Since January, I've been speaking with IT staff from local city and county governments throughout Florida at conferences and in private meetings. The common issue among nearly every one of their organizations is that they have practically no budget for security and no dedicated security staff. In many cases, there is only one or two IT people, and they handle everything from desktop and server support to IT training and security. My goal with the talks has been to help these small groups realize quick and no-cost (or low-cost) ways to strengthen their security posture.
The top three most effective ways small businesses can protect themselves are: not allowing users, including IT, to run as administrators; installing and keeping anti-malware software up to date; and security awareness training. The first two recommendations are fairly obvious, so I'm going to start with security awareness, given that many security "experts" say it is useless.
The primary issue with security awareness that causes it to be ineffective is that people have been doing it wrong for too many years. The assumption is that because it is a security-related matter, IT security staff should be the ones responsible for security awareness. Unfortunately, the majority of those staff members have no formal training in how to educate and train others. They are often geeks who are not always the best at communicating complex technical issues to the laymen.
To complicate matters, security teams within large organizations do not always have the political or social capital that is necessary to get their messages heard. The security team is often seen as the bad guys who are preventing employees from getting their work done, chastising them for doing "bad" things, and dictating obscure and hard to understand security policies.
So how is security awareness different in small companies? The visibility and personal relationships between IT staff and end users help the message be delivered in a way that personnel will listen to, understand, and not feel like they are a child being told what not to do. There will be exceptions, but my experience over the years is that users in small organizations are more likely to listen to and reach out to their IT staffs when they have a security question than their counterparts in an enterprise environment.
Getting back to numbers one and two, endpoint protection is absolutely necessary because it helps to weed out the noise of common malware and raise the effort necessary for successful attacks to take place. Is antivirus perfect? Of course not, but it is an important layer that isn't always managed well in a small environment. This is typically due to different consumer versions installed on user machines when they were purchased, only to end up expiring and getting uninstalled. But it's a necessary evil to help protect systems.
Taking away administrator rights from users is an effort that goes very smoothly or very badly -- there never seems to be a middle ground. From an IT perspective, it makes perfect sense that there's no reason a user should be surfing the Web with Internet Explorer while logged in with administrator rights on their desktop.
But from a user perspective, they often see their machines as their own and feel they should be able to do with them as they please. This is an especially painful argument when dealing with management, because IT answers to them and they authorized the purchase of the machine. Why can't they have admin access? Start with a calm, rational explanation of the dangers of browsing the Internet, reading email, and using social networking sites. Explain how watering hole attacks work. Then discuss the effects of that attack on a system when a user does not have admin rights and when they do.
Those three steps are a good start to raising a small organization's security posture, but efforts should not stop there. There are several ways to protect desktops and laptops from physical attacks, such as theft or booting the system from a bootable Linux CD to steal the local administrator password hashes or sensitive data.
For example, start by locking down workstations' BIOS to prevent booting with CDs, DVDs, and USB flash drives. Next, consider using TrueCrypt for free full-disk encryption to protect hard drive contents in the case of theft or local boot attacks. And be sure that the local Administrator account is either disabled or has a unique password on all machines to prevent easy lateral movement by an attacker through a pass-the-hash attack.
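The local Administrator check above is easy to script. The following is an added example, not code from the original article: it finds the built-in Administrator account by its well-known RID 500 (so a renamed account is still caught), reports whether it is enabled and how old its password is, and disables it only when the -Disable switch is passed. It assumes Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts cmdlets) and an elevated session.

```powershell
# Added example (not from the original article): audit the built-in local
# Administrator account and optionally disable it.
# Assumes Windows 10 / Server 2016+ and an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable
)

# The built-in Administrator account always carries RID 500, so match on the
# SID suffix rather than the display name, which may have been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

if (-not $builtin) {
    Write-Warning 'Built-in Administrator account (RID 500) not found.'
    return
}

# Password age matters: an old, shared local admin password is what makes
# pass-the-hash lateral movement cheap for an attacker.
$ageDays = if ($builtin.PasswordLastSet) {
    [int]((Get-Date) - $builtin.PasswordLastSet).TotalDays
} else { $null }

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Name            = $builtin.Name
    Enabled         = $builtin.Enabled
    PasswordLastSet = $builtin.PasswordLastSet
    PasswordAgeDays = $ageDays
} | Format-List

if ($builtin.Enabled) {
    if ($Disable) {
        # -WhatIf is honoured here because of SupportsShouldProcess.
        if ($PSCmdlet.ShouldProcess($builtin.Name, 'Disable-LocalUser')) {
            Disable-LocalUser -SID $builtin.SID
            Write-Output "Disabled $($builtin.Name) on $env:COMPUTERNAME."
        }
    } else {
        Write-Warning "$($builtin.Name) is enabled. Re-run with -Disable, or set a password unique to this machine."
    }
}
```

Run it read-only first across a handful of machines to see how many still have the account enabled with a years-old password; the -Disable pass can follow once you know which systems actually need it.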
Network segmentation is another area commonly overlooked in small environments. User workstations are on the same flat network segment as multifunction printers, file and Web servers, IT staff workstations, and network switches. In large enterprises, segmentation by role, function, and security level is the goal, yet something that is rarely implemented in a small organization. At the very least, create segments based on roles using the VLAN features included in managed switches, and create rules on host-based firewalls to limit access to unnecessary services or isolate systems that should not be generally accessible by all hosts on the network.
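Host-based firewall rules are the cheap half of that advice. The following is an added example, not from the original article, showing how to restrict SMB and RDP on a Windows workstation so they answer only to the IT staff VLAN; the subnet 10.10.50.0/24 is an assumed placeholder. Because Windows evaluates block rules ahead of allow rules, the approach is to turn off the stock "allow from anywhere" rules and add tightly scoped allow rules on top of a default-deny inbound policy, rather than trying to layer a block rule over the defaults.

```powershell
# Added example (not from the original article): scope SMB and RDP on a
# workstation to the IT management VLAN with the built-in Windows firewall.
# Assumes an elevated session and an English-language Windows install
# (the DisplayGroup names below are the en-US defaults).
$ItVlan = '10.10.50.0/24'   # assumed placeholder: IT staff VLAN

# Default-deny inbound on every profile so scoped allow rules are the only way in.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Disable the stock rules that open SMB (445) and RDP (3389) to any remote host.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Disable-NetFirewallRule
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Disable-NetFirewallRule

# Re-allow the same services, but only when the peer is on the IT VLAN.
New-NetFirewallRule -DisplayName 'SMB-In from IT VLAN only' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $ItVlan -Action Allow `
    -Profile Domain, Private
New-NetFirewallRule -DisplayName 'RDP-In from IT VLAN only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $ItVlan -Action Allow `
    -Profile Domain, Private

# Verify: every enabled inbound rule touching 445 or 3389 and who it admits.
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $port = ($_ | Get-NetFirewallPortFilter).LocalPort
    if ($port -in '445', '3389') {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Port          = $port
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            Action        = $_.Action
        }
    }
} | Format-Table -AutoSize
```

The verification step should show only the two IT VLAN rules for those ports; any other enabled allow rule listed there is a hole the segmentation did not close.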
Last but not least, small companies need to regularly perform network and vulnerability scanning of their internal and external networks. There are two reasons for this. The first is that vulnerability scanning helps identify the low-hanging fruit that an attacker could easily compromise. Second, it can validate that only the services that need to be accessible to the outside are indeed available to the public. Several of the commercial vulnerability scanning solutions have free versions that can be downloaded for quick testing; commercial licenses run in the $1,000 to $3,000 range.
One thing to keep in mind when reviewing vulnerability scan results is that you should not be focusing just on high and medium vulnerabilities. Unfortunately, the focus on high vulnerabilities is something that is regularly stressed for compliance reasons, even though it's the low vulnerabilities that can lead to compromise. Chris Gates has an excellent blog series, called "LOW to PWNED," that includes about a dozen articles discussing how vulnerabilities labeled as low can be leveraged to gain deeper access to the system.
There are many things that small businesses can do to secure their networks and workstations that cost little to nothing beyond the time and effort to implement. But that time and effort will go a long way in protecting their organizations from attacks that can cost a lot of money and time.