You must be this tall to ride the security ride
ShmooCon 4
Pete Caro, Joel Wilbanks and Shlomo
Bruce Potter says it’s “like a short range sawed off shotgun”

What is this talk all about? Why are we here?
• Nov 07 – Joel, Pete and Shlomo decide to submit a paper to ShmooCon 4
• The paper, ‘You Must Be This Tall to Ride the Security Ride’, was going to be all about how small business couldn’t possibly afford IT security for themselves
• It turns out we were wrong….

What we found out was that small businesses can secure themselves pretty effectively, if they do it right
• So a small business, as defined by the US SBA
  • No more than $750,000-32,500,000 revenue
  • No more than 500-1500 people
  • Industry dependent
• Doing security right depends on
  • Knowing your actual risks and threat space
  • The IT security industry doing our job right
• Turns out small businesses might even have it easier than big businesses

Security, what we thought everyone needed at first
• Anti-virus, HIDS, HIPS, IDS, IPS, Firewalls, Sniffers, Anti-malware, Anti-spam, Honey pots, Encryption at rest/transit, Biometrics, Smartcards, PKI, Single Sign On, Remote access, VPNs, Security Admins, SIMs, Traffic Analysis tools, Patch management, Vulnerability testing, Penetration testing, PII protection, HIPAA, SOX, regulatory compliance….etc
• But everyone has a different risk level and different security requirements

Quick combination of security and threats
• Makes you think you have to buy everything and mitigate every threat
• Thinking like that is insane, and the costs are prohibitive anyway

A realistic threat picture
• Generally small organizations face most of the same threats and only a few that are different
• The ROI for hacking small businesses is lower – they are simply less attractive targets
• Don’t buy into the hype, conduct a risk assessment and figure out the ground truth

The trick is to shoot for the amount of security protection you actually need
• Be realistic about the threats you face
• Implement a risk-based level of security that mitigates actual threats, not all threats
• Make the right security choices based on your threat exposure
• Don’t try to prevent or even mitigate every single existing and emerging threat – prevent and mitigate enough to stay in business
• Don’t be overwhelmed by the plethora of security services, products and threats

Some general ideas
• Managed security services
• Turn-key solutions
• Push security responsibilities down to non-security personnel
• Use proven products and techniques
• Leverage automation
• Be realistic in your approach to security

Stick to your core competency, as a small business this probably isn’t information security
• Email – servers, web access, spam filters, etc
• IT support – help desk services, system administration, etc
• Web presence – web servers, outage monitoring, e-storefronts
• Custom or line-of-business applications
• All of these services have security aspects

Minimize exposure of sensitive, proprietary, and PII data
• Don’t improperly use SSNs – employee numbers, etc
• Avoid system design which requires multiple data stores
• If you need to share info consider an intranet instead of the internet
• Wireless
• Mobile data (HDD, USB drive) encryption
• Each instance of data needs to be secure, more instances more security costs

Don’t utilize devices designed for home/recreational use for business purposes
• iPhones - &@!^#*&@^#&
• Personally-owned computers, PDAs, etc
• Home versions of OS’s, and to a certain extent free ones
• These devices often aren’t designed with adequate security in mind, and even when they are you can’t secure them all the time

Authentication and Encryption
• RSA is a household name for a reason, it wasn’t easy to invent – neither was PKI
• Two words – Rainbow tables
• Multi-factor authentication
• Dual-sided SSL – servers and clients should both authenticate the other party
• Use strong and proven encryption
• Identity proofing, verify that people really are who they claim to be

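An added example (not from the talk) of why the “rainbow tables” bullet matters and what the fix looks like: an unsalted hash of a common password falls to a precomputed lookup, while a per-user random salt plus PBKDF2 makes any such table useless. The four-entry table and the passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a precomputed table of unsalted MD5 hashes.
# A real table covers billions of candidates; four entries show the idea.
COMMON_PASSWORDS = ["password", "letmein", "123456", "shmoocon"]
UNSALTED_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_md5(password: str) -> str:
    """The weak scheme: one deterministic hash per password, same for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted(stored_md5: str) -> Optional[str]:
    """Reverse an unsalted hash by table lookup; None if it is not in the table."""
    return UNSALTED_TABLE.get(stored_md5)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Store as 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a random 16-byte salt.
    Because the salt is part of the input, a table would have to be built per salt."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get different stored values,
    so no single precomputed table covers both (unlike unsalted_md5)."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    print("unsalted 'letmein' recovered:", lookup_unsalted(unsalted_md5("letmein")))
    record = hash_password("letmein")
    print("salted record:", record)
    print("verify ok:", verify_password("letmein", record), "| wrong pw:", verify_password("letmeout", record))
```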
User security awareness training – how to prevent stupid users from impacting security
• Phishing, malicious email, Nigerian scams, spear phishing, etc
• Social engineering, phones, physical security, etc
• Use encrypted password stores instead of post-it notes
• They are the last and first line of defense
• Training is the only plausible answer

Systems and App hardening
• Enable security features shipped with products
• Retire discontinued and EOL systems and products
• Patch systems in operation
• Run malware (spyware, viruses, etc) protection
• Disable services you don’t need

Practice secure destruction – cheap but important
• Recycling is good, but data gets recycled too
• Secure destruction – it’s cheap
• Enforce security on capable devices, use the total delete capability on ones with the feature

Remote access – why telecommuting isn’t always a good idea
• Webmail application vulnerabilities – OWA etc
• You can’t control the security posture or disposition of personal equipment
• Limit telecommuting access to essential services only
• Implement secure VPN access

Remember we said it depends on the security industry doing the right thing? Sometimes we make it worse…
• Linux tools – free, neat and effective but they require almost on-the-fly development to make ‘em work
• Too often we ignore the needs of small networks
• Not enough professionalization
• Sales creep – plug and play security often isn’t
• Cumbersome security – Deny or Allow?
• Security turned off by default – why?!
• Too much data – we have as many security logs as data

Here are some random things we can do to make things better for small business
• Better tools: 10 years ago there were no tools, let’s keep going
• More automation: let’s reduce the amount of manual labor involved in security
• Professionalization: work together to make security practitioners a known quantity
• Licensing: sometimes our definition of small business does not reflect the reality of being a small business
• Accountability: hold product vendors accountable for security flaws

Conclusion
• Security is achievable for most small businesses – but it’s complicated
• Size, data value and resources impact the threats and responses
• We need to keep working to provide better tools for small business – and everyone else
• Think about the children

ShmooCon 4
Phreaknik 2007, GDead says “defense in depth is dead”
Defense in depth IS dead – long live intelligent defense in depth.