Taming the Computer Security Shrew

What Shakespeare Might Write Today if Katherina Were a Hacker and Petruchio Was Running a Small Business

Monte Robertson, President and CEO of Software Security Solutions

I’m taking a little poetic license here with Shakespeare’s original plot line, but small business owners could do worse than take a page from Petruchio’s book and make a determined effort to tame the threat cyber criminals pose to today’s businesses. Without effective methods to tame the threats, businesses risk losing all the benefits an effective business-computer partnership can deliver.
Consider the enormity of what the business has to protect against the bad guys. Then add to the mix the speed and complexity at which threats grow and change. So much has been written about both these topics that most businesses can’t keep up. Besides, who has time to read all the literature on a subject that doesn’t add value to the business? Most businesses would probably say, “We want security vendors to predict the future and work as reliably as the light switch. Oh, and did we mention we want it now?”
Cliff notes from the business owner and the shrew.
First, let’s hear from Petruchio, the business owner:

  • We have anti-virus which supposedly catches everything. Some say there is no end in sight and no one catches everything, but we also realize no anti-virus vendor will admit that they are struggling to keep up.
  • We think that, because we have a firewall, we are protected against anything the Internet can throw at us. But now we’re hearing that firewalls can’t even see malicious code that’s buried in approved traffic.
  • We can’t be competitive unless we give everyone wireless connectivity and 24×7 access to the network. OK, so some businesses got burned when their data was diverted, but we’re not important enough for anyone to bother with.
  • Our users need to have free access to the Internet, and we trust them to behave responsibly. If we start putting security barriers in their way, we’ll have a riot on our hands.
  • We have to have a cool-looking website to keep the customers coming, and we assume our service provider will keep it properly maintained and updated.
  • Every computer has 65,000 ports and countless software vulnerabilities, but we’re just trying to run a business here. We’re not security experts.

Counterpoint from Katherina, the shrewish hacker:

  • Every day, 15,000 new threats are released onto the Internet. Creation and testing are automatic and fast-paced. We’re highly organized, we’re always on the move, and we now generate more dollars than the drug trade.
  • It’s no secret that we have been compromising firewalls for years, largely because of the assumption that users behind the firewall can be trusted.
  • The more connection points you have, the more threat surfaces and attack vectors there are to exploit. We really like this one!
  • The web is our playground. No one knows where we are – but we know that’s where you are. All I have to do is convince one unsuspecting user on my target network to click on or open something and bingo! I’m in.
  • We know most web sites are largely unattended, their applications and patch levels not up to date. We have many resources to tell us what applications are vulnerable to what exploits. All we have to do is find a web site with those applications, run the exploit and voila!
  • Really, businesses make it so easy for us to exploit them; we hardly have to make any effort at all.

So what’s Petruchio to do to tame his shrew?
There is no panacea, no silver bullet, and no simple fix. That’s the hard part. But most businesses don’t take the hard road when they’re faced with unknown threats and complicated technology. When a vendor comes through the door and says “We can solve all your security problems! Just plug this magic box in here and you don’t have to worry any more!” the temptation is to say “Thank you! Where do I sign?”
Trouble is, the largest purveyors of security software are also the largest targets for Katherina and her friends. The shrews target the market leaders because that is where they can get the most “bang for their malicious buck”.
As the bard might say, first educate thyself
Think about it for a moment. There are all these threats out there, with new ones evolving all the time. It’s not realistic to expect one solution to know every security threat that has and will happen. But if you think about a series of layers, each one designed to catch anything the layer above might miss, you’re on your way to a logical and effective solution that doesn’t get in the way of business. Welcome to the world of the layered security solution.
Here’s your bullet-point guide to developing a layered approach to security:

  • Have an updated security policy. This is fundamental for an effective layered security solution.
  • Identify critical data: where it is, where it goes, and who has access to it. Back that data up, because if it goes away and there is no backup, you’re done.
  • Put a disaster recovery and business continuity plan together. This is non-negotiable.
  • Understand that different solutions excel at taming different threats. Do the research – or find a trusted partner to do the research for you – to find the best solutions for each threat category.
  • Understand that, as threats and the environment change, so must the solutions and your processes and knowledge. Review everything regularly.
  • Make sure EVERYTHING is kept up to date. If a patch breaks one of your business applications, it might be time to find a different application vendor – one who takes a more responsible approach to the security of its customers.

The prep work
The first step in building a layered security solution is building a strong foundation. Start by putting a security policy in place. Boring yes, but necessary. It identifies and drives how your business and its employees deal with the business of security.
To find out who does what best in the world of computer security, check out the independent testing labs. Virus Bulletin (Virusbtn.com), AV-Comparatives (AV-Comparatives.org) and AV Test (AV-Test.Org) are all worth regularly checking out to see how the better-regarded anti-malware applications compare. And keep an eye out for articles about “application whitelisting”. Logic says this has to be the future for an anti-malware industry that’s facing thousands of new threats every day. Signature-based detection just doesn’t cut it any longer.
As far as finding a bullet-proof firewall, start with those that pass testing by ICSA (icsa.net) and West Coast Labs (westcoastlabs.com) for hardware firewalls, and Matousec (matousec.com) for software firewalls.
Share information on securing wireless networks with employees who use the technology at home when they might be working virtually. Start by changing the default user name and password on the wireless access point, and make sure everyone uses encryption (WEP is OK but WPA is better).
Make sure everyone understands the importance of keeping software up to date. Information on known exploits for many web applications can be found quickly at osvdb.org by using its database search and web vulnerability search.
User education is the final, and some might say the most important, layer. What they don’t know can hurt your business. They are the largest threat surface and the weakest link. Staysafeonline.org has some excellent resources you can use.
Katherina and Petruchio managed to live happily ever after – and so can you if you learn how to tame the hacker shrew.
Good luck, think layers, and stay safe out there.
Monte Robertson is the President and CEO of Software Security Solutions, an SMB-focused security firm in Lakewood, CO.