In this roundtable, security experts focus on smaller businesses offer real-world advice for actionable ways to shore up defenses using fewer resources.
Small- to medium-sized businesses (SMBs), those with 100 employees or less, are more vulnerable than ever to catastrophic cybersecurity breaches and attacks.
The good news is that there are many things they can do, with extraordinarily little added investment, that will help IT managers lock down their organizations enough to make the next threat actor move along to softer targets.
Threatpost assembled a group of experts, including Timur Kovalev, CTO of Untangle, Erich Kron from KnowBe4 and Greg Murphy, CEO of Order, to help unpack the challenges facing SMBs today and examine easy, actionable things every business can do.
The panel, along with the Threatpost editorial team, narrowed down the most common cybersecurity mistakes that businesses make to 15 and discussed remedies for them — everything from a lack of basic segmentation, to a thorough asset inventory, to simple patching and regular backups can make all the difference in keeping your data safe from compromise.
The following is a lightly edited transcript of the Feb. 24th live webinar event, titled, 15 Cybersecurity Pitfalls and Fixes for SMBs, and hosted by SACUT’s Becky Bracken.
Listen free and on-demand at the link above, and check out all of our free on-demand upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the SACUT community.
What are the Top SMB Cybersecurity Mistakes?
Becky Bracken: Hi, everybody! My name is Becky Bracken, your Threatpost host. Welcome to our February webinar. Today, we have an interesting topic. We are looking at 15 common mistakes, gaffes, if you will, that small- to medium-sized businesses typically make when it comes to locking down their cybersecurity.
The goal of our discussion today is for all our attendees to take away practical, doable, advice that you can start implementing today and that relates specifically to the small- and medium-size business community. We know what Fortune 100s are doing, and it involves manpower and a lot of dollars. And that’s not reasonable for the vast majority of businesses. So, we want to really tailor our discussion to that.
To that end. We have a widget up, and I think it should be in your right-hand corner of your screen. You can submit questions at any time throughout our presentation. We encourage you to do so. We want to make sure that this time is useful for you and is addressing the problems that you’re seeing in real life. So, please, submit your questions early, submit them often, and we will get to them both throughout the presentation, and we’ll reserve some time at the end to really unpack some of those.
I don’t need to dwell on this a lot, but just to give a snapshot of where we are, for the SMB market in relation to cybersecurity.
And right now, many businesses are trying to balance this incredibly careful calibration between budgets, between resources and mounting attack risk and increased attack surface.
We’ve got executives who want to use technology to save money, to make resources stretch further, but often that conversation doesn’t include smart ways to secure these new tools that we’re using.
Right now, ransomware is our biggest threat that’s out there.
And just recently, we saw a report that came out that saw a 14 percent increase in ransomware attacks in the U.S., which consistently rides higher than the rest of the world, and the ransoms demanded are up 320 percent. And we’re seeing double extortion, where not only do you need to pay the ransom to get your data back, but you also need to pay for the privilege of not having that data posted on the dark web for anyone to buy or sell.
Even if you pay, there’s still no guarantee that that’s going to be the end of it and more often, it’s not. So the stakes are being ratcheted up.
We have assembled a panel that we are really proud of, to talk about some real-world stuff that’s happening today. And all our panelists today represent their own commercial interests, however they have graciously volunteered to provide some agnostic, practical advice and share their expertise with us.
So, let’s meet our panelists.
First you have Timur Kovalev. He is the CTO of Untangle and as you can see here has a deep well of expertise to share with our audience today.
We have Erich Kron. He is a security awareness advocate for KnowBe4, and his area of expertise is all about user training and helping your employees understand that security is a daily practice.
We also have Greg Murphy, and he is Ordr’s CEO and as a security expert, again, with decades of experience.
They can really speak to what we’re seeing today. So, hi, all of you. Thank you for joining us.
How Confident Are You That You’re Prepared for An Attack?
Again, as I said, we have divided this into 15 common mistakes, but before we get into that, and before I let our panelists loose, I would like to get a feel for where our audience is.
We have a poll question, and I’m going to launch that right now to come up on your screen.
How confident are you sitting here right now today that your organization is prepared for an attack?
You’ve got “very, bring it.” That is our very confident crew. Then there’s the, “Man, I don’t really know, I’m almost nervous that I don’t know what I need to know.” And there’s not so confident.
So, if you guys just can take a minute to log your answers.
OK, so 57 percent of you aren’t confident, 29 percent medium-confident and 14 percent of you are rock stars. They’re ready.
So, with that in mind, let’s kick off out 15 common SMB security mistakes. We sat down with our panel, and we’re able to hammer out these 15. This, of course, is not comprehensive. This is just based on where we are today and what they’re seeing. I can hand it over to Greg, Greg, can you kick us off with number one, businesses think they’re too small to be a target.
Mistake #1: Think They’re Too Small to be a Target
Greg Murphy: So there are definitely people that are out there that are targeting small businesses like ours.
I think that when you think about the threat landscape, it’s true that a small business, an SMB, with less than a thousand employees, probably not at the top of the target list for nation-state actors.
But if you look at who’s out there right now, there are an awful lot of criminals who are looking to get money, get data, get information for their own nefarious purposes. And that’s who we see targeting the SMB. So, I don’t imagine there’s someone overseas sitting there targeting most small businesses with a few hundred employees.
But, if you look at the data that the sheer volume of attacks is probably greater on large businesses than they are on small businesses, but if you look at the data, I think it’s also much more likely that attacks on small businesses go undetected and unreported.
