Mathias Huber, Author at IGEL
https://www.igel.com

Preventative Security for your Endpoints – Prevention Is Better Than Cure
https://www.igel.com/blog/preventative-security-for-your-endpoints-prevention-is-better-than-cure/
Thu, 25 Jan 2024 09:00:25 +0000

IGEL’s Preventative Security Model™ provides a secure endpoint OS for your use case.

It’s clear from the headlines that today’s approach to endpoint security isn’t working: take your OS, install antivirus, the latest XDR and DLP, make a lot of settings, harden that with custom scripts, install your applications, keep updating those applications and the OS and the AV and DLP… and hope that all these steps keep the wolf from the door and the ransomware out of your systems. Does your business financial data, personal health information or any other data feel secure?

With many of today’s workloads moving from the endpoint to SaaS, DaaS, VDI or being accessed through secure browsers, and many organizations looking at how to apply Zero Trust, isn’t it time to re-evaluate the endpoint?

What if you could put an endpoint OS into your workforce’s hands that was designed for the cloud-first world and doesn’t need high levels of care and feeding to remain healthy? Something that is more robust by its nature, with built-in preventative components or measures, as in “Prevention is better than cure”?

IGEL OS applies a number of core principles that make it a secure choice as an endpoint OS – the Preventative Security Model™.

A Safe Place for Your Data

The best place for your business data is definitely not on the endpoint device that could be lost, stolen or left on a plane. Put your applications and data on servers in a data center – whether you call this approach server-based computing, VDI, cloud, DaaS or SaaS. Windows and its applications run great there; SaaS applications have proven to be more secure than the endpoint – patched by professionals, constantly updated, protected by network security, physical security, fire protection, uninterruptible power supplies, backup, failover…

With this approach, your endpoint can run a minimal system that excels in securely enabling access to your hosted workloads. The endpoint now holds nothing of interest for an attacker – ticking the device box for your Zero Trust review.

Encrypted

The configuration information, which is the only item of potential value, is stored by IGEL OS on a separate disk partition encrypted with industry-standard AES256 in XTS-plain64 mode with 512 bits of key material. If your hardware supports TPM 2.0, IGEL OS will use it to protect the encryption keys.

Read-Only Is Robust

The rest of IGEL OS, its Linux operating system and the programs, are mounted read-only. This means that a user – or malware – can’t change them by mistake or by ill intent. And it also means that malware can’t find a foothold there and persist. Its solid Linux foundation kept NHS hospitals using IGEL OS functioning when many others were brought down by the WannaCry malware wave that affected Windows in 2017.

Additionally, all the disk partitions on IGEL OS are cryptographically hashed and signed. This guarantees they come from IGEL and have not been tampered with. The signatures are checked on every boot, during runtime, and before you install a system update or an IGEL OS app. Also, IGEL uses UEFI Secure Boot with a signed bootloader and Linux Kernel to make sure the booted system is trustworthy.

Endpoint Control

Besides this core OS robustness, IGEL’s Universal Management Suite (UMS) lets you lock down every IGEL endpoint to control everything from a system’s network configuration to when the screensaver and screenlock kick in. With the IGEL App Portal, you install only what your staff need to do their work, and nothing more. IGEL native apps are available from Citrix, VMware, Imprivata, Cisco, Okta and more. IGEL OS logs can be forwarded to your SIEM of choice, integrating with your monitoring and alerting frameworks for familiar and coherent visibility.

Restore and Update Fast

It is also easy to replace an IGEL OS endpoint that has failed: IGEL ships from the factory on HP, Lenovo and LG devices, or you can install IGEL OS on an existing device that you have on hand within a matter of minutes. After a complete factory reset, the existing hardware will pull down its latest configuration and apps from UMS and is ready to be used.

Due to the much smaller IGEL OS footprint, a full system update finishes within a few minutes and can be scheduled outside office hours using UMS. IGEL’s failsafe update keeps the previous system as a fallback should the update fail, maybe because of a power cut. This means that an IGEL OS device will always be able to boot, get on the network and keep employees productive.

