BACKGROUND AND KEY RISKS:
An endpoint is a device that provides access to the internet or a company’s internal network, at times from outside a network’s firewall. The definition of what an endpoint is continues to grow as more and more devices come online (Internet of Things). For the purpose of Penn’s Internal Audit office, we define “endpoint” as a physical or virtual desktop, laptop, or mobile device that grants access to Penn’s network. Securing endpoints is essential because each device has the potential to be an entry point for malicious actors.
Once an adversary gains access to a device, it is possible for them to move laterally throughout the organization to gain higher-level access. This type of breach can lead to exposing or stealing sensitive data, causing service disruptions to critical systems used by end users to conduct routine business, or otherwise exploiting Penn’s environment. Since endpoints are in the hands of end users, it is equally important to develop end user training, policies, and procedures as it is to implement technical solutions for endpoint hardening.
WHAT MANAGEMENT CAN DO:
- Implement an Asset Management inventory system. If you don’t know what devices are out there, you don’t know your attack surface or what needs to be secured. Visibility of all devices should be a priority if teams want to ensure proper endpoint security hygiene.
- Deploy an endpoint security solution (e.g., CrowdStrike) on all Penn managed devices. Strongly encourage non-Penn managed devices to have virus or malware protection installed or enabled (e.g., Windows Defender).
- Ensure a routine patch management process is in place, including a process for when zero-day vulnerabilities arise. Configure applications to update automatically where applicable. The scope of patch management should include operating system patches, hardware updates (drivers, firmware), and third-party application updates.
- Ensure all devices require authentication for access, whether by password, PIN, biometrics, or hardware tokens such as YubiKeys. Penn managed devices ought to lock the screen automatically when a machine is left unattended for a defined period of time, for example 15 minutes.
- Adhere to the principle of least privilege. Restrict administrative access to only those who need it (IT administrative personnel) on Penn managed devices. Change the local administrative password using strong password requirements. Store local administrative passwords in a secure password repository.
- Create separate administrative accounts for approved IT personnel and implement stronger password requirements for those accounts. Store the administrative passwords in a secure password repository.
- Implement an application approval process, so that applications installed on endpoints are approved by the appropriate teams such as Security, Procurement, Applications, and Endpoint Management. This reduces the chance that malicious or unvetted software is installed on machines, and it can be cost effective where applications require a license or subscription.
- Require full disk encryption for all operating system disks (e.g., BitLocker, FileVault). Strongly recommend requiring encryption of non-OS drives such as USB flash drives.
- Implement a cloud-based file storage solution such as OneDrive for Business, so that users may easily save data to a repository that is backed up. Should data be saved outside of these locations, implement a process that backs up that data in the event of a managed machine swap or failure.
- Implement a Mobile Device Management (MDM) solution to ensure personal devices do not have unmanaged access to critical systems or data.
- Leverage configuration management tools such as Group Policy Management, BigFix, SCCM, Intune or JAMF to configure Penn managed devices according to an industry baseline standard of security best practices (e.g., NIST, CIS benchmarks, Microsoft Security Baselines).
- Enable and configure the firewall on endpoints, either the operating system's built-in firewall or a third-party application.
- Implement training that informs end users of the importance of the following: patching, where to save personal data so that it is backed up, never sharing passwords, how to scrutinize phishing scams, and Penn's acceptable use policy.
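Several of the controls above (disk encryption, host firewall, lock screen timeout, local administrator membership, endpoint protection, and patch currency) can be checked on a Windows endpoint from an elevated PowerShell session. The script below is an added example, not Penn's own tooling; it assumes Windows 10/11 with the BitLocker and Defender modules present, and the admin allow-list, the 15-minute lock threshold and the 30-day patch window are assumptions to adjust to local policy.

```powershell
# Added audit example (not Penn's script). Collects findings against the
# endpoint controls listed above; run elevated on a Windows 10/11 endpoint.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Full disk encryption: the OS volume must have BitLocker protection On.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($osVol.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker protection is not On for $($env:SystemDrive)")
}

# 2. Built-in firewall enabled on every profile (Domain, Private, Public).
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("Firewall profile '$($_.Name)' is disabled")
}

# 3. Lock screen: the machine inactivity limit policy at or below 15 minutes.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$timeout = (Get-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs `
    -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if (-not $timeout -or $timeout -gt 900) {
    $findings.Add("Inactivity lock unset or longer than 15 minutes (InactivityTimeoutSecs=$timeout)")
}

# 4. Least privilege: flag local Administrators members outside an allow-list.
#    'PENN\Endpoint-Admins' is a hypothetical IT admin group; replace locally.
$allowedAdmins = @("$env:COMPUTERNAME\Administrator", 'PENN\Endpoint-Admins')
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $allowedAdmins -notcontains $_.Name } |
    ForEach-Object { $findings.Add("Unexpected local administrator: $($_.Name)") }

# 5. Endpoint protection: Defender real-time protection must be running.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings.Add('Defender real-time protection is disabled')
}

# 6. Patch currency: days since the most recently installed update (30-day window assumed).
$lastPatch = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if (-not $lastPatch -or ((Get-Date) - $lastPatch).Days -gt 30) {
    $findings.Add("No update installed in the last 30 days (last: $lastPatch)")
}

# Report: one line per finding, non-zero exit code if anything was flagged.
if ($findings.Count -eq 0) { Write-Output 'No findings'; exit 0 }
$findings | ForEach-Object { Write-Output $_ }
exit 1
```

The non-zero exit code lets a configuration management tool such as Intune or SCCM treat the script as a compliance check rather than just a report.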