So, I think that there is you look at something like SolarWinds, an attack on some of the largest and best protected entities in the world that went undetected for 6 or 9 months. Yeah, think about attacks on an SMB who’s with one guy named Jim, you, who is struggling to do all of the work of the entire security organization.
The odds that they are going to be able to detect these attacks and breaches, with the same level of precision as the large organizations.
I think the other fact of the matter is, because SMB organizations have limited resources, those breaches are more likely to lead to data disclosures.
Less than 10 percent of the of the attacks are the breaches lead to data disclosure. But in the SMB space is more like 50 percent. So while there may not be as many actors out there targeting you, as an SMB, as our targeting large public entities know the odds that when they get in, that you’re going to know about it or probably less.
And the odds that it’s going to lead to a data disclosure is substantially greater. So I think if I’m an SMB no, I don’t want to take comfort and have my security strategy based on the idea that I’m too small to be at the target. I want to make sure that I’m taking and putting in place appropriate defenses for the types of act against the types of actors were likely going to be targeting my business, which is probably those malicious criminals.
BB: Right, OK. Timur, what do you think about that?
Timur Kovalev: I completely agree.
When we look at the players that are actually executing some of these malicious attacks across the world, we can think about it and several groups, right?
We have obviously, the nation-state actor, which for a typical SMB would be kinda hard to protect against. Especially now as some evidence suggests that there were more than a thousand developers that contributed to the SolarWinds attack and so forth. And, I think that that might be something that’s not in the context of a typical SMB IT admin.
But then you also have groups that are teenagers that are hacking around from Mom’s basement, right? You have those guys. You have legitimate criminal enterprises that are in a for-profit, that have balance sheets that have accountants that are actually doing things for profit and for their own revenue.
And so when you look at the tools that are available to these organizations, if you look at the black market, and if you look at some of the things that are happening on the internet, you can actually buy toolkits for exploitation. You can buy toolkits that will allow some of these attacks to happen.
And from the perspective of a malicious actor, the idea is not necessarily to target a specific business and to get their data. It’s kinda like fishing. You know, the larger net you cast, the more fish you’re going to catch. And so, while somebody might not be targeting your business individually, somebody might be targeting business, as in the context of an entire wide net that they’re sending out there.
And so, being aware of the fact that it’s not about you, it’s ultimately about the goals that these guys are after. And that’s important to understand and be able to prepare for that.
Mistake #2: No Business Risk Evaluation
BB: And Erich, since you spend a lot of time talking to businesses, essentially about their feelings about security. I want to have you address, what is the general stance that you see within small- to medium-sized business? What are their feelings about cybersecurity, and how does that manifest itself?
Erich Kron: Yeah, so a lot of the people that I talk to are like, “we’re too small, Nobody’s going to target us. I don’t have anything that anyone wants, OK?”
And where that may have made sense 10 years ago, things like ransomware have changed that game, right? It doesn’t matter who wants your data, you want your data, right. So, ransomware has really changed that.
That’s why we see SMBs being targeted so much with ransomware. And I’ve actually talked to my chiropractor about this. He’s like, if the nation-states are out there, and if they can get SolarWinds, and they can get these guys, I don’t stand a chance. So why bother trying?
And that’s an unfortunate mentality to have towards that, because they’re probably not being targeted by nation-states. But I do hear that in a lot of different contexts, where they’re thinking, I don’t even know that we have a chance here. And I see that far too often.
The idea is that incremental improvements make you that much harder to breach, and might be enough to make your average attacker move on to somebody that’s a softer target, perhaps.
Mistake #3: Haven’t Made an Asset Inventory Assessment
BB: OK, number two, you haven’t made a thorough asset inventory assessment. What do you think about that, Greg? Where do we start with that?
GM: This is one of my favorites because I when I meet anyone who’s a security practitioner the first question that I’ll always ask them is just, how confident are you that you know what’s connected to your network?
And I have never once had a security practitioner come back to me, and say, you know what, I am absolutely confident. I know exactly what’s on my network. Whatever asset inventory you’ve got is probably wrong.
The most common asset inventory is an Excel spreadsheet of some kind, and it was most likely updated, six months ago, when there was an intern that they could send around to go look and see what was connected on the network.
So the idea that an asset inventory exists, it may not be true in the SMB, but it is almost certainly not up to date.
I think that the really smart thing to do is to find ways to automate that process. You can’t rely on an annual inventory to be accurate and those manual inventories, if anything, may just be about your asset tags. Do I see a workstation? Do I see inventory or a device where I expect to see it? It doesn’t really get into what software is running. Is that the device up-to-date? So important.
So getting some form of automated asset-inventory solution is really critical for an organization of any size. This is a huge, not just a blind spot that organizations have, I think it’s more of a black hole.
Literally, when we go into organizations, you find 40 percent or more of the devices connected to your network are not sitting in their asset inventory. And that just means if you don’t see it, if you don’t know what’s there, by definition, you don’t have a security strategy to protect that.
You’ve got to start with knowing what’s connected in your environment. And I’d also point out that this is not just a security concern. This is actually just having a cost-business fundamentals conversation.
I was talking with a small hospital recently. They were leasing the medical equipment and medical devices, and they were paying for literally hundreds of devices. They had a lease on something that was nowhere in their environment. So they’re paying a bill every month for assets that they don’t have.
