Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome back to the deep dive.
Speaker 2 (00:01):
You know, if you're involved in cybersecurity, you know that
the fundamental war zone has, well, it's completely changed. For decades,
the priority was building this impenetrable fortress, you know, around
the central server room, the mainframe. But now the perimeter
is just gone.
Speaker 3 (00:18):
That's the critical shift. Today the security battle is fought,
well, everywhere else, everywhere. And our mission in this deep
dive is to really distill the core strategies of what
we call endpoint.
Speaker 2 (00:30):
Security, so securing the network right where people are actually
using it.
Speaker 3 (00:34):
Exactly. We're talking about protecting every single device that connects,
no matter how small or how strange it might seem.
Speaker 2 (00:41):
Okay, let's set the stage here, because this shift wasn't random.
If we go way back, say pre-nineteen eighties, what
was the model for computing?
Speaker 3 (00:50):
It was the host terminal model. Just picture a massive central.
Speaker 2 (00:54):
Supercomputer taking up a whole floor.
Speaker 3 (00:56):
Yeah, exactly, and users would access it using what we
now call dumb terminals.
Speaker 2 (01:01):
Dumb terminals, meaning they had no real computational power.
Speaker 3 (01:04):
None at all. They were just input and output screens,
a keyboard and a monitor. So if you wanted to
attack the network, you had one option: go after the
central host.
Speaker 2 (01:15):
The fortress was the only target. But then the PC
revolution happened, Apple, Microsoft, IBM, and that just changed computing forever.
It pushed all the power out.
Speaker 3 (01:25):
It did. We shifted into what's called the client-server model,
a truly distributed system. All of a sudden, the computational
power moved onto the user's desktop, the endpoint, the endpoint,
and this distributed the targets across the entire organization.
Speaker 2 (01:38):
And this is the key insight for attackers, right? Since
every endpoint now has power and is a gateway to
the network, it's often easier and I guess lower risk
to target a user's phone than to try to breach
the main server directly.
Speaker 3 (01:53):
It absolutely flips the risk reward ratio for them. I mean,
the weakest link problem just gets amplified tenfold when every
device is its own little computer.
Speaker 2 (02:02):
So defending the modern endpoint is, well, it's non-negotiable.
Speaker 3 (02:05):
Absolutely, So let's define that.
Speaker 1 (02:06):
What is a modern endpoint? It's way more than just
a desktop computer now, isn't it?
Speaker 3 (02:10):
Oh, far beyond. I mean, you have the traditional stuff,
your laptops and desktops, but then you have this whole mobile.
Speaker 2 (02:15):
Frontier, smartphones, tablets.
Speaker 3 (02:17):
Yep, e-readers, smart watches, even smart bands. Yeah, even
if they connect indirectly through Bluetooth before they hit Wi-Fi,
they're still a vector we have to think about.
Speaker 2 (02:27):
But this is where it gets really interesting and frankly
a bit frustrating for security pros. It's the IoT category,
the Internet of Things.
Speaker 3 (02:34):
Yes, the non-traditional devices.
Speaker 2 (02:37):
Things that were never designed with security as a primary concern,
like smart TVs in conference rooms, HVAC systems, industrial
controllers on a factory.
Speaker 3 (02:46):
Floor, and those IoT devices are often a huge risk.
They might be running ancient operating systems or have default
passwords that are incredibly easy to guess. A vulnerability there
can give an attacker a surprisingly easy way onto the
corporate network.
Speaker 2 (03:01):
They become the back door.
Speaker 3 (03:02):
They absolutely do.
Speaker 2 (03:03):
So if we have this giant, sprawling mess of devices,
some of which we can't really secure, like that old
industrial controller, how do we stop one compromised device from
taking down the whole system?
Speaker 3 (03:16):
You use containment, and that requires network segmentation.
Speaker 1 (03:20):
Okay.
Speaker 3 (03:20):
The basic idea is you break up your network into
smaller isolated subnetworks using what are called virtual local area networks.
Speaker 2 (03:29):
Or VLANs. So instead of one big open-plan office,
it's more like a building with lots of separate locked-down floors.
Speaker 3 (03:36):
That's a perfect analogy. The immediate benefit is containment. If
an attacker compromises a vulnerable device, say a smart thermostat,
they're stuck in that small segment.
Speaker 2 (03:47):
They can't just pivot and start looking for the finance
servers. Exactly.
Speaker 3 (03:50):
Those critical assets are segregated on a completely different VLAN.
For those really tricky IoT devices, the best practice is
to put them on their own special isolated.
Speaker 2 (04:01):
VLAN, give them just enough access to function and nothing more.
Speaker 3 (04:04):
Nothing more. It's all about limiting that lateral movement.
Speaker 2 (04:06):
Okay, that makes sense for containment. Let's move into active defenses.
The baseline, of course, is anti-malware software. What's a
surprising fact about who often gets targeted and who neglects this?
