An SMB Security Blanket — Expert Tips from HP

by Lauren Simonds

Want to keep viruses, worms, Trojans and other nefarious security threats from running roughshod over your business? We ran a series of questions by an HP security expert — here's what we learned.

Manny Novoa, a technologist in HP's personal systems group, was kind enough to answer our security questions relating specifically to small businesses. He breaks down the types of security risks and the ways you can fight back.

SMBs hear a lot about protecting their data from internal and external threats. Could you define internal and external — and give examples of the ways these threats place a company at risk?

Many people are surprised to find that internal threats — not external — pose the greatest risk to your network. In fact, statistics show a staggering 80 percent of IT crimes originate internally. However, companies tend to fear external threats just as seriously.

Internal security threats
These can be caused by people within the company: a contractor or service provider, malicious insider, disgruntled employees or employees who have been recently terminated.

"Social Engineering" is also a new type of internal attack similar to "phishing" in which a malicious insider — with access to company information — tricks other users into providing access to restricted information.

For example, you receive an internal call from someone who claims to be from the IT group. You can confirm that person's name and position in the company directory. He proceeds to convince you that you're being moved to a new e-mail server and he apologizes for the slow network today. He tells you that in order to expedite your move, he needs your network password.

Here's another common scenario — an e-mail comes from your boss telling you to give someone else access to sensitive documents. We are social creatures, and inherently trust people we "know" — studies have shown that 70 to 80 percent of people would immediately supply their credentials.

Additionally, security could be threatened simply by careless employees who inadvertently put systems at risk by opening a virus-infected e-mail or by following self-perceived directions that they believe will protect the network when, in fact, they are deleting crucial applications.

An internal attack can range from file and data snooping, deleting valuable information, sharing private data with others (possibly external users), changing policies and database entries, and so on. Of course the extent of the attack will depend upon both the intent and the skill of the person involved. Obviously someone who is knowledgeable about the company network and its IT management practices can pose more of a threat than someone unacquainted with the environment.

External security threats
These originate from outside sources, either targeted at your company or randomly spread to your network through users or the Internet. External threats can range from Web site defacement and attacks targeting your business, to nasty viruses and worms that tunnel their way into any network and destroy or alter data and applications or monopolize system resources (denial of services) by duplicating and spreading themselves.

Trend Micro, the world's third-largest anti-virus software maker, recently reported that computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, a sum that is expected to increase this year.

How can SMBs protect themselves from internal threats?

If your business has an IT manager, it's important to initiate regular internal audits to gather a comprehensive analysis of your IT infrastructure — including its hardware, operating system and applications — for vulnerabilities. Outside vendors and consultants such as HP local service providers can help those small businesses that do not have an IT department or the resources to address this critical examination.

The most crucial component of internal technology security is a well-developed security program that educates everyone in your company on the process, technology and risks associated with vulnerabilities within your IT infrastructure.

No matter how much security technology you have in place, you can't be safe without support from your employees. Make certain they understand how serious you are about security — i.e., you shall not post your password next to your monitor, or you will be fired; don't open suspicious looking e-mail, don't provide your password to anyone, not your administrator, co-worker or even IT personnel.

Data protection is also paramount. Co-workers should not be able to access each other's files unless they are given explicit permission to do so. Smaller companies with only a single piece of more expensive equipment (such as a workstation, or a small pool of notebooks for the occasional traveler) for employees to share, should create separate user accounts for any systems that will be used by more than one person.

During the Microsoft Windows 2000 and Windows XP startup process, the software lets you set up multiple-user accounts. You can also place access controls on specific folders that restrict access to certain people. These two features together help ensure that only employees with the proper network permissions can access company data.

SMBs should also protect company information with a consistent data backup program. Performing daily data backup to an onsite, or preferably off-site, storage solution protects a company from losing significant portions of its critical financial data and intellectual property. These types of storage solutions range from very easy-to-use, low-cost tape backup products to more advanced storage arrays for archiving mass amounts of data.

