Secure Ideas spends a lot of time working with organizations both large and small. And during this work, we deal with and help people trying to figure out what the threats and risks are in the wild today. For larger companies, this exercise is something they deal with often, but smaller organizations may not have the resources or the view to help them figure this out. A few weeks ago, I was able to present to a great organization that focuses on helping franchises work together and better themselves. I did a keynote presentation that we called Red Dawn: Protecting Small Organizations from Attacks.
[Image: The Original of course!]
The first thing people need to do as they evaluate their exposure is determine which types of flaws and threats are of concern to them. Please keep in mind that just because you may not be concerned does NOT mean that the flaw or threat is not going to be a problem. Many smaller organizations ask "why me?!?!?!" when they should know why. They have access to sensitive data and fast internet connections, and they have fewer controls than the large organizations. So they are easier targets.
The way that I find it easier to start is to come up with categories. This helps me determine how to deal with things. When I work with smaller organizations I tend to group things into two buckets: organized and unorganized threats.
[Image: So Anonymous is the Cuban army???]
The organized threat would include attackers and hackers that have grouped together into some hacktivist group. Another group that falls into the organized threat is employees or ex-employees. Anyone who purposefully targets an organization threatens a small organization with attack and exploitation.
[Image: Preventing malware with automatic weapons!]
The unorganized threat would be attacks or problems that didn’t purposefully target that organization (even if they purposefully targeted a vulnerability). A good example of this is malware. Malware often targets a particular vulnerability to get into the organization, but doesn’t typically care who the organization is.
Once an organization has an idea of the categories of threat, they can then start thinking about how to protect against these issues.
[Image: Protect your data]
One of the first ways to protect against both categories of issues is to have some form of network segmentation. Yes, most organizations have a firewall between the Internet and their internal resources, even if it’s just a simple Linksys router that blocks incoming traffic. But do they segment the point-of-sale system from the computer that everyone uses in the manager’s office? Do they provide wireless Internet access to their customers via the same connection they use to validate credit cards? It is usually pretty simple to separate the various parts of a network. Some of the more advanced devices from companies like Linksys actually offer this type of feature. Or you could use the next protection…
The second big way to protect a smaller organization is end-point protection. I know, I know, it’s obvious to us security people that things like anti-malware and a host-based firewall are simple ways to raise the bar for security. But it amazes me how often I find that an organization hasn’t installed anti-virus or has disabled the firewall on the Windows machines they use. These simple measures can help prevent the loss of sensitive data or the problems caused by a malware outbreak.
All organizations have sensitivities. These may be data that can’t be lost or just the availability of their machines. No matter how small or large, we need to work together to raise the bar on security!
If you would like to see a recording of James Jardine and me presenting this, it is embedded below.
Kevin Johnson is the CEO of Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.