It’s about making sure that everything that you’ve got is in that asset inventory, but also making sure that all of those things that you’ve bought are actually on your network and connected, because, otherwise, you’re just throwing good money after bad.
So for me, from business-operations perspective, from a security perspective, you’ve got to start with an asset inventory, and you gotta get out of the mode of human beings going around to do manual inventories and updating spreadsheets. In today’s world, that’s just not sustainable, and it’s not gonna give you the type of information you need in a world that changes this fast.
BB: Are you seeing that, Erich?
EK: They’re usually pretty far off. You know, “oh, that smart TV in the conference room.”
The other thing is, do they know what it actually does? I came into a job where there was a gap between me and the security manager before, of about a week, and I get there, and there’s a machine that was literally labeled “I don’t know what this does. But when we turn it off, the programmers can’t get to the internet.”
So they knew it existed and that it killed their internet, right? And there’s things like that, that are floating out there, that are legacy, they’ve been around for a while, but they don’t know what it does.
BB: What about you Timur? What are you seeing as far as asset inventories and how they exist in the universe?
TK: Yeah, well, I certainly agree with trying to put some level of automation around that, just because it solves the problem of keeping it up-to-date and as it can be. However, there are also some free tools, or some fairly cheap tools, that will allow you to do that as well.
So, it depends how automated you want it to be versus how much simpler you want it to be, compared to an intern collecting inventory across the organization, right?
But I think one of the challenges, and, and this is probably something that a small- to medium-sized businesses needs to consider, is that a lot of times, when you’re doing your digital asset inventory, it’s not just about the things that you have in your office. It’s not just about the PCs that your users are using. You must think about it more holistically and say, well, do I have a website and where does that reside?
Mistake #4: Insecure Digital Assets
TK: Well, that website may not live on premise, right, but it might be exposing additional data through other means. I think one of the ways to start approaching the problem is to figure out all the digital assets that you pay for.
So, if you, if you are paying for web hosting, well, that’s probably digital assets behind that.
If you’re paying for a laptop while you are aware that there’s a laptop that’s floating around, if you have cloud infrastructure, and you have stuff S3 buckets, then you are aware of the fact that there’s potential exposure there and starting from from that perspective.
And being able to say, “this is where I allocate my resources on a monthly basis” and be able to identify with them that where breaches may occur.
You may find out that that you have vulnerabilities that exist outside of your organization. You know, I’m using a third-party cloud service to do X, Y and Z .Well, what’s going to happen to your business if that cloud service goes down, or gets infiltrated and data gets exfiltration from that cloud service? And then it starts building up a fuller picture of what your risk exposure.
Mistake #5: No Network Segmentation
BB: Understood, OK. We’re gonna go to Network Segmentation, and Greg, pretty much most of what we discussed, for you, seems to come back to this idea of smart network segmentation. So, can you talk to us about what that is, why it’s important, and where to start?
If you look at almost any kind of security framework, security program, it’s just foundational. You need to put in place, some form of segmentation, and this is really critical to make sure that when something happens, it does not spread and propagate laterally across your entire organization. That’s so, you don’t have a breach and with one set of devices are in one area of your business, then it propagates across and takes down your entire business operation.
So this is the very most basic form of hygiene that you need to have. The analogy that I always use is, if you’re a zookeeper, the thing that you want to do is you want to make sure that all of the animals are in their proper cages. You don’t want to put one big cage with your lions and your gazelles, you know?
What would happen if you took all of the devices, all of the assets on your network, and put them in one big, flat network, into said, OK, let’s hope that none of those devices get breached. Let’s hope that no one finds their way in through a security camera, and then can find their way to my financial systems, and into other assets.
Fundamentally, I think everybody understands that this is a practice that you need to put in place, but it’s also one that we rarely see implemented effectively, especially in SMBs.
I was recently at a place where they had a candy machine, a candy-vending machine that was network-connected to the wonderful world of the internet of things (IoT). And it was on exactly the same network as a multimillion dollar robotic system. That it absolutely crazy from a from a security perspective. Or you find, “well we’ve got some executives in our organization and their Teslas are sitting on the corporate network, or their Peleton is just sitting on the corporate network.
That’s a problem. And the way you want to address that is to start to segment and making sure you’ve got, obviously, your guest network separated from your enterprise network, but then putting in place reasonable protections to ensure that you’ve got controls over which devices are able to communicate to which destinations on your network.
So the way to do this is not to try to wake up and say, you know what, we’re gonna just segment our entire network and all places tomorrow, that’s not realistic. It’s really taking a look and saying, “What are the most vulnerable devices on my network? I really want to make sure I’ve got those segmented off and protected.”
So, starting with a very practical assessment of, where do you think you’ve got the most risk, and then use your existing network infrastructure to put in basic segmentation policies.
And the great news is, most enterprises, most organizations, even SMBs, your infrastructure that you’ve got today will enable you to implement this type of segmentation. This is not high-end functionality that’s only available to the Fortune 500. This is the fundamental capability that’s available for almost any network firewall infrastructure that you have today.
BB: Excellent. Now, Timur, is your Tesla on the enterprise network? Is that what you’re working with over there?
TK: Sadly, no. I do not have a Tesla. But I completely agree with Greg. I think there are certain fundamental errors that are made, and sometimes the error is just considering the fact that you have that ability already provided to you by your service provider. It’s nothing extra that you need to pay for it. You just need to take the time to identify the resources. They need to be separated into their own buckets.
