Ordering off the Security Menu

In a column that ran earlier this month, I took a look at 'defense in depth' for small business -- well, actually, for all businesses. In this follow-up article, I'll lay out a basic list, or menu, of security technologies and processes that business and technical folks should consider.

I call it a menu because it's a list that you can pick and choose from. Some technologies and processes may apply to your business, while others may not. Let this serve as a guide and choose from it based on risk factors and needs.

  • Documentation -- This is often a dirty word to IT and small business. The fact is that documentation is needed to ensure continuity. Even if you are a one-person IT shop, can you remember all of your firewall and Internet router settings after one year? Documentation is invaluable for disaster recovery, as well as for training new people and communicating with teams.

  • Formally Assign Duties -- If there are security tasks to be performed, make sure you identify who will do each task and write out a schedule to follow. Unassigned tasks are apt to be skipped or done in a haphazard manner. Consider creating checklists for people to date and sign when tasks have been completed.

  • Change Management -- The owner of an accounting practice was telling me he always has issues with his accounting software after the vendor applies updates. To limit the damage from such issues, at a minimum make sure you have full, restorable backups of the application and database before ever applying a patch. Ideally, have a small test system where you can install the patch first and run through a series of tests to validate that the new functionality works as intended and that existing functions still do.

  • User IDs and Passwords -- Small businesses frequently skip user IDs and passwords at the operating system and application/database layers out of a mixture of trust and a desire for simplicity and expediency. This absence of access controls creates a serious security hole. First, once someone gains access to one of these systems, they have full control of it. Second, with a unique user ID and password for each user, you have a log to fall back on: you can find out who may need training in the event of errors, or determine when and by whom a mistake was made. Shared or absent accounts give you neither.

  • Password Rules -- Bear in mind some simple rules about passwords.
    -- Make them at least eight characters long and a mix of letters, numbers and symbols; longer is better, and a passphrase of several unrelated words is both longer and easier to remember than a short string of symbols;
    -- Have them expire every 60 days in case someone steals both a user ID and a password. (Current guidance, such as NIST SP 800-63B, instead recommends forcing a change when compromise is known or suspected rather than on a fixed schedule, because scheduled expiry pushes users toward predictable variations of the same password; if you do expire passwords, screen new ones against a list of common and previously breached passwords.);
    -- Have the system lock an account after three to five failed attempts at getting the password right. Investigate why an account is locked rather than simply resetting it;
    -- Don't allow people to write their user ID or password on a note and stick it to their monitor or under their keyboard;
    -- Remove or disable default accounts such as "administrator" or "guest". If you can't, then at least give them a strong, unique password;
    -- On a daily or weekly basis, check the logs of access attempts to look for abnormal behavior, such as repeated failures against one account, a single source trying many accounts, or logins at unusual hours.

  • Limit Rights -- A cardinal rule of security, least privilege, is to give users as few rights as they need to do their jobs and no more. This means that a person in accounts receivable only gets what he or she needs to perform that job. This keeps people out of parts of the system where they don't belong, and it limits what an attacker who takes over that person's account can reach.

  • System Logs -- Be sure to log access and important transactions, and make sure someone reviews the logs on a daily or weekly basis. This helps safeguard against errors as well as security breaches. Logs that no one reviews will never warn you of anything; at best they help reconstruct what happened after the fact.

  • Monitoring & Alerting -- Determine how automatic systems can be set up to monitor the network and servers and generate alerts about suspicious activity. Alerts are often simple to set up and worth their weight in gold, provided they are tuned so that each one means something; a flood of noisy alerts ends up ignored.
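
A concrete illustration of the log review called for under Password Rules, System Logs, and Monitoring & Alerting, added here as an example and not part of the original column. It runs three checks over a handful of constructed OpenSSH-style log lines (invented for this example, not taken from a real server): accounts that reach the lockout threshold of failed attempts within a time window, a single source address trying several different accounts, and any attempt against default accounts such as administrator or guest that should have been disabled. The thresholds, account names, host name and addresses are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in OpenSSH/syslog format; the host, users and
# addresses are invented for this example.
SAMPLE_LOG = """\
Mar  3 02:14:00 fileserver sshd[2201]: Failed password for administrator from 203.0.113.5 port 4422 ssh2
Mar  3 02:14:01 fileserver sshd[2202]: Failed password for administrator from 203.0.113.5 port 4423 ssh2
Mar  3 02:14:02 fileserver sshd[2203]: Failed password for administrator from 203.0.113.5 port 4424 ssh2
Mar  3 02:14:03 fileserver sshd[2204]: Failed password for administrator from 203.0.113.5 port 4425 ssh2
Mar  3 02:14:04 fileserver sshd[2205]: Failed password for administrator from 203.0.113.5 port 4426 ssh2
Mar  3 02:14:05 fileserver sshd[2206]: Failed password for invalid user guest from 203.0.113.5 port 4427 ssh2
Mar  3 08:00:01 fileserver sshd[2301]: Accepted password for alice from 192.168.1.20 port 50112 ssh2
Mar  3 08:00:05 fileserver sshd[2302]: Failed password for bob from 192.168.1.31 port 50113 ssh2
Mar  3 08:00:09 fileserver sshd[2303]: Failed password for bob from 192.168.1.31 port 50114 ssh2
Mar  3 08:00:12 fileserver sshd[2304]: Accepted password for bob from 192.168.1.31 port 50115 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Built-in accounts the Password Rules item says to remove or disable;
# any attempt against them deserves a look. Assumed list for the example.
DEFAULT_ACCOUNTS = {"administrator", "guest", "root"}


def parse(log_text):
    """Turn matching sshd lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def lockout_candidates(events, threshold=5, window=timedelta(minutes=15)):
    """Accounts with at least `threshold` failures inside any `window`.
    Returns {user: highest failure count seen within one window}."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["user"]].append(e["ts"])
    hits = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def spraying_sources(events, min_users=2):
    """Source addresses whose failed attempts touch several distinct accounts."""
    users_by_src = defaultdict(set)
    for e in events:
        if e["result"] == "Failed":
            users_by_src[e["src"]].add(e["user"])
    return sorted(src for src, users in users_by_src.items() if len(users) >= min_users)


def default_account_attempts(events):
    """(user, source) pairs for any attempt, failed or not, against a default account."""
    return sorted({(e["user"], e["src"]) for e in events if e["user"] in DEFAULT_ACCOUNTS})


def report(log_text, threshold=5):
    """Run all three checks over one log export."""
    events = parse(log_text)
    return {
        "lockouts": lockout_candidates(events, threshold=threshold),
        "spraying": spraying_sources(events),
        "default_accounts": default_account_attempts(events),
    }


if __name__ == "__main__":
    for name, finding in report(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Against a real log export the threshold and window should match the lockout policy the system enforces. A lockout whose source address nobody recognizes, at an hour nobody works, is exactly the case the Password Rules item says to investigate rather than reset, and the same report run on a schedule is the cheapest form of the monitoring and alerting described above.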

  • Physical Access -- Limit physical access to servers, wiring closets, and system backups. If someone can pick up tapes, or even entire servers, and walk away, you've totally lost control. Keycard and keycode access would be ideal, because both create access logs. Tell employees not to let strangers wander around in critical areas.

  • Firewalls -- Any organization with access to the public Internet needs a firewall. There are tons of models with a mile-long list of features. The question isn't whether you need one; the question is which one, and that is partially determined by the amount of traffic you get and the features you want. Whichever you choose, start from a default-deny rule base and open only the ports and protocols the business actually uses. There are some important caveats to bear in mind with any firewall. A firewall that isn't monitored and maintained with updates creates a false sense of security. An organization that invests in a firewall also needs to determine how IT will review the logs and keep the system current. This may be a prime activity to outsource in part or entirely.

  • Detection & Prevention -- An Intrusion Detection System (IDS) is a passive monitoring system that generates alerts based on suspicious activity, either at the network or at the host level. An Intrusion Prevention System (IPS) sits inline and reacts: it can drop or block traffic it judges malicious or take other measures to counter perceived attacks, which also means a false positive can cut off legitimate traffic. To be done right, these systems are high maintenance. If an organization puts one in and never reviews and updates the unit, it is again creating a false sense of security. Make the time, or outsource the work, to do it right.

  • Anti-Virus & Anti-Malware -- This is one category that all businesses need on their desktops, notebooks, and servers, especially email and file servers. The traditional anti-virus products are rapidly evolving to deal with threats such as viruses, worms, Trojans, spyware, and malware carried by spam. Key attributes to look for include automatic signature updates, system reports, and a central report of detections on all workstations, so that a machine whose agent has stopped updating stands out. Bear in mind that signatures lag behind new malware, so anti-virus is one layer of the defense, not the whole of it.

  • System Backups -- Reliable backups are the failsafe in the event that data is destroyed or corrupted. But a few key processes are often missing from the backup plan. Review backups and job logs to ensure the backups actually completed. And there must be routine restoration tests to confirm that the data was backed up with integrity; there are many cases where people backed their systems up daily only to find out, when the data was needed most, that the tapes were corrupt. In addition, store copies off site, and keep at least one copy that cannot be overwritten from the production network, so that the incident that destroys the live data cannot take the backup with it.
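
The restoration test the item above calls for, as an added example rather than anything from the original column: back up a directory, record a SHA-256 manifest of the live files, restore the archive into a fresh location, and compare every restored file with the manifest. It then flips one byte in the archive to stand in for a bad block on a tape and shows that the same check reports the damage instead of silently passing. The sample files are constructed here, and the archive layout, manifest format and function names are this example's own, not those of any particular backup product.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir to a .tar.gz and return {relative path: sha256} taken
    from the live files. The manifest is kept apart from the archive so that
    a later restore can be judged against what was actually backed up."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(src_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(str(path), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest, restore_dir):
    """Restore into restore_dir and compare each file with the manifest.
    Returns a list of problems; an empty list means the backup restores intact."""
    restore_dir = Path(restore_dir)
    restore_dir.mkdir(parents=True, exist_ok=True)
    problems = []
    # Newer Pythons ship extraction filters that refuse path-traversal members;
    # use the "data" filter whenever the interpreter provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(str(restore_dir), **extract_opts)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc!r}")
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def simulate_bad_media(archive_path):
    """Flip one byte in the middle of the archive, as a failing tape or disk might."""
    archive_path = Path(archive_path)
    data = bytearray(archive_path.read_bytes())
    data[len(data) // 2] ^= 0xFF
    archive_path.write_bytes(data)


def demo():
    """Back up a constructed data set, then run the restoration test twice:
    once against the intact archive and once after a byte has been corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "accounting"
        (src / "ledgers").mkdir(parents=True)
        # Constructed sample data, not real business records.
        (src / "ledgers" / "2024-q1.csv").write_text(
            "date,account,amount\n" + "2024-01-05,4010,1250.00\n" * 200)
        (src / "clients.db").write_bytes(bytes(range(256)) * 64)
        archive = tmp / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest, tmp / "restore_clean")
        simulate_bad_media(archive)
        corrupt = verify_restore(archive, manifest, tmp / "restore_corrupt")
    return clean, corrupt


if __name__ == "__main__":
    clean, corrupt = demo()
    print("intact archive:", clean or "all files restored and verified")
    print("corrupted archive:", corrupt)
```

A backup job that reports success tells you only that the write finished; the manifest comparison after a restore is what tells you the data can actually come back. Keeping the manifest with the off-site copy, rather than only on the server being backed up, means the check still works when that server is the thing that was lost.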

  • Encryption -- Encryption is only as strong as its weakest part. The strength of the encryption routine (a current, well-reviewed algorithm with an adequate key length), the quality of the password or passphrase from which the key is derived, how the keys are stored, and the rate at which keys change all affect how secure the data is. A strong algorithm protecting data under a guessable password protects nothing, because an attacker who obtains the encrypted file can try passwords offline at leisure.
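
To show why the Encryption item above and the Password Rules item both hinge on the password, here is an added example that is not part of the original column. A key is derived from a password with PBKDF2-HMAC-SHA256, as most password-based file and disk encryption does, and then an offline dictionary attack is run against it with a small constructed wordlist. The password "Summer2024!" satisfies the eight-character, mixed-character rule yet falls on the fourth guess; the longer passphrase does not. The wordlist, the two passwords and the iteration count are this example's assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the multi-million-entry wordlists attackers actually use.
COMMON_PASSWORDS = ["password", "123456", "Welcome1", "Summer2024!", "letmein", "Qwerty12"]


def derive_key(password, salt, iterations, length=32):
    """Stretch a password into a fixed-length key with PBKDF2-HMAC-SHA256.
    The iteration count is the knob that makes each guess cost the attacker time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=length)


def dictionary_attack(target_key, salt, iterations, candidates):
    """What an attacker does with a stolen encrypted file: the salt and iteration
    count are stored beside the ciphertext, so every guess can be tried offline.
    Returns the recovered password, or None if no candidate matches."""
    for guess in candidates:
        if hmac.compare_digest(derive_key(guess, salt, iterations), target_key):
            return guess
    return None


def demo(iterations=50_000):
    """Derive keys for a rule-compliant but common password and for a passphrase,
    then attack both with the same wordlist."""
    salt = os.urandom(16)  # unique per file, so identical passwords yield different keys
    weak_key = derive_key("Summer2024!", salt, iterations)
    strong_key = derive_key("coral-ledger-mitten-vapor-47", salt, iterations)
    return (
        dictionary_attack(weak_key, salt, iterations, COMMON_PASSWORDS),
        dictionary_attack(strong_key, salt, iterations, COMMON_PASSWORDS),
    )


if __name__ == "__main__":
    weak, strong = demo()
    print("rule-compliant common password recovered:", weak)
    print("passphrase recovered:", strong)
```

The iteration count slows every guess by the same factor for attacker and legitimate user alike, so it buys a constant factor, not safety by itself; a password that appears in a wordlist is found no matter how many iterations are used. Changing keys periodically limits how much data one recovered key exposes, but it does not rescue a key derived from a guessable password.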

  • Patches -- For a variety of reasons, some patches work and others can cause systems to fail outright and never boot again. IT needs to formulate a process for dealing with patches: how to find out about them, how to research and test them, how to deploy them, and how to roll back or remove a patch if it fails. Patch management should be part of the overall change management process, and the backup taken before the patch is what makes a rollback possible.

  • Power -- While not hacker-related per se, risks relating to reliable power should be taken into account. In case of a relatively minor power outage, many firms have invested in UPSes, but with a battery life of only three to five years, they need to be checked periodically. And those systems should be tested with real-world loads to make sure they keep the systems up long enough for an orderly shutdown to happen.

  • Other Issues -- Your risk assessment may turn up other threats. In areas prone to flooding, there may be a need for sensors that trigger an alarm when water is detected, and shelving to lift equipment well above the average flood level. The resources listed at the bottom of the page cover other threats and means to reduce their risk to the organization. Every organization has different risks. Make sure you know what yours are.