Security Basics mailing list archives

Re: RES: Best practices for preventing malware in a small business environment?


From: Todd Haverkos <infosec () haverkos com>
Date: Wed, 15 Jun 2011 14:13:07 -0500


Larry:  how many workstations are we talking about? 

First, kudos to Rafael who took the time to give Larry a thorough
answer to his difficult question.  Comments inline.

"Rafael.Pandini" <Rafael.Pandini () senior com br> writes:
Hi list,

IMHO technology isn't enough to protect the users and the network; a
combination of technology and educating the users will help you to
"implement" a more reliable protection. But always remember that a
secure system/network is a utopia and there is no patch for human
minds.

On technology side, you can implement:
 - Anti-virus, a good one !

Sadly no good ones exist, and AV is very broken, but it's true they're
a baseline of at least getting some indications about known threats
and you can't responsibly do without it, despite their limited
effectiveness. 

 - Some proxy rules to restrict user from accessing some sites
   (Better is permit only allowed sites).

Caveat:  if you try to permit only allowed sites, adding to that list
will soon be all that you do.    

I'm curious what appropriately-priced-for-small-biz proxy is available
that includes site categorization/blocking policy customization, or is
there a freeware solution that can leverage a third party
categorization service that's affordable?

Or is skipping a proxy and leveraging OpenDNS the best play for a
small business with tiny IT budget?

 - Some solution to keep users'
   OS/Office/browsers/Java/Flash/anti-virus updated. Believe me,
   users are really lazy; even if the update process is only a click
   on a button with the text "Yes, update now" they won't do it. The
   update must be automatic or it won't work.


Totally true!  Now, does anyone have a specific product recommendation
on this front that will actually do this within the humble means of a
small business's IT budget?  Bigfix, Landesk, Shavlik and friends are
all generally very pricey.  Is Microsoft SCCM + Shavlik SCUPdates about
the best value one can hope for?

On the user side, what you need is simple: just education.
 - Train the users about security.
   - There are different kinds of users: some prefer numbers, others facts, others "abstract ideas". You must win the attention of all of them.
     - Show cases of hacking and the results of the attacks. Talk about Sony, how many credit cards were stolen, some company that had its website defaced, etc.
     - Show numbers, and say things like "Will our customers still believe in us even if all our database is exposed online?" (marketing guys really fear this phrase!)
   - Unfortunately security is the market of fear; if the users don't fear an attack, it doesn't matter how many times you say "don't open all .exe files that you receive by e-mail", they will still do it.
   - Alert them about common attacks, talking in USER language.
 - Every three months (or when you think it is time), refresh the topic in the users' minds.

That'd all be a tough sell in small businesses I've seen, and getting
this rolling even in mid size businesses remains a challenge, but it
can pay dividends.  There will always be those people who despite all
you've told them will click click click away and have their password
postit on their monitor.  But we do have to try.

 - Monitor the proxy and anti-virus logs to know your company
   health.

I'd be curious about specifics here as to what AVs have a console and
are priced effectively for the usual small biz?

 - If some user bothers you by bypassing your protections, infecting
   stations and other things like that, talk with him one, two, and
   three times, and if that doesn't work talk with the HR area about it.
   After the first "evil user" is fired, all the others will act like
   sheep and respect your authority.

Angsar added a really good point about not letting users run with
admin privileges.  This can be a hard pill to swallow depending on
what the company does, but it will be a lot of bang for the buck.

I have learned about a company, however, that was focussed on small
business and non profits that was putting together a really great
architecture and solution for truly small businesses, especially ones
without anyone in dedicated IT staff.  You have a single Microsoft
Terminal Server, you patch the living daylights out of it, deploy
essentially read-only Linux images out to all the workstations that
get refreshed automatically with every reboot, everyone RDPs to the
one patched, well-administered terminal server and off you go.  The
part time IT consultant pops in periodically to apply patches if no
one can be trained to do it, and you have a system that's very
centralized and manageable.

It's a paradigm shift, but absent the ability to effectively patch
(including the essential 3rd party patches) and lock down more than a
handful of machines by hand, it's definitely something to think about.
A similar approach is essentially being undertaken with VMware's
virtual desktop infrastructure, where you can put very inexpensive
very low power modern 2-terminal WYSE servers on each desktop that
do nothing but connect to the (not inexpensive) VMware ESX cluster.
Now, that involves a lot more specialized skill than a terminal server
approach, and total licensing costs will be an eye opener, but the
concept is similar... abandon the distributed computing model because
for workstation management without a large dedicated staff, it's just
intractably broken.


--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
