There is some low-hanging fruit when it comes to security that, when implemented, can make your life a little easier. But with the limited funds available to smaller IT organizations, here are some tips for getting the biggest bang for the buck.
In this blog, I've touched on the evolution of IT organizations in SMEs as the companies start growing. One of the worst side effects of this growth within an IT organization is not being able to keep up with the demands of the business. Eventually, departments tired of waiting for IT to help them start taking things into their own hands.
Consumer grade hubs, printers, external disk drives, wireless access points, and even third-party broadband connections start popping up all over the place. Sure, you may have a firewall and virus protection on all the PCs, but you'll find that there are work-arounds galore that marginalize whatever security benefit you thought you had.
Security is never 100%. The security game is all about raising the bar higher than the other guy. By making your company a more difficult target than someone else, you automatically reduce the risk of letting the hacker-wannabe inside your network and the various nastiness embodied by malware, root kits, Trojans, worms, and viruses. A determined and skilled hacker is very tough and very expensive to effectively combat and is well beyond the scope of this blog and my skills.
I've asked Reuben Moretz, CISSP, to help highlight the low-hanging fruit from a security standpoint that will reduce the risk to your company. Let's first start by outlining the basics:
1. Policies: Make sure that there are no other networks attached to the company network. Wireless access points, cable modems, or even dial-up modems should never be allowed. If the business pushes back, then you need to get the CEO involved. These devices put the company at risk, and the only one who can decide to put the company at risk is the CEO. Don't be a jerk about it, but be forceful enough so it's clear that the point is non-negotiable. This is your network. You are responsible and accountable. Additionally, work with Human Resources on a process to inform IT whenever a new employee joins the company and when an existing employee leaves the company. There have been many well-documented cases of disgruntled employees causing all kinds of problems because IT was never notified to disable that employee's user account.
2. Data: You need to understand what the company's risk tolerance is for data leakage. This is sensitive data walking out the door and either being lost, stolen, or used for purposes that could harm the company. PCs with CD burners, USB drives, external hard drives, e-mail attachments, file server access control, access to external FTP servers and social networking sites all present risks of data leakage. It's extremely important to have clear guidelines as to who has what access to what data and how that data is to be used. Just as important is accountability for upholding and enforcing these guidelines. Holding employees accountable is often difficult for minor violations, but it's important that management understands the risks that data leakage poses to a company. Use analogies, court cases, magazine articles, whatever you can to articulate the risks in a way that they can relate to.
3. Network Architecture: It's always worth the effort to get external help in designing your network and then regularly testing it. Set up firewalls and virus protection according to best practices and design a robust DMZ that can be enforced. Have annual penetration tests conducted and remediate findings quickly. Change and update password enforcement policies and require that passwords combining letters, numbers, and special characters be changed every 30 to 45 days. Remove all default administrator accounts (e.g., MS SQL Server's infamous "sa" account) and eliminate all group accounts. All accounts accessing data or resources need to be associated with a human. Batch jobs or automated monitoring accounts need to perform very specific tasks and cannot have access outside of what those accounts are designed to do.
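The account rules in the basics above (disable accounts when HR reports a departure, no default administrator or group accounts, every account tied to a human, narrowly scoped batch accounts) can be checked mechanically. The following is an added example, not part of the original post: the record layout, the account names, and every default name other than "sa" are assumptions, and the data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# "sa" is the default account named in the post; the others are assumed examples.
DEFAULT_ADMINS = {"sa", "administrator", "admin", "root"}

@dataclass
class Account:
    name: str
    enabled: bool
    owner: Optional[str]      # employee id of the responsible human, if any
    kind: str = "user"        # "user" or "service" (batch/monitoring)
    scopes: tuple = ()        # resources a service account can reach

def audit(accounts, active_employees, allowed_scopes):
    """Return sorted (account, finding) pairs for every enabled account."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts cannot be used, nothing to flag
        if a.name.lower() in DEFAULT_ADMINS:
            findings.append((a.name, "default administrator account enabled"))
        if a.owner is None:
            findings.append((a.name, "no human owner (group/shared account?)"))
        elif a.owner not in active_employees:
            findings.append((a.name, "owner no longer employed"))
        if a.kind == "service":
            extra = set(a.scopes) - set(allowed_scopes.get(a.name, ()))
            if extra:
                findings.append((a.name, "scope beyond task: " + ",".join(sorted(extra))))
    return sorted(findings)

# Constructed sample data: HR roster of current staff and a directory export.
ACTIVE = {"E100", "E101"}
ACCOUNTS = [
    Account("jsmith", True, "E100"),
    Account("mlee", True, "E207"),        # left the company, never disabled
    Account("oldtemp", False, "E300"),    # left the company, correctly disabled
    Account("sa", True, None),
    Account("frontdesk", True, None),     # shared login with no owner
    Account("svc_backup", True, "E101", "service", ("fileserver", "hr_db")),
]
ALLOWED = {"svc_backup": ("fileserver",)}  # what each batch account is meant to reach

if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS, ACTIVE, ALLOWED):
        print(f"{name}: {finding}")
```

Run against a fresh HR roster on a schedule, the same check catches the missed offboarding notice the post warns about.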
That's the baseline. According to Reuben Moretz, the following security steps will address the largest security risks while being the simplest to implement (or you get the biggest bang for the buck):
1. External access to applications. "Consider getting a commercial small business solution here, such as Sonicwall or Barracuda," said Moretz. "These have a built-in VPN solution with all the nifty security bells and whistles and it's easy to NAT as well."
2. "Make sure you have an antivirus program that can be centrally managed. You'll find that most of the larger antivirus companies have a centrally managed solution, which also includes spyware/malware protection. Having it centrally managed takes away the responsibility of updating and running scans from the user, which generally leads to the application not getting updated at all."
3. External Access to data. Having a single point of control for file transfers, automatic data feeds, etc. provides a high level of control and a high level of flexibility. "Consider setting up a Secure FTP (SFTP)," said Moretz. "It's sort of like FTP, except it uses a different set of protocols - the data is encrypted before it sends it over. Great SFTP server applications are available for the small business market." Reuben also added that some of these smaller SFTP applications need some care and feeding and that if you can afford it, find a system that will automate a lot of the administrative tasks.
Additionally, if you have remote workers or require third-party access to your data, here are some rules of thumb for managing your DMZ:
1. "The best practice for DMZ, is deny everything," said Moretz. "Make a list of what users need access to, and take that list to a networking professional. You could save some money if you have him break down a DMZ design for your network and then just pass that off to your network guy."
2. "Make sure that the minimum privileges are given - this is most often a problem in small business. It's just easier to give your users escalated privileges, even if they don't need them. I call it 'Casual Permission.' Would you leave the door unlocked to your house, even if you trusted all your neighbors? Maybe, but it would only take one instance of thievery for you to change your mind...and it may be too costly at that point."
3. Reuben also talked about areas such as reliability and usability as key elements. Not so much for security, but to ensure the systems are not too constricting to users. You can have the most secure infrastructure in the world, but if the user doesn't use it, it is all for naught.
Reuben also shared with me an interesting way to quantify the investment in the security infrastructure:
"If you need a 'quick' way to look at your risk factor, there's a simple calculation you can do, called a Quantitative Risk Analysis. It is estimated by potential losses, or SLE (single loss expectancy). The equation is: SLE = Asset Value ($) X the Exposure Factor (%) (SLE = AV X EF). The Exposure Factor is the percentage of asset loss when a threat is successful (could be a hacker, loss of data or theft). So, in essence, the SLE is the amount of damage that an asset suffers due to a single event. If a set of data on a drive is worth the cost of the drive, plus the data in that drive, let's say it's a low number, say, $10,000 of your business. The SLE = (10,000) X 25%... Now, there are a lot of potential risks to consider, the 25% exposure factor is probably on the low side - but put in a realistic number - even if it's a 10% risk of loss, the SLE is still $1,000. It's not accurate, but the equation does give you at least a ball park to start your analysis."
One of the interesting things about security and how the business perceives it is that because it's preventative, money and time can be better spent on things that can generate revenue. You start hearing things like, "it hasn't happened yet." I usually respond, "Well, on September 10, 2001, the World Trade Center was still standing."