Many midsize businesses (MSBs) don't believe that a hacker would target their business. While it's true that many attacks are planned to vandalize highly visible web sites, any size enterprise that has inadequate security should be concerned.

The recent emergence of the SQL "Slammer" worm (also known as "Sapphire") demonstrates the challenges that MSBs face from a mass attack that hits any IP address where it finds a vulnerability. In attacks such as Nimda, Code Red and Slammer, hackers go after systems at random; being a midsize business doesn't make you any less attractive as a target.

SQL Slammer crashed automated teller machine networks, other business systems and operational control systems not running on the Internet. The other factor that makes MSBs prime targets is that 90 percent of them are running Windows on their servers, 80 percent are using Outlook and Exchange for e-mail, and 70 percent are using SQL databases. Microsoft software is a major target for hackers because it has large numbers of vulnerabilities and its market share gives hackers the ability to impact the masses. Just because security breaches at smaller businesses don't grab the headlines like hacks on Fortune 500 firms doesn't mean that they are any less devastating to the business.

Forty percent of MSBs that manage their own network security and use the Internet for more than e-mail will experience a successful Internet attack, and more than half of them won't know they were attacked.

Another oversight that many MSBs make relative to security is the threat from within the enterprise. The most damaging security incidents at any business usually stem from trusted insiders who abuse their privileges. Seventy percent of all attacks that cause more than $50,000 of damage involve an insider. MSBs must develop a plan to deal with both internal and external security issues, including making sure that internal or outsourced IT support personnel are trustworthy.

The biggest challenge most MSBs have is deciding how much of their IT budget they should spend on security. Below we list some actions that MSBs should take now that won't impact the IT budget:
- Educate system administrators first, then users. Becoming more secure is not just a technical exercise. User education and awareness can go a long way in minimizing vulnerabilities. A security policy is the starting point for any security program. Without security policies, users do not know their responsibilities to the enterprise regarding the protection of information assets; the IS organization can't provide consistent and adequate information security implementations; and business managers can't protect intellectual property.
- Hackers have made a dangerous discovery: system administrators cannot keep up with the never-ending floods of security alerts and patches issued by software vendors. Gartner estimates that 90 percent of security breaches take advantage of poorly configured or unpatched servers. MSBs should evaluate the patch status of all production systems connected to general-purpose networks. The SQL Slammer worm succeeded because enterprises hadn't installed a patch that had been available for over six months.
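The patch-status evaluation above can be reduced to a repeatable triage: compare what each production host runs against the patches that apply, and rank the gaps by how long the patch has been available and whether the host sits on a general-purpose network. The script below is an added example, not code from the article or from Gartner; the inventory format, hostnames, patch identifiers and dates are all constructed, and the 180-day "stale" threshold is an assumption chosen to mirror the six-month figure in the text.

```python
"""Patch-status triage over a constructed host inventory (added example).

Assumptions (not from the article): the inventory and patch catalogue
formats are hypothetical; patch ids, hostnames and dates are constructed.
"""
from datetime import date

AUDIT_DATE = date(2003, 1, 27)   # constructed audit date

# Constructed catalogue: patch id -> (release date, service it protects).
PATCH_CATALOGUE = {
    "PATCH-SQL-01": (date(2002, 7, 24), "mssql"),     # hypothetical id
    "PATCH-WEB-02": (date(2003, 1, 10), "iis"),       # hypothetical id
    "PATCH-MAIL-03": (date(2002, 11, 5), "exchange"),  # hypothetical id
}

# Constructed inventory: services running, patches installed, and whether
# the host is connected to a general-purpose (Internet-reachable) network.
INVENTORY = [
    {"host": "db01", "services": {"mssql"}, "patches": set(), "general_purpose": True},
    {"host": "web01", "services": {"iis", "mssql"}, "patches": {"PATCH-WEB-02"}, "general_purpose": True},
    {"host": "mail01", "services": {"exchange"}, "patches": {"PATCH-MAIL-03"}, "general_purpose": True},
    {"host": "scada01", "services": {"mssql"}, "patches": set(), "general_purpose": False},
]


def missing_patches(host, catalogue):
    """Return patch ids that apply to a service the host runs but are not installed."""
    return sorted(pid for pid, (_, svc) in catalogue.items()
                  if svc in host["services"] and pid not in host["patches"])


def triage(inventory, catalogue, today, stale_days=180):
    """Rank missing patches by exposure.

    A patch that has been available for stale_days or more on a host reachable
    from a general-purpose network is 'critical'; one of those two conditions
    alone is 'high'; a fresh patch on an isolated host is 'medium'.
    """
    findings = []
    for host in inventory:
        for pid in missing_patches(host, catalogue):
            released, svc = catalogue[pid]
            age = (today - released).days
            if age >= stale_days and host["general_purpose"]:
                priority = "critical"
            elif age >= stale_days or host["general_purpose"]:
                priority = "high"
            else:
                priority = "medium"
            findings.append({"host": host["host"], "patch": pid, "service": svc,
                             "age_days": age, "priority": priority})
    order = {"critical": 0, "high": 1, "medium": 2}
    # Most severe first, then oldest exposure, then hostname for a stable report.
    findings.sort(key=lambda f: (order[f["priority"]], -f["age_days"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, PATCH_CATALOGUE, AUDIT_DATE):
        print(f"{f['priority']:8} {f['host']:8} {f['patch']}  {f['age_days']} days old")
```

Note that the isolated host still shows up: the article's point that Slammer took down systems "not running on the Internet" is exactly why the report should not drop hosts merely because they are off the general-purpose network.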
- Don't give users administrative privileges on their PCs. Lock PCs down in a secure configuration so they can't load new software. Ninety percent of the software users put on their PCs isn't business software. If you can't lock down user PCs (because of cultural issues), then put a personal firewall (about $40 per user) on every laptop, configured to allow the minimal possible services and prevent unauthorized software from connecting over the Internet.
- More than 95 percent of attachments from outside of the enterprise are not business related. MSBs should block all potentially dangerous attachments from outside the enterprise (pretty much anything but .zip). Other files that can be allowed in without compromising security posture include .doc, .xls, .rtf and .ppt. This can be done essentially for free: you don't need antivirus software to do it, because the files can be blocked at your e-mail server.
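The attachment rule above is an allowlist, and the detail that matters when implementing it is how the filename is examined. The following is an added example, not code from the article or any mail server's filtering API: it parses a constructed MIME message with Python's standard `email` module, applies the article's allowlist (.zip, .doc, .xls, .rtf, .ppt), and shows the two cases a naive check gets wrong: mixed-case extensions and double extensions such as `invoice.doc.exe`. The `evaluate` function and its `external` flag are hypothetical names chosen for this example.

```python
"""Extension-allowlist check for inbound e-mail attachments (added example).

The allowlist is the article's; the message, addresses and function names
are constructed for this example and are not any product's API.
"""
from email import message_from_string
from email.message import Message

ALLOWED_EXTENSIONS = {".zip", ".doc", ".xls", ".rtf", ".ppt"}


def attachment_names(msg: Message):
    """Yield the filename of every non-container part that carries one."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()   # Content-Disposition filename, else Content-Type name
        if name is not None:
            yield name


def is_allowed(filename: str) -> bool:
    """Allow only when the LAST extension is on the allowlist.

    Lower-casing blocks 'REPORT.EXE'; using the last dot blocks
    'invoice.doc.exe', which would pass a check that only looks for '.doc'.
    """
    name = filename.strip().lower()
    if "." not in name:
        return False                     # no extension: cannot classify, so block
    ext = name[name.rfind("."):]
    return ext in ALLOWED_EXTENSIONS


def evaluate(raw_message: str, external: bool = True):
    """Return (verdict, blocked_filenames) for one message.

    Internal mail is delivered unchanged because the article's rule applies
    to attachments arriving from outside the enterprise.
    """
    msg = message_from_string(raw_message)
    names = list(attachment_names(msg))
    if not external:
        return "deliver", []
    blocked = [n for n in names if not is_allowed(n)]
    return ("block" if blocked else "deliver"), blocked


# Constructed sample: one permitted spreadsheet and one double-extension executable.
SAMPLE_MESSAGE = """\
From: partner@example.net
To: ap@example.com
Subject: Q1 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Figures attached.
--b1
Content-Type: application/vnd.ms-excel; name="q1.xls"
Content-Disposition: attachment; filename="q1.xls"

AAAA
--b1
Content-Type: application/octet-stream; name="invoice.doc.exe"
Content-Disposition: attachment; filename="invoice.doc.exe"

BBBB
--b1--
"""

if __name__ == "__main__":
    verdict, blocked = evaluate(SAMPLE_MESSAGE)
    print(verdict, blocked)
```

Because .zip is on the allowlist, an archive's contents are not examined by this check; that is why the article's later advice to scan for viruses at the server still applies alongside extension filtering.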
- Disable all inactive accounts and close out obvious vulnerabilities. Examine user account lists on all systems, and remove all unnecessary default accounts. Change passwords on root and administrator accounts. Review help desk and password reset procedures; don't use employee numbers (identification codes), Social Security numbers or addresses to authenticate callers requesting password resets. Examine security practices for remote access, including dial-up lines, extranets and VPNs.
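The account review above turns into three concrete actions per account: disable it if it is inactive, remove it if it is an unnecessary default account, and rotate the password if it is a root or administrator account whose password is old. The script below is an added example, not code from the article; the account export format, usernames, dates, the list of default account names, and the 90-day inactivity and 365-day password-age thresholds are all constructed assumptions (the article gives no such numbers).

```python
"""Account-hygiene audit over a constructed user export (added example).

Export format, usernames, dates, default-account list and thresholds are
assumptions for this example, not figures from the article.
"""
from datetime import date

AUDIT_DATE = date(2003, 2, 1)          # constructed "today"
INACTIVE_DAYS = 90                     # assumption: disable after 90 days idle
MAX_PASSWORD_AGE_DAYS = 365            # assumption: rotate privileged passwords yearly
DEFAULT_ACCOUNTS = {"guest", "test", "demo", "support"}   # constructed list
PRIVILEGED = {"root", "administrator", "sa"}              # root/admin-style accounts

# Constructed export: last_logon None means the account has never logged on.
EXPORT = [
    {"user": "administrator", "last_logon": date(2003, 1, 30), "enabled": True, "pw_set": date(2001, 3, 1)},
    {"user": "guest", "last_logon": None, "enabled": True, "pw_set": date(2000, 1, 1)},
    {"user": "jsmith", "last_logon": date(2003, 1, 29), "enabled": True, "pw_set": date(2002, 12, 1)},
    {"user": "contractor7", "last_logon": date(2002, 9, 15), "enabled": True, "pw_set": date(2002, 6, 1)},
    {"user": "olduser", "last_logon": date(2002, 1, 5), "enabled": False, "pw_set": date(2001, 6, 1)},
]


def audit(export, today=AUDIT_DATE, inactive_days=INACTIVE_DAYS,
          max_pw_age=MAX_PASSWORD_AGE_DAYS):
    """Return {'disable': [...], 'remove': [...], 'rotate_password': [...]}.

    Accounts that are already disabled are skipped. Default accounts are
    listed for removal outright (they are not needed at all), so they are
    not also reported as inactive.
    """
    disable, remove, rotate = [], [], []
    for acct in export:
        name = acct["user"].lower()
        if not acct["enabled"]:
            continue
        if name in DEFAULT_ACCOUNTS:
            remove.append(name)
            continue
        last = acct["last_logon"]
        idle = (today - last).days if last is not None else None
        if idle is None or idle > inactive_days:
            disable.append(name)             # never used, or idle too long
        if name in PRIVILEGED and (today - acct["pw_set"]).days > max_pw_age:
            rotate.append(name)              # root/administrator password is stale
    return {"disable": sorted(disable), "remove": sorted(remove),
            "rotate_password": sorted(rotate)}


if __name__ == "__main__":
    for action, users in audit(EXPORT).items():
        print(f"{action}: {', '.join(users) or '(none)'}")
```

Privileged accounts are deliberately never placed on the remove list, even when idle: the administrator account is disabled or rotated, not deleted, which matches the article's instruction to change its password rather than remove it.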
- The most likely security incident MSBs will experience is a virus that arrives as part of an e-mail message. Update virus signatures daily or more frequently. Scan for viruses at the firewall and server; do not depend on synchronization of the signature files of desktops and laptops. Perform full scans on all systems, using the latest signatures, to ensure that they are not already infected.
- Protect every Internet connection with a certified firewall. Have a penetration test done against your firewalls (about $20K) and re-configure them and any exposed servers to close all vulnerabilities. Then sign up for a vulnerability scanning service (instead of relying on overtaxed systems administrators; this will cost about $5-10K per year) to make sure it stays secure. Block every port that your business does not require to be open. To minimize operational cost and complexity, MSBs can use appliance-based firewalls or outsource their perimeter security to a managed security service provider.