Endpoint security software has evolved from traditional antivirus
software in recognition of the fact that pattern-based antivirus
scanning alone is insufficient to protect workstations and laptops
against the attacks now used to compromise them. Defending against
today's attacks requires "defence in depth", built from the following
layers:
Antivirus
Antivirus scanning is still an important component of endpoint
security, but with McAfee adding more than xxxx signatures to their
pattern files every month, signature-based scanners simply cannot keep
up with the rate at which new malicious code is released onto the
internet. A scanner can only recognise code for which it already holds
a pattern, so a new or repacked sample can pass unrecognised on the
day it appears. In addition, downloaded files are not the only threat
to workstation security, so traditional antivirus technology needs to
be supplemented by additional defences to provide effective protection
against the full range of threats.
Anti Spyware
Spyware is software installed by a website without the user's consent
that threatens the user's privacy. There is no fixed definition of what
spyware does, since each program is written by its author to perform
its own specific actions, but spyware can record and transmit the
user's browsing history and passwords, and can download additional
spyware. Spyware removal is therefore essential to protect user privacy
and the confidentiality of personal information.
Anti Phishing
Anti-phishing software helps users to spot when they have been tricked
into visiting a phishing web site, either by clicking on a link in a
phishing email or by visiting a compromised web site that has
redirected them. A phishing toolbar warns the user that the web site
they are visiting is not the one they intended to visit, which will
hopefully stop them from inadvertently handing their online identity
to fraudsters.
Personal Firewall
Personal firewall protection is a vital component of endpoint
security. Firstly, it provides traditional inbound firewall
protection, stopping attackers from connecting to your PC and pushing
malicious code onto it while it is connected to the internet.
Increasingly, however, the more important role of a personal firewall
is to control which applications on your PC are allowed to reach the
internet. The reason is that it is all too easy to accidentally
download a password-stealing Trojan that installs itself and then
attempts to send your confidential information to cyber criminals
over the internet on TCP port 80, the same port that Internet Explorer
and Firefox use for legitimate web browsing, so to a port-based
firewall the traffic looks like ordinary browsing. To prevent this, an
application-aware personal firewall restricts access to the internet
via port 80 to those applications you actually want to have it, which
in most cases will be your web browser and a small number of
applications that use TCP port 80 to download updates. The restriction
is only as good as the rule set: a rule that covers port 80 alone does
nothing for a Trojan that talks on port 443 or any other port left
open, so the sensible default is to deny all outbound traffic and
allow only named programs.
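The following is an added example, not code from the original page or from any of the vendors it names, of the application-aware outbound control described above using the Windows Defender Firewall cmdlets (NetSecurity module, Windows 8 / Server 2012 or later, run as administrator). The program paths are assumptions; substitute the browser and updaters actually in use.

```powershell
# Added example, not the page's or any vendor's code: default-deny outbound
# firewall with per-program allow rules on the web ports. Program paths are
# assumptions standing in for the browser and updaters you actually deploy.

$allowedPrograms = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',     # the browser (assumed path)
    'C:\Program Files\Mozilla Firefox\updater.exe'      # its updater (assumed path)
)

# 1. Flip every profile to default-deny for outbound traffic. Windows keeps its
#    built-in "Core Networking" allow rules (DNS, DHCP, ICMPv6) enabled, so name
#    resolution still works; everything else must now be allowed explicitly.
#    Log drops so new rules can be justified from evidence.
Set-NetFirewallProfile -All -DefaultOutboundAction Block -LogBlocked True

# 2. Remove rules from a previous run so the script can be re-applied.
Get-NetFirewallRule -DisplayName 'EP-Web-*' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. One allow rule per permitted program, limited to the web ports. Windows
#    evaluates Block rules before Allow rules, so "block everything else" must
#    be the profile default above, not a catch-all Block rule on port 80
#    (that would silence the browser as well).
foreach ($exe in $allowedPrograms) {
    New-NetFirewallRule -DisplayName "EP-Web-$(Split-Path -Path $exe -Leaf)" `
        -Direction Outbound -Action Allow -Program $exe `
        -Protocol TCP -RemotePort 80, 443 -Profile Any | Out-Null
}

# 4. Windows Update runs inside svchost.exe, which hosts dozens of services.
#    Tie its rule to the wuauserv service rather than to the executable alone,
#    otherwise any service (or anything injected into svchost) inherits it.
New-NetFirewallRule -DisplayName 'EP-Web-WindowsUpdate' `
    -Direction Outbound -Action Allow `
    -Program "$env:windir\System32\svchost.exe" -Service wuauserv `
    -Protocol TCP -RemotePort 80, 443 -Profile Any | Out-Null

# 5. Show what is now permitted out on the web ports.
Get-NetFirewallRule -DisplayName 'EP-Web-*' | ForEach-Object {
    $app = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program }
}
```

Two things to expect after running this: anything not listed (mail client, instant messenger, licence servers) stops working until it gets its own rule, which is the point of starting from the firewall log rather than from guesswork; and a browser using HTTP/3 sends UDP to port 443, so a further UDP rule is needed if that is to keep working.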
Intrusion Prevention
Intrusion Prevention is becoming increasingly important as attackers
frequently use Java and ActiveX code to run an exploit against a
specific vulnerability that they are looking for on your PC when you
visit their web site. Once an attack has been seen, a signature is
created for it and it can be blocked by the personal firewall when you
visit a compromised web site. In addition, it is possible to implement
generic intrusion prevention by blocking the types of code that have
been found to be malicious in the past, or by stopping them from
executing in memory if they have already installed themselves on your
PC. The mechanism used to do this is quite complex, but in general
terms well-behaved applications ship with help files and create an
entry in the Add / Remove Programs utility in Control Panel. Malicious
applications, on the other hand, often create no Add / Remove Programs
entry and perform potentially dangerous activity such as monitoring
keystrokes and opening connections back out to the internet. By
looking for this type of behaviour it is possible to identify
malicious software and remove it from your PC. Behavioural rules of
this kind do produce false positives (portable tools and some
legitimate updaters also have no uninstall entry), so a match should
raise an alert for review rather than trigger automatic deletion.
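As an added illustration, not code from the original page or from any endpoint product, here is a crude PowerShell version of the behavioural check just described (Windows 8 or later). For every process that currently holds an established TCP connection to a web port it records whether the executable carries a valid Authenticode signature and whether any Add / Remove Programs entry (the Uninstall registry keys) accounts for its install folder; unsigned and unregistered is the combination worth a closer look. Keystroke-hook detection is deliberately left out, since it needs kernel-level visibility that a script does not have.

```powershell
# Added example, not the page's or any vendor's code: flag processes that are
# talking to the web, are unsigned, and have no Add / Remove Programs entry.

function Get-UninstallFolders {
    # Folders that the Add / Remove Programs (Uninstall) entries point at.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $folders = foreach ($entry in (Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue)) {
        if ($entry.InstallLocation) { $entry.InstallLocation.TrimEnd('\') }
        if ($entry.DisplayIcon) {
            # DisplayIcon is "C:\path\app.exe" or "C:\path\app.exe,0", sometimes quoted.
            $icon = ($entry.DisplayIcon -split ',')[0].Trim('"')
            if ($icon -match '\\') { Split-Path -Path $icon -Parent }
        }
    }
    $folders | Where-Object { $_ } | Sort-Object -Unique
}

function Get-WebTalkingProcesses {
    $known = Get-UninstallFolders
    $owners = Get-NetTCPConnection -State Established |
        Where-Object { $_.RemotePort -in 80, 443, 8080 } |
        Select-Object -ExpandProperty OwningProcess -Unique

    foreach ($procId in $owners) {
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if (-not $proc -or -not $proc.Path) { continue }   # protected or system process
        $folder = Split-Path -Path $proc.Path -Parent
        $sig    = Get-AuthenticodeSignature -FilePath $proc.Path
        [pscustomobject]@{
            Name       = $proc.ProcessName
            Path       = $proc.Path
            Signed     = ($sig.Status -eq 'Valid')
            Signer     = $sig.SignerCertificate.Subject
            Registered = [bool]($known | Where-Object {
                             $folder.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        }
    }
}

# Everything talking to the web right now, worst first.
$report = Get-WebTalkingProcesses
$report | Sort-Object Signed, Registered |
    Format-Table Name, Signed, Registered, Signer -AutoSize

# Candidates for review: unsigned, and nothing in Add / Remove Programs claims them.
$report | Where-Object { -not $_.Signed -and -not $_.Registered } |
    Select-Object Name, Path
```

Expect benign hits: portable utilities and per-user installs under AppData frequently have neither a signature nor an uninstall entry, which is exactly why the output is a review list and not a kill list.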
White Listing
If it were possible to create a unique signature for every piece of
software from every reputable manufacturer, and to maintain a
constantly updated signature file that PCs could consult over the
internet, it would be possible to stop any other application from
running and (in theory) remove the need for virus scanning. In
practice it is questionable whether this can be achieved in the short
term. It is, however, viable for an individual organisation to employ
white-listing, because the set of applications its own policy permits
is far smaller than "all reputable software": the policy decides which
applications may run on any PC, and the administrator is alerted
whenever a rogue application manages to exploit a vulnerability on a
workstation and install itself.
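The following is an added example, not code from the original page or from any vendor's product, of organisational white-listing with the AppLocker cmdlets built into Windows (Enterprise / Server editions, run as administrator on a reference PC). It builds rules from the software already installed, applies them in audit mode, and then reads back the events that an enforced policy would have blocked, which is where rogue software shows up. The file locations and the rule type choices are assumptions.

```powershell
# Added example, not the page's or any vendor's code: audit-mode AppLocker
# whitelist generated from a reference PC, plus the alert query.

# 1. AppLocker rules are ignored unless the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. Inventory the executables that policy says are allowed: the reference
#    PC's Windows and Program Files trees (assumed to hold only approved
#    software). Signed files get publisher rules, unsigned ones hash rules;
#    -Optimize collapses files from one publisher into a single rule.
$dirs  = "$env:windir", "$env:ProgramFiles", "${env:ProgramFiles(x86)}" | Where-Object { $_ }
$files = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe
}
$policy = New-AppLockerPolicy -FileInformation $files `
            -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Start in AuditOnly so nothing is blocked yet. The XML from -Xml leaves
#    EnforcementMode unset, so stamp it on every rule collection.
[xml]$xml = $policy
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyFile = Join-Path $env:TEMP 'whitelist-audit.xml'   # assumed location
$xml.Save($policyFile)
Set-AppLockerPolicy -XmlPolicy $policyFile

# 4. The alert: 8003 = would have been blocked (audit mode),
#    8004 = blocked (enforced). Anything here was not on the list.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003, 8004
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run the audit for a week or two before changing EnforcementMode to Enabled, and only after checking that the Windows folder rules are present, since a policy that omits them locks the system out of its own components. Hash rules also go stale on every update of an unsigned program, which is why publisher rules are preferred wherever the file is signed.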
Device Control
Many suppliers now offer a form of device control, either bundled
into their Endpoint Security products or as an additional-cost option.
It allows network administrators to control which devices (e.g. USB
drives, MP3 players) can be connected to corporate workstations and
laptops. Device control is important because restricting the devices
that can be connected to company workstations to company-owned USB
drives helps to minimise the ways in which malicious code can get
into the organisation. In addition, if users synchronise their music
libraries to company laptops, they can expose the organisation to
copyright infringement, as well as the storage overhead of backing up
users' MP3 libraries on corporate backup systems. Device control also
plays a part in data leakage prevention by preventing users from
connecting iPods or similar devices that can be used to remove large
amounts of potentially confidential data from company servers.
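As an added example, not code from the original page or from any vendor's device-control product, the restriction to company-owned USB drives can be expressed with the Windows "Device Installation Restrictions" and "Removable Storage Access" policy keys, written here directly to the registry (on a domain the same values would come from Group Policy). It assumes Windows 10/11 with administrator rights; the hardware ID is a placeholder for the company's standard drive.

```powershell
# Added example, not the page's or any vendor's code: allow only named USB
# drive models to install, make them read-only, and block everything else.

$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$allowKey     = Join-Path $restrictions 'AllowDeviceIDs'

# Hardware IDs of the company-owned drives that stay permitted (assumed value).
# Read the real ones from a reference PC with the drive plugged in:
#   Get-PnpDevice -Class DiskDrive |
#       Get-PnpDeviceProperty -KeyName DEVPKEY_Device_HardwareIds
$companyDrives = @(
    'USBSTOR\DiskExampleCorp&Prod_SecureKey&Rev_1.00'
)

New-Item -Path $allowKey -Force | Out-Null

# "Prevent installation of devices not described by other policy settings":
# MP3 players, phones and personal sticks can no longer install their driver.
Set-ItemProperty -Path $restrictions -Name DenyUnspecified -Value 1 -Type DWord

# Enable the allow list; each permitted ID is a string value named "1", "2", ...
Set-ItemProperty -Path $restrictions -Name AllowDeviceIDs -Value 1 -Type DWord
$i = 1
foreach ($id in $companyDrives) {
    Set-ItemProperty -Path $allowKey -Name "$i" -Value $id -Type String
    $i++
}

# Data leakage: even the permitted drives are read-only. The GUID is the
# device-setup class for disk drives; this is "Removable Disks: Deny write
# access" in Group Policy terms.
$removable = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
New-Item -Path $removable -Force | Out-Null
Set-ItemProperty -Path $removable -Name Deny_Write -Value 1 -Type DWord

# Check: a refused device appears with an error status rather than as a drive.
Get-PnpDevice -Class DiskDrive -Status Error, Unknown -ErrorAction SilentlyContinue |
    Select-Object FriendlyName, InstanceId, Status
```

The installation restriction applies when a driver is installed, so a personal drive that was plugged in before the policy took effect keeps working until its device entry is removed; test with a fresh device, not one the PC has already seen. Matching on a hardware ID also admits any drive of that model, so it controls the class of device, not individual units.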
Endpoint Security is a critical component of an organisation's
protection and data leakage prevention measures. Whilst it requires
network administrators to have a broader skill set than simple
antivirus software demands, it is only by deploying the pre-emptive
measures included in Endpoint Security products that it is possible
to protect users against attacks that cannot be reliably prevented by
antivirus scanning alone.
Clearview Systems are accredited partners for Sophos Endpoint Security
and Control, Symantec Endpoint Protection, McAfee Total Protection for
Endpoint and Trend Micro NeatSuite / Worry Free Security. Our
engineers will be able to advise you which product is best suited to
your needs, and can also help with product assessment, trials and
deployment to your user base.