Endpoints

01/01/2012


Endpoints – the New Point of Attack


In the ninth of his weekly series for Cambridge Network members, BS7799 and IT governance expert Alan Calder explains the ABCs of business security and compliance. This week he looks at endpoints.



The Problem


Handheld and laptop computing and communications devices (notebook computers, PDAs, BlackBerries, Cellphones, etc) are improving workforce productivity and speeding up customer responsiveness. Anytime, anywhere, always-on computing – the unwired world frees us from our desks, reduces fixed overhead and puts us out there in the face of the customers with all the facts we need at our fingertips.

We love it.

The sales figures prove we do: Cellphone, PDA and wireless laptop sales are skyrocketing, their usefulness hugely increased by their capacity to connect to the home office network. And so the deployment of wireless access points (secure or otherwise) continues increasing geometrically. New services, new technologies and new solutions are launched every week.

The digital Malevolency also loves it.

Handheld and laptop devices take the end point of an organization’s secure perimeter way beyond that perimeter, into areas that the security officer or network administrator can’t physically reach. The Malevolency can. Aided and abetted by manufacturers who distribute wireless devices with a default security configuration of zero (nada, nothing), the Malevolency’s fastest route of attack on your ‘safe’ home office network is now through all those unsafe endpoint devices.



The Risks


Malevolency attackers are opportunistic. They exploit the most common vulnerabilities, in the most widely used systems. This means that your Blackberries, Microsoft wireless notebooks, Symbian SmartPhones, Nokia Cellphones and Handsprings become standard targets – particularly when they’re being used in a busy area, with lots of other similar devices, where the chances of catching a really interesting, insecure endpoint opportunity is that much greater.

Wireless Access Points (in coffee shops, hotels and convention centres) are the new watering hole; when the ruminants venture out for a latte, the predators are crouched in the long grass, waiting for a free ride into a juicy corporate network. 



The Impacts


The impacts are no different from those resulting from any other breach of your ‘secure’ home office system – except that this attacker could be half a continent away. Viruses, worms, Trojans and many autonomous hacking exploits can be uploaded from a handheld to your main system. All the data can be compromised and confidential stuff exposed, stolen, sold. Compliance issues are just as frightening. Recovery is just as difficult.



 What do we do about it?


There’s the ‘sysadmin’ solution: rolling out centrally controlled, expensive software to enforce policy on endpoint devices. It’s expensive, time consuming and fundamentally anti-flexibility.

Then there’s the ‘teach and trust’ solution. Teach users what to do, ensure that devices are securely configured, patched and guarded, build some internal incident response capability, then trust them. It’s far less expensive, at least as effective, and far more enabling.

And technology is supposed to enable, isn’t it?


Next week: Security Models



Alan Calder’s company provides businesses with consultancy support and advice on governance and information and wireless security. Visit www.itgovernance.co.uk/page.service, e-mail alan@itgovernance.co.uk or telephone + 44 845 070 1750

PROTECT YOUR
BUSINESS
THIS WINTER