Late last month, Sunnyvale, Ca.-based Juniper Networks Inc. announced the release of a comprehensive, nearly 900-page reference guide called Security Power Tools, co-authored by members of its Security Engineering team and guest experts. The guide reveals how to make optimum use of the most popular network security applications, utilities and tools for Windows, Linux and Mac OS X operating system environments. The authors also review (though not in areas where the company competes) the best security tools in the industry for both attack and defence. Here are five security strategy tips for SMBs from Avishai Avivi, director of the Juniper Networks Security Engineering and Research group and one of the authors of the guide:
One of the chapters in the guide that may be most helpful to the SMB is the one on host hardening. Host hardening is an important part of a security architecture, especially when it comes to Internet-enabled servers such as e-mail, Web or DNS servers. The point is that a security strategy should always consist of multiple tiers and multiple layers of solutions: on the outside, things like routers, firewalls and proxies and, on the inside, devices such as intrusion detection systems. “Just like its name suggests, the main function of host hardening is to harden the key servers within your environment. This takes place to ensure the confidentiality and integrity of your systems,” says Avivi. He says it’s critical for SMBs to make sure their applications are running in a kind of sandbox, or limited-privilege environment, so the right people have the right level of access to the applications.
During a security breach, the first thing a hacker will do is try to scan your network. A lot of companies setting up wireless access points believe that the wireless encryption protocol (WEP) has perfectly fine protection mechanisms, says Avivi. “Well, there’s a full chapter [in the guide] that tells you that’s not the case, and that WEP is pretty much open to someone who is determined enough to look at it.” The chapter also discusses products such as Metasploit, a common tool used by hackers, and explains how an organization can run the same tools hackers use in order to explore its own network’s strengths and weaknesses.
Unfortunately, there has been a surge lately in the number of attacks targeting lesser-known operating systems, including the Mac OS and various Unix and Linux flavours, according to Avivi. These attacks are much more of a concern for SMBs than they might have been a few years ago, when a system administrator who knew how to set up a mail system on Linux would have been considered very knowledgeable. “These days the operating systems have evolved to a point where you don’t need a whole lot of knowledge to set it up, and that’s actually more dangerous than for Windows-type set-ups,” says Avivi. In other words, some of the utilities cost nothing and install quickly, so SMBs are more likely to opt for them to save time and money.
More often than not, botnets, spyware and other threats today are targeting client machines more so than their actual organizations. As a result, an organization may have very good security – including a firewall and an intrusion detection device – but remain badly exposed. Users pack up their laptops and go home, then sit behind DSL routers, go out to the network and get seriously infected by worms and vicious malware. Then they bring it back into the perimeter of the organization. Such threats require a different type of thinking, Avivi explains. “There’s no such thing as a single point of defence. You really need to think in broad terms.”
When free is not free
Another threat that has become increasingly dangerous is the so-called public wireless network. Users seem to have a false sense of security about them, says Avivi, “so malicious users will set up a wireless access point, give it a name like ‘free wireless,’ and people use it because, hey, it’s free. But everything they send, including bank information – you name it – goes through a malicious user’s machine.”
Treat every “free” wireless network as a non-secure network and use only ones that you can verify are safe.