A Guide To SMB Network Security
Compliance Research Group White Paper
303.495.3123
www.complianceresearchgroup.com

Network Security
A Guide for Small-Medium Businesses

Jim Hietala
Principal, Compliance Research Group
CISSP, GSEC, GCFW

February 6, 2008
Contents

Introduction
Small-Medium Businesses and Network Security
Network Security 101
Threat and Attack Trends
Where Should an SMB Start?
Top 10 actions to take to create a more secure network
Conclusion

A summary of the key actions recommended for SMBs is as follows:

• Model the threats to your business, and perform a security risk assessment
• Develop an information security policy, and educate your users
• Design a secure network, implement packet filtering in the router, implement a firewall, and use a DMZ network for servers requiring Internet access
• Use anti-virus software, both at the gateway and on each desktop
• Use only operating systems that have adequate security baseline capabilities
• Know your network, harden systems by removing unnecessary applications, and maintain an aggressive program of patching operating systems and applications
• Use personal firewalls, particularly on laptops used by mobile users
• Use strong authentication
• Develop a computer incident response plan
• Get started!

Introduction

The objective of this paper is to educate both IT staff and senior management of small-medium sized businesses (SMBs) about the network security threats that exist. The paper presents a digest of industry best practices for network security, which should assist SMBs in setting priorities for securing the perimeter of a typical SMB network.

The security industry does a good job of publicizing security threats on a continual basis. However, much of what we read in the press contains little if any context for each new threat that would help senior management or IT staff at an SMB decide which threats to address, and in what order. This paper seeks to bridge that gap by providing guidance to companies who, faced with the seemingly impossible and endless task of securing their network, need help deciding where to start and where to focus: what to do first, second, third, and so on, among the myriad information security threats that are out there and the possible solutions.
Small-Medium Businesses and Network Security

Market research firm Penn, Schoen & Berland defines small-medium businesses as those with fewer than 1,000 total employees[i]. For many SMBs, their perception of the risk of attack is a significant problem in itself. A recent poll by the National Cyber Security Alliance showed that "More than 30% of those polled … think they'll take a bolt of lightning through the chest before they see their computers violated in an Internet attack"[ii].

These businesses evidently believe that they are either too small or too obscure to be targeted. Or they perhaps believe that they work in an industry that wouldn't attract attacks because their data is not high-value intellectual property, sensitive proprietary data, and so on. What these businesses fail to realize is that in the Internet era, with always-on connections providing easy access for mass, indiscriminate attacks, a business or organization does not have to be a target to be a victim.

Some very well publicized indiscriminate mass attacks include Nimda, Code Red, SQL Slammer, and Blaster, all of which spread rapidly throughout the Internet, and none of which spared SMBs. In fact, SMBs may be more susceptible to mass attacks than larger businesses. A case in point is the Mydoom virus (and its many variants), which was first launched in January 2004 and quickly affected one in three small businesses, versus only one in six large enterprises[iii].

Some of the factors that make SMBs susceptible to mass attacks include the fact that they tend to be fairly homogeneous in terms of their computing infrastructure. According to Gartner[iv], 90% of SMBs are running Windows on their servers, 80% are using Outlook and Exchange as their e-mail clients and servers, and 70% are using SQL databases. In addition, SMBs typically lack the specialized, dedicated, and highly trained security staff that can address IT security. Unlike the situation at large IT organizations, where there is likely to be a significant staff whose sole responsibility is securing the IT environment, at most SMBs security is likely to be a part-time responsibility for someone on the IT staff.

Gartner research indicates that more than 60% of midsize businesses in North America do not have a dedicated resource to manage security. The situation at small businesses is undoubtedly even worse.

With the proliferation of worms and viruses on the Internet, there is a very high probability that a typical small-medium business will experience an attack.

The regulatory environment is increasingly mandating that businesses of all sorts tighten their security. In industries such as health care and financial services, government regulations (for example HIPAA and GLBA) are forcing affected organizations to enhance their network security and tighten access to personal information. A law enacted by the State of California, SB 1386 (effective July 1, 2003), has implications for SMBs in any industry: it applies to any business (located anywhere) that sells products or services to California residents. It essentially requires companies that experience a breach in information security to disclose this fact to their customers. A breach is defined by SB 1386 as one in which the confidential personal data of the customer is exposed. Legal experts believe that the law will open up firms experiencing such a breach to possible class action lawsuits. In addition, since the passage of SB 1386, over thirty other states have passed similar legislation.

Clearly, all businesses need to maintain adequate security, and just as clearly, SMBs are not immune from the security issues that exist in today's interconnected world.

Network Security 101

In order to understand the IT and network security environment, and how best to deal with it, it is necessary to define some terms and describe the kinds of threats and security solutions that exist today. This is not intended to be an exhaustive list, but rather a "plain English" description of the most common terms.

Vulnerabilities - Vulnerabilities are known (or newly found) security holes that exist in software. An example is a buffer overflow, which occurs when the developer of a software product expects a certain amount of data, for example 20 bytes, to be received at a particular point in the operation of a program, but fails to check the length of what is actually received. A user (or malicious attacker) can then send a great deal more data, or unexpected (perhaps special) characters, and overwrite memory beyond the space the program set aside for the input. Vulnerabilities can exist in software running on PCs, servers, communications equipment such as routers, or almost any device running software. Not all vulnerabilities are created equal: some will cause the affected program to crash (which can lead to a denial of service condition on the affected system) or cause a reboot, and in the worst case they can allow the attacker to gain root or administrative access to the affected system. Upon discovery of a vulnerability, the software vendor will (hopefully quickly) develop a fix, or software patch, and make it available to users of the software. SANS maintains a list of the Top 20 most critical vulnerabilities that is very useful in ensuring that the highest priority vulnerabilities are addressed[v].

Exploits - When vulnerabilities are found in software, the hacker community will frequently attempt to develop attack code that takes advantage of the vulnerability. This attack software is called an exploit, and exploit code is frequently shared among hackers as they attempt to develop different, more sophisticated attacks.

Threats or attacks - One useful way to categorize security threats or attacks is to look at the intent. A directed attack is one aimed at a single company, for example a company attempting to hack into a competitor's network. A mass attack is usually a virus or worm that is launched onto the Internet and that replicates itself to as many systems as possible, as quickly as possible. Attacks may come from outside a company, or a company insider may carry them out.

Viruses - Viruses are generally carried within e-mail messages, although they are anticipated to become a security problem for instant messaging traffic as well. Users unknowingly cause the virus to execute as a program on their system when they click on an attachment that runs the virus program. Virus writers go to great lengths to disguise the fact that the attachment is in fact a virus. Viruses also attempt to spread by sending themselves to all of the e-mail addresses they can find on an infected system. An example of a well-known virus is the Bagle family (there have been many versions of this virus). These viruses contain their own e-mail (SMTP) engine, so that they can replicate by sending e-mail to all of the addresses they harvest from the compromised system.

Worms - An example of a worm is the Blaster worm, which rapidly spread through the Internet in August 2003. Blaster targeted computers running Windows operating systems, and used a vulnerability in the Remote Procedure Call (RPC) code. Blaster affected computers running Windows Server 2003, Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, and Windows XP. After compromising hundreds of thousands of systems, Blaster launched a distributed denial of service attack on a Microsoft Windows update site.

Trojan horses - As the name implies, these are software programs with malicious intent that are put onto target systems (whether by a direct hack, or as the result of a virus or worm). The Trojan can capture passwords, or provide root access to the system remotely.

Denial of service attacks (DoS) - A denial of service attack attempts to put the target site out of operation, frequently by flooding the site with bogus traffic, thus making it unusable. An attacker attempting to create a denial of service condition will oftentimes try to compromise many PCs and use them to "amplify" the attack volume, and to hide his or her tracks as well. This is called a Distributed Denial of Service (DDoS) attack. Denial of service attacks have now become a popular criminal activity. In an online form of the "protection racket" (pay us some protection money or we'll ruin your business), computer criminals have taken to using denial of service attacks to put online businesses out of business, at least temporarily, and then demand money from the target. This sort of cyber extortion attack has been used by hacker rings operating out of Eastern Europe, and has caused significant disruptions to online bookmakers and gambling sites. Any business that depends on online ordering for a significant portion of its revenues is susceptible to this sort of attack. Denial of service attacks have also been used to try to put competitors out of business. In a case that surfaced in August 2004, a satellite TV dealer hired hackers to mount DoS attacks on the websites of his six primary competitors, causing them over $2M in lost revenue. Denial of service attacks are very hard to protect against effectively.

Spam - Spam is not a security threat per se, but spam techniques are increasingly being used to deliver malicious software. Spam can also be used to launch "phishing" attacks, which attempt to elicit confidential personal information (bank account information, credit card information, etc.) as a means to steal identities or cause financial harm.
Some of the more common and popular security industry solutions are described below.

Routers - Routers are perhaps not generally thought of as "security solutions"; however, most routers today provide packet filtering capabilities, and they can be used to enhance the security of most networks. In addition, there are certain security tasks that are best performed on the router in order to optimize the performance of the overall network and to reduce the processing load on a firewall.

Firewalls - Firewalls are a fundamental network security solution. Firewalls are used to restrict inbound and outbound network access to only the traffic that is allowed by the security policy of the organization. For example, an organization that does not maintain a publicly accessible web server on its company LAN can use a firewall to define and enforce a security policy that allows outbound web access for employees, but that blocks any inbound web server access attempts (HTTP protocol, port 80) at the firewall.

Anti-virus software - Anti-virus (AV) software scans files and e-mail messages for known viruses, which it recognizes by signatures (patterns) that identify each virus. AV solutions can be implemented on each desktop, or they can be implemented as a gateway or e-mail server function, where all incoming messages are scanned before being delivered to the recipient. Best practices for preventing viruses on a corporate network call for both desktop and gateway (or server) AV to be implemented, to ensure that laptops that plug into the LAN cannot infect systems "behind" the AV gateway. It is important that both types of AV software are kept up to date, as new viruses are found very frequently.

Virtual Private Networks - The ubiquity and low cost of Internet connections have created a requirement to use the Internet for private company communications, replacing more expensive private networks (frame relay and private line networks). Virtual Private Network (VPN) technology was developed to allow the Internet to be used in a private manner, with all data between company locations or endpoints being encrypted. VPNs provide privacy for the data while it is in transit across the Internet. VPNs do not secure endpoints from other sorts of attacks, however. And from a security standpoint, VPNs actually extend the corporate network to remote locations. The notion that the network is only as secure as its weakest link is worth bearing in mind when implementing VPNs, as the weakest link may become the executive's home PC that has a VPN connection to headquarters, the salesperson's laptop that is equipped with a VPN connection for remote access, or the business partner's LAN that is equipped with a VPN connection to allow sharing of information. Another way to think about this is to acknowledge that the actual network perimeter to be secured extends to all systems that are provided with VPN access, not just those on the local LAN.

Intrusion detection/prevention systems - Intrusion detection (IDS) and intrusion prevention (IPS) systems are products that can analyze certain types of traffic and determine whether the traffic is legitimate, or whether it matches a known pattern indicating that it is attack traffic.
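As an added example of the pattern matching just described (not code from the white paper), here is a minimal signature check in Python run over a few constructed web server log lines. The signatures are the publicly documented probe requests used by Nimda (which also looked for the root.exe backdoor left by Code Red II) and by Code Red; the log lines, client addresses and timestamps are constructed. The point worth noticing is the normalization step: Nimda sent the same cmd.exe request plain, double-encoded (..%255c..) and with malformed UTF-8 (..%c1%1c..), so a signature applied to the raw URL misses variants that a decoded view catches, which is exactly the evasion that polymorphic attacks rely on.

```python
"""Signature matching over web server log lines, as an IDS does on port 80
traffic.  Added example; the log lines are constructed, the request
patterns are the documented Nimda / Code Red probes."""
import re
from collections import Counter
from urllib.parse import unquote

# (signature name, regex applied to the *decoded* request path)
SIGNATURES = [
    ("Nimda/Code Red II root.exe backdoor probe",
     re.compile(r"/(?:scripts|msadc)/root\.exe", re.I)),
    ("Nimda cmd.exe via directory traversal",
     re.compile(r"\.\./.*cmd\.exe", re.I)),
    ("Code Red .ida buffer overflow",
     re.compile(r"/default\.ida\?[NX]{50,}", re.I)),
]

# Common Log Format: client - - [time] "METHOD path HTTP/x" status bytes
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def normalize_path(path):
    """Decode percent-encoding twice (..%255c.. is ..%5c.. after one pass and
    ..\\.. after two), map the malformed UTF-8 byte pairs Nimda used for '/'
    and '\\' back to a slash, and unify slashes, so that one pattern covers
    every encoding of the same traversal.  latin-1 keeps each byte as one
    character instead of turning invalid UTF-8 into replacement characters."""
    decoded = unquote(unquote(path, encoding="latin-1"), encoding="latin-1")
    for raw in ("\xc0\xaf", "\xc1\x1c", "\xc1\x9c"):
        decoded = decoded.replace(raw, "/")
    return decoded.replace("\\", "/")


def inspect(lines):
    """Match every log line against the signatures; return (client, name, raw path)."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        decoded = normalize_path(path)
        for name, pattern in SIGNATURES:
            if pattern.search(decoded):
                alerts.append((client, name, path))
                break  # one alert per request is enough
    return alerts


def per_source(alerts):
    """How many signature hits each client produced (a worm probes in bursts)."""
    return Counter(client for client, _, _ in alerts)


# Constructed access log: three Nimda probes from one host, one Code Red
# probe from another, and two ordinary requests.
CODE_RED_PATH = "/default.ida?" + "N" * 64 + "%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = f"""\
198.51.100.7 - - [18/Sep/2001:10:12:01 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 305
198.51.100.7 - - [18/Sep/2001:10:12:02 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
198.51.100.7 - - [18/Sep/2001:10:12:03 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
203.0.113.20 - - [18/Sep/2001:10:13:40 -0600] "GET {CODE_RED_PATH} HTTP/1.0" 400 227
192.0.2.15 - - [18/Sep/2001:10:14:05 -0600] "GET /products/index.html HTTP/1.1" 200 6142
192.0.2.15 - - [18/Sep/2001:10:14:06 -0600] "GET /images/logo.gif HTTP/1.1" 200 2210
"""

if __name__ == "__main__":
    found = inspect(SAMPLE_LOG.splitlines())
    for client, name, path in found:
        print(f"{client:14} {name:45} {path[:60]}")
    print(per_source(found))
```

Running it reports four alerts: three from 198.51.100.7 (the plain root.exe probe and both encodings of the cmd.exe traversal) and one Code Red probe from 203.0.113.20; the two ordinary requests produce nothing. An IDS would raise these as alerts; an IPS placed inline would drop the matching requests instead.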
An example might be web (port 80) traffic, which a firewall would typically be configured to allow. An IDS can look at that traffic and determine, based upon the pattern, that it is actually a Nimda attack and not valid user traffic. An IDS product will alert on invalid traffic, while an IPS product will block the offending traffic. IDS/IPS products come in two configurations: they are implemented either as a network device analyzing traffic on the local LAN segment, or as software installed on a specific host that looks at traffic to that host only.

Spam filtering - Spam filtering can be implemented on the e-mail server, or on a separate appliance sitting between the Internet and the mail server. There are many techniques that can be used to try to identify spam, and generally the goal is to minimize false positives (legitimate mail misclassified as spam) while also minimizing false negatives (spam that slips past the filter). A category of spam that is more ominous than most is what are known as "phishing" attacks. These are generally mass messages that are cleverly crafted to look like legitimate mail from a bank or online merchant, and that request the recipient to verify some confidential personal information, usually including account data.

Unsuspecting victims who actually respond and provide their personal information oftentimes end up the victim of identity theft or some sort of financial fraud. Implementing a spam filter will help to improve the security posture of a company, and it will also help to improve the productivity of the company.

Threat and Attack Trends

The trends regarding threats and attacks have gotten significantly worse over time. Some key trends:

- The time lag between a vulnerability being found and publicly identified and an exploit becoming available or an attack being launched has decreased significantly in the past few years. This heightens the need to quickly test and implement software patches that address new vulnerabilities, so as to close the security holes as soon as possible.

- The SANS Internet Storm Center publishes a statistic regarding the average length of time that a fresh (unpatched) system lasts on the Internet before being scanned or attacked. The latest data available indicates that this "survival time" has dropped from 40 minutes to 18 minutes in the last 15 months[vi]. This suggests that with all of the various "mature" attacks still floating around the Internet, it is critical to patch new systems immediately upon putting them into service, to avoid being compromised.

- As to the future of attacks, experts have theorized that new attacks will become polymorphic, that is, they will change their code and attack methods over time so as to avoid detection by anti-virus software and intrusion detection and prevention systems. In addition, a fascinating study looked at techniques that future attacks might use to propagate more quickly throughout the Internet. By pre-scanning for vulnerable systems and creating a "hit list" of these servers, the study postulates that new worm variants dubbed "flash worms" will be able "to infect almost all vulnerable servers on the Internet in less than thirty seconds"[vii]. This is significantly faster than previous worms such as Code Red and Nimda, which required 20+ hours to propagate widely through the Internet. The emergence of this sort of threat will mandate that organizations of all sizes pay very close attention to their perimeter security, and to what traffic their firewall should allow in.

Where Should an SMB Start?

It is always dangerous to generalize about what specific set of actions should be taken to enhance security. Each SMB's network and IT situation will be different, with varying levels of sophistication, different types of computers, operating systems, and applications, and different access requirements.

However, we are making the following assumptions about an average SMB's Internet and IT infrastructure and use:

• An always-on Internet connection, and in addition,
• A mail server hosted onsite,
• A web server hosted onsite,
• A number of Internet users onsite,
• A file server and/or database with proprietary customer and other business information.

Given this set of assumptions, there are a number of actions outlined below that will dramatically enhance the security of the SMB's network. Vendor hype to the contrary, there is unfortunately no "silver bullet" in IT and network security. Creating a secure network is only achieved by understanding the nature of the threats that are being faced (and the threat environment is constantly changing) and their potential impacts to the business, and by taking those actions that are most likely to address the highest risk threats. It is also important to note that security is not a one-off project or exercise. It is probably best thought of as an iterative process: as the threats change and the IT needs change, new security threats will need to be assessed, and the appropriate security measures put in place.

Top 10 actions to take to create a more secure network

1) Model the threats to your business, and perform a security risk assessment. Because each organization is unique, it is important to think through the potential threats to your business. This will be a brainstorming exercise that produces a long list of potential threats. Building upon this list, management and IT staff will then want to think through which of these threats are worth worrying about.

A risk assessment will examine all of the relevant security risks, in terms of which risks are applicable to the business, what the expected number of annual occurrences might be for each, and the expected loss per occurrence. Multiplying the two gives an annual loss expectancy for each identified risk. Armed with this information, it then becomes easier for the business to decide which risks to address in which order, and what level of remediation expenditure makes sense for each risk. There may be risks where the annual loss expectancy is lower than the cost of remediation, where the business will choose to just accept the risk. The table below shows an example of this sort of analysis.

The objective of the risk analysis exercise is to identify all of the risks that are relevant to the business, and to rank them in order of priority. The risks and their priority will be different for each business. A small company that does all of its business via Internet ordering will necessarily want to make certain that the web server hosting the order processing application is secure, as 100% of the revenues of the business rely on this server and software. Similarly, it will place a high loss expectancy value on denial of service attacks, as these can cause a significant loss if the ability of customers to place orders is affected. A "brick and mortar" company that uses the Internet for less critical functions is certain to have different risks and priorities. A company that maintains multiple branch offices, all with VPN connections to the corporate headquarters, will have different risks than a company which has no remote offices and does not extend VPN access outside of the main office. This is why it is critical to evaluate the specific risks to your business.

It is also advisable for SMBs to stay abreast of emerging threats and vulnerabilities. There are many industry newsletters and security industry websites that can be of assistance, including:

http://www.sans.org
http://www.securityfocus.com
http://www.securitypipeline.com
http://www.esecurityplanet.com

SANS publishes an annual list of the 20 most critical vulnerabilities. This list presents a consensus of industry experts as to the most critical vulnerabilities for Windows and UNIX systems. This list is worth reviewing (it is currently updated annually), to ensure that any vulnerabilities present in the SMB's IT infrastructure are addressed via patching or some other solution. The list provides detail on the nature of each vulnerability, provides guidance on how to determine if you are vulnerable, and, most importantly, tells you how best to address each vulnerability.

2) Develop an information security policy, and educate your users. Every organization of any size should have an acceptable use policy for its computing resources, defining how employees may use IT resources, including the Internet, and an e-mail policy, defining acceptable uses and practices for company e-mail. The SANS website provides a great resource, the SANS Security Policy Resource page, that can speed the development of sound information security policies. The web page contains templates for many areas where an organization may need to develop a security policy.

Creating a set of clear security policies and making the organization aware of the policies will provide a foundation for a secure network. For example, defining a policy that requires all software used on company computers to be tested and then installed by IT staff, and making end users aware of this policy, will reduce help desk calls and will strengthen security. Similarly, defining and enforcing a corporate password policy will strengthen security. It is also important to undertake user education on company security policy, so that users understand their part in maintaining the security of the company's network and IT resources. Users need to fully understand their role in the security process, which extends from "don't open attachments from people you don't know", to not sharing passwords, to using strong passwords. The risk assessment recommended above will likely highlight areas where security policies need to be developed. For example, when a company extends network access via a VPN to third parties (business partners, suppliers, consultants, and so on), it is advisable to have policies for what sort of network traffic will be permitted from the remote site, and what sort of security solutions will be in use at the remote site, including firewalls, anti-virus, and so on.

3) Design a secure network, implement packet filtering in the router, implement a firewall, and use a DMZ network for servers requiring Internet access. There are many considerations in designing a secure network. Some of the key factors to consider include the following:

• Use a "defense-in-depth" strategy in designing a secure network. This basically means not relying on a single device or product to enforce security, but instead using the security capabilities of both the router and the firewall, and ensuring that software on hosts and servers is up to date with patches. In more sophisticated environments, it may also mean that some or all of the following advanced security solutions are called for: intrusion detection/prevention devices, host intrusion prevention software, application firewalls, or encryption solutions.

• Implement a firewall, ideally one that provides stateful packet inspection. Given the set of assumptions provided earlier, the firewall will need at least three interfaces: LAN, WAN, and DMZ. The LAN interface will be used to connect all of the user workstations, and Network Address Translation (NAT) should be used to hide the actual addresses of all workstations. The mail server and web server will be placed on a network segment using the DMZ interface, where the traffic into and out of these devices can be subjected to different filtering rules. Address translation should be applied to these devices as well.

• Consider implementing application proxies for common applications and protocols. Proxies provide additional security by not exposing internal hosts directly to the Internet. This includes web protocols and e-mail.

• Use the "principle of least privilege" in determining appropriate access to network resources. This essentially means that if a given group of users, be they internal or external, do not need access to certain systems or applications, then they should be restricted from that access. A simple example is a payroll system. In most companies, very few people will actually need access to the payroll system. Given a properly designed network, it is possible to use a router or firewall to restrict access to the payroll system so that it can only occur from the IP addresses of workstations with a legitimate need for access, and access from every other workstation is blocked.

• Test each of the components after installation, to ensure that they are performing as expected. For example, test to ensure that a firewall that is configured to only allow inbound web access to the web server located on the DMZ actually blocks attempted web access to other hosts. A study of firewall configuration errors concluded that almost 80% of the firewalls examined had "gross mistakes" in their actual implementation[viii]. Hence the necessity of testing the firewall and perimeter security. Ideally the testing will be done by someone other than the person or organization that configured the firewall and perimeter security.

Testing and validation of the configuration is done using various scanning tools (many of which are freeware), and is important to ensure that no inadvertent "holes" have been created in the security of the network. Beyond configuring the correct policies and rules in the firewall and access router, it is also very important to set up the devices themselves in a secure manner. There are many commands and settings in each of these devices that can introduce security exposures and weaknesses if configured incorrectly. An example would be turning on remote Telnet access to the access router: Telnet sends the login credentials and the entire session in clear text, so anyone who can observe the traffic can capture the router password. Most routers support Telnet, but security "best practices" would say to disable this capability, and if it is necessary to be able to reach the router console via the Internet, at a minimum use a more secure option such as SSH.

A great resource for IT personnel tasked with designing and implementing a secure network is the SANS Reading Room, accessible at http://www.sans.org. This public resource has many secure network designs submitted by certification students. All certification papers are public references, and a great deal can be learned from referencing these papers. Papers have been written for almost every brand of firewall, and for many different network configurations.

4) Use anti-virus software, both at the gateway and on each desktop. Given the proliferation of viruses, using AV software is a must. Implementing gateway anti-virus software will ensure that all incoming and outgoing e-mail is scanned for viruses. It is also wise to consider blocking some categories of attachments (that is, those that can introduce a virus or Trojan, for example .exe files and other programs, scripts, and even .xls and .doc files that can contain harmful macros).

Using AV software on each desktop is also recommended, as any viruses that get introduced from somewhere other than the Internet connection can be caught at the desktop (for example a laptop user picking up the virus while at home, and then spreading it upon reconnection to the corporate network).

5) Use only operating systems that have adequate security baseline capabilities. For example, Windows 98 and prior versions do not have a real login capability: the user IDs and passwords they ask for can be bypassed just by hitting "Esc" at the login prompt. This is fundamentally insecure. Upgrading to Windows 2000 and beyond provides real login/access control capabilities, which are essential. In addition, as Microsoft is no longer providing patches for Windows 98 and prior releases, any security vulnerabilities that are found in these older operating systems won't be fixed.

It is also recommended that users not be given administrative privileges on their systems, and that systems be delivered to end users in a "locked down" configuration, where users are not allowed to install any additional software.
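Item 3 above specifies the three-interface design (LAN, WAN, DMZ), the least-privilege rule for the payroll server, and the instruction to test that the firewall really blocks what it should. The following Python is an added example, not code from the white paper or from any firewall product: it models such a ruleset as a first-match, default-deny policy with a minimal stateful flow table, then runs the kind of probe list the paper recommends and reports every probe whose decision differs from what the design intends. The addresses (10.0.1.0/24 for the LAN, 10.0.2.0/24 for the DMZ, 198.51.100.7 as an Internet host) and the rules themselves are assumptions chosen to match the paper's description; the policy is written in post-NAT private addresses, with NAT itself left out of the model. The "sloppy" variant at the end shows the probe list catching the kind of gross mistake the cited study found.

```python
"""First-match, default-deny model of the three-interface firewall from
item 3, plus a probe list that checks the policy does what the design
intends.  Added example; addresses and rules are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LAN = ipaddress.ip_network("10.0.1.0/24")   # user workstations, behind NAT
DMZ = ipaddress.ip_network("10.0.2.0/24")   # web and mail servers
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/32")


WEB_SERVER, MAIL_SERVER, PAYROLL = host("10.0.2.10"), host("10.0.2.25"), host("10.0.1.50")
PAYROLL_WORKSTATIONS = [host("10.0.1.21"), host("10.0.1.22")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dports: Optional[Set[int]]        # None = any destination port
    note: str


RULES = [
    Rule("allow", [ANY], [WEB_SERVER], {80, 443}, "public web server in the DMZ"),
    Rule("allow", [ANY], [MAIL_SERVER], {25}, "inbound SMTP to the DMZ mail server"),
    Rule("allow", PAYROLL_WORKSTATIONS, [PAYROLL], None, "least privilege: payroll only from named workstations"),
    Rule("deny", [ANY], [PAYROLL], None, "everyone else is blocked from payroll"),
    Rule("deny", [DMZ], [LAN], None, "a compromised DMZ host must not reach the LAN"),
    Rule("allow", [LAN], [ANY], {25, 53, 80, 443}, "outbound mail, DNS and web for users"),
]   # anything not matched above is dropped (default deny)


class Firewall:
    """Stateful packet filter: the first matching rule wins, and replies to a
    flow that was allowed earlier are let back through without a rule."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[Tuple[str, str, int, int]] = set()   # (src, dst, sport, dport)

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.flows:
            return "allow", "reply to an established flow"
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for rule in self.rules:
            if (any(src in n for n in rule.src) and any(dst in n for n in rule.dst)
                    and (rule.dports is None or pkt.dport in rule.dports)):
                if rule.action == "allow":
                    self.flows.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
                return rule.action, rule.note
        return "deny", "default deny"


# The verification step the paper recommends: what each probe *should* get.
# Order matters for the last two, which exercise the flow table.
PROBES = [
    (Packet("198.51.100.7", "10.0.2.10", 40001, 80), "allow"),    # Internet -> DMZ web
    (Packet("198.51.100.7", "10.0.2.25", 40002, 80), "deny"),     # web to the mail server
    (Packet("198.51.100.7", "10.0.1.50", 40003, 80), "deny"),     # web to an internal host
    (Packet("198.51.100.7", "10.0.2.25", 40004, 25), "allow"),    # SMTP to the mail server
    (Packet("10.0.1.21", "10.0.1.50", 40005, 443), "allow"),      # payroll from a named workstation
    (Packet("10.0.1.77", "10.0.1.50", 40006, 443), "deny"),       # payroll from anyone else
    (Packet("10.0.2.10", "10.0.1.30", 40007, 445), "deny"),       # DMZ web server -> LAN file share
    (Packet("10.0.1.30", "198.51.100.7", 40008, 443), "allow"),   # outbound HTTPS
    (Packet("198.51.100.7", "10.0.1.30", 443, 40008), "allow"),   # its reply (stateful)
    (Packet("198.51.100.7", "10.0.1.30", 443, 40009), "deny"),    # same server, no matching flow
]


def run_probes(fw: Firewall, probes) -> list:
    """Return (packet, expected, got) for every probe the policy gets wrong."""
    failures = []
    for pkt, expected in probes:
        got, _ = fw.decide(pkt)
        if got != expected:
            failures.append((pkt, expected, got))
    return failures


# The kind of "gross mistake" the cited study found: an allow-all into the
# DMZ added "to make the mail server work", which also opens web to it.
SLOPPY_RULES = [Rule("allow", [ANY], [DMZ], None, "temporary: allow all into DMZ")] + RULES

if __name__ == "__main__":
    print("designed policy, failed probes:", run_probes(Firewall(RULES), PROBES))
    print("sloppy policy, failed probes:", run_probes(Firewall(SLOPPY_RULES), PROBES))
```

With the designed ruleset every probe gets the intended answer; with the sloppy ruleset the probe for port 80 to the mail server comes back "allow", which is exactly the hole a port scan from outside would find. Against a real firewall the same probe list is what you run with a scanner from each zone, by someone other than the person who wrote the rules.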
6) Know your network, harden systems by removing unnecessary applications, and maintain an aggressive program of patching operating systems and applications. It is important to know what is running on each system on your network, and to ensure that appropriate patches are applied. The SQL Slammer attack took advantage of a vulnerability that was known for more than 6 months, and for which a patch was available for more than 6 months. Frequent patching will reduce the exposure from newly found vulnerabilities. This is very important, as the time lag between vulnerabilities being found and exploits and attacks being launched has shrunk significantly in the past few years. Many organizations that were affected by SQL Slammer thought that they were immune, as they weren’t aware of having an SQL database installed. In some cases, these organizations had a proprietary application that used an SQL database, and as a consequence they were affected. Knowing your network, hosts, and operating systems is a matter of knowing what is running on each system, the vulnerabilities that exist in the OS version, and of maintaining a secure configuration. There are many tools that can be used to assist in this effort, including:

- Microsoft Baseline Security Analyzer [15]
- Nessus [16]
- NMAP [17]

All company servers (mail servers, web servers, file servers, databases, etc.) should be hardened by removing unnecessary software and processes from the systems. For example, the default installation of several operating systems will turn on all sorts of programs and services. If a program or service isn’t needed by the business, the prudent thing to do is to remove it. This will tighten the security posture of the company by providing fewer avenues for attackers to try and exploit.

7) Use personal firewalls, particularly on laptops used by mobile users. Laptop PC’s that are sometimes used in the office and at other times used while connected to foreign networks have proven to present security problems. These laptops may be used on dial-up networks, wireless LAN’s, or home broadband networks. When the Blaster worm attack was launched, many businesses that had implemented firewalls on their Internet connection believed they were secure, and they were, in terms of access via their Internet connection.

Many of these same businesses were infected by the worm when a laptop user picked up the worm while connected to a foreign network, and then subsequently connected to the corporate LAN. Upon connection to the company LAN (behind the firewall), the worm quickly sprayed itself to the entire company.

Personal firewalls implemented on (at a minimum) company laptops will address this security hole. For laptops that contain highly sensitive data, using strong authentication and even encryption will reduce the possibility that company data is exposed, even if the laptop is lost or stolen. Several third party firewall products exist to address this need. For users of Microsoft’s XP OS, the new Service Pack 2 release includes a built-in firewall module.

8) Use strong authentication. Left to their own devices, most users will pick short and frequently predictable passwords. There are many attack tools
that try to guess user ID/password combinations, based upon a brute force approach (trying every possible combination) or that use a dictionary approach (trying common words from an electronic dictionary).

Many operating systems provide the ability to force minimum password standards, including length (longer is better), avoidance of dictionary terms, and use of special characters (using punctuation characters, for instance, makes passwords less susceptible to dictionary attacks). Anything that can be done to avoid using standard dictionary words will help to improve security with regard to authenticating users. In addition, many solutions exist that can enhance authentication through the use of security tokens. These products use cryptographic techniques to produce “one time” passwords. This is referred to as “two factor” authentication, wherein users are only permitted access after verifying “something you know” (the valid user login and PIN), and “something you have or possess” (the security token that produces the one-time password). A third approach for the truly paranoid can include “something you are”, or a unique biometric characteristic such as a fingerprint.

9) Develop a computer incident response plan. Even small companies need to think through how to respond in the event of a security incident. The computer incident response plan should identify the resources that will be involved in analyzing the incident, and the plan for analyzing and recovering from the incident. For small businesses, the resources that are called in may be external resources, for example consultants or integrators.

Here is a real world example: one evening your ISP calls and tells you that an IP address that is registered to your company is sending out massive amounts of SPAM, and that they will be removing your Internet access until the problem is solved. If your business depends on the Internet in any way, you will need a plan to analyze what is happening, identify the resources that have been compromised, pull them offline, clean and rebuild the systems, and resolve the problem ASAP.

10) Get started! Businesses of all sizes frequently only get serious about security after experiencing an attack or incident of some sort. While a harmful virus or worm can be highly motivating in terms of making an SMB focus on information and network security, it is inarguably better to expend resources and energy before an attack happens, and to periodically review and strengthen the security measures in place. If you lack the internal resources to adequately secure your network, consider using a highly qualified provider of IT security solutions to provide expert assistance.

Conclusion

The downside of trying to condense the topic of securing a network to a “top ten actions” list is that the result will inevitably leave out some very important actions. Businesses should, in addition to the ten actions listed above, also have a business continuity plan that looks at business-impacting disasters and plans for and tests responses.
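Action 6 above (know what is running on each system, remove what the business does not need, and stay current on patches) can be turned into a repeatable check. What follows is an added example written for this guide, not code from the paper or from any of the tools it names. The host names, port lists, product names, version floors and the `audit` function are all constructed assumptions; in practice the inventory would come from a scanner such as the ones listed above.

```python
"""Added example (not from the paper): a "know your network" audit.

Compares an inventory of hosts (listening ports and installed software with
versions) against what the business has approved and against minimum patched
versions. Every host, port list, product name and version here is constructed.
"""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    listening: set   # ports the host answers on, e.g. from a port scan
    software: dict   # installed product -> version string


# Approved listening ports per server role (constructed); anything else is a
# hardening finding. Workstations should not be listening at all.
APPROVED_PORTS = {
    "mail": {25, 143, 993},
    "web": {80, 443},
    "file": {445},
    "workstation": set(),
}

# Minimum versions that carry the current patches (constructed numbers).
MIN_VERSIONS = {
    "dbengine": "2.3.4",
    "mailer": "6.5.7",
    "browser": "7.0.3",
}


def parse_version(version: str) -> tuple:
    """'2.3.4' -> (2, 3, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(product: str, version: str) -> bool:
    """True when the installed version is below the patched floor for that product."""
    floor = MIN_VERSIONS.get(product)
    return floor is not None and parse_version(version) < parse_version(floor)


def audit(hosts: list, roles: dict) -> dict:
    """Return {hostname: [findings]} for hosts with unexpected listeners or
    unpatched software; hosts with nothing to report are omitted."""
    findings = {}
    for host in hosts:
        issues = []
        allowed = APPROVED_PORTS[roles.get(host.name, "workstation")]
        for port in sorted(host.listening - allowed):
            issues.append(f"unexpected listener on port {port}")
        for product, version in sorted(host.software.items()):
            if is_outdated(product, version):
                issues.append(f"{product} {version} is below patched floor {MIN_VERSIONS[product]}")
        if issues:
            findings[host.name] = issues
    return findings


# Constructed inventory. "erp01" mirrors the SQL Slammer lesson in the text:
# nobody thinks of it as a database server, but its line-of-business
# application bundles a database engine that listens on the network.
INVENTORY = [
    Host("mail01", {25, 143, 993}, {"mailer": "6.5.7"}),
    Host("web01", {80, 443, 21}, {}),                 # FTP left on by the default install
    Host("erp01", {445, 1434}, {"dbengine": "2.1.0"}),
    Host("ws-sales-03", set(), {"browser": "7.0.3"}),
]
ROLES = {"mail01": "mail", "web01": "web", "erp01": "file"}

if __name__ == "__main__":
    for name, issues in audit(INVENTORY, ROLES).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

The point of `parse_version` is that version strings must be compared numerically: as plain strings, "7.0.10" sorts below "7.0.3" and a patched host would be reported as outdated.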
SMB’s should back up critical data frequently, and test that the backup/restore process actually works. SMB’s should also evaluate their physical security, looking at how access to physical IT equipment is controlled and secured. They may also want to consider having an outside organization actually test their security; this is called a penetration test, and can help to identify security problems and weaknesses.

Security is worth investing in. The downside of doing nothing may well be that the business ceases to exist when a malicious attack destroys customer records or valuable proprietary data. However, addressing the problem needn’t necessarily mean hiring direct, expensive staff. There are many great security solution providers and managed security service providers who can assist an SMB to implement the appropriate solutions. When considering using a third party to assist with solving security problems, it is important to make sure that the organization has qualified personnel and proven expertise. One way to ensure that this is the case is to look for solution providers who have recognized expertise in information security, with respected certifications such as the SANS/GIAC certification series (GSEC, GCFW, GCIH, et al.) and the ISC2 CISSP certification.

About Compliance Research Group

Jim Hietala, SANS GSEC, GCFW and CISSP, is the principal of Compliance Research Group, providing research and consulting services in the areas of compliance, risk management, and IT security. Compliance Research Group has been proud to work with organizations such as SANS and The Open Group Security Forum, and to have provided consulting and research services to leading security, risk, and compliance vendors.

Copyright Compliance Research Group 2008, all rights reserved.