SMEs usually are inclined to downplay or ignore network security threats, but they are actually exposed to the same level of threat as large companies. SMEs tend to embrace IT because of its ability to 'level the playing field' and help them compete with larger competitors. Smaller organizations also tend to rely on the cost efficiencies available through transacting and marketing online even more than their bigger cousins. There are dangers associated with these competitive advantages, however, that many SMEs either downplay or ignore. In reality, SMEs have to strike a tricky balance as they seek to take advantage of the global reach and considerable efficiencies of the Internet and conduct increasing amounts of business online. They have to open themselves and their networks up to achieve this, but need to make sure they remain secure while doing so.
The SMEs that downplay the risks usually believe that a firewall and anti-virus is enough to secure their infrastructure and sensitive customer data, but the latest research on cyber-crime suggests that IT security for SMEs is more than just preventing viruses and blocking spam. Those that ignore the risks habitually argue that they are so small they are not worth targeting and that hackers focus on larger organizations. This is simply not true. As any IT security expert will confirm, it is not a question of turnover, assets or numbers of staff, but a company's reliance on IT that determines its potential exposure. In actual fact, SMEs are typically exposed to the same level of threat as larger organizations, and can be hit especially hard when they experience a loss - either of productivity or sensitive client data - because they don't have the personnel or resources to tackle the issue adequately.
SMEs today may be relatively limited in size, but the communications services they require are no less diverse than those of larger companies. From basic telephony to broadband Internet and enhanced VPN services, SMEs require low-cost, high-performance access solutions. But this does not mean that their link to the world's communications backbone is necessarily guaranteed. Quite the contrary, SMEs represent one of the sectors with the largest market to be served in the communications landscape.
Service providers and SMEs should ideally be on the same page. Business customers want quality voice and data services that are competitively priced. Service providers, whether established telecoms or competitive ISPs, are always looking to expand their reach in up-and-coming access markets. The main challenge common to both established and greenfield operators is how to serve their last-mile business customers with cost-effective, attractive, high-performance services.
For some years, the question of the data center and the vulnerability of small to medium-sized businesses has been a subject of debate. Industry analysts say a smaller company needs to be protected just as much as a large company, but many SMEs feel they are not very exposed to threats because attackers tend to focus on larger targets. Although it may be tempting to skimp on vulnerability assessments and threat management, in many cases experts believe it is better to be safe than sorry. This sort of mentality really makes SMEs careless about the security of their networks. Not every hacker attacks large company sites, because most hackers feel that hacking a small business network is easy and that they have a slim chance of getting caught. So SMEs should at least have a network security department so that they can deal with these small-time hackers.
"Any company, large or small, is at risk in proportion to their dependence on information technology for their processes and business continuity," said Richard Stiennon, security "evangelist" and chief marketing officer at the security firm Fortinet. "Today, even the smallest businesses use computers for all their billing, accounts receivable and accounts."
The creation of these databases, coupled with the widespread use of email, makes many SMEs vulnerable to attacks, Stiennon believes. How vulnerable are many of these companies? Potentially more at risk than they might think.
Purpose of security
What is security all about? In short, managing risk. This tends to be quite a subjective process where the value of assets is considered in the light of some threat model that is linked to a system vulnerability. In considering the threat versus the vulnerability of the system, we get a measure of risk.
In the act of assessing risk, security engineers are particularly interested in three attributes of the information to be protected: confidentiality, availability and integrity. Put very simply, all of these attributes are placed into a melting pot, and a set of countermeasures are defined and implemented, with the result that the risk is managed.
These countermeasures can be categorized into a number of domains, including, but not limited to procedural, personnel, physical and technical.
Top Security Threats to SMEs
"Security threats for SMEs are as real as they are for enterprise organizations," said Eric Aarrestad, vice president of marketing at WatchGuard Technologies. "The tragedy is that many SMEs are simply unaware of the Unified Threat Management (UTM) that can fight against these threats."
It is difficult to find accurate, reality-based reports on what the network security threat really is for the average firm. This document lists the top 10 most common vectors of data compromise in our experience as security analysts for SMEs. We also suggest practical techniques and defenses to counter each vector.
Threat # 1: Insider attacks
In many SMEs, business records and customer information are often entrusted to a single person. Without adequate checks and balances, including network system logs and automated reports, data loss from within can stretch over long periods of time.
External attacks are attacks launched by opponents who were not initially allowed to participate in network operations. These attacks generally aim to cause network congestion, deny access to a specific network function, or disrupt the operation of the entire network. Bogus packet injection, denial of service, and borrowing are some attacks that are usually initiated by external aggressors.
The more serious attacks come from the second source: internal attacks. These are initiated by authorized nodes inside the network, and can come from both compromised nodes and misbehaving nodes. Internal nodes are identified as compromised if external attackers have hijacked authorized internal nodes and then use them to launch attacks against the network. Security requirements such as authentication, confidentiality and integrity are seriously at risk in networks with compromised internal nodes, because the communication keys used by these nodes could be stolen and passed to other colluding attackers.
Furthermore, nodes are classified as misbehaving if they are authorized to access system resources but fail to use these resources as they should. Internal nodes may misbehave to save their limited resources, such as battery power, processing capability and communication bandwidth. Attacks caused by misbehaving internal nodes are difficult to detect because distinguishing network failures from activity that exceeds normal behaviour is not an easy task.
Implement the principle of dual control. Implementing dual control means that for each key resource, you have a fallback. For example, you may choose to have a senior technician responsible for setting up your web and SMTP servers. But at the very least, login credentials for these servers must be known or available to another person.
Threat # 2: Lack of contingency
One of the biggest threats to SMEs relates to the business impact after a hack, intrusion or virus. Many SMEs lack a data-loss response policy or disaster recovery plan, leaving their business slow to recover and resume operations.
Companies that pride themselves on being "agile" and "reactive" often achieve this speed by abandoning standardization, process maturity and planning. Many SMEs have found that a simple data failure or compromise is disastrous when there is no Business Continuity Plan, Disaster Recovery Plan, Intrusion Response Policy, up-to-date backup system from which you can actually restore, or offsite storage.
Mitigation for lack of planning
Of course, if you have the money for it, hire an expert to help you develop sound information security methods. If you do not have much money to work with, leverage the good work others have done and modify it to suit your organization. The SANS Security Policy Project offers free templates and other resources that can help you write your own policies.
Threat # 3: Poor configuration leading to compromise
Inexperienced or underfunded SMEs often install routers, switches and other networking gear without involving anyone who understands the security ramifications of each device. In this scenario, an amateur networking guy is just happy to succeed in getting data and other traffic flowing. It does not occur to him that he should change the manufacturer's default username and password login credentials.
Hackers publish and maintain lists of default credentials (username and password) for nearly every networked device, and can easily take control of network resources if the default configuration settings are not changed.
Mitigation for poor configuration choices
Perform an automated vulnerability audit scan. If you cannot afford to hire consultants, you probably can afford a single, automated scan of your network. There are many, many "vulnerability management" products on the market at all price levels. Regular use of them should be part of your routine network maintenance.
Threat # 4: Reckless use of hotel networks and kiosks
Hotel networks are notoriously lousy with viruses, worms, spyware and malware, and are often run with poor overall security practices. Public kiosks are a convenient place for an attacker to leave a keylogger, just to see what falls into his net. Laptops that do not have up-to-date personal firewall software, anti-virus and anti-spyware can be compromised on the road. Traditional defenses can be rendered useless when the user literally carries the laptop past the gateway firewall and connects from inside the trusted zone.
In many small businesses, employees often take their computers home to work. On an unsecured home network, a business laptop could be dangerously exposed to viruses, attacks and malware applications.
Mitigating reckless use of hotel networks
Set and enforce a policy forbidding employees from turning off defenses. According to a survey commissioned by Fiberlink, 1 in 4 "road warriors" has admitted to modifying or disabling security settings on their laptops. Your policy should be that workers never turn off defenses unless they call and receive permission from you. Many popular anti-virus products can be configured so that they cannot be disabled, even by a user with local administrator privileges; check for such a capability in your current solution.
Threat # 5: Reckless use of Wi-Fi hot spots
A common ruse by attackers is to set up an unsecured wireless access point labeled "Free Public WiFi" and simply wait for a connection-starved road warrior to connect. With a packet sniffer enabled, an attacker stealthily sees everything the employee types, and is then able to use that data for their own ends.
Public wireless hotspots carry all the same risks as hotel networks, and then some. Attackers commonly set up an unsecured wireless access point that broadcasts as "Free Public WiFi." Then they wait for a connection-starved road warrior to connect. With a packet sniffer enabled, the attacker can see everything the employee types, including login information. This attack is especially harmful because the attacker pulls the data out of thin air, leaving absolutely no trace of compromise on the victim's computer.
Mitigating reckless use of Wi-Fi
Teach users to always choose encrypted connections. Ask them to connect through a virtual private network (VPN). This encrypts the data stream, so that even if eavesdroppers are listening in wirelessly, what they get is gibberish.
Threat # 6: Data lost on a portable device
Much SME data is compromised every year due to lost laptops, misplaced mobile devices and USB sticks left behind. Although encryption of mobile devices and use of strong passwords would mitigate many of these losses, many SME users simply fail to secure their mobile devices and data.
Much sensitive data is compromised every year when workers accidentally leave their smartphone in a taxi, their USB drive in a hotel room, or their laptop on a commuter train. When data is stored on devices, it is wiser for managers to stop thinking about what to do "if the device ever gets lost..." and instead think "when it gets lost..."
Mitigating data lost on portable devices
Manage mobile devices centrally. Consider investing in servers and software to centrally manage mobile devices. RIM's BlackBerry Enterprise Server can help you ensure that transmissions are encrypted, and if an employee informs you of a lost phone, you can remotely erase data from the lost BlackBerry. These measures will contribute greatly to minimizing the negative impact of lost devices.
Threat # 7: Web server compromise
Many SMEs are hosting their own websites without adequate protection, leaving their business networks exposed to SQL injections and botnet attacks.
The most common botnet attack today is against websites, and the fatal flaw in most websites is poorly written custom application code. Attackers have compromised hundreds of thousands of servers in a single stroke with automated SQL injection attacks. Legitimate sites are then made to serve malware, unwittingly spreading the bot master's empire.
Mitigating web server compromise
Audit your web app code. If, for example, a web form has a field for a visitor to provide a phone number, the web application must discard excess characters. If the web application does not know what to do with data or a command, it must reject it, not process it. Find the best code-auditing solution you can afford (whether a team of experts or an automated tool), with emphasis on finding out whether your code validates input properly.
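The phone-number rule above, shown as an added example that is not from the original document: the handler discards formatting characters, rejects anything outside an allow-list, and stores the value through a bound SQL parameter. The table name, pattern, length limits and sample submissions are assumptions constructed for the illustration.

```python
import re
import sqlite3

# Allow-list (assumed for this example): optional "+", then 7 to 15 ASCII digits.
PHONE_RE = re.compile(r"\+?[0-9]{7,15}")
# Formatting characters a visitor may reasonably type; these are discarded.
SEPARATORS = str.maketrans("", "", " -.()")
MAX_RAW_LENGTH = 32  # assumed upper bound on what the form field may submit


class RejectedInput(ValueError):
    """Raised when a submitted value does not match the allow-list."""


def normalize_phone(raw):
    """Return the canonical phone string, or raise RejectedInput."""
    if not isinstance(raw, str) or len(raw) > MAX_RAW_LENGTH:
        raise RejectedInput("phone: wrong type or too long")
    candidate = raw.strip().translate(SEPARATORS)
    if not PHONE_RE.fullmatch(candidate):
        # Unknown data is rejected, never "cleaned up" and processed anyway.
        raise RejectedInput("phone: unexpected characters")
    return candidate


def open_db():
    """Create an in-memory database with a hypothetical contacts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, phone TEXT NOT NULL)")
    return db


def save_contact(db, raw_phone):
    """Validate, then insert using a bound parameter (no string concatenation)."""
    phone = normalize_phone(raw_phone)
    cur = db.execute("INSERT INTO contacts (phone) VALUES (?)", (phone,))
    db.commit()
    return cur.lastrowid


def handle_form(db, raw_phone):
    """Form handler: returns ("accepted", row_id) or ("rejected", reason)."""
    try:
        return ("accepted", save_contact(db, raw_phone))
    except RejectedInput as exc:
        return ("rejected", str(exc))


# Constructed sample submissions: two legitimate, three that must be refused.
SAMPLE_SUBMISSIONS = [
    "+44 (20) 7946-0958",
    "555-0100",
    "'; DROP TABLE contacts;--",
    "5550100 OR 1=1",
    "5" * 40,
]


def run_demo():
    """Process every sample and return (statuses, rows actually stored)."""
    db = open_db()
    statuses = [handle_form(db, s)[0] for s in SAMPLE_SUBMISSIONS]
    stored = [row[0] for row in db.execute("SELECT phone FROM contacts ORDER BY id")]
    return statuses, stored


if __name__ == "__main__":
    statuses, stored = run_demo()
    for sample, status in zip(SAMPLE_SUBMISSIONS, statuses):
        print(f"{status:9} {sample!r}")
    print("stored:", stored)
```

A code audit of the kind recommended above would look for exactly the two properties shown here: every field has an explicit allow-list, and no query is built by concatenating request data.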
Threat # 8: Reckless web surfing by employees
Now more than ever, malware, spyware, keyloggers and spambots reside in innocuous-looking websites. Employees who venture into ostensibly safe sites may be unknowingly exposing their business networks to extreme threats.
A 2006 study by the University of Washington revealed that the sites that spread the most spyware were (in order):
- Celebrity fan sites (such as the type that give updates on the follies of Paris Hilton and Britney Spears);
- Casual gaming sites (where you can play checkers against a stranger)
- Porn sites (coming in at a surprising third place)
Social networking sites like MySpace and Facebook have taken the lead as virtual cesspools of spam, trojans and spyware. Employees who surf non-business-related sites end up inviting bot clients, Trojans, spyware, keyloggers and spam into the corporate network: the full range of malware.
Mitigating reckless web surfing
Implement web content filtering. Web filtering software, such as WatchGuard's WebBlocker, maintains databases (updated daily) of blocked URLs in dozens of categories. More categories mean more nuance. These tools help you enforce your acceptable use policy with technology.
Threat # 9: Malicious HTML email
There are attackers who send e-mails with malicious attachments. Today, the threat is hidden in HTML e-mails that contain links to malicious, booby-trapped websites. A wrong click can easily lead to a drive-by download.
The most common e-mail attack now arrives as an HTML email that points to a malicious, booby-trapped site. A wrong click can trigger a drive-by download. The dangers are the same as in Threat # 3, "Reckless surfing the Web," but the attacker uses email to get the victim to the malicious website.
Mitigating malicious HTML email
Implement an outbound web proxy. You can configure your local network so that all HTTP requests and responses are redirected through a web proxy server, which provides a single choke point where all web traffic can be monitored for appropriateness. The web proxy will not catch a malicious inbound email, but if a user on your network clicks a link in that HTML e-mail, that will generate an HTTP request that the web proxy can catch. If the user's HTTP request never reaches the booby-trapped website, your user does not become a victim.
Threat # 10: Automated exploit of a known vulnerability
More than 90 percent of automated attacks try to leverage known vulnerabilities. Although patches are issued regularly, a short-staffed SME may well fail to install the latest application versions and patches on its systems, leaving it vulnerable to an otherwise easily stopped attack.
Verizon's 2008 Data Breach Investigations Report compiles evidence from more than 500 data breaches spread over 4 years. Verizon's RISK Team revealed that 73% of the breaches came from external sources.
Negligent SMEs become victims if they do not install Windows patches in the same month the patch is released. But your network contains more than Microsoft products. Your patching routine needs to extend systematically to all the applications and OS components on your network.
Mitigating automated exploits
Invest in patch management. Patch management software will help you analyze your network, identifying missing patches and software updates and distribute patches from a central console, which dramatically increases your chances of having your entire network up-to-date.
Build an inexpensive test network. Even reputable companies can slip up. Therefore, we recommend installing a patch on a test system and seeing how it behaves before deploying it across your network. If you do not have a test network now, the next time you replace outdated desktop computers and servers, hang onto them and dedicate them to being your test network.
SMEs need to get serious
Quocirca predicted that over one third of small businesses expect more employees to work from home in the future and about 40% expect more employees who travel outside the office to need access.
This is double the number expected by large companies. Quocirca's findings show that SMEs are becoming important players in remote working. Remote computing is no longer a luxury, but really a critical element of employment, especially for employees such as sales representatives, engineers, nurses and field workers. Mobile workers are employed for a variety of skills, but are not necessarily sophisticated and are certainly not security experts. Yet, according to a Sybase iAnywhere survey, over 71% of enterprises leave responsibility for the security of mobile data in the hands of those users. The disconnect is clear.
For all companies, regardless of their size, trusting employees to work remotely is actually a scary concept. Very few employees intentionally introduce viruses or cause their device to stop functioning; however, many do just that inadvertently due to a lack of knowledge and understanding of their devices.
It is up to the company to make mobile management easy for the end user.
IT management in the mobile world is very different from IT management at a desk, and IT managers' failure to address this is where many mobile solutions have fallen down in the past. With IDC reporting that mobile work is expected to reach one billion workers worldwide over the next 12 to 18 months, embracing mobility is a question of "how" rather than "if."
SMEs implementing a mobility solution have the advantage of learning from a maturing industry, but they also critically need to ensure that security and management of mobile devices are in place for effective implementation.
Securing Sensitive Information
One of the serious problems companies face is that sensitive information on mobile devices can become accessible to all employees and/or the public if a device is lost or stolen.
Employees are constantly requesting devices with more memory that can store larger quantities of information, with large amounts of data actually living on the mobile device. Exposure to data loss presents a huge problem for SMEs not only in terms of the value of the lost data, but also in terms of the labor and expense of recovering lost or corrupted files and the effort of rebuilding a brand damaged by negative publicity.
It is essential to design an appropriate application for the work done on the device and to ensure that the device has security measures to protect the company. Companies must determine how they will use data from the device, and what programs and applications are required for each specific job function.
Companies also need to determine what will be stored on the device: for example, the full customer database or simply appointment-specific information? Security must be evaluated according to how data is stored; the requirements for effective data protection vary depending on whether data lives on the device or not. Businesses have a responsibility to protect customers against data breaches in order to maintain trust and brand perception.
Mobile Workforce Threats
One of the biggest threats to a mobile workforce is not hacking, but employees. Without malice, employees lose devices, leave them in trains, planes and taxis, or have them stolen from a car. It is rarely industrial espionage and is most likely accidental, but it still has a direct impact on the company.
When implementing a mobile security system, SMEs need to focus on two key requirements:
- Authentication - ensuring that the correct user, and only the correct user, is allowed access to the device, and
- Encryption - the process of transforming information to make it unreadable to unauthorized users.
Specifically, all sensitive data on a device must be encrypted, and if the SIM card is removed or the device is tampered with, the mobile device management solution is responsible for removing at least the sensitive data. All companies need a standard level of security to protect against lost or stolen phones, and this should be combined with Over the Air (OTA) protection for data transferred to and from the network.
Beyond these measures, companies should consider remote device kill as another key mobile security tool to prevent critical business information from ending up in the wrong hands. Time-delayed device wipe should be used so that if a device does not connect with its e-mail system or mobile device management server within a specified period, confidential data is automatically encrypted or erased.
In terms of productivity, it is essential to use the right equipment and implement appropriate security: the security requirements for an executive smartphone are extremely different from those for a rugged handheld used for meter reading.
One Stop Mobility Solution
Inevitably, the process of defining the objectives of a mobile solution will highlight both security and management as necessary, interdependent requirements. Companies cannot have a secure mobile workforce without full visibility of where and how devices are used.
Central IT must monitor activity levels and device usage to anticipate problems and continuously improve the system. IT needs to know what is happening and why, in order to make better decisions that facilitate success on the front line. Without effective management, device reliability varies, applications are not supported as well as those in the office, communication costs fluctuate and security threats are significantly increased.
Regardless of their size, companies need a single solution for both the mobile device management and data security on these devices.
By implementing a centralized management system, companies will have a scalable solution that is able to react quickly to business issues and security threats across the entire mobile workforce. IT managers can maintain control while giving frontline workers the information they need when they need it. In turn, the information collected by front-line workers can be automatically processed and distributed to everyone in the company who requires it.
Effective Mobile Device Management
Effective management of mobile devices gives you secure control over your data, devices and applications, while giving your front-line workers the freedom to do the job they were hired to do. It is essential for a successful mobile deployment to implement measures to monitor and protect mobile assets. By implementing a solution that proactively manages and secures mobile data, devices and applications, SMEs can improve efficiency, customer service and, ultimately, profitability. Effective mobile systems management is a must.
Top tips for security
Small businesses survive and thrive precisely because they can be more flexible than large companies. These small companies are often able to make the best use of remote access into the network (either via VPN on a PC or laptop, or from other mobile devices) to drive high returns and high levels of staff productivity.
Yet at the same time, with a greater variety of access devices accessing the network, there is an increased risk of threat to security.
Moreover, these threats are becoming more sophisticated, and the damage is therefore more difficult to control without the right processes and tools in place. So how can small businesses maintain the highest levels of data protection?
Ross Walker, UK & Ireland Director of Small Business at Symantec, gives the following top tips for small businesses looking at how they can protect the information that drives their businesses, keep it safe from threats, prevent loss of information whether accidental or malicious, and better manage and access data on their network.
1. Layer your security
It is important to protect your company in depth. Use an integrated endpoint security solution and ensure your security patches are up to date.
In addition, your antivirus definitions and intrusion prevention signatures must be updated regularly, and all desktop computers, laptops and servers should also be updated with the necessary security patches from the operating system vendor.
Consider deploying a personal firewall to help monitor network traffic to the edge devices that have access to your network. Also, be sure to activate the security settings on web browsers and to disable file sharing.
In addition, teach users to develop strong passwords with at least eight characters and a combination of numbers, letters and special characters.
Recent research has shown that people tend to use the same passwords every time they go online and over 1.7 million people are at risk of falling victim to Internet fraud. Ensure that your company is not in danger by changing all passwords every 45-60 days to make it more difficult for intruders to access your data.
Spam is the leading source of malware entering networks today. Spam not only diminishes productivity, it also puts pressure on storage requirements and bandwidth. Deploy integrated anti-spam at the mail gateway to proactively protect your environment.
2. Implement a network access control solution
All computers connected to the network and incoming / outgoing traffic should be monitored for signs of unauthorized entry and malicious activity.
Ensure all infected computers are removed from the network and disinfected as soon as possible. Also, create and enforce policies that identify and restrict applications that can access the network. To make sure they have the latest protection, small businesses should apply the latest operating system and security software and patches as they are released. To protect against successful exploitation of web browser vulnerabilities, upgrade all browsers to the latest versions.
3. Stay informed
Several companies publish reports that help define the threat landscape for small businesses. These reports can be viewed on their websites or found through online searches. This is an excellent way to stay informed on what you are up against.
4. Don't forget physical security
There are a number of routine physical security tactics that employees in small enterprises can use to help strengthen their companies' security defenses.
These include using the screen-lock function when away from the computer, shutting down the computer when finished for the day, locking laptops with a cable, not leaving passwords in writing, and being mindful of the physical security of devices and mobile phones, which are prime targets for theft.
5. Back up your data
For any number of reasons - disaster, human error, hardware failure, and so on - your system might go down. It is essential to back up important data regularly and store extra copies of the data offsite. Since tapes containing confidential customer and business data may be lost or stolen in transit, encrypting backup stores is a good idea.
6. Assess the network on a regular basis
Assessment needs to be made to accurately establish what systems are at risk and to what extent. It needs to include everything from the network itself (routers, gateway etc) to all servers, workstations and client data repositories within it.
It is very important to make these assessments on a regular basis to ensure the organization remains protected as it grows. So make sure the security consultant benchmarks the first set of metrics and then tests and reports against those at regular intervals.
Solution to Fortify Against Attacks:
The way to fortify against these attacks is to store and transmit data only after applying security measures. One commonly used technique is to cipher the data before transmitting it, so that no receiver can extract the data without having the proper key. Only the authorized person can then extract the actual information from the received data.
So I have devised a similar technique to secure the data by adding a specific value that changes with time. Even if some person steals the key, he or she would not be able to decipher the data without also knowing the exact point in time at which a specific value is applied to the data.
This can be shown graphically as:
MATLAB SIMULINK Implementation:
MATLAB SIMULINK Result:
As is clear from the above graphs, if the receiver has the correct key and timing, it is not a difficult task for it to decipher the received data. Now, let's assume that an unauthorized person tries to detect and decipher the data when:
- Receiver has the key but not the correct timing information.
- Receiver doesn't have the key at all.
The following graphs clearly show the difference and the impact on data security by just applying a simple technique.
In this scenario the receiver has stolen the key but doesn't know the exact timing information. Let us say that the receiver leads by one clock period when applying a specific key to the data.
The following graphs show the huge difference in the information extracted from the ciphered data caused by a marginal timing difference.
MATLAB SIMULINK Result:
In this scenario the receiver does not have any information of the key used by the transmitter to cipher the data. So the receiver can't decipher the data. Therefore the information transmitted by the SME network is secure.
The following result highlights this issue.
MATLAB SIMULINK Result:
The above result has proved the significance of ciphering to secure the data. The information extracted by the unauthorized receiver is highly uncorrelated with the actual information. So by just adding a few modules, which are not very costly, to an SME's wireless transmitter and receiver network, data security has increased manyfold.
There are a number of threats to SME wireless networks. If security measures are not taken seriously, the SME may be severely affected. There can be a number of solutions to secure the network and data. One technique to secure data while it is in some medium is to cipher it using a special key which is known only to the transmitter and the receiver. At the same time, the transmitter and receiver also share timing information so that the receiver can decipher the information exactly.
As is clear from the above simulation, if the data is ciphered there is a very low probability that the information can be stolen. In this scenario, the information can only be extracted accurately if the unauthorized receiver has complete knowledge of the key, the ciphering technique and the timing information. If the receiver is missing even one parameter, it is highly unlikely that the unauthorized person can obtain the information being transmitted.
Other threats can also be handled via the same technique. For example, to protect information from the internal threat, one can store the data in some kind of ciphered form. Only authorized persons should have the knowledge of how to extract the information from the stored data.
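The three receiver scenarios above can be reproduced in a few lines of Python. This is an added example, not the Simulink model from the original document: the document does not say how the time-varying value is generated, so deriving it from HMAC-SHA256 over the clock tick is an assumption made here, and the message, keys and start tick are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for the illustration.
MESSAGE = b"Invoice 1042: transfer approved for ACME Ltd"
SHARED_KEY = b"example-shared-key"
GUESSED_KEY = b"attacker-guess"
START_TICK = 5000  # clock tick at which the transmitter starts ciphering


def tick_value(key, tick):
    """Value (0..255) added to the data at a given clock tick.

    Assumption of this example: the value is the first byte of
    HMAC-SHA256(key, tick), so it depends on both the key and the time.
    """
    mac = hmac.new(key, tick.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[0]


def encipher(data, key, start_tick):
    """Add the time-varying value to each byte, one clock tick per byte."""
    return bytes((b + tick_value(key, start_tick + i)) % 256
                 for i, b in enumerate(data))


def decipher(data, key, start_tick):
    """Subtract the value the receiver believes was applied at each tick."""
    return bytes((b - tick_value(key, start_tick + i)) % 256
                 for i, b in enumerate(data))


def match_ratio(recovered, original):
    """Fraction of byte positions where the recovered data equals the original."""
    return sum(x == y for x, y in zip(recovered, original)) / len(original)


def run_scenarios():
    """Return what each receiver recovers from the same transmission."""
    sent = encipher(MESSAGE, SHARED_KEY, START_TICK)
    return {
        # Authorized receiver: correct key and correct timing.
        "key_and_timing": decipher(sent, SHARED_KEY, START_TICK),
        # Stolen key, but the receiver's clock leads by one tick.
        "key_but_clock_leads_by_one": decipher(sent, SHARED_KEY, START_TICK + 1),
        # No key at all: the receiver guesses one.
        "no_key": decipher(sent, GUESSED_KEY, START_TICK),
    }


if __name__ == "__main__":
    for name, recovered in run_scenarios().items():
        print(f"{name:28} match={match_ratio(recovered, MESSAGE):.2f} {recovered!r}")
```

Only the first receiver recovers the message; the other two get bytes that match the original at roughly chance level, which is the behaviour the result graphs describe.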
* Watch Guard White Paper