And what about external threats?

To protect your small business from external security threats, institute a few basic precautions including firewalls, data protection, virus protection and patch management.

External and internal firewalls are both important to handle intrusion detection, which entails notifying the user of the nature and source of an attack in progress. It's advisable to apply a personal firewall on each system in addition to any appliance or company/centralized firewall.

This is especially important for mobile devices — such as laptops — that employees use for business travel and may use with broadband connections in hotels or cybercafes. Many of the personal firewall products notify the user when software on the device requests Internet access. This prevents certain viruses, games, etc. from inadvertently uploading data from your device.

HP offers customers three types of personal firewalls — standalone (software installed), appliance-based, and agent-based (software from a central policy server) — so small and medium businesses can choose which type best fits their IT infrastructure.

Data Protection
In the case of theft or loss of a notebook or handheld device, it's the data that becomes the clear concern, and not so much the loss of the physical device. For example, HP provides a DriveLock feature on notebooks that prevents the hard drive from working unless the user enters his password. That means a thief can't just access the data by plugging the hard drive into another machine.

HP provides different authentication options — ways for employees to identify themselves. These work well in situations where passwords won't work because a company must change them frequently.

HP desktop and notebook PCs use HP ProtectTools Embedded Security feature — an embedded hardware chip built to the Trusted Computing Group standard. This chip provides enhanced data encryption and system authentication, keeping data safe and ensuring that only PCs you've authorized have access to your network.

Smart Cards, credit-card-like security devices, combine both a physical element that an employee keeps (a Smart Card) with a password only the employee knows. The HP ProtectTools Smart Card Security solution features a pre-boot, power-on technology that requires the employee to insert the Smart Card before the system starts up.

This prevents data thieves from giving themselves authorization to your computer systems, which can be done quickly through a computer program if a Smart Card is only used for network authentication, as most traditional Smart Cards do.

You could also use a software solution that requires employees to implement data encryption on any sensitive company data, presentations or e-mail as an added barrier to accessing data. Features built into Microsoft Windows 2000 and Windows XP can encrypt data, as well as many third party products.

Virus Protection
Many anti-virus vendors now offer security solution suites that include firewall safety, e-mail protection, live updates and intrusion protection. Virus scanners and personal firewalls not only keep "outsiders" off your networks, they enforce policies that can prevent viruses and worms from spreading throughout your systems.

Patch Management
Glitches or bugs discovered in software after it ships may leave a system or network vulnerable to attack, so it's critical to maintain timely patch management.

Even a virus utility or personal firewall is only as good as the last update for "known" attacks. Proactive policies must be put in place that either "force" users to update patches periodically or that automate the update process. IT vendors offer a variety of technology patch management solutions to facilitate the process.


Which is the bigger security threat — human error or faulty technology?

Humans are by far the biggest threat - but not necessarily human ERROR. It's often a lack of knowledge that causes people to expose their company to outside security risks, and that's why it's so important to educate employers and employees on security policies. Hackers, virus creators and social engineers are certainly not "accidentally" causing harm. Their efforts are very deliberate.

Technology is a human invention, and the technology that runs business today is only as safe as we make it. Computers and other IT systems are machines — similar to cars in that they need regular maintenance to keep them running properly.

Maintenance is even more crucial now that cyber criminals constantly hunt for an open door into your business. Business owners and IT managers have a responsibility to keep their technology updated with the latest software and virus patches to keep their business safe.

How do new compliance regulations such as Sarbanes-Oxley and HIPAA impact SMBs?

These new federal regulations, such as the Health Insurance Portability and Accountability Act of 1996, known as HIPAA, include important new, but limited, health protection for employees. HIPAA's group market rules apply to every employer group health plan that has at least two participants who are current employees.

HIPAA is intended to prevent the unauthorized disclosure of a patient's "individually identifiable health information." To meet the HIPAA regulations, small businesses need to ensure computer security features are completely in place so that unauthorized users cannot access private patient data.

