Home versions of OS's, and to a certain extent free ones .. (PowerPoint presentation)

1
You Must Be This Tall to Ride the Security Ride
  • Pete Caro, Joel Wilbanks and Shlomo

ShmooCon 4
Bruce Potter says it's like a short-range sawed-off
shotgun
2
What is this talk all about? Why are we here?
  • Nov 07: Joel, Pete and Shlomo decide to submit a
    paper to ShmooCon 4
  • The paper, You Must Be This Tall to Ride the
    Security Ride, was going to be all about how
    small business couldn't possibly afford IT
    security for themselves
  • It turns out we were wrong.

3
What we found out was small business can secure
themselves pretty effectively, if they do it right
  • So a small business, as defined by the US SBA:
  • No more than $750,000 to $32,500,000 in revenue
  • No more than 500 to 1500 people
  • Industry dependent
  • Doing security right depends on:
  • Knowing your actual risks and threat space
  • The IT security industry doing our job right
  • Turns out small businesses might even have it
    easier than big businesses

4
How we first saw it
5
Security: what we thought everyone needed at first
  • Anti-virus, HIDS, HIPS, IDS, IPS, Firewalls,
    Sniffers, Anti-malware, Anti-spam, Honey pots,
    Encryption at rest/transit, Biometrics,
    Smartcards, PKI, Single Sign On, Remote access,
    VPNs, Security Admins, SIMs, Traffic Analysis
    tools, Patch management, Vulnerability testing,
    Penetration testing, PII protection, HIPAA, SOX,
    regulatory compliance, etc.
  • But everyone has a different risk level and
    different security requirements

6
Quick combination of security and threats
  • Makes you think you have to buy everything and
    mitigate every threat
  • Thinking like that is insane, and the costs are
    prohibitive anyway

8
A realistic threat picture
  • Generally small organizations face most of the
    same threats and only a few that are different
  • The ROI for hacking small businesses is lower;
    they are simply less attractive targets
  • Don't buy into the hype; conduct a risk
    assessment and figure out the ground truth

9
How we see it now
10
The trick is to shoot for the amount of security
protection you actually need
  • Be realistic about the threats you face
  • Implement a risk-based level of security that
    mitigates actual threats, not all threats
  • Make the right security choices based on your
    threat exposure
  • Don't try to prevent or even mitigate every
    single existing and emerging threat; prevent and
    mitigate enough to stay in business
  • Don't be overwhelmed by the plethora of security
    services, products and threats

11
Some general ideas
  • Managed security services
  • Turnkey solutions
  • Push security responsibilities down to
    non-security personnel
  • Use proven products and techniques
  • Leverage automation
  • Be realistic in your approach to security

12
Stick to your core competency; as a small
business this probably isn't information security
  • Email servers, web access, spam filters, etc.
  • IT support: help desk services, system
    administration, etc.
  • Web presence: web servers, outage monitoring,
    e-storefronts
  • Custom or line-of-business applications
  • All of these services have security aspects

13
Minimize exposure of sensitive, proprietary, and
PII data
  • Don't improperly use SSNs (as employee numbers, etc.)
  • Avoid system designs which require multiple data
    stores
  • If you need to share info, consider an intranet
    instead of the internet
  • Wireless
  • Mobile data (HDD, USB drive) encryption
  • Each instance of data needs to be secured; more
    instances, more security costs

16
Don't utilize devices designed for
home/recreational use for business purposes
  • iPhones - @!@
  • Personally-owned computers, PDAs, etc.
  • Home versions of OSs, and to a certain extent
    free ones
  • These devices often aren't designed with adequate
    security in mind, and even when they are you
    can't secure them all the time

17
Authentication and Encryption
  • RSA is a household name for a reason: it wasn't
    easy to invent, and neither was PKI
  • Two words: Rainbow tables
  • Multi-factor authentication
  • Dual-sided SSL: servers and clients should both
    authenticate the other party
  • Use strong and proven encryption
  • Identity proofing: verify that who they claim to be
    is who they really are
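
The "Rainbow tables" bullet above is the whole argument for salting stored passwords. The following is an added illustration, not code from the talk: it builds a tiny precomputed lookup table (the simplest form of what a rainbow table does) against unsalted SHA-256 digests, then shows that per-user random salts with PBKDF2 from the Python standard library make one precomputed table useless across users. The password list and user password are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample data: a few guessable passwords an attacker could
# plausibly precompute, and the one our sample user actually chose.
CANDIDATE_PASSWORDS = ["password", "letmein", "Summer2007", "shmoocon"]
USER_PASSWORD = "Summer2007"


def build_lookup_table(candidates):
    """Precompute unsalted SHA-256 digests: digest -> plaintext."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def lookup_unsalted(stored_digest, table):
    """Reverse an unsalted digest by table lookup; None if not present."""
    return table.get(stored_digest)


def hash_salted(password, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a caller-supplied salt (stdlib only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password):
    """What a login database should keep: a random per-user salt + digest."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": hash_salted(password, salt)}


def verify_password(record, attempt):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(attempt, record["salt"]), record["digest"])


def demo():
    table = build_lookup_table(CANDIDATE_PASSWORDS)
    unsalted = hashlib.sha256(USER_PASSWORD.encode()).hexdigest()
    recovered = lookup_unsalted(unsalted, table)  # one lookup, password gone

    rec_a = store_password(USER_PASSWORD)
    rec_b = store_password(USER_PASSWORD)
    # Same password, different salts -> different digests, so an attacker
    # must redo the work per user instead of reusing one precomputed table.
    return {
        "unsalted_recovered": recovered,
        "salted_digests_differ": rec_a["digest"] != rec_b["digest"],
        "salted_verify_ok": verify_password(rec_a, USER_PASSWORD),
        "salted_verify_wrong": verify_password(rec_a, "letmein"),
    }
```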

18
User security awareness training: how to prevent
stupid users from impacting security
  • Phishing, malicious email, Nigerian scams, spear
    phishing, etc.
  • Social engineering, phones, physical security,
    etc.
  • Use encrypted password stores instead of post-it
    notes
  • They are the last and first line of defense
  • Training is the only plausible answer

19
Systems and app hardening
  • Enable security features shipped with products
  • Retire discontinued and EOL systems and products
  • Patch systems in operation
  • Run malware (spyware, viruses, etc.) protection
  • Disable services you don't need

20
Practice secure destruction: cheap but important
  • Recycling is good, but data gets recycled too.
  • Secure destruction: it's cheap
  • Enforce security on capable devices; use the
    total delete capability on ones with the feature

21
Remote access: why telecommuting isn't always a
good idea
  • Webmail application vulnerabilities (OWA, etc.)
  • You can't control the security posture or
    disposition of personal equipment
  • Limit telecommuting access to essential services
    only
  • Implement secure VPN access

22
Remember we said it depends on the security
industry doing the right thing? Sometimes we make
it worse
  • Linux tools: free, neat and effective, but they
    require almost on-the-fly development to make 'em
    work
  • Too often we ignore the needs of small networks
  • Not enough professionalization
  • Sales creep: plug-and-play security often isn't
  • Cumbersome security: Deny or Allow?
  • Security turned off by default: why?!
  • Too much data: we have as many security logs as
    data

23
Here are some random things we can do to make
things better for small business
  • Better tools: 10 years ago there were no tools;
    let's keep going
  • More automation: let's reduce the amount of
    manual labor involved in security
  • Professionalization: work together to make
    security practitioners a known quantity
  • Licensing: sometimes our definition of small
    business does not reflect the reality of being a
    small business
  • Accountability: hold product vendors accountable
    for security flaws

24
Conclusion
  • Security is achievable for most small businesses,
    but it's complicated
  • Size, data value and resources impact the threats
    and responses
  • We need to keep working to provide better tools
    for small business and everyone else
  • Think about the children

25
ShmooCon 4
  • PhreakNIC 2007: GDead says defense in depth is
    dead
  • Defense in depth IS dead; long live intelligent
    defense in depth.