Tested and Trusted

To make and keep IGEL OS secure, IGEL has a dedicated Security Team and employs a Secure Software Development Lifecycle (SSDLC) that covers all steps from the idea and design of a new feature up to its release in a new product version. It contains in-house tasks as diverse as threat modeling, design review, code review, static and dynamic application security testing and documentation. Additionally, we have all our software undergo independent penetration testing by external providers every year.

Save Time, Money and Nerves

This is, in very short terms, the Preventative Security Model™ of IGEL OS. It is supported by a company with more than 20 years of experience in end user computing and Linux – a company with the experience and knowledge to support you. IGEL will help you save time, money, and nerves, despite the ever-increasing crescendo of security issues clamoring for your attention.

 

IGEL Announces Zero Day Support for Latest Intel Microcode Updates
https://www.igel.com/blog/igel-announces-zero-day-support-for-latest-intel-microcode-updates/
Tue, 09 Jun 2020 16:01:54 +0000

No one’s code is perfect! Remember Spectre and Meltdown? The fact is that 100% secure code is just not possible. However, a speedy response to these and other emerging threats makes all the difference when it comes to securing the endpoint.

That’s why IGEL is pleased to share the news that we are offering zero-day support, with IGEL UD2 and UD6 endpoints, for the Intel microcode M01406C4411 (for UD2) and M0C30678_838 (for UD6), announced today in their latest security notification.

“With support for Intel’s latest microcode updates, IGEL is enabling our mutual partners and customers to close the door quickly on security threats,” said Alec Gefrides, General Manager, Retail Division, Intel. “IGEL excels at providing security solutions for cloud workspaces, and we place tremendous value on our partnership with their team in bringing to market innovative endpoint solutions for the enterprise.”

At IGEL, we all know that when it comes to security, we have to be faster and more responsive than the bad guys. To that end, IGEL’s secure “chain of trust” begins with the UEFI secure boot, available through IGEL OS, and goes all the way through to the virtualization session in the datacenter. Being secure is one thing, being up-to-date is another; so IGEL endpoints, wherever they are, can be updated with a simple “drag and drop” operation from a central management console to prevent the next wave of attacks.

Update Instructions

IGEL OS users need not update the BIOS/UEFI. Instead, the microcode released by Intel will be applied at boot time by IGEL OS.

  • IGEL OS 11: Update to IGEL OS 11.03.580 or newer.
  • IGEL OS 10: Update to IGEL OS 10.06.180 or newer.

Let us show you today how we are helping our partners and customers protect mission-critical data and applications and the endpoint. For more information, view the security notice posted on the IGEL Knowledge Base.

 

UMS 6.03: Enterprise Ready!
https://www.igel.com/blog/ums-6-03-enterprise-ready/
Fri, 08 Nov 2019 08:00:00 +0000

IGEL recently introduced the latest release of its award-winning endpoint management tool — the IGEL Universal Management Suite (UMS). With this release, IGEL UMS 6.03.110, we’ve included several significant improvements.

To begin with, the IGEL UMS Console, which system administrators use for their daily work, has been refined and optimized for even faster management of large numbers of devices – ranging from a few endpoints to upwards of tens of thousands of devices.

Further, secure shadowing of devices outside the corporate LAN (via IGEL Cloud Gateway) has also been added, enabling helpdesk staff to see users’ screens, even when they are working remotely from their home office or traveling.

Finally, the release is nicely rounded out with many nifty user experience features such as copying a device’s complete system information to the clipboard in one click.

Additionally, the complete IGEL UMS architecture has received improvements including support for up to 100,000 endpoint devices in a single cluster. To scale to this number and beyond, IGEL’s UMS R&D team completely re-engineered the UMS architecture with an array of improvements designed for massive scalability, including a new caching algorithm and a highly capable memory management system, to name just a couple of the enhancements.

Beyond its even greater scale, the IGEL UMS is ready for the modern global enterprise with Red Hat Enterprise Linux 8 now added to the list of supported software platforms, and support for Microsoft SQL Server Always On Availability Groups.

