Published: 11 Feb 2009
Times are tough for the good guys, but a recession is always an opportunity for criminals. Threats to your sensitive data, your customers and your infrastructure are increasing dramatically, from compromised and malicious websites, to unhappy employees, to poorly controlled partners.
The good news is that you can tighten your security and tighten your belt at the same time. Quick-payoff strategies can help you stay on top of evolving security threats without neglecting your network infrastructure.
There are many clever ways to do this. We'll look at 10 steps you can take to improve your threat management posture that require minimal cost and manpower and give you a fast return on your investment.
1. Secure powered-down switches.
For a small effort, you can lock down unused network ports and at the same time save money by reducing your overall power consumption with switches (from Adtran and D-Link, for example) that power down ports when they're not in use. Your investment in this new equipment should pay for itself in a year or less.
Auto shut-off secures your unused ports by keeping stray PCs from joining your network at unexpected places, and it also helps physical security, especially in publicly accessible buildings such as hospitals and government offices. One distinction to keep in mind: a port that merely sleeps when idle will wake up when something is plugged into it, so for ports that should never be used you still want to disable them administratively in the switch configuration (or require 802.1X authentication before a port passes traffic).
2. Check out lower-cost endpoint security.
There are dozens of endpoint security appliances and agents that come with hefty price tags and long implementation lead times.
If you want some of the benefits without the hassle and cost, one approach is to buy TPM-enabled laptops and put the TPM to work: store the keys behind the fingerprint reader or the disk encryption inside the chip, where they cannot be read out or copied to another machine. The combination is a potent one because an attacker who steals the laptop or images the drive can't simply lift the credential and reuse it; the secret never leaves the TPM.
Also, consider an appliance from Napera or eEye Digital Security's Blink software. These are representative of a trend toward lower-cost endpoint security products that are drop-in solutions for Windows-only environments.
Napera looks like a network switch and works with a combination of agent-based software and firmware on the switch. You can enable protection on various ports and make sure that each PC that connects to these ports has updated anti-virus signatures and OS patches, and is malware-free, before it joins your network. It starts at $3,500 for a 24-port device, so this could be appealing for many small businesses. Or it could be deployed to protect public areas of your campus such as conference rooms and visitors' offices, where a lot of unknown laptops connect to your network.
Blink offers a lot of protection for less than $30 a seat per year, including personal firewall, anti-virus and host intrusion prevention modules that are all part of its single agent.
3. Get VPNs for free.
If you haven't implemented a VPN yet, now is the time to start. As your workforce becomes more mobile, there is more potential exposure to eavesdroppers at Wi-Fi hotspots and hotels. VPNs also come in handy when you want to extend a network share across the Internet securely, and have access to your files when you are on the road.
Certainly, you can spend tens of thousands of dollars on VPN technology. But if you just want some basic and simple protection there are plenty of low or no-cost software alternatives that can do the trick, as long as you have a broadband connection at your disposal. One open-source offering is available at OpenVPN.org; LogMeIn's Hamachi is another service that is free for personal use (otherwise it has a low monthly fee) and easy to set up. There is also a listing at FileShareFreak with some other offerings too.
The trick is making them universal for your staff to use, and providing support resources to guide the first-time VPN-ers through the process. The free VPNs could also serve as a stepping-stone to more capable products with heftier price tags and a way to justify their purchase later in the year.
4. Avoid the Cisco "tax".
With the New Year, it is time to look at your annual support bills from Cisco, which you pay to keep current with IOS versions and for maintenance response time. I call this the "Cisco tax," and you should see if it makes sense to buy either a replacement device that you can keep as a spare or else find another vendor that doesn't charge for upgrades to their firmware/router operating system software (Adtran is one that comes to mind). Again, this could be a very quick payoff, although it does involve spending some money to produce savings down the road.
5. Deploy (Almost) Effortless Encryption.
Certainly, encryption is one of those "nice to have, but hard to do" technologies that always seems to get on these lists. But, in recent years, a number of free or low-cost email and disk encryption tools have gotten better, so this could be the year to actually encrypt your removable disks and emails.
Two good places to start are the free open-source TrueCrypt and Voltage Security's low-cost but easy-to-implement Voltage Security Network service.
TrueCrypt has a disk encryption client for Mac, Linux and Windows machines. Though it lacks enterprise management tools, it's excellent for small companies, executives and workgroups. Voltage offers hosted email encryption that doesn't require any client installation and can work with Outlook and Webmail installations, all for about $65 per seat per year. Voltage handles all the administrative details, and the hosted service is quick and easy to implement.
And, of course, there is the long-time favorite from PGP, which is priced at less than $100 a seat, depending on what features you want to include. Voltage and PGP also take much of the pain out of key management, which is one of the real drawbacks of implementing enterprise encryption: handling keys when employees leave, or recovering data when someone forgets a passphrase.
You could also turn on BitLocker and FileVault, which are built into Windows and Mac OS, respectively. They provide extra protection without spending an extra dime, with two caveats: BitLocker ships only with the Enterprise and Ultimate editions of Vista, and FileVault currently encrypts just the user's home folder rather than the whole disk. Both are also hard to deploy across the enterprise; you definitely get what you pay for here.
6. Get to Know Your IDS.
You might think simply having an intrusion detection system is enough of an achievement, but it is time to get up close and personal with your IDS and do a better job of tuning it to your particular circumstances. This means adjusting its configuration, understanding its reports and logged activities, and doing some rudimentary analysis.
Granted, there is never enough time in the day, but if you are going to stay on top of the latest threats, you need to spend some more time with your IDS analysis to understand what it is telling you. If you are using Snort as your main IDS, check out Richard Bejtlich's podcast and check out forums on snort.org to gain more expertise.
Another option is to send one or two of your staff to get additional training in understanding your system's features and ways that you can tighten it up. While training budgets are the first to go in a recession, this is one investment that can provide quick paybacks, and provide additional threat protection with very little incremental effort.
7. Really Terminate ex-Employees.
We're talking about the waves of layoffs of all types of employees, not just in the IT department. As your company contracts, the biggest threats are from staff who have been on the inside and are now jobless. Studies have shown that an ex-employee can be a security nightmare. Never changed any of your passwords on key servers? Do you have the same master password for multiple machines? Now is the time to change that behavior.
You should also assess the other risks from newly terminated staff. Are your access control policies up to date? Did you disable all the security keys, passwords and access codes? Do you know whether your remote gateways are still being used by these people? Time to check access logs and make sure that the directory entries of the departed are removed as well.
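As an added illustration, not part of the original article, here is the kind of check those questions call for, in Python: a constructed remote-gateway log is compared against a roster of departure dates to flag any access after the departure, and the list of still-active directory accounts is compared against the same roster. The log format, names, dates and addresses are all made up for the example; a real gateway logs in its own format, so the parser is the part you would adapt.

```python
"""Cross-check remote-access logs and active accounts against departed staff (added example).

Everything below is constructed for illustration: the roster, the log line
format (ISO timestamp followed by key=value fields) and the entries themselves.
"""
from datetime import date, datetime

# Who left, and on what date. Any access after that date needs an explanation.
TERMINATED = {
    "bob": date(2009, 1, 15),
    "carol": date(2009, 1, 30),
}

# Constructed remote-gateway log (addresses are from documentation ranges).
ACCESS_LOG = """\
2009-01-14T08:02:11 user=bob src=203.0.113.7 result=success
2009-01-20T22:41:03 user=bob src=203.0.113.7 result=success
2009-01-21T09:15:40 user=alice src=198.51.100.4 result=success
2009-02-02T03:12:09 user=carol src=192.0.2.55 result=failure
2009-02-03T03:14:22 user=carol src=192.0.2.55 result=success
"""

# Accounts still present in the directory on the day of the review (constructed).
ACTIVE_ACCOUNTS = {"alice", "bob", "dave"}


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def post_termination_access(log_text: str, terminated: dict) -> list:
    """Return (user, timestamp, source, result) for every entry by a departed
    user dated after their departure. Failed attempts are kept too: someone
    still trying the door is worth knowing about."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        left = terminated.get(rec["user"])
        if left is not None and rec["ts"].date() > left:
            hits.append((rec["user"], rec["ts"], rec["src"], rec["result"]))
    return hits


def still_provisioned(active_accounts: set, terminated: dict) -> list:
    """Departed users whose directory accounts were never removed."""
    return sorted(active_accounts & set(terminated))


if __name__ == "__main__":
    for user, ts, src, result in post_termination_access(ACCESS_LOG, TERMINATED):
        days = (ts.date() - TERMINATED[user]).days
        print(f"{ts.isoformat()} {user} from {src}: {result} ({days} days after departure)")
    for user in still_provisioned(ACTIVE_ACCOUNTS, TERMINATED):
        print(f"account still active: {user}")
```

Run against the sample data, this flags bob's login five days after he left, both of carol's attempts after her departure, and bob's account as still provisioned. The point of keeping failed attempts is that a departed user who is still probing the gateway tells you something about intent even when the door held.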
8. Get Rid of SQL Injection Once and for All.
It is amazing that an exploit so long in the tooth can continue to affect, even destroy, so many servers. SQL injection is essentially a back door into your databases through Web pages that pass user input straight into database queries. An attacker needs little skill and no real programming knowledge to pull it off. Why is this still a source of pain?
One reason is that really eliminating SQL injection requires the cooperation of several different departments, working together to make sure that the vulnerabilities aren't ignored. Another reason is that vulnerable sites are easy to find, especially since a couple of quick Google searches with a few keywords can often uncover problems without a hacker having to even enter your network with any probes. (Check out this good quick tutorial on protecting yourself from Google hacking.)
So, let's try to stamp this out forever this year; take the time to really go through your applications so that your site doesn't end up on someone's list next fall. Do an audit, hire a specialist consulting firm, or get educated on how to fix your database/Web server programming to prevent what is still an unfortunately common exploit. Go to OWASP.org for plenty of tips on how to set up your database access properly and to understand exactly why and how you are vulnerable.
If you want something more potent, you can download a free version of Acunetix's Web Vulnerability Scanner and various free trials of HP's assessment tools such as WebInspect.
Of course, just because you downloaded the free scanner and didn't find anything at first doesn't mean you are protected for all eternity, but at least you can get a start on how to use these tools and understand how you are vulnerable. The trick is to scan regularly, so that no new holes creep in as the applications change.
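Here is the core of the problem and the fix side by side, as an added example that is not part of the original article. It uses Python's built-in sqlite3 module so it runs offline; the table, the single user row and the injected input are constructed for illustration, and the same pattern (bound parameters instead of string-built SQL) applies to any database driver.

```python
"""Vulnerable vs. parameterized lookups, side by side (added example).

Constructed for illustration: an in-memory SQLite database with one user row.
Passwords are stored in the clear here only to keep the demo short; real
applications store password hashes.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database so both lookups can be exercised offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: user input is spliced into the SQL text.

    A quote in the input ends the string literal early and the rest of the
    input becomes SQL, which is exactly what lets a stranger log in as anyone.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same lookup with bound parameters.

    The SQL text is fixed; the driver passes the values separately, so quotes,
    comment markers and keywords in the input are only ever treated as data.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# A classic payload: close the quote, make the WHERE clause always true,
# and comment out the rest of the query (-- starts a comment in SQL).
INJECTED_USERNAME = "' OR '1'='1' --"


def demo() -> dict:
    """Run both lookups with a legitimate login and with the injected username."""
    conn = make_db()
    good = ("alice", "correct horse battery staple")
    return {
        "vulnerable_legit": login_vulnerable(conn, *good),
        "safe_legit": login_safe(conn, *good),
        "vulnerable_injected": login_vulnerable(conn, INJECTED_USERNAME, "anything"),
        "safe_injected": login_safe(conn, INJECTED_USERNAME, "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} login {'succeeded' if ok else 'refused'}")
```

The vulnerable version accepts the injected username with any password, because the query it ends up running is `... WHERE username = '' OR '1'='1' --' AND ...`, where everything after the comment marker is ignored. The safe version refuses it, since the whole payload is compared as a literal username. The placeholder syntax varies by driver (`?`, `%s`, `:name`), but the rule is the same everywhere: never build the SQL text from user input. Note that parameters cannot substitute for table or column names; if those must be dynamic, check them against a fixed allowlist instead.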
9. Stop Data Leaks.
One data breach lawsuit can ruin your whole day. As more data traverses the Internet, it makes sense to look at lower-cost tools that can stop data leaks or at least be more proactive about them. Code Green Networks and eTelemetry Metron SE are examples of monitoring products that can be easily deployed and don't cost as much as some of the alternatives. They can also scale up to some fairly large installations.
Granted, this is spending probably more dough than you want to -- we are talking five- or six-figure purchases here -- but, still, if you have tried some of the other lower-cost steps we recommend this might be a smart place to make a moderate investment.
10. Pay your own people to find innovative solutions.
This is so simple and easy to implement that you will wonder why you didn't think of it. Set up a reward system to foster out-of-the-box thinking and ways to tune your security posture by having your own staff make and then benefit from their suggestions. You can avoid hiring consultants and increase morale at the same time. Your own people are the real experts when it comes to understanding the major weaknesses of your systems. The more you can encourage them to come forth, the better for everyone around.
David Strom is an expert on Internet and networking technologies who was the former editor-in-chief at Network Computing, Tom's Hardware.com, and DigitalLanding.com. He currently writes regularly for PC World, Baseline Magazine, and the New York Times and is also a professional speaker, podcaster and blogs at strominator.com and WebInformant.tv.