Endpoint Security [Paperback]

Mark Kadrich (Author)

Book Description

ISBN-10: 0321436954 | ISBN-13: 978-0321436955 | Publication Date: April 9, 2007 | Edition: 1

<>

A Comprehensive, Proven Approach to Securing All Your Network Endpoints!

 

Despite massive investments in security technology and training, hackers are increasingly succeeding in attacking networks at their weakest links: their endpoints. Now, leading security expert Mark Kadrich introduces a breakthrough strategy to protecting all your endpoint devices, from desktops and notebooks to PDAs and cellphones.

 

Drawing on powerful process control techniques, Kadrich shows how to systematically prevent and eliminate network contamination and infestation, safeguard endpoints against today’s newest threats, and prepare yourself for tomorrow’s attacks. As part of his end-to-end strategy, he shows how to utilize technical innovations ranging from network admission control to “trusted computing.”

 

Unlike traditional “one-size-fits-all” solutions, Kadrich’s approach reflects the unique features of every endpoint, from its applications to its environment. Kadrich presents specific, customized strategies for Windows PCs, notebooks, Unix/Linux workstations, Macs, PDAs, smartphones, cellphones, embedded devices, and more.

 

You’ll learn how to:

 •  Recognize dangerous limitations in conventional

endpoint security strategies

 •  Identify the best products, tools, and processes to secure your specific devices and infrastructure

 •  Configure new endpoints securely and reconfigure existing endpoints to optimize security

 •  Rapidly identify and remediate compromised

endpoint devices

 •  Systematically defend against new endpoint-focused malware and viruses

 •  Improve security at the point of integration between endpoints and your network

 

 

Whether you’re a security engineer, consultant, administrator, architect, manager, or CSO, this book delivers what you’ve been searching for:

a comprehensive endpoint security strategy that works.

Mark Kadrich is President and CEO of The Security Consortium, which performs in-depth testing and evaluation of security products and vendors. As Senior Scientist for Sygate Technologies, he was responsible for developing corporate policies, understanding security trends, managing government certification programs, and evangelization. After Symantec acquired Sygate, Kadrich became Symantec’s Senior Manager of Network and Endpoint Security.

 

His 20 years’ IT security experience encompasses systems level design, policy generation, endpoint security, risk management, and other key issues.

 

 
 Foreword         

 Preface

 About the Author          

Chapter 1          Defining Endpoints        

Chapter 2          Why Security Fails       

Chapter 3          Something Is Missing   

Chapter 4          Missing Link Discovered

Chapter 5          Endpoints and Network Integration          

Chapter 6          Trustworthy Beginnings 

Chapter 7          Threat Vectors  

Chapter 8          Microsoft Windows        

Chapter 9          Apple OS X      

Chapter 10        Linux   

Chapter 11        PDAs and Smartphones

Chapter 12        Embedded Devices     

Chapter 13        Case Studies of Endpoint Security Failures        

Glossary          

Index   

 

 

Editorial Reviews

About the Author

For the past 20 years, Mark Kadrich has been a contributing member of the security community. His strengths are in systems-level design, policy generation, endpoint security, and risk management. Mr. Kadrich has been published numerous times and is an avid presenter.

 

Mr. Kadrich is presently president and CEO of The Security Consortium (TSC), a privately held company whose mission is to provide better security product knowledge to their customers. TSC performs in-depth testing and evaluation of security products and the vendors that provide them. As CEO and chief evangelist, Mr. Kadrich is responsible for ensuring that the company continues to grow successfully. After the Symantec acquisition of Sygate Technologies, Mr. Kadrich took a position as senior manager of network and endpoint security with Symantec. His role was to ensure that the Symantec business units correctly interpreted security policy during their pursuit of innovative technology solutions.

