Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/11/2012
01:13 PM
50%
50%

Top SMB Security Worries: Intellectual Property, Mobile

An expert security researcher shares his top security concerns for SMBs in 2012 and offers advice on how smaller companies can manage risks.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
The more things change, the more they stay the same. That pretty much sums up the information security landscape for small and midsize businesses (SMBs) in the year ahead, according to the head of Blue Coat Security's research lab.

The security world is indeed ever-changing. Blue Coat, for example, shifted its protection approach in 2011 away from the point of attack to the underlying networks that enable and distribute malware and other threats. In the process, the company hopes to better identify threats before they unfold--Blue Coat likens it to the "pre-crime" conceit in Minority Report. Yet Chris Larsen, Blue Coat's head researcher, acknowledges many smaller companies don't have the resources to devote to sifting through traffic logs and similar methods. That doesn't mean SMBs are helpless. In an interview, Larsen detailed his priority concerns for SMBs to keep top of mind in 2012--and some of them should sound familiar by now.

For starters, Larsen issued a reminder: Be proactive. Even if you outsource security to a consultant or other vendor, remain engaged with what they're doing to keep you protected. Ask questions about processes, risks, and remediation. Set-it-and-forget-it deals have inherent shortcomings.

As in years past, basic security hygiene is still a must for any business, no matter how small. Every SMB has a bank account and other financial information, and banking-related fraud will remain the number one threat to smaller firms in 2012. Larsen said online criminals are usually thrilled to infiltrate an SMB network because the bank balance is almost always a multiple of the typical consumer account.

Protection is a matter of recognizing the threat and identifying which people, processes, and information inside your organization make likely targets. "If you know [bank fraud] is going on, than you can put defenses in place to watch for it," Larsen said.

The minimum safety practices that any SMB should deploy: Use strong passwords and anti-malware protection, stay current on patches and downloads, beware of fishy emails and links, and restrict account access to critical personnel. The extreme approach: Use a dedicated computer for banking--no email, no spreadsheets, nothing--and keep it offline when not in use. (Larsen said some Blue Coat employees redefine "extreme"--they boot their machines from a Linux CD any time they bank online. Larsen himself isn't so paranoid, but he still won't use a Windows PC to manage his finances online.)

There's a newer concern for some SMBs: Intellectual property (IP) theft. While it won't apply across the board, high-value data could make some companies juicy targets--even if they're not a household name or have no trophy cachet. Firms in areas such as biotech or those with government defense contracts make prime examples. While bank fraud usually involves indiscriminate, catch-all attacks, IP theft typically falls into the realm of targeted or "advanced persistent" threats. Identifying potential dangers involves taking more of a risk management approach.

"You have to do an analysis: Do we have something besides our bank account that would be of interest to somebody?" Larsen said. "If we do, we have to give some thought to how to protect it." Doing so involves indentifying where the valuable data lives, who has access to it, and knowing whether there's an audit trail to follow.

Any public company fits the bill here, no matter its size or industry, since sensitive corporate information could be used to profitably trade the firm's stock ahead of the market. Employee social media profiles and other data readily available online have made it easier than ever to orchestrate this type of planned attack, Larsen said.

"Traditionally, you might say that we're so small nobody will come after us. But if you have intellectual property that would make it worthwhile, then somebody will come after you--and if Google can get hacked, so can you," Larsen said. "The nice thing if you're a smaller organization: You have a lot more concentrated and fewer assets to keep an eye on than Google does."

Mobile, for all its business benefits, will continue to grow as the new Wild West for security. Larsen said that while large enterprises have been wringing their hands over mobile security for some time, it's now something much smaller companies need to worry about, too.

"It's very sexy and seductive to be able to have a little app for your iPhone that gets into your customer database so your sales guys can pull stuff up when they're out in the field," Larsen said. "What's to prevent a sales guy from walking out with your whole contact list? It's really easy to get seduced by how cool all the new toys are and not do the really hard work and think about all of the security implications."

Larsen said cloud security platforms will be the way to manage a vast array of devices. "You can't carry around your data center defenses with you," Larsen said. "You want to have that iPad or iPhone talking to a cloud portal that has those kinds of defenses in place." The good news: that cloud infrastructure continues to grow and make those kinds of protections available.

He also advised SMBs that embrace a bring-your-own-device approach do so in a security-conscious manner. In particular, consider a device-restrictive plan for protecting key assets. If your banking information is your most valuable data, for example, don't let employees access it with their personal mobile devices--even if they're encouraged to use them in other areas of the business.

That fits Larsen's general thesis for SMBs: If time, money, and staff all run in short supply, don't worry about protecting everything--worry about protecting what's actually valuable.

"It boils downs to for a smaller operation: Play the priorities. What am I going to prioritize protecting? And I'm going to make darn sure adequate protection on that, and everything else I'm just going to free-wheel because I can't deal with it," Larsen said. "That's a reasonable security compromise posture." InformationWeek is conducting our third annual State of Enterprise Storage survey on data management technologies and strategies. Upon completion, you will be eligible to enter a drawing to receive an Apple iPad 2. Take our Enterprise Storage Survey now. Survey ends Jan. 13.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
JABADI000
50%
50%
JABADI000,
User Rank: Apprentice
1/14/2012 | 9:58:34 AM
re: Top SMB Security Worries: Intellectual Property, Mobile
File Secure Pro provides cloud protection for PDF files. File Secure Pro- is a moderately priced solution for intellectual property security. FSP's digital rights management (DRM) technologies offer dynamic remote control for usage and storage of digital property. Please visit http://www.file-secure.com/faq... for service plan details.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28588
PUBLISHED: 2021-05-10
An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it’s l...
CVE-2021-21428
PUBLISHED: 2021-05-10
Openapi generator is a java tool which allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. openapi-generator-online creates insecure temporary folders with File.createTempFile during the code generation proces...
CVE-2021-29022
PUBLISHED: 2021-05-10
In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory.
CVE-2020-27226
PUBLISHED: 2021-05-10
An exploitable SQL injection vulnerability exists in ‘quickFile.jsp’ page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2020-27229
PUBLISHED: 2021-05-10
A number of exploitable SQL injection vulnerabilities exists in ‘patientslist.do’ page of OpenClinic GA 5.173.3 application. The findPersonID parameter in ‘‘patientslist.do’ page is vulnerable to authentic...