And we will likely further sub-divide those categories into things like:
But aside from organizations that have to segregate based on their PCI Cardholder Data Environment (CDE), I rarely see much differentiation within desktops. They are secured, assessed, patched and reported on as an aggregation.
This can be a very costly mistake in two very specific cases:
Corporate Account Processing: According to the Financial Services - Information Sharing and Analysis Center (FS-ISAC), corporate account takeover, once the problem of just large corporations, is now affecting thousands of organizations yearly. Large corporations, SMBs, municipalities and non-profits are now targeted with the goal to issue counterfeit checks, initiate and verify funds transfers and make account changes that can lock the owner out of their own account. Federal Reserve Regulation E protects consumers from certain losses but does not apply to business accounts.
Typically initiated through an email or Web-delivered payload, malicious software makes its way to the accountant, treasurer or bookkeeper's desktop. Various phishing, spear-phishing and impersonation techniques are used to entice a well-meaning user to activate the malware. Once in place, additional rootkits, keyloggers, and command-and-control tools are typically installed.
As you can imagine, having the contents of the organization's business account cleaned out in seconds by a wire transfer can be a non-recoverable, devastating blow to an SMB, non-profit or municipality.
Virtual Server Administration: Virtualization provides tremendous cost-savings potential to organizations through the abstraction of physical hardware from the systems that run on it. It enables systems to be instantiated with a click of a mouse. Entire infrastructure changes can be effected in minutes instead of days.
I used to have an employee who said "If you are going to put all your eggs in one basket, you better make damn sure it's a REALLY good basket." Virtualization puts all your IT eggs in one basket - your administrator's desktop. Or should I say laptop?
Ahh, but I hear you saying you have endpoint security in place. Well, in a disturbing trend that Solutionary is seeing with our log-monitoring customers, endpoint security software may be identifying known Trojans or bots, but in many cases the software is unable to quarantine or remove the malware. Unless you are watching the details of the log events these systems produce, you may mistakenly believe that because an alert was produced, the malware was ineffective.
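To make the "alert does not mean remediation" point concrete, here is an added example (not code from the original post or from Solutionary) that walks a handful of constructed endpoint-security log lines and reports threats that were alerted on but never successfully quarantined or removed, then narrows that to the hosts you have designated as account-processing or virtualization consoles. The log field layout and host names are assumptions for the example.

```python
import re

# Constructed sample endpoint-security log lines (not from any real product).
# Field layout is an assumption: timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z host=acct-ws07 user=treasurer threat=Trojan.Generic action=detected result=n/a
2024-03-04T09:12:05Z host=acct-ws07 user=treasurer threat=Trojan.Generic action=quarantine result=failed
2024-03-04T09:30:44Z host=vadmin-lt02 user=vmadmin threat=Bot.Generic action=quarantine result=success
2024-03-04T10:02:10Z host=hr-ws11 user=jsmith threat=Adware.Foo action=remove result=success
2024-03-04T10:15:19Z host=acct-ws03 user=bookkeeper threat=Keylogger.X action=detected result=n/a
"""

LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<kv>.*)")

# Actions that, when reported as successful, count as the malware actually being dealt with.
REMEDIATING_ACTIONS = {"quarantine", "remove", "delete"}


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
        fields["ts"] = m.group("ts")
        events.append(fields)
    return events


def unremediated_threats(events):
    """Return (host, threat) pairs that produced an alert but never a successful quarantine/removal.

    A later successful remediation for the same host/threat clears an earlier failure, so the
    result reflects the final state, not just the first alert seen."""
    remediated = {}
    for e in events:
        key = (e["host"], e["threat"])
        success = e["action"] in REMEDIATING_ACTIONS and e["result"] == "success"
        remediated[key] = remediated.get(key, False) or success
    return [key for key, ok in remediated.items() if not ok]


def special_purpose_hosts_at_risk(events, special_hosts):
    """Of the unremediated threats, keep only those on hosts designated as
    account-processing or virtualization-administration consoles (a set you maintain)."""
    return [key for key in unremediated_threats(events) if key[0] in special_hosts]
```

Feeding this the sample log flags Trojan.Generic on acct-ws07 (quarantine failed) and Keylogger.X on acct-ws03 (detected only), while the successfully quarantined bot on vadmin-lt02 is not reported.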
So when is a desktop (or laptop) not a desktop? When it has any involvement in either corporate account processing or virtual server administration. I would argue that in these two specific cases, those desktops are really special-purpose terminals or consoles, and because of that, the following controls should be in place:
I believe by following these recommendations, for the cost of some unused floor space, a couple of commodity PCs and some security software and monitoring, you can significantly reduce your IT risk both financially and operationally.