Licensed under the Creative Commons Attribution License
Danny Lieberman
http://www.dannylieberman.info [email protected] http://www.controlpolicy.com/
Data security for an SMB
Fly first class on a budget
“Any large company is made up of a large number of small businesses.”
Bill Gates, circa 1998, explaining why Microsoft workgroup products were a good fit for big enterprises.
Agenda
• What threats should concern an SMB?
• SMB awareness of data security
• Cultural factors
• What data should an SMB protect?
• Is anti-virus enough?
• Is a firewall enough?
• Servers in the office or in the cloud?
• Planning for disasters
• Fly first class for cheap
What threats should concern an SMB?
• Data security is ugly
– Loss of IP
• Trusted insider theft
– Mail, Web, IM
– Smart phones
• Front-door attacks
– Lost passwords make it easy
• Back-door attacks
– Spyware, Trojans
– Piggy-back on legitimate sessions
SMB awareness of data security
• Market research performed by Infowatch in September 09
– 99% of 190 SMBs were aware of data breach issues.
– Over half focused on IP protection
Infowatch CEO Natalya Kaspersky
Cultural factors
• Americans
– Rule-based
– Technology
– Lots of regulation that doesn't work
• Europeans
– Principles-based
– Discipline
– Regulation that appears to work
What data should an SMB protect?
• Credit cards
– Usually not an issue for SMB merchants
• Most have less than 1 million transactions/year
• Most outsource payment processing
• Can comply with PCI DSS using a self-assessment questionnaire
• Intellectual property
– A small firm can have extremely valuable IP
• Manufacturer, design house, hi-tech startup
• Designs, algorithms, commercial agreements
• IP theft can put an SMB out of business
Is anti-virus enough?
• The good news
– Good AV software can detect and prevent certain kinds of attacks that steal data
• The bad news
– Anti-virus software is worthless against trusted insiders, phishing and man-in-the-middle attacks.
Is my firewall enough?
• There is no good news
– A firewall creates a false sense of security
– Cannot stop trusted insiders
– Anyone can violate the privacy of other employees
– Cannot stop targeted Trojans from stealing data over open FTP or high-numbered ports
• If you shut those ports down, employees will take their data home....
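The slide's point is that a firewall which allows outbound FTP and high-numbered ports will pass a data-stealing Trojan's traffic. What a firewall does give an SMB is a connection log, and reviewing that log for unexpected outbound connections is the cheap compensating control. The following is an added example, not part of the original slides: it parses a handful of constructed firewall log lines (the line format, the 10.0.0.0/8 internal range and the allow-list of expected ports are all assumptions) and flags allowed outbound connections to FTP or to high ports the business does not normally use.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Outbound ports this hypothetical SMB actually needs (mail, web); assumption for the example
EXPECTED_PORTS = {25, 80, 443}
FTP_PORT = 21

# Constructed log line format: "<date> <time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<verdict>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_internal(ip: str) -> bool:
    """Assumed office LAN range for the example: 10.0.0.0/8."""
    return ip.startswith("10.")

def suspicious_egress(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, reason) for allowed outbound connections that
    a data-stealing Trojan could use: FTP, or a high port outside the allow-list."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["verdict"] != "ALLOW":
            continue  # unparseable or already blocked by the firewall
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external traffic is egress
        if dport == FTP_PORT:
            findings.append((src, dst, dport, "ftp"))
        elif dport > 1024 and dport not in EXPECTED_PORTS:
            findings.append((src, dst, dport, "unexpected high port"))
    return findings

def hosts_to_check(findings) -> Dict[str, int]:
    """Internal hosts ranked by number of suspicious connections, for the owner's to-do list."""
    return dict(Counter(src for src, _, _, _ in findings))

# Constructed sample log; addresses are documentation ranges, not real hosts
SAMPLE_LOG = [
    "2009-09-14 09:58:02 ALLOW TCP 10.0.0.12:51324 -> 203.0.113.7:443",   # normal HTTPS
    "2009-09-14 10:02:11 ALLOW TCP 10.0.0.12:51330 -> 203.0.113.7:21",    # FTP upload to outside
    "2009-09-14 10:05:45 ALLOW TCP 10.0.0.31:49200 -> 198.51.100.4:6667", # high port, not on the list
    "2009-09-14 10:06:01 DENY TCP 10.0.0.31:49201 -> 198.51.100.4:4444",  # firewall already blocked it
    "2009-09-14 10:09:17 ALLOW TCP 203.0.113.9:40000 -> 10.0.0.5:80",     # inbound, not egress
    "not a firewall line",                                                # ignored
]

def run_sample():
    return suspicious_egress(SAMPLE_LOG)

if __name__ == "__main__":
    for src, dst, port, reason in run_sample():
        print(f"{src} -> {dst}:{port}  ({reason})")
    print(hosts_to_check(run_sample()))
```

The allow-list is deliberately short: an SMB with a fixed set of SaaS providers can enumerate the ports it needs, and anything else leaving the office is worth a question to the user before it is worth a new firewall rule.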
In the office or in the cloud?
Wake up and smell the hummus
– Hosting your own mail/Web servers in the office is a bad idea
• Attracts attackers like flies to honey
– Use a service like Google Apps
• They may read, but they won't steal
Planning for disasters
• Take regular backups
• Use a professional hosting service
– Calculate the cost of loss of business
– Spend the right amount
• Build an employee ERT
– Emergency response team
– Train once every 3 months
– Know where the keys are
Fly first class for cheap
• Policy
• Enforcement
Fly first class for cheap
• Policy: the 10 commandments are free.
• An AUP reduces the number of employee options by default
– No “opt-in” check box
AUP: read-and-understand agreement
An Approved Usage Policy states that:
“Digital channels are to be used to further the company’s business and improve customer service and not for personal entertainment or gain”
“Employees will protect the company's digital and physical assets”
Digital Assets
• Any computerized information that the firm uses to compete or accomplish its missions
– Customer pricing
– Intellectual property
– Biz dev plans
Enforcement
• Corporate culture
– A little fear in the workplace is not a bad idea (Andy Grove)
• Everyone signs, owner first
• DLP “Light”
– Mail and Web
– Alert and/or block violations
– SMB solutions available for $10k
DLP “Light” for SMB
[Diagram: data sources (Database Server, File Server); channels (SMTP, HTTP); DLP stages (Policies, Interception, Alert or Block, Reporting, Forensics)]
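The DLP “Light” slide names the pieces an SMB product has to have: policies over the digital assets listed earlier (customer pricing, intellectual property, biz dev plans), interception of mail and Web, an alert-or-block decision, a report for the owner and a forensic record. The following is an added example, not code from the slides or from any product: it strings those stages together over constructed outbound events. The company domain, the rule patterns and the sample messages are all assumptions chosen to illustrate the flow.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

COMPANY_DOMAIN = "example.com"  # assumed internal domain for the example

# Policies: (asset name from the "Digital Assets" slide, content pattern, action). Constructed rules.
RULES: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("customer pricing", re.compile(r"\b(price\s*list|customer pricing)\b", re.I), "block"),
    ("intellectual property", re.compile(r"\b(algorithm|design doc|source code)\b", re.I), "alert"),
    ("biz dev plans", re.compile(r"\b(biz\s*dev|business development) plan\b", re.I), "alert"),
]

@dataclass
class Event:
    channel: str      # "SMTP" (mail) or "HTTP" (web upload)
    user: str         # internal sender
    destination: str  # recipient address or web host
    content: str      # message body or upload excerpt seen at the interception point

@dataclass
class Decision:
    event: Event
    policy: Optional[str]
    action: str       # "allow", "alert" or "block"
    evidence: str = ""

def is_external(destination: str) -> bool:
    return not destination.lower().endswith(COMPANY_DOMAIN)

def inspect(event: Event) -> Decision:
    """Interception + policy: internal traffic passes; on external traffic the first
    matching rule decides whether to alert (let it go, tell the owner) or block."""
    if not is_external(event.destination):
        return Decision(event, None, "allow")
    for name, pattern, action in RULES:
        m = pattern.search(event.content)
        if m:
            return Decision(event, name, action, evidence=m.group(0))
    return Decision(event, None, "allow")

def report(decisions: List[Decision]) -> Dict[str, int]:
    """Reporting stage: a count per action is all a small business owner needs weekly."""
    return dict(Counter(d.action for d in decisions))

def forensic_log(decisions: List[Decision]) -> List[str]:
    """Forensics stage: one line per violation with who, channel, where and the matched text."""
    return [
        f"{d.action.upper()} {d.event.channel} {d.event.user} -> {d.event.destination} "
        f"policy={d.policy} evidence={d.evidence!r}"
        for d in decisions if d.action != "allow"
    ]

# Constructed sample traffic; external domains use reserved .example names
SAMPLE_EVENTS = [
    Event("SMTP", "dana@example.com", "sales@example.com", "Attached is the Q3 price list for the team"),
    Event("SMTP", "dana@example.com", "friend@webmail.example", "Here is the customer pricing sheet you asked for"),
    Event("HTTP", "eli@example.com", "paste.example", "Uploading the routing algorithm source for review"),
    Event("HTTP", "eli@example.com", "partner.example", "Quarterly newsletter draft for your review"),
    Event("SMTP", "ron@example.com", "vc@investor.example", "Please find the business development plan attached"),
]

def run_sample() -> List[Decision]:
    return [inspect(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    decisions = run_sample()
    print(report(decisions))
    for line in forensic_log(decisions):
        print(line)
```

Two design choices carry the slide's message. First, the policy is deliberately short and tied to the named digital assets, which is what keeps the product in the "light" price range. Second, "alert" is a real outcome rather than a weaker "block": a design document mailed to a partner may be legitimate, and the owner who reads the report is the one who can tell.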
Coming attractions
Register online for:
• Oct 8: SMB data security
• Oct 15: Data security as a business objective
• Oct 22: A holistic approach to security and compliance
http://www.controlpolicy.com/workshops/
Learn more
• Read the Data Security Blog
http://www.software.co.il/wordpress/
• Presentation materials and resources
http://www.controlpolicy.com/workshops/data-security-workshops/