In Part I of of my "SMB - Security Is At The Forefront" series I am going to explore the unique challenges presented by threats and vulnerabilities for SMB's.
I. Security Policies - The Key
Whenever I do a security audit for a SMB, the first thing I find is the lack of a specific security policy. I either find no policy or only a statement in the employee handbook about the AUP (Acceptable User Policy). This is not enough in this day and age to ensure a secure environment. First, the owner or owners need to understand that security is important and that their acceptance and support of a security policy is first and foremost. A written policy explaining the policies, baselines, standards, procedures and who is responsible for security should be created so everyone understands what is to be expected with regards to security.
II. Patching Control
Most SMB's do not have a managed patching system. By this I mean a centralized method of controlling when and what patches are applied to OS's and applications. Most SMB's rely on Windows Update to individually update the OS, however it is up to the individual to ensure the updates are applied. This can mean a workstation might not be updated and have a serious vulnerability. A major component to a secure system is ensuring that all systems are up to date with the latest patches. This includes a process that ensures that patches and updates are tested and rolled in a timely fashion. This can be done easily and effectively by WSUS (Windows Server Update Service). Also, ensuring a set of procedures to audit to ensure all systems are up to date is very important.
This is one of the biggest vulnerabilities for a SMB. A lot of SMB's have weak password policies or none at all. Employees are allowed to create passwords on their own for their workstations without any guidelines nor are they made to change them. Also, in some cases there is no password on the system at all. A strong password policy is crucial to securing a system. All employees should be required to have passwords that are at least 8 characters, have a number and a character and should be changed at least every 45 days.
The use of default accounts is also sometimes an issue. By this I mean workstations have just a default account on them such as administrator or guest with no password. This allows anyone to use the system with minimal or no controls creating a vulnerability whereas a hacker or employee could exploit the machine.
Since most SMB's only have a few offices, there may not be a great need for locks and door security since this is usually done. However security to the IT closet or where the servers are located needs to be addressed. Normally having only a few devices does not negate the fact that all servers, routers, switches and firewalls need to be in a secure place and have limited access.
Wireless - Rouge Access Points, Weak Wireless Security
Sometimes SMB's will employ wireless solutions just as they would as if they were installing one at home. This can be a serious concern because business wireless should not be treated like home wireless. Business wireless should be concerned with getting connectivity with secure protocols and most importantly controlling access to the wired network. Basic installation and lack of controls on the use of the wireless usually lead to a security breach.
Lack of Security Awareness
Owner and employees need to be aware of secure practices when doing their job. All employees should understand the impact on the company if they are working on a computer regardless if it is connected to a network. Having a good understanding of secure practices will help protect the company from most security breaches.
Next month in part 2, I will be discussing most specifics on how to create a SMB security policy.
Thank you and if you have any questions during the series please feel free to email me at firstname.lastname@example.org
Network Security Engineer/Senior Technical Instructor