Security is of growing concern for businesses of any size. With everything from the company coffee machine (no, seriously – the Beyond Coffee Maker offers wireless brewing) to productivity applications being networked, risk is attached to every level of the technology stack. Pervasive end-to-end networks require security approaches that cover the whole instead of defending the borders. Ignore it at your peril.
Vendors' promises mean little in terms of security. Their solutions must deliver effectively. This requires the SME to carefully evaluate the challenges presented by its environment, which is often a hodgepodge of solutions tied together. Should one seek out holistic solutions that cover the heterogeneous environment or look to secure individual components of the network with specific, and often included, solutions?
Skills and tools
Says Karel Rode, chairman of the Information Security Group of Africa (ISG Africa), “IT security is defined as good risk management practice. If one looks at what the SME requires it is not that much different from what the enterprise needs. The difference is that the available skills pool is so much smaller.”
He suggests the use of a ‘rented information security officer’ that is able to audit the environment and address security on behalf of business.
Skills aside, robust security solutions must also be deployed on the network. Cisco’s regional sales manager of commercial business, Val Moodley, draws attention to the stack.
“It is essential to ensure that the network has built-in security. This will minimise the risk of infection from a wide range of sources, including a company’s own networked PCs and servers,” he says.
“Security threats today affect not only individual PCs, but company networks, regional networks and even the global infrastructure – causing almost instant security disasters,” continues Moodley. “The infamous Slammer virus spread worldwide in just 11 minutes, infecting 55 million hosts per second at its peak. The results of such attacks can be disastrous, putting a halt to business processes, causing major disruptions for workers and damaged or destroyed data, not to mention a loss of revenue or customer confidence.
“Large enterprises have dedicated security teams in place, a luxury many midsize companies or SMEs cannot afford,” he explains. “But every day there are new kinds of viruses, spyware, denial of service attacks and other security threats facing businesses, no matter how small or large. A secure, adaptive network is especially important for smaller businesses that may not have the support of an in-house security resource.
“A way of achieving security without a dedicated team is through the use of a ‘self-defending network’. With the implementation of such a network, companies benefit from built-in security and the ability to anticipate threats before or while they are happening and adjust accordingly,” states Moodley.
“This type of network works by intelligently incorporating and integrating three crucial security components in the form of application security, defence against viruses, worms and other intrusions, and end-to-end network containment and control. It also aims to protect into the future,” he says.
Wireless networking continues to grow in use, including the rapid move to adopt mobile solutions that keep workers connected while out on the road. The convenience of wireless is bolstered by its currently low costs. And while wireless networking in the form of WiFi was considered to be a major security threat in the past, this is no longer the case.
In fact, wired networks can offer greater threats because businesses seldom bother to secure physical access points. In many businesses you can simply plug into an Ethernet port and receive settings via DHCP, adding you to the network. The assumption is that safety is maintained by the fact that physical access is required. But are you able to monitor your entire premises to make sure only authorised personnel have access to ports? And if an attacker managed to plug their own wireless access point into an available port then the threat would be exposed wirelessly.
“Securing data in motion as well as data at rest must be top of mind,” says Rode. “Moreover, allowing access to data without any classification and user privilege management is just taking too much risk, and the leakage of such information could be very damaging. Also, the new privacy legislation will not differentiate between small and big business. Holding personally identifiable information will mandate additional controls.”
Physical infrastructure must be protected and checks and balances maintained to ensure security.
The malware environment has also become increasingly complex with viruses, spyware and other software nasties becoming more and more sophisticated.
“The normal virus, pests and remote access Trojans can be fought off with ‘anti-ware’ that should be in place, and constantly maintained,” says Rode. “Keep in mind that the next big virus or malware may not be so intelligent as to ignore your business or IP address range.”
“System updates, patching and the continuous review of vulnerabilities must be taken care of,” he says. “This is another reason to consider the rented information security officer model.”
One can also not ignore the role of user education.
“Ignorant users pose a danger to the network, so user education and security awareness must be done on a regular basis,” advises Rode. “Small business can also succumb to extortion or internal user abuse, or a user may simply slip up and by accident do something untoward.”
Social networking must be mentioned here too. Consider Facebook and the open API it employs to allow anyone to build applications for use on the platform. By adding these applications users not only allow the developers of these third-party toys access to their private information, but also to their whole Internet session. A skilled attacker with their own Facebook application could wreak havoc.
In terms of security, many consider the Linux operating system, and indeed most Unix-based solutions, including BSD and Apple’s OS X, to be more secure, given the inherent Unix architecture that employs robust user-level access and a kernel approach that makes it difficult for attackers to directly target system resources.
Linux, the open source operating system, recently proved its robustness in the famous PWN to OWN competition that pits hackers against each other. Ubuntu Linux was unbeatable, but it must be said that Windows Vista did a good job in coming second. However, some believe that there is more to be gained from open source than just Linux, when it comes to security.
David Jacobson, technical director at SYNAQ believes that proprietary code may offer an inadvertent risk in itself.
“Software products that companies install to address vulnerabilities could well end up making the entire IT environment even more insecure – because they, themselves, contain security flaws,” he says.
“The only way to truly check that they are secure is to view the code. That is one of the reasons I believe open source software is the better option for companies where security is of the utmost concern,” continues Jacobson. “It is not that open source is more secure per se, but rather that you can see any vulnerabilities yourself and even fix them if necessary, assuming you have the skills to do so. Of course, you can find someone who can do this for you too,” he says.
Security must be end to end in order to be effective. Users must be educated and where possible resources must be made available on a strictly role-based level. There is no such thing as an ‘SME virus’ or specific vulnerabilities focused on the business tier. Threats do not discriminate on business size, and neither can security solutions.