Small Business Security Advantages

Archive for the ‘Security’ Category

Small Business Security Advantages

Posted by

I have had some great conversations since Raf Los (@Wh1t3Rabbit) posted his podcast Monday. Much of the talk has been around some advantages that we do have.

Down the Rabbithole – Episode 4 – Effective Small Business Security
http://podcast.wh1t3rabbit.net/down-the-rabbithole-episode-4-effective-small-business-security

First, information security is a scaling problem.

I have a staffing rule of thumb. I have posted it before, but I’ll repeat it. Take the employees, networked devices, and IT support staff. Security is 1 FTE per 1K employees, 1 FTE per 5K devices, or 1 FTE per 20 IT employees. Most security folks that I have talked with fall within this range, whether they work with multi-nationals or mom-and-pop shops.

This applies to my case. I am dedicated 25% to security. I have 250 end users and around a thousand end-points, servers, switches, routers, and firewalls. Luckily we have more than 5 IT folks, but you get the idea.

The scopes of security challenges remain consistent regardless of the scale. But we on the small medium business side do have a few unique opportunities.

Information security pros at the SMB level have advantages.

Reach. There are fewer layers between us and executive management. The board level directives can flow right into our security planning. There are fewer layers between us and line employees. The security controls can flow right into their daily activities. Communications are simpler in smaller organizations.

Flexibility. If you are an army of one, not much time is needed for generalship. Reaction and response can be quicker. Process and procedure can be reduced, in favor of action and implementation.

Cooperation. Baking security in means getting buy in from the IT operations team, the software development team, the IT engineering folks, the project managers, the business analysts, and IT management. With separate teams, this can mean significant work just to navigate the politics. More time can be spent on implementing and less on negotiating when all the folks are in one team.

End-to-end. One dedicated InfoSec pro in a company with less than 5K devices can hold the entire network in his mind. Two dedicated FTEs and 10K devices, and you’ll end up naturally dividing the work between each other. Reach 100K devices secured by 20 InfoSec guys, and one person knowing every nut-and-bolt becomes impossible.

A small network can be a very secure network.

Security flaws come from the people creating the security controls in a vacuum with no relation to the organization’s mission. Security flaws come from people working on the front lines, with no ideas of the control environment. Flaws come from projects without security tasks, from systems that go-live without security review, and from bolted-on security features. Flaws and weaknesses crop up in the gaps of responsibility between teams, and between people.

A security pro in a small medium business is in a position to make a significant contribution to their organization.

Effective Small Business Security Podcast

Posted by

“Do you think a team of one person has already lost the battle? Straight out of the gate? Does he stand a chance? Does the individual even have a chance?” — Michael Allen (@_Dark_Knight_)

Have we lost the battle? On the one hand, we say that it is not if a breach will occur, but when. On the other hand, we say that we are all one breach away from unemployment. What does this tell us about the InfoSec field?

We need a seat at the table.

Most of us got into security back when, if you knew how to set the pins on the modem and knew how to type up firewall rules in a text editor, our users thought we were rockstars. They depended upon us. And we, in turn, depended upon their dependence in order to keep things running securely.

That is no longer the case. People today are more tech savvy and more willing to Google it for themselves. A slew of new companies, with buzz words from cloud to IT consumerization, enable the users doing just that. People do not depend on us any more.

Perhaps we became too dependent on their dependence. We no longer get a seat at the table. We no longer have a free pass. We no longer get included in discussions on new technology. And then we become concerned about all the technology being deployed in our organizations without proper security review and controls.

We must earn a seat at the table.

The #SecBiz thread on Twitter represents a search for earning that seat. #SecBiz shifts our focus away from securing technology and towards securing businesses. Less modems and firewalls, more business initiatives and processes.

Raf Los (@Wh1t3Rabbit) has been on the vanguard of this change. From his blog, from his presentations at B-Sides Detroit and everywhere else, and from his podcast, Raf has been driving home the point. This week, Michael Allen and I were guests on his “Down the Rabbithole” podcast. The topic being information security in the SMB space. We had a fantastic conversation about what security means today.

Are you wondering how to get a seat at the table? Feeling like you have already lost the battle? Spend some time following the Wh1t3Rabbit.

Down the Rabbithole – Episode 4 – Effective Small Business Security
http://podcast.wh1t3rabbit.net/down-the-rabbithole-episode-4-effective-small-business-security

Malware Removal Guide for Windows

Posted by

I was at a family event this past weekend. As so often happens at these events, the conversation goes something like:

Them: “Oh, you are in computer security? I got this virus. What should I do?”

Me: “Uhh … Well, that’s not really what I handle.”

Malware infections in the corporate world are easy. First, we keep up on the patches. That prevents a lot of infections. Second, we have anti-virus software with updated signatures. This catches what gets thru. Finally, if computers do get infected, we have a silver bullet. A simple reimaging gets everything back in shape.

People at home are not so fortunate. Reimaging is not a fix for them because that often means losing valuable data and applications.

