Thursday, November 14, 2013



Risking the Company Because Security is too Expensive? 5 Cost Effective Security Program Tips for the SMB

Oftentimes business owners reach out to the IT department to secure the company.  Technical security is only a part of the risk, and it is generally the part most heavily loaded with products.  This product-based approach to security leads the business owner to conclude that security is too expensive.  Organizations can start small and grow toward a mature security program over time.  
Business owners need to look at security holistically. Small to mid-sized organizations are challenged with regulations such as PCI, HIPAA, and the Privacy Information Act. They face the same cyber threats as larger corporations, but with a tighter budget and already overworked staff.  

Below is a cost-effective list that will get a security program started.  It may seem complicated or overwhelming at first. As the old adage goes, "Rome wasn't built in a day": it takes time to build a security program in a small business. But if you don't protect your business, remember that "Rome was burned in a day."


TOP 5 Cheap and Easy Security for the SMB
  1. Look beyond your IT person.  Security should be more than a firewall and anti-virus. 
Security involves several facets:

  • Physical controls, e.g. fences, doors, locks and fire extinguishers;
  • Procedural controls, e.g. incident response processes, management oversight, security awareness and training;
  • Technical controls, e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
  • Legal and regulatory or compliance controls, e.g. privacy laws, policies and clauses.
  2. Train your employees.  Security awareness can be FREE.  There are lots of resources out there.  Trained staff will stop a problem before it gets too big. 
  3. Perform vulnerability assessments at a minimum.  There are cheap options out there, and if you need to be PCI compliant the acquiring bank will often offer a program like Control Scan.  Utilize the tools you have. 
  4. Document what you do! Create security policies. The company probably has a shredder and people do shred, yet where is the policy? 
  5. Assign responsibility for the security role.  Measure and manage security; create milestones and projects.  Treat this like any other project or decision in your company: assign it, track it, measure it, put a budget to it. 

Friday, September 13, 2013

Non-Responsive Incident Response: 10 Steps to Avoid the Patch and Proceed Fail


Incident response is more than fixing the immediate and perceived problem.  System and network engineers are excellent technical problem solvers, but when an information security breach happens there is more to it than meets the technical eye.  Root cause analysis, evidence collection, chain of custody, breach notification and disclosure law: these are terms not used in many CCIE or MCSE circles.  When a breach occurs there is much more at stake than just getting the system restored.  There may be legal liabilities, potential contract breaches, and customer reporting requirements.  How the incident is handled can mean the difference between a few extra minutes of downtime and years of paying fines, negative press, lost customers, and large legal fees.
In today's heavily regulated and constantly attacked world it is important to plan ahead and handle security incidents correctly. Since the handling of a security incident is more than a technical issue, it needs to involve more than technical resources. Senior management is required to make decisions that affect the risk to the company; security regulation experts are required to interpret requirements and guide the response; and communications directors are required to ensure an appropriate response to affected customers and to the public.   Too often a system administrator is making all these calls while lacking the proper training, expertise, or responsibility.
In an emergency a measured and effective response is everything.  Organizations that don't prepare for a fire or an active shooter may place themselves in greater danger through their ad-hoc response or even panic.  Without effective information security response planning, your organization may find itself in the same situation when Anonymous comes knocking; a laptop with social security numbers is stolen; or a reporter calls with evidence that your customers' private records have been made public. 

Here are ten steps to planning an effective incident response.
  1. Assign an executive to take on responsibility for the plan and for integrating incident-response efforts across business units and geographies.
  2. Develop categorization of risks, threats, and potential failure modes. Refresh them continually on the basis of changes in the threat environment.
  3. Develop easily accessible quick-response guides for likely scenarios. 
  4. Establish processes for making major decisions, such as when to isolate compromised areas of the network.
  5. Maintain relationships with key external stakeholders, such as law enforcement.
  6. Maintain service-level agreements and relationships with external breach-remediation providers and experts.
  7. Ensure that documentation of response plans is available to the entire organization and is routinely refreshed.
  8. Ensure that all staff members understand their roles and responsibilities in the event of a cyber-incident.
  9. Identify the individuals who are critical to incident response and ensure redundancy.
  10. Train, practice, and run simulated breaches to develop response “muscle memory.” The best-prepared organizations routinely conduct war games to stress-test their plans, increasing managers’ awareness and fine-tuning their response capabilities.

 
When a security incident will next affect your organization may be unknown, but it is nearly certain that one will. The 2013 Data Breach Investigations Report shows a staggering number of attacks on both small and large organizations. 
Without addressing the 10 steps above, your current incident response process is a purely technical response that drives up the damage of any security incident.

Matt Malone
Sr. Security Consultant
SLAIT Consulting
Office: 512-692-0824
Cell: 512-537-8285
matt.malone@slaitconsulting.com
www.slaitconsulting.com

Tuesday, July 16, 2013

Password Security is more than writing down a secure password.


I bought a day planner today and in it I found a section for passwords. I asked myself: is this a day planner or an identity theft kit?  People are extremely hackable because they are predictable and lazy.  I have seen it time and time again.  A newer technique for hackers is to compromise the user's personal account and then attack the corporate system from there.  So a person could lose their job, their identity, and their finances in one very bad day.  The most important thing to do is perform a risk assessment of yourself.  Know your assets, and know how those assets are protected.  Set the protection levels appropriately. 