You’d be surprised how many times I see a guest Wi-Fi network that connects to the same network that all the other networks connect to. The idea of creating a VLAN specifically for the entities that you don’t trust, I think, is pretty straightforward.
I think there are best practices for segregating individuals who bring in devices onto the network from infrastructure components, like printers, like your servers that are hosted, sharing some data and so forth, from IoT devices; which are your thermostats, your Tesla, et cetera.
And I think just taking that step already incredibly reduces the amount of risk that you have if any one of those components gets breached, or has the ability.
BB: Erich, is that happening in the universe that you’re seeing?
EK: Yeah, Less often than I’d like to see. I mean, some things like WannaCry really opened our eyes to network segmentation across the U.K.’s National Health Service, as it just stormed through the entire network, and took out the NHS.
I mean, the other thing, I really like both of your answers, Greg, to your point, too. When you deploy network segmentation or you start segmenting networks, you also find stuff you had no idea was on there. How is that happening? Because, a lot of times, you’re gonna be basically tightening down where the traffic flows through and then you start to see that traffic.
Mistake #6: Not Understanding Basic Security Hygiene
BB: What about fundamentals? And I know this is a big universe of fundamentals, but, well, what are some of the ones that are more often overlooked in your experience?
GM: Oh, I’ll take that one. I think that you, as you can, you can probably tell from the cometary, I’m a back-to-basics kind of guy. And I think it’s amazing to how many security vendors are out there telling businesses and telling it to know what the SolarWinds never attacked never would have happened if you had only purchased our product, or this magic solution. And I think that, that, really, at the end of the day, especially for small businesses, is that core blocking and tackling that you need to get in place.
So, someone just asked me about fundamentals I would point to things, like, we talked about earlier, asset inventory, knowing what is connected in your environment, making sure that you’ve got a business-continuity plan.
If you say, “Alright, what would happen if we lost these particular assets at this application? How would we continue to run the business? How would we respond to that?”
And you better have backups in place.
I’m sure we’ll talk about security training given how most organizations are breached. If you haven’t educated your employees about how to recognize phishing attacks, then you haven’t even done the very, most basic things. I would add things like privileged-access policy and then having a segmentation strategy.
Those, those, to me, are the fundamentals that any security organization, any SMB should have in place, and these don’t need to be things that take you weeks, months, to implement.
I think moving from a base state to a reasonable stance is something that most organizations can do within days or weeks. And in a lot of these cases that’s where I would put my energy.
BB: Yeah, OK. What are some of your your fundamentals that you see being ignored too often?
EK: A lot of what Greg said, I also want to tack onto that though.
Access control. So people need to have right the permissions, or at least privilege. You know that idea where everybody is suddenly an admin on everything, that’s a problem. Come on. It’s 2021 now.
There isn’t an operating system we have these days that doesn’t support escalated privileges if you need to. So that’s a key one there, and then we mentioned the user side.
I’m sure we’ll talk more about this, but things like passwords and password re-use, we need to teach people why it matters.
You know, I have a meme that I’ve put up on a lot of my slides, it’s the knight, all decked out in armor, and it represents a multi-million dollar security budget, and then the next frame is an arrow right through the slit, and it says, “password re-used.” And it just sums it up so well that these are basics. We tell people not to re-use passwords. We don’t tell them why, necessarily. And so, it continues to happen, then it continues to be a problem.
BB: Timur, what about you do? Is there anything you want to add to that?
Mistake #7: No Business Risk Evaluation
TK: I really agree with everything that’s been said. And I think that leads us to the next point about the business risk evaluation and why some of these things are not being really scrutinize the way that they should be. I think a lot of times when you talk to SMBs and talk about their cybersecurity budget, they view it as an operational expense.
They say, either dedicate X amount of dollars, to make sure that I’m secure, but not really looking at it from the flip side. That is to say, how much would you pay the day after a breach occurred? How much would you pay after the data gets traded after somebody stole your customer records, or anything like that happened in your infrastructure?
And I think that’s where the fundamentals really come in. Because I think some of the smaller steps that you can take that actually don’t cost very much and will reduce that risk greatly. And I think it’s important to understand that those fundamentals are not something that only IT people should be aware of, but everybody in the organization should be aware of what the risk exposure would be.
Mistake #8: Know What ‘Normal’ Looks Like
Alright. Now, we’re going to talk about what normal looks like, which is more important than many people might think.
Erich, why don’t you talk to us about why that is important, and why we need to know what’s normal?
EK: For so many things we need to have a baseline and we don’t measure a lot.
A lot of organizations, especially small and medium businesses, they don’t necessarily understand what normal looks like, as far as everything from CPU usage, to network usage and things like that.
And so when something happens, let’s say somebody gets into a system, and they using a ton of data, they don’t notice that all of a sudden, 750 gigs have left this network, and they just don’t see that kind of thing.
So, I’m a big proponent of understanding basics, and not even to the point of all the software, like user behavior analytics, and things like that in a small, medium business. But understanding when something seems odd or out of place, or performance drops significantly on some boxes.
You know, maybe they’re doing some ransomware stuff, maybe you’ve got a crypto-jacker that’s on all of your 40 core servers out there, all of a sudden. If you don’t know what it looks like normally, you don’t see those.
BB: So, what are some of the things you should be monitoring on the regular to get that sense of what baseline is?
EK: To me, I always look at the network in and out traffic, and how that’s doing. What’s typical? What’s normal? You know, it doesn’t always mean that a spike is abnormal. Maybe somebody who’s streaming Netflix, who knows, you know?
