An In-depth Overview Of Digital Security: Interview with Symantec’s Dean Turner

Do you remember when all you needed was to make sure every one of your computers had a copy of an anti-virus program, and you were pretty much fine?
Today, hackers and other malicious actors make their living, seek a challenge, or simply get a thrill from breaking into computers and networks and wreaking havoc. Into this “new” world sit your computers, networks, databases, financial data and everything else that is precious to your business.
You want to ensure that this is protected from assaults via email, web sites, instant messaging, mobile devices and any other access point.
Dean Turner, Senior Manager of Symantec Security Response, gives a good overview of the new age of security we are in, in this Q&A from Symantec.
Q: How has the threat landscape changed for SMBs in the past several years? Are small businesses better or worse off than they were a few years ago?
Perhaps the biggest change we’ve seen in the threat landscape is that hackers are now more focused on financial gain versus fame or notoriety. The reason is that information has become a lot more valuable, and that there is a lot of money to be made in finding and stealing personal and confidential information.
Threats have also become more silent and difficult to detect, as well as highly targeted to web browsers and the client application. Moreover, attackers are increasingly refining their methods and consolidating their assets to create global networks that support coordinated criminal activity. Thus, from what we’ve seen, most attackers are now focusing on the path of least resistance, as their goal is to remain undetected in their efforts to gather information for as long as they can. And for today’s hackers, SMBs and home users are usually that path.
As for whether SMBs are better or worse off than they used to be, well, that’s kind of a mixed answer. In many ways, SMBs are better off because there is more technology available now than there was five years ago that they can use to protect themselves. That said, there are also more threats around today, and information has become increasingly more valuable than it used to be. The challenge for SMBs is that they are more susceptible to attacks simply because they don’t have the same amount of time, resources or expertise to devote to protecting themselves as larger businesses do. And, for most, developing a comprehensive IT infrastructure typically isn’t a high priority given the multiple hats that small business owners wear, their budget and resource constraints, and their primary focus on generating sales to pay the bills.
Q: Besides what you mentioned above, what are some of the other reasons that SMBs are now hot targets?
Small businesses are easier for a hacker to break into and they have more valuable data sitting on their machines than some home users, so SMBs offer attackers a “bigger bang for their buck” if you will. Let’s face it, identity theft is a big business, and hackers have become pretty good at stringing innocuous pieces of data together to make it valuable. To give you a basic idea of just how much money there is to be made in this industry, the 2006 CSI/FBI Computer Crime and Security Survey estimates financial losses from security threats from only 313 responding companies to be $52.5 million. However, we believe the numbers that are currently being reported are really a lot higher because in our experience, most survey respondents (i.e. businesses) typically don’t like to admit that they’ve been a victim of an attack. It’s not good for their business.
Q: What are some of the biggest mistakes that small businesses make when it comes to security?
One of the biggest mistakes they make is assuming that since they’re small, hackers won’t be interested in them. Unfortunately, just the opposite is true. SMB servers and home users are, in many cases, now the preferred targets of choice for attackers for the installation of bots, spam zombies and phishing web sites, namely because they’re easy targets. After all, information in SMB databases is often just as valuable to an attacker as that contained on an enterprise database, as any user, system or personally identifiable information can be sold or used for identity theft. And, since large companies have more resources, they’re getting smarter and their systems have become a lot harder to penetrate.
Q: What are some of the biggest security threats to SMBs at this time?
Right now, we’re seeing an increase in phishing, spam, bot networks, Trojans, and zero-day threats, and more malicious code being created to target specific organizations for information that can be used for financial gain. We’re also seeing an increase in data theft and data leakage.
But, if I had to specifically name a few I would say:
1) SMBs typically have databases on their network that lots of people have access to, but many shouldn’t. By not protecting these databases or pulling these databases offline, SMBs are opening themselves up to some pretty big security risks.
2) Phishing attacks – Oftentimes, SMBs may think they’re responding to a vendor, when in actuality, they may be responding to a criminal who is phishing for financial or business-related information.
3) Repurposing IT systems – Criminals are building networks of systems, referred to as botnets, that end up using the computing cycles of PCs to execute their criminal intentions to steal data or to simply occupy bandwidth.
Aside from that, many times it’s the type of technology and functionality that SMBs adopt in order to reduce their total cost of ownership (TCO). What I mean is that they often rush to adopt new technologies that may not have undergone testing or been through an audit, simply to reduce their TCO. And, they may even implement those technologies without thinking about what the potential security implications could be. Big businesses often adopt these technologies, too, but they’re usually more prepared and better equipped to protect themselves.
Q: What are some of the areas in which SMBs are most vulnerable?
From a purely technology standpoint, one of the areas in which SMBs are most vulnerable is not having what we call a “defense in depth” strategy, or in other words, not having multiple layers of security defenses. As an example, most small businesses know they need a firewall on their system, but may not realize that they also need a firewall on all of the other devices attached to their network. They also may not be aware that not all attackers come through a firewall: an attacker can break into a network simply by coming in through a sales guy’s laptop in an airport on which he accidentally left a Wi-Fi connection turned on.
Another common area in which they’re vulnerable is not having a security policy that clearly defines how their company’s technology and information can be/should be used within their company, where customer information can be stored, etc. They also need to stay up to date on any data protection laws that they may be subject to, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, etc.
Q: Is there anything else that SMBs need to be aware of?
Yes. In the latest Symantec Internet Security Threat Report (ISTR), we discovered that Microsoft Internet Explorer was targeted by 77 percent of all attacks that specifically targeted Web browsers. In addition, 54 percent of all identity theft-related data breaches were due to theft or loss of a laptop or data storage medium. The second most common cause was insecure policy, which made up 28 percent of all incidents. And, since many SMBs use Microsoft Internet Explorer and have employees working on laptops, they need to take steps to protect themselves in those areas.
Q: In small businesses, many times it’s the CEO or a corporate management person who oversees IT. What advice do you have for people in those situations?
The best advice I can offer those who are in that situation is to start with the basics, and invest in products and solutions that will scale as their business grows. What we recommend is finding a good value-added reseller (VAR) that can help them implement a sound security strategy. Many Symantec partners are well positioned for that. As small businesses grow, many still rely on a VAR, but hire someone in-house, such as a director of IT, to manage this for them. At that point, SMBs start seeing their security management strategy become part of their company’s internal knowledge. We have seen and expect to continue to see small businesses turning to channel VARs that have experience helping small businesses address these challenges. At mid-size businesses, we’re seeing that as well, but that’s the point where companies typically start hiring someone in-house to oversee that function.
The bottom line is, SMBs have budget and IT resource constraints, and require solutions that are easy to install and integrate, as well as to use and manage over time as their business grows. Every IT decision is critical – they can’t afford to rip and replace. Therefore, they need to know what they’re implementing and have a solid understanding of the impact that a particular technology may have on them.
The other advice I would offer them is to take inventory of what they have. For example, what are their assets? What do they need to protect? What’s vulnerable? What do they have to expose? They should also be thinking about things like what is their security policy going to be around those assets? And, what are the specific tools or services that they need to either buy or engage a VAR on to help them implement those security technologies or security policies?
Q: What are some of the steps that SMBs can take to protect themselves?
To stay secure in today’s highly connected world, SMBs need to employ defenses along multiple fronts. This requires a two-pronged strategy: 1) having the right software in place to protect their small business network from malicious network attacks, viruses, security breaches, suspicious activity, etc.; and 2) putting the right policies and practices in place to ensure they’re doing everything they can from both a software usage and human resource standpoint to help protect their network.
For small businesses, data and systems protection is the first order of business. Some specific steps that SMBs can take to protect themselves include:
– Turn off and remove services that are not needed
– Have a password policy
– Secure their e-mail server – 80% of malicious code is coming through the browser, or through email as a phishing attack
– Don’t open attachments unless you know who they are coming from
– Use an internet security solution to scan attachments and files at the point of entry
– Create emergency response procedures – minimizes the opportunity for lost data (regular backup and restore)
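The three e-mail items in the list above (secure the mail server, don’t open attachments from unknown senders, scan attachments at the point of entry) are usually implemented as a check that runs on the mail gateway before a user ever sees the message. The following is an added example written for this page, not Symantec’s code or anything from the interview: it parses a raw RFC 5322 message with Python’s standard `email` library, walks the MIME attachments, and flags the classic phishing lures (an executable extension, a “document” name hiding an executable double extension, a payload whose first bytes identify a Windows PE file, or a file that calls itself a PDF but does not start with `%PDF`). The blocklists and the three sample messages are constructed for the example; a real deployment would feed the gateway’s actual inbound mail to `screen_message`.

```python
"""Point-of-entry attachment screening for inbound mail (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist of extensions Windows will execute directly; not exhaustive.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "jar", "msi"}
# Extensions a phisher puts *before* the real one to make "invoice.pdf.exe" look harmless.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
PE_MAGIC = b"MZ"        # first two bytes of every Windows PE executable
PDF_MAGIC = b"%PDF"     # first bytes of a genuine PDF


def attachment_findings(part) -> list:
    """Return the reasons to quarantine one MIME part; an empty list means it looks clean."""
    findings = []
    filename = (part.get_filename() or "").lower()
    suffixes = filename.split(".")[1:]          # "invoice.pdf.exe" -> ["pdf", "exe"]
    payload = part.get_payload(decode=True) or b""

    if suffixes and suffixes[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{suffixes[-1]}")
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS and suffixes[-1] in EXECUTABLE_EXTENSIONS:
        findings.append("document name disguising an executable (double extension)")
    # Content checks: the name is attacker-controlled, the first bytes are not.
    if payload.startswith(PE_MAGIC):
        findings.append("payload is a Windows PE executable regardless of its name")
    if suffixes and suffixes[-1] == "pdf" and not payload.startswith(PDF_MAGIC):
        findings.append("claims to be a PDF but content does not start with %PDF")
    return findings


def screen_message(raw: bytes) -> dict:
    """Parse a raw message and decide deliver/quarantine from its attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        verdicts[name] = attachment_findings(part)
    decision = "quarantine" if any(verdicts.values()) else "deliver"
    return {"from": str(msg["From"]), "decision": decision, "attachments": verdicts}


def build_sample(sender: str, filename: str, content: bytes, maintype: str, subtype: str) -> bytes:
    """Assemble a constructed test message with a single attachment and return its raw bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "accounts@example-smb.test"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(content, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples, not real mail: a legitimate PDF, a double-extension lure,
# and an executable renamed to .pdf that only the content check catches.
CLEAN_MAIL = build_sample("vendor@supplier.test", "invoice-0042.pdf",
                          b"%PDF-1.4 constructed sample", "application", "pdf")
LURE_MAIL = build_sample("billing@supp1ier.test", "invoice-0042.pdf.exe",
                         b"MZ\x90\x00" + b"\x00" * 60, "application", "pdf")
DISGUISED_MAIL = build_sample("billing@supp1ier.test", "statement.pdf",
                              b"MZ\x90\x00" + b"\x00" * 60, "application", "pdf")

if __name__ == "__main__":
    for raw in (CLEAN_MAIL, LURE_MAIL, DISGUISED_MAIL):
        print(screen_message(raw))
```

The point of the third sample is the one the list item about scanning “at point of entry” is really making: a filter that trusts the filename or the declared Content-Type is only as good as the attacker’s honesty, so the gateway has to look at the bytes, and it has to do so before delivery, not rely on the recipient noticing that “supp1ier” is not “supplier”.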
Q: What else have SMBs not been doing that they should be thinking about?
To some degree, SMBs are at more risk than larger businesses because of the type of connections they use (e.g. modems, DSL, etc.). SMBs need to know where all of their endpoints are, and protect those endpoints. For instance, if they have a home computer that they use to access their network, that home computer is an endpoint. If they have files floating back and forth on a personal digital assistant, that’s an endpoint.
They also need to have a security policy that not only identifies the key assets that need to be secured, but which assets will be extended to whom. For example, their security policy should include things like installing and updating antivirus software, installing a firewall, checking for encryption and authentication, creating strong passwords, and updating Web browsers.
The purpose of the policy is to guide users in knowing what is allowed and to guide administrators and managers in making choices about system configuration and use. And, by going through the process of creating a security policy, SMBs will be able to establish specific security goals and a plan for tackling them.
But perhaps most importantly, SMBs need to educate themselves on and stay abreast of what’s happening in the threat landscape. One of the easiest ways to do this is by reading some of the materials posted at or or other similar material available on the Internet.
Q: Since SMBs have such limited resources, what should their biggest priorities, resource-wise, be when it comes to security?
That really varies depending on the individual business. I say that because there are all kinds of variables that can come into play, such as do they have a store front? Do they do most of their business online and take credit cards? Etc. All of those variables have to be taken into consideration when determining what an SMB’s biggest security priorities should be.