7. Endpoint Security

Uploaded by kondapalkala

What Is Endpoint Security?

Endpoint security is the practice of securing endpoints, the entry points of end-user
devices such as desktops, laptops, and mobile devices, from being exploited by
malicious actors and campaigns. Endpoint security systems protect these endpoints
on a network or in the cloud from cybersecurity threats. Endpoint security has
evolved from traditional antivirus software to providing comprehensive protection
from sophisticated malware and evolving zero-day threats.

Organizations of all sizes are at risk from nation-states, hacktivists, organized crime,
and malicious and accidental insider threats. Endpoint security is often seen as
cybersecurity's frontline and represents one of the first places organizations look to
secure their enterprise networks.

As the volume and sophistication of cybersecurity threats have steadily grown, so has
the need for more advanced endpoint security solutions. Today’s endpoint
protection systems are designed to quickly detect, analyze, block, and contain attacks
in progress. To do this, they need to collaborate with each other and with other
security technologies to give administrators visibility into advanced threats to speed
detection and remediation response times.

How does endpoint protection work?


Endpoint security is the practice of safeguarding the data and workflows associated
with the individual devices that connect to your network. Endpoint protection
platforms (EPP) work by examining files as they enter the network. Modern EPPs
harness the power of the cloud to hold an ever-growing database of threat
information, freeing endpoints of the bloat associated with storing all this
information locally and the maintenance required to keep these databases up to
date. Accessing this data in the cloud also allows for greater speed and scalability.

The EPP provides system administrators with a centralized console, which is installed on a
network gateway or server and allows cybersecurity professionals to control security
for each device remotely. Client software is then deployed to each endpoint; it
can either be delivered as SaaS and managed remotely, or it can be installed
directly on the device. Once the endpoint has been enrolled, the console can
push updates to the client software when necessary, authenticate log-in attempts from
each device, and administer corporate policies from one location. EPPs also secure
endpoints through application control, which blocks the use of applications that are
unsafe or unauthorized, and through encryption, which helps prevent data loss.

When the EPP is set up, it can quickly detect malware and other threats. Some
solutions also include an Endpoint Detection and Response (EDR) component. EDR
capabilities allow for the detection of more advanced threats, such as polymorphic
attacks, fileless malware, and zero-day attacks. By employing continuous monitoring,
the EDR solution can offer better visibility and a variety of response options.

EPP solutions are available in on-premises or cloud-based models. While cloud-based
products are more scalable and can more easily integrate with your current
architecture, certain regulatory/compliance rules may require on-premises security.

What will we check as an IT auditor?

 Endpoint protection policy, or a vulnerability policy that covers endpoint protection.
 Policy reviewed and approved during the reporting period.
 Was a penetration test performed?
 Were internal scans performed?
 Does the endpoint protection tool automatically monitor endpoints and servers and create
logs or reports?
 Are these endpoint protection tool reports reviewed? (Quarterly review)
 Follow-up on endpoints that are not compliant.
 Alerts or notifications sent to the appropriate team.
 Advanced host monitoring tests server availability and performance and checks power,
disk health, fans, free disk space, CPU usage and free memory, sending alerts when a
threshold is crossed for in-scope systems.
Encryption: We will check that servers, laptops and workstations are encrypted with
128-bit or 256-bit encryption (for example AES-128 or AES-256).

 We must check that BitLocker is enabled on Windows devices.
 We must check that FileVault is enabled on Mac devices.
 We must also check that servers are encrypted.
 Linux devices must be checked as well; full-disk encryption (for example LUKS) is only
present if it was enabled when the system was installed, so do not assume it.
Portable devices: We must confirm that portable devices are not used, or that only
company-approved portable devices are used and that they are scanned before use. Avoid
using company portable devices in personal systems. We must confirm that the data stored
on portable devices is encrypted and password protected.
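The encryption checks above are usually evidenced by the raw status output collected from each sampled device. The following helper, added here as an example and not part of the original document, parses that evidence for all three platforms: `manage-bde -status` (BitLocker), `fdesetup status` (FileVault) and `lsblk -o NAME,TYPE,FSTYPE,MOUNTPOINT` (LUKS/dm-crypt). The sample outputs are constructed for illustration; the verdict labels and the `audit()` helper are this example's own conventions.

```python
"""Classify full-disk-encryption evidence gathered from sampled endpoints.

Added audit helper (not from the original document). It parses the raw
output an auditor would collect per device: `manage-bde -status` on
Windows (BitLocker), `fdesetup status` on macOS (FileVault) and
`lsblk -o NAME,TYPE,FSTYPE,MOUNTPOINT` on Linux (LUKS/dm-crypt).
The sample outputs at the bottom are constructed, not captured.
"""
import re

ENCRYPTED, NOT_ENCRYPTED, UNKNOWN = "encrypted", "not_encrypted", "unknown"


def classify_bitlocker(output):
    """BitLocker: require protection ON and conversion complete.

    'Protection Off' on a fully encrypted volume means the protectors are
    suspended (clear key stored on disk), which does not satisfy the control.
    """
    status = re.search(r"Protection Status:\s*Protection (On|Off)", output)
    if not status:
        return UNKNOWN
    if status.group(1) == "On" and re.search(r"Conversion Status:\s*Fully Encrypted", output):
        return ENCRYPTED
    return NOT_ENCRYPTED


def bitlocker_key_bits(output):
    """Return 128 or 256 from the 'Encryption Method' line (e.g. 'XTS-AES 128'), else None."""
    m = re.search(r"Encryption Method:\s*.*?AES[ -]?(128|256)", output)
    return int(m.group(1)) if m else None


def classify_filevault(output):
    if re.search(r"FileVault is On", output):
        return ENCRYPTED
    if re.search(r"FileVault is Off", output):
        return NOT_ENCRYPTED
    return UNKNOWN


def classify_luks(output):
    """Linux: the filesystem mounted at '/' must sit on (or under) a dm-crypt
    device. Walks the lsblk tree so LVM-on-LUKS layouts are recognised."""
    ancestors = []  # stack of (depth, TYPE) for the current tree branch
    for line in output.splitlines()[1:]:  # skip the header row
        body = line.lstrip("├└│─ ")
        if not body:
            continue
        depth = (len(line) - len(body)) // 2  # lsblk indents 2 chars per level
        tokens = body.split()
        while ancestors and ancestors[-1][0] >= depth:
            ancestors.pop()
        ancestors.append((depth, tokens[1]))
        if tokens[-1] == "/":  # root filesystem line
            return ENCRYPTED if any(t == "crypt" for _, t in ancestors) else NOT_ENCRYPTED
    return UNKNOWN


PARSERS = {"windows": classify_bitlocker, "macos": classify_filevault, "linux": classify_luks}


def classify(platform, output):
    return PARSERS[platform](output)


def audit(devices):
    """devices: iterable of (hostname, platform, raw_output) -> {hostname: verdict}."""
    return {host: classify(platform, out) for host, platform, out in devices}


# Constructed evidence (not captured from real systems).
SAMPLE_WIN = """Volume C: [OS]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""
SAMPLE_WIN_SUSPENDED = SAMPLE_WIN.replace("Protection On", "Protection Off")
SAMPLE_MAC_ON = "FileVault is On.\n"
SAMPLE_LINUX_LVM = """NAME           TYPE  FSTYPE      MOUNTPOINT
sda            disk
├─sda1         part  vfat        /boot/efi
├─sda2         part  ext4        /boot
└─sda3         part  crypto_LUKS
  └─cryptlvm   crypt LVM2_member
    ├─vg-root  lvm   ext4        /
    └─vg-swap  lvm   swap        [SWAP]
"""
SAMPLE_LINUX_PLAIN = """NAME   TYPE FSTYPE MOUNTPOINT
sda    disk
├─sda1 part vfat   /boot/efi
└─sda2 part ext4   /
"""

if __name__ == "__main__":
    devices = [("WS-01", "windows", SAMPLE_WIN), ("MAC-02", "macos", SAMPLE_MAC_ON),
               ("LNX-03", "linux", SAMPLE_LINUX_LVM), ("LNX-04", "linux", SAMPLE_LINUX_PLAIN)]
    for host, verdict in audit(devices).items():
        print(host, verdict)
```

The BitLocker parser deliberately treats a fully encrypted volume with protection suspended as non-compliant, since the volume master key is then stored in the clear; that state is common after firmware updates and is easy to miss when only the "Fully Encrypted" line is checked.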

 Control – All confidential information at rest and in transit is
encrypted (automated control)

- Information security policy reviewed and approved during the reporting period.
- A USB device attached to a system shows as "Not readable", or a pop-up shows
"device is blocked".
- Validated that in-scope applications utilize tools to encrypt confidential data at
rest and in transit.
- APPLICATIONS – Encryption – Enabled

E.g.: USB sticks, external drives, CDs, etc.

Vulnerability management: Vulnerability management is the process of identifying,
evaluating, treating, and reporting on security vulnerabilities in systems and the
software that runs on them. Implemented alongside other security tactics, it is vital
for organizations to prioritize possible threats and minimize their "attack surface."

Security vulnerabilities, in turn, refer to technological weaknesses that allow
attackers to compromise a product and the information it holds. This process
needs to be performed continuously to keep up with new systems being added to
networks, changes that are made to systems, and the discovery of new
vulnerabilities over time.

Step 1: Identifying Vulnerabilities

At the heart of a typical vulnerability management solution is a vulnerability
scanner. The scan consists of four stages:

1. Scan network-accessible systems by pinging them or sending them TCP/UDP packets
2. Identify open ports and services running on scanned systems
3. If possible, remotely log in to systems to gather detailed system information
4. Correlate system information with known vulnerabilities

Vulnerability scanners are able to identify a variety of systems running on a
network, such as laptops and desktops, virtual and physical servers, databases,
firewalls, switches, printers, etc. Identified systems are probed for different
attributes: operating system, open ports, installed software, user accounts, file
system structure, system configurations, and more. This information is then
used to associate known vulnerabilities to scanned systems. In order to perform
this association, vulnerability scanners will use a vulnerability database that
contains a list of publicly known vulnerabilities.
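Stages 2 to 4 of the scan reduce to a version-range match between what was observed on the host (service banners, or the installed-software list from an authenticated login) and a vulnerability database. The following is an added example of that correlation step, not code from the original document or from any scanner product. The scan results, the database entries and the identifiers (VULN-0001 and so on) are constructed placeholders, not real CVE records.

```python
"""Correlate scan output with a vulnerability database (scan stages 2-4).

Added example, not code from the original document. Both the scan results
and the vulnerability database are constructed; the identifiers
(VULN-0001 ...) are placeholders, not real CVE IDs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    product: str
    affected_from: str   # first affected version, inclusive
    fixed_in: str        # first fixed version, exclusive; None if no fix exists
    cvss: float


# Constructed database: four records are enough to show a hit, a miss and an unfixed issue.
VULN_DB = [
    VulnRecord("VULN-0001", "OpenSSH", "7.0", "7.9", 7.5),
    VulnRecord("VULN-0002", "Apache httpd", "2.4.0", "2.4.30", 9.8),
    VulnRecord("VULN-0003", "Apache httpd", "2.4.31", "2.4.35", 5.3),
    VulnRecord("VULN-0004", "Example Agent", "1.0", None, 6.1),
]

# "<product><sep><version>" where sep is space, underscore or slash, e.g. "OpenSSH_7.4p1".
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][A-Za-z -]*?)[ _/](?P<version>\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.4.29' -> (2, 4, 29). Only the leading dotted-numeric part is compared."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def parse_banner(banner):
    """'OpenSSH_7.4p1 Ubuntu-10' -> ('OpenSSH', '7.4'); None if no version is present."""
    m = BANNER_RE.match(banner)
    return (m.group("product").strip(), m.group("version")) if m else None


def is_affected(rec, version):
    v = parse_version(version)
    if v < parse_version(rec.affected_from):
        return False
    if rec.fixed_in is not None and v >= parse_version(rec.fixed_in):
        return False
    return True


def correlate(host, banners, installed, db=VULN_DB):
    """banners: {port: banner} from stage 2; installed: {product: version} from an
    authenticated login (stage 3). Returns findings sorted by CVSS, highest first."""
    observed = []  # (location, product, version)
    for port, banner in banners.items():
        parsed = parse_banner(banner)
        if parsed:
            observed.append((f"tcp/{port}", *parsed))
    for product, version in installed.items():
        observed.append(("installed", product, version))
    findings = []
    for location, product, version in observed:
        for rec in db:
            if rec.product == product and is_affected(rec, version):
                findings.append({"host": host, "where": location, "product": product,
                                 "version": version, "vuln_id": rec.vuln_id, "cvss": rec.cvss})
    return sorted(findings, key=lambda f: -f["cvss"])


# Constructed scan result for one host.
SCAN_RESULT = {
    "host": "10.0.0.5",
    "banners": {22: "OpenSSH_7.4p1 Ubuntu-10", 80: "Apache httpd/2.4.29", 443: "nginx/1.18.0"},
    "installed": {"Example Agent": "1.2.0"},
}

if __name__ == "__main__":
    for f in correlate(SCAN_RESULT["host"], SCAN_RESULT["banners"], SCAN_RESULT["installed"]):
        print(f"{f['host']} {f['where']:<10} {f['product']} {f['version']} -> {f['vuln_id']} (CVSS {f['cvss']})")
```

Banner-based matches are the main source of the false positives discussed in Step 2: a distribution may backport a fix without changing the advertised version, so a hit found through a banner should carry less confidence than one found through the authenticated package inventory.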

Properly configuring vulnerability scans is an essential component of a
vulnerability management solution. Vulnerability scanners can sometimes
disrupt the networks and systems that they scan. If available network bandwidth
becomes very limited during an organization’s peak hours, then vulnerability
scans should be scheduled to run during off hours.

If some systems on a network become unstable or behave erratically when
scanned, they might need to be excluded from vulnerability scans, or the scans
may need to be fine-tuned to be less disruptive. Adaptive scanning is a newer
approach to further automating and streamlining vulnerability scans based on
changes in a network. For example, when a new system connects to a network
for the first time, a vulnerability scanner will scan just that system as soon as
possible instead of waiting for a weekly or monthly scan to start scanning the
entire network.

Vulnerability scanners aren’t the only way to gather system vulnerability data
anymore, though. Endpoint agents allow vulnerability management solutions to
continuously gather vulnerability data from systems without performing network
scans. This helps organizations maintain up-to-date system vulnerability data
whether or not, for example, employees’ laptops are connected to the
organization’s network or an employee’s home network.

Regardless of how a vulnerability management solution gathers this data, it can
be used to create reports, metrics, and dashboards for a variety of audiences.

Step 2: Evaluating Vulnerabilities

After vulnerabilities are identified, they need to be evaluated so the risks posed
by them are dealt with appropriately and in accordance with an organization’s
risk management strategy. Vulnerability management solutions will provide
different risk ratings and scores for vulnerabilities, such as Common
Vulnerability Scoring System (CVSS) scores. These scores are helpful in telling
organizations which vulnerabilities they should focus on first, but the true risk
posed by any given vulnerability depends on some other factors beyond these
out-of-the-box risk ratings and scores.

Here are some examples of additional factors to consider when evaluating
vulnerabilities:

 Is this vulnerability a true or false positive?
 Could someone directly exploit this vulnerability from the Internet?
 How difficult is it to exploit this vulnerability?
 Is there known, published exploit code for this vulnerability?
 What would be the impact to the business if this vulnerability were
exploited?
 Are there any other security controls in place that reduce the likelihood
and/or impact of this vulnerability being exploited?
 How old is the vulnerability/how long has it been on the network?

Like any security tool, vulnerability scanners aren’t perfect. Their vulnerability
detection false-positive rates, while low, are still greater than zero. Performing
vulnerability validation with penetration testing tools and techniques helps weed out
false positives so organizations can focus their attention on dealing with real
vulnerabilities. The results of vulnerability validation exercises or full-blown
penetration tests can often be an eye-opening experience for organizations that
thought they were secure enough or that the vulnerability wasn’t that risky.

Step 3: Treating Vulnerabilities

Once a vulnerability has been validated and deemed a risk, the next step is
prioritizing how to treat that vulnerability with original stakeholders to the
business or network. There are different ways to treat vulnerabilities, including:

 Remediation: Fully fixing or patching a vulnerability so it can’t be exploited.
This is the ideal treatment option that organizations strive for.
 Mitigation: Lessening the likelihood and/or impact of a vulnerability being
exploited. This is sometimes necessary when a proper fix or patch isn’t yet
available for an identified vulnerability. This option should ideally be used
to buy time for an organization to eventually remediate a vulnerability.
 Acceptance: Taking no action to fix or otherwise lessen the
likelihood/impact of a vulnerability being exploited. This is typically
justified when a vulnerability is deemed a low risk, and the cost of fixing
the vulnerability is substantially greater than the cost incurred by an
organization if the vulnerability were to be exploited.

Vulnerability management solutions provide recommended remediation
techniques for vulnerabilities. Occasionally a remediation recommendation isn’t
the optimal way to remediate a vulnerability; in those cases, the right remediation
approach needs to be determined by an organization’s security team, system
owners, and system administrators. Remediation can be as simple as applying a
readily available software patch or as complex as replacing a fleet of physical
servers across an organization’s network.

When remediation activities are completed, it’s best to run another vulnerability
scan to confirm that the vulnerability has been fully resolved.

However, not all vulnerabilities need to be fixed. For example, if an organization’s
vulnerability scanner has identified vulnerabilities in Adobe Flash Player on their
computers, but they completely disabled Adobe Flash Player from being used in
web browsers and other client applications, then those vulnerabilities could be
considered sufficiently mitigated by a compensating control.

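The evaluation factors in Step 2 and the treatment options in Step 3 can be turned into a small, explicit scoring policy so that prioritization decisions are repeatable and reviewable. The following is an added example of such a policy, not code from the original document or from any vulnerability management product. The weights, thresholds and the five constructed findings (including a disabled-Flash case matching the paragraph above) are assumptions chosen for illustration; an organization would tune them to its own risk management strategy.

```python
"""Rank validated findings by contextual risk and recommend a treatment.

Added example (not from the original document). The weights and thresholds
are assumptions chosen for illustration; the findings are constructed.
"""
from dataclasses import dataclass

EXPOSURE_FACTOR = 1.5                   # directly reachable from the Internet
EXPLOIT_BONUS = 2.0                     # public exploit code exists
CONTROL_FACTOR = 0.25                   # likelihood reduction per compensating control
AGE_STEP_DAYS, AGE_STEP, AGE_CAP = 30, 0.5, 3   # slow escalation for findings left open
URGENT, ROUTINE = 7.0, 4.0              # treatment thresholds on the contextual score


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: str
    cvss: float                          # out-of-the-box score from the scanner
    validated: bool = True               # confirmed true positive (e.g. with a pentest tool)
    internet_exposed: bool = False
    exploit_public: bool = False
    compensating_controls: tuple = ()    # e.g. ("Flash Player disabled in all browsers",)
    age_days: int = 0                    # how long the finding has been open
    patch_available: bool = True


def risk_score(f):
    """Contextual score: CVSS adjusted by exposure, exploit availability,
    compensating controls and age. False positives score zero."""
    if not f.validated:
        return 0.0
    score = f.cvss
    if f.internet_exposed:
        score *= EXPOSURE_FACTOR
    if f.exploit_public:
        score += EXPLOIT_BONUS
    score *= CONTROL_FACTOR ** len(f.compensating_controls)
    score += min(f.age_days // AGE_STEP_DAYS, AGE_CAP) * AGE_STEP
    return round(score, 2)


def recommend_treatment(f):
    """Map the score to the Step 3 options: remediate, mitigate or accept."""
    score = risk_score(f)
    if not f.validated:
        return "close: false positive"
    if score >= URGENT:
        if f.patch_available:
            return "remediate: emergency patch"
        return "mitigate: no patch yet, apply workaround and track until fixed"
    if score >= ROUTINE:
        return "remediate: next patch cycle"
    if f.compensating_controls:
        return "mitigated: compensating control in place, re-verify each cycle"
    return "accept: low risk, document the decision and owner"


def rank(findings):
    """Highest contextual risk first; this is the order the remediation queue should use."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed findings; identifiers are placeholders, not real CVEs.
FINDINGS = [
    Finding("VULN-A", "web-01", 7.5, internet_exposed=True, exploit_public=True),
    Finding("VULN-B", "ws-17", 9.8, exploit_public=True,
            compensating_controls=("Flash Player disabled in all browsers",)),
    Finding("VULN-C", "db-02", 9.0, validated=False),
    Finding("VULN-D", "app-05", 5.0, age_days=120),
    Finding("VULN-E", "vpn-01", 8.1, internet_exposed=True, patch_available=False),
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f"{f.vuln_id} {f.asset:<7} cvss={f.cvss:<4} score={risk_score(f):<6} {recommend_treatment(f)}")
```

Note how the ordering differs from a pure CVSS sort: the 7.5 on an Internet-facing host with a public exploit outranks the 9.8 that a compensating control has already neutralised, and the 9.0 false positive drops out entirely. Acceptance decisions should still be recorded with an owner and a review date, since a control such as "plugin disabled" can silently be undone by a later configuration change.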
Step 4: Reporting vulnerabilities

Performing regular and continuous vulnerability assessments enables organizations
to understand the speed and efficiency of their vulnerability management
program over time. Vulnerability management solutions typically have different
options for exporting and visualizing vulnerability scan data with a variety of
customizable reports and dashboards. Not only does this help IT teams easily
understand which remediation techniques will help them fix the most
vulnerabilities with the least amount of effort, or help security teams monitor
vulnerability trends over time in different parts of their network, but it also helps
support organizations’ compliance and regulatory requirements.

Staying Ahead of Attackers through Vulnerability Management

Threats and attackers are constantly changing, just as organizations are
constantly adding new mobile devices, cloud services, networks, and
applications to their environments. With every change comes the risk that a new
hole has been opened in your network, allowing attackers to slip in and walk out
with your crown jewels.

Every time you get a new affiliate partner, employee, client or customer, you open
up your organization to new opportunities, but you’re also exposing it to new
threats. Protecting your organization from these threats requires a vulnerability
management solution that can keep up with and adapt to all of these changes.
Without that, attackers will always be one step ahead.

Checks performed by IT Auditor:

1) Vulnerability management policy, reviewed during the reporting period.
2) Scans are performed in the production environment, reviewed quarterly, and the reports reviewed.
3) Monitoring tools such as IDS/IPS are used.

Quarterly – population (4) – sample size (2) – We must check that the review was performed as part of
TOD & TOE (test of design and test of operating effectiveness) for each sampled quarter.

If scans are performed automatically, we will look at the scan frequency and check whether scans
were performed as per schedule or not.

 Cyber liability insurance certificate – control requirement


Patch Management: Patch management is the process of distributing and applying updates to
software. These patches are often necessary to correct errors (also referred to as
“vulnerabilities” or “bugs”) in the software.

Common areas that will need patches include operating systems, applications, and embedded
systems (like network equipment). When a vulnerability is found after the release of a piece of
software, a patch can be used to fix it. Doing so helps ensure that assets in your environment
are not susceptible to exploitation.

Patch management is important for the following key reasons:

Security: Patch management fixes vulnerabilities on your software and applications that are
susceptible to cyber-attacks, helping your organization reduce its security risk.

System uptime: Patch management ensures your software and applications are kept up-to-date and
run smoothly, supporting system uptime.

Compliance: With the continued rise in cyber-attacks, organizations are often required by regulatory
bodies to maintain a certain level of compliance. Patch management is a necessary piece of adhering
to compliance standards.

Feature improvements: Patch management can go beyond software bug fixes to also include
feature/functionality updates. Patches can be critical to ensuring that you have the latest and
greatest that a product has to offer.

 We must check that patches (including hotfixes) are applied to all systems and servers regularly, or
at least once in the reporting period, as per the control requirement.
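The scheduling checks in the vulnerability-management audit (were scans run at the stated frequency, was the quarterly review performed for each sampled quarter) and the patch check above are the same kind of test: given a reporting period and a list of dated events, find the windows or systems with no event. The following helper, added here as an example and not part of the original document, implements those tests on constructed dates and hostnames; the Q1 2024 period, the weekly schedule and the sampling seed are assumptions for illustration.

```python
"""Period-based audit checks: scan frequency, quarterly reviews, sampling
and patch currency. Added example (not from the original document);
all dates, hostnames and review records are constructed.
"""
import random
from datetime import date, timedelta


def scan_windows(period_start, period_end, frequency_days):
    """Half-open windows [start, end) that tile the reporting period."""
    windows, start = [], period_start
    while start <= period_end:
        end = min(start + timedelta(days=frequency_days), period_end + timedelta(days=1))
        windows.append((start, end))
        start = end
    return windows


def missed_scan_windows(scan_dates, period_start, period_end, frequency_days):
    """Windows in which no scan ran; an empty list means the schedule was met."""
    return [w for w in scan_windows(period_start, period_end, frequency_days)
            if not any(w[0] <= d < w[1] for d in scan_dates)]


def quarter_of(d):
    return (d.month - 1) // 3 + 1


def quarters_without_review(review_dates, year):
    """Quarters of `year` with no evidenced review (population of 4)."""
    reviewed = {quarter_of(d) for d in review_dates if d.year == year}
    return [q for q in (1, 2, 3, 4) if q not in reviewed]


def select_sample(population, size, seed):
    """Reproducible auditor sample; record the seed in the workpapers."""
    return sorted(random.Random(seed).sample(list(population), size))


def unpatched_systems(patch_events, systems, period_start, period_end):
    """Systems with no patch installation recorded inside the period."""
    return sorted(h for h in systems
                  if not any(period_start <= d <= period_end for d in patch_events.get(h, [])))


def iso(windows):
    """Render windows as ISO date strings for reports."""
    return [(a.isoformat(), b.isoformat()) for a, b in windows]


# Constructed evidence for Q1 2024: weekly scans with the 7 Feb run missing.
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 3, 31)
WEEKLY_SCANS = [date(2024, 1, 3) + timedelta(days=7 * k) for k in range(13) if k != 5]
REVIEWS_2024 = [date(2024, 2, 1), date(2024, 5, 3), date(2024, 11, 20)]
PATCH_EVENTS = {"srv-01": [date(2024, 2, 10)], "srv-02": [date(2023, 12, 20)], "ws-01": []}
SYSTEMS = ["srv-01", "srv-02", "ws-01"]

if __name__ == "__main__":
    print("missed scan windows:", iso(missed_scan_windows(WEEKLY_SCANS, PERIOD_START, PERIOD_END, 7)))
    print("quarters without review:", quarters_without_review(REVIEWS_2024, 2024))
    print("sampled quarters:", select_sample([1, 2, 3, 4], 2, seed=7))
    print("unpatched in period:", unpatched_systems(PATCH_EVENTS, SYSTEMS, PERIOD_START, PERIOD_END))
```

The windows are half-open and tiled from the period start, so a scan that slips a day late is still counted in the next window rather than being double-counted; if the control wording allows a grace period, widen the window rather than the match condition.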
