The WikiLeaks furore of 2010, and the more recent debacle of the documents leaked from the American National Security Agency (NSA) has left the world reeling at the power of a well-orchestrated data breach. President Obama recently announced that due to the revealed abuses by the agency, he would reform espionage policy, allowing privacy campaigners around the world to breathe a cautious sigh of relief.
But not every organisation is as insidious or as unaccountable as the NSA, and not every leaker has the good intentions of Edward Snowden or Chelsea Manning. One thing to come out of these events is crystal clear: if the government is vulnerable to network security and data breaches, your business is too.
A few safeguards in place could have staved off the leakage of classified information from both these networks, many of which are available to small businesses: activity monitoring, limiting which data is searchable, keeping tabs on user permissions, and deploying a robust data leak prevention solution.
According to an article from the National Journal the leaked "cables" obtained by Chelsea Manning started life as incident reports, which were then transmitted as PDF files by government workers to a secured network, but then are stored as searchable PST files.
That's right, the same PST files you create when you backup your folders in Outlook. Apparently, all anyone with access had to do was download the PST files and extract them. Voila! Exposed data.
The most immediate question anyone responsible for network security would ask in this case would be, "Who was responsible for tracking network activity to monitor who was downloading what and when?" As per the National Journal post, since government analysts routinely download and upload these files, activity logs were pretty much ignored and no one noticed any suspicious pattern of activity. In other words, whoever was in charge of network security got too comfortable and let their guard down.
Since this recent leak, a Pentagon official noted that procedures had changed and that now these analysts seeking to upload or download data must do so in a supervised setting. That's a good start, but the fact that it took such a security breach to implement a measure for critical data is unfortunate.
When it comes to protecting your business' network and data, it pays to be paranoid — especially when it comes to that critical data that could make or break your business: customer information, patient information, and the like. Activity logging, locking down access to USB drives, and careful monitoring of networking admins, or any person given keys to the network, may seem draconian but these are all essential components of a good security plan
While no network is 100 per cent impenetrable; there are several ways small businesses can shore up networking security and preventing their own "wikileaks:"
1. Take a Multi-Faceted, Layered Approach
Network security is not just about having an antivirus program running on every desktop. It's all-inclusive. This means any node on your network, wireless and wired, must be protected. It also means you have compliance rules that govern anything that is allowed to connect to your network. You must also have protective measures for data both at rest and in transit. This means protecting not just data on servers and user machines, but data that goes in and out of your network, with security methods like encryption. Finally, you've got to keep control of mobile devices on your network as well as which USB devices may or may not have access.
2. Create, adhere to and maintain a security policy
No matter the size of your company, best practice dictates that the first step is creating and documenting a security plan. This is required by regulations like HIPPA, but it's actually a good idea for any business with a network. Educate and familiarise employees with the plan. Keep it updated as you add and deploy new technology on the network, or when new technologies like the iPad emerge. Most importantly, adhere to it.
3. Protect the perimeter
Third-party application or appliance firewalls (separate from the default firewalls found in OSes and routers), Unified Threat Management devices, and Intrusion Detecion/Protection systems (IDS/IPS) are all parts of a layered, comprehensive security solution.
Purchase the best devices you can, as these technologies can help protect against DDoS attacks, snooping and other external threats. Zyxel offers UTM appliance for the SMB, as does eSoft. Juniper and Dell have partnered to deliver the J-SRX Services Gateway Series. Cisco and Juniper also offer many firewall and IPS/IDS solutions. Many SMB security devices are designed to be easily deployed without the need for dedicated IT support.
4. Secure endpoints
It's vitally important to cover your network endpoints. What's an endpoint? Any single thing that can attach to your network, whether it's a server or a USB drive. Pay particular attention to those small portable devices like USB and external hard drives. They can be carriers of threats, sneaking them into and out of your business' network.
For years, network security admins considered networks as closed, unified entities, and designed their defensive strategies accordingly. With the proliferation of portable devices, you've got to consider your network as an expandable, mobile one. That's why endpoint security is crucial. Patching endpoints, performing vulnerability assessments, remediation, and enforcing corporate compliance are all part of effective endpoint security.Implement Data Leak
DLP is software or devices that can aid in preventing data theft from within an organisation. It does so by allowing network administrators to lock out unauthorised users from USB and FireWire devices, prevent users from connecting PDAs or any other plug-and-lay devices, and allow defining and controlling data retrieval policies. One example of a DLP solution isDeviceLock.
6. Adhere to corporate compliance
Corporate compliance isn't the same as a security policy. A policy is your network's laws, whereas compliance refers to their enforcement. For example, enforcing compliance means preventing any PC or laptop from accessing the network if it doesn't have the security patch specified in your policy. Products such as Trend Micro Worry Free; Symantec Protection Suite for Small Business and McAfee Total Protection for Endpoint are all focused on securing the endpoint
7. Don't forget user security
Security problems can originate from what's in between the keyboard and chair: end-users. Restricting what users can and cannot access (maybe using a Web filter to prevent Facebook access during work hours, for example) can stop nasty bugs from entering your network.
Don't run a free-for-all network; force users to authenticate into the network, whether it's a wired Windows Domain using Active Directory, a SQL Server or a wireless router.
For organisations with highly sensitive data, there are third-party solutions like RSA SecurID which provides two-factor authentication for users to access network resources. Implementing authentication lets you keep tabs on who is accessing what, when they can access it, and helps in keeping hackers out.
No matter how effective you are in securing up a network, you still have to contend with end-users, who often inadvertently make the biggest security breaches. Educate users about security and policies.
8. Smartphones and mobile devices need security, too
Threats are still largely endemic to the Windows ecosystem. That doesn't mean other devices, such as Apple products and smartphones, should be left unsecured, however.
Treat them as you would treat any other endpoint and ensure they comply with your security rules. For example, only allow them to connect to your network if your endpoint solution detects that they have antivirus installed.
A recent study showed that, yes, you do need security on smartphones and assessed four different mobile phone security solutions. You may think the potential for being hacked via your cellphone is remote, but at the very least you'll want some software on your handsets that lets you lock them down should they be stolen.
9. Don't set it and forget it
There are a number of routine network housekeeping tasks that should be part of your security strategy. Keeping all of your software updated is one. This not only includes Windows Updates and patches for servers and clients, but applications, firmware upgrades on routers and switches, and pertinent updates for smartphones on the network. Many of these updates contain security fixes and patches.
Keep a handle on updates and patches with a solution like GFI LANguard, which offers patch management. Also, as users come into and leave your network, be sure to remove or disable (depending on your corporate policy) their access to the network and its resources.
10. Watch the watchers
Anyone responsible for maintaining network health and security, from the CIO on down, should be part of a checks-and-balances system where no one person has lone knowledge over passwords or network activity.
There are several third-party security vendors, such as Guardium who make devices that will log all activity happening on a database, including alerts for changes made by administrators. Log files should be enabled for major transactions and network activity and regularly inspected.
Image: Flickr (Victor1558)