Review of Data Protection Measures
Endpoint security continues to evolve, with operating system vendors and third parties offering various products and solutions. Although significant emphasis is placed on server and cloud-based solutions, a vulnerable endpoint will always exist. Our service determines whether your solution, and above all its current configuration, is effective in real-world conditions.
The service includes user-level verification of antimalware system configuration, such as EDR/XDR, content filtering at mailbox and web browser level, and, where applicable, verification of the effectiveness of Data Loss Prevention (DLP) systems during attempted data exfiltration.
Antivirus and content filtering protection
The service includes testing antivirus protection, hereinafter also referred to as AV protection, in the customer’s environment at various levels.
The EICAR.COM test file is used as the baseline sample. This is a widely recognised, harmless demonstration virus intended for testing antivirus software. The objective is to verify the effectiveness of mechanisms for detecting known viruses. For testing purposes, a set of approximately one hundred samples is prepared, including the EICAR.COM file directly, the “virus” in various archive formats such as 7Z, ZIP, RAR and TAR, nested archives, self-extracting archives, and similar variants. The set also includes a number of harmless files of various types, whose purpose is to verify whether a given potentially malicious extension is blocked.
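The sample set described above can be generated in memory with the following Python script. This is an added example, not tooling from the original service description; it uses only the standard library, so it produces the direct, renamed, ZIP, TAR and nested-ZIP variants, while 7Z, RAR and self-extracting variants need external tools and are not built here. The file names and the list of blocked extensions are constructed assumptions to adjust to the customer's policy.

```python
import io
import tarfile
import zipfile

# Standard 68-byte EICAR test string, split into two literals so that this script's
# own source file does not begin with the signature; the joined value is unchanged.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
HARMLESS = b"Plain text placed in a file whose extension is often blocked by filters.\r\n"
BLOCKED_EXTENSIONS = ("exe", "js", "vbs", "hta", "scr")   # constructed list, adjust per policy

def zip_bytes(member: str, data: bytes) -> bytes:
    # Build a single-member ZIP entirely in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, data)
    return buf.getvalue()

def tar_bytes(member: str, data: bytes, mode: str = "w:gz") -> bytes:
    # Build a single-member TAR (gzip-compressed by default) in memory.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tf:
        info = tarfile.TarInfo(member)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def innermost_zip_payload(data: bytes) -> bytes:
    # Unwrap single-member ZIPs until the payload is no longer a ZIP; used to self-check the set.
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
    return data

def build_sample_set(nesting_depth: int = 3) -> dict:
    # File name -> content: direct, renamed, archived, nested and harmless variants.
    samples = {"eicar.com": EICAR, "eicar.txt": EICAR}
    samples["eicar.zip"] = zip_bytes("eicar.com", EICAR)
    samples["eicar.tar.gz"] = tar_bytes("eicar.com", EICAR)
    samples["eicar_zip_in_tar.tar"] = tar_bytes("eicar.zip", samples["eicar.zip"], "w")
    inner, name = samples["eicar.zip"], "eicar.zip"
    for depth in range(2, nesting_depth + 1):          # depth = number of ZIP layers
        inner, name = zip_bytes(name, inner), f"eicar_nested{depth}.zip"
        samples[name] = inner
    for ext in BLOCKED_EXTENSIONS:                     # harmless content, risky extension
        samples[f"harmless.{ext}"] = HARMLESS
    return samples
```

Write each `name, content` pair returned by `build_sample_set()` to a delivery directory and send the files through the mail, proxy and workstation paths under test; any variant that reaches the user unblocked points at a configuration gap rather than at the detection engine.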
The service verifies the effectiveness of protection at several levels:
Mail server or service, including the capabilities of implemented controls at the level of antivirus, content filtering, and partially also antispam protection.
Web proxy, including proxies providing TLS inspection.
Workstations, in the context of endpoint security.
The objective is not to assess the quality of the antivirus solution itself, but rather its configuration and implementation, where a modified or renamed unwanted sample may unexpectedly reach the user.
The test is performed and evaluated manually at the customer’s premises on a typical user Windows workstation or laptop using a standard, non-privileged user account. It may also be performed remotely using webmail access. In that case, however, endpoint defence mechanisms on the employee’s computer cannot be evaluated.
Data exfiltration
Personal data or other sensitive organisational data may be present on an endpoint. It is usually undesirable for such data to be transferred to the internet. Our service maps the basic possibilities for data exfiltration and, where a DLP system is deployed, verifies its effectiveness.
We recommend complementing the test with a Windows workstation security audit, which we provide as a separate service. Both assessments can be performed efficiently at the same time; however, the audit requires a privileged account with local administrator rights.
Any questions?
If you are interested in more details, please contact us.