You must be this tall to ride the security ride
Pete Caro, Joel Wilbanks and Shlomo
ShmooCon 4
Bruce Potter says it’s “like a short range sawed off shotgun”
What is this talk all about? Why are we here?
Nov 07 – Joel, Pete and Shlomo decide to
submit a paper to ShmooCon 4
The paper – ‘You Must Be This Tall to Ride the
Security Ride’ was going to be all about how
small business couldn’t possibly afford IT
security for themselves
It turns out we were wrong….
What we found out was small business can secure themselves
pretty effectively, if they do it right
So a small business, as defined by the US SBA:
No more than $750,000 to $32,500,000 in revenue
No more than 500 to 1,500 employees
The exact thresholds are industry dependent
Doing security right depends on
Knowing your actual risks and threat space
The IT security industry doing our job right
Turns out small businesses might even have it
easier than big businesses
How we first saw it
Small and Large Business Threats
· Phishing
· Spyware
· Spam
· Script Kiddies
· Botherder
· “Acts of God” (or Man)
· Viruses
· Worm
· Insiders
· Spear Phishing
· Other Organized Crime
· Nation-State Attack
· Industrial Espionage
Security, what we thought everyone needed at first
Anti-virus, HIDS, HIPS, IDS, IPS, Firewalls,
Sniffers, Anti-malware, Anti-spam, Honey pots,
Encryption at rest/transit, Biometrics,
Smartcards, PKI, Single Sign On, Remote access,
VPNs, Security Admins, SIMs, Traffic Analysis
tools, Patch management, Vulnerability testing,
Penetration testing, PII protection, HIPAA, SOX,
regulatory compliance… etc
But everyone has a different risk level and
different security requirements
Quick combination of security and threats
Makes you think you have to buy everything
and mitigate every threat
Thinking like that is insane, and the costs are
prohibitive anyway
[Chart: Effectiveness of Security Features (0 to 100%) plotted against Cost (0 to ∞)]
A realistic threat picture
Generally small organizations face most of the
same threats and only a few that are different
The ROI for hacking small businesses is lower –
they are simply less attractive targets
Don’t buy into the hype, conduct a risk
assessment and figure out the ground truth
How we see it now
Large Business Threats
· Spear Phishing
· Other Organized Crime
· Nation-State Attack
· Industrial Espionage
Small Business Threats
· Phishing
· Spyware
· Spam
· Script Kiddies
· Zombie Bot Masters
· “Acts of God” (or Man)
· Viruses
· Worm
· Insiders
The trick is to shoot for the amount of security protection you
actually need
Be realistic about the threats you face
Implement a risk-based level of security, one that
mitigates actual threats, not all threats
Make the right security choices based on your
threat exposure
Don’t try to prevent or even mitigate every
single existing and emerging threat – prevent
and mitigate enough to stay in business
Don’t be overwhelmed by the plethora of
security services, products and threats
Some general ideas
Managed security services
Turn key solutions
Push security responsibilities down to non-security personnel
Use proven products and techniques
Leverage automation
Be realistic in your approach to security
Stick to your core competency, as a small business this
probably isn’t information security
Email – servers, web access, spam filters, etc
IT support – help desk services, system
administration, etc
Web presence – web servers, outage
monitoring, e-storefronts
Custom or line of business applications
All of these services have security aspects
Minimize exposure of sensitive, proprietary, and PII data
Don’t misuse SSNs – as employee numbers, etc
Avoid system design which requires multiple
data stores
If you need to share info consider an intranet
instead of the internet
Wireless
Mobile data (HDD, USB drive) encryption
Each instance of data needs to be secure, more
instances more security costs
Don’t utilize devices designed for home/recreational use for
business purposes
iPhones - &@!^#*&@^#&
Personally-owned computers, PDAs, etc
Home versions of OSes, and to a certain extent
free ones
These devices often aren’t designed with
adequate security in mind, and even when they
are you can’t secure them all the time
Authentication and Encryption
RSA is a household name for a reason, it wasn’t
easy to invent – neither was PKI
Two words – Rainbow tables
Multi-factor authentication
Dual-sided SSL – servers and clients should both
authenticate the other party
Use strong and proven encryption
Identity proofing – verify that people are who
they claim to be
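The slide above leaves “Rainbow tables” and “Multi-factor authentication” as two-word hints. The Python below is an added illustration, not code from the original talk: it shows why a precomputed hash table cracks an unsalted MD5 password instantly but is useless against a per-user salt combined with a deliberately slow KDF, and it implements a standard TOTP second factor (RFC 6238 on top of HOTP, RFC 4226), checked against the RFCs’ published test vectors. The wordlist, the “letmein” password and the 16-byte salt are constructed sample data; the RFC test secret is the one the RFCs publish.

```python
"""Added example (not from the ShmooCon talk): salted, slow password hashing
versus a precomputed lookup table, plus a TOTP second factor."""
import hashlib
import hmac
import os
import struct
import time

# --- Part 1: rainbow tables vs. salted, slow hashing -----------------------
# Constructed sample wordlist; a real precomputed table holds billions of entries.
WORDLIST = ["password", "letmein", "123456", "Welcome1", "qwerty"]


def unsalted_md5(password):
    """What a naive system stores: the same digest for every user with this password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Attacker's one-time cost: precompute digest -> password for the wordlist."""
    return {unsalted_md5(w): w for w in wordlist}


def crack_unsalted(digest_hex, table):
    """One dictionary lookup recovers the password for every user sharing it."""
    return table.get(digest_hex)


PBKDF2_ROUNDS = 200_000  # tune so one verification costs ~100 ms on your hardware


def hash_password(password, salt=None):
    """Return (salt, key). A fresh random 16-byte salt makes every record unique."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def verify_password(password, salt, stored_key):
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)  # constant-time comparison


def crack_salted(salt, stored_key, wordlist):
    """No precomputed table helps: the attacker reruns the slow KDF per user, per guess."""
    for w in wordlist:
        if verify_password(w, salt, stored_key):
            return w
    return None


# --- Part 2: a second factor (TOTP, RFC 6238, built on HOTP, RFC 4226) -----
def hotp(secret, counter, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def verify_totp(secret, code, for_time=None, step=30, window=1):
    """Accept the current step and +/- `window` steps to tolerate clock skew."""
    if for_time is None:
        for_time = int(time.time())
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, for_time + k * step, step), code):
            return True
    return False


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted MD5 cracked by lookup:", crack_unsalted(unsalted_md5("letmein"), table))
    salt, key = hash_password("letmein")
    print("salted key found in table?", crack_unsalted(key.hex(), table))  # None
    print("salted guess still possible, but per user and slow:", crack_salted(salt, key, WORDLIST))
    secret = b"12345678901234567890"  # RFC 6238 test secret (SHA-1)
    print("TOTP at T=59:", totp(secret, 59), "accepted:", verify_totp(secret, totp(secret, 59), 59))
```

The salted half is the answer to “rainbow tables”: the table is built once per hash function, so any scheme where two users with the same password produce the same stored value is vulnerable, and the salt plus a slow KDF removes that property. The TOTP half is the cheapest second factor a small business can deploy; a skew window of one step is the usual compromise between usability and replay exposure.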
User security awareness training – how to prevent careless
users from impacting security
Phishing, malicious email, Nigerian scams, spear
phishing, etc
Social engineering, phones, physical security, etc
Use encrypted password stores instead of post-it
notes
They are the last and first line of defense
Training is the only plausible answer
Systems and App hardening
Enable security features shipped with products
Retire discontinued and EOL systems and
products
Patch systems in operation
Run malware (spyware, viruses, etc) protection
Disable services you don’t need
Practice secure destruction – cheap but important
Recycling is good, but data gets recycled too.
Secure destruction – it’s cheap
Enforce security on capable devices, use the
total delete capability on ones with the feature
Remote access – why telecommuting isn’t always a good
idea
Webmail application vulnerabilities – OWA etc
You can’t control the security posture or
disposition of personal equipment
Limit telecommuting access to essential services
only
Implement secure VPN access
Remember we said it depends on the security industry
doing the right thing? Sometimes we make it worse…
Linux tools – free, neat and effective but they
require almost on-the-fly development to make
‘em work
Too often we ignore the needs of small networks
Not enough professionalization
Sales creep – plug and play security often isn’t
Cumbersome security – Deny or Allow?
Security turned off by default – why?!
Too much data – we have as many security logs
as data
Here are some random things we can do to make things
better for small business
Better tools: 10 years ago there were no tools,
let’s keep going
More automation: let’s reduce the amount of
manual labor involved in security
Professionalization: work together to make
security practitioners a known quantity
Licensing: Sometimes our definition of small
business does not reflect the reality of being a
small business
Accountability: Hold product vendors
accountable for security flaws
Conclusion
Security is achievable for most small
businesses – but it’s complicated
Size, data value and resources impact the
threats and responses
We need to keep working to provide better
tools for small business – and everyone else
Think about the children
Phreaknik 2007, GDead says “defense in depth is dead”
Defense in depth IS dead—long live intelligent
defense in depth.