In a column that ran earlier this month, I took a look at 'defense in
depth' for small business -- well, actually, for all businesses. In this
follow-up article, I'll lay out a basic list, or menu, of security
technologies and processes that business and technical folks should
I call it a menu because it's a list that you can pick and choose from.
Some technologies and processes may apply to your business, while others
may not. Let this serve as a guide and choose from it based on risk
factors and needs.
Documentation -- This is often a dirty word to IT and small
business. The fact is that documentation is needed to ensure continuity.
Even if you are a one-person IT shop, can you remember all of your
firewall and Internet router settings after one year? Documentation is
invaluable for disaster recovery, as well as for training new people and
communicating with teams.
Formally Assign Duties -- If there are security tasks to be
performed, make sure you identify who will do each task and write out a
schedule to follow. Unassigned tasks are apt to be skipped or done in a
haphazard manner. Consider creating checklists for people to date and
sign when tasks have been completed.
Change Management -- The owner of an accounting practice was
telling me he always has issues with his accounting software after the
vendor applies updates. To protect against such issues, at a minimum make
sure you have full, verified backups of the application and database
before ever applying a patch, so you can get back to the last known-good
state. Ideally, have a small test system where you can install the patch
first and run a series of tests to validate the outcomes: that the new
functionality performs as planned and that existing functions did not break.
User IDs and Passwords -- Small businesses frequently skip
user IDs and passwords at the operating system and application/database
layers out of a mixture of trust and a desire for simplicity and
expediency. This absence of access controls creates a serious security
hole. First of all, anyone who reaches one of these systems, whether an
employee, a visitor or an intruder on the network, has full control.
Secondly, with a unique user ID and password for each person (never a
shared login), you have an audit trail to fall back on: it shows who did
what and when, so you can tell when a mistake was made and who may need
training.
Password Rules -- Bear in mind some simple rules about
-- Make them at least eight characters long and a mix of letters, numbers
-- Expire them periodically (the traditional rule is every 60 days) in
case someone steals both a user ID and a password. Bear in mind that a
schedule does not stop an attacker who uses stolen credentials the same
week, and current guidance (NIST SP 800-63B) drops forced periodic changes
in favor of longer passphrases, screening new passwords against lists of
known-breached ones, and changing a password immediately whenever
compromise is suspected;
-- Have the system set to lock an account after three or five failed
attempts at getting the password right. Investigate why an account is
locked versus simply resetting it;
-- Don't allow people to write their user ID or password on a note and
stick it to their monitor or under their keyboard...;
-- Remove/disable default accounts such as 'administrator' or
'guest'. If you can't, then at least change the password to something
-- On a daily or weekly basis, check the logs of access attempts to look
for abnormal behavior;
Limit Rights -- A cardinal rule of security is to give users
as few rights as possible to do their jobs. This means that a person in
accounts receivable only gets what he/she needs to perform that job. This
helps keep people from getting into parts of the system where they don't
System Logs -- Be sure to log access and important
transactions, and make sure someone reviews the logs on a daily or weekly
basis. This helps safeguard against errors, as well as security breaches.
Logging data without review is pointless.
Monitoring & Alerting -- Determine how automatic systems can
be set up to monitor the network and servers, and generate alerts about
suspicious activity. Alerts are often simple to set up and worth their
weight in gold.
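The daily log review that the password rules, System Logs and Monitoring & Alerting items describe, as an added Python example (not code from the original column, and not tied to any particular product). It replays a constructed login log and raises the alerts a reviewer would want: an account that hits the lockout threshold (five failures in ten minutes, the column's "three or five"), a login that succeeds for that account anyway (so either lockout is not enforced or the guess worked, which is why you investigate rather than reset), any use of a default account such as 'administrator', and successful logins outside business hours. The log layout, the account names, the addresses and the thresholds are assumptions for illustration. Lines the parser cannot read are reported instead of dropped, because a log you cannot read is itself something to look into.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample data for this example (not from any real system): one line
# per login attempt in a made-up but typical audit-log layout. 203.0.113.0/24 is
# a documentation address range, so the "outside" source is obviously fictional.
SAMPLE_LOG = """\
2024-03-04 08:02:11 LOGIN user=jsmith result=OK src=10.0.1.15
2024-03-04 08:15:02 LOGIN user=mlee result=OK src=10.0.1.22
2024-03-04 12:40:05 LOGIN user=administrator result=FAIL src=203.0.113.7
2024-03-04 12:40:09 LOGIN user=administrator result=FAIL src=203.0.113.7
2024-03-04 12:40:14 LOGIN user=administrator result=FAIL src=203.0.113.7
2024-03-04 12:40:20 LOGIN user=administrator result=FAIL src=203.0.113.7
2024-03-04 12:40:27 LOGIN user=administrator result=FAIL src=203.0.113.7
2024-03-04 12:40:33 LOGIN user=administrator result=OK src=203.0.113.7
2024-03-04 13:05:44 LOGIN user=jsmith result=FAIL src=10.0.1.15
2024-03-04 13:05:58 LOGIN user=jsmith result=OK src=10.0.1.15
2024-03-04 23:17:30 LOGIN user=mlee result=OK src=10.0.1.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)

# Built-in accounts that should have been removed, disabled or renamed.
DEFAULT_ACCOUNTS = {"administrator", "guest"}

Alert = namedtuple("Alert", "kind when user src detail")


def review_login_log(text, max_failures=5, window=timedelta(minutes=10),
                     business_hours=(8, 18)):
    """Replay login events in order and return the alerts a daily review should raise.

    LOCKOUT                max_failures failures for one account inside `window`
    SUCCESS_AFTER_LOCKOUT  a login then succeeded for that account: lockout is not
                           enforced, or the password was guessed
    DEFAULT_ACCOUNT        first use of a built-in account such as 'administrator'
    OFF_HOURS              a successful login outside business_hours (24h clock)
    UNPARSED               a line the parser could not read; never silently dropped
    """
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures inside window
    over_threshold = set()
    default_seen = set()

    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            alerts.append(Alert("UNPARSED", None, None, None, line))
            continue
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user, result, src = m["user"], m["result"], m["src"]

        if user.lower() in DEFAULT_ACCOUNTS and user not in default_seen:
            default_seen.add(user)
            alerts.append(Alert("DEFAULT_ACCOUNT", when, user, src,
                                "built-in account in use; disable or rename it"))

        failures = recent_failures[user]
        while failures and when - failures[0] > window:   # expire old failures
            failures.popleft()

        if result == "FAIL":
            failures.append(when)
            if len(failures) >= max_failures and user not in over_threshold:
                over_threshold.add(user)
                alerts.append(Alert("LOCKOUT", when, user, src,
                                    f"{len(failures)} failures within {window}; "
                                    "investigate before resetting"))
            continue

        # result == "OK": a single typo followed by a success is normal and not reported
        if user in over_threshold:
            alerts.append(Alert("SUCCESS_AFTER_LOCKOUT", when, user, src,
                                "login succeeded after the lockout threshold; "
                                "treat as a possible compromise"))
        failures.clear()
        if not business_hours[0] <= when.hour < business_hours[1]:
            alerts.append(Alert("OFF_HOURS", when, user, src,
                                "successful login outside business hours"))
    return alerts


if __name__ == "__main__":
    for a in review_login_log(SAMPLE_LOG):
        print(f"{a.when} {a.kind:<22} user={a.user} src={a.src}: {a.detail}")
```

On the sample log the script raises four alerts: the default 'administrator' account is in use, it reaches five failures at 12:40:27, a login for it succeeds six seconds later (the finding that matters most), and mlee logs in at 23:17. The thresholds are arguments so they can be tuned to the business; the point is that the review runs every day and somebody reads the output.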
Physical Access -- Limit physical access to servers, wiring
closets, and system backups. If someone can pick up tapes, or even entire
servers, and walk away, you've totally lost control. A keycard plus a
keycode (something you have and something you know) would be ideal,
because both create an access log showing who entered and when.
logs. Tell employees not to let strangers wander around in critical
Firewalls -- Any organization with access to the public Internet
needs a firewall. There are tons of models with a mile-long list of
features. The question isn't whether you need one or not. The question is
more along the lines of which one. That is partially determined by the
amount of traffic you get and the features you may want. Whichever model
you pick, start from a rule set that blocks everything and opens only what
the business needs, and review it whenever something changes. In terms of
any firewall, there are some important caveats to bear in mind. A
firewall that isn't monitored and maintained with updates can create a
false sense of security. An organization that invests in a firewall also
needs to determine how IT will review the logs and keep the system
current. This may be a prime activity to outsource in part or entirely.
Detection & Prevention -- An Intrusion Detection System (IDS)
is a passive monitoring system that generates alerts based on suspicious
activity, either on the network or on a host. An Intrusion Prevention
System (IPS) sits in the traffic path and reacts: it can drop the
offending connections, shut off network ports or take other measures to
counter a perceived attack, which also means a false positive blocks
legitimate traffic. To be done right, these systems are high maintenance:
their signatures need regular updates and their rules need tuning to your
environment, or they drown you in false alarms. If an organization puts
one in and never reviews and updates the unit, it is again creating a
false sense of security. Make the time, or outsource the work, to do it
right.
Anti-Virus & Anti-Malware -- This is one category that all
businesses need on their desktops, notebooks, and servers, especially
email and file servers. The traditional anti-virus products are rapidly
evolving to deal with threats such as viruses, Trojans, spam, and spyware.
Bear in mind that signature-based scanning only catches what it has a
signature for, so automatic updates are essential and anti-virus is no
substitute for patching and limiting rights. Key attributes to look for
include automatic signature updates and central reporting that shows which
workstations are current and what was detected on each.
System Backups -- Having reliable backups is a failsafe in
the event that data is destroyed or corrupted. But sometimes a few key
processes are missing from the backup plan. Review backups and job logs
to ensure the backups were successful. And there must be routine
restoration tests, restoring to a spare machine and checking the restored
data, to make sure data was backed up with integrity; a job that reports
success proves only that something was written, not that it can be read
back. There are many cases where people backed their systems up daily
only to find out, when the data was needed most, that the tapes were
actually corrupt. In addition, store copies remotely, and keep at least
one copy offline or otherwise out of reach of the network, so that
whoever or whatever destroys the live data cannot also destroy the backups.
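The restoration test the backup item insists on, and the pre-patch backup the Change Management item asks for, as an added Python example (not the column's own code, and not tied to any backup product). It archives a constructed sample "accounting" directory, records a SHA-256 hash of every file in a manifest stored beside the archive, and then proves the backup is usable by restoring it into scratch space and comparing each restored file with the manifest. It then flips one byte inside the archive to stand in for a bad tape and shows that the same test catches it, where a plain restore would have completed without complaint. The directory and file names are made up for the example.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, streamed so a large database dump need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive every file under src_dir and write a manifest of per-file hashes
    next to the archive. The manifest is what the later restoration test checks."""
    src_dir, archive_path = Path(src_dir), Path(archive_path)
    manifest = {}
    with tarfile.open(str(archive_path), "w") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    archive_path.with_name(archive_path.name + ".manifest.json").write_text(
        json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_restore(archive_path, manifest):
    """Restoration test: restore into scratch space and compare every restored file
    with the manifest. Returns a list of problems; empty means the backup is usable.
    An archive that cannot be read at all is reported as a problem, not raised."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive_path), "r") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # reject '..' and absolute paths
                except TypeError:                           # Python before the filter argument
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, expected in sorted(manifest.items()):
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def corrupt_member(archive_path, member):
    """Flip one byte of a member's data in place; stands in for a bad tape or disk.
    tar only checksums headers, so a plain restore will not notice this."""
    with tarfile.open(str(archive_path), "r") as tar:
        pos = tar.getmember(member).offset_data
    with open(archive_path, "r+b") as f:
        f.seek(pos)
        b = f.read(1)
        f.seek(pos)
        f.write(bytes([b[0] ^ 0xFF]))


def run_demo():
    """Back up a constructed sample directory, prove it restores cleanly, then
    corrupt the archive and return both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "acct"
        (data / "db").mkdir(parents=True)
        (data / "config.ini").write_text("db=db/ledger.db\nlog_level=info\n")
        (data / "db" / "ledger.db").write_bytes(bytes(range(256)) * 8)  # made-up content
        archive = Path(tmp) / "acct-backup.tar"
        manifest = make_backup(data, archive)
        before = verify_restore(archive, manifest)
        corrupt_member(archive, "db/ledger.db")
        after = verify_restore(archive, manifest)
        return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("fresh backup:    ", before or "OK")
    print("corrupted backup:", after or "OK")
```

In a real backup job the manifest is the thing to keep with the off-site copy, and the restoration test is scheduled, not run once: the whole point of the column's "tapes were actually corrupt" story is that a backup is only proven on the day you restore it.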
Encryption -- How secure encrypted data really is depends on the
algorithm and key length, on the quality of the password or passphrase
the key is derived from (a weak passphrase undoes a strong algorithm),
and on how keys are stored, who holds them and how often they are
changed. Encrypting backup media and notebooks turns a lost tape or
laptop from a data breach into a lost piece of hardware, provided the
key is not stored with it.
Patches -- For a variety of reasons, some patches work and
others can cause systems to outright fail and never boot again. IT needs
to formulate a process for dealing with patches -- how to best find out
about them, research and testing, deployment, and how to rollback or
remove the patch if it fails. Patch management should be part of an
overall change management process.
Power -- While not hacker-related per se, risks relating to
reliable power should be taken into account. In case of a relatively
minor power outage, many firms have invested in UPSes, but with a battery
life of only three to five years, they need to be checked periodically.
And those systems should be tested with real world loads to make sure
they keep the systems up long enough for an orderly shut down to happen.
Other Issues -- Your risk assessment may turn up other
threats. In areas prone to flooding, there may be a need for sensors that
trigger an alarm when water is detected, and shelving to lift equipment
well above the average flood level. The resources listed at the bottom
of the page can point you to information on other threats and on ways to
reduce their risk to the organization. Every organization has different
risks. Make sure you know what yours are.