Endpoint Security: On the Frontline of Cyber Risk
by Ahmed Hussain, Risk Management Specialist, Supervision and Regulation, Federal Reserve Bank of Chicago, William Mark, Lead Examiner, Supervision and Regulation, Federal Reserve Bank of Chicago, and Anthony Toins, Senior Examiner, Supervision and Regulation, Federal Reserve Bank of Chicago
Endpoint devices, such as desktops, laptops, servers, routers, and mobile devices, can be susceptible to malicious cyberattacks and breaches. Endpoint devices remain primary targets for attackers and, therefore, are vulnerable points of entry to any community bank’s network. Given this, a major priority for any endpoint security effort is the protection of endpoint devices. These devices present a daunting challenge because they are typically under the control of and in use by employees, providing remote communication with and connection to a bank’s network. Endpoint security and related employee training represent the frontline of a multilayered, defense-in-depth strategy against cyberattacks.
The COVID-19 pandemic has exponentially increased the number of employees engaging in or transitioning to remote work, a trend likely to continue for years to come. A study conducted by the Enterprise Strategy Group (ESG) reported that 76 percent of information technology (IT) professionals on average across all respondent companies are currently working from home. Moreover, 57 percent of the IT professionals surveyed were amenable to increasing their level of remote work in the post-pandemic environment.1
The portability of endpoint devices, coupled with the surge of remote work, increases a bank’s risk exposure to cyber breaches due to potential susceptibility to theft or misplacement. One-third of remote workers believe that they have not received sufficient cyber awareness training to work safely and efficiently from home, according to the ESG study. Unclear staff guidance and understanding can further exacerbate this weakness by fostering uncertainty, thereby leading to cybersecurity mistakes.
In this fashion, IT hygiene, which “provides visibility into the ‘who, what and where’ of your environment while giving you the means to address security risks before they become issues,”2 may be lacking. In other words, a bank may not be fully able to recognize “who” is breaching the network, “what” methods are being used, and “where” these vulnerable endpoints are.
As discussed in a joint statement issued by the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC), a growing number of cybercriminals and other malicious groups are actively exploiting the current virtual environment by targeting endpoint vulnerabilities.3 A wide range of cyberthreats, such as malware, phishing, and other premeditated attacks, challenges organizations to remain technologically current and maintain diligent staff cyber awareness to ward off such incursions.
Since the beginning of the COVID-19 pandemic, an exponential increase across the spectrum of cyberattacks has challenged organizations. Some observers coined the term cyber pandemic to characterize the current evolving cyber environment.4 The Federal Bureau of Investigation (FBI) reported in its 2020 Internet Crime Report that, compared with 2019, complaints of suspected internet crime ballooned by over 300,000, to nearly 800,000 incidents, leading to aggregate reported losses in excess of $4.2 billion.5 Such malicious activity is not expected to abate in 2021, as cyberattack attempts are projected to increase to every 11 seconds, more than double the frequency of every 39 seconds noted in 2019.6 Observers project damages from cyber events could reach $6 trillion in 2021 globally.7
Federal Reserve Vice Chair for Supervision Randal K. Quarles said at the Financial Services Roundtable 2018 Spring Conference in Washington, D.C., “While we know that successful cyberattacks are often connected to poor basic IT hygiene, and firms must continue to devote resources to these basics, we also know that attackers always work to be a step ahead, and we need to prepare for cyber events.”8 Although Vice Chair for Supervision Quarles delivered these comments in a fundamentally different environment, they remain relevant today. Diligent endpoint security efforts are needed now more than ever to help identify and mitigate risks posed by cyberthreats.
What Is Endpoint Security?
Endpoint security practices are a vital component for safeguarding endpoint devices and enterprise networks. The ultimate goal is to protect the confidentiality, integrity, and availability of network information by closing the loopholes that attackers may exploit to gain unauthorized access.
The Ponemon Institute estimated that such data breaches have an average cost of nearly $4 million per incident.9 Additionally, data breaches can have detrimental impacts beyond financial costs. They can also lead to the loss of personally identifiable customer information, reputational damage to a firm, and potential legal issues. Consider the 2017 Equifax data breach, one of the largest breaches in history, affecting nearly 150 million consumers. This breach occurred as a result of a preventable lapse in basic protocols, a missed systems patch.10
According to Absolute Software Corporation, 70 percent of all breaches originate through endpoints,11 so related endpoint security measures are critical in managing cyber risks. With the increase in such incidents at endpoints, multilayered defenses are important to ensure that a bank’s network has a robust security environment. Because sophisticated cyberthreats are on the rise, IT managers and administrators need to more carefully assess the extent to which security gaps in deployed endpoint devices may expose the network to excessive risks.
As mentioned, endpoints are usually the preferred targets for cybercriminals. Remote devices are especially vulnerable due to the sheer volume of users, which fosters greater opportunities to exploit an endpoint, making them attractive targets to hackers. Endpoint devices provide points of entry to access corporate networks, so they are susceptible to cyberattacks designed to steal or encrypt data or even take control of a device to execute an attack.
Today, endpoint devices and their users pose a myriad of threat scenarios, such as zero-day vulnerabilities,12 malware, ransomware, and phishing. Hackers exploit these weaknesses to circumvent existing detection systems and take advantage of flaws in popular software. Most cyberattacks are engineered through phishing and pose the highest risk to endpoint devices. This could involve an employee downloading a suspect application or clicking on an email link or attachment that connects to malware or ransomware. Credential theft, social attacks (i.e., phishing and business email compromise), and associated events account for 67 percent of all cyber breaches.13 Consequently, traditional centralized security measures alone are no longer sufficient for protecting a mobile workforce.
Certain endpoint devices can pose more risk than others due to the nature of their use. For example, remote endpoints generally are inherently riskier and subject to cyberattacks because they are often used by employees who are traveling or working remotely and are more likely to connect to less-secure public Wi-Fi. Endpoint devices such as laptops, tablets, and smartphones are, by virtue of their portable nature, at higher risk of being lost or stolen. As noted in the Figure, laptops were among the most compromised endpoints in 2019. While endpoint devices generally present a notable risk to an organization’s network, such devices enable financial institutions to serve their customers in a timely and efficient manner.
Figure: 2019 SANS Survey – Types of Endpoints Compromised
Note: Domain name system (DNS) is the system for tracking and regulating internet domain names and addresses; internet of things (IoT) is the interconnection among computing devices in everyday objects that facilitate data transfer through the internet; platform as a service (PaaS) refers to a cloud computing service platform that allows customers to develop, run, and manage applications without building and maintaining their own application infrastructure; software as a service (SaaS) is a software licensing and delivery model in which software is licensed on a subscription basis and centrally hosted; and supervisory control and data acquisition (SCADA) is a powerful computer system that allows users to monitor and control processes in real time remotely.
Source: SANS Institute, 2019 SANS Survey on Next-Generation Endpoint Risk and Protections.
Endpoint security is even more relevant as more organizations adopt “bring your own device” (BYOD) processes, which allow employees to connect personal mobile devices to an organization’s network. These personal devices tend to have additional risks associated with lack of information security control, such as downloaded malicious applications, improper password control, and storage of sensitive data, if not appropriately configured or controlled. Institutions should determine whether existing BYOD security controls are sufficient and, at a minimum, ensure that practices such as application controls, feature controls, encryption, remote wipe capability, storage control, malware protection, and proper password control are in place to protect devices from these added risks.
Cybercriminals use attack vectors as routes to infiltrate an organization’s network. To protect against these unauthorized incursions, IT administrators rely on risk assessments to monitor and document any changes to the internal network (i.e., architecture, configurations, remote workers) and external factors (i.e., heightened cyber risk environment) in order to recognize potential attack vectors in a timely fashion. Most attack vectors share commonalities, as attackers typically:
- identify a potential target;
- gather information about the target (e.g., using social engineering, phishing, malware, automatic vulnerability scanning);
- analyze gathered information to identify potential attack vectors with tailored exploitation tools;
- gain unauthorized system access to steal data or install malicious code; and
- monitor a computer or network in order to acquire information or use computing resources.
Prior to the onset of the pandemic and the widespread work-from-home posture, financial institutions regularly conducted business via mobile devices, which widened the network perimeter and attack surface.
In the current heightened cyber risk environment, securing endpoints is paramount and any delays could mean the loss of data confidentiality, integrity, and availability. Although endpoint devices are often connected to the enterprise network through a secure channel, such as a virtual private network (VPN), these devices remain attractive targets. As a result, bank management should consider the increased cybersecurity risks posed to the bank and its customers. The FBI reports that scammers are leveraging the COVID-19 pandemic to steal funds, personal information, or both.14 Therefore, a bank should be intentional in reminding its employees to scrutinize all emails from outside sources. While electronic messages that purport to provide information on COVID-19 may be enticing, the downside risks of clicking on a link for a false online charity, opening an attachment from known or unknown sources, or sending personal or confidential information to receive money or other benefits can be significant.
Implementing Endpoint Security
With new types of attacks and complex threats emerging each year, methodologies to protect endpoint devices continue to evolve. Today, vigilant endpoint security includes sophisticated detection and analytical tools to identify gaps that attacks could exploit and where bank defenses may lag. Many approaches and techniques may be used to initiate endpoint security using a multilayered threat protection strategy.
Effective endpoint security starts with understanding an institution’s operating environment and what applications and devices will be allowed on the network. IT administrators should identify and validate all network entry and exit points and address such exposures prior to implementation. Endpoint security threats may be countered through a network policy-based approach, especially the prevention of installation and use of high-risk applications such as file sharing, social media applications, and connections to unauthorized devices. This approach ensures that endpoint devices meet specific criteria or rules governing all endpoints before network access is granted.15 For example, all remote endpoint devices could be required to undergo a vulnerability scan prior to being allowed to connect to a bank’s network resources. In turn, this policy-based approach would allow the bank to quarantine any noncompliant endpoints before there is a network connection.
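The policy-based admission check described above, written out as an added example (not code from the article or any vendor product): each remote endpoint must have a recent clean vulnerability scan and meet a few posture rules before it is admitted, and anything noncompliant is quarantined with the failed rules listed. The device records, rule thresholds, and the fixed "today" date are all constructed for illustration.

```python
"""Policy-based network admission check for remote endpoints (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Policy thresholds: assumed values chosen for illustration, not from the article.
MAX_SCAN_AGE_DAYS = 7       # vulnerability scan must be no older than this
MAX_PATCH_AGE_DAYS = 30     # OS patch level must be no older than this
TODAY = date(2021, 6, 1)    # fixed "now" so the example is deterministic


@dataclass
class Endpoint:
    host: str
    owner: str
    last_scan: Optional[date]   # None = never scanned
    critical_findings: int      # open critical vulnerabilities from that scan
    os_patch_date: date
    disk_encrypted: bool
    mdm_enrolled: bool
    av_running: bool


def evaluate(ep: Endpoint, today: date = TODAY) -> Tuple[str, List[str]]:
    """Return ("admit" | "quarantine", reasons).

    Every failed rule is recorded, not just the first, so the help desk can
    tell the employee exactly what must be fixed before reconnecting.
    """
    reasons: List[str] = []
    # Rule 1: a recent vulnerability scan with no open critical findings.
    if ep.last_scan is None:
        reasons.append("no vulnerability scan on record")
    elif (today - ep.last_scan).days > MAX_SCAN_AGE_DAYS:
        reasons.append(f"vulnerability scan older than {MAX_SCAN_AGE_DAYS} days")
    elif ep.critical_findings > 0:
        reasons.append(f"{ep.critical_findings} unresolved critical finding(s)")
    # Rule 2: patches applied within the policy window.
    if (today - ep.os_patch_date).days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"OS patches older than {MAX_PATCH_AGE_DAYS} days")
    # Rules 3-5: baseline controls the article lists for portable/BYOD devices.
    if not ep.disk_encrypted:
        reasons.append("full-disk encryption disabled")
    if not ep.mdm_enrolled:
        reasons.append("not enrolled in MDM")
    if not ep.av_running:
        reasons.append("endpoint protection agent not running")
    return ("admit" if not reasons else "quarantine", reasons)


def admission_decisions(endpoints: List[Endpoint]) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate a whole inventory; the result is what a NAC/VPN gateway would act on."""
    return {ep.host: evaluate(ep) for ep in endpoints}


# Constructed sample inventory (hostnames and owners are made up).
SAMPLE = [
    Endpoint("lt-0412", "jdoe", date(2021, 5, 29), 0, date(2021, 5, 20), True, True, True),
    Endpoint("lt-0377", "asmith", date(2021, 5, 10), 0, date(2021, 5, 20), True, True, True),
    Endpoint("lt-0455", "bwong", date(2021, 5, 31), 2, date(2021, 3, 1), False, True, True),
    Endpoint("byod-17", "clee", None, 0, date(2021, 5, 30), True, False, True),
]

if __name__ == "__main__":
    for host, (decision, why) in admission_decisions(SAMPLE).items():
        detail = f" ({'; '.join(why)})" if why else ""
        print(f"{host}: {decision}{detail}")
```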
Applications of endpoint security solutions and tools are necessary components in combating network threats. These processes work by understanding how endpoint security tools interact with potential threats and network resources. Many options are available, and several strategies may be applied when considering security solutions to deploy. IT administrators typically use an array of applications that detect advanced threats, such as malware, zero-day incursions, and fileless attacks, to protect a bank’s network.
Strategic failures often arise from inadequate understanding by IT administrators of all the possible ways an intruder could penetrate the network and the various capabilities of existing applications. IT administrators should choose comprehensive security offerings that clearly define physical and virtual devices as well as provide desired defense against modern multivector threats.16 Although no single solution offers protection from all endpoint risks, employing advanced security solutions and enterprise suites that use multiple methodologies is a prudent measure to “right-size” the degree of safeguards with cost considerations.
Institutions have a variety of standardized tools to consider when looking to properly align cybersecurity preparedness with common industry standards and practices. In a 2019 press release,17 the Federal Financial Institutions Examination Council (FFIEC) referenced several useful standardization tools that offer methods to measure inherent risks and compare them with current controls to better assess the maturity and prospective capability of cybersecurity preparedness:
- Center for Internet Security (CIS) Controls18
- FFIEC Cybersecurity Assessment Tool (CAT)19
- Financial Services Sector Coordinating Council (FSSCC) Cybersecurity Profile20
- National Institute of Standards and Technology (NIST) Cybersecurity Framework21
From a community bank perspective, addressing these challenges may seem daunting and management may find that it has insufficient staff expertise. Targeted training initiatives could bridge the knowledge gap and facilitate staff vigilance. Outsourcing IT administration is an option employed by banks; however, this choice does not absolve the board of directors and management of responsibility for oversight of cybersecurity efforts. Diligence in vendor risk management is also important to ensure that a bank has appropriate oversight and adequate controls in place to confirm that any third party provides the necessary services to achieve cybersecurity goals.22
Observed Industry Practices
There is no single solution that can prevent every attack; however, solutions properly configured and promptly implemented within an effective cyber awareness program can deter or effectively slow an attack to allow a bank to detect the attack in order to take defensive action. With a greater potential for an attack due to the surge of remote work, community banks should employ industry-recognized endpoint security measures to keep sensitive data safe. The following are several common industry practices to consider:
Identify all network endpoints
To ensure visibility into all endpoints in the network, it is important to identify and inventory all endpoints. Each one represents a door or potential vulnerability that can be exploited to gain network access.
Enforce principle of least privilege23
Least privilege is the practice of limiting user access to networks, systems, and programs to only employees needing access to complete given tasks. Under this principle, each employee is given only the minimum privileges or permissions associated with an assigned role and administrative access is limited to employees whose duties require it. This is particularly effective in limiting the spread of malware infections.
Disable unnecessary ports
Unsecured or open network ports often go unmonitored and are vulnerable to unauthorized intrusion. Additionally, neglected communication ports, such as Bluetooth, infrared devices, and modems, have been the entry point for many recent destructive cyberattacks; these ports should be identified and the configurations or settings adjusted to disable potential access. Periodic scans should be performed, especially when new hardware and applications are incorporated into the IT environment, to determine which network ports are open, what services are running, and whether internet access is sufficiently controlled.
Employ mobile device management (MDM)24
The prevalence of mobile devices (e.g., laptops, phones, tablets) comes with increased attack surfaces and threat vectors. Vigilant MDM can secure access to these devices and, when necessary, wipe a device remotely, keep software updated, encrypt data, log and track usage, prevent file sharing and downloading of unauthorized applications, and ensure that suspicious applications are opened in a secure and safe manner (i.e., sandboxing25).
Exercise application control26
Application control is a security technology that can allow or restrict communication between applications and network devices within an organizational network. In addition, to ensure that only trusted communications are passing through endpoints into an organization’s network, IT administrators can create a list of trusted programs, scripts, and processes or a list of those banned. Such lists are particularly useful for securing networks from BYODs.
Strengthen identity and access management
Practices to ensure proper identity and access management are best applied with a layered defensive approach that includes: (a) “zero-trust”27 strategies; (b) multifactor authentication; (c) strong password policy enforcement; (d) timely removal of unnecessary applications, devices, and users; and (e) periodic audits.
Implement advanced protection against attacks28
To address increased complexity associated with ever-expanding infrastructures and an increased volume of deployed endpoints, timely automated responses to cyberattacks are important to minimize the adverse effect of intrusions. Endpoint protection platforms, which prevent malware attacks at the point of entry, and endpoint detection and response solutions, which discover and respond to threats that elude antivirus defenses, are designed to work in tandem to optimize protection.
Patch systems promptly
Timely installation of software updates or patches can shore up network weaknesses so that they do not deteriorate into exploited endpoints.
Provide security awareness training
Security awareness is paramount given that humans are the primary targets and vectors for entry into the network, typically through phishing and other social engineering attacks. A formal educational initiative propagating cyber knowledge with periodic reminders would be appropriate to establish and reinforce cyber vigilance.
Promote location awareness29
A necessity associated with increased remote work is the capability of portable devices to give both the user and the network administrator the ability to actively or passively monitor and communicate location information in real time, thus enabling adaptability to security challenges in specific settings.
Plan for incident response
Despite diligent endpoint security efforts, breaches may occur, so management should be organized and deliberate to ensure that, when a breach is identified, corrective measures are undertaken to prevent further loss in a timely, efficient, and thorough manner.
Today, employees are working from home at unprecedented levels due to the pandemic and relying on a diverse range of hardware and software tools to execute everyday tasks. As the volume and sophistication of cybersecurity threats have steadily grown, so has the need for robust endpoint security. The portability of endpoint devices and the sheer volume of usage have heightened risk to institutional networks. Limited cyber awareness can exacerbate these vulnerabilities.
It is incumbent upon bank management to implement endpoint protection systems designed to quickly detect, analyze, block, and contain attacks in progress. To accomplish this, collaboration with technology or managed security service providers, as well as consideration of other security technologies and platforms, would give IT administrators knowledge about global threats, improving detection and remediation response times. Adopting endpoint security tools is a good place to start, but it should be part of a wider strategy of ensuring cybersecurity hygiene that includes a diligent awareness program. An evolving, well-informed, and vigilant endpoint security program will require more than a single approach and, more important, demonstrate adaptability. Together with a disciplined incident response plan to address breaches in a timely fashion, such a program can go a long way to promote data confidentiality, integrity, and availability.
Federal Reserve Governor Michelle W. Bowman summarized the current environment at the 2020 Independent Community Bankers of America ThinkTECH Policy Summit: “There are certain points in history when an event can fundamentally change how society and entire industries function. In addition to the other ways that COVID-19 has affected us, this could be one of those moments. The pandemic has demonstrated the importance and unique role of technology in responding effectively to new challenges.”30
- 1 See Bill Lundell, “ESG Research Report: The Impact of the COVID-19 Pandemic on Remote Work, 2020 IT Spending, and Future Tech Strategies,” June 16, 2020, available at www.esg-global.com/research/esg-research-report-the-impact-of-the-covid-19-pandemic-on-remote-work-2020-it-spending-and-future-tech-strategies.
- 2 See “Why IT Hygiene Is Critical to Your Cybersecurity Readiness,” CrowdStrike blog, June 14, 2017, available at www.crowdstrike.com/blog/why-it-hygiene-is-critical-to-your-cybersecurity-readiness.
- 3 See the April 8, 2020, joint statement by the NCSC and CISA, “UK and US Security Agencies Issue COVID-19 Cyber Threat Update,” available at www.cisa.gov/news/2020/04/08/uk-and-us-security-agencies-issue-covid-19-cyber-threat-update.
- 4 See Daniel Lohrmann, “2020: The Year the COVID-19 Crisis Brought a Cyber Pandemic,” Government Technology blog, December 11, 2020, available at www.govtech.com/blogs/lohrmann-on-cybersecurity/2020-the-year-the-covid-19-crisis-brought-a-cyber-pandemic.html.
- 5 See the FBI Internet Crime Complaint Center’s “2020 Internet Crime Report,” available at www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf.
- 6 See Allan Jay, “73 Important Cybercrime Statistics: 2020/2021 Data Analysis & Projections,” FinancesOnline, available at https://financesonline.com/cybercrime-statistics.
- 7 See “30 Practical Cybersecurity Statistics to Be Wary of in 2021,” Safe at Last blog, available at https://safeatlast.co/blog/cybersecurity-statistics.
- 8 Read the text of Vice Chair for Supervision Quarles’s February 26, 2018, speech, “Brief Thoughts on the Financial Regulatory System and Cybersecurity,” at www.federalreserve.gov/newsevents/speech/quarles20180226b.htm.
- 9 See IBM, “2020 Cost of a Data Breach Report,” available at www.ibm.com/security/data-breach.
- 10 See Zack Whittaker, “Equifax Breach Was ‘Entirely Preventable’ Had It Used Basic Security Measures, Says House Report,” TechCrunch, December 10, 2018, available at https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report.
- 11 See Louis Columbus, “5 Key Insights from Absolute’s 2019 Endpoint Security Trends Report,” Software Strategies Blog, September 20, 2019, available at https://softwarestrategiesblog.com/2019/09/20/5-key-insights-from-absolutes-2019-endpoint-security-trends-report/.
- 12 A zero-day vulnerability is a software security flaw that is known to the software vendor but for which no patch is in place. If this software flaw is left unaddressed, security holes are created that cybercriminals can exploit.
- 13 The Verizon 2020 Data Breach Investigations Report is available at https://enterprise.verizon.com/content/verizonenterprise/us/en/index/resources/reports/2020-data-breach-investigations-report.pdf.
- 14 See Calvin A. Shivers, “COVID-19 Fraud: Law Enforcement’s Response to Those Exploiting the Pandemic,” Statement Before the Senate Judiciary Committee, Washington, D.C., June 9, 2020, available at www.fbi.gov/news/testimony/covid-19-fraud-law-enforcements-response-to-those-exploiting-the-pandemic.
- 15 See TechTarget definition, “Endpoint Security Management,” https://searchsecurity.techtarget.com/definition/endpoint-security-management.
- 16 See Webroot, Inc., “Understanding Endpoints and Endpoint Security,” available at www.webroot.com/us/en/resources/glossary/what-is-endpoint-security.
- 17 The FFIEC’s August 28, 2019, press release, “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness,” is available at www.ffiec.gov/press/pr082819.htm.
- 18 See “CIS Controls,” available at www.cisecurity.org/controls.
- 19 The FFIEC May 2017 CAT is available at www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017.pdf.
- 20 The FSSCC Cybersecurity Profile can be found at https://cyberriskinstitute.org/the-profile.
- 21 The NIST Cybersecurity Framework is available at www.nist.gov/cyberframework.
- 22 See Supervision and Regulation letter 13-19/Consumer Affairs letter 13-21, “Guidance on Managing Outsourcing Risk,” available at www.federalreserve.gov/supervisionreg/srletters/sr1319.htm.
- 23 See CIS, “Election Security Spotlight – Principle of Least Privilege,” available at www.cisecurity.org/spotlight/ei-isac-cybersecurity-spotlight-principle-of-least-privilege.
- 24 See CIS Controls Mobile Companion Guide, version 7, available at www.cisecurity.org/white-papers/cis-controls-mobile-companion-guide-2/.
- 25 Sandboxing is a computer security term referring to setting aside a program in an environment isolated from other programs so that security issues that arise will not spread to other areas on the computer or network.
- 26 See Check Point Software Technologies Ltd. Cyber Hub, “What Is Application Control?,” available at www.checkpoint.com/cyber-hub/network-security/what-is-application-control/.
- 27 Zero-trust is a security concept that restricts access to the network, applications, hardware, and devices to only known sources.
- 28 See Cisco Systems, Inc., “What Is an Endpoint Protection Platform (EPP)?,” available at www.cisco.com/c/en/us/products/security/what-is-endpoint-protection-platform.html.
- 29 See ScienceDirect.com definition, “Location Awareness,” available at www.sciencedirect.com/topics/computer-science/location-awareness.
- 30 Read the text of Governor Bowman’s December 4, 2020, speech, “Technology and the Regulatory Agenda for Community Banking,” at www.federalreserve.gov/newsevents/speech/bowman20201204a.htm.