Even in the wake of highly publicized security breaches at the likes of Target, Sony and Adobe, many well-heeled organizations fail to address some of the most common issues that leave them in the cross-hairs of nefarious actors – and it’s not just the big guys that they are targeting.
Many small-to-medium sized businesses (SMB) believe they don’t need to pay much attention to security simply because they don’t believe they will be targeted when there are so many other more profitable targets for hackers to go after.
Unfortunately, most SMBs have fewer resources to invest in security, making them extremely attractive to attackers. According to Symantec, attacks on small businesses rose 300 percent in 2012. Small businesses commonly rely on anti-virus software and firewalls, but these security controls, while useful, are not enough because they do not detect unpatched systems that are frequently targeted by attackers.
The good news is that you don’t have to be an IT expert or have a more robust security program to protect your investment. A few simple steps and some powerful free tools can make your network much more secure.
First up, there is Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to for up to 100 devices (IPs) four times a month. This tool makes vulnerability management – a widely recognized security best practice among large corporations – easily accessible to SMBs that do not have the resources for enterprise-grade security technology.
SecureScan is a simple yet powerful vulnerability management solution that requires no hardware or software to be installed or managed. Organizations of any size can use the free service to discover detailed information about networked devices and find vulnerabilities in hardware and software applications that are commonly used in attacks, and provides users with prioritized, in-depth information on how to fix these security weaknesses.
Tripwire SecureScan uses the same proven enterprise-class vulnerability scanning platform behind Tripwire’s award-winning vulnerability products, Tripwire IP360 and PureCloud Enterprise. These products protect many of the largest, most sensitive networks in the world. Here’s how SecureScan stacks up against other similar offerings:
You can also take advantage of another free tool we offer called SecureCheq™, a lightweight, easy to use, free configuration utility that helps evaluate and repair the most common, critical configuration vulnerabilities in Microsoft Windows desktops and servers.
Microsoft Windows operating systems – the backbone of most SMB networks – contain hundreds of configuration parameters that need to work together to maintain the optimal balance between security and business needs. To maintain secure configurations, IT security teams need concise, rapid and easily understandable assessments of their IT security configurations.
SecureCheq tests common configuration errors and provides free insight on the following Microsoft Windows operating systems:
- Windows Server 2003 / 2008
- Windows Server 2012
- Windows XP
- Windows 7
- Windows 8
SecureCheq evaluates over twenty different security configuration errors and provides a comprehensive report that includes detailed remediation guidance for problems discovered in the following configuration categories:
- Operating system hardening
- Data protection
- Communication security
- User account security
- Logs and auditing
SecureCheq reports on configuration vulnerabilities using OVAL® (Open Vulnerability Assessment Language), an open source language designed to support interoperability and automation among security tools and services. To sign up for Tripwire SecureScan, please visit: http://www.tripwire.com/securecheq
In addition to offering these free tools, let’s discuss the following common security missteps that SMBs often make and some tips help you mitigate them and minimize risk to your business:
Maintain an Updated and Comprehensive Inventory of Every Device Connected to Your Network
Small networks often have many devices attached and they change all the time as new devices, employees and partners are added or removed. Every device – including printers, scanners, wireless access points, POS systems, storage devices and smartphones – can be used to compromise the security of your entire network. You can’t protect it if you don’t know it’s there, and given the sheer volume of devices that might be present, you may not know it’s there even if you think you do. You can significantly improve your network security by regularly reviewing every device attached to the network and checking that it is configured safely – SecureScan can help with this by providing an inventory of up to 100 IP addresses.
Data Locations and Classifications
If you don’t know the exact location on your network of sensitive business information including intellectual property, HR data, financial and tax records, and customer data, you can not protect it adequately. You may think you know where all your sensitive information is stored, but it really pays to do a detailed audit at least once every quarter. Data should be properly classified and protected accordingly based on the value and risk it poses to the business, and access to sensitive data should be carefully controlled and any changes to this data should be rigorously monitored. SecureScan can help with this too as it has the ability to detect operating systems, services, databases, and applications running that store sensitive data.
Up to Date and Clear Policies and Procedures
The human element is always the weakest link in the security chain, so it pays to be clear and specific about what you expect from your employees. A written security policy is the best way to clearly identify best practices for internal and remote users. SANS offers great, free security policy templates. However, it’s not enough to just have a policy, you need to review the policy with your users and make sure they understand why you expect them to follow the guidelines. Integrate security policy training into your new hire and training processes and review it periodically so every employee knows the best security practices for your organization.
Password Policies and Controls
Using strong passwords is one of the easiest ways to improve the security of all online transactions and protect your network and the data on it. Microsoft has a tool that allows users to check their password strength, and there are a variety of free password checking tools available online. It’s good security practice to require employees to change their passwords every three months. You can help your employees remember to change their password by sending out reminders.
Out-of-Date or Disabled Anti-Virus Software
Utilizing anti-virus software is a security best practice and is required for companies that handle any credit card data. It is a simple means of detecting, preventing, and, in some cases disarming or removing common malicious software programs. Every computer on your network should have up-to-date anti-virus software installed and running. To improve your security posture, anti-virus software definitions should be updated daily and a full scan should be run weekly. Most anti-virus software is automatically configured to update daily and scan weekly, so you just need to be sure that the software is running on every machine.
Of course, there is no way to guarantee of absolute security, however, it’s not difficult to improve your security with these free tools and tips. It’s really just a matter of making security a priority… Isn’t protecting your business worth the investment?
Editor’s Note: The tool Tripwire SecureScan is no longer in use. For more information, please refer to Tripwire IP360 instead.
- CyberLens: The New Tool Suite for Critical Infrastructure Security
- Top Five Hacker Tools Every CISO Should Understand
- Free Computer Tools for Registry Forensics
- Free Computer Forensic Tools for Data Mirroring
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].