For years the primary focus of security has been securing the endpoints. If we can just protect the desktops and laptops and tablets and smartphones from malicious exploits and prevent them from being compromised, then all would well. The problem is that it’s virtually impossible to assure the endpoint is secure. That’s why you should assume the endpoint will be compromised, and focus instead on ensuring the sensitive data on the endpoint is secure.
I’m not suggesting you throw in the towel or raise the white flag on endpoint security. You still have to employ reasonable defenses, and follow established best practices. Your endpoints should have essential protection like a firewall, and antimalware software. You still want to make it a challenge and deter or block the attacks you can. You just need to also be realistic and understand that compromise is more a matter of “when” than “if”.
Protect Data at Rest
Sensitive data should be encrypted. Even if an attacker is successful in compromising the endpoint, it should not enable them to access things like confidential company data, customer information, or other sensitive data.
You should use encryption technologies like Truecrypt or PGP, or use the built-in BitLocker encryption available in many versions of Microsoft Windows. Depending on what encryption tool you use, it will either encrypt the entire hard drive, or just designated folders. If it does encrypt only designated folders, you need to ensure that users know where those folders are, and develop a habit of storing sensitive information in the appropriate location.
One issue with encryption, however, is that most encryption solutions are designed to enable seamless access for authorized users. In other words, there is no additional authentication that occurs in order to access the encrypted data—once the user is logged in, the data is accessible just like the unencrypted data. The reason that’s a problem is that most attacks allow the attacker to use the system with the same privileges as the currently logged in user—which means unfettered access to encrypted information.
Secure Data After Compromise or Loss
Encryption is like the firewall and antimalware protection—it’s a layer of protection that makes it more difficult for attackers, but it isn’t impervious. For true protection of sensitive data on an endpoint, you need a way to erase or remove the sensitive data in the event of an endpoint being lost, stolen, or compromised.
Most tablets and smartphones have features that allow the entire contents to be wiped remotely. There are also a variety of mobile device management solutions that enable IT admins to remotely erase sensitive data from a device. With Windows 8.1, Microsoft has added the ability for IT admins to erase company data remotely from Windows 8.1 endpoints as well.
Hopefully your endpoint security will protect you, and you won’t have to worry about compromised endpoints. It’s unlikely, but possible. The important thing, though, is that you assume your endpoints will be compromised, and put tools and processes in place that enable you to protect or erase your sensitive data to keep it out of the hands of the attackers.