Speaker 3 (04:18):
What's often overlooked is that information security professionals, you know,
says Evans, are prime targets.
Speaker 1 (04:23):
The people with the keys to the kingdom.
Speaker 3 (04:25):
Right. Attackers know they hold the high-level credentials, privileged access,
maybe even the master encryption keys. Compromising an infosec machine
is a massive win for an attacker.
Speaker 2 (04:36):
So we need to protect the protectors. If you're someone
with that kind of elevated access, what's a simple, mandatory
control you should be using?
Speaker 3 (04:44):
You have to use dual administrator accounts, no question. Your
daily account for email, browsing, writing docs should be a
standard user.
Speaker 2 (04:54):
Account. Zero special privileges, zero.
Speaker 3 (04:57):
You then have a completely separate privileged administrator account that
you only use for administrative tasks.
Speaker 2 (05:02):
That seems so simple, but it offers huge protections.
Speaker 1 (05:05):
So why don't more people do it?
Speaker 3 (05:06):
It's convenience, pure and simple. Switching accounts, it feels like friction,
you know, but that tiny bit of inconvenience saves you
from a total loss of confidentiality if your daily account
gets phished. The trade-off is a no-brainer.
Speaker 2 (05:17):
Agreed. So how do big organizations make sure this anti-malware
gets deployed everywhere?
Speaker 3 (05:22):
Automation is everything. You have to rely on automated methods
like Group Policy in a Windows world or package managers
for Mac and Linux. You need one hundred percent coverage.
Speaker 2 (05:33):
Because one unprotected machine can ruin everything.
Speaker 3 (05:36):
So it's that one weak link. Yeah. What about mobile phones?
Do you really need traditional anti-malware on your personal phone
that just gets company email?
Speaker 2 (05:44):
It's a debate, but organizations should at least mandate the
use of content blockers on mobile devices.
Speaker 3 (05:50):
Why content blockers specifically? To prevent malvertising.
Speaker 2 (05:54):
That's malware that gets distributed silently through web ads, and
it's a huge attack vector, especially on mobile where patching
isn't always immediate.
Speaker 3 (06:02):
Okay, so the software is installed. How does the network
actually enforce this? How does it keep a sick machine
from infecting everyone else?
Speaker 2 (06:09):
That is the job of network access control, or NAC.
NAC basically checks a device's security health before, or sometimes
after, it connects. There are really two ways to go
about it.
Speaker 3 (06:21):
Let's start with the proactive, the sort of gatekeeper approach. Right.
Proactive NAC is the strictest. A device has to pass
a security check. Is anti-malware installed? Is it patched? Is
a firewall active? Before it gets any network access at all.
Speaker 2 (06:37):
That sounds great for security, but in our CIA triad,
what's the immediate trade-off?
Speaker 3 (06:42):
It hits availability. If a user is traveling and can't
update their antivirus, they're locked out. They can't work. But
the organization is choosing to prioritize confidentiality and integrity.
Speaker 2 (06:52):
Over that. And what's the other approach, the reactive one?
Speaker 3 (06:55):
That's reactive NAC. Here, systems are monitored while they're connected.
If malware is detected, or if a machine starts acting suspiciously.
Speaker 1 (07:03):
Like trying to scan the whole network.
Speaker 3 (07:04):
Exactly, that computer is immediately kicked off the network and
put into quarantine until it's cleaned up.
Speaker 2 (07:09):
Okay. So if NAC is the bouncer at the door,
what tools do we use for surveillance inside the really
high-value rooms?
Speaker 3 (07:15):
That's where you bring in host-based intrusion detection and
prevention systems, HIDS or HIPS.
Speaker 2 (07:22):
And these aren't for every computer, are they?
Speaker 3 (07:24):
No, no. These are specialized systems you deploy to protect
a single high-value asset, a server with your company's
secret formula, for instance. A HIDS does incredibly granular monitoring
right on that device, logs events, system files, to make
sure nothing changes without authorization.
Speaker 1 (07:41):
That sounds robust.
Speaker 2 (07:42):
So let's pivot now from active defense to endpoint hardening,
which is more about preventing the attack before it can even.
Speaker 3 (07:49):
Start. Hardening is a philosophy, really. It's about reducing your possible
attack vectors.
Speaker 1 (07:54):
Your attack surface.
Speaker 3 (07:55):
Exactly. If a service isn't running, an attacker can't exploit it.
The whole goal is to disable or remove every single
unnecessary feature, service and application. If it's not providing business value,
but it is providing risk, get rid of it.
Speaker 2 (08:08):
Let's use a classic example of this trade-off: telnet.
Ah, telnet.
Speaker 3 (08:12):
Yes, it's an old, completely insecure protocol. It sends passwords
and all data in plaintext.
Speaker 1 (08:18):
So anyone listening can.