But it does raise an alert that hey, maybe we should go look at this, or, you know, is that OK? So that’s a key one there.
CPU processes, on machines, it’s something that we don’t always monitor all that much. But when ransomware starts kicking off and a machine starts encrypting all these files all over there, it’s working a little harder than it was before.
And likewise, if things start working in the middle of the night, you start getting CPU spikes or data spikes in the middle of the night when nobody’s at the office, that should raise some red flags to you.
TK: Now, this is actually a pretty complex topic. Whenever I’ve interviewed someone for an IT admin position, one of the questions I ask is, “How would you know that the system is infected?”
And the answer to that as a lot more complicated than meets the eye. And that’s why there are enterprise grade services that provide that type of monitoring, assessment of what’s normal, what’s not normal.
And the problem with that is that the that assessment may change, right? Your workloads may change in your organization and so forth. And so, what was normal today, may not be the same tomorrow. And it’s a major issue.
I think, you know, when you’re talking about infrastructure that exposes you to the outside world, and obviously like web servers and things like that, then understanding your logs is very important. And having a way to not look through the logs line by line but be able to have a tool that is able to aggregate that information for you and give you a snapshot of what’s happening, and you’re able to correlate that to what that snapshot looked like yesterday, I think things of that nature certainly help.
But I think part of that is user awareness, right? When you are talking about CPU utilization at night, when you’re talking about unknown processes running on boxes, when you’re talking about bandwidth consumption changing, I think these are all the things that it’s very hard to have one tool, especially for an SMB that has limited budget constraints, to be able to deploy across the infrastructure.
And so, you must make users aware of the fact, hey, if your computer is running slow, it may not be because it’s getting old. It may be because there’s something else going on. Raising that level of awareness and making sure that everybody in organization that’s conscious of these changes and was able to escalate them appropriately is very important.
BB: Do you see that Greg, from where you are?
GM: Yeah. I do, and I think it would it really point to the need to have some form of monitoring solution that’s in place so that you can see this and visualize this data.
I think one of the things, as they more as you get more and more different types of connected devices and connected assets, it’s impossible for a human being to carry in their brain. What does normal look like from even a year ago?
I found my first my IoT-enabled toilet paper dispenser. I hesitate to think what normal usage of that would look like. But now you have to think about that.
And I think one of the things is for an SMB is to look for some tools that really help visualize that. So you can say, “Hey, I’ve got a device, it’s on my financial network, and it is communicating. Or, I’ve got an elevator that’s communicating with your financial systems and that doesn’t make much sense to me. Let me go investigate that. So you don’t want human beings have to parse through all the logs.
Having visualization tools to alert you if you’ve got a device that’s trying to communicate with a server in the Ukraine, does that sound right to you? If not, maybe you should go investigate that.
Mistake #9: Two-Factor Authentication
BB: All right. two factor authentication (2FA). Let’s revisit it. Erich, why do we need it?
EK: Because of that credential re-use thing. And I’m still reeling over Greg’s idea of the IoT toilet paper dispenser. And it’s going to my mind here in my home. I’ve got three teenagers, and how, if I could limit how much they used at a time, that would change my entire financial dynamics.
But besides that, here’s the thing about two-factor, we cannot rely on that to be the silver bullet. It doesn’t stop everything; it can be hacked. It can be worked around. But it makes you a lot better than somebody who doesn’t have it in place.
And to go back to the not-so-kind analogy but, I don’t have to outrun the bear. I only need to outrun the person next to me. If you make it tougher for them to get to you, they may move on to someone else.
So the problem, again, is with password re-use, or people getting suckered out of giving up their credentials in a phishing email that looks like a fake Google login or Microsoft login. So they give up those credentials, and now the attackers have those, and they do credential stuffing across Amazon and everybody else that they think you may have re-used your password.
Well at least with the multifactor, you’re going to get that text message or you’re going to get something like that, that’s going to keep them from logging in once they’ve given up your credentials.
And it can be an early warning thing, if you get a text message from your bank going, hey, here’s your code, and you didn’t try to login. You may want to login to your bank and see what’s going on and maybe change your password.
BB: It’s almost becoming mandatory in a lot of instances, it’s almost to the point where it’s becoming standard.
GM: Implementing two factor authentication is also a really good educational tool because it forces employees to stop and think about security on a fairly regular basis, which is something that most of us don’t do.
On a day-in, day-out basis, I think there are all the reasons that you should have two factor authentication, but I think just employee awareness helps drive that as well.
And the solution to all the complaints about that is password protectors. Is that what we’re telling, end users Timur?
TK: Well, we’ve been saying this for a long time, but, I will re-iterate that I think the password is ultimately on the way out. I think we will see the day when password is no longer the thing that logs you into a system.
You know, there’s something about the two-factor authentication is that, while it is becoming more prevalent, and there are more financial institutions that are requiring it, there are actually a lot of tools that habit and have had it for a long time.
But they’re not requiring it, right? So, like, if you use G Suite, you can enable two factor authentication to log into Google. But how many businesses don’t? You can enable two-factor authentication to log into Salesforce. But how many businesses don’t. And I think it all stems from the fact that they’ve never done that sort of initial analysis.
What would it mean if Jerry the sales guy’s credentials to Salesforce were compromised, and somebody else were able to get access to the customer base, the customer accounts? What does that mean for the business? What does that mean for the continuity of the business?