 

Mr. Kadrich was senior scientist with Sygate Technologies prior to the Symantec acquisition. In his role as senior scientist, Mr. Kadrich was responsible for developing corporate policies, understanding future security trends, managing government certification programs, and evangelizing on demand. Mr. Kadrich joined Sygate through the acquisition of a start-up company (AltView) of which he was a founding member. As a founding member of AltView, Mr. Kadrich was the principal architect of a system that scanned and contextualized the network, the endpoints on it, and built a detailed knowledge base. Eventually known as Magellan, the system could determine what endpoints were on a network, how the network was changing, what endpoints were manageable, and if they were being managed.

 

As CTO/CSO for LDT Systems, Mr. Kadrich assisted with the development and support of a Web-based system used to securely capture and track organ-donor information. Mr. Kadrich was director of technical services for Counterpane Internet Security. He was responsible for the generation of processes that supported and improved Counterpane’s ability to deploy and support customer-related security activities Mr. Kadrich was director of security for Conxion Corporation. As the director of security, his role was to plot the strategic course of Conxion’s information security solutions.

 

Prior to Conxion, he was a principal consultant for International Network Services (INS), for which he created a methodology for performing security assessments and interfaced with industry executives to explain the benefits of a well-implemented security program.

 

Mr. Kadrich is a CISSP, holds a Bachelor of Science degree in Management Information Systems from the University of Phoenix, and has degrees in Computer Engineering and Electrical Engineering (Memphis, 1979). Publications contributed to include TCP Unleashed, Publish Magazine, Planet IT, RSA, CSI, and The Black Hat Briefings.

 

Excerpt. © Reprinted by permission. All rights reserved.

Preface

"That was some of the best flying I've seen to date –

right up to the part where you got killed."

Jester to Maverick in the Movie Top Gun

Introduction

I suppose that's the thing that bothers me the most: the fact that we think that we're doing great right up to the moment that the network melts down. Over the years we've seen the number of security tools deployed on our networks increase to the point where we are completely surprised when our computing environments are devastated by some new worm. But how can this happen you ask? How can we be spending so much money to increase our security and still be feeling the pain of the worm de jour? And not just feeling this pain once or twice a year, we're feeling it all the time.

To begin to answer this question, all one has to do is pop 'vulnerability' into Google and sit back and wait. My wait took a mere .18 seconds and returned over 69 million hits. Adding the word 'hacker' added an additional .42 seconds but did have the benefit of reducing the pool of hits to a tad over 4.2 million. Over 4 million pieces of information in less then half a second and for free! Now that's value.

So, getting back to our problem and looking at the results pretty much sums up our present situation. We're buried under all sorts of vulnerabilities and we're constantly struggling to get on top of the things. The problem of patching vulnerabilities is so big that an entire industry has sprung up just to address the problem. The problem of analyzing and generating patches is so big that Microsoft changed its release policy from an "as needed" to a "patch Tuesdays".

What are they really trying to address with the patches? One may think that it's about protecting the endpoint. What we're going to call endpoint security. This is a big topic of discussion. If we go back to Google and type in 'endpoint security' we get a little over 2.5 million hits. We can reduce that stratospheric result by typing in the word 'solution'. Now we're down to a much more manageable 1,480,000 hits.

So what's the point? The point is that there are a lot of folks talking about the problem but they're doing it from the perspective of a vendor customer relationship: a relationship that is predicated on them selling you something, a solution, and you paying them for it. The shear motive of profit motivates vendors to produce products that they can sell. Marketing departments are geared toward understanding what people need and how to shape their product in a way that convinces you that they can fill your need. How many times have you gone back to visit a vendor web page only to be surprised that they now address your problem? Look at how many vendors moved from PKI (Public Key Infrastructure) to SSI (Single Sign On) and finally to IM (Identity Management). Why? Because nobody was buying PKI because of the enormous expense so the marketing departments decided to switch names or "repurpose" their product. Now it was about "leveraging their synergies" with the multiple sets of user credentials and promises of vastly simplified user experiences. When that tanked the marketing people invented IM. Yep, that's what I said, they invented IM so they could once again distance themselves from a failed marking ploy and get more people to give them more money. Profit.

