The 12 Secrets of SMB Security

If after reviewing these 12-Secrets and implementing them you find your Corporate IT Security lacking, we will gladly refund your misery. Of course, we are just joking, by implementing these 12-Secrets, or validating your current implementation of some or all of these policies, you will invariably improve your security.

The aim of this guide is to make you aware of the risks involved when you are dealing with computer network. Whether you have a small or large business, you need to be aware of the risks and must take actions to mitigate these risks as far as possible. Further, analyzing these risks on your own can be costly in the long run as you might not be able to do a thorough analysis yourself of the dangers of these risks. It would therefore be advisable to take a professional help. COPIATECH has done such analysis for a number of businesses and its experts understand the vulnerabilities much better than you can imagine. COPIATECH can help you develop a plan to eliminate all those risks so that you can focus on your business and do not worry about cyber security.

What are you waiting for? Eliminate your security issues by calling or filling out a contact sheet and we will be glad to help you understand the world of IT Security.

Thanks so much for taking the time to read the “The 12 Secrets of SMB Security” series. Please feel free to contact CopiaTECH with any questions about anything you read or your small or medium-sized business and cyber security.

Full disk encryption (or whole disk encryption) is a kind of disk encryption software or hardware which encrypts every bit of data that goes on a disk. The term “full disk encryption” is often used to signify that everything on a disk, including the operating system, is encrypted. There are also programs capable of encrypting an entire disk fully but not capable of directly encrypting the system partition or boot partition of the operating system (e.g. FreeOTFE, GBDE and TrueCrypt which can fully encrypt an entire secondary hard disk). To boot from a fully encrypted disk on a standard personal computer requires hardware assistance as there is otherwise no other way for the BIOS to decrypt and transfer program control to an encrypted master boot record (MBR). There are software programs that can encrypt bootable operating system partitions but they must still leave the MBR, and thus part of the disk, unencrypted.

Why Do I Need Whole Disk Encryption

Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of full disk encryption:

1. Everything including the swap space and the temporary files are encrypted. Encrypting these files is important, as they can reveal important confidential data.
2. With full disk encryption, the decision of which files to encrypt is not left up to users.
3. Support for pre-boot authentication.
4. Immediate data destruction, as simply destroying the cryptography keys renders the contained data useless. However, if security towards future attacks is a concern, purging or physical destruction is advised.

What To Look For In A Solution

* Powerful full-disk, file, and folder encryption
Rest assured that data is securely encrypted whenever it’s stored on desktops, laptops, tablets, and other mobile devices, and that files and folders remain encrypted wherever they travel thanks to industry-standard strong encryption algorithms such as RC5-1024 and AES-256
* Strong access control
Prevent unauthorized access and subsequent data loss with two- and three-factor preboot authentication, which supports many different smart cards and USB tokens; supports single sign-on to minimize hassles for authorized users and password synchronization with Windows
* Synchronized password changes
Propagate password changes that a user makes on one machine to all other machines that the user is assigned
* Centralized management
Centrally define, deploy, manage, and update security policies; maintain central control over user credentials, including synchronization, recovery, and revocation; and generate reports to meet compliance requirements
* Invaluable reporting and auditing capabilities
Support compliance with company, industry, and government regulations using the solution’s capable auditing and reporting features
* Seamless integration with existing infrastructure
Synchronize this solution with Active Directory, LDAP, PKI, and others; supports all Windows operating systems (full 32- and 64-bit Vista support), common languages, and various keyboards; next to that, endpoint encryption supports automatic language detection in preboot based on Microsoft Windows language settings

source:wikipedia.com;safeboot.com

The 12 Secrets of SMB Security

Secret #12: Get Technical Expertise and Outside Help When You Need It

Cost: Low to High depending on the services needed

Technology skill level: Medium to High

Participants: Company Management and Technical support

Good technical assistance is a valuable asset for any business in today’s day and age. You have a business to take care of and cannot possibly manage all the security and risk concerns on your own. Therefore, it is important to have someone who is qualified in this line of work. Even this measure is not totally foolproof as new viruses are discovered on a daily basis.