All this innovation underscores the impact and significance of the UMS 6.03.110 release. Legendary for its simplicity, the IGEL UMS is now ideal for any organization of any size, from the small business to the Global 500 enterprise!

Learn more about this latest UMS release here.

Don’t Fear the Zombie
https://www.igel.com/blog/dont-fear-the-zombie/
Thu, 23 May 2019 07:00:00 +0000

Processor vulnerabilities such as Spectre and Meltdown scared computer users in 2018. Now this type of weakness is back with Fallout, ZombieLoad and RIDL. Read what IGEL does to keep our customers safe.

Speculative execution is a nifty trick that modern microprocessors use to do their work faster: regardless of which branch program execution will take, the CPU has already calculated the result in advance. However, this speed increase has a security downside. Attackers can employ timing attacks and other techniques to abuse speculative execution and read data that the CPU would normally protect from them.

Confidentiality under Threat

What would that mean? On a multi-user system, one user’s program could potentially read passwords, cryptographic keys and other confidential information associated with another user’s processes on the same CPU. This threat is even worse for cloud hosting providers, where one customer might access secrets contained in a different customer’s virtual machine.

And IGEL?

IGEL OS and IGEL’s variant of Windows 10 IoT, however, are in effect not really multi-user systems. True, technically they run code under different user, administrator and system accounts – but the secret information they might contain in practice only belongs to the person sitting in front of the workstation. The fact that IGEL operating systems run from read-only system partitions further mitigates the risk that an attacker could install a snooping program on a machine. This is why IGEL rates the threat of the recent processor vulnerabilities for IGEL systems as low.

Help Is on the Way

In addition, IGEL is working on integrating Intel microcode fixes for ZombieLoad, RIDL and Fallout (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091) into our products. Our Product Security Incident Response Team has published Security Note 2019-03, announcing fixed versions of IGEL OS 10, IGEL OS 11 and IGEL Windows 10 IoT. When these are released, we will update that note, and inform our customers via blog posts and a newsletter.

IGEL Cloud Gateway Stands Up Well to Penetration Test
https://www.igel.com/blog/igel-cloud-gateway-stands-up-well-to-penetration-test/
Thu, 26 Oct 2017 07:00:00 +0000

IGEL Cloud Gateway (ICG) has withstood the hacking attempts by the IT security specialists from Swiss company Compass Security. “Based on the results of the security review conducted in August 2017, Compass Security considers the security level of the IGEL Cloud Gateway implementation as good. Analysts have not identified vulnerabilities that significantly affect the confidentiality and integrity of the customer product and their information assets,” says the report, which was completed at the end of September.

Exposed to the Internet

The Gateway is used to implement secure connections between the Universal Management Suite (UMS) inside a corporate network and endpoints outside it, e.g. in a home office or road warrior scenario. As ICG is located in the cloud or in the company’s demilitarized zone (DMZ), it could be exposed to attacks and eavesdropping attempts from anywhere on the Internet. The penetration test has proven in practice what ICG promises: secure connections that guarantee integrity and confidentiality of the data transferred.

Concept and Implementation Have Stood the Test

The testers reviewed the concept of the product, analyzed an ICG installation with tools of the trade such as Nmap, Nessus, Burp Suite and Wireshark, and finally tried their hand at manual hacking. They found no weaknesses of high criticality and only one of medium importance: UMS backup files are not encrypted. This poses a risk as they may contain confidential data such as passwords, but it cannot be exploited remotely by an Internet-based attacker. The risk can be mitigated by keeping backups in a secure storage location, possibly on an encrypted medium. In addition, IGEL is working to eliminate a few issues of low relevance in upcoming releases.

The product versions tested were IGEL Cloud Gateway 1.02.100, UMS 5.06.100 and IGEL OS 10.02.120. Read an extract of the Security Assessment report here.

