Network Security for Startups
General Assembly
July 11th, 2011
Bill Totman [[email protected]]
http://billtotman.com
Introductions
• Who am I?
• In the interest of full disclosure.
– Who I work for.
– Who I have worked for.
• Who are you?
Network Security for Startups - Bill Totman
- Copyright 2011
2
Definitions
• Network/computer security
– The governance of authority
• Controlling {who,what} has access to {what,who} as
well as {when,why}.
– 'What' is being secured?
• Data
– Personal information
– Company IP
– Computer metadata
» Logs
» System alerts
Definitions
• Resources
– Time
– CPU Cycles
– IP Addresses
» Blacklisted IP Addresses
• See Resources for checking your IP(s)
• BC/DR
– Business Continuity/Disaster Recovery
• The maintenance and recovery of your business
processes.
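The slide points to an off-page resource list for checking your own addresses; as an added example (not from the deck), this Python helper shows how such a DNS-based blocklist (DNSBL) check works: reverse the IPv4 octets, query them under the list's zone, and treat an answer in 127.0.0.0/8 as a listing while keeping Spamhaus's 127.255.255.x query-error codes separate from a real listing. The zone names are real public blocklists used as assumed defaults, and 203.0.113.7 is a constructed sample address.

```python
"""DNSBL lookup helper (added example, not from the original deck): checks
whether an IPv4 address of yours appears on a DNS-based blocklist."""
import ipaddress
import socket

# Public DNSBL zones used as defaults (assumed; check each operator's usage terms).
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")
# Any answer in 127.0.0.0/8 means "listed"; Spamhaus uses 127.255.255.x to
# signal a query problem (open resolver, rate limit), which is not a listing.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify_answers(answers) -> str:
    """Map the A records returned by a DNSBL query to a status string."""
    listed = False
    for a in answers:
        addr = ipaddress.ip_address(a)
        if addr in ERROR_RANGE:
            return "error"  # never report a query error as a clean result
        if addr in LISTED_RANGE:
            listed = True
    return "listed" if listed else "not-listed"

def resolve_a(name: str):
    """Live resolver; NXDOMAIN (no record) is how a DNSBL says 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check_ip(ip: str, zones=DNSBL_ZONES, resolve=resolve_a) -> dict:
    """Return {zone: status} for one address; inject a fake resolver to test offline."""
    return {z: classify_answers(resolve(dnsbl_query_name(ip, z))) for z in zones}

if __name__ == "__main__":
    # Constructed sample address from the documentation range (203.0.113.0/24).
    for zone, status in check_ip("203.0.113.7").items():
        print(zone, status)
```

Run it against the address your mail or web servers actually send from; an "error" status means the query itself failed (for example, because it went through a public resolver) and should be retried through your own resolver rather than read as "not listed".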
Definitions
• Vulnerabilities, Threats, and Risk
– Vulnerabilities
• Flaws in the programming and/or design of software (or
hardware).
– Threats
• Methods by which attacks are carried out.
– Risk
• The likelihood of being targeted for an attack.
Definitions
• Accessibility
– The ability to access data and resources in a timely
manner.
• Convenience
– Ease of access.
– a.k.a. An Enemy of Network Security.
• Implementation
– A change – whether new or during maintenance.
Traditional IT Security Threats
• Vulnerabilities
– Application vulnerabilities.
– Protocol implementations.
– OS-level vulnerabilities.
– Bad software design.
– Mistakes in implementations.
• Not changing default usernames or passwords.
Traditional IT Security Threats
• Viruses.
• Worms.
• Social engineering.
– "Enter your password"
• Familiarity or proximity.
– Looking over the shoulder.
– A written password.
– Guessing passwords based on known information.
– Weak passwords.
Traditional IT Security Threats
• Bad design.
• Vendor-wise.
– Zero-day vulnerabilities.
• Client-wise.
– Misconfiguring access policies.
– Not having a firewall at all.
– Not documenting your IT infrastructure.
» One must know what needs to be protected.
» One must also know how it is protected, if at all.
– Not remaining vigilant.
Traditional IT Security Threats
• Mistakes.
– Bad execution during an implementation.
• Forgetting to perform a step.
– Losing track of changes during an implementation.
• Barracuda Networks' WAF gaffe.
• Convenience.
– Microsoft's monoculture threat.
– Too many clicks.
• Lawyers come to mind.
Defending Yourself
• Never assume your risk is 'zero'.
– Expect problems.
• Plan how to recover from problems.
– Problems are not limited to insecurity.
• Hardware failures.
• Failures of service.
Defending Yourself
– Develop and test a BC/DR plan.
• Imagine what you would do if your main
workstations/laptops/servers went down.
• What would you do to restore the system(s) to working
order?
• Write down that plan.
• Review the plan.
• Test the plan.
• As necessary, edit that plan.
• Review and test yearly (or more) and with major
system/network changes.
Defending Yourself
– Your BC/DR plan is your 'physical' worst case
scenario plan.
• Understanding a security breach is a 'logical' problem.
• It's like reverse engineering a recipe.
– There are clues to the ingredients by its taste or appearance.
– But, the methods to the results might not be known.
• How does one unscramble eggs?
– Use this plan as a guide to understand what it can
take to recover from a serious security breach.
Areas to Defend
• Physical
– Mostly self-evident.
– PCI regulations.
• People
– Hire well.
– Foster a culture of security.
• What is your business' attitude toward its own data?
– Do you backup your own data?
» More Specifically:
• How?
• How often?
– Do you use encryption?
Areas to Defend
– How do you change the minds of those who are
not security mindful?
• Define your security expectations and policies.
– Password strength
– Individual responsibility
– Legal liabilities
– Learning expectations
• With backups:
– Show them how long it takes to make backups.
– Show them how long it takes to restore from backups.
– Ask them if they can afford to risk losing that kind of time.
Areas to Defend
– Reinforcement.
• Reminding users of what it means to be secure.
– HIPAA regulations require a login reminder about the data
accessible from that account.
Areas to Defend
• IT Security
– Inventory your IT assets.
• It's hard to protect what you're not sure you possess.
– Update that inventory regularly.
– Understand your network.
• How are you connected to the Internet?
• Does your ISP provide any security?
• Are there specialized servers in your network?
– Email servers
– File servers/shares
– Web servers
• Wi-Fi access points
– Are they properly configured?
Areas to Defend
– Inventory your data
• Employee data
• Company IP data
• Customer data
• Where are these located and who has access to them?
Creating Your Security Plan
• Who will be responsible for the plan?
– Create a position description for CSO and/or CISO.
• Enumerate the security responsibilities.
• Assign or delegate as needed.
– Identify risks.
• What data is most sensitive?
• Are there regulations that apply to that data?
– Massachusetts 201 CMR 17
– PCI
– HIPAA
– Secure Wi-Fi laws
• Is your hardware going to last?
• Risk assessment as a service is available.
Creating Your Security Plan
• Identify vulnerabilities.
– Which software vendors have a reputation for security?
• Is it because their product is simple?
• Is it because they are honest when their vulnerabilities are
discovered?
• Is it because they quickly fix known vulnerabilities?
– Which software vendors have a history of vulnerabilities?
• Do they at least fix them quickly?
• Are they honest about their flaws?
• Do they still seem fishy?
– What security measures are already in place?
– Do you have a tested BC/DR plan?
Creating Your Security Plan
– Understand the threats.
• Attend classes like this one.
– (Shameless Promotion)
• Read security blogs.
– Zscaler Research
– Barracuda Networks Blog
• Use your network security vendor.
– Do they provide regular updates?
– Do they provide informational seminars?
• Professional organizations.
– OWASP (Open Web Application Security Project)
– SANS Institute (SysAdmin, Audit, Networking, and Security)
Creating Your Security Plan
• Vendor sources.
– Zscaler
– McAfee
– Symantec
– Sophos
– Budget based on your risks, your known
vulnerabilities, and current threats.
• If 'best of breed' solutions do not fit your budget, there
are alternatives.
Creating Your Security Plan
• Remediate.
– Meet with a vendor.
• See what they have to offer.
– Get a quote.
– See another vendor.
– Get as many Proof of Concepts (POCs) as you can stand.
– This will help you understand what products or services
you need and your options for meeting those needs.
Creating Your Security Plan
– Consider open-source solutions.
• While they are usually free, there are some
considerations.
– In my opinion they are not on the cutting edge of protection
– They also lag behind in management capabilities
– I do not recommend open-source anti-virus protections IF you
are going to have just one anti-virus protection.
» To stay up to date you still have to pay for a subscription
» If you're going to pay, pay for a major vendor's solution
• You will usually have more options in how it is
deployed
– Implement the solutions.
• Your IT staff or your vendor’s resources.
Choosing a Reseller
• Reputation.
– Check online.
– Ask friends and associates.
– Ask instructors.
• Product line.
– Comprehensive set of solutions.
– Multiple vendors in multiple areas of protection.
Choosing a Reseller
• Focus.
– Technology.
– Product and services-wise.
– Customer service-wise.
• Value.
– If the best of breed isn't available, are there alternatives?
– How do they compare to other resellers?
• Do they listen?
• Knowledgeability.
– Do they understand what you need?
• Your concerns?
• Your goals?
Choosing a Reseller
– Can they explain/present the differences in their
products?
– Do they relent on pushing a 'better' product if it
doesn't fit your budget?
• Personal preference.
– Do you like them?
– This may seem petty, but it can make a difference
if there are "bumps in the road" in the providing
of services.
Conclusions
• Never assume your risk is 'zero'.
• Assign someone the responsibilities of your
startup's security.
• Cultivate a culture of security.
• Plan, test, plan.
• Document as much as possible.
Questions?
Resources
• A list of resources will be available by COB
Wednesday, July 13th at:
http://billtotman.com