Unlike most software tools and hardware components, technology security cannot be learned by trial and error. Security is not something which will remain constant. There are new dangers to security at every corner and that is why security measures need to be reassessed frequently. This frequent reassessment will enable you to identify when changes within the organization and new threats require an adjustment to some or all of the protection mechanisms.

But though this is important to have technical assistance, it is equally important to safeguard yourself. Those taking care of your technological security will be aware of your weaknesses and may use them to your disadvantage. Make sure they are able to explain whatever they are doing and how it is going to help you prevent attacks, recognize intrusion and recover if need be.

Hardware and software components are designed for easy installation and use and with the purpose of enhancing security. A wide range of information sharing capabilities are available but should not be used without careful consideration. Additional time and effort is required to implement security, but without it your network can be compromised and your information taken or destroyed without your being aware of anything unusual.

In addition to the Internet attackers attempting to compromise all types of devices for unknown purposes and data snoopers looking for ways to steal personal and financial data, others such as your competitors, current and former employees, and family members may be seeking ways to learn more about your business, employees, and customers. Whether their reasons for snooping are that they are doing it for fun or whether the reason is that they are trying to get at you, the outcome to your organization will be a loss of your business reputation, potential harm to customers, potential fines and penalties, and loss of time while you explain why you let this happen.

The only way to stop such things is by following the best practices of cyber security. Start by asking the individuals handling your technology support how they are addressing the security practices in this booklet and if they need additional assistance.

If you are considering hiring outside assistance, evaluate the following:

1. Review past work experience

2. Review partial client list and ask for references from current customers

3. Ask how long the company has been in business

4. Ask who, specifically, will be assigned to do your work and their qualifications and relevant certifications

5. Ask how they provide support, what is done at your site, and what is done offsite

6. Ask how offsite access is controlled

Make sure you have made arrangements for all of the security practices described in this booklet. If internal staff is handling some of the technical work with the assistance of a consultant, make sure everyone knows what they are to do and how they will work together.

Make sure you have included minimum performance requirements, monitoring mechanisms, and a termination process before establishing any technical security support.

Additional Steps

Through organizations such as the Chamber of Commerce, National Association of Manufacturers, National Federation of Independent Businesses, the Internet Security Alliance, and other peer groups and conferences, ask others about their approach to security and what they feel has been successful.

Establish periodic reviews of your security service, whether it is being handled internally or externally (annually at a minimum and preferably once a quarter) to determine if existing support is sufficient and identify if any further improvements are needed.

This is an example of how we tend to undermine the need for cyber security and how it leads to undesirable consequences.

Venture Capital Research Firm and Law Firm Try to Get by Without Good Technical Assistance—Regret the Decision

A three-person venture capital research firm realized how dependent their business was on the Internet when their e-mail went out due to a virus just before two of the partners were due to take extended business trips. Although the firm received over 600 e-mails a week and used the web as its sole source of promotion, it felt it could not afford a full-time tech expert. The partners had to cancel the business trips fearing they would lose their customers if they could not keep in touch. It took three frantic days of calling around before they found an expert to talk them through their problems.

An Albany NY law firm with about 20 computers lost its network administrator and failed to replace him for six months. When the firm finally brought in consultants, they found a variety of vulnerabilities. In addition, updates had not been applied to the server, the anti-virus software had not been updated, and the license had expired. After the technical consultants turned in their analytical report, but before they had begun to repair the situation, the law firm was hit by a virus. Many of the PCs were affected and hundreds of files were compromised.

Thanks so much for taking the time to read Part 14 of 15 in the “The 12 Secrets of SMB Security” series. Please feel free to contact CopiaTECH with any questions about anything you read or your small or medium-sized business and cyber security.

Please continue on to the final installment, Part 15 in the series, “We will gladly refund your misery”.

The 12 Secrets of SMB Security

Secret #11: Establish and Follow a Security Financial Risk Management Plan; Maintain Adequate Insurance Coverage

Cost: Moderate – a risk management methodology is free

Technology skill level: Low to Moderate

Participants: Representatives of all levels of the organization and technical support.

