By the use of some common sense and implementing some of the security solutions available in the market, we can make sure our SMB becomes security self-sustainable for years to come.
The spectrum of systems technology has changed so much in the last years, that is very difficult to keep track of what is the best way to keep systems secure.
The easiest way to approach this challenge is to first apply common sense to each layer of our digital assets, starting at the physical and infrastructure layer, followed by the system or server layer, and finally the users' PC's, known in the security world as the "End Point".
If any one of these layers is compromised, then the entire system becomes susceptible to intrusion, identity theft and/or data leakage.
Lets look at each layer in separate:
1.) Physical and Perimeter Layer:
- Servers and routers must be placed in a secure location, not accessibly physically to anyone who shouldn't have access to them. Only system administrators should have access to this area.
- If the business network is connected to the internet (most of them are nowadays) use an appliance firewall or UTM (Unified Threat Management System) to connect to the internet. UTM's are fairly inexpensive, and there are multiple solutions available in the market.
2.) Systems and Servers layer:
- Each server must have its own firewall activated. Make sure to close all unused ports.
- Keep all servers' OS and software up to date with a patching strategy. If possible, patches should be applied automatically everyday.
- If its not an overkill for the system administrator, apply recommended security configurations based on the NSA documents for hardening systems for each server. How much effort to put into hardening should be directly proportional to the value and sensitivity of the data that could be subject to attacks.
- Change default passwords and use complex password schemes.
- Make sure applications and domains are set to ask users to change passwords every 3 moths or so. Also use complex password schemes for end users.
Again the degree of effort and inconvenience that this may represent for your users is directly related to the value and sensitivity of the data they need to access. More sensitive or valuable data should require harder passwords that are frequently changed. - Communications to servers over the network should always be encrypted if possible. i.e. use SSL for web applications, SSH for terminal connections, SFTP for secure transfer of files, etc.
3.) End Point Layer (user PC):
- Install and configure a good end point solution like eEye Digital Security Blink. This will protect your end point clients from viruses, intrusion, phishing, zero day attacks, identity theft and data leakage.
- Configure the end point to install all updates automatically for the OS and all the software utilized in your organization.
4.) All Layers:
- Run a vulnerability assessment for your entire network at least once each quarter. There are companies like GB Advisors that can provide this service, or sell the software required to run this type of assessments. The resulting reports will provide an insight of your network vulnerabilities and how to fix them. Because system vulnerabilities are discovered every day, companies should have vulnerability assessments done to their network on a regular basis.
Important note: Digital security changes every day, as a minimum you should have an 8 hour research about digital security once or twice a year.
Hope this provides an open guide to start looking as security as part of your IT strategy, if it isn't already.
