Welcome to the second piece in our series on modern IT operations. If you missed the first one, you can catch up here.
A guide to
securing your endpoints
Proven techniques for IT professionals
In 1971,
a mischievous program called Creeper made its way through ARPANET, displaying the taunting message, “I’m the creeper, catch me if you can!” This prompted the creation of Reaper, the first antivirus software ever designed.
Fast forward to today, and the landscape of cybersecurity has transformed dramatically. Modern threats are far more sophisticated and pervasive, necessitating eg. advanced endpoint detection and response (EDR) systems that not only hunt down threats but also analyse and adapt to new tactics.
This five-step guide is designed to equip you with the strategies and insights needed to strengthen your defences and maintain the integrity of your endpoints.
This five-step guide is designed to equip you with the strategies and insights needed to strengthen your defences and maintain the integrity of your endpoints.
Step one: control your endpoints
The first step to endpoint security is to manage your endpoints effectively. This means always overseeing all devices and managing who gets to access them.
Utilizing a cloud-native approach with technologies like Entra and Intune allows for comprehensive control, ensuring your endpoints are managed in the office, at home, or on the move.
With Conditional Access, you can proactively safeguard endpoints by ensuring only compliant devices can access company data. The role-based access control (RBAC) in Entra ID and Intune enables granular management, ensuring individuals have the right access. Audit and sign-in logs are invaluable for tracking all actions and access across your network.
Step two: patch your software
The next step is to patch your software diligently. Keeping all software up to date is crucial in reducing the risk of security breaches through known vulnerabilities.
This helps avoid incidences like the widespread WannaCry ransomware attack in May 2017, which exploited a vulnerability in older versions of Microsoft Windows, affecting companies like FedEx and Telefonica, impacting over 200,000 computers globally, and causing significant disruptions. It could have been mitigated by diligent patching.
Establish an uncompromising approach to patching. Every component, from operating systems to drivers, firmware, and third-party applications must be consistently updated with the latest security patches. This systematic updating is essential, as it addresses vulnerabilities that cyber attackers are keen to exploit.
If you’re on mobile, click here to view the illustration in full.
A map of the countries initially affected by the WannaCry ransomware attack, which impacted over 200,000 computers globally. Original image: TheAwesomeHwyh.
How to patch properly
Start with the operating system: Ensure all endpoints are running versions supported by the manufacturer and apply the latest security patches. This shields against known vulnerabilities and equips your systems with the newest security features.
Don’t overlook the fundamentals: Pay close attention to drivers and firmware (BIOS), which are often neglected yet critical for system security. Regular updates to these components can dramatically improve hardware performance and stability, closing off vulnerabilities that could otherwise be exploited.
Secure Third-Party Applications: Every application added to your network increases your exposure to potential attacks. Keeping these applications updated is crucial. While manual updates can be labour-intensive, employing automation tools or third-party patching solutions can streamline this process, ensuring quick and effective management of vulnerabilities.
Step three: Authentication
The next step to achieve a high level of endpoint security is to ensure proper authentication methods. This ensures that only authorized personnel can access your system’s most sensitive data and resources. This step protects against unauthorized access and builds a trust framework essential for any secure network.
The Twitter hack in July 2020, where attackers exploited weak security measures to access and manipulate high-profile accounts, revealed the dramatic consequences of inadequate authentication practices. Among the high-profile Twitter accounts hacked were Joe Biden, Elon Musk, ad Bill Gates. The scammer got away with 120.000$ worth of Bitcoin. This breach highlights the critical need for Multi-Factor Authentication (MFA) and the importance of educating employees about social engineering risks.
If you’re on mobile, click here to view the illustration in full.
Authentication methods include possession of eg. badges, unique knowledge, or biometrics.
How to build a strong authentication foundation
Use a multifaceted approach that integrates both traditional security measures and advanced technologies, from complex passwords to biometrics and multi-factor authentication (MFA), all designed to ensure that only authorized parties can access critical assets.
Multi-Factor Authentication (MFA): MFA significantly reduces the risk associated with compromised passwords by requiring users to verify their identity using multiple factors before gaining access. This method significantly minimizes the consequences of human errors, such as misplaced passwords or lost devices, making it a vital component of modern cybersecurity defences.
Passwordless technologies: Passwordless systems, such as Windows Hello for Business, utilize biometrics and PIN or hardware keys. This reduces the risk of phishing, password theft, and brute force attacks by eliminating passwords, which are often the weakest link in security. It also enhances user experience by eliminating the need for users to remember complex passwords.
Certificate-based authentication: By employing digital certificates, you can establish a secure and dependable method for verifying identities, bolstering your defences against a spectrum of cyber threats. Certificate-based authentication represents a powerful tool in securing access to corporate networks, applications, and other critical resources.
Step four: Detect and respond
To fortify your defence further, employ detection and response mechanisms. Detection involves monitoring your systems and networks for any signs of suspicious activity that might indicate a security breach or an impending attack. Response mechanisms can include both automated responses and manual intervention by your security teams. Together, detection and response capabilities enable you to quickly identify and mitigate cyber threats.