Ask any CEO what his or her mission is and if they don't reply, "to maximize shareholder value" I'll show you a CEO soon to be looking for a new job. It's all about making sales numbers and generating profit. The more profit, the happier vendors and their shareholders are.

Now don't get me wrong, profit is a good thing. It keeps our system working and our people motivated. But when the system of generating profit still refuses to produce a good solution one must ask, "what is the real problem that we're trying to solve here?" I don't want to be part of the solution that says that the problem is how to maximize shareholder value; I want to be part of a solution that says that the problem was understanding a well defined set of criteria that ensured that my enterprise and the information that it produced were safe, trustworthy, and secure.

But for some strange vendor driven reason we can't seem to do that.

Overview

This book makes the assumption that if we've been doing the same thing for years and we continue to fail then we must be doing something wrong. Some basic assumption about what we're doing and why we're doing it is incorrect. Yes, incorrect. But we continue to behave as if nothing is wrong. The pain is there but now the problem is that it's so ubiquitous that we've become desensitized to it. Like the buzzing the florescent lights make (yes, they do make an annoying sound) or the violence on TV, we've just gotten so used to having it around we've come up with coping mechanisms to deal with it. Why hasn't anyone asked why the pain is there in the first place?

This book does.

This book is different because it uses a basic tenant of science to understand what the problem is and how to manage it. This book uses a process control model to explain why securing the endpoint is the smartest thing you can do to manage the problem of network contamination and infestation. We'll explain the differences between endpoints and how to secure them at various levels. We start with the basic tools and settings that come with each endpoint, move to those required tools such as antivirus, and progress to endpoints that have been upgraded with additional security protocols and tools, such as 802.1x and the supplicant, that enable a closed loop process control model that enforces a minimum level of security.

Intended Audience

If you're a security manager, security administrator, desktop support person, or someone that will be or is managing, responding or responsible for the security issues of the network, this book is for you. If your job depends on ensuring that the network is not just 'up' but functional as a tool for generating, sharing, and storing information, you'll want to read this book. If you've ever been fired because some script kiddie managed to gain access to the CEO's laptop, you'll want this book on your shelves. If you're worried about Barney in the cube next to yours downloading the latest 'free' video clip or the latest cool chat client, you want to buy this book and give it to your desktop administrator.

Intended Purpose

Many books describe how systems can be exploited or how vulnerabilities can be discovered and leveraged to the dismay of the system owner. If you're looking for a book on hacking, this isn't it. If that's what you want to do, this is the wrong book for you. Give it to your admin friend since I'm sure they're going to need it after you go get your book on hacking. So, Instead of the "hacker's eye" view, we're going to give you something a bit more useful to you: the practitioners eye view.

This book not only shows you what to look for, it also tells you why you should be looking for it. Yes, in some places it is somewhat of a step-by-step guide, but we believe in the axiom "give a man a fish and he eats for a day, but teach a man to fish and he eats for the rest of his life." It's a corny saying but it gets the message across pretty well.

We intend on teaching the reader how to configure his or her network to be secure by addressing the issue at its root: the endpoint.

This book also takes a look at how we got here in the hopes that we won't make the same mistakes again. Some of my reviewers took offence at chapter 2 because I placed a portion of the blame for much of our situation squarely on the shoulders of the vendors that have been crafting our solutions. Yes, there are open source security tools but they don't drive our security market.

My hope is that when you are done with this book that you will understand why I believe a closed loop process control model works and how to apply it in your day-to-day security solutions.

On Ignoring Editors, Who is "We", and "Them"

Editors are wonderful people. Many writers hate editors because they change the magnificent prose that the author has spent hours generating and refining. They reinterpret what the author has said and change the way the ideas are presented to the reader by changing the order of words or the use of tone. Some authors hate that. Not me. I'm a rookie and I'm lazy. This is a bad combination for a writer so I don't mind some constructive criticism. Usually.

We.

A simple word that when used by an author is supposed to imply that an intimacy between the author and the reader exists when the reader is engaged in the pages of the book. When an author says "we" it's supposed to mean that small group of people that the reader is tied to by the story line of the book.