And I think once you start considering that, clicking that checkbox becomes a no-brainer. Right?
But I think, because the businesses do not initially go through that step, they miss that as an opportunity.
Mistake #8: Misunderstanding Cloud Security
BB: Let’s talk cloud servers, because I covered this pretty regularly where, oops, the S3 bucket didn’t have a password.
What are we looking for? Where do we need to start? And where are the possible vulnerabilities there?
EK: Yeah, so in my mind, the term S3 bucket and data breach kinda go hand in hand, right? We, unfortunately, have seen that so often. And a lot of that is about a misunderstanding, especially when you’re just moving to the cloud. Or, you’re a smaller organization, and you’ve heard, the cloud is secure. What they don’t realize all the time is that, while the cloud provider takes care of their infrastructure in the back end, the data you put out there securing that is up to you. It’s not up to them.
And applications are one thing. But especially when you’re storing data, or you’re doing your own app, in a cloud environment, you cannot rely on the cloud provider to be the security provider also. And I think that’s where a lot of confusion comes in on the SMB side.
TK: I think it’s funny that the world has evolved. Before, it was like, oh I don’t want to move things to the cloud because it’s more secure to do this. Now they’re moving to the cloud and assuming Amazon is going to take care of security for me.
Fundamentally, securing your data is your job. No one’s going to do that for you.
BB: And there are regulatory and liability concerns too. Can you talk about the exposure the business has when they’re flinging this stuff around unprotected?
GM: Well, I think, like Erich pointed out, I think there’s a little bit of a misconception in terms of, well, if I take it off-premise to the cloud, that means that somebody else’s responsibility. When, in fact, it does not.
And I feel like the same protections that you would set up for the on-premise infrastructure, you should really take care to set up for the cloud infrastructure, as well. If somebody, hacks your website, which is running an Amazon, or whatever, and gets access to the customer base that you have in their customer information, what does that mean, and what protections are you taking?
To prevent that, you might have a firewall in your office, but do you have a web application firewall for your cloud deployments? Do you understand how the access to those resources as controlled? And who has access to those resources? A lot of times, we deploy internal resources in the cloud, but we don’t configure it to be internal only. And so, you see those types of misconfigurations all the time.
And I’m a huge fan of what Amazon has done with Amazon Web Services over the years, but I’m not sure if they have been working on a user interfaces — they’re not entirely intuitive. They’re not very easy to set up, and you need certifications and expertise in order to be able to do some of the things in there that are fairly basic from an on-premise perspective. And so, I think it’s important not to overlook that when you’re conducting the assessment of your digital assets. And is Amazon in a position to help you at all and walk you through that interface?
BB: I mean, is there support available for undereducated users?
GM: They do, they have to have quite a bit of documentation.
It’s, it’s a little bit fragmented, and a lot of times when you’re looking for, like configuration for load balancers and being able to configure web applications and what type of rules are going to be executed. And I think it’s a process. And for SMBs, a lot of times, it’s not being valued as the critical path components in the process.
But it really should be understood.
Mistake #10: Lack of Security Training
BB: Erich, now we really need to talk about security training, and I’ve read research in several spots that says, really bang for your buck-wise, your spending on security user training is a great return on your investment. So maybe you could talk about why it’s important and what you’re seeing.
EK: I agree 100 percent. And one of the things that’s amiss about the thought about this training is people assume it’s very expensive when, in fact, it’s very inexpensive.
And as technical people, we a lot of times focused on technical controls, it’s where we’re comfortable. I’d love to be in a in a data center with fans whirring all around and no humans around. That is my happy place, right? But as security pros, we have to deal with the human part because that’s what’s really driving a lot of these breaches.
I mean, we just see that over, and over again. And the other thing to think about is the user is, typically, the part where we go from proactive controls to reactive controls. So that email gets through all the proactive stuff, it gets to their desktop. If they click that link, or launch that document, or whatever, now we’re having to react to it, and we don’t want to be on the other side of that. So it’s a very pivotal part of it comes to that.
People misunderstand though; you can’t just train somebody in January for an hour of PowerPoint to go, OK, you’re cool till next year.
We have to break it down into smaller things that are relevant to them. Like right now, I’m telling people, it’s tax season. This is a great time to put tax stuff out to people to go, hey, keep an eye on these scams, because they’re going after your tax information.
And as they learn that, they’re also learning how to defend for the organization, as well. So you break it up across there, You cover these things like phishing. You cover these things like passwords, you cover the basic hygiene parts of security. And I think we just don’t give it enough.
BB: SMBs, specifically tend to not understand how important it is. and the training tends to land with a bit of an eye roll, right? I mean, that’s probably too flippant, but they’re not taking it as seriously as the threat really is.
EK: And that’s a messaging problem.
When we talk to people, and we’re going, “Hey, there’s going to be training.” We can’t be the guys that are up there, like, “Here’s the annual training, everyone.” We can’t do that. We have to show this is really important. Scams are getting bad, people are losing money, it can hit you at home, we’re going to help you protect yourself, and we need to put that in a different mindset for them with a messaging so that they take it more seriously.
That’s honestly our fault, and a lot of ways.
BB: Now, Greg, you’re a CEO. What, what kind of training do your employees get, and what’s your philosophy in your organization about it?
GM: It’s something that we have have implemented, and I’m very conscious of it, because I find sometimes as a cybersecurity organization, sometimes there’s the arrogance that says, we know everything, we’re professionals. Why should we possibly need to go through this type of training?
