Security Basics mailing list archives
Re: RES: Best practices for preventing malware in a small business environment?
From: Todd Haverkos <infosec () haverkos com>
Date: Wed, 15 Jun 2011 14:13:07 -0500
Larry: how many workstations are we talking about? First, kudos to Rafael, who took the time to give Larry a thorough answer to his difficult question. Comments inline.

"Rafael.Pandini" <Rafael.Pandini () senior com br> writes:
Hi list, IMHO technology isn't enough to protect the users and the network; a combination of technology and educating the users will help you to "implement" a more reliable protection. But always remember that a secure system/network is a utopia and there is no patch for human minds. On the technology side, you can implement:
- Anti-virus, a good one!
Sadly no good ones exist, and AV is very broken, but it's true they're a baseline of at least getting some indications about known threats and you can't responsibly do without it, despite their limited effectiveness.
- Some proxy rules to restrict user from accessing some sites (Better is permit only allowed sites).
Caveat: if you try to permit only allowed sites, adding to that list will soon be all that you do. I'm curious what appropriately-priced-for-small-biz proxy is available that includes site categorization/blocking policy customization, or is there a freeware solution that can leverage a third-party categorization service that's affordable? Or is skipping a proxy and leveraging OpenDNS the best play for a small business with a tiny IT budget?
- Some solution to keep users' OS/Office/browsers/Java/Flash/anti-virus updated. Believe me, users are really lazy; even if the update process is only clicking a button with the text "Yes, update now" they won't do it. The update must be automatic or it won't work.
Totally true! Now, does anyone have a specific product recommendation on this front that will actually do this within the humble means of a small business's IT budget? BigFix, LANDesk, Shavlik and friends are all generally very pricey. Is Microsoft SCCM + Shavlik SCUPdates about the best value one can hope for?
On the user side, what you need is simple: just education.
- Train the users about security.
- There are some different kinds of users; some prefer numbers, others facts, others "abstract ideas", and you must win the attention of all of them.
- Show cases of hacking and the results of their attacks. Talk about Sony, how many credit cards were stolen, some company that had their website defaced, etc...
- Show numbers; say things like "Will our customers still believe in us even if all our database is exposed online?" (marketing guys really fear this phrase!)
- Unfortunately security is the market of fear; if the users don't fear an attack, it doesn't matter how many times you say "don't open all .exe files that you receive by e-mail", they will still do it.
- Alert about common attacks, talking in USER language.
- Every three months (or when you think that it is time), refresh the topic in the users' minds.
That'd all be a tough sell in the small businesses I've seen, and getting this rolling even in mid-size businesses remains a challenge, but it can pay dividends. There will always be those people who, despite all you've told them, will click click click away and have their password on a post-it on their monitor. But we do have to try.
- Monitor the proxy and anti-virus logs to know your company health.
I'd be curious for specifics here as to which AVs have a console that is priced effectively for the usual small biz.
- If some user bothers you by bypassing your protections, infecting stations and other things like that, talk with him one, two, and three times, and if that doesn't work talk with the HR area about it. After the first "evil user" is fired, all the others will act like sheep and respect your authority.
Angsar added a really good point about not letting users run with admin privileges. This can be a hard pill to swallow depending on what the company does, but it will be a lot of bang for the buck.

I have learned about a company, however, that was focused on small businesses and non-profits and was putting together a really great architecture and solution for truly small businesses, especially ones without any dedicated IT staff. You have a single Microsoft Terminal Server, you patch the living daylights out of it, deploy essentially read-only Linux images out to all the workstations that get refreshed automatically with every reboot, everyone RDPs to the one well-patched, well-administered terminal server and off you go. The part-time IT consultant pops in periodically to apply patches if no one can be trained to do it, and you have a system that's very centralized and manageable. It's a paradigm shift, but absent the ability to effectively patch (including the essential 3rd-party patches) and lock down more than a handful of machines by hand, it's definitely something to think about.

A similar approach is essentially being undertaken with VMware's virtual desktop infrastructure, where you can put very inexpensive, very low-power modern 2-terminal Wyse servers on each desktop that do nothing but connect to the (not inexpensive) VMware ESX cluster. Now, that involves a lot more specialized skill than a terminal server approach, and total licensing costs will be an eye opener, but the concept is similar... abandon the distributed computing model because, for workstation management without a large dedicated staff, it's just intractably broken.

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
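As an added illustration of Rafael's "monitor the proxy and anti-virus logs to know your company health" point (this is example code written for this archive page, not code from the thread or from any product mentioned in it): a small script that reads a Squid-style access.log and a line-oriented AV console export, counts denied requests and detections per workstation, and flags hosts that cross a threshold. The log lines, the AV export format, the IP-to-hostname mapping and the thresholds are all constructed assumptions; a real AV console's export format will differ and the regex would need adjusting.

```python
"""Per-workstation health summary from proxy and anti-virus logs.

Added example for this mailing-list page. Assumes Squid's native access.log
layout and a hypothetical "date time host action threat path" AV export.
All sample data below is constructed for illustration.
"""
from collections import defaultdict
import re

# Constructed sample in Squid native access.log format:
# timestamp elapsed client code/status bytes method URL user hierarchy type
PROXY_LOG = """
1308150000.123    45 10.0.0.21 TCP_DENIED/403 3891 GET http://bad.example/dl.exe - HIER_NONE/- text/html
1308150001.456   120 10.0.0.21 TCP_MISS/200 51233 GET http://news.example/ - HIER_DIRECT/93.184.216.34 text/html
1308150002.789    30 10.0.0.21 TCP_DENIED/403 3891 GET http://bad.example/x.php - HIER_NONE/- text/html
1308150003.000    35 10.0.0.21 TCP_DENIED/403 3891 GET http://evil.example/a - HIER_NONE/- text/html
1308150004.111    98 10.0.0.22 TCP_MISS/200 2048 GET http://intranet.example/ - HIER_DIRECT/10.0.0.5 text/html
1308150005.222   101 10.0.0.22 TCP_MISS/200 77812 GET http://mirror.example/update.msi - HIER_DIRECT/203.0.113.9 application/octet-stream
"""

# Constructed sample AV export (hypothetical format): date time host action threat path
AV_LOG = r"""
2011-06-15 10:02:11 WS-021 cleaned Trojan.Generic C:\Users\bob\Downloads\dl.exe
2011-06-15 10:05:40 WS-021 quarantined Trojan.Generic C:\Users\bob\AppData\Local\Temp\x.tmp
2011-06-15 11:17:03 WS-023 cleaned PUA.Toolbar C:\Users\ann\Downloads\setup.exe
"""

# Constructed mapping from proxy client IP to workstation name (e.g. from DHCP leases).
HOST_BY_IP = {"10.0.0.21": "WS-021", "10.0.0.22": "WS-022"}

PROXY_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
AV_RE = re.compile(
    r"^(?P<date>\S+ \S+)\s+(?P<host>\S+)\s+(?P<action>\S+)\s+(?P<threat>\S+)\s+(?P<path>.+)$"
)


def parse_proxy_log(text):
    """Return {client_ip: {"requests": n, "denied": n, "denied_urls": [...]}}."""
    stats = defaultdict(lambda: {"requests": 0, "denied": 0, "denied_urls": []})
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # blank or unexpected lines are skipped, not fatal
        entry = stats[m["client"]]
        entry["requests"] += 1
        # A denied request is either a Squid TCP_DENIED result or an HTTP 403.
        if m["code"].startswith("TCP_DENIED") or m["status"] == "403":
            entry["denied"] += 1
            entry["denied_urls"].append(m["url"])
    return dict(stats)


def parse_av_log(text):
    """Return {host: [(threat, action, path), ...]} for each detection line."""
    detections = defaultdict(list)
    for line in text.splitlines():
        m = AV_RE.match(line)
        if not m:
            continue
        detections[m["host"]].append((m["threat"], m["action"], m["path"]))
    return dict(detections)


def health_report(proxy_text, av_text, host_by_ip, denied_threshold=3, detection_threshold=2):
    """Merge both logs per workstation and flag hosts worth a closer look.

    Unmapped proxy client IPs are reported under the IP itself.
    """
    proxy = parse_proxy_log(proxy_text)
    av = parse_av_log(av_text)
    hosts = set(av) | {host_by_ip.get(ip, ip) for ip in proxy}
    report = {}
    for host in hosts:
        found = av.get(host, [])
        report[host] = {
            "requests": 0,
            "denied": 0,
            "detections": len(found),
            "threats": sorted({threat for threat, _, _ in found}),
        }
    for ip, s in proxy.items():
        host = host_by_ip.get(ip, ip)
        report[host]["requests"] += s["requests"]
        report[host]["denied"] += s["denied"]
    for r in report.values():
        r["flag"] = r["denied"] >= denied_threshold or r["detections"] >= detection_threshold
    return report


if __name__ == "__main__":
    for host, r in sorted(health_report(PROXY_LOG, AV_LOG, HOST_BY_IP).items()):
        mark = "INVESTIGATE" if r["flag"] else "ok"
        print(f"{host}: {r['denied']}/{r['requests']} denied, "
              f"{r['detections']} AV hits {r['threats']} -> {mark}")
```

Run as-is it prints one line per workstation; with real logs, feed the file contents to `health_report` and adjust `HOST_BY_IP` and the thresholds to the environment. The point of joining the two sources is that a host with repeated proxy denials and a matching AV detection (WS-021 in the sample) stands out even when neither log alone looks alarming.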