Tip

Endpoint security may not keep your enterprise safe

Many people believe that every network device and endpoint should be responsible for its own security. As a result, desktop security is often set up in layers, so that if malicious software manages to get through one point, there's another point of protection.

While this is a popular method -- and it deserves your attention -- I contend that endpoint security is worthless for virulent malware (the kind you buy endpoint security products to protect against). If you haven't stopped malignant code at your perimeter, then you've already lost the battle, and your efforts ought to be directed toward cleanup and getting back to a known-good environment.

Endpoint security agents are just another thing to manage on top of other software packages that require planning, deployment, maintenance, tracking, relicensing, upgrading and removal. You need to learn how to use security software because a misconfigured product is not only worthless; it's also negligent behavior and an invitation to attack. It's also another expense for your company. In today's era of tightened budgets, you're probably under pressure to make IT look a little more like a profit center and a little less like a cost center.

In addition, have you ever heard the old saying, "An ounce of prevention is worth a pound of cure"?

There are many reasons why it's better to stop malware of any kind from getting into your network than to rely on desktop programs to stop it. Internally, firewalls have as many holes as Swiss cheese. For instance, ports are opened to access old versions of QuickBooks, and users need Remote Desktop Protocol to access lab machines from their desktops. These firewalls are meant as a last line of defense -- and they're not even great at that.

Furthermore, human error can cause disastrous results. Regardless of how many times (and how many ways) you tell someone not to open email attachments from an unknown second party, the very second they see a cute puppy face, they're double-clicking even if Hosni Mubarak sent it to them. (No, they're probably not old friends.)

Think of the human body -- you'd rather keep out harmful foreign substances completely than fight them internally. Your network should operate similarly. Individual desktops shouldn't have to stave off potentially life-threatening infections to your network.

Edge protection is where you should be defending your network. Spend your efforts and money making sure the malware never gets into your network in the first place.

ABOUT THE AUTHOR
Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. His books include RADIUS, Hardening Windows and, most recently, Windows Vista: Beyond the Manual.

This was first published in March 2011
