Sunday, January 17, 2016

Thinking about security for your small/medium business? Start with training

Do you remember the old saying, "Running a small/medium business is hard, running a secure one even more so?"  Not ringing a bell?  Well that is probably because I just made that up. 

The truth is, running a business is difficult. Without the budget to carry overhead for specialized IT positions, security is generally not thought of at all during business decisions. Because of this, small/medium businesses (SMBs) are generally at the mercy of their vendors. And, as Bruce Schneier put it, security is a lemons market: a buyer cannot tell a good product from a bad one before purchase, which puts many SMBs at a disadvantage against skilled snake oil salesmen.

The problem shows up again when you look at MBA programs at leading institutions. The core areas of an MBA generally fall into these categories:

1) Finance and Accounting 
2) People and Organizations 
3) Supply Chain and Business Analysis 
4) Management 

While these courses are filled with useful information, none of it centers on cyber security. This is slowly changing in the marketplace, but most of the security courses are still segmented off into off-core electives.

When you boil it down, security is the management of risk to your assets. Depending on your business, those assets could be your people, your processes, or your technology. Just as courses are taught on leadership and on building the right people to run your business, courses should be taken to learn about security and how to build the right capabilities to protect your business.

The second question to answer here is: what training should owners of SMBs take? After all, time needs to be divided between this topic and others, and the right level of knowledge needs to be targeted. Security is a rabbit hole, and you don't want to dive too deep.

So, what are my recommendations?

1)  Start with government resources 
There are some good government resources on cyber security that have emerged over the past few years. Read them and digest what you can.  Consider them extremely short crash courses. 

2) Learn about your role in the security process 
As the owner of an SMB, you are responsible for the protection of its assets. Not all assets can be protected equally, so you are also responsible for making the tough decisions about how much to spend protecting what. In a larger organization the following roles would be separate people; in an SMB they are usually all you:

  • Business Continuity 
    • You are responsible for defining the parameters, standards and guidelines: which systems must keep running, how long an outage is tolerable, and how much data loss is acceptable. 
  • Data Owner 
    • All the data created as part of operations is yours. Decide which of it is sensitive and protect what needs to be protected. 
  • Information Security Officer 
    • You are responsible for defining how information in your organization is protected. 
  • Compliance Officer 
    • You are responsible for defining how your organization complies with the policies and regulations that apply to it (federal, local, industry, etc.). 

3)  Read about various compliance regulations 
There is a great deal of overlap in various compliance regulations. Having a read through some of them will give you ideas of areas of your business that you should be concerned about. 

Check out PIPEDA (Canadian privacy law), HIPAA (US health information) and PCI DSS (payment card data). Even if none of them applies to you directly, the controls they require are a reasonable checklist.

Yes, the above short list may seem quite daunting, but these are concepts that every SMB should be aware of and actively working toward. Do you know of any other good resources to help SMBs get started with security?

Saturday, January 9, 2016

Your security task in 2016

Welcome, welcome, to the year 2016.  As is customary with this time of year, many security companies have published their top-10 lists for upcoming security trends.  You can read the following links for some good insight into the current predictions:

Mostly, these top 10 lists end up being an enjoyable read, and nothing more. They contain predictions similar to the following:

1) <<Popular platform/OS>> will be hacked!
2) IoT is really insecure!
3) We hope legislators will finally listen to us and make security a regulation!
4) <<Popular hacking method>> will become more popular!

Don't get me wrong, getting the information out there is important, but I think most readers skip past these.  What do some of these things mean for the average user?

So, I've decided to take a little bit of a different tack and address different user groups and focus on the "thing" or task they should do in 2016.

Individual User

As an individual user, there are two things that I would strongly recommend doing this year.

1) Use Multi-Factor Authentication (MFA)

MFA has come a long way in recent years. Most services now let you mark a device as trusted so you are not prompted for the second factor on every login, which removes the main source of friction. Further, for a lot of people, their phone is the center of their universe anyway, so carrying the second factor costs nothing. Turn on MFA on as many applications as you can. In fact, don't use services that do not offer MFA.

While this does introduce new problems should your phone get stolen, I feel that overall it is a step in the right direction.

2)  Link your accounts with providers such as Google, Facebook, etc

By linking your accounts on secondary services to one main identity provider, you reduce the attack surface of your accounts: there are fewer passwords in circulation, and the one provider account you choose can be secured with a strong password and MFA (see 1 above). Further, many of these providers offer login history, new-device alerts and account recovery tooling that help detect security issues, and in a lot of cases these features are free. Use them! The flip side is that the provider account becomes the key to everything else, so it must be the best-protected account you have, and you should review which applications you have granted access to from time to time and revoke the ones you no longer use.

Small / Medium Business (SMB)

Here are a couple things for SMB users to consider this year.

1) Centralize your identities online

The SMB space is heavily reliant on cloud services to run the business. Many even use services such as Box or Dropbox to move and host files. My word of advice: centralize access to these systems and create a policy for your employees. From an SMB perspective, your data holds a lot of value to you. Having employees sign in with their own personal accounts means that you lose control over access to that data, and you cannot revoke it when someone leaves. Take that control back by using mechanisms such as Azure AD Premium or Google Apps, so that one company-managed identity grants (and removes) access to every service.

2)  Push your IT provider on Security

Many SMB customers use outsourced IT. Sometimes these are single-person shops, other times they are managed service providers. In both cases, push your provider to explain how they are securing your systems. Some of your questions may include:
  • How am I secured against ransomware?
  • How are passwords managed?
  • What are your on-boarding and off-boarding measures?
  • What type of security software and monitoring is in use on my systems?
At stake is your data and company reputation.  Take charge and ask the right questions to get results.


Enterprise

Ultimately, it is tough to provide enterprises with specific advice, as where they sit on the maturity spectrum varies greatly. Two things apply almost everywhere, though.

1)  Have your CISO report directly to the CEO

Risk, and the management thereof, is important. So important that the person responsible for it should have a seat at the big table. Too many times CIOs bury security issues by misrepresenting the security posture, cutting security budgets, and allowing projects to go forward knowing the security stance is poor. Audit (and on security topics, that usually means the security team) cannot report into the structure it is auditing.

2) Implement one of the first 4 of the SANS/CIS Top 20 Critical Security Controls

There may be many gaps in your security posture, and it is sometimes really hard to figure out where to start. The rigorous way to do this is to work through the security architecture from the business requirements at the top down to the technical controls at the bottom, making sure that everything maps. While there are quick ways to get this off the ground, these exercises generally take a LONG time to complete. (See the SABSA whitepaper for more.) Picking one of the top 4 controls gets you moving in the meantime.

For reference, the top 4 are as follows
  • Inventory of Authorized/Unauthorized Devices
  • Inventory of Authorized/Unauthorized Software
  • Secure Configuration For All Devices
  • Continuous Vulnerability Assessment and Remediation
The core point here is that almost any security mechanism, technology, protocol that you want to implement WILL require the top 4 be done in some capacity.  That is to say, they will probably leverage the capabilities provided by the above 4 in some way.  So get on it.
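To make the dependency concrete, here is an added example (my own illustration, not code from the original post or from SANS/CIS) of the kind of reconciliation the first four controls call for: what is observed on the network is compared against what has been authorized, and anything that does not match is reported. Every hostname, MAC address, package, version, setting and "fixed-in" version below is constructed sample data standing in for a real asset register, software allow-list, configuration baseline and vulnerability feed.

```python
"""Added example (not from the original post): reconcile what is observed on the
network against what has been authorized, covering the four controls above.
Every device, package, version and setting here is constructed sample data."""
import re
from dataclasses import dataclass, field

# CSC 1 baseline: authorized devices, keyed by MAC address (constructed).
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "fileserver01",
    "00:11:22:33:44:02": "laptop-alice",
    "00:11:22:33:44:03": "laptop-bob",
}
# CSC 2 baseline: software allowed to run (constructed).
APPROVED_SOFTWARE = {"openssh", "chrome", "libreoffice", "7zip"}
# CSC 3 baseline: required configuration settings (constructed).
CONFIG_BASELINE = {"disk_encryption": True, "ssh_password_auth": False}
# CSC 4: stand-in for a vulnerability feed, package -> first fixed version (constructed).
FIXED_IN = {"openssh": (7, 1), "chrome": (47, 0), "7zip": (15, 14)}

# Constructed scan/agent output: (mac, hostname, {package: version}, {setting: value}).
OBSERVED = [
    ("00:11:22:33:44:01", "fileserver01",
     {"openssh": "6.9", "7zip": "15.14"},
     {"disk_encryption": True, "ssh_password_auth": True}),
    ("00:11:22:33:44:02", "laptop-alice",
     {"chrome": "47.0", "libreoffice": "5.0", "utorrent": "3.4"},
     {"disk_encryption": False, "ssh_password_auth": False}),
    ("00:11:22:33:44:99", "unknown-box",
     {"openssh": "7.1p2"},
     {}),
]


def parse_version(text):
    """Turn '7.1p2' into the comparable tuple (7, 1): leading digits of each
    dot-separated piece are kept, anything non-numeric counts as 0."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


@dataclass
class Findings:
    unauthorized_devices: list = field(default_factory=list)  # (mac, host) seen, not in baseline
    missing_devices: list = field(default_factory=list)       # baseline hosts not seen at all
    unapproved_software: list = field(default_factory=list)   # (host, package)
    misconfigurations: list = field(default_factory=list)     # (host, setting, actual value)
    vulnerable_software: list = field(default_factory=list)   # (host, package, version)


def reconcile(authorized, approved, baseline, fixed_in, observed):
    """Compare observations against the four baselines and collect every mismatch."""
    findings = Findings()
    seen = set()
    for mac, host, packages, settings in observed:
        seen.add(mac)
        if mac not in authorized:
            # Unknown hardware is the riskiest host, so it still gets every other check.
            findings.unauthorized_devices.append((mac, host))
        for pkg, version in sorted(packages.items()):
            if pkg not in approved:
                findings.unapproved_software.append((host, pkg))
            fixed = fixed_in.get(pkg)
            if fixed is not None and parse_version(version) < fixed:
                findings.vulnerable_software.append((host, pkg, version))
        for setting, expected in baseline.items():
            actual = settings.get(setting)  # None means the scan reported nothing
            if actual != expected:
                findings.misconfigurations.append((host, setting, actual))
    # A device in the register that never shows up is also worth a look: it may
    # be off the network, or the register may be stale.
    findings.missing_devices = sorted(
        name for mac, name in authorized.items() if mac not in seen)
    return findings


if __name__ == "__main__":
    result = reconcile(AUTHORIZED_DEVICES, APPROVED_SOFTWARE, CONFIG_BASELINE, FIXED_IN, OBSERVED)
    for category, items in vars(result).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

The point of the toy is the shape of the data, not the data itself: every later control you might adopt (endpoint protection, patching SLAs, network segmentation) consumes exactly these lists, which is why the post says the top 4 come first. Note that the device register drives the "missing" check, so it has to be maintained, and the scan output drives everything else, so it has to be collected on a schedule rather than once.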

In conclusion, there is no silver bullet for security. But there are things that we can start doing now that will help us better weather the ever-evolving security landscape.