Fixing KRACK with IGEL: Simple, Smart, Secure
https://www.igel.com/blog/fixing-krack-with-igel-simple-smart-secure/
Wed, 25 Oct 2017 07:00:00 +0000

A couple of days ago IGEL released security fixes for the KRACK Wi-Fi vulnerability for its IGEL OS and Windows products. As usual we have reacted fast and made out-of-band releases in order to protect our customers.

A Smart Way Of Rolling Out Fixes

However, having fixed software packages and firmware images available is only half of the battle: you need to get the fixes out to the thousands of devices running in your organisation. And here, IGEL has you covered too. Universal Management Suite is our central administration hub that makes it easy for you to download security updates and deploy them to any number of endpoints. These may be Linux- or Windows-based, IGEL devices or converted third-party hardware, and with IGEL Cloud Gateway (ICG) you even reach those in the home office or on the road. Our pen-drive sized endpoint UD Pocket gets its updates, too!

UMS makes downloading and distributing firmware updates easy.

Fast Fixes And Regular Releases

With out-of-band updates for important security issues, IGEL comes to your rescue when there is imminent danger to your endpoints. We do this on top of our regular updates that fix bugs, make improvements or even add new features. These are released roughly every 12 weeks. Subscribe to our Technical Newsletter at the bottom of this page to learn about IGEL firmware and software releases directly from us.

New Guide: Securing IGEL OS Endpoints
https://www.igel.com/blog/new-guide-securing-igel-os-endpoints/
Fri, 28 Jul 2017 07:00:00 +0000

Ransomware, data theft, industrial espionage – rarely a week goes by without another scary IT security story. Unsurprisingly, there are many security vendors that seem to say: ‘Buy our range of products, and your worries will be over’. At IGEL we know that real-world IT is not as simple as that. While IGEL OS is built on a secure Linux foundation, we understand that securing your production environment is a process individual to your organization. This is why we have published a document that will guide you through how to best secure devices running the IGEL OS. Download it here; meanwhile, here are some important pieces of advice from it:

Authentication

A locked screen, protected by a password, is often the first line of defense for a workstation when its user is absent. IGEL lets you configure local passwords, a hotkey for locking the screen and a grace period after which the screen is locked automatically. Together with our technology partners we can even lock the screen when the user removes their proximity card.

Passwords usually also protect the desktop services that are used on endpoints. Make this protection much stronger by using two-factor authentication (2FA): combining a password with a second factor such as a smartcard, e-token or RFID card. IGEL OS offers many options for this.

Less is More

The most secure code is code that isn’t there at all. In other words: Remove all software components that you do not use. IGEL OS with its modular system of partitions is ideal for this. Don’t need a local web browser? Just uncheck it in the feature list in IGEL Setup, reboot the device, and it’s not only hidden, but actually removed from the OS! Likewise, run only a minimum of network services on the endpoint — e.g. create a profile that disables everything but SSH.

Use Encrypted Network Protocols

When IGEL’s Universal Management Suite transfers settings to endpoints over the network, it uses TLS/SSL to encrypt the traffic. Most desktop services can do the same, so enable the encrypted version of the protocol wherever possible. Apart from that, you can even make your endpoint devices part of a virtual private network (VPN) that is also encrypted.

Keep Up-to-Date

New vulnerabilities are being discovered in almost all kinds of software all the time. That means a secure system can only be one that is kept up-to-date. IGEL fixes security issues in each update of its OS and publishes special builds to fix high-risk vulnerabilities when these are discovered, such as Heartbleed and Shellshock. On top of that, IGEL is in for the long haul: we provide security fixes for IGEL OS releases for three more years after their end of life.

Coming Soon

As you have seen, there are many knobs to turn in securing IGEL OS. Why don’t we turn them all on by default in the factory settings? We turn on a lot of them, but in some respects our customers’ needs differ: some may use Wi-Fi, some not; some may need USB peripherals to do their work, others will want to lock down USB completely. But IGEL is going to make things simpler: we are working on a new feature for Universal Management Suite that will let you turn on a baseline of secure settings for any number of endpoint devices easily. Stay tuned.
