Archive for October, 2011

Small Business Security Advantages

I have had some great conversations since Raf Los (@Wh1t3Rabbit) posted his podcast Monday. Much of the talk has been around some advantages that we do have.

Down the Rabbithole – Episode 4 – Effective Small Business Security
http://podcast.wh1t3rabbit.net/down-the-rabbithole-episode-4-effective-small-business-security

First, information security is a scaling problem.

I have a staffing rule of thumb. I have posted it before, but I’ll repeat it. Take the employees, networked devices, and IT support staff. Security is 1 FTE per 1K employees, 1 FTE per 5K devices, or 1 FTE per 20 IT employees. Most security folks that I have talked with fall within this range, whether they work with multi-nationals or mom-and-pop shops.

This applies to my case. I am dedicated 25% to security. I have 250 end users and around a thousand end-points, servers, switches, routers, and firewalls. Luckily we have more than 5 IT folks, but you get the idea.

The scope of security challenges remains consistent regardless of the scale. But we on the small-to-medium business side do have a few unique opportunities.

Information security pros at the SMB level have advantages.

Reach. There are fewer layers between us and executive management. The board level directives can flow right into our security planning. There are fewer layers between us and line employees. The security controls can flow right into their daily activities. Communications are simpler in smaller organizations.

Flexibility. If you are an army of one, not much time is needed for generalship. Reaction and response can be quicker. Process and procedure can be reduced, in favor of action and implementation.

Cooperation. Baking security in means getting buy in from the IT operations team, the software development team, the IT engineering folks, the project managers, the business analysts, and IT management. With separate teams, this can mean significant work just to navigate the politics. More time can be spent on implementing and less on negotiating when all the folks are in one team.

End-to-end. One dedicated InfoSec pro in a company with fewer than 5K devices can hold the entire network in his mind. Two dedicated FTEs and 10K devices, and you’ll end up naturally dividing the work between each other. Reach 100K devices secured by 20 InfoSec guys, and one person knowing every nut-and-bolt becomes impossible.

A small network can be a very secure network.

Security flaws come from the people creating the security controls in a vacuum with no relation to the organization’s mission. Security flaws come from people working on the front lines, with no ideas of the control environment. Flaws come from projects without security tasks, from systems that go-live without security review, and from bolted-on security features. Flaws and weaknesses crop up in the gaps of responsibility between teams, and between people.

A security pro in a small-to-medium business is in a position to make a significant contribution to their organization.

Effective Small Business Security Podcast

“Do you think a team of one person has already lost the battle? Straight out of the gate? Does he stand a chance? Does the individual even have a chance?” — Michael Allen (@_Dark_Knight_)

Have we lost the battle? On the one hand, we say that it is not if a breach will occur, but when. On the other hand, we say that we are all one breach away from unemployment. What does this tell us about the InfoSec field?

We need a seat at the table.

Most of us got into security back when, if you knew how to set the pins on the modem and knew how to type up firewall rules in a text editor, our users thought we were rockstars. They depended upon us. And we, in turn, depended upon their dependence in order to keep things running securely.

That is no longer the case. People today are more tech savvy and more willing to Google it for themselves. A slew of new companies, with buzz words from cloud to IT consumerization, enable users to do just that. People do not depend on us any more.

Perhaps we became too dependent on their dependence. We no longer get a seat at the table. We no longer have a free pass. We no longer get included in discussions on new technology. And then we become concerned about all the technology being deployed in our organizations without proper security review and controls.

We must earn a seat at the table.

The #SecBiz thread on Twitter represents a search for earning that seat. #SecBiz shifts our focus away from securing technology and towards securing businesses. Fewer modems and firewalls, more business initiatives and processes.

Raf Los (@Wh1t3Rabbit) has been on the vanguard of this change. From his blog, from his presentations at B-Sides Detroit and everywhere else, and from his podcast, Raf has been driving home the point. This week, Michael Allen and I were guests on his “Down the Rabbithole” podcast. The topic was information security in the SMB space. We had a fantastic conversation about what security means today.

Are you wondering how to get a seat at the table? Feeling like you have already lost the battle? Spend some time following the Wh1t3Rabbit.

Down the Rabbithole – Episode 4 – Effective Small Business Security
http://podcast.wh1t3rabbit.net/down-the-rabbithole-episode-4-effective-small-business-security

Remediating IT vulnerabilities

You might say that InfoSec risk management is effectively asset management, threat management, and vulnerability management. What do we have? Who would want to attack it? And what attack vector would they use? The prioritization of fixing or mitigating the vulnerabilities is based on business impact. That is, a measure of how such an attack would affect an employee’s productivity and an organization’s mission. The following article gives a good overview of the vulnerability side of the process.

Remediating IT vulnerabilities: Quick hits for risk prioritization
http://searchsecurity.techtarget.com/tip/Remediating-IT-vulnerabilities-Quick-hits-for-risk-prioritization

Use multiple information sources. As J. Wolfgang Goerlich, network operations and security manager for a mid-sized money management firm told me, he looks for reports that provide “solid information regarding what the threats are and at what frequency they’re occurring.”

To keep the fix process focused and effective, know your environment and business impact, create meaningful metrics that take into account public and private ratings, and stay on plan with preset time-to-fix periods.

This article is also on my Press Mentions page.
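To make the prioritization idea concrete, here is an added example (my illustration, not code from the TechTarget article or from the firm it quotes). It combines a public rating (a CVSS-style base score, 0 to 10) with two private ratings the organization owns, asset criticality (business impact, 1 to 5) and network exposure, then assigns each finding a preset time-to-fix period and flags what is overdue. The weights, tier cut-offs, time-to-fix days, asset names and VULN-000x identifiers are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy (assumption): days allowed to fix, per priority tier.
TIME_TO_FIX_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed weights (assumption): how much network exposure scales the score.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.7, "isolated": 0.4}


@dataclass
class Finding:
    asset: str
    vuln_id: str         # placeholder ids below, not real advisory numbers
    public_score: float  # public rating, e.g. a CVSS-style base score (0-10)
    exposure: str        # one of EXPOSURE_WEIGHT's keys
    found_on: date


def risk_score(finding: Finding, criticality: int) -> float:
    """Combine the public rating with the private ratings the organization owns:
    asset criticality (1-5, business impact) and network exposure."""
    if not 1 <= criticality <= 5:
        raise ValueError("criticality must be 1-5")
    weight = EXPOSURE_WEIGHT[finding.exposure]
    return round(finding.public_score * criticality * weight, 1)  # max 50.0


def tier(score: float) -> str:
    """Map a 0-50 score onto the tiers the time-to-fix policy is keyed by."""
    if score >= 30:
        return "critical"
    if score >= 15:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def prioritize(findings, criticality_by_asset, today: date):
    """Return findings as dicts ordered highest risk first, each with its tier,
    its due date from the preset time-to-fix period, and whether it is overdue."""
    rows = []
    for f in findings:
        crit = criticality_by_asset.get(f.asset, 3)  # unknown asset: assume middle
        score = risk_score(f, crit)
        t = tier(score)
        due = f.found_on + timedelta(days=TIME_TO_FIX_DAYS[t])
        rows.append({"vuln_id": f.vuln_id, "asset": f.asset, "score": score,
                     "tier": t, "due": due, "overdue": today > due})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample data: private asset ratings and scanner-style findings.
CRITICALITY = {"payroll-db": 5, "www-frontend": 4, "fileserver": 3, "test-lab-box": 1}
FINDINGS = [
    Finding("payroll-db", "VULN-0001", 9.8, "internal", date(2011, 10, 3)),
    Finding("www-frontend", "VULN-0002", 7.5, "internet", date(2011, 10, 10)),
    Finding("test-lab-box", "VULN-0003", 9.8, "isolated", date(2011, 9, 1)),
    Finding("fileserver", "VULN-0004", 5.3, "internal", date(2011, 10, 20)),
]


def sample_plan(today: date = date(2011, 10, 25)):
    """Run the constructed findings through the policy as of a fixed date."""
    return prioritize(FINDINGS, CRITICALITY, today)


if __name__ == "__main__":
    for row in sample_plan():
        flag = " OVERDUE" if row["overdue"] else ""
        print(f'{row["tier"]:8} {row["score"]:5} {row["vuln_id"]} on '
              f'{row["asset"]} due {row["due"]}{flag}')
```

The point to notice is the isolated lab box: its public score is as high as the payroll database's, but the private ratings push it to the bottom of the list, while a lower-scored but internet-facing web server lands in the critical tier. The due dates come from the policy table rather than from whoever happens to be working the queue, which is what keeps the fix process on plan.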

Malware Removal Guide for Windows

I was at a family event this past weekend. As so often happens at these events, the conversation goes something like:

Them: “Oh, you are in computer security? I got this virus. What should I do?”

Me: “Uhh … Well, that’s not really what I handle.”

Malware infections in the corporate world are easy to handle. First, we keep up on the patches. That prevents a lot of infections. Second, we have anti-virus software with updated signatures. This catches what gets through. Finally, if computers do get infected, we have a silver bullet. A simple reimaging gets everything back in shape.

People at home are not so fortunate. Reimaging is not a fix for them because that often means losing valuable data and applications.

Until recently, my only advice was to reload. Then Brian @ Select Real Security put up an in-depth guide on removing malware. Now I have a better answer. “I got this virus. What should I do?” Check out this guide.

Malware Removal Guide for Windows
http://www.selectrealsecurity.com/malware-removal-guide

“This guide will help you clean your computer of malware. If you think your computer is infected with a virus or some other malicious software, you may want to use this guide. It contains instructions that, if done correctly and in order, will remove most malware infections on a Windows operating system. It highlights the tools and resources that are necessary to clean your system.”

Comments on Cloud computing disappoints early adopters

Symantec surveyed several businesses to find out how they felt about cloud computing. The standard concerns about security were expressed. There are still no concrete statistics on the difference between the threat exposure of in-house IT versus the threat exposure of public cloud IT. The concern about expertise surprises me, however, as managing a cloud environment is only slightly different than managing an enterprise data center. I have a hunch that it may be IT managers protecting their turf by claiming their guys don’t have the expertise, but I may be off. So what’s going cloud? Backups, security, and other non-business apps. No surprise there. Give it a few more years yet.

“While three out of four organizations have adopted or are currently adopting cloud services such as backup, storage and security, when it comes to the wholesale outsourcing of applications there is more talk than action, Symantec found. Concerns about security and a lack of expertise among IT staff are the main factors holding companies back, according to the survey of 5,300 organizations …”

Cloud computing disappoints early adopters:
http://www.reuters.com/article/2011/10/04/us-computing-cloud-survey-idUSTRE7932G720111004