
Endpoint security is a double-edged sword: protected systems can still be breached

Endpoint protection can be a double-edged sword: overloading endpoints with too many software clients, falling behind on OS patches, and lacking reliable visibility into endpoints combine to increase, rather than reduce, the risk of a breach.

In fact, conflicting layers of security on an endpoint are proving just as risky as none at all. That is the finding of a new study: the greater the endpoint complexity, the more unmanageable the entire network becomes, with less insight, less control, and less reliable protection.

One of the most valuable insights from Absolute Software’s 2021 Endpoint Risk Report is that the most over-configured endpoint devices are often the least able to identify or manage risks and breaches. Absolute drew on anonymized data from nearly five million Absolute-enabled endpoint devices active across 13,000 customer organizations in North America and Europe to gain new insight into endpoint risks and how to manage them.

Endpoints are a high-priority attack vector

Well-managed endpoints matter more as attackers become more skilled at finding security gaps in endpoints and exploiting them for financial gain. They search for vulnerable corporate networks holding marketable data that can be exfiltrated quickly and sold on the dark web. Absolute’s study shows how overly complex endpoint controls and out-of-date OS patches put an organization’s most sensitive data at risk.

The pandemic quickly created a surge in demand for endpoint devices, and the trend continues to affect organizations today: 76% of IT security decision-makers responding to the survey say their organizations’ use of endpoint devices has increased since the beginning of the COVID-19 pandemic, and 82% had to re-evaluate their security policies in response to work-from-home requirements.

All this comes as the decades-long reliance on domain controllers to define the trust boundary of a Windows domain has proved exploitable. Once a domain controller is compromised, an attacker can move laterally to any system, resource, or endpoint in the domain, so the endpoint itself has to hold up on its own. Organizations that stand the best chance of prioritizing endpoint security and surviving a breach are those that apply the same urgency and reliability standards to endpoint protection that they apply to keeping their employees’ phones working.

Sensitive data for sale

Endpoints attract special attention because they hold key data such as Protected Health Information (PHI). Such data sells for up to $1,000 a record on the dark web today, according to Experian. Attackers concentrate on endpoint devices containing PHI and Personally Identifiable Information (PII) because this data is among the hardest to track and the easiest to sell.

Absolute’s survey found that, on average, 73% of all endpoint devices contain sensitive data. Financial Services and Professional Services lead all industries, with sensitive data found on 81% of their endpoint devices. For the purposes of the survey, sensitive data is any information whose exposure could trigger a data breach notification (e.g., credit card data, protected health information [PHI], personally identifiable information [PII]).

[Figure: bar chart of endpoints holding sensitive data, by industry]

Above: Sensitive data resides on vulnerable endpoints. Financial services endpoints are a major target.

Image Credit: Absolute Software

Sensitive data is running rampant across endpoints today, made more vulnerable by organizations relying on dated technologies, including the domain controllers mentioned earlier. It is not surprising that Absolute finds nearly one in four endpoints (23%) carry the unfortunate combination of highly sensitive data and insufficient security controls, and that a further one in four (25%) are not fully protected either.

Software conflicts compromise endpoints

Adding too many conflicting software clients to each endpoint weakens the entire network, because clients that compete for the same system hooks, disable one another, or silently stop reporting leave gaps in endpoint coverage. Attackers using advanced scanning techniques can find those gaps and exploit them.

What does this vulnerable endpoint clutter look like? The average device carries 96 unique applications, 13 of them mission-critical. Client sprawl is growing: endpoints averaged 11.7 software clients or security controls per device in 2021, and nearly two-thirds of endpoint devices (66%) have two or more encryption apps installed.

Endpoint software configurations are so overbuilt that multiple clients for the same task are common: 52% of devices have three or more endpoint management tools installed, and 11% have two or more identity and access management (IAM) clients.

[Figure: bar chart of endpoints with multiple controls of the same type]

Above: Endpoints today are overbuilt with a confusing mix of software clients.

Image Credit: Absolute Software

Patch procrastinating increases breach risk

Putting off patch updates on endpoint devices is like leaving the front door of your home wide open while you are on vacation. Attackers know which OS versions carry the most exploitable known vulnerabilities and look for organizations that have standardized on them.

For example, learning that an entire corporate network’s endpoints run Windows 10, version 1909, is invaluable to an attacker devising a breach strategy. That version is estimated to have over 1,000 known vulnerabilities, and any of them a device has not been patched against is a well-documented entry point.

Absolute’s survey found that over 40% of the Windows 10 devices analyzed were running version 1909, and that the average Windows 10 enterprise device was 80 days behind on the latest OS patches. Despite FBI warnings of more successful cyberattacks on health care as operating systems reach end of life, health care has the highest proportion of endpoints still running Windows 7 (10%) and the lowest running Windows 10 (89%). Financial services shows the longest upgrade lag, with 91% of its devices two or more OS versions behind.

Above: Endpoint patching is seldom up to date. Upgrades lag.

Image Credit: Absolute Software

Formulating an endpoint protection strategy

Any business can take steps to start protecting its endpoints. Contrary to what many cybersecurity vendors would have you believe, you do not have to go all-in on an entire platform or a prolonged infrastructure project to protect endpoints.

There are several actions you can take today. They include:

Turn on multi-factor authentication (MFA) for all devices and applications now, and stop relying solely on passwords. As a first step toward protecting every endpoint from a potential breach, make MFA a requirement for access to every endpoint. Even if you have Okta or another single sign-on platform in place, still configure MFA on it. Passwords are one of the most significant weaknesses of any endpoint; devise a long-term strategy to move away from them toward passwordless authentication. Evidence shows roughly 80% of breaches start with a compromised password or stolen privileged-access credentials.

Adopt tools that provide real-time monitoring of endpoint device health, scale with the fleet, and inventory the software agents on each endpoint. Endpoint tools that deliver real-time device health data make it possible to spot a device whose configuration could lead to compromise (an agent that has stopped reporting, or an encryption client that is installed but not enforcing policy). The end goal is to capture both IT asset management and security risk assessment data per device.

Audit any email security suites already installed to see how they are configured and whether they need updates. It is common to find email security suites bought years ago that are a year or more behind on patches and still running default settings, which attackers long ago learned to bypass. Update them immediately, change the default configurations, and periodically test how effective they are against malware, phishing, and other attacks.

Increase the frequency and depth of vulnerability scans across your network and endpoints for greater visibility and earlier warning of potential incidents. Many network monitoring applications can run vulnerability scans on a schedule. If scans are done manually, automate them as soon as possible, along with reporting that flags anomalies in the results and sends alerts.

Have employees take more cybersecurity training, including the courses offered by LinkedIn Learning, which lists 752 cybersecurity courses today, 108 of them on practical cybersecurity. Given how sophisticated social engineering attacks have become, keep your organization current on recognizing and defeating them.
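The posture checks behind the report’s figures (overlapping clients per control category, feature releases and days behind on patching, sensitive data on an under-protected device) are the same checks the real-time inventory tooling recommended above should run. The script below is an added example, not code from Absolute Software or VentureBeat: it audits a constructed inventory export for exactly those conditions. The three host records, the agent-name-to-category mapping, the 30-day patch SLA, and the "encryption plus EDR" baseline for devices holding sensitive data are all assumptions made for illustration; the Windows 10 release sequence is real, with 21H1 taken as the current release.

```python
"""Endpoint posture audit over an inventory export (added example).

The records, agent names, category mapping and thresholds below are
constructed for illustration; they are not Absolute's data or tooling.
"""
from collections import Counter
from datetime import date

# Windows 10 feature releases in release order (real names). The last
# entry is assumed to be the current release at audit time.
WIN10_RELEASES = ["1507", "1511", "1607", "1703", "1709", "1803", "1809",
                  "1903", "1909", "2004", "20H2", "21H1"]
EOL_OS = {"Windows 7"}                      # out of support since January 2020

# Hypothetical agent-name -> control-category mapping, as an inventory
# tool might export it. The agent names are illustrative.
AGENT_CATEGORY = {
    "BitLocker": "encryption", "VendorCrypt": "encryption",
    "SCCM": "management", "Intune": "management", "OtherMDM": "management",
    "LegacyRMM": "management",
    "OktaVerify": "iam", "DuoDesktop": "iam",
    "AcmeEDR": "edr",
}
# Buckets the report uses for overlapping controls on one device.
DUPLICATE_THRESHOLDS = {"encryption": 2, "management": 3, "iam": 2}
PATCH_LAG_LIMIT_DAYS = 30                   # assumed internal patch SLA
REQUIRED_CATEGORIES = {"encryption", "edr"}  # assumed baseline for sensitive-data hosts
AUDIT_DATE = date(2021, 5, 18)              # "today" for the constructed sample

# Constructed sample inventory: three hosts, not real devices.
INVENTORY = [
    {"host": "fin-lt-01", "os": "Windows 10", "release": "1909",
     "last_patch": date(2021, 2, 9), "sensitive_data": True,
     "agents": ["BitLocker", "VendorCrypt", "SCCM", "Intune", "OtherMDM",
                "OktaVerify", "DuoDesktop"]},
    {"host": "hc-ws-07", "os": "Windows 7", "release": None,
     "last_patch": date(2020, 1, 14), "sensitive_data": True,
     "agents": ["LegacyRMM"]},
    {"host": "eng-lt-12", "os": "Windows 10", "release": "21H1",
     "last_patch": date(2021, 5, 11), "sensitive_data": False,
     "agents": ["BitLocker", "Intune", "OktaVerify", "AcmeEDR"]},
]


def control_counts(agents):
    """Installed agents per control category; agents not in the mapping are ignored."""
    return Counter(AGENT_CATEGORY[a] for a in agents if a in AGENT_CATEGORY)


def duplicate_controls(agents):
    """Categories where a device carries enough overlapping clients to fall into a report bucket."""
    counts = control_counts(agents)
    return {cat: counts[cat] for cat, limit in DUPLICATE_THRESHOLDS.items() if counts[cat] >= limit}


def versions_behind(release):
    """Feature releases between `release` and the newest Windows 10 release; None if unrecognised."""
    if release not in WIN10_RELEASES:
        return None
    return len(WIN10_RELEASES) - 1 - WIN10_RELEASES.index(release)


def patch_lag_days(last_patch, today):
    """Days since the device last took an OS patch."""
    return (today - last_patch).days


def audit_endpoint(rec, today):
    """Return the list of posture findings for one inventory record."""
    findings = []
    for cat, n in duplicate_controls(rec["agents"]).items():
        findings.append(f"{n} {cat} clients installed (overlapping controls)")
    if rec["os"] in EOL_OS:
        findings.append(f"end-of-life OS {rec['os']}")
    elif rec["os"] == "Windows 10":
        behind = versions_behind(rec["release"])
        if behind is None:
            findings.append(f"unrecognised Windows 10 release {rec['release']}")
        elif behind >= 2:                   # the report's "two or more versions behind" bucket
            findings.append(f"{behind} feature releases behind")
    lag = patch_lag_days(rec["last_patch"], today)
    if lag > PATCH_LAG_LIMIT_DAYS:
        findings.append(f"patch lag {lag} days")
    missing = REQUIRED_CATEGORIES - set(control_counts(rec["agents"]))
    if rec["sensitive_data"] and missing:
        findings.append("sensitive data without " + ", ".join(sorted(missing)))
    return findings


def summarize(inventory, today):
    """Fleet-level figures in the same shape as the report's headline numbers."""
    n = len(inventory)
    multi_enc = sum(1 for r in inventory if "encryption" in duplicate_controls(r["agents"]))
    exposed = sum(1 for r in inventory
                  if r["sensitive_data"] and REQUIRED_CATEGORIES - set(control_counts(r["agents"])))
    return {
        "hosts": n,
        "pct_multiple_encryption": round(100 * multi_enc / n),
        "pct_sensitive_underprotected": round(100 * exposed / n),
        "mean_patch_lag_days": round(sum(patch_lag_days(r["last_patch"], today) for r in inventory) / n),
        "findings": {r["host"]: audit_endpoint(r, today) for r in inventory},
    }


if __name__ == "__main__":
    report = summarize(INVENTORY, AUDIT_DATE)
    for host, findings in report["findings"].items():
        print(host, "->", "; ".join(findings) or "no findings")
    print({k: v for k, v in report.items() if k != "findings"})
```

Run against a real export, the per-host findings are what an endpoint team would triage (the finance laptop in the sample trips every bucket: two encryption clients, three management clients, two IAM clients, three feature releases behind, and no EDR despite holding sensitive data), while the percentages are the fleet-level numbers to track over time as clients are consolidated and patch lag comes down.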

Better threat detection starts at the endpoints

For endpoint security to improve, CIOs and IT teams must re-evaluate how many software clients run on each endpoint device and consolidate them to a manageable number. Today there are so many clients per endpoint that they conflict with one another and accidentally create the security gaps attackers look to exploit.

OS patching cadence on endpoint devices also has to improve. Ignoring patch release dates is unacceptable: organizations that procrastinate on patching are practically inviting a breach, especially if they are still running Windows 10, version 1909.

The Absolute 2021 Endpoint Risk Report clearly shows why endpoints also need greater visibility and control, with better real-time monitoring. The cybersecurity industry needs to step up its innovation and deliver asset management down to the configuration level, with more prescriptive threat detection and incident response. There is a great deal of hype around self-healing endpoints; the industry needs to double down on that part of its product strategy and deliver, because organizations will need more self-regenerative endpoints as attack sophistication increases.

VentureBeat
