8 Steps to Defense In Depth for the SMB

Running a small business usually means working with a small budget (or a tight one, at least), and network security is often not given the attention it deserves. The risk of a small business network being broken into or compromised is usually perceived as very low: a common line I hear is “We are just a small widgets maker, no one wants to break into our computers”. Research continually shows that hackers are stealing billions from small businesses, due in large part to this attitude towards security. In the minds of many business decision makers who are responsible for IT systems, the term “network security” tends to be synonymous with “antivirus”. For them, antivirus represents both the front line defense and the last hope to protect their network. However, there is a better way to protect your valuable data – and it doesn’t have to break the bank.
In the Information Assurance (IA) world, “Defense In Depth” is a strategy for protecting an IT system where security is layered with multiple defenses (controls). This provides redundancy in the event that one of your controls (endpoint antivirus, for example) fails to detect, block, or remediate an exploit. A control can be just about anything that helps protect your network – firewalls, content filters, or even training for your employees. Some controls may not be designed to block an attack, but rather delay, detect, or quarantine it. Even if computer viruses are the only threat that concerns you (and they really shouldn’t be), you might feel differently about putting your faith in a single application if you knew that new studies are showing AV applications as woefully ineffective – less than 5% – against new malware without additional protections.
When looking at a multi-layered approach to defense for a small business, some big-ticket items used in the enterprise are simply off the table due to budget constraints. However, there are still several simple (and low-cost) controls we can implement that could be the difference between a blip on your security logs and a massive loss of data and productivity:
  1. End User Training – The majority of vulnerabilities will involve your end users. Nearly every virus infection we are called to remediate started or was accelerated by a poor decision from an end user. Opening e-mail attachments, clicking a hyperlink, or installing software can all be gateways to delivering malware. “Don’t open attachments from suspicious e-mails” is a rule that seems so basic we often forget to follow it. Studies have shown that a surprising portion of users still get duped into clicking malicious links even when the warning signs are there. Attackers have also gotten very sophisticated with their bait, crafting incredibly convincing messages that can appear to come from inside your organization. Most users know not to open an e-mail promoting prescription drugs from sa21345@aol.com, but what about an e-mail requesting that all employees fill out an HR form, which appears to come from the HR manager? End user training is key here, but the good news is that it won’t cost you anything aside from some well-spent time. There are plenty of excellent free resources available for internal training at small businesses (check out OnGuard.gov for starters).
  2. Browser Warnings – Most modern browsers have some degree of in-browser warnings when a site is detected as potentially malicious. For these to have a chance at working, though, you have to ensure your computers are actually running a modern browser with the latest updates and that your end users have been trained to recognize the message and not simply click through it (which seems to be our default response nowadays). Many endpoint security suites will also add their own site safety check mechanism for increased security.
  3. Content Filtering – Any decent next-generation business-grade firewall (i.e. NOT your Linksys/D-Link/Netgear from Walmart) should feature baked-in Content Filtering that will allow you to block known malicious or unwanted sites. A more affordable option may be cloud filtering, which usually works by redirecting DNS requests through the provider’s resolvers and does not require any on-premises hardware. In either case, I highly recommend opting for a whitelist strategy instead of a blacklist – providing a list of sites you want allowed and blocking everything else, instead of relying on an inevitably incomplete list of malicious sites that need to be blocked.
  4. Gateway IPS – Intrusion Protection Systems (IPS) on a firewall monitor connections and try to detect suspicious behavior. If you are hosting any kind of service internally (e-mail / Exchange, a web site, Remote Desktop / Terminal Services, etc.), a properly tuned IPS is very desirable for preventing exploitation.
  5. Gateway Antivirus – That next-generation firewall you have for Content Filtering and IPS may also include a built-in antivirus scanner. This ensures all traffic passing into the network is scanned at least once (and hopefully twice, when it reaches the destination endpoint). Most firewall manufacturers outsource the scanning engine to a third party such as Kaspersky or McAfee and keep definitions up-to-date automatically. Keep in mind that these services are almost always subscription-based, so you’ll need to be sure you are keeping up with those yearly maintenance renewals.
  6. Endpoint Antivirus – If you already have one control in place, this is probably it. Make sure you are getting all the value out of it that you can by keeping it updated and enabling as many of the advanced security functions as possible. Train users on how to recognize the warning messages that it produces and take the appropriate action.
  7. Host IPS – Host Intrusion Protection Systems (HIPS) can sometimes come integrated into your existing antivirus software. They perform similarly to gateway IPS, but protect only the host they are running on. Oftentimes they are disabled because an improperly configured HIPS can interfere with, or completely block, legitimate applications from executing.
  8. Limited User Rights – Assuming malicious code makes its way onto a PC despite your defenses, it will typically execute under the context of the user that ran it. If your users are granted local administrative permissions, this means the infection will also have administrative permissions – that’s not good! However, if users are restricted from installing software or making high-level changes on the computer, this will greatly reduce the potential for damage after an infection and slow the rate of spread. An even more secure, though administratively cumbersome, option would be to restrict users to running only approved executable files – entirely preventing the execution of most malicious code. Controls like this are easily implemented through Group Policies on Windows Server – which many small businesses already possess.
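To make the whitelist-versus-blacklist point from item 3 concrete, here is an added example (not from the article, and not any particular filtering product’s logic) that evaluates a handful of DNS query names under both policy modes. All domain names, client addresses and log lines are constructed sample data; the log format is a hypothetical one chosen for the example.

```powershell
# Added example: allowlist ("whitelist") versus blocklist ("blacklist") decisions
# for DNS query names, as a cloud DNS filter might make them.
# Every domain, client address and log line below is constructed sample data.

# Hypothetical query log lines (constructed; not a real product's format).
$QueryLog = @(
    'client=10.0.0.12 qname=www.microsoft.com'
    'client=10.0.0.12 qname=updates.contoso-accounting.example'
    'client=10.0.0.40 qname=cdn.knownbad.example'
    'client=10.0.0.40 qname=hr-forms.newly-registered.example'
    'client=10.0.0.51 qname=mail.example.org'
)

# Allowlist: the domains the business actually needs.
# Blocklist: domains somebody has already identified as bad.
$Allowlist = @('microsoft.com', 'contoso-accounting.example', 'example.org')
$Blocklist = @('knownbad.example')

function Test-DomainMatch {
    # True when $Name equals a listed domain or is a subdomain of one.
    # Matching on a dot boundary stops "notmicrosoft.com" from matching "microsoft.com".
    param([string]$Name, [string[]]$Domains)
    $n = $Name.ToLowerInvariant().TrimEnd('.')
    foreach ($d in $Domains) {
        $d = $d.ToLowerInvariant()
        if ($n -eq $d -or $n.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Get-FilterDecision {
    # Returns 'Allow' or 'Block' for one query name under the chosen policy mode.
    param(
        [string]$Name,
        [ValidateSet('Allowlist', 'Blocklist')][string]$Mode
    )
    switch ($Mode) {
        'Allowlist' { if (Test-DomainMatch $Name $Allowlist) { 'Allow' } else { 'Block' } }
        'Blocklist' { if (Test-DomainMatch $Name $Blocklist) { 'Block' } else { 'Allow' } }
    }
}

function Get-FilterReport {
    # Parses each log line and shows what each policy mode would decide.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'client=(?<client>\S+)\s+qname=(?<qname>\S+)') {
            $client = $Matches.client
            $qname  = $Matches.qname
            [pscustomobject]@{
                Client    = $client
                Name      = $qname
                Allowlist = Get-FilterDecision -Name $qname -Mode Allowlist
                Blocklist = Get-FilterDecision -Name $qname -Mode Blocklist
            }
        }
    }
}

Get-FilterReport -Lines $QueryLog | Format-Table -AutoSize
```

The row worth looking at is hr-forms.newly-registered.example: the blocklist allows it because nobody has listed it yet, while the allowlist blocks it because it was never approved. That is the gap the article’s whitelist recommendation closes, at the cost of having to add each legitimate new site by hand.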
Almost all of these items can be implemented through a combination of Windows Server, a decent NG firewall, and a solid antivirus application – all of which are available at price points within the budget of most SMBs. Excellent cloud solutions are also available for businesses who wish to avoid the capital expenditure altogether. If you are interested in having InfoTECH review your network security or deploy these solutions according to industry best practice, just drop us a line at info@infotech.us or call our office at 337-896-3681.
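As an added example of the Windows side of item 8 (this is not code from the article or from InfoTECH), the following script does two things on a single Windows 10 / Server 2016 or later machine: it lists who currently holds local administrative rights, and it builds an AppLocker policy, in audit-only mode, that allows only the executables already installed under the standard program directories. AppLocker is one Windows mechanism for the “only approved executable files” control the article describes; the directory list, the rule-name prefix and the Downloads check are my assumptions, and the policy is not applied unless you uncomment the last line.

```powershell
# Added example: audit local admin rights and build an audit-only AppLocker
# allow-list policy. Run in an elevated PowerShell session.
# Directory list, rule-name prefix and the Downloads check are assumptions.

# 1. Who holds local administrative rights on this machine?
#    Anything beyond the built-in Administrator account and your IT admin
#    group is a candidate for removal.
function Get-LocalAdminReport {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 2. Build an AppLocker policy from the executables already present under the
#    trusted directories: publisher rules for signed files, path rules otherwise.
function New-AuditOnlyAppLockerPolicy {
    param(
        # Assumed trusted locations; adjust for your environment.
        [string[]]$TrustedDirectories = @(
            "$env:ProgramFiles",
            "${env:ProgramFiles(x86)}",
            "$env:SystemRoot"
        )
    )
    $fileInfo = foreach ($dir in $TrustedDirectories) {
        if ($dir -and (Test-Path $dir)) {
            Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
        }
    }
    $policy = New-AppLockerPolicy -FileInformation $fileInfo `
        -RuleType Publisher, Path -User Everyone `
        -RuleNamePrefix 'SMB-Baseline' -Optimize

    # AuditOnly records what would have been blocked in the
    # AppLocker event logs without stopping anything, so legitimate software
    # that was missed can be found before switching the collections to Enabled.
    foreach ($collection in $policy.RuleCollections) {
        $collection.EnforcementMode = 'AuditOnly'
    }
    return $policy
}

# 3. Test files against the policy before deploying it.
function Test-FilesAgainstPolicy {
    param($Policy, [string]$Directory)
    if (Test-Path $Directory) {
        Get-ChildItem -Path $Directory -Filter '*.exe' -Recurse -ErrorAction SilentlyContinue |
            Convert-Path |
            Test-AppLockerPolicy -PolicyObject $Policy -User Everyone
    }
}

# Usage
Get-LocalAdminReport | Format-Table -AutoSize
$policy = New-AuditOnlyAppLockerPolicy
# Executables in a user's Downloads folder (assumed location) match no rule,
# so the test reports them as they would be treated under enforcement.
Test-FilesAgainstPolicy -Policy $policy -Directory "$env:USERPROFILE\Downloads" |
    Format-Table -AutoSize
# Apply locally, merging with any existing rules. For domain-wide deployment,
# use Set-AppLockerPolicy -Ldap with the GPO's LDAP path instead.
# Set-AppLockerPolicy -PolicyObject $policy -Merge
```

Two practical notes: the Application Identity service (AppIDSvc) must be running for AppLocker rules to take effect, and enforcement is only supported on certain Windows editions, so check yours before relying on it. Scanning the Windows directory recursively also takes a while; run it once to build the baseline rather than on every logon.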