The Equifax Data Breach showcases what might happen without proper detection & response mechanisms. In 2017, Equifax, a major credit reporting agency, suffered a massive data breach that exposed sensitive personal information, such as Social Security numbers and birth dates. This breach was primarily due to an exploited vulnerability in their web application framework that was known and patchable months before the attack. However, the breach remained undetected for 76 days, largely because of a failure to detect suspicious traffic due to an expired digital certificate.
If you’re on mobile, click here to view the below illustration in full.
An EDR solution is able to detect and respond to incoming or ongoing threats.
How to build strong detect & respond measures
In cybersecurity, detecting and responding to threats swiftly and effectively is paramount. This involves continuously monitoring for signs of suspicious activity and having the capability to react promptly when a potential threat is identified.
Implement an endpoint detection and response (EDR) solution: Solutions like Microsoft Defender for Endpoint are essential for automating the detection and resolution of simpler incidents. They integrate with platforms like Sentinel, which can automatically resolve these incidents, allowing for more complex situations to be managed and escalated to your security team for deeper analysis.
Use antivirus software effectively: Software like Microsoft Defender Antivirus protects your endpoints from viruses, malware, ransomware, and trojans. Keep your antivirus definitions updated regularly, ideally multiple times a day, to stay ahead of new threats.
Employ DNS filtering: DNS filtering is an effective tool for enhancing your defence measures. By implementing a DNS filter service, you block access to known malicious sites automatically, preventing them from compromising your network.
Step five: Hardening
Hardening is the last vital step in a healthy endpoint security strategy. Hardening refers to securing your systems by minimizing potential vulnerabilities that attackers can exploit – often called reducing the system’s attack surface. This involves disabling unnecessary services, applying the principle of least privilege, and configuring security settings according to the best practices. Proper hardening makes it much more difficult for attackers to find and exploit weaknesses in your systems.
If you’re on mobile, click here to view the illustration in full.
Full disk encryption, access rights, application control, and firewalls are among the hardening techniques you can employ to secure your endpoints.
Hardening techniques
Implement Full Disk Encryption: Starting with Full Disk Encryption, like BitLocker along with TPM 2.0, ensures that data on your hard drives is secured against unauthorized access, especially crucial in scenarios involving physical device threats.
Activate and Manage Firewalls: Enforcing strict rules on both inbound and outbound network traffic through active firewalls helps you monitor and control data flows, establishing a robust defence against intrusion.
Privileged Access Management (PAM): PAM is vital in managing and monitoring the elevated access and permissions granted to users. This reduces risks associated with local admin accounts, which could potentially serve as entry points for attackers.
App Protection Policies: Manage how applications interact with your data across all endpoints. These policies help prevent data leaks by ensuring that company data is only accessible through secure and managed applications.
Application Control Technologies: Tools like Windows Defender Application Control (WDAC) and AppLocker allow you to specify which applications are allowed to run on your endpoints blocking unauthorized software and reducing the risk of malicious scripts.
Leverage Virtualization-Based Security: This technology uses hardware virtualization to protect the core parts of your operating system, providing an additional layer of security against sophisticated attacks.
Secure Boot: Ensure your devices only boot using software that’s trusted by the manufacturer, protecting against rootkits and other boot-time threats.
Restrict File Types: Limit the use of potentially dangerous file types, particularly scripting languages that could execute malicious scripts.
Implement Attack Surface Reduction Rules to help reduce potential attack vectors by blocking risky scripts and other exploitable content from running.
Utilize Location Services: For mobile devices, location services can help you track and manage devices, enhancing security for devices that might be lost or stolen.
Privileged Access Workstations (PAW): For sensitive operations, restrict administrative access to dedicated workstations that are highly secured, minimizing the risk of lateral movement within your environment.
Conclusion
Securing your endpoints is a critical component of maintaining the overall security and integrity of your network. By effectively managing access, keeping your systems patched, employing robust authentication measures, and continuously monitoring for threats, you can significantly enhance your defences. System hardening further ensures that your network remains resilient against potential breaches, making it difficult for attackers to exploit vulnerabilities.
Finally, do not overlook the fact that the first line of defence against many cyber threats is the user. Incidents often occur when users unknowingly provide their credentials to attackers through phishing attempts or by accessing and downloading harmful content from untrusted websites.
By incorporating regular security training, you empower users to recognize and respond appropriately to such threats. Effective training can drastically reduce the likelihood of breaches, complementing the technical security measures you’ve implemented based on this guide. Equip your users with the knowledge they need to act as an informed and vigilant defence against cyber-attacks.
Each step outlined in this guide is designed to form a comprehensive security strategy that will protect your digital assets and keep your operations running smoothly.
Effective training can drastically reduce the likelihood of breaches, complementing the technical security measures you've implemented based on this guide. Equip your users with the knowledge they need to act as an informed and vigilant defence against cyber-attacks.
To learn more
