users happily clicking a link that goes to "http://yourcompany.russianmafia.com" and entering their company username and password.

An attacker who has targeted a staff member or company can do huge amounts of damage and companies of all sizes are at risk."

These are just some of the basic approaches you should consider to protect everyone. You want to be thinking about them now rather than when it is too late. ®