A Compliance Research Group
White Paper
A Guide To SMB Network Security Compliance Research Group(1)
A guide to IT security for IT & staff in SMB organizations.
Network Security: A Guide for Small-Medium Businesses
Jim Hietala, Principal, Compliance Research Group (CISSP, GSEC, GCFW)
303.495.3123 | www.complianceresearchgroup.com
Sponsored by:
February 6, 2008
Contents

Introduction 2
Small-Medium Businesses and Network Security 3
Network Security 101 4
Threat and Attack Trends 7
Where Should an SMB Start? 8
Top 10 actions to take to create a more secure network 8
Conclusion 13

A summary of key actions that are recommended for SMBs is as follows:
• Model the threats to your business, and perform a security risk assessment
• Develop an information security policy, and educate your users
• Design a secure network, implement packet filtering in the router, implement a firewall, and use a DMZ network for servers requiring Internet access
• Use anti-virus software, both at the gateway and on each desktop
• Use only operating systems that have adequate security baseline capabilities
• Know your network, harden systems by removing unnecessary applications, and maintain an aggressive program of patching operating systems and applications
• Use personal firewalls, particularly on laptops used by mobile users
• Use strong authentication
• Develop a computer incident response plan
• Get started!

Introduction

The objective of this paper is to educate both IT staff and senior management of small-medium sized businesses (SMBs) as to the network security threats that exist. The paper presents a digest of industry best practices for network security, which will hopefully assist SMBs in setting priorities for securing the perimeter of a typical SMB network.

The security industry does a good job of publicizing security threats on a continual basis. However, much of what we read in the press contains little if any context associated with each new security threat that can assist senior management or IT staff of SMBs in determining which threats to address, and in what priority order. This paper will seek to bridge this gap by providing guidance to companies who, faced with the seemingly impossible and endless task of securing their network, need help deciding where to start and where to focus: what to do first, second, third, and so on, among the myriad of information security threats that are out there, and possible solutions.
Small-Medium Businesses and Network Security

Market research firm Penn, Schoen & Berland defines small-medium businesses as being those with less than 1,000 total employees[i]. For many SMBs, their perception regarding risk of attack is a significant problem in itself. A recent poll by the National Cyber Security Alliance showed that "More than 30% of those polled ...think they'll take a bolt of lightning through the chest before they see their computers violated in an Internet attack"[ii].

These businesses evidently believe that they are either too small to be targeted, or too obscure. Or they perhaps believe that they are working in an industry that wouldn't attract attacks because their data is not high-value intellectual property, or sensitive proprietary data, etc. What these businesses are failing to realize is that in the Internet era, with always-on connections providing easy access for mass, indiscriminate attacks, a business or organization does not have to be a target to be a victim!

Some of the factors that make SMBs susceptible to mass attacks include the fact that they tend to be pretty homogeneous in terms of their computing infrastructure. According to Gartner[iv], 90% of SMBs are running Windows on their servers, 80% are using Outlook and Exchange as their e-mail clients and servers, and 70% are using SQL databases. In addition, SMBs typically lack the specialized, dedicated, and highly trained security staff that can address IT security. Unlike the situation at large IT organizations, where there is likely to be a significant staff whose sole responsibility is securing the IT environment, at most SMBs security is likely to be a part-time responsibility for someone on the IT staff.

Gartner research indicates that more than 60% of midsize businesses in North America do not have a dedicated resource to manage security. The situation at small businesses is undoubtedly even worse.

With the proliferation of worms and viruses on the Internet, there is a very high probability that a typical small-medium business will experience an attack. Some very well publicized attacks that were indiscriminate mass attacks include Nimda, Code Red, SQL Slammer, and Blaster, all of which spread rapidly throughout the Internet, and none of which spared SMBs. In fact, SMBs may be more susceptible to mass attacks as compared to larger businesses. A case in point is the Mydoom virus (and its many offspring variants), which initially launched in January 2004, and quickly affected one in three small businesses, versus only one in six large enterprises[iii].

The regulatory environment is increasingly mandating that businesses of all sorts tighten their security. In industries such as health care and financial services, government regulations (for example HIPAA and GLBA) are forcing affected organizations to enhance their network security and tighten access to personal information. A new law enacted by the State of California, SB1386 (effective July 1, 2003), has implications for SMBs in any industry, and it applies to any business (located anywhere) that sells products or
services to California residents. It essentially requires companies that experience a breach in information security to disclose this fact to their customers. A breach is defined by SB 1386 as one in which the confidential personal data of the customer is exposed. Legal experts believe that the bill will open up firms experiencing such a breach to possible class action lawsuits. In addition, since the passage of SB 1386, over thirty other states have passed similar legislation.

Clearly, all businesses need to maintain adequate security, and just as clearly, SMBs are not immune from the security issues that exist in today's interconnected world.

Network Security 101

In order to understand the IT and network security environment, and how best to deal with it, it is necessary to define some terms, and describe the kinds of threats and security solutions that exist today. This is not intended to be an exhaustive list, but rather a "plain English" description of the most common terms.

Vulnerabilities - Vulnerabilities are known (or newly found) security holes that exist in software. An example is a buffer overflow, which occurs when the developer of a software product expects a certain amount of data, for example 20 bytes of information, to be sent at a particular point in the operation of a program, but fails to allow for an error condition where the user (or malicious attacker) sends a great deal more data, or unexpected (perhaps special) characters. Vulnerabilities can exist in software running on PCs, servers, communications equipment such as routers, or almost any device running software. Not all vulnerabilities are created equal: some will cause the program affected to crash (which can lead to a denial of service condition on the affected system), or cause a reboot, or in the worst case, they can allow the attacker to gain root or administrative access to the affected system. Upon discovery of a vulnerability, the software vendor will (hopefully quickly) develop a fix, or software patch, and make it available to users of the software. SANS maintains a list of the Top 20 most critical vulnerabilities that is very useful in ensuring that the highest priority vulnerabilities are addressed.[v]

Exploits - When vulnerabilities are found in software, the hacker community will frequently attempt to develop attack code that takes advantage of the vulnerability. This attack software is called an exploit, and exploit code is frequently shared among hackers, as they attempt to develop different sophisticated attacks.

Threats or attacks - One useful way to categorize security threats or attacks is to look at the intent: a directed attack is one aimed at a single company, for example a company attempting to hack into a competitor's network. A mass attack is usually a virus or worm that is launched onto the Internet, and that replicates itself to as many systems as possible, as quickly as possible. Attacks may come from outside of a company, or a company insider may carry them out.

Viruses - Viruses are generally carried within e-mail messages, although they are
anticipated to become a security problem for instant messaging traffic as well. Users unknowingly cause the virus to execute as a program on their system when they click on an attachment that runs the virus program. Virus writers go to great lengths to disguise the fact that the attachment is in fact a virus. They also attempt to spread by using all of the e-mail addresses that they can find on an infected system to send themselves to. An example of a well-known virus is the Bagle family of viruses (there have been many versions of this virus). These viruses contain their own e-mail server, so that they can replicate by sending e-mail to all mail addresses that they harvest from the compromised system.

Worms - An example of a worm is the Blaster worm, which rapidly spread through the Internet in August 2003. Blaster targeted computers running Windows operating systems, and used a vulnerability in Remote Procedure Call (RPC) code. Blaster affected computers running the Windows 2003 operating system, Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, and Windows XP. After compromising hundreds of thousands of systems, Blaster launched a distributed denial of service attack on a Microsoft Windows update site.

Trojan horses - As the name implies, these are software programs that are put onto target systems (whether by a direct hack, or as the result of a virus or worm) that have a malicious intent. The Trojan can capture passwords, or provide root access to the system remotely.

Denial of service attacks (DoS) - A denial of service attack attempts to put the target site out of operation, frequently by flooding the site with bogus traffic, thus making it unusable. The attacker attempting to create a denial of service condition will oftentimes try to compromise many PCs, and use them to "amplify" the attack volume, and to hide his or her tracks as well. This is called a Distributed Denial of Service Attack (DDoS). Denial of service attacks have now become a popular criminal activity. In an online form of the "protection racket" (pay us some protection money or we'll ruin your business), computer criminals have taken to using denial of service attack methods to put online businesses out of business, at least temporarily, and to then demand money from the target. This sort of cyber extortion attack has been used by hacker rings operating out of Eastern Europe, and has caused significant disruptions to online bookmakers and gambling sites. Any business that depends on online ordering for a significant portion of its revenues is susceptible to this sort of attack. Denial of service attacks have also been used to try and put competitors out of business. In a case that surfaced in August 2004, a satellite TV dealer hired hackers to mount DoS attacks on the websites of his 6 primary competitors, causing them over $2M in lost revenue. Denial of service attacks are very hard to effectively protect against.

Spam - Spam is not a security threat per se, but spam techniques are increasingly being used to deliver malicious software. Spam can also be used to launch "phishing" attacks, which attempt to elicit confidential personal information (bank account information, credit card information, etc.) as a means to steal identity, or cause financial harm.
Some of the more common and popular security industry solutions are described below.

Routers - Routers are perhaps not generally thought of as "security solutions"; however, most routers today provide packet filtering capabilities, and they can be used to enhance the security of most networks. In addition, there are certain security tasks that are best performed on the router in order to optimize the performance of the overall network, and to reduce the processing load on a firewall.

Firewalls - Firewalls are a fundamental network security solution. Firewalls are used to restrict inbound and outbound network access to only traffic that is allowed by the security policy of the organization. For example, an organization that does not maintain a publicly accessible webserver on their company LAN can use a firewall to define and enforce a security policy that allows outbound web access for employees, but that blocks any inbound webserver access attempts (HTTP protocol, port 80 access) at the firewall.

Anti-virus software - Anti-virus (AV) software is used to scan e-mail messages looking for defined viruses, which show up as known signatures that the software recognizes as a virus. AV solutions can be implemented on each desktop, or they can be implemented as a gateway or e-mail server function, where all incoming messages are scanned before being delivered to the recipient. Best practices for preventing viruses on a corporate network call for both desktop and gateway or server AV to be implemented, to ensure that laptops that plug into the LAN cannot corrupt systems "behind" the AV gateway. It is important that both types of AV software are kept up-to-date, as new viruses are found on a very frequent basis.

Virtual Private Networks - The ubiquity and low cost of Internet connections have created a requirement to use the Internet for private company communications, replacing more expensive private networks (frame relay, and private line networks). Virtual Private Network (VPN) technology was developed to allow the Internet to be used in a private manner, with all data between company locations or endpoints being encrypted. VPNs provide privacy for the data while it is in transit across the Internet. VPNs do not secure endpoints from other sorts of attacks, however. And from a security standpoint, VPNs actually extend the corporate network to remote locations. The notion that the network is only as secure as its weakest link is worth bearing in mind when implementing VPNs, as the weakest link may become the executive's home PC which has a VPN connection to headquarters, or the salesperson's laptop which is equipped with a VPN connection for remote access, or the business partner's LAN that is equipped with a VPN connection to allow sharing of information. Another way to think about this is to acknowledge that the actual network perimeter to be secured extends to all systems that are provided with VPN access, not just those on the local LAN.

Intrusion detection/prevention systems - Intrusion detection (IDS) and intrusion prevention (IPS) systems are products that can analyze certain types of traffic, and determine whether the traffic is legitimate traffic, or if the traffic matches a known pattern indicating that it is attack traffic.
An example might be web (port 80) traffic, which a firewall would hypothetically be configured to allow. An IDS system can look at the traffic, and determine that the traffic is actually a NIMDA attack, and not valid user traffic, based upon the pattern. An IDS product will alert on invalid traffic, while an IPS product will block the offending traffic. IDS/IPS products come in two configurations: they are implemented either as a network device analyzing traffic on the local LAN segment, or as software implemented on a specific host that looks at traffic on that host only.

Spam filtering - Spam filtering can be implemented on the e-mail server, or on a separate appliance sitting between the Internet and the mail server. There are many techniques that can be used to try and identify spam, and generally the goal is to eliminate as much as possible false positives (legitimate mail misclassified as spam), while also eliminating false negatives (spam that slips past the spam filter). A category of spam that is more ominous than most is what are known as "phishing" attacks. These are generally mass messages that are cleverly crafted to look like legitimate mail from a bank or online merchant, that request the recipient to verify some confidential personal information, usually including account data. Unsuspecting victims who actually respond, and provide their personal information, oftentimes end up the victim of identity theft, or some sort of financial fraud. Implementing a spam filter will help to improve the security posture of a company, and it will also help to improve the productivity of the company.

Threat and Attack Trends

The trends regarding threats and attacks have gotten significantly worse over time. Some key trends:

- The time lag from when a vulnerability is found and publicly identified, and an exploit becoming available or an attack being launched, has decreased significantly in the past few years. This heightens the need to quickly test and implement software patches that address new vulnerabilities, so as to close the security holes as soon as is possible.

- SANS/Internet Storm Center publishes a statistic regarding the average length of time that a fresh (unpatched) system lasts on the Internet before being scanned or attacked. The latest data available indicates that this time has dropped from 40 minutes to 18 minutes in the last 15 months.[vi] This suggests that with all of the various "mature" attacks still floating around the Internet, it is critical to patch new systems immediately upon putting them into service, to avoid being compromised.

- As to the future of attacks, experts have theorized that new attacks will become polymorphic, that is, they will change their code and attack methods over time so as to avoid detection by anti-virus software, and intrusion detection and prevention systems. In addition, a fascinating study looked at techniques that future attacks might use to more quickly propagate throughout the Internet. By pre-scanning for vulnerable systems, and creating a "hit list" of these servers, the study postulates that new worm
variants dubbed "flash worms" will be able "to infect almost all vulnerable servers on the Internet in less than thirty seconds".[vii] This is significantly faster than previous worms such as Code Red and NIMDA, which required 20+ hours to propagate widely through the Internet. The emergence of this sort of threat will mandate that organizations of all sizes pay very close attention to their perimeter security, and to what traffic their firewall should allow in.

Where Should an SMB Start?

It is always dangerous to generalize about what specific set of actions should be taken to enhance security. Each SMB's network and IT situation will be different, with varying levels of sophistication, different types of computers, operating systems, applications, and different access requirements.

However, we are making the following assumptions about an average SMB's Internet and IT infrastructure and use:
• They will have an always-on Internet connection, and in addition,
• A mail server hosted onsite,
• A web server hosted onsite,
• A number of Internet users onsite,
• A file server and/or database with proprietary customer and other business information.

Given this set of assumptions, there are a number of actions outlined below that will dramatically enhance the security of the SMB's network. Vendor hype to the contrary, there is unfortunately no "silver bullet" in IT and network security. Creating a secure network is only achieved by understanding the nature of the threats that are being faced (and the threat environment is constantly changing), their potential impacts to the business, and by taking those actions that are most likely to address the highest risk threats. It is also important to note that security is not a one-off project or exercise. It is probably best thought of as an iterative process: as the threats change, and the IT needs change, new security threats will need to be assessed, and the appropriate security measures put in place.

Top 10 actions to take to create a more secure network

1) Model the threats to your business, and perform a security risk assessment. Because each organization is unique, it is important to think through the potential threats to your business. This will be a brainstorming exercise that produces a long list of potential threats. Building upon this list, management and IT staff will then want to think through which of these threats are worth worrying about. A risk assessment will examine all of the relevant security risks, in terms of which risks are applicable to the business, what the expected number of annual occurrences might be for each, and the expected loss per occurrence. This will result in an annual loss expectancy for each identified risk. Armed with this information, it then becomes easier for the business to decide which risks to address in which order, and what level of remediation expenditure makes sense for each risk. There may be risks where the annual loss expectancy is
lower than the cost of remediation, where the business will choose to just accept the risk. The table below shows an example of this sort of analysis.

The objective of the risk analysis exercise is to identify all of the risks that are relevant to the business, and to rank order them in terms of priority. The risks and their priority will be different for each business. A small company that does all of its business via Internet ordering will necessarily want to make certain that the web server hosting the order processing application is secure, as 100% of the revenues of the business rely on this server and software. Similarly, they will place a high loss expectancy value on denial of service attacks, as these can cause a significant loss if the ability of customers to place orders is affected. A "brick and mortar" company that uses the Internet for less critical functions is certain to have different risks and priorities. A company that maintains multiple branch offices, all with VPN connections to the corporate headquarters, will have different risks than a company which does not have remote offices, and which does not extend VPN access outside of the main office. This is why it is critical to evaluate the specific risks to your business.

It is also advisable for SMBs to stay abreast of emerging threats and vulnerabilities. There are many industry newsletters and security industry websites that can be of assistance, including:
http://www.sans.org
http://www.securityfocus.com
http://www.securitypipeline.com
http://www.esecurityplanet.com

SANS publishes an annual list of the 20 most critical vulnerabilities. This list presents a consensus of industry experts as to the most critical vulnerabilities for Windows and UNIX systems. This list is worth reviewing (it is currently updated annually), to ensure that any vulnerabilities present in the SMB's IT infrastructure are addressed via patching, or some other solution. The list provides detail on the nature of the vulnerability, it provides guidance on how to determine if you are vulnerable, and most importantly it tells you how best to address each vulnerability.

2) Develop an information security policy, and educate your users. Every organization of any size should have an acceptable use policy for their computing resources, defining how employees may use IT resources, including the Internet, and an e-mail policy, defining acceptable uses and practices for company e-mail. The SANS website provides a great resource, the SANS Security Policy Resource page, that can speed the development of sound information security policies. The web page contains templates for many areas where an organization may need to develop a security policy.

Creating a set of clear security policies and making the organization aware of the policies will provide a foundation for a secure network. For example, defining a policy that requires all software to be used on company computers be first tested and then implemented by IT staff, and making end users aware of this policy, will reduce help desk calls, and will strengthen security. Similarly, defining and enforcing a corporate password policy will strengthen security. It is also important to undertake user education on company security policy,
so that users understand their part in maintaining the security of the company's network and IT resources. Users need to fully understand their role in the security process, which extends from "don't open attachments from people you don't know", to not sharing passwords, and using strong passwords. The risk assessment recommended above will likely highlight areas where security policies need to be developed. For example, when a company extends network access via a VPN to third parties (business partners, suppliers, consultants, and so on), it is advisable to have policies for what sort of network traffic will be permitted from the remote site, and what sort of security solutions will be in use at the remote site, including firewalls, anti-virus, and so on.

3) Design a secure network, implement packet filtering in the router, implement a firewall, and use a DMZ network for servers requiring Internet access. There are many considerations in designing a secure network. Some of the key factors to consider include the following:
• Use a "defense-in-depth" strategy in designing a secure network. This basically means not relying on a single device or product to enforce security, but instead using the security capabilities of a router and firewall, and ensuring that software on hosts and servers is up-to-date with patches. In more sophisticated environments, it may also mean that some or all of the following advanced security solutions might be called for: intrusion detection/prevention devices, host intrusion prevention software, application firewalls, or encryption solutions.
• Implement a firewall, ideally one that provides stateful packet inspection. Given the set of assumptions provided earlier, the firewall will need at least three interfaces: LAN, WAN, and DMZ. The LAN interface will be used to connect all of the user workstations, and Network Address Translation should be used to hide the actual addresses of all workstations. The mail server and web server will be placed on a network segment using the DMZ interface, where the traffic into and out of these devices can be subjected to different filtering rules. Address translation should be applied to these devices as well.
• Consider implementing application proxies for common applications and protocols. Proxies provide additional security by not exposing internal hosts to the Internet. This includes web protocols, and e-mail.
• Use the "principle of least privilege" in determining appropriate access to network resources. This essentially means that if a given group of users, be they internal or external, do not need access to certain systems or applications, then they should be restricted from this access. A simple example is a payroll system. In most companies, very few people in the company will actually need access to the payroll system. Given a properly designed network, it is possible to use a router or firewall to restrict access into the payroll system so that it can only occur from the IP addresses of workstations with a legitimate need for access, and access from every other workstation is restricted and blocked.
• Test each of the components after installation, to ensure that they are performing as expected. For example, test to ensure that a firewall that is configured to only allow inbound web access to the web server located on the DMZ actually blocks other attempted web access, to other
  11. 11. hosts. A study of firewall configuration 4) Use anti-virus software, both at the errors concluded that almost 80% of gateway, and on each desktop. Given the firewalls examined had “gross mistakes” in proliferation of viruses, using AV software their actual implementation.viii Thus the is a must. Implementing gateway anti-virus necessity of testing the firewall and software will ensure that all incoming and perimeter security. Ideally the testing will outgoing e-mail is scanned for viruses. It is be done by someone other than the person also wise to consider blocking some or organization that configured the firewall categories of attachments (i.e. those that and perimeter security. can introduce a virus or Trojan, for example .exe files and other programs, Testing and validation of the configuration scripts, and even .xls and .doc files that can is done using various scanning tools (many contain harmful macros). of which are freeware), and is important to ensure that no inadvertent “holes” have Using AV software on each desktop is also been created in the security of the network. recommended, as any viruses that get Beyond configuring the correct policies introduced from somewhere other than the and rules in the firewall and access router, Internet can be caught at the desktop (for it is also very important to setup the example a laptop user picking up the virus devices in a secure manner. There are while at home, and then spreading it upon many commands and setting in each of reconnection to the corporate network). these devices that can introduce security exposures and weaknesses if configured 5) Use only Operating Systems that incorrectly. An example would be turning have adequate security baseline remote Telnet access on in the access capabilities. For example, Windows 98 and router. 
All routers support this, but security prior versions do not have a real login “best practices” would say to disable this capability-user Ids and passwords that are capability, and if it is necessary to be able used can be easily bypassed just by hitting to access the router console via the “esc” at the login prompt. This is Internet, at a minimum use a more secure fundamentally unsecure. Upgrading to option such as SSH. Windows 2000 and beyond provides real login/access control capabilities, which are A great resource for IT personnel tasked essential. In addition, as Microsoft is no with designing and implementing a secure longer providing patches for Windows 98 network is the SANS reading room, and prior releases, any security accessible at Http://www.sans.org. This vulnerabilities that are found in these older public resource has many secure network OS’es won’t be fixed/patched. designs submitted by certification students. It is also recommended that users not be All certification papers are public given administrative privileges on their references, and a great deal can be learned systems, and that the systems be delivered from referencing these papers. Papers have to end users in a “locked down” been written for almost every brand of configuration, where users are not allowed firewall, and for many different network to load on any additional software. configurations.
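The testing point made under item 3 above (confirm that the firewall permits only what the policy says: inbound web to the DMZ server, payroll access only from the named workstation) becomes repeatable if the expectations are written down first and the rule set is checked against them. The following is an added example, not code from this white paper or from any firewall vendor; the rule format, the addresses and the two rule sets are constructed for illustration. It models first-match ACL evaluation with an implicit final deny, and runs one expectation table against a sloppy rule set of the kind the cited study found and against a corrected one.

```python
"""Check a firewall/router rule set against the access policy it is supposed to enforce.

Added example, not from the white paper. Addresses and the rule format are
constructed for illustration; a real firewall still has to be tested from outside
with a scanner, but the written-down expectations are what the scan is compared to.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR, e.g. "10.1.5.0/24"; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int]   # None means any port


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    """True if the packet falls within the rule's protocol/address/port scope."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(rules, proto, src, dst, dport) -> str:
    """First-match evaluation with an implicit final deny, as most ACLs work."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"


def audit(rules, expectations):
    """Return (description, expected, actual) for every expectation the rules violate."""
    failures = []
    for desc, proto, src, dst, dport, expected in expectations:
        actual = evaluate(rules, proto, src, dst, dport)
        if actual != expected:
            failures.append((desc, expected, actual))
    return failures


# Constructed addresses: DMZ web server, internal payroll server, the payroll clerk's PC.
WEB_DMZ = "192.0.2.10"
PAYROLL = "10.1.9.10"
CLERK = "10.1.5.21"

# The policy from the page, written as expectations before looking at the rules.
EXPECTATIONS = [
    ("Internet -> DMZ web server, port 80", "tcp", "203.0.113.7", WEB_DMZ, 80, "permit"),
    ("Internet -> DMZ web server, port 22", "tcp", "203.0.113.7", WEB_DMZ, 22, "deny"),
    ("Internet -> internal host, port 80", "tcp", "203.0.113.7", "10.1.5.50", 80, "deny"),
    ("payroll clerk -> payroll server", "tcp", CLERK, PAYROLL, 443, "permit"),
    ("other workstation -> payroll server", "tcp", "10.1.5.99", PAYROLL, 443, "deny"),
    ("DMZ web server -> payroll server", "tcp", WEB_DMZ, PAYROLL, 443, "deny"),
]

# The kind of "gross mistake" the cited study describes: the web rule allows port 80
# to ANY destination, and the payroll rule permits the clerk's whole subnet.
SLOPPY_RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", 80),
    Rule("permit", "tcp", "10.1.5.0/24", PAYROLL + "/32", 443),
    Rule("permit", "any", "10.0.0.0/8", "10.0.0.0/8", None),
]

# Corrected: web rule scoped to the DMZ host, payroll pinned to the clerk's address,
# and an explicit deny for everything else aimed at payroll ahead of the internal permit.
CORRECT_RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", WEB_DMZ + "/32", 80),
    Rule("permit", "tcp", CLERK + "/32", PAYROLL + "/32", 443),
    Rule("deny", "any", "0.0.0.0/0", PAYROLL + "/32", None),
    Rule("permit", "any", "10.0.0.0/8", "10.0.0.0/8", None),
]


if __name__ == "__main__":
    for name, rules in (("sloppy", SLOPPY_RULES), ("corrected", CORRECT_RULES)):
        failures = audit(rules, EXPECTATIONS)
        print(f"{name}: {len(failures)} failed expectation(s)")
        for desc, expected, actual in failures:
            print(f"  {desc}: expected {expected}, got {actual}")
```

The sloppy rule set fails two expectations (port 80 reaches an internal host, and an unrelated workstation reaches payroll) while the corrected one passes all six. On a real firewall the same table is what the external scan results get compared against; the value is in having the policy stated independently of the rules, so that a rule which is too broad shows up as a failed expectation rather than going unnoticed.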
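Item 4's advice to block categories of attachments at the gateway is easy to get wrong if the gateway only looks at the file name: renaming setup.exe to report.pdf defeats an extension list. The following added example (not from the white paper or from any anti-virus product) parses a constructed message with Python's standard email module and decides per attachment, checking content first (the "MZ" header every Windows executable carries, and a VBA project inside a zip-based Office file) and the extension list second. The message, the file contents and the extension list are illustrative assumptions.

```python
"""Attachment filtering for a mail gateway: block by extension, but also by content.

Added example, not code from the white paper or from any AV product. The message
below is constructed in memory; the extension list and file types are illustrative.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the page suggests blocking: programs, scripts, macro-capable Office files.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js",
                      ".doc", ".xls", ".docm", ".xlsm"}


def is_pe_executable(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header whatever the file is named."""
    return data[:2] == b"MZ"


def has_office_macros(data: bytes) -> bool:
    """OOXML Office files are zip containers; a vbaProject.bin entry means macros."""
    if data[:4] != b"PK\x03\x04":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block:<reason>' or 'allow'. Content checks run regardless of the name."""
    if is_pe_executable(data):
        return "block:executable-content"
    if has_office_macros(data):
        return "block:office-macros"
    lowered = filename.lower()
    dot = lowered.rfind(".")
    ext = lowered[dot:] if dot >= 0 else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block:extension"
    return "allow"


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return {attachment filename: verdict}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdicts[name] = classify_attachment(name, part.get_payload(decode=True))
    return verdicts


def build_sample_message() -> bytes:
    """Constructed message with four attachments of the kinds the page discusses."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "payables@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    # 1. A program renamed to look like a document: an extension check alone misses it.
    msg.add_attachment(b"MZ\x90\x00fake-pe-header", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # 2. A Word file carrying a VBA project (minimal zip with a vbaProject.bin entry).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00macro bytes")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    # 3. A plain executable, caught by the extension list.
    msg.add_attachment(b"not really a binary", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    # 4. Harmless text.
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()).items():
        print(f"{name}: {verdict}")
```

The renamed executable and the macro-carrying document are both blocked on content even though their names pass the extension list, which is the property a gateway filter needs; the extension list still catches files whose content check is inconclusive.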
6) Know your network, harden systems by removing unnecessary applications, and maintain an aggressive program of patching operating systems and applications. It is important to know what is running on each system on your network, and to ensure that appropriate patches are applied. The SQL Slammer attack took advantage of a vulnerability that had been known for more than six months, and for which a patch had been available for more than six months. Frequent patching will reduce the exposure from newly found vulnerabilities. This is very important, as the time lag between vulnerabilities being found and exploits and attacks being launched has shrunk significantly in the past few years. Many organizations that were affected by SQL Slammer thought that they were immune, as they weren't aware of having an SQL database installed. In some cases, these organizations had a proprietary application that used an SQL database, and as a consequence they were affected. Knowing your network, hosts, and operating systems is a matter of knowing what is running on each system, the vulnerabilities that exist in the OS version, and of maintaining a secure configuration. There are many tools that can be used to assist in this effort, including:

- Microsoft Baseline Security Analyzer[15]
- Nessus[16]
- NMAP[17]

All company servers (mail servers, web servers, file servers, databases, etc.) should be hardened by removing unnecessary software and processes from the systems. For example, the default installation of several operating systems will turn on all sorts of programs and services. If a program or service isn't needed by the business, the prudent thing to do is to remove it. This will tighten the security posture of the company by providing fewer avenues for attackers to try and exploit.

7) Use personal firewalls, particularly on laptops used by mobile users. Laptop PCs that are sometimes used in the office and at other times used while connected to foreign networks have proven to present security problems. These laptops may be used on dial-up networks, wireless LANs, or home broadband networks. When the Blaster worm attack was launched, many businesses that had implemented firewalls on their Internet connection believed they were secure, and they were, in terms of access via their Internet connection.

Many of these same businesses were infected by the worm when a laptop user picked up the worm while connected to a foreign network, and then subsequently connected to the corporate LAN. Upon connection to the company LAN (behind the firewall), the worm quickly sprayed itself across the entire company.

Personal firewalls implemented on (at a minimum) company laptops will address this security hole. For laptops that contain highly sensitive data, using strong authentication and even encryption will reduce the possibility that company data is exposed, even if the laptop is lost or stolen.

Several third-party firewall products exist to address this need. For users of Microsoft's XP OS, the new Service Pack 2 release includes a built-in firewall module.

8) Use strong authentication. Left to their own devices, most users will pick short and frequently predictable passwords. There are many attack tools that try to guess user ID/password combinations, based upon a brute force approach (trying every possible combination) or a dictionary approach (trying common words from an electronic dictionary).

Many operating systems provide the ability to enforce minimum password standards, including length (longer is better), avoidance of dictionary terms, and use of special characters (using punctuation characters, for instance, makes passwords less susceptible to dictionary attacks). Anything that can be done to avoid using standard dictionary words will help to improve security with regard to authenticating users. Locking or rate-limiting an account after repeated failed attempts blunts online guessing regardless of how good the password is. In addition, many solutions exist that can enhance authentication through the use of security tokens. These products use cryptographic techniques to produce "one time" passwords. This is referred to as "two factor" authentication, wherein users are only permitted access after verifying "something you know" (the valid user login and PIN), and "something you have or possess" (the security token that produces the one-time password). A third approach for the truly paranoid can include "something you are", or a unique biometric characteristic such as a fingerprint.

9) Develop a computer incident response plan. Even small companies need to think through how to respond in the event of a security incident. The computer incident response plan should identify the resources that will be involved in analyzing the incident, and the plan for analyzing and recovering from the incident. For small businesses, the resources that are called in may be external resources, for example consultants or integrators.

Here is a real world example: one evening your ISP calls and tells you that an IP address that is registered to your company is sending out massive amounts of spam, and that they will be removing your Internet access until the problem is solved. If your business depends on the Internet in any way, you will need a plan to analyze what is happening, identify the resources that have been compromised, pull them offline, clean and rebuild the systems, and resolve the problem as soon as possible.

10) Get started! Businesses of all sizes frequently only get serious about security after experiencing an attack or incident of some sort. While a harmful virus or worm can be highly motivating in terms of making an SMB focus on information and network security, it is inarguably better to expend resources and energy before an attack happens, and to periodically review and strengthen the security measures in place. If you lack the internal resources to adequately secure your network, consider using a highly qualified provider of IT security solutions to provide expert assistance.

Conclusion

The downside of trying to condense the topic of securing a network to a "top ten actions" list is that the result will inevitably leave out some very important actions. Businesses should, in addition to the ten actions listed above, also have a business continuity plan that looks at business-impacting disasters and plans for and tests responses.
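The SQL Slammer lesson under item 6 above is that organizations did not know SQL Server was on their network: the worm targeted the SQL Server resolution service on UDP port 1434, which was often installed silently as part of another application. The added example below, which is not from the white paper, takes a constructed inventory of listening sockets (the kind of data netstat, ss or an Nmap scan produces) and compares it against a per-host baseline of what the business actually needs; anything not in the baseline is reported, with the services the page discusses called out by name. Host names, ports, process names and the baseline are assumptions.

```python
"""Compare what is actually listening on each host against an approved baseline.

Added example, not part of the white paper. The inventory below is constructed;
in practice the lines come from `ss -lntup` / `netstat -ano` on each host or from
an Nmap scan of the network, but the comparison step is the same.
"""
from collections import namedtuple

Listener = namedtuple("Listener", "host proto addr port process")

# Services the page discusses, with the reason their exposure matters.
RISKY_PORTS = {
    ("udp", 1434): "SQL Server resolution service, the port SQL Slammer exploited",
    ("tcp", 135): "RPC endpoint mapper, the port Blaster exploited",
    ("tcp", 23): "Telnet: cleartext remote administration",
}

# Approved listeners per host (assumed): what the business actually needs exposed.
BASELINE = {
    ("web1", "tcp", 80),
    ("web1", "tcp", 443),
    ("mail1", "tcp", 25),
    ("mail1", "tcp", 143),
    ("file1", "tcp", 445),
}

# Constructed inventory: "host proto local-address:port owning-process", one per line.
INVENTORY = """\
web1  tcp 0.0.0.0:80     httpd
web1  tcp 0.0.0.0:443    httpd
web1  tcp 0.0.0.0:23     telnetd
mail1 tcp 0.0.0.0:25     sendmail
mail1 tcp 0.0.0.0:143    imapd
file1 tcp 0.0.0.0:445    smbd
file1 udp 0.0.0.0:1434   sqlservr.exe
file1 tcp 0.0.0.0:135    svchost.exe
file1 tcp 127.0.0.1:5432 postgres
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def parse_inventory(text):
    """Parse inventory lines into Listener records; blank lines and comments are skipped."""
    listeners = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, proto, local, process = line.split()
        addr, _, port = local.rpartition(":")
        listeners.append(Listener(host, proto.lower(), addr, int(port), process))
    return listeners


def find_unexpected(listeners, baseline, risky=RISKY_PORTS):
    """Return (host, proto, port, process, severity, note) for each listener not in the baseline.

    Known-dangerous services are rated high. A listener bound only to loopback is not
    reachable from the network, so it is reported as info, but it is still software
    that has to be patched or removed, which is the point of keeping the inventory.
    """
    findings = []
    for l in listeners:
        if (l.host, l.proto, l.port) in baseline:
            continue
        if (l.proto, l.port) in risky:
            severity, note = "high", risky[(l.proto, l.port)]
        elif l.addr in ("127.0.0.1", "::1"):
            severity, note = "info", "loopback only; still needs patching or removal"
        else:
            severity, note = "medium", "not in baseline: remove it or add it to the baseline"
        findings.append((l.host, l.proto, l.port, l.process, severity, note))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[4]], f[0], f[2]))


def missing_from_hosts(listeners, baseline):
    """Baseline entries with no matching listener: a needed service that silently stopped."""
    present = {(l.host, l.proto, l.port) for l in listeners}
    return sorted(baseline - present)


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY)
    for host, proto, port, process, severity, note in find_unexpected(inventory, BASELINE):
        print(f"[{severity:6}] {host} {proto}/{port} ({process}): {note}")
    for entry in missing_from_hosts(inventory, BASELINE):
        print("[missing]", entry)
```

Run against the constructed inventory it reports the SQL Server listener on the file server (the Slammer case: nobody put it in the baseline because nobody knew it was there), the RPC endpoint mapper, a Telnet daemon on the web server, and a loopback-only database as lower-priority. Re-running the comparison after every software install or patch cycle is what turns "know your network" from a slogan into a routine.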
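Item 8 above describes two controls: minimum password standards (length, character variety, no dictionary words) and one-time passwords produced by a security token. The added example below (not from the white paper or from any token vendor) implements both: a policy check that also catches decorated dictionary words such as Summer2024!, and HOTP from RFC 4226, the HMAC-based one-time password algorithm that OATH-compliant tokens use, together with the server-side check that advances the counter so a captured code cannot be replayed. The dictionary and the policy limits are illustrative assumptions; the test secret is the one published in RFC 4226.

```python
"""Password policy check and RFC 4226 HOTP one-time passwords.

Added example, not from the white paper. DICTIONARY and the policy limits are
illustrative; the secret used in __main__ is the RFC 4226 test-vector secret.
"""
import hashlib
import hmac
import struct

# Tiny stand-in for a real cracking dictionary (constructed).
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty", "dragon"}


def password_problems(pw: str, min_len: int = 12, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:
        problems.append("fewer than 3 character classes")
    # Strip the usual decoration (Password1!, summer2024) before the dictionary check,
    # since cracking tools try exactly those variations.
    core = pw.lower().strip("0123456789!@#$%^&*()_+-=.,?")
    if core in dictionary:
        problems.append("dictionary word with trivial decoration")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, server_counter: int, submitted: str, window: int = 3):
    """Server-side check with a small look-ahead window for codes generated but never sent.

    Returns the new server counter on success (one past the matching counter, so the
    same code can never be accepted twice) or None on failure.
    """
    if not submitted.isdigit():
        return None
    for c in range(server_counter, server_counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    for pw in ["Summer2024!", "password", "kXz9#vL2pQ!w7r"]:
        print(f"{pw!r}: {password_problems(pw) or 'ok'}")
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret
    print("token shows:", hotp(secret, 0))
    counter = verify_hotp(secret, 0, hotp(secret, 0))
    print("accepted, next counter:", counter)
    print("replay of same code:", verify_hotp(secret, counter, hotp(secret, 0)))
```

The server must persist the counter that verify_hotp returns: accepting a code at or below the stored counter is exactly the replay the token is meant to prevent. The password check is the "something you know" half; on its own it only raises the cost of guessing, which is why the page pairs it with the token.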
SMBs should back up critical data frequently, and test that the backup/restore process actually works. SMBs should also evaluate their physical security, looking at how access to physical IT equipment is controlled and secured. They may also want to consider having an outside organization actually test their security; this is called a penetration test, and can help to identify security problems and weaknesses. The scope and rules of engagement for such a test should be agreed in writing before it starts.

Security is worth investing in. The downside of doing nothing may well be that the business ceases to exist when a malicious attack destroys customer records or valuable proprietary data. However, addressing the problem needn't necessarily mean hiring direct, expensive staff. There are many great security solution providers and managed security service providers who can assist an SMB to implement the appropriate solutions. When considering using a third party to assist with solving security problems, it is important to make sure that the organization has qualified personnel and proven expertise. One way to ensure that this is the case is to look for solution providers who have recognized expertise in information security, with respected certifications such as the SANS/GIAC certification series (GSEC, GCFW, GCIH, et al.) and the ISC2 CISSP certification.

About Compliance Research Group

Jim Hietala, SANS GSEC, GCFW and CISSP, is the principal of Compliance Research Group, providing research and consulting services in the areas of compliance, risk management, and IT security. Compliance Research Group has been proud to work with organizations such as SANS and The Open Group Security Forum, and to have provided consulting and research services to leading security, risk, and compliance vendors.

Sponsored by:

Copyright Compliance Research Group 2008, all rights reserved.

[i] National SMB Market Attitudes Toward Future Growth and the Role of Technology, Penn, Schoen and Berland Associates, Inc., May 11, 2004
[ii] http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1011092,00.htm
[iii] Common Sense Guide to Cyber Security for Small Business, Internet Security Alliance, March
[iv] http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2914399,00.html
[5] SMBs Show Preference for Security Services, Gartner, 2003
[v] http://www.sans.org/top20/
[vi] http://isc.sans.org/survivalhistory.php
[vii] How to 0wn the Internet in Your Spare Time, Staniford, Paxson, Weaver, Proceedings of the 11th USENIX Security Symposium, http://www.icir.org/vern/papers/cdc-usenix-sec02/
[viii] A Quantitative Study of Firewall Configuration Errors, Avishai Wool, IEEE Computer Society, June 2004, http://www.eng.tau.ac.il/~yash/computer2004.pdf
