You must be this tall to ride the security ride


Pete Caro, Joel Wilbanks and Shlomo
ShmooCon 4
Bruce Potter says it’s “like a short range sawed off shotgun”
What is this talk all about? Why are we here?
- Nov 07 – Joel, Pete and Shlomo decide to submit a paper to ShmooCon 4
- The paper, 'You Must Be This Tall to Ride the Security Ride', was going to be all about how small business couldn't possibly afford IT security for themselves
- It turns out we were wrong....
What we found out was that small business can secure themselves pretty effectively, if they do it right
- So a small business, as defined by the US SBA:
  - No more than $750,000-32,500,000 revenue
  - No more than 500-1500 people
  - Industry dependent
- Doing security right depends on:
  - Knowing your actual risks and threat space
  - The IT security industry doing our job right
- Turns out small businesses might even have it easier than big businesses
How we first saw it
[Slide diagram: a single set labelled "Small and Large Business Threats", containing:]
- Phishing
- Spyware
- Spam
- Script Kiddies
- Botherder
- "Acts of God" (or Man)
- Viruses
- Worm
- Insiders
- Spear Phishing
- Other
- Organized Crime
- Nation-State Attack
- Industrial Espionage
Security, what we thought everyone needed at first
- Anti-virus, HIDS, HIPS, IDS, IPS, Firewalls, Sniffers, Anti-malware, Anti-spam, Honey pots, Encryption at rest/transit, Biometrics, Smartcards, PKI, Single Sign On, Remote access, VPNs, Security Admins, SIMs, Traffic Analysis tools, Patch management, Vulnerability testing, Penetration testing, PII protection, HIPAA, SOX, regulatory compliance.... etc
- But everyone has a different risk level and different security requirements
Quick combination of security and threats
- Makes you think you have to buy everything and mitigate every threat
- Thinking like that is insane, and the costs are prohibitive anyway
[Chart: "Effectiveness of Security Features", vertical axis from 0 to 100%, horizontal axis "Cost" from 0 to ∞]
A realistic threat picture
- Generally small organizations face most of the same threats and only a few that are different
- The ROI for hacking small businesses is lower – they are simply less attractive targets
- Don't buy into the hype, conduct a risk assessment and figure out the ground truth
How we see it now
[Slide diagram: the threats split into two sets]
Large Business Threats:
- Spear Phishing
- Other
- Organized Crime
- Nation-State Attack
- Industrial Espionage
Small Business Threats:
- Phishing
- Spyware
- Spam
- Script Kiddies
- Zombie Bot Masters
- "Acts of God" (or Man)
- Viruses
- Worm
- Insiders
The trick is to shoot for the amount of security protection you actually need
- Be realistic about the threats you face
- Implement a risk-based level of security that mitigates actual threats, not all threats
- Make the right security choices based on your threat exposure
- Don't try to prevent or even mitigate every single existing and emerging threat – prevent and mitigate enough to stay in business
- Don't be overwhelmed by the plethora of security services, products and threats
Some general ideas
- Managed security services
- Turn key solutions
- Push security responsibilities down to non-security personnel
- Use proven products and techniques
- Leverage automation
- Be realistic in your approach to security
Stick to your core competency, as a small business this probably isn't information security
- Email – servers, web access, spam filters, etc
- IT support – help desk services, system administration, etc
- Web presence – web servers, outage monitoring, e-storefronts
- Custom or line of business applications
All of these services have security aspects
Minimize exposure of sensitive, proprietary, and PII data
- Don't improperly use SSNs – employee numbers, etc
- Avoid system design which requires multiple data stores
- If you need to share info consider an intranet instead of the internet
- Wireless
- Mobile data (HDD, USB drive) encryption
- Each instance of data needs to be secure; more instances, more security costs
Don't utilize devices designed for home/recreational use for business purposes
- iPhones - &@!^#*&@^#&
- Personally-owned computers, PDAs, etc
- Home versions of OSes, and to a certain extent free ones
- These devices often aren't designed with adequate security in mind, and even when they are you can't secure them all the time
Authentication and Encryption
- RSA is a household name for a reason, it wasn't easy to invent – neither was PKI
- Two words – Rainbow tables
- Multi-factor authentication
- Dual-sided SSL – servers and clients should both authenticate the other party
- Use strong and proven encryption
- Identity proofing: verify that who they claim to be is who they really are
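The "Two words – Rainbow tables" bullet deserves a concrete illustration. The following is an added example, not code from the slides or from any product named on them: it contrasts the unsalted hash a precomputed rainbow table is built against with a salted, slow key-derivation record, using only Python's standard library. The function names, the record format and the sample passwords are this example's own assumptions.

```python
"""Added example (not from the ShmooCon slides or any product named on them):
what the "Two words - Rainbow tables" bullet is warning about, and the
standard-library answer to it.

A rainbow table is a precomputed table mapping unsalted password hashes back
to passwords, so any store of unsalted digests can be reversed by lookup.
Two defences shown here:
  1. a random per-user salt, so the same password yields different stored
     values for different users and no single precomputed table applies;
  2. a slow key-derivation function (PBKDF2-HMAC-SHA256), so each guess and
     each table entry costs real CPU time.
The function names, the record format and the sample passwords are this
example's own assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # work factor; raise it as hardware gets faster
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def unsalted_sha1(password: str) -> str:
    """The pattern a rainbow table targets: same password, same digest, everywhere."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None,
                   iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64 fields).

    Storing the parameters next to the hash lets the work factor be raised
    later without invalidating records that were written earlier.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and parameters and compare."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison: elapsed time must not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def compare_schemes(password: str) -> dict:
    """Store one password for two users under both schemes and report what
    someone holding the stored values would see."""
    unsalted = [unsalted_sha1(password) for _ in range(2)]
    salted = [store_password(password) for _ in range(2)]
    return {
        # identical digests: one table lookup exposes every account sharing the password
        "unsalted_digests_identical": unsalted[0] == unsalted[1],
        # different records: a table would have to be rebuilt for every salt
        "salted_records_identical": salted[0] == salted[1],
        "salted_verify_ok": all(verify_password(password, r) for r in salted),
        "salted_wrong_password_rejected": not verify_password(password + "x", salted[0]),
    }


if __name__ == "__main__":
    for key, value in compare_schemes("correct horse battery").items():
        print(f"{key}: {value}")
```

The record keeps its algorithm name and iteration count alongside the salt, so a later migration to a higher work factor can be done per user at their next login rather than by resetting every password at once.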
User security awareness training – how to prevent stupid users from impacting security
- Phishing, malicious email, Nigerian scams, spear phishing, etc
- Social engineering, phones, physical security, etc
- Use encrypted password stores instead of post-it notes
- They are the last and first line of defense
- Training is the only plausible answer
Systems and App hardening
- Enable security features shipped with products
- Retire discontinued and EOL systems and products
- Patch systems in operation
- Run malware (spyware, viruses, etc) protection
- Disable services you don't need
Practice secure destruction – cheap but important
- Recycling is good, but data gets recycled too.
- Secure destruction – it's cheap
- Enforce security on capable devices, use the total delete capability on ones with the feature
Remote access – why telecommuting isn't always a good idea
- Webmail application vulnerabilities – OWA etc
- You can't control the security posture or disposition of personal equipment
- Limit telecommuting access to essential services only
- Implement secure VPN access
Remember we said it depends on the security industry doing the right thing? Sometimes we make it worse...
- Linux tools – free, neat and effective but they require almost on-the-fly development to make 'em work
- Too often we ignore the needs of small networks
- Not enough professionalization
- Sales creep – plug and play security often isn't
- Cumbersome security – Deny or Allow?
- Security turned off by default – why?!
- Too much data – we have as many security logs as data
Here are some random things we can do to make things better for small business
- Better tools: 10 years ago there were no tools, let's keep going
- More automation: let's reduce the amount of manual labor involved in security
- Professionalization: work together to make security practitioners a known quantity
- Licensing: sometimes our definition of small business does not reflect the reality of being a small business
- Accountability: hold product vendors accountable for security flaws
Conclusion
- Security is achievable for most small businesses – but it's complicated
- Size, data value and resources impact the threats and responses
- We need to keep working to provide better tools for small business – and everyone else
- Think about the children
ShmooCon 4
Phreaknik 2007, GDead says "defense in depth is dead"
Defense in depth IS dead—long live intelligent defense in depth.