In order to be effective, security must be available throughout the organization. Having tight security controls but practically non existent organizational security policies, makes no sense and undermines the very nature of the security tools. The best way to ensure that you have good cyber security measures is by having people from various levels develop a plan keeping the technological needs of the business in mind. While planning the following areas must be considered:

1. Security awareness and training for all technology users

2. Organizational security policies and regulations

3. Collaborative security management (partners, third-parties and contractors)

4. Contingency planning and disaster recovery

5. Physical security

6. Network and data security

In the rush of daily activities it is easy to overlook the need for such things as employee security training, contingency planning, and disaster recovery. You may not even be aware of the level of dependency your organization has developed on technology and the potential impact that a failure of one or more components will cause. By developing a security risk management plan, these dependencies will be highlighted and steps to lessen their disastrous effects can be identified. This will help to reduce the potential impact of technology compromise or failure.

Assume that you do not have a security risk management plan. Without a plan, you will have to react to technology compromise or failure as and when it happens. Your options for response will be limited by what you can find when the problem occurs. Also, you will not be in a good position for negotiating the cost of technical assistance or the level of expertise provided. The problem and the loss arising thereof may continue to remain longer than necessary as you attempt to figure out what to do before acting to correct the problem.

To save yourself from such a situation review your disaster recovery and contingency plans. Identify the impact to your business should you experience an extended power failure, flood, or major storm.

Additional Steps

Apply a security risk management methodology design for small business, such as OCTAVE®-S, to identify important technology assets, threats to these assets, and to develop a security plan for your organization. As part of the methodology you will compare your existing security practices with established best practices to identify areas where your organization is vulnerable and seek mechanisms and solutions for addressing the gaps in your existing security practices.

Get technical assistance to perform a vulnerability assessment on your technology environment to assist you in identifying vulnerabilities that pose a major risk to your important technology assets and identify mechanisms for reducing their possible impact.

Here is an example of how security measures could have saved this manufacturer from ruin.

On-Line Retailer Misunderstands Insurance Coverage, Gets Wiped Out by Attack

Thanks to a series of computer attacks, an on-line retailer once valued at over $1 million is ruined. The worst damage was done when the attacker spammed his clients contending the firm was a front for pedophiles (his wife operated a day care center). Direct losses, denial of service, replacing data, customer attrition and PR costs crippled him. Since this was an inside job no reasonable technical measures would have protected him, but appropriate risk management including insurance might have. Unfortunately, the president of the company had misunderstood that his cyber-risk exposures were not covered by his standard property and casualty policy. Standard insurance policies do not cover cyber-risks.* “My business is gone. My wife’s business is gone, now I just hope we can hang on to our house,” said the disheartened former owner.

Cyber insurance, which is now available, might have saved this company. Of course, taking out a separate cyber policy would have added to his operating expenses, but it might have allowed his company to survive the financial consequences of the cyber attack. Some organizations have arrangements in place wherein substantial premium credits on the cyber-insurance premium can be provided to its members who comply with best practices such as those outlined in this guide.

Thanks so much for taking the time to read Part 13 of 15 in the “The 12 Secrets of SMB Security” series. Please feel free to contact CopiaTECH with any questions about anything you read or your small or medium-sized business and cyber security.

Please continue on to Part 14 in the series, “How Geeks are like Boats & Planes”.

The 12 Secrets of SMB Security

Secret #10: Limit Access to Sensitive and Confidential Data

Cost: Moderate to High depending on the options selected

Technology skill level: Moderate to High

Participants: Technical support

If everyone could be trusted there would be no need for security measures anywhere. It is from this lack of trust that the need for security and control mechanisms arises. E-mails should only be viewed by those to whom they are sent. Data files should only be accessed by individuals who have the permission to view them. If the data is stored in files, folders, and databases within your network, you can control who can see and use the contents with an access control list, or ACL. ACLs define who can perform actions on a file or folder such as reading and writing. When access to information cannot be tightly controlled, such as e-mail or a credit card transaction over the Internet, this information can be concealed through a mathematical process called encryption. Encryption transforms information from one form (readable text) to another (encrypted or scrambled text). The encrypted text cannot be understood by most and remains so for people who don’t have the formulas (encryption transformation scheme and the decryption keys) to turn the encrypted text back into readable text. The encryption mechanism must be sufficiently complex or someone with electronic tools could guess the formulas and defeat the encryption.

