Table 2. Basic Endpoint Controls to Mitigate Risk at Endpoints

Control: Antivirus (AV)
Description: Technology capable of detecting known malware using signatures, heuristics, and other techniques
Implementation Specification:
• Push AV packages out using endpoint management systems that interface with Windows and Apple operating systems (OS).
• Develop metrics to monitor the status of AV engines, signature updates, and health.
• Dispatch field services/desktop support for malware that is detected but not automatically mitigated.
• Leverage network access control (NAC) to conduct a validation check prior to enabling network access.
• Ensure that encryption is enabled on new endpoints acquired by the organization.

Control: Full disk encryption
Description: Technology capable of encrypting an entire disk to make it unreadable to unauthorized individuals
Implementation Specification:
• Connect encryption management to endpoint management systems that interface with both Windows and Apple OS.
• Develop metrics to monitor the status of encryption.
• Dispatch field services/desktop support teams to resolve encryption errors.
• Use anti-theft cable locks to lock down any device that cannot support encryption.
• Leverage NAC to conduct a validation check prior to enabling network access.
• Limit usage of local administrator accounts. Enable only the local administrative rights required by the user, using a separate account dedicated to this purpose.

Control: Hardened baseline images
Description: Configure the endpoint operating system in the most secure manner possible
Implementation Specification:
• Enable local firewalls and limit inbound access to the endpoint to only required ports.
• Disable weak authentication hashes (e.g., LANMAN, NTLM version 1.0).
• Prevent software from auto-running/starting, especially when using thumb drives.
• Disable unnecessary services and programs.
• Permit usage only of known hardware-encrypted thumb drives for writing data.
• Review and consider the implementation of Security
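The controls in Table 2, as an added PowerShell audit that is not part of the source document: it reads the AV, BitLocker, firewall, LM/NTLM, AutoRun and local-administrator state of one Windows endpoint and reports pass/fail per control, which is the raw material for the status metrics the table asks for. Assumed: Windows 10/11 with Microsoft Defender and the BitLocker, NetSecurity and LocalAccounts modules, an elevated session, a 3-day signature-age threshold, and the built-in Administrator as the only expected local admin.

```powershell
# Added example, not from the source document: read-only audit of Table 2 controls
# on one Windows endpoint. Assumes Windows 10/11, Microsoft Defender, BitLocker,
# NetSecurity and LocalAccounts modules, and an elevated session.
function Test-EndpointBaseline {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
    }

    # Antivirus: real-time engine on and signatures fresh (3-day threshold is an assumed metric)
    $mp = Get-MpComputerStatus
    $sigAge = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
    Add-Finding 'AV real-time protection' $mp.RealTimeProtectionEnabled "Enabled=$($mp.RealTimeProtectionEnabled)"
    Add-Finding 'AV signatures current' ($sigAge -le 3) "Signature age $sigAge day(s)"

    # Full disk encryption: OS volume fully encrypted with protection turned on
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | Select-Object -First 1
    $fde = ($os.VolumeStatus -eq 'FullyEncrypted') -and ($os.ProtectionStatus -eq 'On')
    Add-Finding 'Full disk encryption' $fde "$($os.MountPoint) $($os.VolumeStatus)/$($os.ProtectionStatus)"

    # Local firewall: every profile enabled and blocking inbound by default
    $fw = Get-NetFirewallProfile
    $fwOk = @($fw | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }).Count -eq 0
    Add-Finding 'Firewall inbound default block' $fwOk (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)/$($_.DefaultInboundAction)" }) -join ', ')

    # Weak hashes: LmCompatibilityLevel 5 refuses LM and NTLMv1; NoLMHash stops storing LM hashes
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    Add-Finding 'LM/NTLMv1 disabled' (($lsa.LmCompatibilityLevel -eq 5) -and ($lsa.NoLMHash -eq 1)) "LmCompatibilityLevel=$($lsa.LmCompatibilityLevel) NoLMHash=$($lsa.NoLMHash)"

    # AutoRun: NoDriveTypeAutoRun 0xFF disables AutoRun on all drive types, thumb drives included
    $explorer = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    Add-Finding 'AutoRun disabled' ($explorer.NoDriveTypeAutoRun -eq 255) "NoDriveTypeAutoRun=$($explorer.NoDriveTypeAutoRun)"

    # Local administrators: anything beyond the built-in Administrator is flagged for review (assumed expected set)
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    $extra = $admins | Where-Object { $_ -notmatch '\\Administrator$' }
    Add-Finding 'Local admin group minimal' (@($extra).Count -eq 0) ("Members: " + ($admins -join ', '))

    return $findings
}

# Print per-control results; the failed-check count is the metric to forward to monitoring.
$results = Test-EndpointBaseline
$results | Format-Table -AutoSize
"$(@($results | Where-Object { -not $_.Pass }).Count) control(s) failed"
```

On a domain-joined host the Administrators group will normally also contain Domain Admins, so the last check is a prompt for review rather than a hard failure.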