Rook Uncut: 6 Security Options for Small Businesses
Welcome to “Rook Uncut,” a blog series that features common questions frequently posed to our security experts. With new data breaches or information security concerns making headlines each day, Rook is often approached by peers, friends, family, and the media to provide insight. Rook Uncut gives you our experts’ quick and raw answers to security questions. Be sure to check back for more of Rook Uncut!
If you missed last week’s edition of Rook Uncut, check it out here.
6 Security Options for Small Businesses
I will preface this by saying there is no all-in-one security solution out there. Everyone talks about that “silver bullet.” Some used to think it was AV, and some still do, but AV on its own is no longer effective at preventing or detecting today’s cyber threats. So here is my take on a grassroots security solution:
1) Inventory of Company Assets
Unapproved systems on your network introduce another level of risk to the organization, which is why having an up-to-date listing of approved resources that should be on the network is important. The inventory needs to hold something you can actually match against what you see on the wire (MAC address, hostname, owner); a list of asset tags alone will not tell you whether the device that just pulled a DHCP lease belongs there. This allows you to easily identify potentially rogue devices (cell phones, tablets, etc.) that users bring into the office. If Internet access is required for these, create a separate network that only has access to the Internet, not to other corporate resources, specifically for (non-approved) user devices.
2) Logging
So, how do you answer questions about things that have happened in the past on your network, you ask? Logging! It may not be the sexiest thing out there, but the amount of information that can be gleaned from reviewing and aggregating logs is vast. You will want to capture system logs (Windows / Unix), networking logs (firewall / VPN), and network service logs (DNS, DHCP), and get them all into a single location for storage and review. Two details make or break this: sync every source to the same time source (NTP) so events from different boxes can be lined up, and ship logs off the host that generated them, because an attacker who owns the host will clear the local copy.
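The two items above, inventory and logging, pay off together: once DHCP, firewall and Windows logs sit in one timeline, "which devices on the network are not in the inventory, and what did they do?" becomes a query instead of a guess. The script below is an added example, not code from the original post; the log lines and the inventory are constructed for it, the formats are ISC dhcpd via syslog, the Linux iptables kernel log and a hypothetical CSV export of Windows Security events (4624 = logon success, 4625 = failed logon), and the syslog year is assumed because classic syslog timestamps carry none.

```python
import re
from datetime import datetime

# --- Constructed sample logs (not real data), in three formats a small
# shop typically has: ISC dhcpd via syslog, iptables kernel log, and a
# CSV export of Windows Security events (4624 = logon ok, 4625 = failed).
DHCP_LOG = """\
Mar  4 08:12:01 dhcp dhcpd: DHCPACK on 10.0.1.20 to 00:11:22:33:44:55 (finance-pc) via eth0
Mar  4 08:13:44 dhcp dhcpd: DHCPACK on 10.0.1.57 to DE:AD:BE:EF:00:01 (Galaxy-S9) via eth0
Mar  4 08:15:09 dhcp dhcpd: DHCPACK on 10.0.1.21 to 00:11:22:33:44:66 (hr-laptop) via eth0
"""
FW_LOG = """\
Mar  4 08:14:02 fw kernel: IN=eth0 OUT=eth1 SRC=10.0.1.57 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=443
Mar  4 08:16:00 fw kernel: IN=eth0 OUT= SRC=10.0.1.57 DST=10.0.1.21 PROTO=TCP SPT=51004 DPT=445
"""
WIN_LOG = """\
2023-03-04 08:15:30,4624,finance-pc,jsmith,10.0.1.20
2023-03-04 08:16:02,4625,hr-laptop,administrator,10.0.1.57
"""

# Approved asset inventory keyed by MAC address (hypothetical).
INVENTORY = {
    "00:11:22:33:44:55": "finance-pc",
    "00:11:22:33:44:66": "hr-laptop",
}

SYSLOG_YEAR = 2023  # assumed: classic syslog timestamps carry no year
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) (.*)$")
DHCP_RE = re.compile(r"DHCPACK on (\S+) to (\S+) \((\S+)\)")
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")


def _syslog_ts(mon, day, clock):
    return datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")


def parse_syslog(text, source, body_re, fields):
    """Parse syslog-framed lines whose message body matches body_re into
    flat dicts; lines we do not understand are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        b = body_re.search(m.group(5)) if m else None
        if not b:
            continue
        ev = {"ts": _syslog_ts(m.group(1), m.group(2), m.group(3)), "source": source}
        ev.update(zip(fields, b.groups()))
        events.append(ev)
    return events


def parse_windows_csv(text):
    events = []
    for line in text.splitlines():
        ts, event_id, host, user, ip = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "source": "windows", "event_id": event_id,
                       "host": host, "user": user, "ip": ip})
    return events


def build_timeline():
    """Aggregate every source into one time-ordered list of normalized events."""
    events = (parse_syslog(DHCP_LOG, "dhcp", DHCP_RE, ("ip", "mac", "host"))
              + parse_syslog(FW_LOG, "firewall", FW_RE, ("src", "dst", "proto", "sport", "dport"))
              + parse_windows_csv(WIN_LOG))
    for ev in events:
        if "mac" in ev:
            ev["mac"] = ev["mac"].lower()  # MAC case differs between tools
    return sorted(events, key=lambda e: e["ts"])


def rogue_devices(timeline, inventory=INVENTORY):
    """Devices that obtained a lease but are not in the approved inventory."""
    return {ev["mac"]: (ev["ip"], ev["host"]) for ev in timeline
            if ev["source"] == "dhcp" and ev["mac"] not in inventory}


def events_involving(timeline, ip):
    """Every event, from any source, in which this IP appears."""
    return [ev for ev in timeline
            if ip in (ev.get("ip"), ev.get("src"), ev.get("dst"))]


if __name__ == "__main__":
    tl = build_timeline()
    for mac, (ip, host) in rogue_devices(tl).items():
        print(f"rogue device {mac} ({host}) at {ip}:")
        for ev in events_involving(tl, ip):
            print("  ", ev["ts"], ev["source"],
                  {k: v for k, v in ev.items() if k not in ("ts", "source")})
```

Run stand-alone it prints the one unapproved device (the phone) followed by everything that IP did across all three sources: the lease, an outbound HTTPS connection, an SMB connection to hr-laptop, and a failed logon as administrator on that host. None of the three logs tells that story on its own, which is the whole argument for central collection.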
3) Scanning / Monitoring
These give you insight into what is currently happening on the network. AV belongs in this category, as it is still effective at catching low-hanging known malware, but that is not enough. You need to be able to see what is actually going across the network, and what is attempting to get in. Deploying an IDS sensor (or two) on the network will give you the eyes and ears to do so; a sensor only sees the traffic you feed it, so put it on a mirror port or tap at the Internet edge, and ideally a second one between user and server segments. Also look at performing vulnerability scans on critical systems to identify those in need of patches and updates; credentialed scans find far more than unauthenticated ones, so give the scanner an account if you can.
4) Content / URL Filtering
Help your users help themselves. Performing some kind of content filtering will reduce the risk that users navigate to, or get redirected to, malicious links or sites on the Internet. This can be accomplished a few ways: DNS filtering (there are free services for this) or standing up a web proxy with content filtering capabilities will do the trick. DNS filtering only works if clients actually use the filtering resolver, so hand it out via DHCP and block outbound port 53 to anything else at the firewall. We all know this is a cat and mouse game, but something is better than nothing.
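Whatever DNS filter you use, the decision it makes for each query is the same: block if the name or any parent domain is listed, unless a more specific allowlist entry rescues it, and hand back a sinkhole address so the attempt ends up in your logs. The block below is an added example of that policy logic, not code from the original post or from any particular filtering product; the blocklist, allowlist and sinkhole address are constructed for it. It also shows the matching mistake a quick homegrown filter usually makes (treating the blocklist as a substring or suffix match).

```python
# Constructed lists for the example (not a real threat feed).
BLOCKLIST = {"malware-c2.example", "phish.example.net"}
# An allowlist entry beats any blocklist entry that is less specific than it.
ALLOWLIST = {"safe.phish.example.net"}


def normalize(qname):
    """DNS names are case-insensitive and may arrive with a trailing dot."""
    return qname.rstrip(".").lower()


def is_blocked(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """True if the name or any parent domain is on the blocklist, unless a
    more specific allowlist entry covers it. Walks label by label, most
    specific first, so 'notmalware-c2.example' does not match
    'malware-c2.example' the way a naive substring or endswith() test would."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in allowlist:
            return False
        if candidate in blocklist:
            return True
    return False


def resolve_policy(qname, sinkhole_ip="0.0.0.0"):
    """What the filtering resolver answers: a sinkhole address for blocked
    names, or FORWARD to resolve normally upstream."""
    if is_blocked(qname):
        return ("BLOCKED", sinkhole_ip)
    return ("FORWARD", None)


def review_queries(queries):
    """Given (client_ip, qname) pairs from the resolver log, return the
    blocked ones: this is the list worth looking at in the morning, since
    a client that keeps asking for a C2 name is probably already infected."""
    return [(client, qname) for client, qname in queries
            if resolve_policy(qname)[0] == "BLOCKED"]


if __name__ == "__main__":
    sample = [("10.0.1.20", "www.example.org"),
              ("10.0.1.57", "cdn.MALWARE-C2.example."),
              ("10.0.1.57", "login.phish.example.net"),
              ("10.0.1.21", "safe.phish.example.net")]
    for client, qname in review_queries(sample):
        print(f"{client} asked for {qname}: {resolve_policy(qname)}")
```

Answering with a sinkhole address rather than NXDOMAIN is a deliberate choice: the client then tries to connect to the sinkhole, which shows up in the firewall log as well, so you get two records of the attempt instead of one.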
5) Account Monitoring and Control
Account review is critical to ensuring that old, unused accounts are not used as a foothold later on; an account nobody logs into is one nobody will notice being logged into. Also, do ALL of your users actually need Administrator accounts to perform their job? Let’s leave the systems administration to the IT department. Privileged accounts should be monitored and reviewed more frequently, and admins should always have two accounts: 1) a normal user account for day-to-day activities, web browsing, email, etc., and 2) a separate elevated account used only to perform administrative functions, never to browse or read mail.
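The review described above is easy to script once you have an account export in front of you. The block below is an added example, not code from the original post; it works over a constructed list of accounts in the shape a directory or local-user export typically gives (name, enabled flag, last logon, groups), and it assumes a hypothetical naming convention in which elevated accounts carry an "adm-" prefix so they can be paired with their owner's day-to-day account.

```python
from datetime import datetime

# Constructed account export (not real data). "last_logon" of None means the
# directory has never recorded a logon for the account.
ACCOUNTS = [
    {"name": "jsmith",      "enabled": True,  "last_logon": "2023-03-03", "groups": ["Domain Users"]},
    {"name": "adm-jsmith",  "enabled": True,  "last_logon": "2023-03-02", "groups": ["Domain Users", "Domain Admins"]},
    {"name": "mjones",      "enabled": True,  "last_logon": "2023-03-01", "groups": ["Domain Users", "Domain Admins"]},
    {"name": "contractor7", "enabled": True,  "last_logon": "2022-09-15", "groups": ["Domain Users"]},
    {"name": "oldintern",   "enabled": False, "last_logon": "2022-06-01", "groups": ["Domain Users", "Domain Admins"]},
    {"name": "svc-backup",  "enabled": True,  "last_logon": None,         "groups": ["Domain Users"]},
]
ADMIN_GROUP = "Domain Admins"
ADMIN_PREFIX = "adm-"   # assumed naming convention for elevated accounts


def _days_idle(acct, now):
    if acct["last_logon"] is None:
        return None
    return (now - datetime.strptime(acct["last_logon"], "%Y-%m-%d")).days


def stale_accounts(accounts, now, max_idle_days=90):
    """Enabled accounts with no logon in max_idle_days, or never.
    Never-logged-on accounts are included on purpose: a service account
    that genuinely never logs on interactively should be a documented
    exception, not something the review silently skips."""
    out = []
    for a in accounts:
        if not a["enabled"]:
            continue
        idle = _days_idle(a, now)
        if idle is None or idle > max_idle_days:
            out.append(a["name"])
    return out


def admin_findings(accounts, admin_group=ADMIN_GROUP, prefix=ADMIN_PREFIX):
    """Review every member of the admin group and return (name, reason)
    pairs for the three conditions the post calls out: disabled accounts
    still holding the group, day-to-day accounts holding admin rights,
    and elevated accounts with no matching day-to-day account."""
    names = {a["name"] for a in accounts}
    findings = []
    for a in accounts:
        if admin_group not in a["groups"]:
            continue
        if not a["enabled"]:
            findings.append((a["name"], f"disabled account still in {admin_group}"))
        elif not a["name"].startswith(prefix):
            findings.append((a["name"], f"day-to-day account holds admin rights; move them to a {prefix} account"))
        elif a["name"][len(prefix):] not in names:
            findings.append((a["name"], "elevated account has no matching day-to-day account"))
    return findings


if __name__ == "__main__":
    today = datetime(2023, 3, 4)  # constructed review date
    print("stale:", stale_accounts(ACCOUNTS, today))
    for name, reason in admin_findings(ACCOUNTS):
        print(f"{name}: {reason}")
```

On the sample data the stale list is the contractor who left last autumn and the service account, and the admin review flags mjones (everyday account in Domain Admins) and oldintern (disabled, but still a Domain Admin, which is exactly the kind of account that gets re-enabled by an attacker with directory access). Disabling an account is not the same as removing its group memberships.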
6) Security Skills Training
This is two-fold. First, you need to find and enable that “security ninja” on your staff. In most circumstances, I find it easier to train an IT person to be more security conscious than to train a dedicated security person to perform IT tasks. Get them the training or the time they need to support the chosen tools. Second is user awareness and security training. At small and medium sized companies this is usually overlooked; however, it is critical to enable all of your users to be security people. Teach them how to spot a phishing email, proper password usage (use a password manager), and when to notify IT or security of something out of the ordinary.
While you may be thinking all of the above is going to cost a fortune, the truth of the matter is that most, if not all, of these things can be done on the cheap (with a little elbow grease). It comes down to weighing the time and cost of having someone (security or IT) support all of these security systems on open source platforms against evaluating mid-tier commercial solutions that solve the same problems.
TL;DR — Security is fun, can be achieved for a low cost, and should be approachable by all businesses small/medium/large.