There is a wide range of people who work in an organization. Employees may be working full time, part-time, on a temporary basis, as contractors and vendors. All these people will have legitimate access to your network but should not have unrestricted access to every piece of information on the network. When a person can access your network, he can see every communication that passes among the devices on your network and can view, modify or destroy the contents. There may be a employees who harbor some grudge against the company. Unfortunately, they have legitimate access to your network. They can initiate programs to search your network communications for credit card numbers, social security numbers, and financial information for criminal intent. They can search for passwords to databases, applications and other networks to expand their access capabilities. It is these dangers which you need to safeguard yourself against.

A few steps can be taken to achieve this objective. Some important ones are:

• Educate employees to use care in sharing sensitive and confidential information electronically.
• Do not use real information for the testing of any new processes.
• Do not use public computers or Internet café computers to access online financial services accounts. Do not make any financial transactions from these places. Use a secure computer to do that.
• Do not disclose personal, financial, or credit card information to any website which you do not have enough information about or suspect.

Additional Steps

Ensure that your browser supports strong encryption (at least 128-bit or 256-bit is possible). Get technical assistance to establish automatic encryption. When possible, try use encryption for all electronic communication that passes outside of your network, and notify the sender when information cannot be sent encrypted.

Get technical assistance to establish ways to encrypt sensitive and confidential information which is stored and shared on the network.

Turn off the caching feature for the browser so sensitive and confidential information is not stored in unprotected temporary locations.

Establish ACL’s for access to all shared files, folders, and databases to assure that access is only available to those who have permission. These lists will have to be altered and maintained over time as staff changes. Further put a restriction on who can update and delete data and files. This allows for greater protection.

Here is an example of how your employees can use information shared on your network for their personal gain.

Credit Union Employee Gets Private Customer Information and Uses It for Personal Gain

The US Justice Department has prosecuted a woman who worked at Sacramento, California, Credit Union. The woman used her firm’s computer to obtain customer account information including names, social security and driver’s license numbers, and addresses to open accounts in the names of others and incur unauthorized charges. Some of the credit card accounts were opened on the Internet. After the phony accounts were established, the defendant made numerous purchases totaling well over $50,000.

Thanks so much for taking the time to read Part 12 of 15 in the “The 12 Secrets of SMB Security” series. Please feel free to contact CopiaTECH with any questions about anything you read or your small or medium-sized business and cyber security.

Please continue on to Part 13 in the series, “Fail to plan and plan to fail”.

How much is enough, well that is a trick question. Implementing and managing network security and access control is a slippery slope. Too much security and business screeches to a halt. Not enough and you are working for the bad guys. So, let’s apply some Common Sense to it.

The 12 Secrets of SMB Security

Secret #9: Implement Network Security with Access Control

Cost: Moderate to High depending on the options selected

Technology skill level: Moderate to High

Participants: Technical support and all network users

Though an organization’s technological environment is often referred to as “the network,” in reality it is a collection of pieces put together in a certain way to meet the technology-specific needs of that organization. Good network security requires access protection for each component on the network including firewalls, routers, switches, and all connected user devices. Otherwise, anyone who could reach your network could locate and harm the network components and services. In addition, remote and portable devices should be required to authenticate themselves to the network so that it is possible to limit who can see and access the network services such as databases, shared files and printers. Access to important data should be limited to the relevant users and should not be made available to all employees. This not only helps in preventing sensitive information from leaking out but also prevents unauthorized persons from intentionally or unintentionally corrupting the data.

A firewall acts as a buffer between the components of your network and the external environment. It helps in keeping out undesirable and harmful content from the network. Other techniques, such as proxy servers and network address translation (NAT) can help in further adding protection limiting the information an outsider can have access to. This helps in preventing them from learning about the components used in your technology environment making it more difficult for attackers to find vulnerabilities.

