Small Businesses Deserve Security Too

Small Businesses Deserve Security TooFrank J. Hackett

2

Shout Outs

• High Hack Society• Awesome group of people, too many to name

• j0e McCray @j0emccray• Took my on my first pentest and changed my life

• Marcus J. Carey @marcusjcarey• Told me to read Presentation Zen

• Wow was he right

3

•Georgia Weidman @georgiaweidman• Bulb Security – mobile goddess

• Bill Gardner aka Da Professor @oncee• Awesome

Shout Outs

4

Me

• Security Consultant

• Senior Systems Engineer

• Senior r00kie under j0e McCray

• I have papers (certs)

• SATF member• http://www.satframework.org/

5

Me

I work for and with Small Business

6

“Most of the business owners surveyed believe they are not at

risk, when in fact smaller businesses are increasingly

being targeted…”• The Hartford

• http://newsroom.thehartford.com/News-Releases/Small-Business-Owners-Despite-Being-Increasingly-Targeted-Believe-Data-Breach-Unlikely-50c.aspx

7

“No one wants my data.”“We don’t have anything worth

stealing.”“We don’t have time to worry

about security.”

Small Business Security

8


“Max’s main targets were ultimately small hospitality businesses— not international conglomerates or secret world governments.”

9


“Adam Levin, co-founder and chairman of Identity Theft 911, says that for most companies it's not a matter of if they will have a breach but when.”

http://www.foxnews.com/politics/2013/02/22/small-businesses-big-targets-for-cyber-snoops/

10


Mature Security Program Metrics

Security Appliances

Anti-Virus/HIDs

Log Management

Patch Management

User Awareness Training

Policies and Procedures

11


This has to be there!

Anything is better than nothing!

Very hard for Small Business

YES! AV is a must. It’s free these days

Bare minimum have a real firewall

Policies & Procedures

YES! OS as well as Third Party


Patch Management

Log Management

AV/HIDS

Security Appliances

Metrics Not gonna happen

12


• What constitutes a small business varies widely around the world. Small businesses are normally

privately owned corporations, partnerships, or sole proprietorships. What constitutes "small" in

terms of government support and tax policy varies by country and by industry, ranging from

fewer than 15 employees under the Australian Fair Work Act 2009, 50 employees in the

European Union, and fewer than 500 employees to qualify for many U.S. Small Business

Administration programs, although in 2006 there were over 18,000 "small businesses" with over

500 employees that accounted for half of all the employees employed by all "small business ".

[1] [2] Small businesses can also be classified according to other methods such as sales, assets,

or net profits.

http://en.wikipedia.org/wiki/Small_business

What is a Small Business?

13


• 10-50 employees

• Employees wear many hats

• Typically revenue is less than 1 – 5 + million a year

• No full time IT staff

• No full time security staff

What I consider Small Business

14


• Medical Offices

• Law Offices

• Financial Offices

• Boutique Shops

• Etc

Examples of Small Businesses

15

Small Business SecurityNetwork Layout

16

Small Business SecurityPolicies & Procedures - templates

• SANS• http://www.sans.org/security-resources/policies/

• California Government• http://www.cio.ca.gov/OIS/Government/library/samples.asp

• Google• http://bit.ly/15dQXjw


17

Small Business SecurityPolicies & Procedures – what to have

• Acceptable Usage Policy (AUP)

• Computer Security Policy

• Compliance Document (HIPPA, ISO, etc)

• Data Classification• This is HUGE and rarely happens


18

WRONG WAY

• Owner has access to everything

• No one has access to the owner’s documents

• Public Information (level 1)

• Corporate Information (level 2)

• Sensitive Information (level 3)

• Private (level 4)

RIGHT WAY

Small Business SecurityData Classification

19

Small Business SecurityUser Awareness Training - Resources

• Infragard• https://www.infragardawareness.com/• Free training for businesses with less than 25 employees

• Security Awareness Training Framework• http://www.satframework.org/

• Google• http://bit.ly/15dUDlf


20

Small Business SecurityUser Awareness Training - Topics

• Phishing attacks

• Spear Phishing

• Social Engineering

• Passwords• Management/reuse/weak


21

Small Business SecurityPatch Management - OS

• Windows Automatic Updates• Will not work if not configured

• WSUS• Will not work if not managed

• Third Party• MSP software RMM (Labtech)

User Awareness TrainingPatch

Management

22

Small Business SecurityPatch Management – Third Party

• MSP Software RMM (Labtech)

• Ninite• http://ninite.com/• Jury rigged or buy Pro ($20 a month for 100 machines)

• Trust your users to update regularly• Never going to happen


Management

23

Small Business SecurityPatch Management – Third Party


Management

24

Small Business SecurityLog Management

• This is HARD regardless of the business size

• OSSIM• http://communities.alienvault.com/

• OSSEC• http://www.ossec.net/

• RMM solution


ManagementLog

Management

25

Small Business SecurityLog Management

• Realistically this will not happen at first

• Something is better than nothing• Firewalls logs via SMTP


ManagementLog

Management

26

Small Business SecurityAntivirus & HIDS

• Invest in a managed antivirus solution• Symantec Endpoint• Trend• McAfee

• Microsoft Security Essentials (free but unmanaged)• Install Malwarebytes too!


ManagementLog

ManagementAV/HIDS

27

Small Business SecurityHardware

• You must have a real firewall!• Dlink/Netgear/Linksys is not allowed

• Security Appliances do a lot• Router• Firewall• GAV• IDS/IPS


ManagementLog

ManagementAV/HIDSSecurity Appliances

28

Small Business SecurityHardware

• Security Appliance Suggestions• Sonicwall• Watchguard• Meraki

• Cost effective and easy to manage


ManagementLog


29

Small Business SecurityMetrics

• RMM reports from MSP

• WSUS Reports

• ??????


ManagementLog


Metrics

30

• Audit

• Identify Problems

• Find Low Hanging Fruit

• Roadmap for Changes

• Realistic Timeline!

• Create Policies and Procedures

• Implement Action Plan

• Stay Current

Small Business SecuritySteps To Take

31

Small Business SecurityKeep the Bad Guys Out

• Protect the Data

• Protect the Business

• Eliminate Low Hanging Fruit

32

Small Business SecurityAdvantages of a Small Business

• Offsite webserver

• Typically patches do not need to be tested

• Small environment

• Small number of employees

33

Small Business SecurityAdvice to Small Business

• Talk to you vendors• Ask about security!

• Find a QUALIFIED MSP• Ask about their security!

• Begin to make security a requirement,not an afterthought

34

“Small Business is the Heart of the American Economy.”-President Obama

35

Small Business SecurityHit me up

• @fjhackett

• http://www.slideshare.net/fjhackett

• [email protected]

Technology

Small Businesses Deserve Security Too