If you look at a basic network diagram of a small business, the attack surface is that of a large business. Why don't we target small businesses when it comes to security? They still have to meet the same compliance regulations as large businesses. Actually, when it comes to security, small businesses have several advantages over large businesses. Let's exploit those advantages and make small businesses secure. After all, SMBs are the heart of our community. Frank J. Hackett is a Senior Systems Engineer for an MSP in the Washington DC metropolitan area. Hackett also works in security as a consultant. His love for IT is due to his father, who used to beat him at Monopoly played on DOS 6.1; Hackett soon learned how to set a password to keep his Dad from using the computer. For the last two years he has worked under Joe McCray of Strategic Security as a Senior R00kie, has been on many high-security pentests and has developed course work.
Small Businesses Deserve Security Too
Frank J. Hackett
2
Shout Outs
• High Hack Society
  • Awesome group of people, too many to name
• j0e McCray @j0emccray
  • Took me on my first pentest and changed my life
• Marcus J. Carey @marcusjcarey
  • Told me to read Presentation Zen
  • Wow, was he right
3
• Georgia Weidman @georgiaweidman
  • Bulb Security – mobile goddess
• Bill Gardner aka Da Professor @oncee
  • Awesome
Shout Outs
4
Me
• Security Consultant
• Senior Systems Engineer
• Senior r00kie under j0e McCray
• I have papers (certs)
• SATF member
  • http://www.satframework.org/
5
Me
I work for and with Small Business
6
“Most of the business owners surveyed believe they are not at risk, when in fact smaller businesses are increasingly being targeted…”
• The Hartford
  • http://newsroom.thehartford.com/News-Releases/Small-Business-Owners-Despite-Being-Increasingly-Targeted-Believe-Data-Breach-Unlikely-50c.aspx
7
Small Business Security
“No one wants my data.”
“We don’t have anything worth stealing.”
“We don’t have time to worry about security.”
8
Small Business Security
“Max’s main targets were ultimately small hospitality businesses— not international conglomerates or secret world governments.”
9
Small Business Security
“Adam Levin, co-founder and chairman of Identity Theft 911, says that for most companies it's not a matter of if they will have a breach but when.”
http://www.foxnews.com/politics/2013/02/22/small-businesses-big-targets-for-cyber-snoops/
10
Small Business Security
Mature Security Program
• Metrics
• Security Appliances
• Anti-Virus/HIDS
• Log Management
• Patch Management
• User Awareness Training
• Policies and Procedures
11
Small Business Security
• Policies & Procedures: This has to be there!
• User Awareness Training: Anything is better than nothing!
• Patch Management: YES! OS as well as Third Party
• Log Management: Very hard for Small Business
• AV/HIDS: YES! AV is a must. It’s free these days
• Security Appliances: Bare minimum, have a real firewall
• Metrics: Not gonna happen
12
Small Business Security
What is a Small Business?
• What constitutes a small business varies widely around the world. Small businesses are normally privately owned corporations, partnerships, or sole proprietorships. What constitutes "small" in terms of government support and tax policy varies by country and by industry, ranging from fewer than 15 employees under the Australian Fair Work Act 2009, 50 employees in the European Union, and fewer than 500 employees to qualify for many U.S. Small Business Administration programs, although in 2006 there were over 18,000 "small businesses" with over 500 employees that accounted for half of all the employees employed by all "small business". [1] [2] Small businesses can also be classified according to other methods such as sales, assets, or net profits.
http://en.wikipedia.org/wiki/Small_business
13
Small Business Security
What I consider Small Business
• 10–50 employees
• Employees wear many hats
• Typically revenue is less than 1–5+ million a year
• No full time IT staff
• No full time security staff
14
Small Business Security
Examples of Small Businesses
• Medical Offices
• Law Offices
• Financial Offices
• Boutique Shops
• Etc.
15
Small Business Security
Network Layout
16
Small Business Security
Policies & Procedures – templates
• SANS
  • http://www.sans.org/security-resources/policies/
• California Government
  • http://www.cio.ca.gov/OIS/Government/library/samples.asp
• Google
  • http://bit.ly/15dQXjw
17
Small Business Security
Policies & Procedures – what to have
• Acceptable Usage Policy (AUP)
• Computer Security Policy
• Compliance Document (HIPAA, ISO, etc.)
• Data Classification
  • This is HUGE and rarely happens
18
Small Business Security
Data Classification
WRONG WAY
• Owner has access to everything
• No one has access to the owner’s documents
RIGHT WAY
• Public Information (level 1)
• Corporate Information (level 2)
• Sensitive Information (level 3)
• Private (level 4)
19
Small Business Security
User Awareness Training – Resources
• Infragard
  • https://www.infragardawareness.com/
  • Free training for businesses with fewer than 25 employees
• Security Awareness Training Framework
  • http://www.satframework.org/
• Google
  • http://bit.ly/15dUDlf
20
Small Business Security
User Awareness Training – Topics
• Phishing attacks
• Spear Phishing
• Social Engineering
• Passwords
  • Management/reuse/weak
21
Small Business Security
Patch Management – OS
• Windows Automatic Updates
  • Will not work if not configured
• WSUS
  • Will not work if not managed
• Third Party
  • MSP software RMM (Labtech)
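The slide's warning that Automatic Updates "will not work if not configured" and WSUS "will not work if not managed" is easy to verify on a client. The script below is an added example and not part of the deck: it reads the documented Windows Update Group Policy registry keys (the `WindowsUpdate` and `WindowsUpdate\AU` policy keys under HKLM) and turns them into a pass/fail verdict. The verdict rules (only `AUOptions` 3 or 4 count as a managed install schedule; a `UseWUServer=1` client with no `WUServer` is treated as broken) are this example's own judgement, not the presenter's. The registry read runs only on Windows; the evaluation is a pure function so it can be exercised anywhere.

```python
"""Audit Windows Automatic Updates / WSUS policy on a client.

Added example, not from the slides. Registry paths and value names are the
standard Windows Update policy settings; the verdict logic is this example's
own reading of them.
"""
import sys

# Group Policy locations for Windows Update, relative to HKLM.
WU_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_POLICY_KEY = WU_POLICY_KEY + r"\AU"

# Meaning of the AUOptions policy value.
AU_OPTIONS = {
    2: "notify before download (nothing is installed automatically)",
    3: "auto download, notify before install",
    4: "auto download and schedule the install",
    5: "local admin chooses the setting (effectively unmanaged)",
}


def evaluate_au_policy(au, wu):
    """Return (ok, findings) for the given policy values.

    `au` holds the values of the AU subkey, `wu` the values of the parent
    WindowsUpdate key. Both are plain dicts so the logic is testable offline.
    """
    findings = []
    ok = True

    if not au and not wu:
        # No policy at all: the box runs whatever the local default happens to
        # be, which is the "will not work if not configured" case.
        return False, ["no Windows Update policy configured; defaults apply"]

    if au.get("NoAutoUpdate") == 1:
        ok = False
        findings.append("NoAutoUpdate=1: Automatic Updates are disabled")

    opt = au.get("AUOptions")
    if opt is None:
        ok = False
        findings.append("AUOptions not set: install behaviour is unmanaged")
    elif opt not in (3, 4):
        ok = False
        findings.append(f"AUOptions={opt}: {AU_OPTIONS.get(opt, 'unknown value')}")
    else:
        findings.append(f"AUOptions={opt}: {AU_OPTIONS[opt]}")

    if au.get("UseWUServer") == 1:
        server = wu.get("WUServer")
        if not server:
            ok = False
            findings.append("UseWUServer=1 but WUServer is empty: no server to fetch from")
        else:
            # Client side is only half of WSUS: updates still have to be
            # approved on the server, which this script cannot see.
            findings.append(f"updates come from WSUS at {server}")
            if not wu.get("WUStatusServer"):
                findings.append("WUStatusServer missing: WSUS gets no status reports")

    return ok, findings


def read_policy_values(subkey):
    """Read all values under HKLM\\<subkey>; {} when absent or not on Windows."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows

    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:  # raised once the values are exhausted
                    break
                values[name] = data
                index += 1
    except FileNotFoundError:
        pass  # key not present: no policy
    return values


if __name__ == "__main__":
    verdict, notes = evaluate_au_policy(
        read_policy_values(AU_POLICY_KEY), read_policy_values(WU_POLICY_KEY)
    )
    print("PASS" if verdict else "FAIL")
    for note in notes:
        print(" -", note)
```

Run it as an administrator on each workstation, or push it through the RMM; a FAIL on a machine that is supposed to be WSUS-managed usually means the policy never reached it.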
22
Small Business Security
Patch Management – Third Party
• MSP Software RMM (Labtech)
• Ninite
  • http://ninite.com/
  • Jury-rig it or buy Pro ($20 a month for 100 machines)
• Trust your users to update regularly
  • Never going to happen
23
Small Business Security
Patch Management – Third Party
24
Small Business Security
Log Management
• This is HARD regardless of the business size
• OSSIM
  • http://communities.alienvault.com/
• OSSEC
  • http://www.ossec.net/
• RMM solution
25
Small Business Security
Log Management
• Realistically this will not happen at first
• Something is better than nothing
  • Firewall logs via SMTP
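Having the firewall e-mail its logs only helps if someone reads them, and nobody in a 10–50 person shop will read raw deny lines. The script below is an added example, not part of the deck: it parses a mailed log dump and separates the two things worth a glance each morning. Inbound denies from the internet are background noise (the firewall did its job), so they are reported as informational; repeated outbound denies from an internal host are the interesting signal, because a workstation that keeps trying a blocked destination is either misconfigured or compromised. The log line format is constructed for this example in a generic syslog style and is not any vendor's real format; the regex is the part to adapt to what your appliance actually sends.

```python
"""Triage of firewall deny logs that arrive by e-mail.

Added example, not from the slides. SAMPLE_LOG and LINE_RE are constructed
in a generic syslog-like style, not a specific vendor's format.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: what a small firewall might mail out overnight.
SAMPLE_LOG = """\
Jun 12 02:14:01 fw01 DENY in=wan src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=44123 dpt=3389
Jun 12 02:14:02 fw01 DENY in=wan src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=44124 dpt=445
Jun 12 02:14:03 fw01 DENY in=wan src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=44125 dpt=22
Jun 12 02:14:04 fw01 DENY in=wan src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=44126 dpt=23
Jun 12 02:14:05 fw01 DENY in=wan src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=44127 dpt=1433
Jun 12 02:15:10 fw01 DENY in=wan src=198.51.100.4 dst=192.0.2.10 proto=udp spt=5353 dpt=5353
Jun 12 08:31:44 fw01 ALLOW in=lan src=10.0.0.23 dst=198.51.100.80 proto=tcp spt=51000 dpt=443
Jun 12 08:31:50 fw01 DENY in=lan src=10.0.0.23 dst=198.51.100.80 proto=tcp spt=51001 dpt=6667
Jun 12 08:31:55 fw01 DENY in=lan src=10.0.0.23 dst=198.51.100.80 proto=tcp spt=51002 dpt=6667
Jun 12 08:32:00 fw01 DENY in=lan src=10.0.0.23 dst=198.51.100.80 proto=tcp spt=51003 dpt=6667
"""

# One line = timestamp, host, verdict, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"in=(?P<iface>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)


def parse_lines(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            event = match.groupdict()
            event["spt"] = int(event["spt"])
            event["dpt"] = int(event["dpt"])
            events.append(event)
    return events


def triage(events, scan_ports=5, outbound_denies=3):
    """Return (severity, message) findings from a list of parsed events.

    Inbound WAN denies are summarised per source and rated informational once a
    source has hit `scan_ports` distinct ports. Outbound denies are counted per
    (internal host, destination, port) and rated high after `outbound_denies`.
    """
    findings = []
    inbound_ports = defaultdict(set)  # external src -> set of probed ports
    outbound = Counter()              # (lan src, dst, dpt) -> deny count

    for ev in events:
        if ev["action"] != "DENY":
            continue
        if ev["iface"] == "wan":
            inbound_ports[ev["src"]].add(ev["dpt"])
        else:
            outbound[(ev["src"], ev["dst"], ev["dpt"])] += 1

    for src, ports in sorted(inbound_ports.items()):
        if len(ports) >= scan_ports:
            findings.append(("info", f"{src} probed {len(ports)} distinct ports and was blocked; routine noise"))

    for (src, dst, dpt), count in sorted(outbound.items()):
        if count >= outbound_denies:
            findings.append(("high", f"internal host {src} tried {dst}:{dpt} {count} times and was blocked; check that machine"))

    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_lines(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

Feed it the body of the mailed log (for example from a mailbox rule that saves attachments to a folder) and only the "high" lines need a human; the thresholds are deliberately low for a small network and should be tuned once a week of real traffic has been seen.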
26
Small Business Security
Antivirus & HIDS
• Invest in a managed antivirus solution
  • Symantec Endpoint
  • Trend
  • McAfee
• Microsoft Security Essentials (free but unmanaged)
  • Install Malwarebytes too!
27
Small Business Security
Hardware
• You must have a real firewall!
  • D-Link/Netgear/Linksys is not allowed
• Security Appliances do a lot
  • Router
  • Firewall
  • GAV
  • IDS/IPS
28
Small Business Security
Hardware
• Security Appliance Suggestions
  • Sonicwall
  • Watchguard
  • Meraki
• Cost effective and easy to manage
29
Small Business Security
Metrics
• RMM reports from MSP
• WSUS Reports
• ??????
30
Small Business Security
Steps To Take
• Audit
• Identify Problems
• Find Low Hanging Fruit
• Roadmap for Changes
• Realistic Timeline!
• Create Policies and Procedures
• Implement Action Plan
• Stay Current
31
Small Business Security
Keep the Bad Guys Out
• Protect the Data
• Protect the Business
• Eliminate Low Hanging Fruit
32
Small Business Security
Advantages of a Small Business
• Offsite webserver
• Typically patches do not need to be tested
• Small environment
• Small number of employees
33
Small Business Security
Advice to Small Business
• Talk to your vendors
  • Ask about security!
• Find a QUALIFIED MSP
  • Ask about their security!
• Begin to make security a requirement, not an afterthought
34
“Small Business is the Heart of the American Economy.”
– President Obama
35
Small Business Security
Hit me up
• @fjhackett
• http://www.slideshare.net/fjhackett