When Is a Desktop Not a Desktop?

Don Gray
As technologists and security practitioners, we tend to lump like things together to reduce complexity and identify trends. For instance, in describing the assets of a company we might break them down into the following general categories:

  • Devices
  • Servers
  • Desktops

And we will likely further sub-divide those categories into things like:

  • Devices
      • Network
          • Router
          • Switch
      • Security
          • Firewall
          • IDS
          • Proxy
  • Servers
      • Web
      • Mail
      • ERP

But aside from organizations that have to segregate based on their PCI Cardholder Data Environment (CDE), I rarely see much differentiation within desktops. They are secured, assessed, patched and reported on as an aggregation.

This can be a very costly mistake in two very specific cases:

Corporate Account Processing: According to the Financial Services - Information Sharing and Analysis Center (FS-ISAC), corporate account takeover, once the problem of just large corporations, is now affecting thousands of organizations yearly. Large corporations, SMBs, municipalities and non-profits are now targeted with the goal of issuing counterfeit checks, initiating and verifying funds transfers and making account changes that can lock the owner out of their own account. Federal Reserve Regulation E protects consumers from certain losses but does not apply to business accounts.

Typically initiated through an email or Web-delivered payload, malicious software makes its way to the accountant's, treasurer's or bookkeeper's desktop. Various phishing, spear-phishing and impersonation techniques are used to entice a well-meaning user to activate the malware. Once in place, additional rootkits, keyloggers, and command and control tools are typically installed.

As you can imagine, having the contents of its business account cleaned out in seconds by a wire transfer can be a non-recoverable, devastating blow to an SMB, non-profit or municipality.

Virtual Server Administration: Virtualization provides tremendous cost-savings potential to organizations through the abstraction of physical hardware from the systems that run on it. It enables systems to be instantiated with a click of a mouse. Entire infrastructure changes can be effected in minutes instead of days.

I used to have an employee who said "If you are going to put all your eggs in one basket, you better make damn sure it's a REALLY good basket." Virtualization puts all your IT eggs in one basket - your administrator's desktop. Or should I say laptop?

Convenience, speed and efficiency cut both ways. Compromise of the administrator's desktop allows a malicious actor to quickly and efficiently take over significant portions of your IT.

Ahh, but I hear you saying you have endpoint security in place. Well, in a disturbing trend that Solutionary is seeing with our log-monitoring customers, endpoint security software may be identifying known Trojans or bots, but in many cases the software is unable to quarantine or remove the malware. Unless you are watching the details of the log events these systems produce, you may mistakenly believe that because an alert was produced, the malware was ineffective.
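The log review described above, as an added example (not Solutionary's tooling and not code from the original post): it groups endpoint detection events by host and threat and reports those that never reached a successful quarantine or removal, ranking the two special desktop classes first. The key=value log format, host names, threat names and role map are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events in a made-up key=value format (not any real product's schema).
SAMPLE_LOG = """\
2012-02-01T09:14:02Z host=ws-0412 user=jdoe threat=Trojan.Generic action=quarantine status=success
2012-02-01T09:20:45Z host=fin-term-01 user=treasurer threat=Trojan.Banker action=quarantine status=failed
2012-02-01T09:21:10Z host=fin-term-01 user=treasurer threat=Trojan.Banker action=delete status=failed
2012-02-01T10:02:33Z host=ws-0377 user=asmith threat=Bot.Agent action=delete status=failed
2012-02-01T10:05:00Z host=ws-0377 user=asmith threat=Bot.Agent action=quarantine status=success
2012-02-01T11:47:19Z host=vadmin-01 user=vmadmin threat=Backdoor.Rat action=clean status=failed
2012-02-01T12:30:51Z host=ws-0500 user=bjones threat=Bot.Agent action=quarantine status=failed
not a parsable line
"""

# Hypothetical asset roles: the two desktop classes the article singles out.
CRITICAL_HOSTS = {"fin-term-01": "corporate account processing",
                  "vadmin-01": "virtual server administration"}
FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return a dict of fields, or None if the line is not a detection event."""
    parts = line.split(None, 1)  # timestamp, then key=value pairs
    if len(parts) != 2:
        return None
    event = dict(FIELD.findall(parts[1]))
    if not {"host", "threat", "action", "status"} <= event.keys():
        return None
    return event

def unremediated(log_text):
    """Find (host, threat) pairs that were detected but never successfully remediated."""
    outcomes = defaultdict(list)
    for line in log_text.splitlines():
        event = parse(line)
        if event:
            outcomes[(event["host"], event["threat"])].append(event["status"])
    findings = []
    for (host, threat), statuses in outcomes.items():
        if "success" not in statuses:  # an alert fired, but the malware is still there
            role = CRITICAL_HOSTS.get(host)
            findings.append({"host": host, "threat": threat, "attempts": len(statuses),
                             "priority": "critical" if role else "high", "role": role})
    # Critical terminals first, then by host name for stable output.
    return sorted(findings, key=lambda f: (f["priority"] != "critical", f["host"]))

if __name__ == "__main__":
    for finding in unremediated(SAMPLE_LOG):
        print(finding)
```

A host whose retry eventually succeeded (ws-0377 in the sample) is not reported; only detections with no successful action remain.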

So when is a desktop (or laptop) not a desktop? When it has any involvement in either corporate account processing or virtual server administration. I would argue that in these two specific cases, those desktops are really special-purpose terminals or consoles. Because of that, the following controls should be in place:

  • Limited physical access w/ auditing
  • Single-purpose usage, not an individual's machine
  • No removable media access (CD, DVD, USB); remove the devices and epoxy the ports closed or buy metal enclosures
  • Stripped of all unnecessary software
  • Limited user rights
  • Limited network access (in-bound and out-bound)
  • Up-to-date anti-virus and anti-malware software
  • 24x7 continuous monitoring w/ LDAP user integration

I believe by following these recommendations, for the cost of some unused floor space, a couple of commodity PCs and some security software and monitoring, you can significantly reduce your IT risk both financially and operationally.