Until recently, my only advice was to reload. Then Brian @ Select Real Security put up an in-depth guide on removing malware. Now I have a better answer. “I got this virus. What should I do?” Check out this guide.

Malware Removal Guide for Windows
http://www.selectrealsecurity.com/malware-removal-guide

“This guide will help you clean your computer of malware. If you think your computer is infected with a virus or some other malicious software, you may want to use this guide. It contains instructions that, if done correctly and in order, will remove most malware infections on a Windows operating system. It highlights the tools and resources that are necessary to clean your system.”

Learning the wrong lesson from DigiNotar

Posted by

DigiNotar declared bankruptcy this week, following a high profile attack that lead to malicious certifications being issued. Some five hundred certifications were issued, for everything from Google, to Twitter, to Microsoft, to the entire *.com and *.org namespace. Major browsers quickly removed DigiNotar’s root from the chain, thus protecting folks from these rouge certifications. And then DigiNotar was no more.

People are already saying this proves that IT security breaches put companies out of business.

I believe that is the wrong lesson.

Let’s take four companies with high profile breaches: DigiNotar, Distribute.IT, Sony, and TJXX. DigiNotar went bankrupt. Distribute.IT? Shuttered. Sony is back to business (handling it with an update to their SLA.) TJX is unaffected.

So why did TJX survive? At first, this does not make much sense. But consider the attack as it relates to impact to the organization’s mission.

TJX is in retail and has reasonably deep pockets. The attack did not so much as ruffle its ability to sell product. Save for a dip during the fall out from the attack, TJX did not suffer economic harm.

Sony is in the business of providing access to its services. Though the attack was not necessarily about availability, the attack severely affected Sony’s ability to reach the customer. They have deep pockets, however, and are making their way back. The reasoning behind the service level agreement and terms and conditions agreements is to minimize the cost exposure of future breaches.

Distribute.IT was in the hosting business. Their job was to keep other companies sites online, available, and protected. The attack was an availability attack that was made worse due to mismanagement of data backups. Distribute.IT, without the cash reserves and without any means to get back to business, was dead in the water.

The attack on DigiNotar struck right at the heart of their business. The mission of a certificate authority is to safeguard certificates and ensure issuance only to legitimate entities. We are talking about reliability and authenticity attacks against a company that markets a reliable and authentic security service. Further, due to DigiNotar’s limited reach (fewer than 2% of SSL hosts), there was little risk for the browser makers to remove DigiNotar’s root.

The lesson here is security controls must be framed within the context of the organization’s mission. Breaches can be weathered if the impact is low or in an area outside the core mission. Security breaches only put companies out of business when controls are not appropriately geared to the organization and when the financial impact is serious.

Cloud Security Alliance in SE Michigan

Posted by

We kicked off a new Cloud Security Alliance (CSA) chapter in Detroit this morning. The new chapter will be serving South Eastern Michigan. While some groups are geared to socializing and networking, CSA SE MI looks to distinguish ourselves by actively working on projects. With my private cloud operational and my eye on public cloud offerings, I am excited to contribute to body of knowledge.

Watch this space for more to come on securing public and private clouds.

Find your personal credit cards, SSN, and passwords in a stack of documents

Posted by

Most of us have stacks and stacks of digital documents. I just checked and my Documents folder is 14 GB. That’s thousands of spreadsheets, text files, Word documents, and web pages. There is a chance, a risk, that sometime I put personal information somewhere in that stack.

Want to scour your hard drive for this personal information? Find credit card numbers, social security numbers, passwords, and the like? There’s a free tool available for this.

Identity Finder free edition for consumers:
http://www.identityfinder.com/us/Home/IdentityFinder/Free

Start protecting your identity on your computer for free and see the power of Identity Finder. Simply download, install, and run Identity Finder on your computer to find credit cards numbers and passwords that are vulnerable to identity theft and fraud. You can search files that commonly contain private personal information such as Word, Excel, PowerPoint, Adobe PDF, text, and html. Once found, use powerful tools to permanently delete files, remove passwords from Firefox and Internet Explorer for Windows, and secure sensitive information. Use additional built-in security tools like the Identity Finder File Vault and Shredder to make sure your identity is safe on your computer.

Browsing in public with PuTTY 0.61, Firefox 5.0, and Amazon EC2

Posted by

PuTTY 0.61 released today with a handful of performance enhancements for OpenSSH. This makes the following trick even more attractive, as can it effectively double the performance in some cases.

What trick? Create an encrypted tunnel for browsing the Internet in public. Otherwise people who are sharing that cafe Wi-Fi can see your traffic. Depending on where you are going, these people can even see your usernames and passwords. You start out drinking a latte and end up with some random posts on your Twitter feed and your email box sending out spam. Not good. Not good at all.

To prevent this, setup a remote computer that you can connect to when you are on the go. Then when you find yourself relying on free Wi-Fi — like at a hotel, at a airport, or where ever — you can connect back to this safe computer. All your traffic in public is secured between your notebook and that remote computer. Just for fun, I like to use the cloud (e.g., Amazon EC2) for my remote end.