The more access restrictions you can legitimately place on your network using blocking capabilities within the firewall and other similar services, the easier it will be to keep it secure.

Special Considerations

Good access control is critical for wireless access since use of this type of connectivity is less visible. It is not uncommon for someone sitting in a car in the parking lot to be able to access an unsecured wireless network and destroy or damage everything on the entire network. You may have a wireless or remote access (dial-in) connection to your network and not realize it, since many vendors install them to provide remote support capabilities.

The ability to reach and use services on your network from outside (called remote access) is extremely valuable for traveling employees, suppliers, and customers. Remote access also allows technology vendors to provide support for critical network services quickly without having to travel to your site. Employees can and do add remote access devices (dial-in) directly to their computer so they can work from offsite. Use of this type of network access requires careful control, or anyone who happens to find the access point using simple scanning tools can get into the network and alter or destroy information. Instant messaging, chat sessions, and music-sharing capabilities establish other routes (peer-to peer) into the network, bypassing many of the traditional network security mechanisms. These options are a growing source of harmful codes and must be used carefully.

What Happens without a Good Network Security?

Attackers are constantly putting up devices on the Internet with programs such as query functions which looks for weaknesses in your system. Unprotected systems are infected within minutes after connectivity is established especially when Internet access is available through cable modems, digital subscriber lines (DSL), or other high-speed connections. As we know, one infected device can put all other devices on the network at risk since it can be used as an inside source for locating weaknesses in the network and attacking them.

Unfortunately, not all attackers are external to the organization. Jealousy makes people do irrational things. Employees can compromise fellow employee machines using tools readily available from the Internet when there is poor network security. These tools allow them to spy on others’ actions, view information outside of their job function, stalk and harass others, and plant inappropriate content on others’ machines. This is one of the simplest ways to exact revenge from the person you want to without getting caught. The best way to avoid such a situation is by being more aware of cyber security practices.

Access to each component on the network should be limited to protect it from improper access and harm. Basic access protection can be implemented using strong passwords.

Establish procedures to turn off the file and printer sharing feature on each computer unless it is in use, particularly when accessing the Internet using cable modems, digital subscriber lines (DSL), or other high-speed connections.

Instruct employees to disconnect from the Internet by turning off the online session and turn off their computer when it is not in use.

Access to network protection devices such as firewalls, switches, and routers should be further limited to only those individuals responsible for the maintenance and support of these components.

Knowledge of the passwords for each component should be limited to two people–the primary user and the person responsible for creating and maintaining backups.

Try and ensure that the vendor providing component support should exercise the same level of caution.

Do not select the option on web browsers for storing or retaining user name and password.

Make sure that authentication for wireless and remote access is required.

Additional Steps

Consider the use of smart cards or other hardware tokens for remote access to network-critical components, especially the firewall, switches, and routers. Educate employees in the use of these devices along with the reason for their use, and assign the responsibility to the employee in the event of loss or destruction.

Get technical assistance to establish intrusion/detection monitoring to make sure the network is being used as expected without internally – or externally – generated interference.

Following is an example of how emails are used as a means of extorting money not only from large businesses but also from smaller ones.

Cyber Blackmail Goes Mainstream

Once perpetrated predominantly against wealthy individuals or major corporations to extract large payouts, cyber blackmail has now become prevalent even in smaller business. Office workers are now widely reporting being the targets of an extortion scam that seems to target almost anyone with an e-mail address. The e-mail demands that the recipient make an on-line payment of a small sum of money, usually $20-$30 dollars. If the recipient fails to comply, the sender threatens to attack the company’s computer system and wipe out sensitive files or upload child pornography. Unsuspecting victims often opt to pay the extorter rather than risk the possibility of attack or embarrassment. Consequently, many instances of cyber extortion go unreported and investigations are not conducted.

Thanks so much for taking the time to read Part 11 of 15 in the “The 12 Secrets of SMB Security” series. Please feel free to contact CopiaTECH with any questions about anything you read or your small or medium-sized business and cyber security.

Please continue on to Part 12 in the series, “What to do with your secret sauce.”.