That is unless the author isn't using the second person as a construct. For instance, the writer could mean the "we" of the group exclusive of the reader as in "we hacked into this computer to find evidence of kiddy porn". The reader is clearly not included in that group of "we".

So, why have I brought this up at the beginning of a book that's about endpoint security you might be asking? Because I made the mistake of using the word "we" throughout the book without explaining who "we" was each and every time. I thought it was obvious who "we" is.

My editor hated that. Politely, concisely, but nonetheless, she hated it.

Every...

Product Details

• Paperback: 384 pages
• Publisher: Addison-Wesley Professional; 1 edition (April 9, 2007)
• Language: English
• ISBN-10: 0321436954
• ISBN-13: 978-0321436955
• Product Dimensions: 9.2 x 7.1 x 0.9 inches
• Shipping Weight: 1.6 pounds (View shipping rates and policies)
• Average Customer Review: 3.6 out of 5 stars  See all reviews (5 customer reviews)
• Amazon Best Sellers Rank: #2,053,504 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews

8 of 8 people found the following review helpful:

3.0 out of 5 stars A confusing book with sound observations but an unworkable premise and prescription, July 18, 2007

By 

Richard Bejtlich "TaoSecurity" (Metro Washington, DC) - See all my reviews
(REAL NAME)   

This review is from: Endpoint Security (Paperback)

I really looked forward to reading Endpoint Security. I am involved in a NAC deployment, and I hoped this book could help. While the text does contain several statements that make sense (despite being blunt and confrontational), the underlying premise will not work. Furthermore, simply identifying and understanding the book's central argument is an exercise in frustration. Although Endpoint Security tends not to suffer any technical flaws, from conceptual and implementation points of view this book is disappointing.

This is a tough review to write, because the non-product-specific chapters (1-7) are conceptually all over the map. Let me start with the items I found true and useful in Endpoint Security. I appreciated this perception on p 15: "I don't agree with the notion that the perimeter has disappeared. It's just moving too fast to see." This is true on p 20: "[B]asic engineering processes aren't at work in the security industry... We continue to suffer failures, and we have no way of knowing when our security solutions are successful." And this, on p 33: "[W]e've failed the first test because we can't describe secure... because we don't understand the problem well enough, we don't have a way to predict success; the converse is that we can't predict failure." And this, on p 34: "[W]e, the security industry, are not using sound engineering or the scientific method to figure out what is wrong. Worse yet, we continue to make the same mistakes year after year. We rely on the vendors to tell us what the solution should be instead of turning the formulation of a solution into a science." I loved this, on p 39: "[M]any people honestly believe that the network is too complex to understand and that 'security' is the purview of hackers and vendors. I've actually had security people tell me in meetings that their network is too large, too distributed, and too complex to identify all the endpoints on it!" By now I was excited; I thought we had a winner.

In reality, on page 1 I knew Endpoint Security was going to have problems. The author starts by using an HVAC system as a process model. He completely ignores that an HVAC system is not being attacked by intelligent adversaries. If your model does not account for the creativity, persistence, and rule-breaking of an intelligent adversary, then your model will fail in the real world. For example, on p 39 the author says "This is not how engineers do things, and for all practical purposes, no matter how we got here, we are engineers." This is not true; if we are engineers at all, we are combat engineers -- and our systems are being assaulted. Building on the HVAC idea, the author tries to introduce control theory and closed-loop process control (CLPC) (without really saying what an "open" loop looks like). I say "tries" because his "explanation" makes no sense, despite the use of examples. I found the coverage on Wikipedia to get to the heart of the issue quicker and clearer. For example, the author mentions "PID" on p 55 and 64, but only expands the acronym on p 73 to show PID means proportional-integral-derivative. On p 46 he mentions "proportional process control methodology" as if the reader should know what this means. I found myself wondering if several sections were written out of order, and I only pieced together the argument by flipping around.