At a high-level, the procedure is:

  1. Sign up for Amazon Web Services and provision a free server instance
  2. Download and configure PuTTY 0.61 to proxy SOCKS over SSH
  3. Download and configure Mozilla Firefox 5.0 to use the SOCKS proxy for Web traffic (HTTP, HTTPS, DNS, and IRC chat)

 

Unified threat management – multi-function firewalls

Posted by

You bought an all-in-one printer. It seemed like a good deal, right? All that multi-function goodness for only a few dollars more than the ink for your current laser printer. Bet it didn’t take long for the good feeling to sour. Jammed paper, smeared faxes, and the like.

Printers gave multi-function a bad name. But firewalls may bring multi-function back in vogue. Specifically, I am looking at the Fortinet Fortigate products. Fortinet has cornered the market on unified threat management (e.g., multi-function firewalls). These devices ship with built-in firewalls, routers, vpns, intrusion detection, WiFi, and more.

 

Consider:

Use case 1: novice who needs to get up and running quick. The unified threat management gateway answers that need. The device is preconfigured and integrated. There are options to set, of course, but the time to get the system online is hours rather than weeks.

Use case 2: the dyed-in-the-wool security people. These folks have the time and budget and knowledge to continue to build dedicated security appliances. Such people have an edge over defending their networks for all these threats. You do the cost benefit and if you’re in a mixed role like mine, doing security operations and network operations, I wonder if it’s worth it.

Use case 3: the pragmatic security people. Compared to dedicated point solutions, the unified threat management gateway provides a majority of the security feature-set at a fraction of the cost. Pragmatic security folks can then redeploy their resources to addressing more pressing security concerns.

 

Needless to say, I am sold on Fortinet’s approach. Consider that every 18 months, silicon is pushing more bytes. We can either get better performance from a piece of hardware, or more functionality from the same hardware. Fortigate means simply doing more with less.

Hello SSAE16

Posted by

As mentioned in my last post on the subject, SAS70 has officially retired. SSAE16 (Statements on Standards for Attestation Engagement No. 16) has taken its place and improves upon SAS70 in several ways.

The improvements come from a shift of focus. SAS70 was about ensuring your control framework was sufficient and functional. SSAE16 is about ensuring your systems — including deployment and controls — are sufficient and functional. SAS70 was focused on the control structure around specific threats. SSAE16 incorporates risk management and ties together risks, threats, and controls. Going into this, SSAE16 looks set to provide a more complete result.

Another improvement is in the shift from audit to attestation. SOX (Sarbanes-Oxley Act of 2002) requires executive management to attest in writing to the accuracy of the financial statements. comparison, SAS70 does not require attestation. SSAE16 supports SOX by requiring a written attestation of the audit’s accuracy from executive management.

SSAE16 should provide a holistic audit with greater executive management participation. This is the first year I have done one, and my audit period begins in a couple months.

Wish me luck!

Goodbye SAS70

Posted by

SAS70 officially retires today, June 15, 2011. Taking its place is SSAE16.

SAS70 (Statement on Auditing Standards No. 70) is an audit framework that external parties follow to check the state of your controls. The audit is performed by financial services firms, and takes a top down approach. The objective is to ensure that financial results are recorded and reported accurately.

SAS70 has few common complaints: it lacks an objective technical spec, is carried out by CPAs at accounting firms, and misses technical details that leave businesses open to attack.

The SAS70 process emphasizes a truism that IT security folks sometimes lose sight of: the goal is securing the business’s ability to perform in the market. Though related, this is separate from the goal of securing all IT systems.

The SAS70 audit is top down and focused primarily on what drives the financial reporting. It is about prioritization. What is the top priority to a business? Financial success backed by accurate financial reporting.

A vulnerability assessment is bottom up. Your complete security audit would primarily focus on the IT domain, emphasizing technical controls and technical implementation. An audit here would tell you about your firewall ruleset and patching state, for example. What is the top priority for an IT security team? To not get breached.

These two priorities are not the same. Financial success does not prevent security breaches. Likewise, security breaches do not preclude financial success. Therefore, it makes sense to have separate auditor teams looking at the two separately.

As to the complaints of SAS70 audits, let’s step thru them with this background. First, there is no objective standard written into the SAS70 language. The result is that the applied standard is fluid and keeps up with the current standard of practice. Given SAS70 has been around for nineteen years, I think this speaks to the benefit of having an open-ended standard. Second, CPA firms rather than technology firms perform the audit. The benefit is that the resulting audit is driven from a financial perspective and scoped accordingly. The folks that I have worked with are very knowledgeable and are computer savvy, and often carry a CISSA or CISSP along with their CPA

So I found that SAS70 was a valuable tool for a top-down control assessment. As with all these standards, pairing the SAS70 with bottom-up technical assessments is necessary to truly secure an environment. The SAS70 had a positive impact on the industry, and I believe the SSAE16 is set to do the same.