Avoiding the risks of vulnerable endpoints - Image by rawpixel from PixabayIn today’s world of constant and escalating threats, breaches are a commonplace occurrence. PCs are a constant headache for security teams when it comes to securing IT infrastructure. Whether they are running Windows, MacOS or Linux, users inevitably change PCs to suit their needs. They add applications and store data locally. They also access unsafe web sites and receive and click on phishing emails.

This results in the security status of any given PC being always unique and unpredictable. A device may be compromised, or compromisable at any level, from the registry through to the operating system to the web browser and other applications.

Of course, there are certain precautions that can, and should, be taken to reduce these risks. These include limiting access to admin rights, running anti-virus, filtering incoming content and the black- and/or white-listing of applications. However, what if a PC’s registry operating system and browser could always be guaranteed to be in a known secure and healthy state every time it was booted? Being able to do this makes sense as PCs are increasingly used as cloud gateways to support flexible and mobile working.

All that matters when a user starts up a virtual cloud-based desktop is that the supported infrastructure on the access device is safe. Such a capability also suits other high-risk use cases where PCs are regularly shared between ad hoc users or where third-party access is required for managing remote infrastructure.

But why are PCs such a potential weak point in the IT infrastructure?

One key reason is the magnitude and complexity of software that sits on a typical endpoint such as a desktop. If you think about a full-blown operating system and all the applications and browsers that get loaded and executed on these devices, inevitably there will be vulnerabilities. As an industry we have got much better at publishing and automating the publication of vulnerabilities and subsequently providing patches. That said, the degree of complexity has inevitably meant that organisations struggle to ensure that they have patch regimes in place that can patch the entirety of their device in a robust way. This leaves a window of opportunity for bad actors to exploit.

The other point here is that PCs are typically how the user interfaces with an organisation’s IT infrastructure. But users are a weak point and unfortunately that won’t change. However, much we train our employees to understand the threat dangers, such as phishing emails, unfortunately that risk is not going to go away. Today emails continue to be one of the main attack vectors for organisations.

Are thin clients the solution?

As a result, endpoints continue to rank highly as a target. As more computing moves to the cloud, why do physical PCs persist? Why not move all your users over to thin clients?

For many user communities within organisation, they need more functionality than a thin client can give them. That might mean extensive use of offline applications or the need to run applications natively on the device rather than accessing them via an online set up. However, increased cloud options means there are an increasing number of communities within organisations that don’t need a full-blown PC or the costs and risk associated with managing them.

This creates an opportunity as organisations move to cloud and online services. They can optimise end user devices that are accessing these services from a security and cost perspective by not deploying full-blown operating systems. Traditional thin clients are also vulnerable to exploits: even a thin client or a zero client has software running that can be exploited. And the downside of traditional thin clients is that the organisation will typically have less security tools to monitor and detect that they have been compromised.

Therefore, a combination of the required need for flexible working and also legacy devices means that the PC is not going to disappear anytime soon.

Creating a secure endpoint

To overcome some of the challenges highlighted above, Becrypt has developed a secure Linux-based operating system called Paradox. The origins of the product came out of some work we did with the National Cyber Security Centre (NCSC). We were asked to create an environment that allowed organisations to share IT infrastructure from one government department to another. To do that they needed secure endpoints. All of these departments were operating off the same standard in terms of security posture of the endpoint. But they also needed the ability to identify devices across the organisation.

We were engaged to build a security-focused operating system that met that requirement for a secure endpoint. We also implemented a remote attestation protocol. It ensures devices could prove both the identity and the integrity of the device across multiple organisations and departments. This included those outside of government such as contractors and third-party suppliers and partners. In effect, we provided the assurance that devices running on Paradox were always in a known healthy state.

This work started with government and is particularly applicable for classified environments. These demand a high degree of confidence in the health of the desktops used to access private cloud services. We have now found that Paradox also maps into the private sector.

Not about replacing all the desktops

We are not looking to replace all desktops in large enterprise organisations. Where we fit is within organisations who have a high value requirement that justifies deploying Paradox. Let me give you a few use cases. Recently we deployed Paradox into a Security Operations Centre (SOC). Devices running the SOC need to be in a very secure and healthy state. We have also deployed Paradox into publicly accessible kiosk systems located at train stations and travel agencies. This provides a very simple way for organisations to push out a very secure but easy to manage software environment across a very geographically dispersed device landscape.

Remote access is another use case for Paradox. Organisations want to gain a high degree of confidence that employees are accessing services from a known healthy state. Travel kits is another good example. Often organisations are challenged with determining what device their executives can use that is lightweight when they travel. Executives, travelling with laptops, need assurance that they haven’t been tampered with. Paradox provides a very easy secure travel environment.

Patch remediation still takes too long

One key benefit is that we solve one of the big challenges that organisations have today around patch management. The average time to affect a data patch is still far too long. Patching can be quite complex for organisations. It is not just about the OS but the interaction and compatibility between the different apps and operating systems. With Paradox we simplify and automate the patching process. In the process this helps organisations to avoid the risk of vulnerable endpoints.

Becrypt Logo (c) BecryptWith a heritage of creating UK National Cyber Security Centre (NCSC) certified products, Becrypt is a trusted provider of endpoint cybersecurity software solutions. Becrypt helps the most security conscious organisations to protect their customer, employee and intellectual property data. It has an established global client base which includes governments (central and defence), wider public sector, critical national infrastructure organisations and SMEs.

As one of the early pioneers in disk encryption software to today being first to market with a unique desktop operating system, Becrypt continues to bring innovation to endpoint cyber security technology. A recognised cyber security supplier to governments around the world, Becrypt’s software also meets other internationally accredited security standards. Through its extensive domain and technical expertise, Becrypt helps organisations optimise the use of new cyber security technologies and its flagship security solution Paradox delivers a highly secure platform for the modern age.


Please enter your comment!
Please enter your name here