The Sarbanes-Oxley Act (SOX) was passed by U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations. This law impacts all public and private businesses including SMBs.

For instance, smaller companies must ensure the integrity of financial data by safeguarding infrastructure and processes against accounting errors and deceptive procedures.

Ensuring that your PCs are secure from unauthorized access and data interception with technology hardware and software security solutions can help small businesses meet these regulations.

What advice do you have for companies that don't have an IT staff?

It is important for small businesses without an IT staff to rely on experts to proactively protect their business from security threats. Look to local partners with the expertise to help with technology issues.

HP provides its partners with the assets and the capabilities they need to successfully support their SMB accounts. HP also provides SMB customers with solutions designed to integrate existing infrastructures. HP makes sure SMBs have the necessary building blocks to address increasing productivity, lower costs and ease of ownership. In addition, we provide our customers with white papers, Q&As and how-to articles to help them with security implementations.

Does the size of the company change the way it should look at security?

While the threats remain the same for all SMBs, it will obviously be much easier to manage security risks in the smaller businesses, as opposed to the larger, medium-sized businesses. Virus protection software, company security policies for end users and a data backup solution are a must for organizations of all sizes.

For businesses with less than 10 employees, the need for automated upgrade and patch management systems is less critical, due to the small number of systems to maintain. Physical security is also less of an issue, as it's also much easier to keep an eye on 10 employees than 50.

The main focus should be on virus protection, data protection and educating employees on best security practices. A simple storage solution such as tape backup, and a network firewall are good fundamental ingredients. For employees that travel with their systems, don't forget to protect the data as discussed above.

Any company with more than 10 employees — and without an IT staff — should consider outsourcing their network support to a trusted vendor. For companies with an IT staff, the larger the company, the greater the need for software that automates system management and automatically updates critical security patches and upgrades. A thorough security policy — including basic IT security training for all new employees and strict user access policies — is crucial.

There is also a greater need for user authentication. A network firewall is a must, and hardware-based user authentication is an even more important feature, as greater numbers of users will have access to the network. Depending on how much archival data needs storage, companies should consider a storage array or network attached storage solution.

Are SMBs fully aware of the security risk introduced by Wi-Fi networks?

SMBs are very aware of the security risks they face. In fact, in a recent survey conducted by Penn, Schoen and Berland Associates, 49 percent of small and medium business respondents said the security of their company's computer system had been threatened in the past year. Wireless security is not a separate network infrastructure that requires entirely different procedures and protocols, but there are a few simple steps SMBs can take to make their wireless networks more secure.

First, change the default network SSID (network name) on your wireless router/access point. If it's possible to turn off broadcasting the name of the SSID, then do so. That way, only users that know your company SSID ahead of time can connect to your network. For smaller networks, you can also restrict access only to "known" network card addresses (low level MAC addresses). Many wireless access points and/or wireless routers let you lock out non-registered network cards from the network, preventing outsiders from accessing your network connection.

You should also turn on some form of encryption on the wireless traffic, such as Wireless Encryption Protocols (WEP). Activating rotating encryption keys for WEP encryption at regular intervals (say monthly), or implementing a "dead" wireless network can keep this type of encryption most secure.

A "dead" wireless network assigns network addresses to individual systems, but does not connect to the internal network infrastructure. Users must then use the company VPN to access the internal network, keeping each user connection into the internal network protected with unique and secure encryption keys.

Finally, develop a security policy that combines both wired and wireless security to leverage management and cost advantages. For example, integrate a single user ID and password requirement for your employees whether they access the network through your wired or wireless infrastructure. The addition of hardware-based security features, such as embedded security, complements the 802.1x standard by providing extra data encryption and authentication protection.

Lauren Simonds is the managing editor of SmallBusinessComputing.com

This article was originally published on Thursday Aug 26th 2004