Small Business Does Not Mean Small Security
Published: June 26, 2012
Author: Stewart Cawthray, Microsoft MVP - Enterprise Security
You have worked hard to build your business. You have invested in technology, hired knowledgeable staff, and carved a niche in your market. Your business may be smaller in size, but that does not mean you need to protect it any less than a large enterprise. Security is just as important to the small and medium business as it is for the large enterprise. The difference is that even a small security breach or incident can have major impact on a small and medium business.
IBM's X-Force Security Research declared 2011 as the year of the breach. Companies of all sizes suffered attacks which resulted in breaches and loss of information, money, and, worst of all, reputation. What can you as a small or medium business owner do to protect yourself when even the big enterprises are falling victim to this increasing onslaught?
The answer is: Focus on the basics!
Security breaches, for the most part, are not the elaborate hacks we see in movies and TV. Most attackers use simple and non-flashy methods to penetrate a company’s system and information. There is no reason to pick a lock when the door is left open. As a result, by focusing on some basic security practices, you can dramatically increase the difficulty for a potential attacker and reduce their chances of being successful. Most likely, they will move on to easier targets.
The security basics I am going to discuss in this article are not specific to small or medium businesses; they are the same principles I recommend to my financial, government, and large enterprise customers: protecting endpoint systems and data, managing identity and access, promoting user awareness, and monitoring log files.
These activities can be implemented by a business of any size in any industry and will significantly reduce an attacker's ability to compromise and breach your systems and data. You would be surprised how many companies do not implement these basic principles effectively.
Protect Endpoint Systems and Data
I have often referred to this activity as the “3 rules” or “golden rules” of information security. The endpoints are the servers, workstations, laptops, and mobile devices on and from which you store and access data. The most common method of attack on endpoints is to install malware, such as a virus or a Trojan, which the attacker can then use to exploit a vulnerability that gives them remote access to the system. You can protect your endpoints by keeping all software, both operating systems and applications, up to date and patched. This is important because software vulnerabilities are discovered every day and can be used by attackers to plant malware or elevate their access once they have made their way into your systems.
It is important to note that all operating systems have vulnerabilities; no vendor is exempt. So if you think that running your business on Linux or a Mac operating system is keeping you protected, that is not necessarily the case. Patch management is critical for all operating systems and applications. The patching of applications is often even more important because, in many cases, it is forgotten. Attackers can use a flaw in a small application just as easily as a flaw in a major line-of-business application. Don’t leave the door unlocked.
Now that your operating system and applications are patched, you need to ensure that you use an antivirus program and that you keep that program, and its definitions, up to date. Malware, such as a virus, is the most common method of exploiting vulnerabilities, so detecting malware and preventing it from functioning is the most practical way to protect your systems against this threat.
Like patch management, malware protection is not a concern restricted to Microsoft environments. In fact, malware is on the rise in non-Microsoft environments. Malware writers develop malware that will impact as many systems as possible to increase their chances of success. Until recently, Microsoft's dominance in the operating system market meant its platforms were the target of choice. Now, as Microsoft users are more knowledgeable about protecting against malware and the tools available to protect against it are better, attackers are finding this a more difficult environment to penetrate. Non-Microsoft environments have not been the strong focus of attackers in the past and, as a result, do not have the same tools available. This makes them a tempting target. Use an antivirus program on your systems regardless of which operating system you run.
The last of the “golden rules” is to use a personal firewall on your endpoints. A personal firewall is a software application that monitors and controls the connection points available on your system. If you are not running a web server, there is no reason for your system to be listening on web channels.
Personal firewalls used to be cumbersome and difficult to use effectively. You needed to understand network addressing, ports, and port ranges to allow applications to communicate properly. These tools, especially on the Windows platform, have become easier to manage and control, often requiring little more than knowing the name of the application to allow it to communicate. Personal firewalls reduce the attack surface visible to attackers. In other words, a locked door is good, but hiding the door altogether is even better.
Implementing these “golden rules” of information security will make it harder for attackers to access and exploit your systems, making them move on to easier targets.
Focus on Identity and Access Management
Restricting access to your systems and data to authorized users only is a basic security practice for companies of all sizes. If you do not know who has access to your data, you don’t know what they are doing with it. Each user should have a unique account, protected by a strong password, that only he or she uses to access systems and applications. Shared or common accounts reduce accountability and, therefore, security. Tools like Microsoft Active Directory make it easy to access multiple systems and applications with a single account and password. This makes life easier for your users.
A user account is only useful if it is protected with a strong password. Simple passwords are easy to remember but also easy to guess or crack. The tools exist today to crack passwords with minimal computing power and time. To increase the strength of your passwords, they should be at least 8 characters in length and contain a mix of upper and lowercase letters, numbers, and special characters. If possible, they should not be based on dictionary words. Once your passwords are strong, they need to be kept fresh. Requiring users to change their passwords regularly (for example, every 30-40 days) will provide protection if a password is accidentally disclosed.
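The password policy just described (minimum length, character mix, no dictionary words, rotation within the 30-40 day window), written out as a checker. This is an added example, not code from the article; the word list and the 40-day cutoff are constructed values for illustration.

```python
import re
import string
from datetime import date, timedelta

# Constructed mini word list for the example; a real check would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "business"}

MIN_LENGTH = 8      # minimum length stated in the article's policy
MAX_AGE_DAYS = 40   # upper end of the article's 30-40 day rotation window (assumed cutoff)


def check_password(password: str, dictionary=COMMON_WORDS) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Dictionary check on the alphabetic core, so "Password1!" is still caught as "password".
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in dictionary:
        problems.append("based on a dictionary word")
    return problems


def password_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation window and must be changed."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for candidate in ("summer", "Password1!", "Tr4ck-Wr3nch!"):
        print(candidate, "->", check_password(candidate) or "OK")
    print("expired:", password_expired(date(2012, 5, 1), date(2012, 6, 26)))
```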
In addition, users need to understand that the secrecy of their user accounts and passwords is critical to ensure the protection of your systems and data. User awareness of security is an effective and strong security tool.
Promote User Awareness
User awareness is the education of users, customers, and partners around security issues that are related to your environment. Awareness training can range from posters informing users of different security practices to actual training courses that users view online or attend in person. Many large enterprises use online training videos and quizzes to relay important security topics to users.
You should also have users take security training annually so that any changes to your security practices are communicated regularly. User awareness training should cover major security policy items such as password strength and privacy requirements, physical security items such as laptop and mobile device security or building access, and security threats such as phishing, malware, and social engineering.
Monitor Your Log Files
Finally, monitoring log files is an often overlooked activity in most companies. Information systems use log files to record activity—everything from startup and shut down activities to records on when users attempted access and what they accessed. This information can be very helpful in identifying security breaches or attempted breaches, but you can only use the intelligence in your log files if you monitor them.
How you perform log monitoring will depend on how many log files you need to review. It could be as simple as reviewing the Windows Event Viewer entries or UNIX syslog on a regular basis, or as complex as using a security information and event management (SIEM) system to centralize and automate log analysis. You will need to look at your environment and determine what method will work best for you and your company. Among the logs that should be reviewed regularly are system logs, access and application logs, network firewall and IDS/IPS logs, and antivirus logs. These logs contain a lot of intelligence that can help you determine if you are under attack or have been attacked.
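One simple form of the access-log review described above: parse UNIX syslog authentication entries, count failed logins per source, and flag sources that fail repeatedly and then succeed. This is an added example, not from the article; the log lines, hostnames, addresses and the threshold of 3 are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of syslog lines in the format sshd writes; not from any real system.
SAMPLE_LOG = """\
Jun 26 08:01:12 fileserver sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jun 26 08:01:15 fileserver sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Jun 26 08:01:19 fileserver sshd[4023]: Failed password for root from 203.0.113.45 port 51024 ssh2
Jun 26 08:01:24 fileserver sshd[4025]: Failed password for root from 203.0.113.45 port 51025 ssh2
Jun 26 08:01:31 fileserver sshd[4027]: Failed password for jsmith from 203.0.113.45 port 51026 ssh2
Jun 26 08:01:40 fileserver sshd[4029]: Accepted password for jsmith from 203.0.113.45 port 51027 ssh2
Jun 26 08:05:02 fileserver sshd[4101]: Failed password for jsmith from 192.168.1.20 port 40011 ssh2
Jun 26 08:05:30 fileserver sshd[4103]: Accepted publickey for jsmith from 192.168.1.20 port 40012 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

FAILURE_THRESHOLD = 3  # constructed threshold; tune to your own environment


def parse_auth_events(log_text: str) -> list:
    """Extract result/method/user/source from each sshd authentication line, in log order."""
    return [m.groupdict() for line in log_text.splitlines() if (m := AUTH_RE.search(line))]


def find_suspicious_sources(events: list, threshold: int = FAILURE_THRESHOLD) -> dict:
    """Report sources with >= threshold failures, the usernames tried, and any later success."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    success_after_failures = {}
    for ev in events:
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
            users_tried[src].add(ev["user"])
        elif failures[src] > 0:  # a success following failures from the same source
            success_after_failures[src] = ev["user"]
    return {
        src: {"failures": count, "users_tried": sorted(users_tried[src]),
              "success_after_failures": success_after_failures.get(src)}
        for src, count in failures.items() if count >= threshold
    }


if __name__ == "__main__":
    for src, info in find_suspicious_sources(parse_auth_events(SAMPLE_LOG)).items():
        print(src, info)
```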
You can see, from the activities I have discussed in this article, that the standard security practices for a small and medium business are not far from those utilized by large enterprises. Perhaps the most important practice, however, is that you think about security and act to improve it. When we think about security, we eliminate the number one thing attackers are counting on—lack of awareness and proactive protection.
About the Author
Stewart Cawthray is a Senior Security Architect and Strategist with IBM Global Technology Services. He is responsible for defining end-to-end IT security solutions for IBM’s enterprise customers. He has over 18 years’ experience in information technology ranging from product management and consulting to threat management and penetration testing.