Risk
1/11/2012
01:13 PM
50%
50%

Top SMB Security Worries: Intellectual Property, Mobile

An expert security researcher shares his top security concerns for SMBs in 2012 and offers advice on how smaller companies can manage risks.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
The more things change, the more they stay the same. That pretty much sums up the information security landscape for small and midsize businesses (SMBs) in the year ahead, according to the head of Blue Coat Security's research lab.

The security world is indeed ever-changing. Blue Coat, for example, shifted its protection approach in 2011 away from the point of attack to the underlying networks that enable and distribute malware and other threats. In the process, the company hopes to better identify threats before they unfold--Blue Coat likens it to the "pre-crime" conceit in Minority Report. Yet Chris Larsen, Blue Coat's head researcher, acknowledges many smaller companies don't have the resources to devote to sifting through traffic logs and similar methods. That doesn't mean SMBs are helpless. In an interview, Larsen detailed his priority concerns for SMBs to keep top of mind in 2012--and some of them should sound familiar by now.

For starters, Larsen issued a reminder: Be proactive. Even if you outsource security to a consultant or other vendor, remain engaged with what they're doing to keep you protected. Ask questions about processes, risks, and remediation. Set-it-and-forget-it deals have inherent shortcomings.

As in years past, basic security hygiene is still a must for any business, no matter how small. Every SMB has a bank account and other financial information, and banking-related fraud will remain the number one threat to smaller firms in 2012. Larsen said online criminals are usually thrilled to infiltrate an SMB network because the bank balance is almost always a multiple of the typical consumer account.

Protection is a matter of recognizing the threat and identifying which people, processes, and information inside your organization make likely targets. "If you know [bank fraud] is going on, than you can put defenses in place to watch for it," Larsen said.

The minimum safety practices that any SMB should deploy: Use strong passwords and anti-malware protection, stay current on patches and downloads, beware of fishy emails and links, and restrict account access to critical personnel. The extreme approach: Use a dedicated computer for banking--no email, no spreadsheets, nothing--and keep it offline when not in use. (Larsen said some Blue Coat employees redefine "extreme"--they boot their machines from a Linux CD any time they bank online. Larsen himself isn't so paranoid, but he still won't use a Windows PC to manage his finances online.)

There's a newer concern for some SMBs: Intellectual property (IP) theft. While it won't apply across the board, high-value data could make some companies juicy targets--even if they're not a household name or have no trophy cachet. Firms in areas such as biotech or those with government defense contracts make prime examples. While bank fraud usually involves indiscriminate, catch-all attacks, IP theft typically falls into the realm of targeted or "advanced persistent" threats. Identifying potential dangers involves taking more of a risk management approach.

"You have to do an analysis: Do we have something besides our bank account that would be of interest to somebody?" Larsen said. "If we do, we have to give some thought to how to protect it." Doing so involves indentifying where the valuable data lives, who has access to it, and knowing whether there's an audit trail to follow.

Any public company fits the bill here, no matter its size or industry, since sensitive corporate information could be used to profitably trade the firm's stock ahead of the market. Employee social media profiles and other data readily available online have made it easier than ever to orchestrate this type of planned attack, Larsen said.

"Traditionally, you might say that we're so small nobody will come after us. But if you have intellectual property that would make it worthwhile, then somebody will come after you--and if Google can get hacked, so can you," Larsen said. "The nice thing if you're a smaller organization: You have a lot more concentrated and fewer assets to keep an eye on than Google does."

Mobile, for all its business benefits, will continue to grow as the new Wild West for security. Larsen said that while large enterprises have been wringing their hands over mobile security for some time, it's now something much smaller companies need to worry about, too.

"It's very sexy and seductive to be able to have a little app for your iPhone that gets into your customer database so your sales guys can pull stuff up when they're out in the field," Larsen said. "What's to prevent a sales guy from walking out with your whole contact list? It's really easy to get seduced by how cool all the new toys are and not do the really hard work and think about all of the security implications."

Larsen said cloud security platforms will be the way to manage a vast array of devices. "You can't carry around your data center defenses with you," Larsen said. "You want to have that iPad or iPhone talking to a cloud portal that has those kinds of defenses in place." The good news: that cloud infrastructure continues to grow and make those kinds of protections available.

He also advised SMBs that embrace a bring-your-own-device approach do so in a security-conscious manner. In particular, consider a device-restrictive plan for protecting key assets. If your banking information is your most valuable data, for example, don't let employees access it with their personal mobile devices--even if they're encouraged to use them in other areas of the business.

That fits Larsen's general thesis for SMBs: If time, money, and staff all run in short supply, don't worry about protecting everything--worry about protecting what's actually valuable.

"It boils downs to for a smaller operation: Play the priorities. What am I going to prioritize protecting? And I'm going to make darn sure adequate protection on that, and everything else I'm just going to free-wheel because I can't deal with it," Larsen said. "That's a reasonable security compromise posture." InformationWeek is conducting our third annual State of Enterprise Storage survey on data management technologies and strategies. Upon completion, you will be eligible to enter a drawing to receive an Apple iPad 2. Take our Enterprise Storage Survey now. Survey ends Jan. 13.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JABADI000
50%
50%
JABADI000,
User Rank: Apprentice
1/14/2012 | 9:58:34 AM
re: Top SMB Security Worries: Intellectual Property, Mobile
File Secure Pro provides cloud protection for PDF files. File Secure Pro-« is a moderately priced solution for intellectual property security. FSP's digital rights management (DRM) technologies offer dynamic remote control for usage and storage of digital property. Please visit http://www.file-secure.com/faq... for service plan details.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8617
Published: 2015-03-04
Cross-site scripting (XSS) vulnerability in the Web Action Quarantine Release feature in the WebGUI in Fortinet FortiMail before 4.3.9, 5.0.x before 5.0.8, 5.1.x before 5.1.5, and 5.2.x before 5.2.3 allows remote attackers to inject arbitrary web script or HTML via the release parameter to module/re...

CVE-2015-2209
Published: 2015-03-04
DLGuard 4.5 allows remote attackers to obtain the installation path via the c parameter to index.php.

CVE-2014-7896
Published: 2015-03-03
Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before ...

CVE-2014-9283
Published: 2015-03-03
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2014-9683
Published: 2015-03-03
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.