Tate over at ClearNet Security made a post about a friendly debate over the top 5 things a start-up company (read: small company) can do to start out the right way in regards to a safer computing environment. I thought this would be a good exercise in determining what my own top 5 recommendations to a similar fictional company would be. Granted, doing a top 5 instead of a top 6 or however many top picks it takes to do security right is a little limiting for no real reason, but this limit does help focus a bit more. This can also act as a general checklist for consultants or any outsourcing of solutions a start-up does, especially ones without in-home IT staff. I also try recommend free solutions as a starting point, especially for small companies without IT budgets.
1. Backups. This is the #1 thing to do to keep a business alive and running. My underlying assumption is that incidents will occur. If you don’t have data backups, you will not survive many larger incidents. A requirement would be offsite backups, even if it is just at the CEOs home and maybe the CFOs home. Everything else for security should be dropped until this is done. Backups can be as simple as some batch files like Robocopy dumping data onto firewire or USB drives every night, with manual swapping of cables every day or week. Desktop systems can be set to perform regular system backups to a central storage if need be. Test backups regularly, test restore procedures regularly to ensure that they are working and to keep someone knowledgable about the process. Make sure workers copy important data to central servers every night or Friday, or a location that is backed up. Having even an elaborate file server and backup scheme is defeated internally if users keep their data on their systems and those systems are not backed up themselves.
2. Network firewall on the Internet link. Put up a network firewall on the Internet link and be draconian in the rules. Default Deny, and limited access elsewhere, even if it means nearly zero access from the outside. Small start-ups might be able to contract out to a local Linux expert or friend of the company to throw in a largely free Linux solution. Something like SmoothWall/IPCop may be better, as a slightly tech-savvy worker may be able to understand and work the web-based configs better than Linux iptables and such. But, if possible, invest in a Cisco Pix or Juniper NetScreen or Windows SMS/ISA solution and contract someone to set it up for you.
3. Desktop Antivirus. Evaluate some robust and light-weight products for Antivirus protection. For the most protection, I would not pick Norton of McAfee (most malware that is truly dangerous looks for and disables them anyway), but rather look into Kaspersky or F-Secure instead. For freeness, AVG and ClamWin are decent enough. A good case can be made for network-based Antivirus on the gateway in a smaller company, but most new desktop/laptop systems come with host-based AV anymore, so may already get half done without the extra burden. Obviously, the apps should be set to regularly scan the systems, automatically clean/delete, provide realtime scanning and stopping of virus execution, and be set to update no more than daily, every 8 hours if possible.
4. Patch Management. Turn on your Windows Automatic Updates to force installation upon a subsequent reboot. Try to do this with Office if at all possible. Updates should be done as soon as possible, preferably once a week on a Thursday or Wednesday. Workers should regularly do manual updates, even if it just verifies that automatic updates are working just fine.
5. Man, the dreaded last spot. Do I use physical security here, as losing the time and equipment for a small company can cost dearly? I guess when it comes down to such a short list, I have to look at what will best help the company survive and prosper to a point where the luxuries of security can be afforded. I would side with physical security here. Make sure doors are locked properly and possibly invest in an alarm system. If the company is in a business park, get to know the security stance of the business park owners and possibly work with them to provide for alarms or anything else they may do for you. If possible, lock down all systems at the desktop and secure any server equipment behind another locked door or at least out of sight behind some other door. The costs of these protections far outweighs the loss incurred in their absence.
I will cheat and put in a 5.5, since it is not only dealing with security, but insurance purposes as well. Inventory all systems and keep that up to date. This can just be some spreadsheet available with dates of purchase, serials, hardware details, software licenses, etc. Starting this early helps. Inventory can be morphed into talking about baselining an environment. Know what you have and what is normal in your environment. What systems are expected, what software is expected, what sort of traffic levels you expect, what log entries are normal. This baseline effort can then lead to quickly recognizing when something is abnormal and needs investigating.
A really close next consideration is to acquire desktop/security help either with some low-cost outsourcing or just hire a guy internally to manage systems, clean spyware, try out new software, help test new products, etc. This can help provide a company with someone to turn to for slightly more authority than your average user, and help a budding IT professional get his chops cut on some real experience. There are plenty of IT professionals out there who would be glad to consult either on the side of their daytime gig (be open to only getting support outside business hours) or add you as part of their already established clientele.
Lastly, if the small company insists on a wireless network, then I have to include wireless security as part of the list. The wireless network must not remain open and needs to be protected using WPA. Yes, this might be a hassle with visiting guests and potential clients, but the consequences of some high school kid driving by and mucking in your network can be dire.