Example: Accounts are assets, and you protect them with passwords; the data held in the account dictates the complexity of the password.  Have multiple accounts: use one email address for online forms and routine account creation, and use another for banking and any accounts associated with money.

Passwords have been the weakest link for years, and now hackers out of Vietnam, Eastern Europe, and even the US are exploiting this fact.  Secure and safe passwords start with user training.  More and more people are learning from bad experiences, data loss, and identity theft the importance of secure, regularly changed passwords.  The current systems are not bad; it is the users who need training.  If we all start a program of security awareness training then we can change the world.  Hackers often attack the people, not the devices.  Policies are only half the battle: too complex and the users write them down and email them to Yahoo or Gmail accounts; too lax and the hackers have a field day.  Below are some easy ways to remember passwords and some simple security measures for passwords.
Password Protection and Training: 
Password Guessing or Dictionary Attacks are common attacks as well as easy reset questions.  

Use phonetic passwords. If your password is so random that you cannot remember it, you are more likely to write it down or change it to something easy.  That is dangerous!  

Try something like this: use the first letter of each word in a sentence, plus all of its numbers and special characters.
I was married to Julie on December 5th of 2008!  Password: IwmtJoD52008!  Very secure, easy to remember, and it may even help you remember your anniversary.

You can change it every 90 days to:
I was born on ...
My first child John was ....

Use multiple layers of security.  Use your security questions in an easy-to-remember but secure way.  Don't let the hackers reset your password.

Example of an insecure security question answer:
Security Question: What was your first dog's name?  = If you answered SPOT you are not alone, but it is easily guessed.  
Example of a secure security question answer:
Security Question: What was your first dog's name?  = Sp0Tw@smyf1r5td0g  (spotwasmyfirstdog using a replacement value system). Much more secure.

Set up 2 factor authentication when possible.  This can be something like a token device or Google Authenticator.  There are 3 factors of authentication; 2 factor usually means a password plus a token device.  Most mail providers, such as Google, will allow you to add 2 factor authentication to your email.
  • Something you know: Password, PIN
  • Something you have: ATM card, Token Device
  • Something you are:  bio-metrics such as finger print.

Treat your passwords like underwear:
  1. Never Leave them out
  2. Don't share them with others
  3. Change them regularly


Tuesday, June 4, 2013

Security is more than just IT

Security assurance questionnaires are becoming more and more relevant.  Liability is being shuffled around like a hot potato from corporation to corporation.  Your business partners are trusting your business with sensitive data: client names, sales numbers, SSNs, medical records.  Whatever the data, you must not only protect it but prove you can protect it.  Having policies, vulnerability scans, awareness training, and other controls in place is essential.  Most small to mid-sized companies lack the expertise to build an effective security program.  If you believe the IT department is in charge of protecting your data, you will fail an audit.  Business decisions need to be made by business owners, not by IT.  Data classification, personnel policies, BCP and DR, regulatory compliance: these, among many others, fall well outside of IT.  Make sure you are protecting your data and not falling victim to the assumption that security is happening when there is no evidence of it.  A firewall alone will not protect your business.

Monday, March 11, 2013


Tips for an SMB Evaluating MSSPs / security services

Walk into any SMB and ask who is responsible for security at the organization.  They will either point to the guy with the firewall or the security guard roaming the parking lot.  It is more than that; ultimately it is senior management.  They don't know every legal nook and cranny, so they hire an attorney; they don't know every IRS trick, so they hire a CPA.  They don't know security, so they should hire a third-party evaluator, a Virtual Chief Security Officer.   The SMB has the IT mentality, which does not work for security, the law, or financials.  You would never call the IRS and ask them the best way to save money, would you?  Security is about protecting assets.  To the janitor those assets are keys; to HR they are personnel records, both written and electronic; to finance they are the books.  The biggest risk and concern for the SMB is thinking an MSSP is the be-all and end-all that will make you secure.  You still have to be concerned with physical and administrative controls.  Having a third party evaluate your needs and help select a vendor is the best route.  If your needs are being evaluated by the person selling you the service, you are in serious trouble.  Never have the fox build the hen house and then guard it.  A third-party evaluation will be the best money you ever spent, and often a third-party evaluator will end up saving you money. 

Define the Drivers for an MSSP
  • Does the MSSP meet ALL of the regulations?
    ◦ Whether the SMB is trying to reduce risk, must comply with a regulation (PCI, GLBA, HIPAA), or has a security-related contractual obligation with a customer, know the requirements before you start shopping for a product.
  • If you have information security policies, ensure the MSSP can comply with those policies.
  • Know the GAPS between the products and the regulations.

Document Roles and Responsibilities:
If a breach does occur and a lawsuit happens, contracts become evidence.  It is important that everything is clear in the beginning:
  • Documenting up front who is responsible for what will save you in a breach situation and eliminates finger pointing later.
  • Request that the vendor clearly define the services they will be performing in the signed contract.  (For example, not just: Monitoring $1500 per month.)
  • Request that SLAs be put in place, along with responsibility for a breach.
  • Assign an executive management resource to oversee the project.  If a breach occurs the SMB will be sued, not the MSSP.  Executive management has ultimate responsibility for the company and is the only one who can make risk decisions.

Security in small to mid-sized businesses can be tricky.  You don't have to be an expert, but get the advice of an expert.