Speaker 3 (08:19):
Just read it, anyone. Disabling the telnet client is a
standard hardening step. Now, some user might call the help
desk saying they can't connect to some ancient device, but
the huge gain in confidentiality far outweighs that minor inconvenience.
Speaker 2 (08:35):
It really hammers home that your network is only as
secure as the single least secure device connected to it.
Speaker 3 (08:41):
That's the mantra.
Speaker 1 (08:42):
So what are the.
Speaker 2 (08:43):
Key hardening methods we should all be thinking about?
Speaker 3 (08:46):
Number one, and it can be tedious, is patch management.
You have to patch systems, but, and this is critical,
you have to use a change control system to test
those patches first.
Speaker 2 (08:56):
Because you don't want the cure to be worse than
the disease.
Speaker 3 (08:58):
Right. You don't want a security update breaking a critical
application. Next up is strong triple A: authentication, authorization and accounting.
Speaker 2 (09:06):
So complex passwords, disabling old accounts like the guest account,
all of.
Speaker 3 (09:11):
That, and aggressively closing any open ports or protocols that
you don't absolutely need.
Speaker 2 (09:15):
I'm also seeing a big push to isolate applications from
the operating system itself.
Speaker 3 (09:20):
Yes, using containers or virtual machines, VMs, to sandbox applications
is huge. It's isolation. If a vulnerability is exploited inside
the app, it's trapped inside the container. It can't affect
the host OS.
Speaker 1 (09:34):
What about just, you know, someone walking up to a computer?
Speaker 3 (09:37):
Simple stuff. You need strong account lockout policies. Yeah, too
many failed password attempts, the account locks. And for every
single device, mobile included, enable automatic screen locking after just
a minute or two of inactivity.
Speaker 2 (09:50):
And the final piece of hardening: making sure that even
if an attacker gets in, the data they find is
useless to them.
Speaker 3 (09:56):
That's encryption, robust encryption. You need it for data at
rest, so data on a hard drive or a flash drive,
and for data in transit, using protocols like TLS or
IPsec when systems talk to each other.
Speaker 2 (10:08):
Everything we've talked about works for PCs. But the final
and maybe most complex frontier is the mobile phone. It's
this blend of personal data and critical business data.
Speaker 3 (10:18):
It is, and that's why Mobile Device Management, or MDM,
is absolutely essential. I mean, any organization with a BYOD,
bring your own device, policy is operating with massive risk
if they don't have an MDM solution.
Speaker 2 (10:29):
If a phone with company secrets on it gets lost
or stolen, what's the MDM's single most important feature?
Speaker 3 (10:35):
The ability to perform a remote.
Speaker 2 (10:37):
Wipe. Instantly delete all the corporate data, instantly.
Speaker 3 (10:40):
But MDM also enforces all those baselines we talked about,
screen locks, strong password requirements, account lockouts.
Speaker 2 (10:47):
And how does it handle the thousands of apps a
user could install?
Speaker 3 (10:51):
Through application control, you can either whitelist or blacklist apps.
Whitelisting is super restrictive. Only approved apps are allowed, like
the Apple App.
Speaker 1 (11:00):
Store model. Blacklisting?
Speaker 3 (11:01):
Blacklisting allows most things, but specifically blocks apps that the
company has identified as malicious or risky. Either way, the
goal is just to reduce that risk, and.
Speaker 2 (11:11):
There are plenty of platforms for this out there.
Speaker 3 (11:13):
Oh yeah, tons. Microsoft Enterprise Mobility, VMware's AirWatch, and others.
The real key is just matching the solution to your
company's specific security needs.
Speaker 2 (11:22):
This has been a really productive deep dive. I mean,
we've established the old perimeter is a memory, and real
security now is all about defense in depth, right at
the device level. We've hit active protection, anti-malware, NAC,
HIDS, and then hardening, which is all about reducing the
attack surface.
Speaker 3 (11:40):
It really just highlights that every new connection, every new
device you add, is a brand new perimeter that you
have to consciously go out and defend.
Speaker 2 (11:48):
So to wrap this up and reinforce the learning, let's
leave you, the listener, with a quick review exercise. Okay,
you discover a legacy industrial control system. It's a critical
IoT device. It has to stay connected to your network,
but you know its security is terrible. Which two security
measures we talked about are immediately required to minimize the
risk this one device poses to your entire corporate network?
Speaker 3 (12:12):
Think about two things. How do you limit its ability
to spread damage, and how do you limit what an
attacker can even do on it to begin with? The
answers are in aggressively using VLAN segmentation and then extensive hardening.
Speaker 2 (12:25):
So you wall it off, and you turn off everything you.
Speaker 3 (12:27):
Don't need. Exactly. Disable all those unnecessary services and ports.
Speaker 2 (12:30):
Always keep those endpoints locked down. Thanks for diving in
with us. We'll see you next time.