
Effective and Efficient Security on a SMB Budget

A How-to Guide

By Roger Grimes, IT Security Expert and Author

It's clear that today's traditional defenses aren't working for small- to medium-sized businesses (SMBs). This paper will discuss the different threats facing today's SMBs, talk about why the traditional defenses fail, discuss what does work, and confirm why intelligent application control (a.k.a. whitelisting) is the single best defense that any company can implement to significantly minimize security risk.

September 2011
WP-EN-09-27-11

Effective and Efficient Security on a SMB Budget: A How-to Guide

Overview
It's clear that today's traditional defenses aren't working for small- to medium-sized businesses (SMBs). For two decades, SMBs have been told their best defenses are frequent patching, up-to-date antivirus software, least-privilege users, firewalls, and strong passwords. SMBs have been doing their best to implement all these defenses, but sadly, they are still as exploited as ever. Albert Einstein is quoted as saying, "Insanity: doing the same thing over and over again and expecting different results." This paper will discuss the different threats facing today's SMBs, talk about why the traditional defenses fail, discuss what does work, and confirm why intelligent application control (a.k.a. whitelisting) is the single best defense that any company can implement to significantly minimize security risk.

And let's be clear: cyber thieves are stealing tens of millions of dollars every day over the Internet. Who are the criminals and what are their motivations?

Today's Threats

Long gone are the days when our biggest worries were teenage hackers out to prove their online technical skills by developing harmless malware. Today's attacker is much more likely to be a professional criminal out to steal money and/or cause real harm. Professional criminals who used to rob banks and break open mailboxes to steal social security checks and credit cards are finding a better payoff with much less risk by stealing what they need online. If a thief robs a bank, they are lucky to get a few thousand dollars, and they have a big chance of going to jail for a significant portion of their life. Online thieves can make off with hundreds of thousands to millions of dollars, and very few are ever caught.

Financially Motivated Thieves

Easily the biggest threat facing most SMBs today is financially motivated cyber thieves. You may think they wouldn't bother messing with a company of your size, but trust me when I say they very often do. They go where the money is, and the money is stored as bits and bytes on your network and individual computers. If you find malware on your computer today, there's no need to wonder why it is on your system. It is there to steal money. And it does so through identity theft, password theft, or in some cases, controlling the system you use to transfer money. Malware can break into someone's computer to steal an individual's personal identity and money, but more and more the intended target is the much wealthier employer. In the last few years, the news has highlighted many stories where computers located in a company's accounting or payroll department have been maliciously taken over to make fake bank transfers. By the time the theft was noticed, the victim company was out hundreds of thousands of dollars. It happens many times a day, every day. Over and over again, courts are ruling in favor of the participating banks and against the victimized small business, so that the victim is simply out the money, even when the transfers were out of character for the victim and egregious upon human review.

Effective and Efficient Security on a SMB Budget: A How-to Guide

IP Theft

Thieves are also motivated by valuable information. Corporate espionage has been a malicious tool used against small businesses. I was personally involved in many cases where stolen information was offered for sale, with proof of possession, to the victim's competitors. Many of these illegal offers only came to light because some competitors were ethical enough to report the offer to the victim and law enforcement authorities rather than take the bad guys up on their offer. I wonder how many competitors either remained silent or took up the offers? Business-like cyber thief gangs, known as Advanced Persistent Threats (APTs), are often present in many networks, stealing as much intellectual property (IP) as they can send through the victim's Internet pipes. Many APT experts believe that most companies with significant IP assets are already compromised and being actively exploited. This year, Rhode Island Senator Sheldon Whitehouse put it this way: "Cybercrime has put our country on the losing end of what could be the largest illicit transfer of wealth in world history."

Hacktivists

Sometimes cybercriminals only want to embarrass companies by leaking their confidential data and emails. The decentralized hacktivist group Anonymous proved this over and over. Their list of embarrassed victims reads like a Fortune 500 list but also includes dozens of small businesses, law enforcement offices, banks, consultant agencies, and military-related companies.

The 2011 Verizon Data Breach Investigations Report says 17% of all data breaches were due to trusted insiders, and when insiders were involved, it led to higher monetary loss than from external attacks. Of the approximately 800 data breaches in 2010 examined in the Verizon Data Breach Investigations Report, the highest concentration of attacks was on companies with fewer than 1,000 employees. Hacktivists are often helped by insiders. Much of the information being leaked outside was stolen by previously trusted employees. Many times the compromised insiders are identified and prosecuted, but not before the embarrassing information leak. Some insiders steal information for personal gain (e.g. credit card or medical information), while others are informants paid by outsiders.

Who is behind data breaches? (Verizon Data Breach Investigations Report, 2011)
  92%  stemmed from external agents
  17%  implicated insiders
  <1%  resulted from business partners
   9%  involved multiple parties

Organizational size by number of breaches (number of employees; Verizon Data Breach Investigations Report, 2011)
  1 to 10              46
  11 to 100           436
  101 to 1,000         74
  1,001 to 10,000      49
  10,001 to 100,000    59
  Over 100,000         55
  Unknown              40

Clearly, small businesses are under attack like never before.

Why Traditional Defenses Don't Work

Traditional defenses don't work for a myriad of reasons. Most notably, today, the biggest risk in most environments is your users being tricked into running a Trojan horse malware program that bypasses installed defenses. Solitary antivirus scanning programs are having great difficulty keeping up with the literally millions of new malware programs created every month. Users are tricked into running fake antivirus programs, fake disk scanners, and fake programs they don't need. In my experience, very realistic-looking fake virus warnings are the most common Trojan ploy. It's not surprising, because most end-users aren't all that familiar with what their real antivirus even looks like. All they want to do is get rid of the virus. While this is one of the biggest threats that any company can face, most businesses fail to educate their end-users as to what their real antivirus scanner warning looks like. When the end-user gets tricked into running a Trojan program, that program is allowed to bypass all the existing network defenses. The Trojans are often loaded over SSL/TLS-protected HTTPS connections, both as they get installed and as they dial home to let their owner know they were successful, so that network scanning defenses don't get a chance to check the encrypted traffic. Coincidentally, almost every firewall allows outbound HTTPS connections, so firewalls are becoming less relevant with each passing day.

Once installed, the programs can take complete control of the exploited PC. They often install a remote backdoor so the human attacker can come visit, load additional malicious software, and steal authentication credentials. Password complexity and length don't mean much, because the attacker can capture the password directly using keyloggers or simply replay the credential (or password hash) to create new logons. In this way, one compromised PC leads to easy access to the rest of the network.

Malware doesn't even need administrative access to do damage anymore. As least-privilege user security contexts become more popular, malware writers have realized they didn't need administrative access all along. Malware can do anything it wants to do (e.g. steal authentication credentials, identity theft, bank transfers, further compromises, etc.) without needing admin or system access. There are only two things that malware has a more difficult time accomplishing without system-level access: fully hiding from anti-malware programs and modifying the underlying operating system files. But can it continue to steal money and data? Yes, no problem.

Lastly, timely patching is a great defense against malicious attack, but it turns out that good patching is harder than it first seems for most companies. According to multiple surveys over the last few years, a majority of companies do not have up-to-date patches, even for their most attacked software (these days it is Adobe and Java software). See http://www.zscaler.com/state-of-web-q2-2011/ for an example. It's difficult to blame companies for not having better patching. Every software vendor has its own updating routine, and testing patches before applying them can require more manpower than most companies likely have. Fortunately though, there are holistic software patch management solutions, and more companies should take advantage of them.

What Works?

If traditional defenses alone won't work, what does? First, I'm not advocating throwing out the traditional defenses. Every additional computer security defense adds to the overall defense-in-depth. So, least-user privileges, up-to-date anti-malware software, firewalls, strong passwords, timely patching, and better end-user education are all good things to do. In fact, the better you do these things, the better you will be defended. But three additional defenses should be deployed by every company. They are: Configuration Management, Device Control, and Application Control.

Device Control. The last few years have proven that strict device control is also an essential tactic in any company's computer security defense plan. The Conficker worm, first detected in 2008, became the farthest-spreading worm since the 2003 SQL Slammer worm. Although it has multiple ways of infecting companies, most companies reported an infected USB storage drive as the primary origination vector. From there, Conficker would spread using network shares, unpatched computers, or weak passwords. Conficker proved that USB keys could be a strong malware vector. USB-based malware was even part of one of the most sophisticated malware programs developed to date, Stuxnet. Stuxnet, if you aren't familiar, is widely believed to be a military-grade, nation-state-created worm. Its USB-infection vector was used to penetrate the air-gapped networks that protected Iranian nuclear networks. The attackers could not rely on Internet connectivity to spread the worm, but they proved a few well-placed infected USB keys could do the job just as well. And while most companies will hopefully never face a military-grade worm, professional penetration testers have often compromised companies previously considered secure by dropping anonymous USB drives in company parking lots and simply waiting for curious, budget-conscious employees to pick them up and plug them in.

Equally as important as malware considerations is how likely it is for data to walk out of a company's network on a pocketed USB key or other type of removable media. The very public case of an Army soldier, Pvt. Bradley Manning, is a good example. Manning supposedly leaked thousands of confidential cables using a blank CD-ROM disc labeled as a Lady Gaga album. While his co-workers thought he was listening to the latest popular music, Pvt. Manning was able to leak more confidential data than any previously known military compromise. I was personally involved with close, trusted employees stealing credit card information, and in another case, a vice-president attempting to download the entire company's customer database as he accepted a new job offer from a competitor. Today, all but the very largest databases can be downloaded to a single-chip drive the size of a postage stamp. Without device control (or intrusive physical security searches) you can't be assured that your data isn't walking out the door.

Application Control. But all of these solutions pale in comparison to the great security protections provided by application control programs. Application control allows admins to define which programs will be allowed to run, either by defining only the programs that will be allowed (i.e. whitelisting) or by blocking only certain programs (i.e. blacklisting). Whitelisting prevents drift. It prevents unnecessary and unwanted software from being installed. Companies that have been able to install comprehensive whitelisting have significantly fewer problems: not only significantly fewer malware programs, but fewer operational problems (because users aren't installing things that haven't been approved or tested by IT). Intelligent, strict whitelisting will defeat almost every threat covered above. It will defeat previously unrecognized malware. It will defeat fake antivirus Trojans. It will defeat buffer overflows. It will prevent bad guys from installing remote access programs and keyloggers, expanding their sphere of influence, and exfiltrating data. Instead of computers gaining more and more unauthorized software over time, the computers stay the same as the day they were configured. Whitelisting leads to lower Total Cost of Ownership (TCO).

I've spent my 20-year career debunking all the computer security defensive software strategies that I knew wouldn't work. I've called a spade a spade and dismissed the products of many well-meaning vendors, protocols, and standards. Whitelisting isn't perfect, but it is a product class that does work. I'll be as clear as I can. If you can't do intelligent whitelisting, then you have to do everything else. And everything else won't be as successful at reducing risk and real attacks as whitelisting.

Security is not binary. It's not black and white; it's shades of gray.

How to Manage It All

The death knell of good computer security is neglect. So many promising individual computer security solutions start out strong but fail when overly busy administrators don't have time to check the multiple management consoles for each security solution they have to manage. More and more, admins are looking for a single super console, where as many security concerns as possible can be addressed and managed. One console provides a quick snapshot of the current state of their security, any possible problem areas, and one place to manage any changes and updates. Many SMBs look to security defense vendors with multiple solutions, and that is a good approach. Instead of trying to find best-of-breed separate security programs that result in a mutt solution, pick a multi-vector solution from a trusted vendor, especially if that holistic solution comes with a common management console.

The fight against malware, malicious hackers, and cybercriminals remains an ongoing war. It will likely be many years until the inherent flaws in the Internet and personal computers are improved in a way that significantly makes computing safer. Until then, we all have to pick the right tools and fight the good fight.
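To make the whitelisting-versus-blacklisting distinction from the Application Control section concrete, here is an added Python example (not from the paper and not Lumension's product) that evaluates the same execution requests under both policies. The paths, file contents and "signature database" are constructed stand-ins, and the repacked-trojan case shows why a policy that only denies what it already recognizes misses the newest variant while an allow list does not.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    """An executable a user is trying to run; `content` stands in for the file bytes."""
    path: str
    content: bytes

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def blocklist_decision(program: Program, known_bad: set) -> str:
    """Blacklisting (antivirus-style): deny only what is already recognized as bad."""
    return "deny" if program.sha256 in known_bad else "allow"


def allowlist_decision(program: Program, approved: set) -> str:
    """Whitelisting: run only what IT explicitly approved; everything else is denied."""
    return "allow" if program.sha256 in approved else "deny"


# Constructed inventory: hypothetical paths and made-up contents, not real binaries.
APPROVED = [
    Program(r"C:\Program Files\Office\winword.exe", b"approved word processor build 14.0"),
    Program(r"C:\Program Files\RealAV\scanner.exe", b"the antivirus scanner IT actually deployed"),
]
KNOWN_BAD = [
    Program(r"C:\Users\alice\AppData\Local\Temp\fakeav.exe", b"fake antivirus trojan, signature published"),
]
# A repack of the known trojan: one byte differs, so its hash matches no signature database yet.
REPACKED = Program(r"C:\Users\alice\Downloads\AntivirusPro2011.exe", KNOWN_BAD[0].content + b"\x90")


def compare_policies(requests, approved=APPROVED, known_bad=KNOWN_BAD):
    """Return {path: (blocklist verdict, allowlist verdict)} for each execution request."""
    approved_hashes = {p.sha256 for p in approved}
    bad_hashes = {p.sha256 for p in known_bad}
    return {
        p.path: (blocklist_decision(p, bad_hashes), allowlist_decision(p, approved_hashes))
        for p in requests
    }


if __name__ == "__main__":
    # Every request in the page's scenario: approved tools, the known trojan, and its repack.
    for path, (block, allow) in compare_policies(APPROVED + KNOWN_BAD + [REPACKED]).items():
        print(f"{path}\n  blocklist: {block:5}  allowlist: {allow}")
```

The repacked fake antivirus is the "previously unrecognized malware" case: the blocklist verdict is allow because no signature exists yet, while the allow list denies it simply because IT never approved it.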

www.intelligentwhitelisting.com/


About Lumension Security, Inc.


Lumension Security, Inc., a global leader in operational endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Compliance and Risk Management offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Florida, Texas, Luxembourg, the United Kingdom, Germany, Ireland, Spain, France, Australia, and Singapore. Lumension: IT Secured. Success Optimized. More information can be found at www.lumension.com.

About the Author


Roger A. Grimes is a 23-year security industry veteran, author or co-author of eight books and over 300 magazine articles on computer security, and a long-time columnist for InfoWorld. He is a frequent speaker at industry conferences and Principal Architect for Microsoft's IS&RM Infosec ACE team.

Lumension, Lumension Patch and Remediation, Lumension Vulnerability Management Solution, IT Secured. Success Optimized., and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.

Global Headquarters 8660 East Hartford Drive, Suite 300 Scottsdale, AZ 85255 USA phone: +1.888.725.7828 fax: +1.480.970.6323

www.lumension.com
Vulnerability Management | Endpoint Protection | Data Protection | Compliance and IT Risk Management