And fundamentally, it’s making sure that people are aware across the entire organization and thinking about this on a day-in, day-out basis. And to me, it is that messaging from the top.
If as a security organization we suffer a breach, there’s reputational damage that would harm us and our ability to sell our solution to make a living. So, this is something that’s part and parcel of who we are as an organization.
That’s why we brought in a chief security officer, to help drive that awareness and messaging across the organization.
BB: And Timur, we know that it is the highest-privilege users. It is usually the highest ranking members of companies that can often be the weakest links to the highest-value targets. And so, how do you drive that toward leadership? And if you’re an IT person sitting in the middle, how do you manage that messaging up?
TK: Well, to Greg’s point, we’re also a cybersecurity company, and I think the idea of having a security incident, and for us as a major reputation issue, and everybody in the company needs to be concerned with that.
We do a number of things, so, we have IT send out emails that look like they’re coming from people that they’re not actually from. We send out links, saying “your password has been reset, login here.”
The page looks like a login system that the customer would normally use, or the employee would normally use, and things of that nature. But, I think to your comment, one of the issues that I have seen in small- to medium-sized businesses, is that idea that well, the CEO and the CFO, they’re going to get targeted.
Right, of course, but, me, I work in support. Nobody cares about what I got.
But I think if you would do a proper assessment of employees, types of systems they have access to and what type of access they have, you’ll find out that support person getting infiltrated in any way is actually substantially impactful to the business and should not be overlooked. And, same goes for interns. A finance intern has access to the accounting drive; well that’s a major issue.
And so, it’s important that everybody from top to bottom understands what impact infiltration of their credentials or infiltration of their identity on the network will have the entire company.
Mistake #11: Don’t Understand The Supply-Chain Threat
BB: OK, now, let’s talk about the supply chain. With the SolarWinds supply-chain breach in the headlines, everybody’s looking at their supply chains and looking for where attacks are coming from.
But, in our discussions, we talked about how often businesses don’t look at their own role in the supply chain. Maybe we can talk a little bit about that. Timur, would you kick us off?
TK: Sure, I can take that. We’ve been hearing more about supply-chain attacks recently, but they’re not that recent of a development. I think they’ve been around for quite some time.
In 2013, Target’s point-of-sale system was compromised and as a result, a lot of customer information was stolen.
I think in 2015 the version of X-code, which is a development tool for macOS, was released with a a ghost version that not only had the infection of the tool itself, but it would affect any software that was built using the tool and subsequently propagate to a lot of customers.
Today, we build software differently than we did back in the nineties. Most software employs third-party packages, you’re actually taking code that somebody else wrote, and providing that implicit trust to the fact that that code is going to be secure.
And understanding that, if suddenly a JSON parsing library gets hacked, how that code impacts my software is very important.
But I think one of the things that we don’t look at when we consider a supply-chain attack is the fact that a lot of SMBs themselves are part of the supply chain for larger institutions.
For example, if we at Untangle do business with financial institutions, a malicious actor might be interested in something that our customers have, right?
So at that point, we become, essentially, moving pieces and that attacker can say, in order to get to the institution that you were working with, we’re going to infiltrate ourselves into your code base or into your own deployment process, et cetera.
And so, when you are evaluating that type of risk and that type of an attack, you should not just consider the inputs into your production, you should also consider your outputs, those inputs into somebody else’s production, and understand how the pie, there might be much bigger than what you have to offer.
BB: Understood. Erich, what do you think about that?
Erich: Yeah, I agree with what he’s saying. I’m gonna switch it real quick to the other thing that, that comes to my mind when we talk about this idea that you are a threat to other people.
And I’m gonna go back to email.
So if somebody gets into your email account, or, let’s say, Greg’s e-mail account as the CEO of an organization, they have access to their address book, and they can start sending stuff to other people who trust it because it came from him.
We see all kinds of business email compromise, fraud, invoice redirection, stuff like that, when they get into these organizations that you can help spread stuff just because at your contact list. I mean, it doesn’t really matter.
One of the worst virus outbreaks that I ever had to deal with early in my career actually came from one of our suppliers who used to email jokes to the president of the company.
And they got infected, sent something. He opened it because he’s used to seeing stuff from them, and I spent 26 hours rebuilding a mail server.
This is just what it is. But we don’t always think about just even something as simple as your email accounts and what they could do to other places.
BB: Greg, what do you think? Do you have anything to add on the supply chain topic?
GM: I think that one thing that I would observe is that SMBs are very often part of the supply chain, or larger organizations, and I, as someone running a business, I would also point that there’s going to be increasing regulation in this area.
We’ve already seen that happen if you’re in defense, your supply chain, the regulations are coming down, that you need to have basic cybersecurity controls put in place.
Whether you’re a large organization and are very small organization, Congress just passed regulation for those who want to sell devices into the government. And that regulation is going to start to trickle out into enterprise and those standards, security frameworks are going to be implemented by other organizations. So to me, this is one of those things. you’d better have an understanding about it because it could start to affect your revenue as an organization, if you don’t have the ability to sell to the people that you want to.
Mistake #12: No Business Continuity Plan
BB: Right, and on the revenue topic, the business continuity plan, I mean, Timur said it best, I think. What would you pay for your data the day after it was exfiltrated?
This is a big topic. And how do you start to sit down to figure out what your business continuity plan is, what does a good one look like?
