Comments on: Endpoint Security’s Shifting Focus

By: ITKE Update: Cool new things around the site - ITKE Community Blog

ITKE Update: Cool new things around the site - ITKE Community Blog — Thu, 26 Aug 2010 15:58:11 +0000

[...] what the enterprise IT community thinks about certain timely topics in IT, from tape storage to the shifting focus of endpoint security. Search through the Open IT Forum tag to get what today’s enterprise IT professionals are [...]

By: mitrum

mitrum — Wed, 11 Aug 2010 06:15:29 +0000

I disabled USB ports and CD/DVDROM, Blue tooth, micro SD, MMC etc. in my organisation.

By: chippy088

chippy088 — Mon, 09 Aug 2010 21:43:54 +0000

I agree with Tom on this one.

Control through Active Directory can only help to control normal users. If you can set a control, it can be unset. I have the knowledge to circumvent many controls, and write scripts that get information from the system and have had to do it for clients.

Disabling physical ports and devices is only viable if the user doesn’t boot in safe mode. A thumb stick with an OS on it can be booted (sometimes) this way, Passwords for access to bios functions are a must.

I think the safest way for security is using Virtual machines. 90% more effective in controlling users trying to bypass security controls, as the local physical devices are not used in saving/printing.

Mobile devices are a bigger headache. They have to be controlled, but be flexible enough to allow comms from off site access points.

By: tomliotta

tomliotta — Sat, 07 Aug 2010 01:00:37 +0000

We tend to have other forms of control. We don’t block USB/CD/DVD, either because most of the PCs can’t operate without them (e.g., mouse/keyboard devices are USB and no dedicated mouse/keyboard ports exist) or because it’s almost trivial to simulate on disk (even a simple DOS SUBST command can “substitute” a directory for a CD/DVD drive letter). And who needs a printer to get copies of documents if I can view them on my PC monitor, while simultaneously recording hi-res video on my cell phone?

We run all common protection methods, e.g., AV, etc., and perform regular audits over automated monitoring. We authenticate and authorize according to job/position. We maintain a security policy and publicize it, along with notification of changes.

As a software vendor of network security, auditing and compliance products, we’re in a position where many employees can know more details about how to cause trouble than there are safeguards available. We’ve tended over the past decade to move towards a focus on relationships with employees and less on obstacles made of software or hardware mechanisms.

Fundamental safeguards will always be in place. This protects from mistakes made by the best of us. But clear authentication combined with authorizations that are capability- and object-based, for employees who have a solid relationship with their employer and who always have access to a good security policy, into systems with strong monitoring, all tend to make most issues disappear.

Certainly, there is a potential for serious malicious damage by insiders. OTOH, I’ve yet to see any other environment where that wasn’t true anyway.

Tom

By: jinteik

jinteik — Sun, 01 Aug 2010 07:51:27 +0000

yeah my office does the same too last time…they disable the USB port and CD/DVDROM not only in windows but in the BIOS and lock up the bios..

as for printer, only some computers are allowed to print.

we don’t allow any vendors to connect their laptop to our networks.

we too dont allow OWA and there is no wireless device in our office.