ENDPOINT RISK ASSESSMENT SAMPLE REPORT

Prepared for: Acme Corporation

September 30, 2017


absolute.com

ENDPOINT RISK ASSESSMENT SAMPLE REPORT: PREPARED FOR ACME CORPORATION – OCTOBER 2017

P. 2

WHY PERFORM AN ENDPOINT RISK ASSESSMENT?

The Center for Internet Security suggests that five simple steps can prevent up to 80% of cyber-attacks. The steps include:

• Maintaining an inventory of authorized and unauthorized devices
• Maintaining an inventory of authorized and unauthorized software
• Developing and managing secure configurations for all devices
• Conducting continuous (automated) vulnerability assessment and remediation
• Actively managing and controlling the use of administrative privileges

This assessment provides customers with a complete picture of current controls and capabilities related to endpoint protection, and provides detailed recommendations to ensure that information is properly safeguarded. Absolute benchmarks the control environment based on best practices as defined in NIST 800-53 rev. 4, SANS CIS Critical Security Controls, and HITRUST CSF. Absolute also defines an identified risk mitigation action plan and effective monitoring solutions because, in the end, having appropriate policies, procedures, controls, tools, and properly trained employees are all key elements to ensuring that an effective cyber security program is in place.

CONFIDENTIALITY

This document contains confidential information of a proprietary and sensitive nature. As such this document should be afforded the security and handling precautions that a confidential document warrants. This document should have a controlled distribution to relevant parties only, and should not be copied without written permission.

Absolute treats the contents of any deliverable as confidential material, and will not disclose the contents of this document to anyone without written permission.


TABLE OF CONTENTS

EXECUTIVE SUMMARY – 4
  BACKGROUND SCOPE AND OBJECTIVES – 4
  MATURITY SCORING – 5
  RISK AND CONTROL MATRIX – 6
CONTROL AREA DETAILS – 7
  DEVICE INVENTORY MANAGEMENT – 7
  SOFTWARE INVENTORY MANAGEMENT – 9
  CONFIGURATION MANAGEMENT – 12
  VULNERABILITY MANAGEMENT – 14
  MALWARE DEFENSES – 15
  DATA LOSS PREVENTION – 16
SUMMARY OF RECOMMENDATIONS – 19



EXECUTIVE SUMMARY

BACKGROUND SCOPE AND OBJECTIVES

Acme Corporation comprises 14,787 employees at seven medical campuses in the Washington, DC area. Acme Corporation offers a full range of services, including a primary care physician network, outpatient services, and home health care. Acme Corporation currently has 18,475 Absolute Control licenses and has been using the Absolute platform for nearly 8 years.

Acme Corporation has utilized Absolute primarily for asset tracking of desktops and laptops and has not utilized many of the application’s other capabilities.

Absolute conducted this assessment based on interviews with IT and Security personnel, a review of policies and process documentation, and data gathered from the Absolute agent deployed on 19,706 endpoint devices.

Acme Corporation currently uses Windows 7 as its standard operating system for endpoint devices, but a Windows 10 migration plan is scheduled for 2018.

[Figure: Operating Systems – bar chart of active device counts by operating system (Windows 7 32-bit and 64-bit, Windows 8.1 64-bit, Windows 10 64-bit; Pro, Professional, Enterprise and Enterprise 2015 LTSB editions); the per-bar counts could not be recovered from the extracted text.]

ACTIVE DEVICES: 19,706

Anti-Malware – Devices with applications: 16,061 (82%)
Encryption – Encrypted devices: 15,817 (80%)
SCCM – Healthy devices: 15,745 (80%)

Note: Active devices reported include 983 retired devices from which the Absolute agent has not been removed.


Our assessment of endpoint control areas is based on best practices as defined by:

• NIST 800-53 rev.4
• SANS CIS Critical Security Controls
• HITRUST CSF
• HIPAA

The goal of the review is to protect critical endpoint assets, infrastructure, and information by strengthening your organization’s defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.

MATURITY SCORING

We assessed the maturity of each of the foundational control areas using a model based on the Capability Maturity Model published by Carnegie Mellon University. The model utilizes the following five levels:

1 - Performed - Controls are ad-hoc, unpredictable, poorly controlled and reactive.

2 - Managed - Controls are planned, documented, and performed in a repeatable but reactive manner.

3 - Defined - Standardized controls and proactive processes are defined at an organizational level.

4 - Quantitative - Controls and processes are managed using statistical and other quantitative techniques.

5 - Optimizing - Controls and processes are continuously improved through incremental and innovative technological improvements.

SCORE (1 to 5)

Device Inventory Management – 2.75
Software Inventory Management – 1.5
Configuration Management – 2.9
Vulnerability Management – 2.4
Malware Defenses – 2
Data Loss Prevention – 1.7

Note: In the original chart, arrows in green represent the future maturity state via recommended remediation activities described in this report.


RISK AND CONTROL MATRIX

The matrix below illustrates Absolute’s high-level analysis of the potential business impact and the remediation complexity. The matrix guides management to effectively plan and allocate the resources needed to mitigate each of the risks. The matrix considers the following factors:

Business Impact: Potential savings, improved control environment, potential process efficiencies

Remediation Complexity: The estimated complexity of the recommended remediation activities based on the required resources, communication, coordination, and process implementation required.

RISK # – CONTROL AREA – RISK DESCRIPTION

1 – Device Inventory Management – Automation and Accuracy
2 – Device Inventory Management – Asset Inventory Completeness
3 – Device Inventory Management – Asset Inventory Lifecycle – Acquisition
4 – Device Inventory Management – Asset Inventory Lifecycle – Retirement
5 – Software Inventory Management – Software Sun-setting
6 – Software Inventory Management – Standard Operating Procedures
7 – Software Inventory Management – Remote Access Applications
8 – Software Inventory Management – Peer to Peer Applications
9 – Software Inventory Management – Cloud Applications
10 – Software Inventory Management – FTP Applications
11 – Configuration Management – SCCM Status
12 – Configuration Management – Gold Disk Updates
13 – Vulnerability Management – Scanning Tool Definitions
14 – Malware Defenses – Removable Media
15 – Data Loss Prevention – Endpoint Scans for ePHI
16 – Data Loss Prevention – Encryption Not Enabled

Remediation recommendations for each of the risks are located in the Summary of Recommendations section.

[Figure: Risk and Control Matrix – risks 1 through 16 plotted by Business Impact (low to high) against Remediation Complexity (low to high); the plotted positions could not be recovered from the extracted text.]


The following sections contain benchmarking details and details of identified issues and recommendations for each of the control areas reviewed.

CONTROL AREA DETAILS

DEVICE INVENTORY MANAGEMENT

The objective of the Device Inventory Management controls is to maintain a complete, accurate, and timely inventory of all endpoint devices connected to the enterprise network.

NIST 800-53 rev.4 Reference – CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6
SANS CIS Critical Security Controls Reference – 1.1, 1.2, 1.3, 1.4, 13.5, 15.1, 2.3
HITRUST v8 Reference – 07.a – Inventory of Assets
HIPAA Reference – 164.310(d)(1); 164.310(d)(2)(i)

Acme Corporation’s IT Management team maintains endpoint inventory within Absolute as well as its IT ticketing system, ServiceNow.

SUB-CONTROL MATURITY SCORING

Absolute reviewed the following sub-control areas in determining the maturity of the Acme Corporation Device Inventory Management control area:

Level of Automation – Rating: 3
Benchmark: Management utilizes automated tools to track and manage endpoint devices.
Acme Corporation: Acme Corporation IT utilizes automated tools (Absolute and ServiceNow) to track and manage endpoint devices. There is no integration between the two systems to ensure that the device counts and device information in the two systems reconcile.

Lifecycle – Rating: 2
Benchmark: Devices are tracked through each stage of the endpoint device lifecycle (Acquisition, Installation, Changes, and Retirement).
Acme Corporation: Devices are tracked using automated tools at the time of imaging. Opportunities exist to integrate tracking at the time of procurement and to improve the integrity of tracking information at the time of retirement.

Asset Inventory Information – Rating: 2
Benchmark: Endpoint devices are tracked in a complete and accurate manner, including the following minimal data elements: network addresses; machine names; purpose of each system; asset owner/department responsible; whether the device is portable or not.
Acme Corporation: Most asset groups in the organization are tracked within Absolute, but some currently are not. Additionally, information on the asset owner/department responsible is not being recorded within the Absolute database.

Security of Asset Information – Rating: 4
Benchmark: The asset database is properly protected and backed up in a secure location.
Acme Corporation: The Absolute asset database is maintained in a secure environment.

Device Inventory Management Maturity Score: 2.75


IDENTIFIED RISKS

1 – AUTOMATION AND ACCURACY

Risk Description: The absence of integration between Absolute and ServiceNow results in differences in the information tracked, and in the number of devices tracked, between the two systems.

Impact/Risks:
• Reduced integrity and accuracy of asset databases.
• Reduced ability to respond to security incidents in a timely and effective manner.
• Reduced ability to reconcile and manage software licensing expenses.

Recommendations:
• Perform an initial reconciliation of endpoint assets and associated information between the Absolute and ServiceNow databases.
• Implement the use of an API to feed information between the Absolute and ServiceNow databases.
• Establish periodic reconciliation procedures to ensure the integrity and accuracy of the asset databases.

2 – ASSET INVENTORY COMPLETENESS

Risk Description: Endpoint asset information for multiple groups within the organization is not recorded or maintained within the asset inventory databases (ServiceNow or Absolute) in a consistent manner.

Impact/Risks:
• Incomplete endpoint inventory increases the risk of unauthorized or potentially unprotected endpoints.
• Reduced ability to respond to security incidents in a timely and effective manner.
• Reduced ability to reconcile and manage software-licensing expenses.
• Reduced ability to maximize ROI for endpoint asset expenditures.

Recommendations:
• Identify all endpoint assets that have not been recorded and input them in Absolute and ServiceNow.

3 – ASSET INVENTORY LIFECYCLE – ACQUISITION

Risk Description: There is a lag in time to record endpoint asset information into Absolute at the time of acquisition, as it is manually entered when the device is being imaged.

Impact/Risks:
• Reduced ability for Acme Corporation to identify and recover devices that are lost or stolen prior to issuance to end users.

Recommendations:
• If available from the device vendor, have the Absolute agent installed prior to delivery.

4 – ASSET INVENTORY LIFECYCLE – RETIREMENT

Risk Description: The Absolute agent has not been consistently removed as part of the endpoint asset retirement process. Of the 19,693 endpoint devices listed in the Active Devices Report, 980 (5%) had usernames without “Acme Corporation”, indicating devices that have been previously retired and are now in the possession of a non-Acme Corporation user.

RETIREMENT HEALTH

# of active installed Absolute agents: 19,693
# of active devices with “Acme Corporation” in username: 18,710 (95%)
# of active devices without “Acme Corporation” in username (retired): 983 (5%)
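The reconciliation recommended under Risk 1 and the username check behind Risk 4, as an added example that is not Absolute's or ServiceNow's code: it compares two CSV exports keyed by serial number, lists devices known to only one system and hostname mismatches, and flags active Absolute records whose username lacks the organization marker. The column names and the sample exports are assumptions (constructed data, not the report's).

```python
"""Reconcile an Absolute export against a ServiceNow export and flag
retirement candidates. Added example, not Absolute's or ServiceNow's
code: column names (serial, hostname, username/assigned_to) are
assumed, and the sample exports below are constructed, not real data."""
import csv
import io

# Constructed sample export from the Absolute console (assumed columns).
ABSOLUTE_CSV = r"""serial,hostname,username,last_seen
SN001,ACME-LT-001,Acme Corporation\jdoe,2017-09-28
SN002,ACME-LT-002,Acme Corporation\asmith,2017-09-29
SN003,ACME-LT-003,HOMEPC\bob,2017-09-30
SN004,ACME-DT-004,Acme Corporation\svc-img,2017-09-30
"""

# Constructed sample export from ServiceNow (assumed columns).
SERVICENOW_CSV = """serial,hostname,assigned_to,department
SN001,ACME-LT-001,jdoe,Radiology
SN002,ACME-LT-2,asmith,Cardiology
SN005,ACME-LT-005,cjones,Pharmacy
"""

# The report's retirement heuristic: an active record whose username
# does not contain the organization name is probably a retired device.
ORG_MARKER = "Acme Corporation"


def load_export(csv_text, key="serial"):
    """Parse a CSV export into {normalized serial: row}; rows without a
    serial are skipped because they cannot be matched across systems."""
    out = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = (row.get(key) or "").strip().upper()
        if serial:
            out[serial] = row
    return out


def reconcile(absolute_csv, servicenow_csv, org_marker=ORG_MARKER):
    """Compare the two inventories and return the discrepancies the
    report asks management to reconcile (Risks 1, 2 and 4)."""
    absolute = load_export(absolute_csv)
    servicenow = load_export(servicenow_csv)
    in_both = set(absolute) & set(servicenow)

    hostname_mismatch = sorted(
        s for s in in_both
        if absolute[s]["hostname"].strip().upper()
        != servicenow[s]["hostname"].strip().upper()
    )
    retirement_candidates = sorted(
        s for s, row in absolute.items()
        if org_marker.lower() not in (row.get("username") or "").lower()
    )
    total = len(set(absolute) | set(servicenow))
    return {
        "only_in_absolute": sorted(set(absolute) - set(servicenow)),
        "only_in_servicenow": sorted(set(servicenow) - set(absolute)),
        "hostname_mismatch": hostname_mismatch,
        "retirement_candidates": retirement_candidates,
        # Share of all known devices that both systems agree on.
        "match_pct": round(100.0 * len(in_both) / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    for finding, value in reconcile(ABSOLUTE_CSV, SERVICENOW_CSV).items():
        print(f"{finding}: {value}")
```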


Impact/Risks:
• Reduced integrity and accuracy of asset databases.
• Reduced ability to reconcile and manage software licensing expenses.

Recommendations:
• Work with your Absolute Technical Consultant to generate a list of devices that should be removed from the Absolute environment.
• Work with your Absolute Technical Consultant to submit Agent Removal requests for devices that should not have an active license.
• Configure alerts to identify devices reaching their end of life or end of lease.

SOFTWARE INVENTORY MANAGEMENT

The objective of Software Inventory Management controls is to maintain a complete, accurate, and timely inventory of software on all endpoint devices connected to the enterprise network to prevent the risk of machines running software that is unneeded for business purposes, introducing potential security flaws, or running malware introduced by a computer attacker after system compromise.

NIST 800-53 rev.4 Reference – CM-1, CM-2 (2, 4, 5), CMNPM-5, PM-6
SANS CIS Critical Security Controls Reference – 2.1, 2.2
HITRUST v8 Reference – 10.h – Control of Operational Software

SUB-CONTROL MATURITY SCORING

Application Monitoring – Rating: 0
Benchmark: Procedures are in place for performing periodic scanning for unauthorized software and for generating alerts when it is discovered on a system.
Acme Corporation: Scanning for unauthorized software on endpoints does not occur.

Application Whitelisting – Rating: 0
Benchmark: Technology is used that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system.
Acme Corporation: Application whitelisting does not occur on endpoints.

Software Data Elements – Rating: 3
Benchmark: The software inventory system tracks the version of the underlying operating system, the applications installed on it, and their version number and patch level.
Acme Corporation: The operating system and applications installed on endpoints, with version number and patch level, are tracked within SCCM. The software reporting functionality of Absolute was not used by Acme Corporation.

Software Inventory Integration – Rating: 3
Benchmark: The software inventory system is tied into the hardware asset inventory so that all devices and associated software are tracked from a single location. The inventory is tied to vulnerability/threat intelligence reporting services so that vulnerable software can be fixed proactively.
Acme Corporation: The software inventory information is tied to the asset inventory information within ServiceNow. The software reporting functionality of Absolute was not used by Acme Corporation.

Software Inventory Management Maturity Score: 1.5


IDENTIFIED RISKS

5 – SOFTWARE SUN-SETTING

Risk Description: There is no sun-setting process in place to identify old or outdated software on endpoints and remove it. Thirty devices were identified running SQL 2005, which is not supported by Microsoft.

Impact/Risks:
• Software is running that is not needed for business purposes.
• Increased risk of security flaws or malware.
• Increased risk of zero-day vulnerabilities.

Recommendations:
• Create a listing of authorized software.
• Scan endpoints to identify software that is not authorized and remove it from endpoints.
• Utilize application whitelisting functionality in SCCM.
• Leverage Absolute alert functionality to identify and remediate endpoints with unauthorized software.

6 – STANDARD OPERATING PROCEDURES

Risk Description: Standard operating procedures for managing software on endpoint devices are not readily available and communicated.

Impact/Risks:
• Procedures for loading and maintaining software on endpoint devices may not be performed in a complete and consistent manner.
• Software license expenses may not be properly controlled, resulting in over-installation or maintenance of unused software.
• Increased risk of security flaws or malware.

Recommendations:
• Standard operating procedures for managing software on endpoints should be drafted, approved, and communicated.

7 – REMOTE ACCESS APPLICATIONS

Risk Description: Absolute verified that the applications listed were not part of the basic application deployment. The presence of these applications indicates a possible vulnerability to your network if these types of applications are not permitted on your endpoints.

NAME – PUBLISHER – NUMBER OF ENDPOINTS

TeamViewer – TeamViewer GmbH – 94
mRemoteNG – http://www.mremoteng.org/ Next Generation Software / Unknown Publisher – 77
LogMeIn Client – LogMeIn, Inc. – 13
RemoteTCPResetEx – SolarWinds.net – 4
TeamViewer Portable – PortableApps – 2

Risk/Impact:
• Remote Access applications may present a risk to your environment.

Recommendations:
• Work with your Absolute Technical Consultant to identify devices with applications that are of concern.
• Notify end users of compliance issues if any are found.
  º This could be done directly from the console using End User Messaging (EUM).


• Leverage Absolute device freeze functionality for endpoints that do not comply with stated policies within an appropriate period.

• Utilize Absolute Software reporting capabilities to monitor for remote access applications on endpoint devices.

8 – PEER TO PEER APPLICATIONS

Risk Description: Absolute detected two instances of peer-to-peer applications on Acme Corporation endpoint devices.

NAME – PUBLISHER – NUMBER OF ENDPOINTS

Transmission-Qt – Transmission Project – 1
qBittorrent – The qBittorrent project – 1

Risk/Impact:
• P2P applications may present a security risk to your environment.

Recommendations:
• Work with your Absolute Technical Consultant to identify devices with applications that are of concern.
• Notify end users of compliance issues if any are found.
  º This could be done directly from the console using End User Messaging (EUM).
• Leverage Absolute device freeze functionality for endpoints that do not comply with stated policies within an appropriate period.

9 – CLOUD APPLICATIONS

Risk Description: Absolute identified 1,148 cloud sharing applications on 577 endpoint devices that could be a possible vulnerability to your network or to maintaining data security.

NAME – PUBLISHER – NUMBER OF ENDPOINTS – NUMBER OF APPLICATIONS

DROPBOX – Dropbox – 421 – 835
Microsoft OneDrive – Microsoft – 108 – 179
iCLOUD – Apple – 63 – 94
BoxSync – Box – 14 – 22
Google Drive – Google – 14 – 18

Risk/Impact:

Recommendations:
• Work with your Absolute Technical Consultant to identify devices with applications that are of concern.
• Notify end users of compliance issues if any are found.
  º This could be done directly from the console using End User Messaging (EUM).
• Leverage Absolute device freeze functionality for endpoints that do not comply with stated policies within an appropriate period.

10 - FTP APPLICATIONS

Risk Description: Absolute identified the existence of FileZilla, an FTP application on 131 endpoint devices.

Risk/Impact: FTP inherently transfers data in the clear (not encrypted). Per HIPAA Technical Safeguards of the Security Rule, it is an addressable requirement that data transfers are encrypted.

Recommendations:
• Determine if FileZilla is configured to ensure that the transmission of ePHI is encrypted.


• Implement policies that require business justification and approval of FTP applications.
• Leverage Absolute to monitor endpoints for unauthorized FTP application usage.
• Implement remediation workflows to remove unauthorized FTP applications.
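The unauthorized-software findings behind Risks 5 and 7 through 10, as an added example that is not Absolute's reporting code: it matches a per-endpoint software inventory against category watchlists (remote access, peer-to-peer, cloud sharing, FTP, unsupported) and produces the name / publisher / endpoint-count rollup that the tables in these risks show. The inventory rows are constructed and the watchlist patterns are assumptions drawn from the application names this report cites.

```python
"""Roll up a per-endpoint software inventory into the name/publisher/
endpoint-count tables shown in this report. Added example, not
Absolute's reporting code; the inventory rows are constructed and the
category lists are assumptions built from the names the report cites."""
from collections import defaultdict

# Application names to watch, keyed by the report's risk categories.
# Matching is a case-insensitive substring test so that, for example,
# "TeamViewer Portable" lands in the same category as "TeamViewer".
WATCHLIST = {
    "remote_access": ["teamviewer", "mremoteng", "logmein", "remotetcpresetex"],
    "peer_to_peer": ["transmission", "qbittorrent"],
    "cloud_sharing": ["dropbox", "onedrive", "icloud", "boxsync", "google drive"],
    "ftp": ["filezilla"],
    "unsupported": ["sql server 2005"],  # out of Microsoft support (Risk 5)
}

# Constructed sample inventory: (hostname, application name, publisher).
INVENTORY = [
    ("ACME-LT-001", "TeamViewer", "TeamViewer GmbH"),
    ("ACME-LT-001", "Dropbox", "Dropbox"),
    ("ACME-LT-001", "Dropbox Update Helper", "Dropbox"),
    ("ACME-LT-002", "TeamViewer Portable", "PortableApps"),
    ("ACME-LT-002", "FileZilla Client", "FileZilla Project"),
    ("ACME-LT-003", "qBittorrent", "The qBittorrent project"),
    ("ACME-LT-003", "Microsoft Office Professional Plus 2013", "Microsoft Corporation"),
    ("ACME-DT-004", "Microsoft SQL Server 2005", "Microsoft Corporation"),
    ("ACME-DT-004", "TeamViewer", "TeamViewer GmbH"),
]


def categorize(app_name, watchlist=WATCHLIST):
    """Return the first category whose pattern occurs in the name, or None."""
    name = app_name.lower()
    for category, patterns in watchlist.items():
        if any(p in name for p in patterns):
            return category
    return None


def rollup(inventory, watchlist=WATCHLIST):
    """Build {category: {app name: {"publisher": ..., "endpoints": n}}}.
    A host is counted once per application name, even if the same
    entry appears several times for that host."""
    hosts = defaultdict(lambda: defaultdict(set))
    publishers = {}
    for host, app, publisher in inventory:
        category = categorize(app, watchlist)
        if category is None:
            continue  # not on any watchlist: no finding
        hosts[category][app].add(host)
        publishers.setdefault(app, publisher)
    return {
        category: {
            app: {"publisher": publishers[app], "endpoints": len(hostset)}
            for app, hostset in sorted(apps.items())
        }
        for category, apps in hosts.items()
    }


def endpoints_affected(inventory, watchlist=WATCHLIST):
    """Distinct hosts carrying at least one watch-listed application
    (the report's "N endpoint devices" headline figure)."""
    return sorted({h for h, app, _ in inventory if categorize(app, watchlist)})


if __name__ == "__main__":
    for category, apps in rollup(INVENTORY).items():
        print(category.upper())
        for app, info in apps.items():
            print(f"  {app} | {info['publisher']} | {info['endpoints']}")
    print("endpoints affected:", endpoints_affected(INVENTORY))
```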

CONFIGURATION MANAGEMENT

The objective of Configuration Management controls is to ensure that formal configuration management procedures and change controls of endpoint devices are maintained, to decrease malware footholds on the network, and provide business value.

NIST 800-53 rev.4 Reference – CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6
SANS CIS Critical Security Controls Reference – 3.1, 3.2, 3.3, 3.6, 3.7
HITRUST v8 Reference – 10.k – Change Control Procedures
HIPAA Reference – 164.308(a)(4)(i); 164.312(a)(1)

SUB-CONTROL MATURITY SCORING

Standard and Secure Configurations – Rating: 1
Benchmark: Procedures are in place to ensure that standardized, hardened versions of the underlying operating system and of the applications installed on systems are used.
Acme Corporation: The Configuration Standards Policy is in place, but standard operating procedures for the specific hardware and software configuration standards used have not been documented or communicated.

Security Patching – Rating: 4
Benchmark: Automated patching tools and processes ensure that security patches are installed within a defined timeframe of their release, for both applications and operating system software.
Acme Corporation: SCCM is used to ensure that security patches are installed on a monthly basis.

Software Sun-setting – Rating: 0
Benchmark: Procedures exist to remove outdated, older, and unused software from systems that cannot be patched.
Acme Corporation: There are no procedures in place to remove outdated, older or unused software from systems that cannot be patched.

Change Management – Rating: 3
Benchmark: A secure image is used to build all new systems that are deployed in the enterprise.
Acme Corporation: The SCCM team maintains different secure images for use based on the planned usage of the device.

Secure Master Images – Rating: 3
Benchmark: Master images are stored on securely configured servers, with integrity checking tools and change management procedures to ensure that only authorized changes to the images are possible.
Acme Corporation: Master images are stored securely. Integrity checking tools are currently not used to monitor master images for unauthorized changes.

Deviations from Standard Configuration – Rating: 3
Benchmark: Deviations from the standard build or updates to the standard build are approved by a change control board and documented in a change management system.
Acme Corporation: Deviations from standard builds are approved via change control ticket. Updates to the standard build go through the technical review board. Software patches do not go through change control.

Configuration Procurement Standards – Rating: 2
Benchmark: Standard purchasing practices are in place to negotiate contracts to buy systems configured securely out of the box using standardized images, which should be devised to avoid extraneous software that would increase their attack surface and susceptibility to vulnerabilities.
Acme Corporation: Devices are imaged in-house by Acme Corporation.

Remote Administration – Rating: 4
Benchmark: Remote administration of servers, workstations, network devices, and similar equipment is performed over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL or IPSEC.
Acme Corporation: Remote administration is performed using strong, end-to-end encryption.


Configuration Management Tools – Rating: 4
Benchmark: Configuration management tools such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for Unix systems are utilized to automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
Acme Corporation: SCCM is used to enforce and redeploy configuration settings to systems at regularly scheduled intervals.

Mobile/BYOD Configuration Management – Rating: 4
Benchmark: A formal process and management infrastructure for configuration control of mobile devices is in place.
Acme Corporation: Formal policies and processes are in place for configuration of BYOD devices.

Configuration Management Maturity Score: 2.9

IDENTIFIED RISKS

11 – SCCM STATUS

Risk Description: Absolute identified 302 Acme Corporation endpoint devices with an SCCM status of “unhealthy”. 166 of the 302 devices did not have a last known healthy date reported within the Absolute console. Additionally, five endpoint devices were identified without an SCCM client installed.

SCCM STATUS (Absolute console report)

Windows devices with an active DDS agent: 19,700
Healthy (installed and working): 15,745 (80%)
Unhealthy (health check failed): 302 (2%)
No Data (not reporting or no policy): 3,524 (18%)
Absent: 129

Impact/Risks:
• Endpoint software applications may not have recent patches.
• Increased risk of malware.

Recommendations:
• Work with Absolute to leverage Application Persistence to ensure that SCCM clients on endpoints are always installed.
• Periodically reconcile the SCCM status report with SCCM reporting information to identify endpoints that have not been receiving patches or that have an unhealthy status, and remediate.
• For devices that are unreachable via SCCM, issue an End User Message requesting that the user reach out to their IT support team for remediation.

12 - GOLD DISK UPDATES

Risk Description: IT Management does not update baseline or gold disk copies of images as new patches are released. The patch updates are made to the gold disk copies on a quarterly basis. Reliance is placed on the SCCM tools to include all approved patches when imaging a device.


Impact/Risks:
• The baseline or gold disk does not include the latest patches; if endpoint devices are imaged without anti-virus scans and remediation being performed, vulnerabilities could be exploited.

Recommendations: IT Management should implement a process to ensure that baseline or gold disks are patched with the same frequency as patches are issued to endpoint devices.

VULNERABILITY MANAGEMENT

The objective of Vulnerability Management controls is to reduce any significant delays in finding or fixing software with critical vulnerabilities, which provides opportunity for persistent attackers to break through, gaining control over the vulnerable machines and getting access to the sensitive data they contain.

NIST 800-53 rev.4 Reference – RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6)
SANS CIS Critical Security Controls Reference – 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8
HITRUST v8 Reference – 10.m – Control of Technical Vulnerabilities
HIPAA Reference – 164.308(a)(8)

SUB-CONTROL MATURITY SCORING

Automated Scanning Tools – Rating: 3
Benchmark: Automated vulnerability scanning tools are run against all systems on the network on at least a weekly basis. The scans output prioritized lists of the most critical vulnerabilities to each responsible system administrator, along with risk scores that compare the effectiveness of system administrators and departments in reducing risk.
Acme Corporation: Rapid7 Nexpose is used on servers and web servers on a weekly basis. Trend Micro anti-virus is used for endpoint devices.

Vulnerability Scanning Procedures – Rating: 4
Benchmark: The activities of the regular vulnerability scanning tools are logged and correlated with other event logs.
Acme Corporation: Vulnerability scanning activities are logged and correlated with SolarWinds.

Vulnerability Updates – Rating: 2
Benchmark: The vulnerability scanning tools in use are regularly updated with all relevant important security vulnerabilities.
Acme Corporation: Scanning tools are being updated, but we identified that one of the update servers was not configured to receive regular updates.

Vulnerability Scanning Log Management – Rating: 3
Benchmark: Procedures are in place to carefully monitor logs associated with any scanning activity and associated administrator accounts, to ensure that all scanning activity and associated access via the privileged account is limited to the timeframes of legitimate scans.
Acme Corporation: Vulnerability scanning logs are monitored.

Scanning Authentication – Rating: 3
Benchmark: Vulnerability scanning is performed in authenticated mode, either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested.
Acme Corporation: Scanning is performed in authenticated mode.

Patching Timeliness – Rating: 5
Benchmark: The delay in patching new vulnerabilities is measured to ensure that it is equal to or less than the benchmarks set forth by the organization.
Acme Corporation: Patching delays are configured to be equal to policy.

Vulnerability Management Maturity Score: 2.4


IDENTIFIED RISKS

13 – SCANNING TOOL DEFINITIONS

Risk Description: Acme Corporation uses Trend Micro Office Scan for anti-virus protection of endpoint devices. Absolute generated a custom report that identified over 1,200 endpoint devices with old anti-malware definition dates on 6.5.17. The list was provided to Acme Corporation IT Management for remediation. Absolute generated the custom report again on 6.26.17, identifying 128 endpoint devices with old anti-malware definitions. Additionally, eight endpoint devices were identified using non-standard anti-virus products.

Impact/Risks: Recent vulnerabilities may not be identified and remediated, increasing the risk of vulnerabilities being exploited.

Recommendations: Anti-virus products should be well maintained, as they can be a critical component of maintaining device and network security. Additionally, we recommend the use of both software policies and alerts to detect any suspicious or at-risk behavior, such as out-of-date AV definitions or devices that do not contain an AV product.
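The alerting described in this recommendation amounts to a small set of checks run over the endpoint inventory on a schedule. The following Python script is an added illustration, not part of the Absolute report or its tooling: it applies those checks to a constructed console export. The record layout, the approved-product list, the seven-day definition-age limit, and the report date are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Constructed sample export (not data from the report). Each record mimics what a
# console export of endpoint anti-malware status might contain: the detected
# product (None if none was found) and the date of its last definition update
# (None if the product never reported one).
SAMPLE_INVENTORY = [
    {"device": "WS-0001", "product": "Trend Micro OfficeScan", "definitions": date(2017, 6, 25)},
    {"device": "WS-0002", "product": "Trend Micro OfficeScan", "definitions": date(2017, 5, 30)},
    {"device": "WS-0003", "product": "Trend Micro OfficeScan", "definitions": None},
    {"device": "WS-0004", "product": "Some Other AV",          "definitions": date(2017, 6, 24)},
    {"device": "WS-0005", "product": None,                     "definitions": None},
]

# Policy parameters are assumptions for this example; the report states neither.
APPROVED_PRODUCTS = {"Trend Micro OfficeScan"}
MAX_DEFINITION_AGE_DAYS = 7
REPORT_DATE = date(2017, 6, 26)   # the second report date named in the risk description


@dataclass(frozen=True)
class Finding:
    device: str
    reason: str    # no_av | non_standard_av | no_definition_date | stale_definitions
    detail: str


def audit_antimalware(inventory: Iterable[dict], as_of: date,
                      approved=APPROVED_PRODUCTS,
                      max_age_days: int = MAX_DEFINITION_AGE_DAYS) -> List[Finding]:
    """Return one Finding per endpoint that fails the anti-malware policy.

    Checks run in order of severity: no product at all, an unapproved product,
    a product that never reported a definition date, and finally definitions
    older than max_age_days as of the report date. An endpoint yields at most
    one finding, the first check it fails.
    """
    findings: List[Finding] = []
    for rec in inventory:
        dev = rec["device"]
        product: Optional[str] = rec.get("product")
        defs: Optional[date] = rec.get("definitions")
        if not product:
            findings.append(Finding(dev, "no_av", "no anti-malware product detected"))
        elif product not in approved:
            findings.append(Finding(dev, "non_standard_av", f"unapproved product: {product}"))
        elif defs is None:
            findings.append(Finding(dev, "no_definition_date", "product has not reported a definition date"))
        elif (as_of - defs).days > max_age_days:
            findings.append(Finding(dev, "stale_definitions",
                                    f"definitions are {(as_of - defs).days} days old (limit {max_age_days})"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per reason, the figures a periodic alert report would show."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_antimalware(SAMPLE_INVENTORY, as_of=REPORT_DATE)
    for f in results:
        print(f"{f.device}: {f.reason} - {f.detail}")
    print(summarize(results))
```

Running the script against the sample data reports one device per failure class. The ordering of the checks matters: a device with no product reported must not be counted as "stale" simply because it has no definition date, or the remediation list will send the wrong fix to the wrong team.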

MALWARE DEFENSES

The objective of Malware Defenses tools and processes is to ensure that anti-virus protection is in place for all endpoint devices listed and approved in the asset inventory database.

NIST 800-53 rev.4 Reference – SI-3 (a, b, 1, 2, 5, 6), MP-1, MP-7
SANS CIS Critical Security Controls Reference – 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8
HITRUST v8 Reference – 09.j Controls Against Malicious Code
HIPAA Reference – 164.308(a) (5) (1), 134.308(a) (5) (ii) (B)

SUB-CONTROL MATURITY SCORING

Sub-control area: Malware Tools
Benchmark: Automated tools have been deployed to continuously monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection with anti-virus, anti-spyware, personal firewall, and host-based IPS functionality.
Acme Corporation: Trend Micro is the enterprise anti-malware client. A full scan is performed on endpoints on a weekly basis.
Rating: 3

Sub-control area: Anti-Malware Updates
Benchmark: Procedures are in place to employ anti-malware software and signature auto-update features, or to have administrators manually push updates to all machines on a daily basis.
Acme Corporation: Updates to the clients are pushed every two hours.
Rating: 3

Sub-control area: Media Device Configuration
Benchmark: Policies and procedures for the configuration of laptops, workstations, and servers ensure that they will not auto-run content from USB tokens (i.e., “thumb drives”), USB hard drives, CDs/DVDs, FireWire devices, external serial advanced technology attachment devices, mounted network shares, or other removable media.
Acme Corporation: Policies or procedures to prevent auto-run of content from removable media are not in place.
Rating: 0

Malware Defenses Maturity Score: 2


IDENTIFIED RISKS

14 – REMOVABLE MEDIA

Risk Description: There are no technical or nontechnical safeguards (e.g., policies, procedures, rules of behavior) restricting the use of information system media that auto-run content from USB tokens (i.e., “thumb drives”), USB hard drives, CDs/DVDs, FireWire devices, external serial advanced technology attachment devices, mounted network shares, or other removable media. Policy S-025-09, Protection of Data on Portable Devices and Removable Media, defines removable media but does not restrict its use.

Impact/Risks:
• Malware that can give attackers unauthorized access to a device, transfer information from the device to an attacker’s system, and perform other actions that jeopardize the confidentiality of the information on the device.
• Theft or loss of removable media devices.

Recommendations:
• Revise and communicate the policies (Protection of Data on Portable Devices S-025-09, and Removable Media) to end users so that they restrict the use of unapproved media devices.
• Configure endpoint devices (including desktop computers) to prevent writing sensitive information to removable media, such as CDs or USB flash drives, unless the information is properly encrypted.
• Limit the use of portable storage devices to approved devices only, including, for example, devices provided by Acme Corporation, devices provided by other approved organizations, and devices that are not personally owned.
• Restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable portable storage devices, and implement this restriction by disabling or removing the capability to write to such devices.
• Ensure that anti-virus products are configured to scan temporary directories.
• Ensure that approved media devices are encrypted.
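Two of the recommendations above (disable auto-run, remove the ability to write to removable storage) are enforced on Windows endpoints through policy values, so compliance can be verified from a configuration snapshot rather than by inspecting each machine. The script below is an added example, not Absolute's code or a configuration the report prescribes. The registry locations are the standard Windows policy settings for these controls; the per-endpoint snapshots are constructed, and the decision that either write-blocking mechanism satisfies the control is this example's assumption.

```python
from typing import Dict, List

# Registry locations of the Windows policy values that implement the two
# controls (real Windows settings; using them as an audit baseline is this
# example's choice, not something the report prescribes).
AUTORUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"
WRITEPROTECT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect"
DENY_WRITE_KEY = (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
                  r"\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Deny_Write")

# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
DRIVE_REMOVABLE = 0x04
DRIVE_CDROM = 0x20
REQUIRED_AUTORUN_BITS = DRIVE_REMOVABLE | DRIVE_CDROM   # 0xFF (all drive types) is the usual hardened value

# Constructed per-endpoint snapshots (e.g. values collected by a configuration
# management tool). A missing key means the value is not set on that endpoint.
SAMPLE_SNAPSHOTS: Dict[str, Dict[str, int]] = {
    "WS-0001": {AUTORUN_KEY: 0xFF, DENY_WRITE_KEY: 1},      # hardened via Group Policy
    "WS-0002": {AUTORUN_KEY: 0x91},                         # removable/optical bits clear, nothing blocked
    "WS-0003": {AUTORUN_KEY: 0xFF, WRITEPROTECT_KEY: 0},    # auto-run off, USB still writable
    "WS-0004": {WRITEPROTECT_KEY: 1},                       # USB read-only, auto-run value absent
}


def check_removable_media(snapshot: Dict[str, int]) -> List[str]:
    """Return the control gaps for one endpoint (empty list = compliant).

    Auto-run must be disabled at least for removable and optical drives.
    Write blocking is satisfied by either mechanism: the StorageDevicePolicies
    WriteProtect flag or the Group Policy "Removable Disks: Deny write access"
    setting (assumption of this example).
    """
    gaps: List[str] = []
    autorun = snapshot.get(AUTORUN_KEY)
    if autorun is None or (autorun & REQUIRED_AUTORUN_BITS) != REQUIRED_AUTORUN_BITS:
        gaps.append("auto-run not disabled for removable/optical drives")
    if snapshot.get(WRITEPROTECT_KEY) != 1 and snapshot.get(DENY_WRITE_KEY) != 1:
        gaps.append("writing to removable storage not blocked")
    return gaps


def audit_fleet(snapshots: Dict[str, Dict[str, int]]) -> Dict[str, List[str]]:
    """Map each non-compliant endpoint to its list of gaps."""
    report: Dict[str, List[str]] = {}
    for device, snap in snapshots.items():
        gaps = check_removable_media(snap)
        if gaps:
            report[device] = gaps
    return report


if __name__ == "__main__":
    for device, gaps in audit_fleet(SAMPLE_SNAPSHOTS).items():
        print(device, "->", "; ".join(gaps))
```

A check like this only confirms that the policy values are present; it does not by itself prove the setting took effect on the endpoint, so it complements rather than replaces the console alerts the report recommends. Encryption of approved media (the last recommendation) is a separate control and is not covered by this check.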

DATA LOSS PREVENTION

Data Loss Prevention controls utilize a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Absolute’s focus for this assessment is data at rest on endpoints.

NIST 800-53 rev.4 Reference – SC-28(1), CA-7
SANS CIS Critical Security Controls Reference – 13.2, 13.4, 13.5
HITRUST v8 Reference – 07.a Inventory of Assets, 09.o Management of Removable Media, 06.h Technical Compliance Checking, 01.x Mobile Computing and Communications
HIPAA Reference – 164.310(d) (1) (2) (i) (iii)

SUB-CONTROL MATURITY SCORING

Sub-control area: Mobile Device Encryption
Benchmark: Procedures are in place to deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.
Acme Corporation: Policies and procedures are in place to encrypt mobile device hard drives that hold sensitive data. Policies require portable devices that contain sensitive data to be encrypted, but endpoints are not configured to enforce the requirement.
Rating: 3

Sub-control area: Data at Rest Scanning
Benchmark: Periodic procedures are in place to scan endpoints with automated tools to determine whether sensitive data (i.e., personally identifiable information, health, credit card, and classified information) is present on the system in clear text.
Acme Corporation: Procedures are not in place to scan endpoints for sensitive data.
Rating: 0

Sub-control area: USB Devices
Benchmark: Policies are in place to configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, validate that enterprise software is used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all authorized devices must be maintained.
Acme Corporation: Policies are in place to require that USB devices are secure, but procedures to configure systems to prevent writing data to USB tokens or USB hard drives are not.
Rating: 2

Data Loss Prevention Maturity Score: 1.7

IDENTIFIED RISKS

15 – ENDPOINT SCANS FOR ePHI

Risk Description: Procedures are not established to scan endpoints for the existence of ePHI.

Results from Absolute’s Endpoint Data Discovery scan are listed below.

Risk Exposure
Risk Score (across all devices): 3,083
Estimated Cost Exposure (USD, total across all devices): $261,509,987

Riskiest Devices
Columns: Rank, Identifier, Username, Estimated Cost Exposure (USD), Risk Score, Cloud Storage
1. 4CJUSJW32DA12WZ30116 – $3,249,466 – 9,384,957 – No
2. 4CJUSJW32DAA2WZ38490 – $2,693,491 – 6,026,048 – No
3. 4CJUSJW32DA12WZ32593 – $2,390,451 – 4,546,287 – No
4. 4CJUSJW32DAA2WZ33730 – $1,909,429 – 2,674,822 – No
5. 4CJUSJW32DA12WZ33801 – $1,780,949 – 2,269,212 – No

Endpoint Data Discovery Match Scores
Total match scores for policy groups: DDS 6 – 48,924,303

Impact/Risks: Increased risk of breach scenario.

Recommendations:
• Utilize Absolute’s Endpoint Data Discovery capabilities to identify endpoints with the existence of ePHI.
• Leverage device grouping capabilities to segregate and monitor endpoint devices based on job function and whether ePHI is handled, and monitor based on risk.
• Develop procedures to investigate and remediate endpoints with ePHI.
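The Data at Rest Scanning benchmark and this risk both turn on one mechanism: content inspection of files on the endpoint for patterns that indicate sensitive data, rolled up into a match score per file or device. The Python script below is an added example of that mechanism and is not Absolute’s Endpoint Data Discovery code. Its detectors (a Social Security Number pattern and a Luhn-checked card-number pattern), the per-match weights, and the sample file contents are all this example’s own simplifications; the match-score weighting in particular is an assumption and has no relation to the scores in the table above.

```python
import re
from typing import Dict

# Simplified detectors for two data types the benchmark names (the example's own
# patterns; commercial data discovery tools use far richer ones).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed

# Per-match weights used to roll matches up into a score (assumption for the
# example, not Absolute's EDD scoring).
WEIGHTS = {"ssn": 10, "pan": 15}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most arbitrary digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Dict[str, int]:
    """Count sensitive-data matches per category in one document's text."""
    counts = {"ssn": len(SSN_RE.findall(text)), "pan": 0}
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):          # drops order numbers, phone numbers and the like
            counts["pan"] += 1
    return counts


def match_score(counts: Dict[str, int]) -> int:
    """Weighted total of matches; higher means more sensitive content found."""
    return sum(WEIGHTS[cat] * n for cat, n in counts.items())


def scan_files(files: Dict[str, str]) -> Dict[str, dict]:
    """files maps a path to its extracted text; returns only files with matches."""
    results = {}
    for path, text in files.items():
        counts = scan_text(text)
        if any(counts.values()):
            results[path] = {"counts": counts, "score": match_score(counts)}
    return results


# Constructed sample files (paths and contents invented for the example).
SAMPLE_FILES = {
    r"C:\Users\alice\Documents\patients.csv":
        "name,ssn,card\nJane Roe,123-45-6789,4111 1111 1111 1111\n",
    r"C:\Users\alice\Desktop\notes.txt":
        "call 555-867-5309 about order 1234567890123\n",   # 13 digits but fails Luhn
    r"C:\Users\bob\readme.txt":
        "nothing sensitive here\n",
}

if __name__ == "__main__":
    for path, r in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {r['counts']} score={r['score']}")
```

On the sample data only patients.csv is reported; the thirteen-digit order number in notes.txt is a regex candidate but fails the Luhn check, which is the kind of filtering that keeps a data-at-rest scan from flooding the investigation procedure in the last recommendation with false positives. A real scan would also need to extract text from binary formats (office documents, PDFs, mail stores) before applying the detectors.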


16 – ENCRYPTION NOT ENABLED

Risk Description: Absolute identified 193 Acme Corporation endpoints that did not have full disk encryption enabled or installed.

Encryption Status
Encrypted (installed and encrypted): 80%
Not Encrypted (installed and not encrypted): 1%
Not Detected (unknown or missing): <1%
No Data (not reporting or no policy): 18%

Encryption product counts:
Check Point Full Disk Encryption: 15,868
BitLocker Drive Encryption Driver: 213
--: 63
Other Product: 4
No Data: 3,558
Not Detected: 63

Impact/Risks: Increased risk of breach scenario.

Recommendations:
• Leverage Application Persistence to remotely install and persist your critical encryption applications (Check Point, BitLocker).
• Work with your Absolute Technical Consultant to generate a list of devices that need encryption installed or enabled.
• Establish alerts within the Absolute console to identify devices that are not encrypted in a timely manner.


SUMMARY OF RECOMMENDATIONS

RISK / RECOMMENDATIONS

1 – Automation and Accuracy
• Perform initial reconciliation of endpoint assets and associated information between the Absolute and ServiceNow databases.
• Implement the use of an API to feed information between the Absolute and ServiceNow databases.
• Establish periodic reconciliation procedures to ensure the integrity and accuracy of the asset databases.

2 – Asset Inventory Completeness
• Identify all endpoint assets that have not been recorded and input in Absolute and ServiceNow.

3 – Asset Inventory Lifecycle – Acquisition
• If available from the device vendor, have the Absolute agent installed prior to delivery.

4 – Asset Inventory Lifecycle – Retirement
• Work with your Absolute Technical Consultant to generate a list of devices that should be removed from the Absolute environment.
• Work with your Absolute Technical Consultant to submit Agent Removal requests for devices that should not have an active license.
• Configure alerts to identify devices reaching their end of life or end of lease.

5 – Software Sun-setting
• Create a listing of authorized software.
• Scan endpoints to identify software that is not authorized and remove it from endpoints.
• Utilize application whitelisting functionality in SCCM.
• Leverage Absolute alert functionality to identify and remediate endpoints with unauthorized software.

6 – Standard Operating Procedures
Standard operating procedures for managing software on endpoints should be drafted, approved, and communicated.

7 – Remote Access Applications
• Work with your Absolute Technical Consultant to identify devices with applications that are of concern.
• Notify end users of compliance issues if any are found.
  o This could be done directly from the console using End User Messaging (EUM).
• Using Absolute Device Freeze, take action on devices that are not willing to comply with stated policies after being provided appropriate time to comply.
• Utilize Absolute Software reporting capabilities to monitor for remote access applications on endpoint devices.

8 – Peer to Peer Applications
• Work with your Absolute Technical Consultant to identify devices with applications that are of concern.
• Notify end users of compliance issues if any are found.
  o This could be done directly from the console using End User Messaging (EUM).
• Freeze devices that are not willing to comply with stated policies after being provided appropriate time to comply.

9 – Cloud Applications
• Work with your Absolute Technical Consultant to identify devices with applications that are of concern.
• Notify end users of compliance issues if any are found.
  o This could be done directly from the console using End User Messaging (EUM).
• Freeze devices that are not willing to comply with stated policies after being provided appropriate time to comply.

10 – FTP Applications
• Validate the business need for use of FileZilla on the 131 identified endpoints.
• Determine if FileZilla is configured to ensure that the transmission of ePHI is encrypted for each of the 131 users.
• Take appropriate actions to ensure that only authorized users utilize sufficient encryption (SFTP) when using FileZilla.


RISK / RECOMMENDATIONS (continued)

11 – SCCM Status
• Work with Absolute to leverage Application Persistence to ensure that SCCM clients on endpoints are always installed.
• Periodically reconcile the Absolute SCCM status report with SCCM reporting information to identify endpoints that have not been receiving patches or that have an unhealthy status, and remediate.
• For devices that are unreachable via SCCM, issue an End User Message requesting that the user reach out to their IT support team for remediation.

12 – Gold Disk Updates
IT Management should implement a process to ensure that baseline or gold disks are patched with the same frequency as patches are issued to endpoint devices.

13 – Scanning Tool Definitions
Anti-virus products should be well maintained, as they can be a critical component of maintaining device and network security. Additionally, we recommend the use of both software policies and alerts to detect any suspicious or at-risk behavior, such as out-of-date AV definitions or devices that do not contain an AV product.

14 – Removable Media
• Revise and communicate the policies (Protection of Data on Portable Devices S-025-09, and Removable Media) to end users so that they restrict the use of unapproved media devices.
• Configure endpoint devices (including desktop computers) to prevent writing sensitive information to removable media, such as CDs or USB flash drives, unless the information is properly encrypted.
• Limit the use of portable storage devices to approved devices only, including, for example, devices provided by Acme Corporation, devices provided by other approved organizations, and devices that are not personally owned.
• Restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable portable storage devices, and implement this restriction by disabling or removing the capability to write to such devices.
• Ensure that anti-virus products are configured to scan temporary directories.
• Ensure that approved media devices are encrypted.

15 – Endpoint Scans for ePHI
• Utilize Absolute EDD capabilities to identify endpoints with the existence of ePHI.
• Leverage EDD device grouping capabilities to segregate and monitor endpoint devices based on job function and whether ePHI is handled, and monitor based on risk.
• Develop procedures to investigate and remediate endpoints with ePHI.

16 – Encryption Not Enabled
• Leverage Application Persistence to remotely install and persist your critical encryption applications (Check Point, BitLocker).
• Work with your Absolute Technical Consultant to generate a list of devices that need encryption installed or enabled.
• Establish alerts within the Absolute console to identify devices that are not encrypted in a timely manner.

COPYRIGHT

© Copyright 2017 Absolute. All Rights Reserved. This is unpublished material and contains confidential information and is subject to a confidentiality agreement. The unauthorized possession, use, reproduction, distribution, display, or disclosure of this material or the information contained herein is prohibited.

The methodologies and processes used in the conduct of this engagement are considered proprietary intellectual property of Absolute, and may not be disclosed without written permission from Absolute. Absolute authorizes you to copy this report for the purposes of disseminating information within your organization or any regulatory agency.

Endpoint-Risk-Assessment-Report-101717