To save you the same trouble, the author's premise is that networks need a "basic proportional control," meaning "protocols, hardware, and software ... [that] automatically reconfigure themselves based on our dictated policy" (p 79). NAC is a means to "close the loop" by having a "basic proportional control" that ensures "each time the endpoint connects to the network... it represents a minimum level of compliance with corporate security policy" (p 175).

The huge conceptual holes in Endpoint Security are 1) the assumption that "feedback" for CLPC is reliable and trustworthy; and 2) compliance = integrity = trustworthiness. Regarding 1, the author is in one place bashing vendors, and in another relying on vendors to produce anti-virus, IDS, and other mechanisms to be reliable -- or else his model fails! For example, p 62 states "we can make some basic assumptions about our network: A) We have a system for probing our network for vulnerabilities; B) We have some way of identifying intrusion attempts." While A is possible to some degree, it is impossible to simply "assume away" the problems of B. An IDS isn't a thermometer that accurately reports temperature.

Regarding 2, Endpoint Security states on p 78 that answering the following questions "yes" means a "minimum level of trust." In brief, they are patched? firewalled? anti-virus? authorized applications? and authorized user? Unfortunately, answering "yes" to these questions does very little to presume the endpoint is trustworthy. Sadly, the author mocks Microsoft's (correct) stance on this issue. On p 172 Microsoft says "Network Access Quarantine Control is not a security solution. It is designed to help prevent computers with unsafe configurations from connecting to a private network, not to protect a private network form malicious users who have obtained a valid set of credentials."

Conceptual issues aside (and there are more, like calling embedded devices or handhelds "threats" instead of "assets" with "vulnerabilities" and "exposures"), Endpoint Security has practical problems. Each chapter on specific technologies features sections called "initial health check." The idea is to run these "tests" to validate integrity in case you don't start with a clean build. That is a recipe for disaster, and some of the book's recommendations are laughable. If your rootkit detection methodology relies on comparing netstat and Nmap output, you're going to lose. The Windows chapter is decent, but looking at a handful of registry keys is no way to assess security. (Check out Harlan Carvey's recent book instead.) The Linux chapter is sad; who uses Xandros as a commercial Linux distro? Why not use Red Hat Enterprise Linux (emphasis on Enterprise). Who remotely administers a Linux box with VNC? Mac OS X is not a FreeBSD variant; kernel mode rootkits written for FreeBSD will not work on Mac OS X. Worse, the author cannot recommend any host integrity tools (p 119); if this is true, how can the integrity of a host be assessed? Using those five criteria mentioned earlier? Forget it.

Worst of all, the author builds his entire model on implementing CLPC via NAC, relying on "closing the loop" as "the missing link" to security nirvana. Yet, when we read the product specific chapters (Windows, Linux, Mac OS X, PDAs/Smartphones, and Embedded) only Windows can "close the loop." Is this for real? Build a model and then say it can't be done right now? I appreciate the desire to look ahead, but why did I just read this book?

I didn't give this book 2 stars, because I reserve that rating for books with glaring technical errors. Endpoint Security gets 3 stars for its sound observations of the security space (listed above), but I found the rest of the book not worth reading (although I read the whole thing). I cannot fathom how the reviewers and editors of this book allowed such a confusing argument and unworkable premise and prescription to be published.

PS: The story about the "Patent Office" on p 13 is an urban myth; Google "Charles Duell".

6 of 6 people found the following review helpful:

3.0 out of 5 stars A few sound points but otherwise all over the place, October 1, 2007

By 

Chris Gates (NoVA, USA) - See all my reviews

This review is from: Endpoint Security (Paperback)

I think that Richard Bejtlich hit the nail on the head with his review. The book makes some sound points, like "we rely on the vendors to tell us what the solution should be instead of turning the formulation of a solution into a science" and "as devices connect to or leave the network, the perimeter changes, and so our security policy must adapt" but these aren't necessarily new ideas. The sound points are heavily diminished by the book's lack of focus. Its hard to say that he jumps around in a chapter because "the chapters" are laid out well and cover what they say they are going to cover but I kept reading waiting for him to get to the point of how to make my network and endpoints more secure. I got to the end of the book and I don't feel we ever got there.

