Protecting an SME (Small and Medium-sized Business) of fewer than 250 employees is no small task. It has all the complexities of a large enterprise, generally with less staff and budget.
Because all SMEs are different and have various requirements, I am going to try to keep the architecture as generic as I can to cover the broadest possible range of scenarios. I am going to concentrate on the Windows Server and desktop operating systems. I will also try to suggest both commercial and open-source utilities where available.
This document is not meant as an in-depth reference, but a high-level discussion of the different aspects, considerations, and technologies you will need to be aware of to protect an SME.
From a security manager's point of view, this can be an excitingly scary time. The technology to protect your systems has advanced significantly and costs less than it ever did. However, cybercriminals have increased in numbers and sophistication. They're also not just using network attacks anymore: they now employ social engineering techniques (such as phishing) and advanced malware, and they leverage application and browser exploits to attack your organization.
Microsoft’s 10 Immutable Laws of Security (Link) [Written by Scott Culp in 2000, and all of them seem applicable in today’s environment]
- Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
- Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
- Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
- Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
- Law #5: Weak passwords trump strong security
- Law #6: A computer is only as secure as the administrator is trustworthy
- Law #7: Encrypted data is only as secure as the decryption key
- Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
- Law #9: Absolute anonymity isn't practical, in real life or on the Web
- Law #10: Technology is not a panacea
Below are key principles that you should utilize in all your security architectures and systems that you create.
- Defense In Depth – This is a strategy in which multiple layers of defense are placed throughout your environment, to help mitigate consequences of an attack against your organization.
- Least Privilege – Giving users or application services only those security rights which are absolutely essential for them to accomplish what they need to do.
- Risk management – Whenever you’re creating a security architecture for any systems, network or applications, you need to identify any known vulnerabilities and threats to it. Then decide what countermeasures can be taken to reduce the risk to an acceptable level, based on the value of the information resource to the organization.
- Containment management – Almost everything you will read on the subject of data security talks about how to protect your data. However, you also need policies and procedures in case you do have a data breach, covering how you're going to deal with this eventuality and minimize the damage to both the data and the company's reputation.
- User Security Training – All the hardware in the world is not going to completely protect your company. You will need to invest time, money and energy into making sure that your other employees and contractors are doing their part to protect the integrity and security of the company's digital assets.
Tip: For more information on this subject, see the following Wikipedia article (Information Security).
Types of Threats
As you know, computer security is all about protecting the integrity of the company's data. That means making sure that only the correct people have access to it, and taking part in the planning to make sure that in the event of an environmental disaster (such as fire, flood, terror, etc.) there is a business continuity plan in place so that the organization can continue.
- Outside Intruders – These are the easiest threats to understand: anyone outside your organization who is trying to steal its data or cause it harm.
- Insider Intruders – The main problem with identifying this threat is that these can be people that you know and trust. Generally driven by ulterior motives (revenge, money, etc.), they can turn against the organization and seek to damage it.
- To help mitigate this type of threat, structure your server operation personnel around the notion of "separation of duties" (also known as "segregation of duties") to prevent power from being excessively concentrated in any individual.
- As your server/network operation personnel transition roles over time, it's important to remove their old rights or change the passwords that they had access to. Also, rotating general application/hardware passwords on a regular basis can help mitigate this issue.
- Environmental – I grouped a lot of different things into this category; it can be anything from a power outage to a flood, a terrorist attack, etc. You need to do your part in making sure that the business can continue in case of some type of event that can inhibit or stop your organization's day-to-day operation.
The perimeter of your network is the fortified boundary between your organization and the Internet. This is where the following equipment is used.
- Border Routers – These routers control what goes in and out of your network. If configured properly, these devices can deflect certain types of DDoS attacks that use malformed TCP/IP packets. They can also be used for blocking and filtering other types of network traffic depending on the rules you write. Below are some basic router filtering rules:
- Block all inbound traffic where the source address is from your internal networks. This is generally a sign that someone is trying to send you spoofed traffic.
- Block all outbound traffic where the source address isn't from your internal networks. This is generally a sign that someone is trying to send you spoofed traffic.
- Block all inbound and outbound traffic where the source or destination addresses are from the private address ranges (see RFC1918). The ranges for them are: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 (Windows automatic private IP range).
- Block all source-routed packets (this is an obsolete routing technology).
- Block all broadcast packets, including directed broadcasts. This type of traffic should never come from the Internet.
- Block all packet fragments (except when IPSEC is involved).
Note: It's important to make sure that these devices are locked down, by only running necessary services. All remote management needs to be done through SSH.
- Firewall – After your border routers, firewalls are your next line of defense against an attack from the Internet. There are several different types of firewalls available (such as stateful packet inspection, packet filtering, proxies, and NAT), but they are all controlled by rules that tell them what to allow and deny.
- Intrusion Detection System / Intrusion Prevention System (IDS/IPS) – These are network security appliances or systems that monitor network and/or system activities for malicious activity. Their main function is to identify malicious activity, attempt to block/stop it, and report it.
- SNORT is an open-source (Linux based) network intrusion prevention system capable of performing real-time traffic analysis and packet logging on IP networks.
- The open-source version of Tripwire is a security and data integrity tool that is useful for monitoring and alerting on specific file changes across a range of systems.
- DMZ (De-Militarized Zone) – An isolated private network behind the firewall that doesn't have direct access to your main corporate network. Generally only public servers like web servers are placed here. Only a limited number of ports are generally opened and exposed to the Internet, such as port 53 (DNS), 80 (HTTP) and 443 (HTTPS).
- Virtual Private Network (VPN) – This service allows remote workers connected to the Internet to have secure access to the corporate network through an encrypted tunnel. Once a VPN user is connected to the internal network, they can utilize its applications, data and services.
- NAP (Network Access Protection) – This technology ensures that a computer connecting to your organization's network complies with the minimum security configuration (such as anti-malware installed and up-to-date, a firewall enabled, the latest security patches installed, etc.) before it is given access. This technology is built into Windows Server 2008.
Tip: To help simplify your network security architecture you might want to consider buying a UTM appliance that can perform several functions (such as: firewall, network hygiene, web proxy, and more) that are listed in this article.
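The basic router filtering rules listed above under Border Routers, written as a packet-classification function so that each rule can be tested on its own. This is an added example for this article, not configuration from any router vendor; the packet fields, the sample addresses, and the internal prefix 203.0.113.0/24 (a documentation range standing in for your public block) are all constructed.

```python
# Added example: the border-router filtering rules from the article, written as a
# packet-classification function so that each rule can be tested on its own.
# This is not configuration from any router vendor. The internal prefix
# 203.0.113.0/24 (a documentation range) and every address below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: the organization's public address block (constructed).
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 private ranges plus the Windows automatic private IP range.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


@dataclass
class Packet:
    direction: str                # "in" = arriving from the Internet, "out" = leaving
    src: str
    dst: str
    source_routed: bool = False   # IP source-route option present
    fragment: bool = False        # packet is an IP fragment
    ipsec: bool = False           # AH/ESP traffic, where fragments are tolerated


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def _is_broadcast(dst: str) -> bool:
    """Limited broadcast, or a directed broadcast to one of our own subnets."""
    ip = ipaddress.ip_address(dst)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(ip == n.broadcast_address for n in INTERNAL_NETS)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Apply the rules in order; return ("deny", reason) or ("allow", "")."""
    src_internal = _in_any(pkt.src, INTERNAL_NETS)
    # Rule 1: inbound traffic must not claim an internal source (spoofing).
    if pkt.direction == "in" and src_internal:
        return "deny", "inbound packet with internal source address"
    # Rule 2: outbound traffic must come from our own addresses (egress filtering).
    if pkt.direction == "out" and not src_internal:
        return "deny", "outbound packet with non-internal source address"
    # Rule 3: private / link-local addresses never belong on the perimeter.
    if _in_any(pkt.src, PRIVATE_NETS) or _in_any(pkt.dst, PRIVATE_NETS):
        return "deny", "RFC 1918 or 169.254.0.0/16 address"
    # Rule 4: source routing is obsolete and lets the sender pick the path.
    if pkt.source_routed:
        return "deny", "source-routed packet"
    # Rule 5: broadcasts, including directed broadcasts, never come from the Internet.
    if _is_broadcast(pkt.dst):
        return "deny", "broadcast or directed broadcast"
    # Rule 6: fragments are dropped unless the traffic is IPsec.
    if pkt.fragment and not pkt.ipsec:
        return "deny", "IP fragment outside IPsec"
    return "allow", ""


def apply_ruleset(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Classify a batch of packets; handy for reviewing a proposed rule change."""
    return [(p, *filter_packet(p)) for p in packets]


if __name__ == "__main__":
    sample = [  # constructed traffic; 198.51.100.0/24 plays the role of the Internet
        Packet("in", "203.0.113.10", "203.0.113.5"),
        Packet("out", "203.0.113.10", "198.51.100.7"),
        Packet("in", "198.51.100.7", "192.168.1.20"),
        Packet("in", "198.51.100.7", "203.0.113.255"),
        Packet("in", "198.51.100.7", "203.0.113.5", fragment=True),
        Packet("in", "198.51.100.7", "203.0.113.5", fragment=True, ipsec=True),
    ]
    for pkt, verdict, reason in apply_ruleset(sample):
        print(f"{pkt.direction:>3} {pkt.src:>15} -> {pkt.dst:<15} {verdict:5} {reason}")
```

The order of the checks matters: the two anti-spoofing rules run first because a packet that fails them tells you something different (someone is forging your addresses) from one that merely carries a stray RFC 1918 address. When you translate these into a real router ACL, keep the same ordering and log the denies from rules 1 and 2 separately so they stand out in your monitoring.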
10 Immutable Laws of Security Administration (Link) [Written by Scott Culp in 2000, and all of them seem applicable in today’s environment]
- Law #1: Nobody believes anything bad can happen to them, until it does
- Law #2: Security only works if the secure way also happens to be the easy way
- Law #3: If you don't keep up with security fixes, your network won't be yours for long
- Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with
- Law #5: Eternal vigilance is the price of security
- Law #6: There really is someone out there trying to guess your passwords
- Law #7: The most secure network is a well-administered one
- Law #8: The difficulty of defending a network is directly proportional to its complexity
- Law #9: Security isn't about risk avoidance; it's about risk management
- Law #10: Technology is not a panacea
Once you secure the perimeter, the next step is fortifying the internal network against intruders and insiders. You can have the best perimeter security, and block all outside network attacks, but there will always be insiders that will try to steal information for personal or financial gain.
The greatest tools you will have against these types of threats are tight ACLs that limit user access rights, encryption of all the information you're trying to protect, and policies and procedures in place to safeguard it.
- DNS and DNSSec – DNS is a core part of your network services. Services like Active Directory rely on it in order to function. The original DNS design was insecure, so to overcome this limitation DNSSec was created to prevent attacks like man-in-the-middle. DNSSec is supported in Windows Server 2008.
- IPSEC – Like the original version of DNS, TCP/IP was not created to be a secure protocol. To help overcome this, IPSEC was created to provide trusted TCP/IP communications between network devices. IPSEC can also be used to segregate traffic between a secure and an insecure environment on the same network. IPSEC is included in all versions of the Microsoft OS since Windows 2000.
Note: Several hardware appliances don’t support IPSEC communication. Check with your appliance vendor to find out if this is an issue.
- PBX/VoIP/Voicemail – A call system is still a central communication hub for any company. Also, with the popularity of Asterisk and other systems based on this technology, a phone system that is not managed properly can become a security vulnerability for the company if attacked. Some of the greatest problems you can face are abuse of the phone system to make non-business-related long distance calls, voice mailboxes being compromised, or eavesdropping.
- Asterisk is a free and open source Linux software platform that turns a computer into a voice communications server. Asterisk powers IP PBX systems, VoIP gateways, conference servers and more. It is used by small to large businesses, call centers, carriers and governments worldwide.
- If you’re still using a traditional PBX system, check out the following document from the NIST.
- Server Security/Hygiene – Most servers can be broken down into the categories below (such as file, web, email, etc.). Each type of server has its own security/hygiene concerns. For example, on an email server you have spam/file attachment filtering and anti-malware concerns. I would recommend that you have a standard server image that contains the latest patches, the latest version of your anti-malware software, and a locked-down OS configuration by default. This will help ensure that you mitigate unintentional security vulnerabilities.
- File – Your two greatest concerns on a file server are making sure your ACLs are set up correctly and that you have anti-malware software in place and up-to-date. You also need to be careful of unsecured file shares that contain confidential information.
- Web – If the web server is exposed to the Internet you want to make sure the server is locked down as much as possible (i.e.: use limited services/features/accounts), and you also want to remove any unnecessary files like documentation and sample code. For Intranet-facing servers you should follow similar rules when possible. It is also important to be aware of the file/application ACLs used by the web server. If web-based applications are not designed correctly, they can be vulnerable to SQL injection based attacks.
- See the DMZ section for more information about hosting Internet facing web servers.
- Email – With more than 95% of all mail being spam, phishing, and malware, hygiene on your email server has become critical. Most modern enterprise mail systems are going to come with built-in spam and file attachment filtering. If your email system doesn't support these features, there are 3rd party vendors that offer these services. It is worth noting that your email servers can be vulnerable to denial-of-service and port 25 attacks.
- Archiving emails for compliance reasons has been a recent hot topic that you will need to be aware of.
- All communications with your email server should utilize encrypted communications, whether it's accessed via an email client or a web browser.
- Database – Most companies rely on their databases to manage their business. Generally these servers are going to be prime targets of most attacks from intruders (both inside and outside). Maintaining ACLs with the right level of application and user access and data encryption will play a key role in the security of your data.
- Application – These types of servers can host an unlimited variety of services, from 3rd party commercial applications to custom in-house projects. So their individual security requirements will differ, and you will need to work with the application developer to determine them. However, managing the service accounts which these applications utilize plays a critical role in maintaining security on these servers.
- Collaboration Platform – This can be a web application like SharePoint that is used throughout the Enterprise to share information and files between users. User, site and file ACLs and anti-malware services are critical. Like file servers, you have to be careful of confidential data being published in unsecure locations.
- Directory Services – This is where all your user account information is stored, so like a database this can be a primary target of cyber attacks against your company. Also like databases, maintaining ACLs with the right level of application and user access will play a key role in the security of your directory services.
- On your Active Directory server, consider enabling LDAP signing to help prevent replay and man-in-the-middle attacks (for Windows Server 2008, see KB article 935834). Make sure to investigate the impact to your network clients before implementing this change.
Note: Microsoft is now including Best Practice Analyzers (BPAs) with recent versions of some of their products. They're also making the default installation more locked down to help ensure you have a secure configuration.
- Backup/Restore – In case of a disaster (environmental, physical, or data), backups are going to be one of your first lines of defense, unless you have a recovery site or cluster services. It's important to monitor your backup logs to make sure data is getting backed up. It's also important to do regular test restores of your data to make sure you're getting good backups. You need to make sure you're rotating your tapes on a regular basis so that at least one set of them is stored at a secure offsite location at all times.
- It's highly recommended that you use some type of encryption (hardware or software) to make sure that even if the tapes are lost, the data can't be recovered by someone who doesn't know the encryption key.
- Internet Proxy – Generally if there is an issue of inappropriate web surfing, the first place you're going to check is the logs. Also, depending on the proxy software you're using, you can use it as a web filter to control access to specific web sites. Some company policies lock down Internet access for the general employee population, others limit it, while others provide unfiltered access.
- Wireless Connectivity – Wireless connectivity has become a necessity for supporting mobile workers. However, it does open significant security holes in your network if not managed properly. You need to ensure that you're using the highest level of encryption and authentication available (such as WPA2 with EAP-TLS authentication and user and computer certificates). Also, placing the Wireless Access Points (WAPs) towards the middle of your building can help limit the signal outside your physical offices.
Note: A critical threat to any organization is rogue APs. These are unauthorized APs that users install on your network. These APs are generally not locked down and open gaping security holes in your internal network.
- Virtual Machines (VMs) and Private Clouds – VMs are a fairly new technology, but should not be treated any differently than a standard server configuration. However, all virtual machines rely on a host server; if an attacker can gain access to the host server, then the security of your VMs can be compromised. Also, depending on your VM server architecture, you might have what is classified by some as a 'private cloud' computing infrastructure.
- Public Cloud Computing – It seems like everyone these days that is hosting services on the Internet is calling it 'cloud computing'. Having these services and data hosted on the public Internet can create challenges for any security department assigned to manage them. Key considerations are user authentication management, secure communication between the cloud and the user, and security of the data stored in the cloud (i.e.: ACLs, local data encryption, availability and backups).
- Network Appliances – These devices are used to perform a variety of specialized tasks. Most of them will have a web interface that needs to be locked down. There must also be policies and procedures in place to perform regular upgrade maintenance on these devices as new software/firmware becomes available (this helps protect against known exploits being utilized). If your network utilizes IPSEC or IPv6, you may need to ensure that these devices can support it before purchasing them.
- Modems/RAS – Most companies are not using dial-up modems anymore, but it's still possible you might have some of these legacy devices hanging around. If you still use these devices, or if some of your vendors use them to perform remote maintenance on hardware installed at your site, be aware that they can provide a backdoor into your network that you might not be aware of.
- Regulatory Compliance – Certain businesses need to comply with specific compliance laws like HIPAA, Sarbanes–Oxley, etc. For example, these laws can mandate that IT departments establish processes for document/email retention, and more. Make sure to check with your company's legal counsel that has expertise in this field to let you know how you will be affected.
- It's important to lock down all application maintenance/management consoles that come as part of network-attached equipment (such as routers, switches, SANs, backup libraries, etc.) and 3rd party applications (such as Asterisk, monitoring software, etc.). Most of these management consoles still come with a default administrator password that is easy to find or guess.
- All physical access to your server infrastructure should be locked down, with limited access only by authorized personnel through use of some type of electronic access control system. If an attacker can gain physical access to your servers, all your other security measures can be easily circumvented.
- Isolate any infrastructure management (such as: IP/PDU, IP/KVM, and other network devices) or server remote management consoles (such as: iLO) to a private VLAN whenever possible.
- All the clocks on all your servers need to remain synced to a central source. It's easy to overlook this issue, but it's important to make sure that timestamps on your log files are correct.
Tip: One of the best ways to protect highly sensitive data or equipment is to isolate it from the main corporate network. This does make it more challenging to move data between the two networks. However, it can prevent a security breach by an outside attacker (note: these systems can still be vulnerable to inside attacks).
There is a great variety of free and commercial software available that you can use to monitor your equipment, manage security, deploy software/security patches and more. However, I will only discuss a few of the high-level categories.
- Log File Monitoring – Server log files are critical for a lot of reasons. They provide information about application and hardware problems. Also if there is a breach of security they can provide clues to how the system was compromised, as well as when and where the attacks came from.
- All log files should be backed up and locked down. They can be required in a security audit. They will also be an area where an attacker will try to remove his trail.
- Server/Workstation Patch Management – Patch management is a critical part of maintaining the security of your desktops and servers. With the popularity of zero-day attacks, making sure that the OS and applications have the most current patches is important. Microsoft regularly releases patches on Tuesdays (other companies have different release schedules). You also need to make sure you have processes and procedures for out-of-band deployments.
- Managing Service Account Password – Service accounts are one of those things that are easy to forget about until the application stops functioning and you have to diagnose the reason for the failure. It's important to have processes and procedures in place to manage all these accounts to make sure the passwords are changed on a regular basis.
- Vulnerability Assessment Tools – These tools can help you assess the security of your network by allowing you to run different types of controlled attacks against it. There are several vulnerability assessment tools available, some free and open source and others commercial.
- If you want a tool that is free and easy to use, check out the Microsoft Baseline Security Analyzer (MBSA). The MBSA can perform basic scans of Microsoft servers on your network and report misconfigurations it finds. Microsoft is also now including Best Practice Analyzers (BPAs) with recent versions of some of their products.
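The point made above under Log File Monitoring, that log files must be backed up and locked down because they are where an attacker will try to remove his trail, can be supported with a tamper-evident hash chain over the log lines. The following is an added example written for this article, not a feature of any product mentioned here; the log lines are constructed samples and the "separate log host" where the anchor digest is kept is an assumption about your environment.

```python
# Added example: a tamper-evident hash chain over server log lines. Each record
# stores SHA-256(previous digest + line), so removing or editing a line breaks every
# later link, and the final digest can be copied to a separate locked-down log host.
# This is not a feature of any product named in the article; the log lines are
# constructed samples.
import hashlib
from typing import List, Optional, Tuple

Record = Tuple[str, str]          # (log line, chained digest)
GENESIS = "0" * 64                # digest "before" the first record

SAMPLE_LOG = [  # constructed sample lines
    "2010-05-03T08:12:01Z srv-file01 logon user=jdoe result=success",
    "2010-05-03T08:12:40Z srv-file01 share=finance access=read user=jdoe",
    "2010-05-03T08:13:05Z srv-file01 share=finance access=write user=jdoe",
    "2010-05-03T08:15:22Z srv-file01 logoff user=jdoe",
]


def _link(prev_digest: str, line: str) -> str:
    """Digest of this record, bound to everything that came before it."""
    return hashlib.sha256(f"{prev_digest}\n{line}".encode("utf-8")).hexdigest()


def chain_log(lines: List[str]) -> List[Record]:
    """Build the chained records for a list of log lines."""
    records, prev = [], GENESIS
    for line in lines:
        digest = _link(prev, line)
        records.append((line, digest))
        prev = digest
    return records


def verify_chain(records: List[Record]) -> Optional[int]:
    """Return the index of the first record whose digest does not fit the chain, or None."""
    prev = GENESIS
    for i, (line, digest) in enumerate(records):
        if _link(prev, line) != digest:
            return i
        prev = digest
    return None


def anchor_of(records: List[Record]) -> str:
    """The value to store on a separate log host: the last digest (GENESIS if empty)."""
    return records[-1][1] if records else GENESIS


def verify_against_anchor(records: List[Record], anchor: str) -> bool:
    """Chain is internally consistent *and* ends at the digest recorded off-box."""
    return verify_chain(records) is None and anchor_of(records) == anchor


if __name__ == "__main__":
    recs = chain_log(SAMPLE_LOG)
    anchor = anchor_of(recs)          # assumption: copied to a separate log host
    print("intact:", verify_chain(recs), verify_against_anchor(recs, anchor))
    # A line in the middle is removed: the next link no longer fits.
    deleted = recs[:2] + recs[3:]
    print("line deleted -> first bad index:", verify_chain(deleted))
    # The tail is truncated: the chain still verifies, but the anchor no longer matches.
    truncated = recs[:-1]
    print("tail truncated:", verify_chain(truncated), verify_against_anchor(truncated, anchor))
```

The chain by itself only detects edits and deletions in the middle of a log; someone who can rewrite the whole file can simply recompute it, and dropping the newest records leaves a chain that still verifies. That is why the last digest has to live somewhere the server's administrator cannot write to, and why the off-box comparison in verify_against_anchor is the check that actually matters. Replacing the plain hash with an HMAC under a key held only by the log host is the next step up.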
The security requirements for these offices can vary depending on the number of employees and the amount of equipment deployed. For the most part they will utilize the same corporate security policies and procedures, but you might have to make a few accommodations for the unique nature of these locations.
- Network (LAN/WAN) – How you set up the WAN connectivity with the corporate office will determine the security requirements for this location. For example, if you use VPN connectivity over the Internet, you need to make sure that the firewall is monitored and managed on a regular basis. As far as the wired and wireless LAN goes, generally the corporate security policies and procedures will apply to this equipment.
- Phone/VoIP Services – Like the main corporate office, phone services can be critical for these locations. The service/equipment you will be using will determine the security requirements. Generally the corporate security policies and procedures will apply.
- File Replication – Microsoft includes a new feature in Windows 2008 R2 called BranchCache. It allows file and web content to be cached at the regional branch office for faster file access. As with file servers, ACLs and file hygiene are going to be key considerations.
- Remote Management – Any servers or workstations in your branch office will require remote management from time-to-time. It's also important to have IP/KVM and remote power management for all network and server hardware.
You can have the best security hardware and software, and your organization can still be vulnerable to browser-based threats and social engineering through phishing attacks. My point is that there are several attack vectors you have to consider, and there is always a weak link somewhere. All you can ever do is mitigate any damage and reduce the consequences of an attack.
- Workstation Security – Similar to servers, workstations should ideally be built from standard images that are locked down by default, with anti-malware and group policies enforced through directory services. Depending on the security requirements of your data, you may want to enforce file or drive encryption. I would also recommend that, whenever possible, users run with a limited account and not with administrator privileges. If users do require administrator privileges, then enforce the UAC (User Account Control) feature at the maximum setting via a group policy.
- File/Disk Encryption – Windows Vista and higher supports file (called EFS) and disk encryption (called BitLocker).
- Windows Security Policies – Active Directory allows you to push security policies out to the Windows server and desktop OS. These policies can limit or grant access to OS features and configurations.
- Laptop Security – Laptops pose a significant security risk to any organization if they are lost or stolen. I would suggest that you use the recommendations I made for workstations, with the exception that full disk encryption should be mandatory. You should also look at technologies that allow you to perform remote data wipes or locate the device if it's lost or stolen.
- For more information on remote data destruction/device recovery services for laptops, check out Absolute Software's 'LoJack for Laptops'. Some laptops have a feature like this embedded in their BIOS; check with your laptop's manufacturer for more details.
- New laptops should be purchased with a TPM chip (also known as a Trusted Platform Module). This is a secure cryptoprocessor that stores cryptographic keys used to protect information. Technologies such as Windows BitLocker use this feature to protect the keys for its disk encryption.
- Mobile Device Security – Mobile devices such as the iPhone, iPad, Android, and Windows Phone, like laptops, have become a critical tool of the remote office worker but also pose a significant security threat if lost. Also like laptops, you have to enforce device locking, file system encryption, and remote data wiping policies before you allow them to carry your organization's data.
- For more information see the following article
- Portable Storage Devices – Technology (such as USB flash drives, MP3 players, etc.) keeps getting more and more pervasive. The amount of storage these devices have seems to increase exponentially every day while form factors keep getting smaller. For some organizations these devices are not an issue, while for others they can pose a major threat. I have actually heard of some businesses that go as far as putting epoxy in the USB ports to prevent them from being used.
- Anti-Malware – The number of available anti-malware solutions is large, but not all of these applications are created equal. Some vendors have higher detection rates for new threats, while others might be less system resource (RAM, CPU) intensive. It's also important to find a solution that has a central management console to administer all the remote clients.
- For current test results of popular anti-malware products, check out www.av-test.org.
- Remote Access – The security of your environment will determine your remote access policies for your employees and contract labor. There are several solutions available to deploy this technology, and I would recommend two-factor authentication (such as a password plus an OTP [One Time Password] token or smartcard). It's important to use NAP technology to make sure remote system health (i.e.: security software and hot-fixes are installed and up-to-date) complies with the corporate security standard.
- Web Access – Corporate web access policies defined by HR or executives vary between different organizations. Some have very strict policies that are enforced by proxy while others have little or no restrictions. No matter what types of policies are in place, you need to check if there are business or legal requirements for maintaining web proxy logs of employee activity.
- VoIP, Email and Instant Messaging – Outside services such as non-approved VoIP softphones, email and Instant Messaging (IM) services have management issues (such as confidential unencrypted information accidentally being transmitted over a public network). There should be business/personal use policies defined by HR or executives for how employees can use this technology on your organization's equipment. There are also monitoring issues to take into consideration. Preferably you should have a global IM solution that incorporates logging and encrypted communications, such as Microsoft Office Communicator.
- Video Conferencing/Online Meeting – With the high cost of business travel, video conferencing and online meeting solutions are becoming the technology of choice. There are several solution providers such as GoToMeeting, Microsoft Live Meeting, etc. As these technologies continue to evolve and gain broader acceptance, security policies requiring encrypted communications should be enforced.
- Software Piracy – This is a global problem that has been around for decades. Even if you know that all the software installed on your equipment by the IT department is licensed properly, be aware that employees will sometimes install pirated versions of software for one reason or another. If this software is found by a BSA (Business Software Alliance) audit, your company can face stiff fines and negative media attention.
- If you have Windows 7 installed on your domain-joined client machines, this version of the OS supports an 'application whitelist' group policy feature (known as AppLocker) that only allows approved applications to run on the local machines.
- Equipment Disposal – One of the primary security concerns with the disposal of old equipment is that hard drives, and other types of storage media (such as data backup tapes), often contain confidential data. Any mountable hard drives or OS-mounted storage devices (such as an external hard drive or USB flash drive) can be wiped with DBAN. Magnetic media can be wiped by using your tape library's drives (see your tape management software's help files to find out what features it supports) or you can use a media degausser that has a strong magnet.
- Printer/Photocopiers/FAX – An obscure fact: copiers, and some printer/fax machines, include hard drives that retain copies of all the documents that were duplicated. This can become a security liability to your organization if these drives are not wiped before the disposal of the old equipment.
The nature of your business and/or the competitiveness of the field you work in will generally determine how susceptible your organization is to industrial espionage. I would say if there is a great deal of money, or classified equipment or data, then you become a greater target for cybercriminals.
There are a few technologies that you need to watch out for:
- Keyboard loggers – Can come in two forms, generally either as software or hardware, and both can be difficult to detect. These devices can record anything typed on a keyboard, and transmit the data to a remote destination.
- Rogue Network devices – These can be devices such as a packet analyzer that is installed between a computer and/or critical network junctions (such as the connection between your ISP and your perimeter router). These devices can be set up to filter and capture specific types of unencrypted data.