Endpoint configuration build testing: what, why and how?

January 31st, 2022 Posted in Information Security

What is Endpoint configuration testing?

Endpoint configuration build testing is a form of cyber security test, where a suitably skilled tester assesses endpoint devices used by an organisation. The tester assesses the underlying operating systems, firmware and removable media interfaces on the endpoint device for weaknesses in their security configuration controls. These devices typically include corporate mobile phones, tablets, laptops and computers.   

Endpoint configuration assessments are necessary to identify and remediate issues relating to misconfigurations and a lack of security hardening. Common weaknesses identified in these tests include users having access to unnecessary applications, poor password policies and a lack of logging and backup settings.  

How is endpoint configuration tested? 

To perform the assessment, the tester will use a mixture of automated and manual techniques, guided by security configuration guides or specific system checklists that establish security baselines. Most commonly, these benchmarks are from the Center for Internet Security (“CIS”) and the National Institute of Standards and Technology (“NIST”). Any configuration that falls below the required security standard will be flagged for remediation.

The test can be performed remotely, with the use of virtual machines or VPN access, but is often performed in person at the office. The tester will request a sample of endpoint devices: a standard user build and one sample of any ‘special’ user builds, such as an administrator or development team build. This is because different builds will have different configurations in place in line with the needs and privileges available to the different user types, so will need to be assessed separately.  

Why is an endpoint configuration review critical?

An endpoint configuration test ensures that your organisation’s devices are secure. Manufacturers tend to release new devices with default configurations that maximise their functionality. In enterprise scenarios, these relaxed policies can lead to users having unnecessary access privileges, which can be exploited by threat actors.  

If a poorly configured device were lost, or stolen by a threat actor, this could lead to a severe security incident. Moreover, a poorly configured build might not only present exploitable vulnerabilities but may contain a “backdoor” access configuration that goes unnoticed for months.

Ultimately, the configuration of an endpoint directly influences the overarching security of the organisation. While accepting a manufacturer’s default settings may be quick and straightforward, it can lead to detrimental consequences from a security perspective. As a result, endpoint configuration reviews are a necessity in achieving a mature cyber security posture.   

Moreover, in instances where organisations have proactively adapted system configurations, configuration management is still needed. As configurations are adjusted in line with evolving operational needs, the possibility of new vulnerabilities is introduced. By enabling a third party to validate endpoint configurations, organisations can maintain a secure state.   

Lastly, for achieving certifications such as the Government Cyber Essentials Plus scheme, secure configurations are one of the five critical controls that must be addressed. This control includes building and installing security measures on endpoints to reduce avoidable vulnerabilities.  

What does testing entail?

It is difficult to discuss endpoint configuration build testing without first referencing the implementation of a configuration management programme. This will require an initial investment from the organisation to implement and develop.  

Such a programme involves creating principal policies and processes for device configurations – spanning features such as patch management and required updates. These policies and procedures can inform the baseline configurations the test compares against. In cases where a configuration management programme is not established, the tester will utilise guidance from CIS or NIST.   

Most commonly, testers will focus on the endpoint testing of two types of systems: workstations – such as laptops and computers – and mobile phone devices.   

Workstation reviews: The tester will analyse the sample workstations’ configurations against best practice guidelines to ensure that the setup is secure. The test will look at factors such as patching procedures, weak credentials, logging and auditing, firewall configurations and service permissions.

Mobile device reviews: In the case of mobile phone devices, if mobile device management (“MDM”) is set up, the security assessment will review the configurations of mobile devices against best practice guidelines to ensure MDM is deployed correctly. The tester will also look at patching procedures, poor authentication, allowlisting and blocklisting, and logging and auditing.

In both instances, the tester will use a combination of manual and automated techniques. Typically, they will use a vulnerability scanner, such as Nessus, along with manual exploitation tactics to confirm the findings and to test if there are any sophisticated ways to circumvent the policy restrictions put in place.  

How is endpoint configuration build testing performed?

An endpoint configuration build test typically occurs in four stages. In contrast to a penetration test, which analyses security from the outside-in, a build and configuration test looks at a device from the inside-out, reviewing the specific device’s configurations.

For more information on penetration testing, read our guide to penetration tests.   

Scoping: The initial step involves understanding the client’s specific needs and requirements, considering factors such as the assets to be tested, the state of configuration management within the organisation and any aims for security hardening.   

Data collection: In this step, the tester will learn more about the targets: reviewing the builds and analysing data around services and configurations.   

Build and configuration analysis: The tester will use a combination of manual and automated techniques to find vulnerabilities and instances that differ from security best practices. As noted, best practices tend to be defined using CIS baselines but can also relate to the business’ unique architecture principles, depending on security maturity.   

Reporting: Following the test, the team will put together a report of their findings to be shared with the client, often along with the option to have a debrief meeting to talk through the findings and answer any questions. The report will prioritise weaknesses based on their urgency and risk factor in line with CVE and CVSS references. It will include actionable insights for remediation.   
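The build and configuration analysis and reporting stages described above come down to comparing what was collected from each sample build against a baseline and ranking the deviations. The following is an added illustration, not code from the original article or from any benchmark: a small Python engine that evaluates a collected configuration against a hardening baseline and returns findings ordered by severity. The baseline entries, their identifiers (PATCH-01, AUTH-01 and so on), thresholds and severities are constructed for the example and only modelled on the areas a CIS- or NIST-style benchmark covers; the two sample builds (a standard user build and a developer build, mirroring the article's advice to test each build type separately) are likewise constructed. A setting that was not collected is reported as a failure until it has been verified, which is how a reviewer avoids silently passing a control that was never checked.

```python
"""Baseline comparison for an endpoint configuration build review.

Added example: compares collected endpoint settings with a constructed
hardening baseline and reports deviations ranked by severity. Check ids,
thresholds, severities and sample builds are all constructed for this
illustration and are not taken from any real benchmark.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
MISSING = object()  # sentinel for a setting the collection step never gathered


@dataclass(frozen=True)
class BaselineCheck:
    check_id: str                      # constructed id, not a benchmark reference
    setting: str                       # key in the collected configuration
    description: str
    severity: str
    passes: Callable[[Any], bool]      # returns True when the observed value is acceptable


@dataclass(frozen=True)
class Finding:
    check_id: str
    build: str
    setting: str
    observed: Any                      # None when the setting was not collected
    severity: str
    description: str


# Constructed baseline covering the workstation review areas listed in the
# article: patching, credentials, logging/auditing, firewall, service
# permissions and removable media.
BASELINE: List[BaselineCheck] = [
    BaselineCheck("PATCH-01", "days_since_last_patch",
                  "Security updates applied within 30 days", "high",
                  lambda v: v is not None and v <= 30),
    BaselineCheck("AUTH-01", "min_password_length",
                  "Minimum password length of 14", "high",
                  lambda v: v is not None and v >= 14),
    BaselineCheck("AUTH-02", "account_lockout_threshold",
                  "Account lockout after at most 10 failed attempts", "medium",
                  lambda v: v is not None and 0 < v <= 10),
    BaselineCheck("LOG-01", "audit_logon_events",
                  "Logon success and failure auditing enabled", "medium",
                  lambda v: v == "success_and_failure"),
    BaselineCheck("FW-01", "firewall_profiles_enabled",
                  "Host firewall enabled for all network profiles", "high",
                  lambda v: isinstance(v, dict)
                  and all(v.get(p) for p in ("domain", "private", "public"))),
    BaselineCheck("SVC-01", "services_writable_by_users",
                  "No service binaries writable by standard users", "high",
                  lambda v: v == []),
    BaselineCheck("MEDIA-01", "removable_storage_allowed",
                  "Removable storage write access blocked", "low",
                  lambda v: v is False),
]

# Constructed sample data standing in for what the data collection stage
# would gather from one device of each build type.
SAMPLE_BUILDS: Dict[str, Dict[str, Any]] = {
    "standard-user": {
        "days_since_last_patch": 12,
        "min_password_length": 8,
        "account_lockout_threshold": 0,          # lockout disabled
        "audit_logon_events": "success_only",
        "firewall_profiles_enabled": {"domain": True, "private": True, "public": False},
        "services_writable_by_users": [],
        "removable_storage_allowed": True,
    },
    "developer": {
        "days_since_last_patch": 45,
        "min_password_length": 14,
        "account_lockout_threshold": 5,
        "audit_logon_events": "success_and_failure",
        "firewall_profiles_enabled": {"domain": True, "private": True, "public": True},
        "services_writable_by_users": ["C:\\Tools\\agent\\agent.exe"],  # constructed path
        # "removable_storage_allowed" deliberately absent: not collected
    },
}


def evaluate(build: str, config: Dict[str, Any],
             baseline: List[BaselineCheck]) -> List[Finding]:
    """Return every baseline deviation for one build, highest severity first."""
    findings: List[Finding] = []
    for check in baseline:
        observed = config.get(check.setting, MISSING)
        if observed is MISSING:
            findings.append(Finding(check.check_id, build, check.setting, None,
                                    check.severity, check.description
                                    + " (setting not collected; failed until verified)"))
        elif not check.passes(observed):
            findings.append(Finding(check.check_id, build, check.setting, observed,
                                    check.severity, check.description))
    # sort is stable, so checks keep baseline order within one severity level
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, which is what a report's summary table needs."""
    counts = {severity: 0 for severity in SEVERITY_ORDER}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


if __name__ == "__main__":
    for build_name, config in SAMPLE_BUILDS.items():
        results = evaluate(build_name, config, BASELINE)
        print(f"{build_name}: {summarise(results)}")
        for f in results:
            print(f"  [{f.severity.upper():6}] {f.check_id} {f.setting}={f.observed!r}: {f.description}")
```

Running the block prints the two builds' findings in priority order; in practice the collected configuration would be produced by whatever tooling gathered the settings, and each baseline entry would carry the real benchmark reference so the report can cite it.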

Should my organisation conduct an endpoint configuration build test?

Most organisations will benefit from conducting one of these tests. In large organisations with many users, these tests are integral to minimising the potential attack surface.  

The more users there are, the more critical it is that configurations follow best practices. That said, standardised builds are often less common in smaller organisations, which heightens the probability of misconfigurations.   

For these reasons, we advocate organisations conduct these tests urgently to ensure they have a secure baseline for their endpoints. After this, we recommend performing the test again if there are any significant structural changes in the organisation or significant technological changes to the device estate and then, every other year as best practice.   

Additional resources

If you are interested in learning more about secure configuration best practices, we recommend reviewing the Government’s Cyber Essentials Scheme. This contains five basic controls designed to help organisations achieve a solid security baseline. As mentioned, one of the controls is secure configuration. It provides guiding principles for implementing a configuration management programme within your organisation.  

We have written a detailed guide on Cyber Essentials to help you understand more about the scheme. Furthermore, it’s worth noting that a step above Cyber Essentials is Cyber Essentials Plus – a certification that solidifies an organisation’s security best practices.   

View our Cyber Essentials service page to find out how we can help you achieve Cyber Essentials Plus certification.

Need help?

Our CREST-approved, experienced consultants can assess configuration security for laptops, workstations, servers, firewalls and network devices. We’ll compare your configurations to industry and vendor recommendations. If you need a quote, example reports, or just want some advice, we’d be pleased to help.

Contact us

Written by Alex Harper

Alex is a senior security consultant, specialising in security testing of IT infrastructure, web applications and mobile applications. He started his career as a software developer before moving into ethical hacking and security consulting. His qualifications include Cyber Scheme Team Leader (CSTL), Offensive Security Certified Professional (OSCP) and Qualified Security Team Member (QTSM).