Pete Caro, Joel Wilbanks and Shlomo ShmooCon 4 Bruce Potter says it’s “like a short range sawed off shotgun”
2 What is this talk all about? Why are we here?
- Nov 07 – Joel, Pete and Shlomo decide to submit a paper to ShmooCon 4
- The paper – ‘You Must Be This Tall to Ride the Security Ride’ – was going to be all about how small business couldn’t possibly afford IT security for themselves
- It turns out we were wrong….

3 What we found out was small business can secure themselves pretty effectively, if they do it right
- So a small business, as defined by the US SBA:
  - No more than $750,000-32,500,000 revenue
  - No more than 500-1500 people
  - Industry dependent
- Doing security right depends on:
  - Knowing your actual risks and threat space
  - The IT security industry doing our job right
- Turns out small businesses might even have it easier than big businesses

4 How we first saw it

5 Security, what we thought everyone needed at first
- Anti-virus, HIDS, HIPS, IDS, IPS, Firewalls, Sniffers, Anti-malware, Anti-spam, Honey pots, Encryption at rest/transit, Biometrics, Smartcards, PKI, Single Sign On, Remote access, VPNs, Security Admins, SIMs, Traffic Analysis tools, Patch management, Vulnerability testing, Penetration testing, PII protection, HIPAA, SOX, regulatory compliance… etc.
- But everyone has a different risk level and different security requirements

6 Quick combination of security and threats
- Makes you think you have to buy everything and mitigate every threat
- Thinking like that is insane, and the costs are prohibitive anyway

8 A realistic threat picture
- Generally small organizations face most of the same threats and only a few that are different
- The ROI for hacking small businesses is lower – they are simply less attractive targets
- Don’t buy into the hype; conduct a risk assessment and figure out the ground truth

9 How we see it now

10 The trick is to shoot for the amount of security protection you actually need
- Be realistic about the threats you face
- Implement a risk-based level of security that mitigates actual threats, not all threats
- Make the right security choices based on your threat exposure
- Don’t try to prevent or even mitigate every single existing and emerging threat – prevent and mitigate enough to stay in business
- Don’t be overwhelmed by the plethora of security services, products and threats

11 Some general ideas
- Managed security services
- Turn-key solutions
- Push security responsibilities down to non-security personnel
- Use proven products and techniques
- Leverage automation
- Be realistic in your approach to security

12 Stick to your core competency; as a small business this probably isn’t information security
- Email – servers, web access, spam filters, etc.
- IT support – help desk services, system administration, etc.
- Web presence – web servers, outage monitoring, e-storefronts
- Custom or line-of-business applications
- All of these services have security aspects

13 Minimize exposure of sensitive, proprietary, and PII data
- Don’t improperly use SSNs – as employee numbers, etc.
- Avoid system designs which require multiple data stores
- If you need to share info, consider an intranet instead of the internet
- Wireless
- Mobile data (HDD, USB drive) encryption
- Each instance of data needs to be secured; more instances mean more security costs

16 Don’t utilize devices designed for home/recreational use for business purposes
- iPhones - &@!^#*&@^#&
- Personally-owned computers, PDAs, etc.
- Home versions of OSes, and to a certain extent free ones
- These devices often aren’t designed with adequate security in mind, and even when they are you can’t secure them all the time

17 Authentication and Encryption
- RSA is a household name for a reason; it wasn’t easy to invent – neither was PKI
- Two words – Rainbow tables
- Multi-factor authentication
- Dual-sided SSL – servers and clients should both authenticate the other party
- Use strong and proven encryption
- Identity proofing – verify that who they claim to be is who they really are

18 User security awareness training – how to prevent stupid users from impacting security
- Phishing, malicious email, Nigerian scams, spear phishing, etc.
- Social engineering, phones, physical security, etc.
- Use encrypted password stores instead of post-it notes
- Users are the first and last line of defense
- Training is the only plausible answer

19 Systems and App hardening
- Enable security features shipped with products
- Retire discontinued and EOL systems and products
- Patch systems in operation
- Run malware (spyware, viruses, etc.) protection
- Disable services you don’t need

20 Practice secure destruction – cheap but important
- Recycling is good, but data gets recycled too
- Secure destruction – it’s cheap
- Enforce security on capable devices; use the total-delete capability on ones that have the feature

21 Remote access – why telecommuting isn’t always a good idea
- Webmail application vulnerabilities – OWA etc.
- You can’t control the security posture or disposition of personal equipment
- Limit telecommuting access to essential services only
- Implement secure VPN access

22 Remember we said it depends on the security industry doing the right thing? Sometimes we make it worse…
- Linux tools – free, neat and effective, but they require almost on-the-fly development to make ‘em work
- Too often we ignore the needs of small networks
- Not enough professionalization
- Sales creep – plug-and-play security often isn’t
- Cumbersome security – Deny or Allow?
- Security turned off by default – why?!
- Too much data – we have as many security logs as data

23 Here are some random things we can do to make things better for small business
- Better tools: 10 years ago there were no tools; let’s keep going
- More automation: let’s reduce the amount of manual labor involved in security
- Professionalization: work together to make security practitioners a known quantity
- Licensing: sometimes our definition of small business does not reflect the reality of being a small business
- Accountability: hold product vendors accountable for security flaws

24 Conclusion
- Security is achievable for most small businesses – but it’s complicated
- Size, data value and resources impact the threats and responses
- We need to keep working to provide better tools for small business – and everyone else
- Think about the children

25 ShmooCon 4 – Phreaknik 2007, GDead says “defense in depth is dead”. Defense in depth IS dead – long live intelligent defense in depth.
