This first posting is going to address some of the myths about security and small to medium-sized businesses so let's get right down to business.
Myth 1: My business is too small to be targeted.
This often (but not exclusively) comes up when discussing security with organizations that have only a few employees. The thought is that "hackers" will target big companies and will ignore small ones. This seems to make sense. Big companies have more to steal, they have a larger footprint and they are far more well known. This, however, assumes that all attackers are intentionally targeting their victims - a fact that is not always true. There are plenty of "target of opportunity" attackers out there. Viruses and worms, for the most part, don't care who they infect and if an attacker finds your vulnerable system during random scanning of the Internet, they will be happy to compromise you. Making things worse, your users are browsing the Internet, taking advantage of wireless hot spots at airports, hotels and Starbucks and placing their laptops behind Best Buy purchased broadband routers with the default configuration when they work from home. All of these put your users and your organization at risk. Some studies have shown that a random computer gets compromised if placed unprotected on the Internet after 15 minutes. There are 96, 15-minute blocks per day, 672 per week and 34,944 per year. That's a lot of time for a compromise to happen.
Myth 2: I don't have anything of value so there's no reason I'd be compromised.
This statement simply highlights some misunderstandings or ignorance about what is considered valuable. To a bad buy hacker, any business is ripe with valuable targets. They want your processing power, Internet bandwidth and hard drive space for storing and distributing porn, stolen credit card numbers and other contraband. They also want your systems to use as Spam relays and bot-net zombies.
More personally, employees have access to bank accounts (corporate and personal), Facebook accounts and and even World of Warcraft. Recently, a "friend" on Facebook contacted me via Facebook IM stating that he got mugged outside his hotel in London and that he needed money to get home. His account had been compromised. I didn't send any money but how many people would have - particularly if it was a close friend. I'll also admit to the fact that I had a World of Warcraft account (yes I'm a nerd) that I stopped using for around a year or so get compromised. These things happen all the time.
Finally, bad guy hackers also want personal information such as names, addresses and social security numbers. Identity theft is real and can create havoc in the lives of the victims. And if you think that one of your employees suffering identity theft has nothing to do with you business, wait until it happens and see how their performance and productivity are affected.
Myth3: I have a firewall and anti-virus so I'm secure.
This myth was not limited to the SMB space until fairly recently. This was a common belief until significant, publicized breaches and comprehensive regulatory requirements swayed many large (and regulated) organizations over to a more comprehensive security program mentality. Unfortunately, it still rings true for many organizations. It is, in fact, quite false for a number of reasons. First, the fact is that anti-virus technology is not perfect. Every time testing is done, testers find that some AV products catch some malware and some miss. I've not seen any solid statistics but the number that rings fairly true is that the average AV product is between 60 and 70% effective. Anti-virus is not the answer (although it is part of the answer).
Firewalls are even more of a problem. In the past firewalls were set up to block all inbound traffic and that was good. Then organizations decided it would be a good thing to receive email and host web sites - and holes were created in the firewall. Then organizations went from web sites to mission critical web applications and more holes were created. Today, it is not uncommon to find firewalls with dozens or ports and protocols allowed in, each and every one of which represent a risk. Making things worse, most firewalls are configured to block (at least some) inbound access but to allow all outbound access. This means that users all allowed to establish outbound connections to any IP address on the Internet using any port - and the firewall will allow the responses back in. All an attacker need to do is trick one user into opening a file, click on a link or visit a malicious site and your firewall is now, effectively useless.
Myth 4: Small businesses have simple IT environments.
This isn't something that people often say but rather something that people often assume. Along with that assumption is that security is, as a result, easy. While this may be the case for some organizations, it is not uncommon for even fairly small organizations to have VoIP phone systems, virtualization, wireless, storage (either SAN or NAS), wide area network connections, VPN (site-to-site, IPSec and SSL) tunnels and Active Directory (or other LDAP). These are complex and sophisticated technologies that each bring with them a unique set of security concerns. Particularly in smaller organizations, knowledge of these security risks and the skills necessary to address them is not available making security all the more difficult.
Summary
We've discussed some of the myths about security for small to medium-sized businesses. Hopefully, it is fairly obvious that in the SMB space, while organizations may have fewer employees, they require every bit as sophisticated a security program as their larger counterparts. Consider the following:
- A collections company that maintains a database with the personal information of over 11 million people including, in some cases, credit card and bank account data
- A private equity fund company that manages over $3 billion in assets
- A web application development company that focuses on providing health care data to pharmaceutical companies
- A business that provides data center services to credit unions
The question faced by these organzations, and by may others is how can we achieve these security goals with minimal staff, minimal budget and minimal resources. That is the question that will be answered by upcoming postings. In future postings we will discuss each of a variety of security topics and how they can be addressed by the average SMB. We'll be discussing the following:
- VoIP – network design, 802.1x & NAC
- IDS/IPS
- Endpoint - anti-malware, encryption, application control (blacklisting/whitelisting), integrity verification
- Smart phones
- Network design
- Web app vulnerability scanning, web app firewall
- Firewalls and VPN
- Authentication – user provisioning, good passwords, tokens, rights assignment, admin rights
- SEIM/Central Monitoring
- Network Device Hardening
- Active Directory – design, GPO
- Vulnerability Scanning, Patch Management
- Virtualization
- Wireless network design, authentication/802.1x/WPA2, etc.
- Wireless client attacks, bluetooth, keyboards, etc.
- Wireless IDS
- Data Leakage Protection
- Media Sanitization
- Data Classification, Risk Assessment, Security Awareness, Acceptable Use, Incident Response, Change Control
- Physical Security
- Regulatory Compliance, Policies
Posts
No comments:
Post a Comment