IT Security for the Small Business

Structured IT Security is generally seen as the domain of the medium to large enterprise as it can be an expensive exercise to implement properly, and requires hard-to-find skills. However, there are a lot of areas a small business can tackle to improve their security status considerably without breaking the bank.

I’ll simplify this process and go through some of the low hanging fruit in this blog post. Note that in this simplification, I’ll potentially leave out more complex topics or scenarios, so please consider the target audience this blog post is aimed at. For more complex topics, please contact me directly.

General

It’s important to understand that IT/Cyber Security covers an absolutely vast array of product categories and capabilities, some of which don’t apply to small business or are less important. The aim for small business is to identify the simple tasks that bring the most benefits in security, with an acceptable cost.

The process is

  • compile a list of all areas that require consideration in terms of security
  • prioritise and cost them
  • take action

Once all is said and done, there may still be gaps; and that’s where an incident response plan can play a part in mitigating security events within the scope and capability of your specific organisation.

The aim is to catalogue your requirements, remediate/protect what you can and have a plan to deal with the rest. This is an exercise that you can either do yourself as a small business owner or get an outside consultancy to do.

Let’s move on to some of the primary areas one needs to consider when talking security.

Primary areas of concern

1. Asset list and management

How do you know what to protect if you don’t know what you have? This crucial first step is often overlooked when dealing with security. It’s vitally important to catalogue all devices, systems and software in (and outside of) your organisation so that you can determine what needs protection, and what form that protection should take.

This can be as simple as putting a spreadsheet together with all your IT systems and their associated asset/serial numbers, or you can use a program specifically designed for this (like GLPI). Note that some asset discovery systems only deal with network devices and not the specific software tools used on those devices, so make sure you cover everything and don’t leave anything on the table. This should include ANYTHING that connects to your business network, as well as any devices and services used both inside and outside your network.

Once you have this list, you are ready to move on to the next step, which is to assign a severity level (how critical is this item to your business) to each system. This will help you prioritise each system in terms of security. Ask hypothetical questions like:

  • what happens if the PC with my accounting system or files fails or is compromised?
  • how do I continue operating when my internet connection fails?
  • how do I resolve a malware infection?
  • how do I recover from a ransomware attack?

2. Firewall or perimeter security

This is a device that sits at the bridge between your local network and the internet. A term that is well known but less understood: firewalls provide a choke point to control access to and/or from your local network, as well as providing security for content that traverses the firewall.

There are a number of different types of firewall, but for simplification, I’ll mention the 2 most popular options:

  • stateful firewall – these control access only and do not check the contents of traffic for security issues
  • next generation firewall (NGFW) – these devices provide a rich group of security features that check traffic content for a variety of security attacks

In the modern era of rich internet services, the standard stateful firewall is no longer suitable for protecting a network from security events. An NGFW is the minimum requirement one should aim for to provide reasonable security in today’s hostile environment. The following features can be found in NGFWs:

  • AntiVirus or malware protection
  • Intrusion prevention
  • Application identification and control
  • Web filter
  • DNS filter
  • Email/Anti-Spam filter
  • Botnet protection
  • VOIP/Voice protection
  • Authentication services
  • Inspection of encrypted traffic (DPI)

With the above set of features, an NGFW is well suited to protect networks against attacks. Saying that, it is vitally important to configure these systems properly – an improperly configured system can be as bad as having no system at all.

3. Endpoint Security and Protection (EPP)

This is a fancy phrase/synonym for Anti-Virus or Malware protection. It’s an application that is installed on a PC or server that protects that system against malware and viruses, amongst other security issues.

From Gartner (an industry analyst group):

An endpoint protection platform (EPP) is a solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.

There is varying quality in the applications available so one should look for the following features and capabilities:

  • uses little resources
  • has a high malware identification rate
  • has a low false positive rate
  • web filtering
  • email security
  • central or cloud management
  • vulnerability scanning

Trying to find an EPP solution amongst the sea of vendors is a difficult task so you can make use of VirusBulletin’s vendor list to assist you:

https://www.virusbulletin.com/testing/vb100/

AV-comparatives is another site that can assist – here is their latest test report:

https://www.av-comparatives.org/test-results/

Another type of endpoint security that has become popular in recent years is EDR, or Endpoint Detection and Response. The primary difference between EPP and EDR is that EPP is generally based on matching of signatures, while EDR is based on behavioural matching. Per Gartner once again:

The Endpoint Detection and Response Solutions (EDR) market is defined as solutions that record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems. EDR solutions must provide the following four primary capabilities:

  • Detect security incidents
  • Contain the incident at the endpoint
  • Investigate security incidents
  • Provide remediation guidance

EPP and EDR are distinctly different product categories with some overlap in specific areas – you would therefore use a combination of the 2 to provide you with a full endpoint security solution.

4. Email security

Considering that 80%+ of all endpoint infections occur through email, and more specifically through phishing attacks, email security is critical.

What protections can assist you:

  • an EPP and/or EDR client per the previous section that includes email security
  • specific email configurations (eg. don’t allow automatic loading of images and links, disable HTML, use SSL and TLS)
  • email security gateway – this checks emails in flight for security issues before they reach the mailboxes
  • anti-spam/phishing protection
  • end-user training

The last item is the most critical one and also the item where security falls down the most. End-users are typically not savvy enough to navigate email security properly, especially when they don’t have any training.

Consider doing security awareness training or phishing simulations with your end-users to improve their ability to identify and navigate security risks in email and other areas.

5. Data protection / Business Continuity

Protection of your data is a critical component of security and is primarily concerned with the backup of your data. It deals with making copies of your data in various ways and on various mediums. In the event that data is corrupted/destroyed/lost/etc., a copy of that data can be retrieved from a backup.

How does security factor in here? Ransomware groups specifically target the encryption/destruction/exfiltration of data as a method of operation, and this includes backups too. If you don’t have backups available or the backups have been encrypted or destroyed, then you have nothing to fall back on and your data will be permanently lost.

Many organisations have been forced to permanently shutter their doors due to ransomware and other attacks, as without valid backups, they have no way to recover from an attack.

I won’t go into specifics on data protection here except to say that your backup solution should be designed to protect against all eventualities, including security events.

6. Network design

If you have a network which includes either VOIP (phones) or DVR (cameras) devices, then you should consider segmenting your network to split access between these devices and your normal endpoints (eg. PCs, servers and printers). There are both performance and security reasons for doing this. The colloquial term for this is VLANing your network (splitting it into virtual LANs).

By splitting your network into distinct logical pieces, you can control access between these segments, improving security. For example, if a device is compromised in one logical segment, you may, by way of configuration, prevent that compromise from spreading to other segments.
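To make the segmentation idea concrete, here is an added example (not code from the original post) that models a default-deny inter-VLAN policy: four constructed segments, an allow-list of the only cross-segment flows that are permitted, and a function that shows what a compromised host in a given segment could still reach. The subnets, segment names and permitted ports are assumptions chosen for illustration; on a real network this policy lives in the firewall or layer-3 switch configuration rather than in a script.

```python
import ipaddress

# Constructed example segments (assumed subnets, not from the post): one VLAN per role.
SEGMENTS = {
    "office":  ipaddress.ip_network("10.0.10.0/24"),   # PCs and printers
    "servers": ipaddress.ip_network("10.0.20.0/24"),   # file server, PBX
    "voip":    ipaddress.ip_network("10.0.30.0/24"),   # desk phones
    "cameras": ipaddress.ip_network("10.0.40.0/24"),   # DVR/NVR and IP cameras
}

# Allow-list of cross-segment flows: (source segment, destination segment, destination port).
# Anything not listed is denied, so the default between segments is "no access".
ALLOWED_FLOWS = [
    ("office", "servers", 445),   # file shares
    ("office", "servers", 443),   # internal web apps
    ("office", "cameras", 443),   # staff viewing the NVR web interface
    ("voip",   "servers", 5060),  # SIP signalling from phones to the PBX
]


def segment_of(ip):
    """Return the segment name an address belongs to, or None if it is outside all VLANs."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, dst_port):
    """Evaluate a single flow against the inter-VLAN policy (default deny)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        # Traffic inside one VLAN is not policed by the inter-VLAN rules.
        return True
    return (src, dst, dst_port) in ALLOWED_FLOWS


def reachable_from(src_ip):
    """Cross-segment (destination, port) pairs a host could reach if it were compromised.

    This is the blast radius the segmentation buys you: a camera with no
    outbound rules cannot reach office PCs or servers at all.
    """
    src = segment_of(src_ip)
    return sorted({(dst, port) for s, dst, port in ALLOWED_FLOWS if s == src})


if __name__ == "__main__":
    print("camera -> office PC on 445:", is_allowed("10.0.40.7", "10.0.10.5", 445))
    print("office PC -> NVR on 443:", is_allowed("10.0.10.5", "10.0.40.2", 443))
    print("blast radius of a compromised camera:", reachable_from("10.0.40.7"))
    print("blast radius of a compromised office PC:", reachable_from("10.0.10.5"))
```

The point the output makes is the one in the paragraph above: the cameras and phones are allowed to talk only to the specific services they need, so a compromised DVR has an empty blast radius outside its own VLAN, while an office PC can still reach the shares and web apps it legitimately uses.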

7. Access control

This covers both network access control (eg. controlling access through a firewall) and service/application access control (authenticating users to a service on the network). It’s critical that you implement access control as the first point of access to any device or service. Without it, you have no control over who can access what on your network, potentially leading to uninvited access by either staff or attackers.

8. DVR/NVR and VOIP systems

DVRs (digital video recorders for security cameras) and VOIP systems (eg. internet phones) are systems that are installed in many organisations, including small businesses.

However, the installers of these systems are generally not security conscious/aware, let alone IT capable. In fact, the standard implementation of these systems by installers is typically insecure and puts organisations at risk.

DVRs especially (and I’ll mention cheap Chinese systems here for effect) have poor software quality and are often subject to vulnerabilities, and subsequent attacks and compromise.

By way of example, Hikvision, a popular security system used in South Africa, has an appalling security track record and is currently under attack due to a vulnerability.

https://mybroadband.co.za/news/security/457685-critical-security-vulnerability-affects-thousands-of-hikvision-cameras-in-south-africa.html

This kind of vulnerability can be mitigated and contained to an extent but that is dependent on a secure installation, of which most are not.

Do not depend on device installers to do secure installations – ask a skilled 3rd party to check the installation and make sure that it is secure.

9. Software, device and application updates

One can safely assume that all systems have security vulnerabilities that can be exploited. It’s just the nature of software development. These vulns are often found by security researchers poking holes in systems and then advising the vendors of the issues in their software. The vendor will then create a patch for the bug and publish this in a new software release.

It’s critical that you keep a record, per your asset management list, of all systems and regularly check the websites of those systems for software updates. And don’t restrict this to applications running on PCs or servers – every other device you have (including the aforementioned DVR system) could also have software patches available. Consider phones, printers, voice assistants, video conferencing and any other system or device that has a fixed or wireless network connection.

10. Cloud services

While the term “Cloud Services” has become very popular in recent years, it’s not a new thing – the concept of cloud services has been around for 50 years already, dating back to shared Unix systems in the 70’s.

What is new is that many more people are making use of these arguably more accessible variants that have sprung up in recent years. This includes productivity solutions like Office 365, Google Suite, SAP and Sage, to social media systems like Facebook, Instagram and Spotify.

The critical concern here is that cloud service providers do not inherently, or by default, take responsibility for the security and protection of your data and applications in their clouds. For example, AWS maintains a shared-responsibility model document detailing what they specifically take responsibility for and what the client needs to do themselves.

https://aws.amazon.com/compliance/shared-responsibility-model/

You need to treat cloud services in the same fashion as you would your local services. Identify services, allocate risk, mitigate and have an incident response plan.

11. Authentication, MFA and password managers

As an addendum to cloud services, but not limited to them, you need to consider the authentication aspect of accessing any services. MFA or multi-factor authentication should be a staple tool used for authentication to cloud services. In addition, and with the standard recommendation to use unique credentials for each service, a password manager is essential.

MFA provides additional security (although not 100% guaranteed) for the authentication process and password managers provide a secure method of managing all the credentials that you have for various services.

12. DNS and domain protection

An aspect of businesses that often goes unchecked is the security of your domain and the management interfaces to those domains.

Attackers are targeting domain management as a method of getting to the domain records for a domain, altering them to point to fraudulent websites, and then infecting the users in that domain with malware or phishing attacks.

  • make sure you know who manages your domain
  • make sure access to your domain management tool is well controlled
  • confirm the contact details for all contacts
  • lock your domain
  • keep an offline copy of all your domain records
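The last item in the list is only useful if the offline copy is actually compared against what the domain serves. Here is an added example (not from the original post) of that comparison: two constructed record snapshots in a simple “name type rdata” form, a parser for that form, and a diff that reports records added or removed since the baseline. The domain names and addresses are documentation-range placeholders, and the changed A record and extra MX record in the second snapshot are constructed to stand in for the kind of alteration the paragraph above describes.

```python
# Constructed baseline: the offline copy kept from when the domain was set up.
BASELINE = """\
; offline copy of example.com records (constructed sample)
example.com.      A    192.0.2.10
www.example.com.  A    192.0.2.10
example.com.      MX   10 mail.example.com.
example.com.      TXT  "v=spf1 mx -all"
"""

# Constructed later export: www now points elsewhere and an extra MX has appeared.
CURRENT = """\
example.com.      A    192.0.2.10
www.example.com.  A    198.51.100.77
example.com.      MX   10 mail.example.com.
example.com.      MX   5 mx.example.net.
example.com.      TXT  "v=spf1 mx -all"
"""


def parse_records(text):
    """Parse 'name type rdata' lines into a set of (name, type, rdata) tuples.

    Blank lines and ';' comments are skipped; names and types are normalised so that
    cosmetic differences between exports do not show up as changes.
    """
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, rdata = line.split(None, 2)
        records.add((name.lower(), rtype.upper(), " ".join(rdata.split())))
    return records


def diff_records(baseline_text, current_text):
    """Records present now but not in the offline copy, and vice versa."""
    base, cur = parse_records(baseline_text), parse_records(current_text)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def names_to_review(diff):
    """Names touched by any change: the shortlist to check with the registrar/DNS host."""
    return sorted({name for name, _, _ in diff["added"] + diff["removed"]})


if __name__ == "__main__":
    result = diff_records(BASELINE, CURRENT)
    for kind in ("added", "removed"):
        for name, rtype, rdata in result[kind]:
            print(f"{kind:>7}: {name} {rtype} {rdata}")
    print("review:", names_to_review(result))
```

In practice the baseline is the export you keep offline and the current snapshot is a fresh export from your DNS host (or the output of a DNS query tool), run on a schedule; any non-empty diff that you did not make yourself is the signal to contact whoever manages your domain.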

13. Incident Response Plan / IRP

Sometimes, with the best intentions and actions, a breach or compromise still occurs. An IRP is a document that details what happens if you are breached, and what actions you can take to remedy the problem.

It may seem obvious in hindsight as to what actions one would take, but in the heat of the moment, a documented plan will allow you take immediate and efficient action which could mitigate the breach, and potentially save data, systems and information.

14. Vulnerability scanning and penetration testing

Often confused, these 2 security options are distinctly different.

Vulnerability scanning is the act of using a specific tool to check all your systems for known vulnerabilities. One can then remediate those vulns (eg. through patch upgrades) to resolve the issue. This is a medium cost option that can be automated depending on the solution used, with reports being sent to recipients for review.

Penetration testing is the highly skilled art of using a multitude of tools, including manual methods, to break into systems using either known or unknown vulnerabilities, or misconfigured options. This is typically an expensive option that can take place over a period of time as long as a few months.

The process in both cases is:

  • test
  • remediate/patch
  • re-test

Penetration testing is generally out of budget scope for small organisations, but vuln scanning should be on your radar. This, in conjunction with a good patch management solution and schedule, will increase your systems’ protection against attacks.

Conclusion

There are many other areas for consideration, too many to list here, and many of them are either not cost-effective for, or not applicable to, the smaller business.

But the main takeaway from this blog is that one should, at a minimum, take steps to:

  • find out what you have
  • find out what steps you can take to protect what you have

Once you have this information, and with consideration for your budget, take action to secure your systems appropriately.

Doing nothing is not an option when automated discovery and attacks are taking place on a daily basis.