Small Businesses Deserve Security Too

Post on 14-Nov-2014

Description

If you look at a basic network diagram of a small business, the attack surface is that of a large business. Why don't we target small businesses when it comes to security? They still have to meet compliance regulations the same as large businesses. Actually, when it comes to security, small businesses have several advantages over large businesses. Let's exploit those advantages and make small businesses secure. After all, SMBs are the heart of our community. Frank J. Hackett is a Senior Systems Engineer for an MSP in the Washington DC Metropolitan area. Hackett also dabbles in security as a consultant. His love for IT is due to his father, who used to beat him at Monopoly played on DOS 6.1; Hackett soon learned how to set a password to keep his Dad from using the computer. For the last two years, he has worked under Joe McCray of Strategic Security as a Senior R00kie, has been on many high-security pentests and has developed course work.

Transcript

Small Businesses Deserve Security Too
Frank J. Hackett

Shout Outs

• High Hack Society
  • Awesome group of people, too many to name
• j0e McCray @j0emccray
  • Took me on my first pentest and changed my life
• Marcus J. Carey @marcusjcarey
  • Told me to read Presentation Zen
  • Wow was he right
• Georgia Weidman @georgiaweidman
  • Bulb Security – mobile goddess
• Bill Gardner aka Da Professor @oncee
  • Awesome

Me

• Security Consultant
• Senior Systems Engineer
• Senior r00kie under j0e McCray
• I have papers (certs)
• SATF member
  • http://www.satframework.org/

Me

I work for and with Small Business

“Most of the business owners surveyed believe they are not at risk, when in fact smaller businesses are increasingly being targeted…”
• The Hartford
  • http://newsroom.thehartford.com/News-Releases/Small-Business-Owners-Despite-Being-Increasingly-Targeted-Believe-Data-Breach-Unlikely-50c.aspx

Small Business Security

“No one wants my data.”
“We don’t have anything worth stealing.”
“We don’t have time to worry about security.”


Small Business Security

“Max’s main targets were ultimately small hospitality businesses— not international conglomerates or secret world governments.”


Small Business Security

“Adam Levin, co-founder and chairman of Identity Theft 911, says that for most companies it's not a matter of if they will have a breach but when.”

http://www.foxnews.com/politics/2013/02/22/small-businesses-big-targets-for-cyber-snoops/

Small Business Security – Mature Security Program

• Metrics
• Security Appliances
• Anti-Virus/HIDs
• Log Management
• Patch Management
• User Awareness Training
• Policies and Procedures

Small Business Security

• Policies & Procedures – This has to be there!
• User Awareness Training – Anything is better than nothing!
• Patch Management – YES! OS as well as Third Party
• Log Management – Very hard for Small Business
• AV/HIDS – YES! AV is a must. It’s free these days
• Security Appliances – Bare minimum have a real firewall
• Metrics – Not gonna happen

Small Business Security – What is a Small Business?

• What constitutes a small business varies widely around the world. Small businesses are normally privately owned corporations, partnerships, or sole proprietorships. What constitutes "small" in terms of government support and tax policy varies by country and by industry, ranging from fewer than 15 employees under the Australian Fair Work Act 2009, 50 employees in the European Union, and fewer than 500 employees to qualify for many U.S. Small Business Administration programs, although in 2006 there were over 18,000 "small businesses" with over 500 employees that accounted for half of all the employees employed by all "small business". [1] [2] Small businesses can also be classified according to other methods such as sales, assets, or net profits.
  • http://en.wikipedia.org/wiki/Small_business

Small Business Security – What I consider Small Business

• 10-50 employees
• Employees wear many hats
• Typically revenue is less than 1 – 5+ million a year
• No full time IT staff
• No full time security staff

Small Business Security – Examples of Small Businesses

• Medical Offices
• Law Offices
• Financial Offices
• Boutique Shops
• Etc.

Small Business Security – Network Layout

Small Business Security – Policies & Procedures – templates

• SANS
  • http://www.sans.org/security-resources/policies/
• California Government
  • http://www.cio.ca.gov/OIS/Government/library/samples.asp
• Google
  • http://bit.ly/15dQXjw

Small Business Security – Policies & Procedures – what to have

• Acceptable Usage Policy (AUP)
• Computer Security Policy
• Compliance Document (HIPAA, ISO, etc.)
• Data Classification
  • This is HUGE and rarely happens

Small Business Security – Data Classification

WRONG WAY
• Owner has access to everything
• No one has access to the owner’s documents

RIGHT WAY
• Public Information (level 1)
• Corporate Information (level 2)
• Sensitive Information (level 3)
• Private (level 4)

Small Business Security – User Awareness Training – Resources

• Infragard
  • https://www.infragardawareness.com/
  • Free training for businesses with fewer than 25 employees
• Security Awareness Training Framework
  • http://www.satframework.org/
• Google
  • http://bit.ly/15dUDlf

Small Business Security – User Awareness Training – Topics

• Phishing attacks
• Spear Phishing
• Social Engineering
• Passwords
  • Management/reuse/weak

Small Business Security – Patch Management – OS

• Windows Automatic Updates
  • Will not work if not configured
• WSUS
  • Will not work if not managed
• Third Party
  • MSP software RMM (Labtech)
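As an added check for the first two points, not taken from the talk: this script reads the Automatic Updates state through the Microsoft.Update.AutoUpdate COM object and the WSUS policy registry keys, and reports a workstation whose updates are unconfigured, disabled, waiting on a user, pointed at a WSUS server, or stale. It assumes Windows with PowerShell, local admin rights, and a 30-day staleness threshold chosen for this example.

```powershell
# Added example, not from the talk: is Windows Automatic Updates actually configured
# on this machine, and if WSUS policy applies, has the client checked in recently?
# Run as admin on the workstation being audited.
# The 30-day staleness threshold is an assumption for this example, not a documented value.
$StaleAfterDays = 30

# Group Policy keys written by WSUS / AU policy; they exist only when policy applies.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = Join-Path $WuPolicy 'AU'

$au = New-Object -ComObject Microsoft.Update.AutoUpdate
$level = $au.Settings.NotificationLevel    # 0 NotConfigured, 1 Disabled, 2-4 enabled modes
$lastSearch  = $au.Results.LastSearchSuccessDate
$lastInstall = $au.Results.LastInstallationSuccessDate

$findings = @()
switch ($level) {
    0 { $findings += 'Automatic Updates is NOT configured (the "not configured" case from the slide)' }
    1 { $findings += 'Automatic Updates is DISABLED' }
    2 { $findings += 'Updates are only announced; nothing downloads until a user acts' }
    3 { $findings += 'Updates download but wait for a user to install them' }
}

# WSUS: with UseWUServer=1 the client only trusts the WUServer for updates, so an
# unmanaged or decommissioned server means patches quietly stop arriving.
$wsus = Get-ItemProperty -Path $WuPolicy -Name WUServer -ErrorAction SilentlyContinue
$useWsus = (Get-ItemProperty -Path $AuPolicy -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
if ($useWsus -eq 1) {
    if (-not $wsus) { $findings += 'UseWUServer=1 but no WUServer set: client has no reachable update source' }
    else { $findings += "Client is managed by WSUS at $($wsus.WUServer); verify it is still approving updates" }
}

$cutoff = (Get-Date).AddDays(-$StaleAfterDays)
if (-not $lastSearch -or $lastSearch -lt $cutoff) {
    $findings += "Last successful update scan: $lastSearch (older than $StaleAfterDays days)"
}
if (-not $lastInstall -or $lastInstall -lt $cutoff) {
    $findings += "Last successful install: $lastInstall (older than $StaleAfterDays days)"
}

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: Automatic Updates configured (level $level) and current."
} else {
    Write-Output "$env:COMPUTERNAME: patching needs attention"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A level of 4 (scheduled installation) with recent scan and install dates produces no findings; anything else is the "not configured" or "not managed" situation the slide is warning about.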

Small Business Security – Patch Management – Third Party

• MSP Software RMM (Labtech)
• Ninite
  • http://ninite.com/
  • Jury-rigged or buy Pro ($20 a month for 100 machines)
• Trust your users to update regularly
  • Never going to happen

Small Business Security – Patch Management – Third Party

Small Business Security – Log Management

• This is HARD regardless of the business size
• OSSIM
  • http://communities.alienvault.com/
• OSSEC
  • http://www.ossec.net/
• RMM solution

Small Business Security – Log Management

• Realistically this will not happen at first
• Something is better than nothing
  • Firewall logs via SMTP

Small Business Security – Antivirus & HIDS

• Invest in a managed antivirus solution
  • Symantec Endpoint
  • Trend
  • McAfee
• Microsoft Security Essentials (free but unmanaged)
  • Install Malwarebytes too!

Small Business Security – Hardware

• You must have a real firewall!
  • Dlink/Netgear/Linksys is not allowed
• Security Appliances do a lot
  • Router
  • Firewall
  • GAV
  • IDS/IPS

Small Business Security – Hardware

• Security Appliance Suggestions
  • Sonicwall
  • Watchguard
  • Meraki
• Cost effective and easy to manage

Small Business Security – Metrics

• RMM reports from MSP
• WSUS Reports
• ??????

Small Business Security – Steps To Take

• Audit
• Identify Problems
• Find Low Hanging Fruit
• Roadmap for Changes
• Realistic Timeline!
• Create Policies and Procedures
• Implement Action Plan
• Stay Current

Small Business Security – Keep the Bad Guys Out

• Protect the Data
• Protect the Business
• Eliminate Low Hanging Fruit

Small Business Security – Advantages of a Small Business

• Offsite webserver
• Typically patches do not need to be tested
• Small environment
• Small number of employees

Small Business Security – Advice to Small Business

• Talk to your vendors
  • Ask about security!
• Find a QUALIFIED MSP
  • Ask about their security!
• Begin to make security a requirement, not an afterthought

“Small Business is the Heart of the American Economy.” – President Obama

Small Business Security – Hit me up

• @fjhackett

• http://www.slideshare.net/fjhackett

• hackett@hackettweb.com