TK: Sure. A while ago, the business-continuity plan, you know, really revolved around what’s going to happen at the key person leaves, or if you have a fire in your office. Our circumstances have changed. And so, we really need to assess what systems are actually critical for us to conduct our business, and how quickly will we be able to recover from this, those systems being gone?
And they can be gone for numerous reasons. They can be gone because there is a fire.
That could be gone because there’s a crypto locker infection that could be gone because there’s Amazon outage or something like that. And so, understanding how all that fits into your ability to do the day-to-day operations is extremely important. And I think that fits into a lot of the other things that we’ve been talking about.
And typically, the response that I hear about developing such a plan usually comes from having a contract with a larger company that asks you for the plan. When you say, wait a second, where do I find a template for this?
I think understanding where your vulnerabilities are, in that sense is very important, and so, I think there’s a component of understanding what digital assets are and so forth, but also understanding where your current implementations may fail.
Again, another example, as working with a company and talking to them about their IT infrastructure — do you guys do backups? Yes, we do. Backups are great. What does the backup go? It goes on the second drive on the system.
Oh, well, that’s great. So, as long as long as just one drive dies, you’re OK. But if there’s a fire, you’re in trouble. And so, understanding some of these criteria in terms of where the data’s stored and where the data should live, and where the data should go, is extremely important.
And I feel like a lot of people in the business continuity plan for financial issues or personnel issues but they’re not necessarily encompassing the infrastructure issues that may drive business to a halt.
BB: Greg, what do you think about that? What do you think a smart business continuity plan looks like?
GM: Know, it’s funny, because Timur, you mentioned the small organizations putting together the business continuity plans, often driven by outside parties. In California, we used to joke, it was the bus and earthquake pans. Like, what happens if the CEO is hit by a bus, which is never my favorite topic. And then there’s, like, what happens if there’s an earthquake? How are you going to keep operating your business?
And I’d say, you’re on both of those fronts, issues of cybersecurity are probably a lot more likely. Your business in 2021, a CEO getting hit by a bus, or, knock on wood, an earthquake, that takes out all of Silicon Valley, those, those are still important subjects.
But so is making sure that your business continuity plan is encompassing cybersecurity, and making sure that the security team has a place at that table, is absolutely essential for any organization today.
BB: And how do those conversations go, Eric? How do those sound?
EK: And in the small- to medium-sized business, those can be tough conversations, honestly, they’re time consuming.
I think they do take time to sit down and look at your continuity plan. And a business continuity plan is only as good as how often you run through those scenarios. You gotta test, right?
And so for a lot of organizations, they don’t really necessarily see the value in that. The environmental impacts need to be taking into account to, which sometimes they forget about their only thinking about technology.
I mean, from Texas, the south part of the U.S. has turned into a giant icicle for the last couple of weeks, right? It’s all been frozen tundra. And a lot of places are gonna be caught off guard with what to do when they don’t have power. Or, OK, great, I had an emergency generator that lasted me 14 hours and now what? I’ve had things impacted like getting shipments to me just from stuff that I’ve ordered in that time.
Organizations, they think it’s a lot of effort to put into this, and it is, but they don’t necessarily always see the value in putting that effort into things, and I think that’s a mistake.
BB: Understood. We are coming up at the top of the hour, and luckily, we’ve, covered a lot of these questions, luckily,
Mistake #13: Lack of Strategic Asset Allocation and Budgeting
BB: But I do want Timur to have an opportunity to talk about balancing asset allocation and budgeting against risk, and the right way to think about that inside the small to medium sized business.
TK: Right. And this is an interesting topic, because I wish I could tell you what the dollar amount is, to make yourself 100 percent vulnerability-proof. And the truth is, there is no such dollar amount.
And I think the key part here is that, you talked about looking at the cybersecurity budget as a top-down thing, as opposed to looking at it from what actually rescue protecting from more of an insurance perspective on that allocation.
But I think the, the thing that that should really resonate with our audience here, is that not all cybersecurity initiatives are expensive, and a lot of them are actually free.
And really, what, what the small to medium sized business owner needs to be aware of, is where these opportunities lie, and you can, have tons of layers. You can have an organization that manages and network, all this other stuff. But you could also just enable two factor authentications.
You could segment your network, do all these things that are cheap or free, and a lot of folks don’t do it because it’s complex to look at the business problems.
The ideas that it’s going to cost a lot of we start looking at that, and so forth, and that’s not a proper first step. I think you should look at your infrastructure.
You should realize where the risks are. And you should figure out what your cheap or free solutions are in order to mitigate those things, and you will be a long way ahead compared to a lot of organizations out there if you do that.
Mistakes # 14 & 15: Failing to Backup and Lax Patching
BB: I think that’s an excellent place to stop. And the last two points failing to backup and patching, we’ve covered under fundamentals. Automate it, do it, don’t forget.
So, if anybody has any other questions, we covered most of the questions in our presentation. If you have any follow ups at all, Timur, Eric, and Greg are willing to be resources, and we’re very grateful for that.
Here’s the way to contact them, please, also reach out to me. I’m always happy to help connect you or answer any questions you have.
And, again, thank you all for joining us today. I appreciate our panel.
A copy of the webinar will be sent to all the registrants e-mail addresses so you can refer back along with the handout that outlines our 15 common mistakes.
Again, thank you. And please check back to Threatpost for our ongoing coverage. And please tune in next month for our upcoming monthly webinar. Thank you all. Have a great day. We’ll talk soon.
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the SACUT community:
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)