The short answer is that he recommends using system hardening (baselining) and a NAC device to ensure secure configurations to protect your endpoints. He says end point devices are anything that extend outside your perimeter, the author breaks these up into:
Windows, Non-Windows, Embedded (printers, routers), mobile phones & PDAs, Palm, blackberry, windows CE/windows mobile, and Symbian OS. I had a couple of issues with his using a NAC as the end all, be all solution. For the sake of argument I'll concede that a NAC solution should protect my LAN from someone walking in an plugging in an unauthorized device or keeping a client that does not meet my specifications off the LAN by quarantining them (even though Ofir Arkin has spent plenty of time proving this isn't necessarily the case). What the NAC solution doesn't protect against is a public facing server with a vulnerability, those million client side "i got you to click on my link" exploits, or protect the network from any mobile devices (AV ends up being our only solution minus any baselining we can do).

I had issues with his unwaivering trust in NAC solutions and those agents that most of the time make that happen. Ch 6 starts off interestingly enough talking about how he doesn't trust software VPN solutions because they can have flaws but all throughout ch5 we are told to use NAC solutions that require a closed source agent to be installed on the endpoint. What gives? I'll take a mature open source solution over a relatively young closed source solution any day.

The book has chapters (8-12) on baselining Windows, OS X, Linux, Embedded Devices (Printers), and Mobile Devices. While not technically incorrect, its adds very little to existing information and is certainly not enough information to confidently lock down any of the systems mentioned. The Mobile Device threat and mitigation section which is probably the biggest threat to the current network is covered much better in BlackJacking. I was also disappointed to see nmap version 3.00 being used for scanning. Nmap v3.0 is years out of date.

My last set of gripes is with the author's assertion that we need to change our network diagrams (page 60). He says that we should throw out the Visio type diagrams and go with an engineering/circuit board type diagram. I found myself having to keep flipping back to see what the symbols meant. He gave the example of if you asked 3 network engineers to draw a diagram of a network you would get 3 different diagrams, but I would say that it doesn't matter if they use a firewall with a wall and flame or a wall with hatch marks 9 out of 10 times everyone will recognize that as a firewall where his version of a firewall that is two triangles with their point's meeting may not be recognized. The informIT site used to have Chapter 3 as a preview so you could see for yourself (wasn't working when I wrote this).

The book does have some good points, the idea of the ever changing perimeter that includes mobile devices as endpoints is a good way of looking at the current problem we have on hand. I also agree with the author on page 69 that "we have many security tools that can function as integral and derivative controls, but these tools are acting independently of each other and are not tied to a central controllable proportional process." I think he raises some good points but doesn't quite deliver on a solid way to fix those points in the book.

4 of 4 people found the following review helpful:

3.0 out of 5 stars I struggled with this one, September 16, 2007

By 

Stephen Northcutt (Kauai, HI USA) - See all my reviews
(REAL NAME)   

This review is from: Endpoint Security (Paperback)

The thing that does this book the most damage is the cover, the quote at the top says if you can read only one book before deciding on a NAC solution, make it this one.

Trust me, don't make this the one book you read. There is some good stuff in this, but I found I kept thinking, "and your point would be?"

Now, I need to be honest, I gave up somewhere in chapter 11, but I read the first half of the book twice thinking it would go better the second time.

One of the problems is the way the book uses charts and graphics, I am looking at figure 2-1 on page 27 for the third time and I would still be hesitant to say I "get it" enough to try to explain it to anyone else. On the next page is a terrible graphic of a fat plastic blob in a bikini with a caption saying sexy bikini-clad beauty. By the time I got to page 60 with the symbols that look a bit like circuit design, and have titles like "bang-bang", and "peer connector traffic neutral" I was done with pictures.

Don't get me wrong, there is good material in this book, I am sure the author knows his stuff, but you will have to struggle with cognitive dissonance to dig out the pearls.

If you happen to see this book in the book store, the forward by Howard Schmidt is a fun read.