Small businesses have few options for cyber security tools and even fewer resources to deploy and manage them.
You must choose wisely to carefully balance low cost, ease of use, and high impact on the security posture of the organization.
So what security tools should small businesses focus on?
A SANS research paper has 10 suggestions for SMB security tools. The suggestions are based on a thorough review of training courses and resources on cyber security and interviews with experts in the field.
The top 10 most-recommended security tools are listed below.
The security tool most recommended for small businesses is a perimeter firewall.
In its simplest form, a network firewall scans network packets and allows or blocks them based on rules defined by the administrator. Two well-known types are stateless and stateful firewalls.
Stateless firewalls scan packet headers and compare their static values against a set of rules.
For example, the administrator can set a rule to block inbound network packets to TCP and UDP port 3389 (remote desktop protocol). Then all inbound packets with headers listing port 3389 as a destination will be blocked.
Stateful firewalls scan packet headers and also monitor the state of each connection – i.e. the stage of communication between the two end points. The packet headers and states are checked against a set of rules to determine if they’re allowed.
For example, the stateful firewall tracks details about each connection in a state table. Any inbound packets not following expected behavior – such as by listing an unexpected destination IP – are blocked.
Logging is an important feature for network firewalls – allowing the administrator to monitor current and past firewall activity for malicious behavior.
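To make the stateless/stateful distinction concrete, here is an added example (not code from the original post or from any firewall vendor) that simulates both filters over constructed packet headers: the stateless rule blocks inbound 3389 as described above, while the stateful filter also keeps a state table and blocks an inbound packet aimed at an unexpected internal IP that the stateless rule alone would let through. Packet fields, IP addresses and the `StatefulFirewall` class are assumptions made for the demonstration.

```python
from dataclasses import dataclass

# Constructed packet headers used only for this demonstration (not captures).
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    inbound: bool   # True when the packet arrives from outside the network

# Stateless rule set: static header values only. Mirrors the page's example
# of blocking inbound remote desktop traffic on TCP and UDP port 3389.
BLOCKED_INBOUND_PORTS = {("tcp", 3389), ("udp", 3389)}

def stateless_allow(pkt: Packet) -> bool:
    """Allow unless an inbound packet targets a blocked protocol/port pair."""
    return not (pkt.inbound and (pkt.proto, pkt.dst_port) in BLOCKED_INBOUND_PORTS)

class StatefulFirewall:
    """Keeps a state table of connections opened from inside the network.

    An inbound packet is allowed only if it passes the stateless rules AND is
    the reply half of a connection already in the table; anything else, such
    as a packet to an unexpected destination IP, is blocked and logged.
    """
    def __init__(self):
        self.state = set()  # (internal_ip, internal_port, external_ip, external_port, proto)
        self.log = []       # decision log, as the page recommends administrators keep

    def handle(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            # An outbound packet opens (or refreshes) a connection entry.
            self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            decision = True
        else:
            expected = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
            decision = stateless_allow(pkt) and expected in self.state
        self.log.append(("ALLOW" if decision else "BLOCK", pkt))
        return decision

def demo():
    """Returns the decisions for four constructed packets, in order."""
    fw = StatefulFirewall()
    out = Packet("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", inbound=False)   # internal host opens HTTPS
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", inbound=True)  # legitimate reply
    stray = Packet("203.0.113.10", 443, "10.0.0.9", 51000, "tcp", inbound=True)  # unexpected destination IP
    rdp = Packet("198.51.100.7", 40000, "10.0.0.5", 3389, "tcp", inbound=True)   # inbound RDP attempt
    return [fw.handle(p) for p in (out, reply, stray, rdp)]
```

Note that `stateless_allow(stray)` returns True: only the state table catches the packet to the unexpected destination, which is the page's point about stateful inspection.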
While some security pundits have declared “antivirus is dead!”, it’s a safe bet most of them use end-point anti-malware on their workstations.
Free anti-virus products are easy to acquire and most update automatically. And while signature-based detection is not foolproof, it can block a vast number of attacks.
*Update* - As a reader reminded us below, most free anti-virus products are not licensed for commercial use and are illegal to use in a business environment. Our apologies if we misled anyone. That said, free commercially licensed solutions are available, including Comodo Antivirus.
Anti-malware remains a critical line of defense for network and end-point security. Always keep it up to date!
Intrusion detection and prevention (IDS / IPS) is a critical tool used to block malicious traffic attempting to enter the network.
Rather than reviewing packet header information (as done by network firewalls), IDS/IPS systems examine the contents of every packet before it enters the network.
Two main types of IDS/IPS exist – network-based and host-based. AccessEnforcer UTM Firewall from Calyptix uses a network-based IDS/IPS system, which combines signature, protocol, and anomaly-based analysis to detect and block malicious traffic.
Thousands of laptops and thumb drives are stolen every day. When properly encrypted, even if the hardware is stolen, thieves cannot access the data.
Thieves who are skilled in cyber crime will have little trouble retrieving data from an unencrypted disk.
However, encryption renders the data useless to them – ensuring the confidentiality of all information housed on the disk, even if the disk ends up in the wrong hands.
The healthcare industry offers some insight on the prevalence of stolen disks. Due to HIPAA requirements, healthcare providers are obligated to report when hardware with personal information on 500 or more individuals goes missing.
Theft is a leading cause of HIPAA breaches.
However, healthcare providers are required to report the theft only if the drive was unencrypted. If adequate encryption was in place, providers can assume the data remained confidential and are not required to report the theft as a HIPAA breach.
This policy speaks volumes about the power of data encryption.
A discussion of cyber security best practices is never complete without mentioning patches and updates.
Hackers and malware routinely rely on software security flaws to breach networks. Exploiting such vulnerabilities is all they need to gain a foothold.
Vendors regularly patch the flaws by issuing software updates. The overwhelming majority of flaws that are exploited in cyber attacks have patches available.
Too often, these patches are ignored due to laziness or other constraints (such as a lack of resources needed to update or replace the system). This results in a persistent vulnerability – an open invitation to anyone wanting to compromise the system.
This is why patch management systems are important cyber security tools. In general, the systems provide a central location from which to monitor software versions of systems across the network.
Several free patch management solutions exist, and more robust systems may also score the importance of certain patches or offer ways of testing or automating them. Some are also integrated into larger desktop management tools.
Don’t want to run a separate system for patch management? You can start small by creating a system and asset inventory and following a management process to periodically review and confirm systems are updated.
Another type of intrusion detection is host-based, i.e. it monitors for malicious behavior on a single machine and alerts the administrator when an intrusion is detected.
A HIDS solution will monitor services that are typically invisible to network based IDS/IPS systems, such as local file systems and logs. Both signature- and anomaly-based means of detection can be used.
HIDS functionality is often integrated into larger solutions, such as comprehensive endpoint security with anti-malware, patch management, and centralized control.
Some HIDS systems also monitor network packets – similar to network-based IPS – but only those handled by the local machine.
Small businesses looking to avoid an expensive endpoint product can try OSSEC, a free, open-source HIDS solution that any SMB can afford.
Hackers and malware target software vulnerabilities – and they also target vulnerabilities in staff members.
Employees who do not understand the basics of cyber security pose a major risk to the company’s data security. Employees check email, browse the internet, and perform many other routine tasks that put them on the front lines of security.
Regular training for staff members can yield huge dividends. It’s one of the top factors that can lower the cost of a data breach at your organization.
Simple steps such as quarterly training sessions, monthly information flyers, and simulated phishing attacks can raise awareness and cut risks – all without requiring the purchase of a single security product.
If a cyber attack hits your network, good logs can reveal how and when it occurred, what systems it impacted, and what data may have been compromised.
Nearly every network endpoint and service can generate logs. The same goes for services and processes on a local machine. The volume can be overwhelming, so it’s important to tailor the list of monitored log sources to a minimum.
Each log is a simple record of an event – such as a connection allowed or blocked, or a file transfer beginning or completing. To be useful for analysis across the network, logs need to be centrally aggregated, time synchronized, and comprised of useful, relevant information.
Rsyslog is one example of an open-source utility for UNIX and Linux systems, which can aggregate logs in syslog, a widely supported protocol.
However, the volume and technical details of logs make them extremely difficult to parse and scan manually. Many IT managers instead rely on security incident event monitoring (SIEM) tools, which can tie network events together and correlate them. The tools may also offer insight into other problems, such as failed attempts at authentication and privilege escalation.
While many systems are capable of forwarding logs in a cross-platform format to a central service on the network, some cannot. In these cases, agent software may be available for the system, which acts as a bolt-on solution to collect and forward logs in the needed format.
Important types of logs include any involving authentication, firewall events, and IDS / IPS events. Endpoint logs are also important, such as logs maintained by local anti-virus, HIDS, and operating system. Other important logs include those for DHCP, DNS, and databases.
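As an added example (not part of the original post, and not the output of rsyslog or any SIEM product), the following Python script shows the kind of correlation the section describes: it normalizes constructed, time-synchronized syslog-style lines from a perimeter firewall and an sshd authentication log into one schema, then flags a source that produced repeated failed logins followed by a success and checks whether the same source was also blocked at the firewall. The log lines, hostnames, IP addresses and the `threshold` value are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not real logs) from two sources already aggregated on
# one host with synchronized clocks: a firewall and an sshd authentication log.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 fw1 firewall: BLOCK src=198.51.100.7 dst=10.0.0.5 dport=3389 proto=tcp
2024-05-01T09:00:03 srv1 sshd[412]: Failed password for admin from 198.51.100.7 port 41002 ssh2
2024-05-01T09:00:05 srv1 sshd[413]: Failed password for admin from 198.51.100.7 port 41004 ssh2
2024-05-01T09:00:07 srv1 sshd[414]: Failed password for root from 198.51.100.7 port 41006 ssh2
2024-05-01T09:00:09 srv1 sshd[415]: Accepted password for admin from 198.51.100.7 port 41008 ssh2
2024-05-01T09:01:00 srv1 sshd[420]: Accepted publickey for alice from 10.0.0.22 port 50000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
FW_RE = re.compile(r"^(?P<action>ALLOW|BLOCK) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
SSH_RE = re.compile(r"^(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)")

def parse(text):
    """Normalize each raw line into a dict with a common schema; skip unknown formats."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in practice, count unparsed lines so gaps in coverage are visible
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "app": m["app"]}
        if m["app"] == "firewall" and (f := FW_RE.match(m["msg"])):
            ev.update(kind="fw", action=f["action"], src=f["src"], dst=f["dst"], dport=int(f["dport"]))
        elif m["app"] == "sshd" and (s := SSH_RE.match(m["msg"])):
            ev.update(kind="auth", result=s["result"], user=s["user"], src=s["src"])
        else:
            continue
        events.append(ev)
    return events

def correlate(events, threshold=3):
    """Flag a source IP whose successful login follows >= threshold failures,
    and record whether the perimeter firewall had already blocked that source."""
    failures, blocked, alerts = defaultdict(int), set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):  # time order matters for correlation
        if ev["kind"] == "fw" and ev["action"] == "BLOCK":
            blocked.add(ev["src"])
        elif ev["kind"] == "auth" and ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif ev["kind"] == "auth" and failures[ev["src"]] >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": failures[ev["src"]],
                           "seen_at_perimeter": ev["src"] in blocked})
    return alerts
```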
To learn more, check out this SANS paper on logging architecture.
The endpoint firewall is very similar to the perimeter firewall mentioned above, but packet filtering is handled on the local machine.
While these firewalls can operate as simple stateless packet filters, many are also application-aware – i.e. they allow administrators to control which applications are allowed to pass traffic to and from the network.
The Windows 10 firewall is an example of an application-aware endpoint firewall, and it comes free with the operating system.
Controlling authentication and access is critical to network security. All the best security products in the world cannot prevent a data breach if access goes unmanaged.
Imagine you own an art museum. You have security cameras, alarms, and all manner of fancy tools.
Normally, only a few people have keys and security codes to unlock the doors and disable the security system. This is access control.
Without access control, every employee has keys and security codes. It’s a security nightmare.
Many versions of this nightmare exist in cyber security.
One scenario is to give all users the password to join the company network and freely access servers and other critical resources. Another is allowing all users to browse the web while logged in as administrators on their workstations.
To avoid a nightmare in your SMB office, the principle of least privilege is a great place to start. In short, you should grant users access to the systems needed for their jobs and no others.
The value of the principle is most obvious for critical systems – such as those that manage the network, security, and vital business functions.
Only users who need access to these systems should be granted that access, and only users who need to administer these systems should be granted administrator-level access.
The principle also applies to workstations. Users who browse the internet and access email should do so from standard-user accounts – those which cannot change the operating system.
Only users who are allowed to make changes to the workstation should be granted administrative credentials – and the credentials should only be used when necessary. They shouldn’t be used when performing routine tasks, such as when drafting documents or researching online.
Two more important points
Additional items that are critical to SMB network security but were not mentioned in the SANS paper:
Spam filtering – check out Email Phishing report for more.
Web filtering – check out this post on types of web filters.
Automatic data backup – has proven very effective in ransomware prevention.