(Looking back, I seem to have kind of vomited out a trail of thoughts in this post…pardon the ramble.)
We really have to live with certain things in security. Issues won’t go away. And none of us will ever agree on what to do about it (get 10 security consultants in the same room, even some from the same firm, fill out a questionnaire, and you’ll get 10 different strategies for security).
Brian Krebs does some great research and coverage (as usual…seriously, why aren’t there more badass [real] security journalists like Brian??) of an escrow firm suing a bank because attackers made an “authorized” wire transfer out of the escrow firm’s account.
This situation where business-owners have computer systems that get owned and then victimize their bank accounts isn’t going to go away. Ignoring what the bank can do to help (multi-factor…), I both like and dislike Brian’s suggestion:
The cheapest and probably most formidable approach involves the use of a free Live CD, a version of Linux that boots from a CD-Rom.
This is really good advice, but I would temper such advice with some caveats.
First, I’m a firm believer that, ultimately, an OS is only as secure as the person using it knows how to keep it secure. Way more people have a better chance with Windows than they do with Linux in knowing how to keep it secure.
Second, I wouldn’t necessarily expect a Linux OS to always be compatible with (or supported by) whatever your financial institutions implement for their website or authentication scheme. In some cases, I suspect you won’t be officially supported, and that could be a problem when push comes to shove.
Third, if you have any system issues (business owners are usually not computer experts), you’ll have an easier (and cheaper) time trying to find some support for a Windows box than for your Linux livecd. This might depend on how much you intend to DIY and your aptitude for learning Linux…
Fourth, mention Linux and/or livecd and non-geeks will give a look that is worse than a blank stare: the “yeah-I-won’t-ever-understand-that-and-thus-will-trust-it-less-I’ll-say-I’ll-look-into-it-but-really-do-nothing-because-I-don’t-have-the-time” look.
I really, really like the idea of a dedicated netbook or system that is *only* turned on and used for financial operations or updates, but runs on Windows and is not necessarily of the Livecd or USB-operated flavor. Most people understand and take to Windows quite well, banking sites will support it and the popular browsers that run on it, support is usually easy, and so on.
Don’t get me wrong, if a business is willing to go the Linux livecd route, that’s definitely a worthy suggestion, but the reality gut check tells me to more often expect the dedicated Windows box to win out.
Really, smaller and even medium businesses are just screwed as a default bottom-line reality. They’re almost certainly running Windows with Internet Explorer and don’t have any decent sort of web browsing filter. This means that over time, the line that indicates the odds of being infected approaches 1 (that’s math).
Businesses pretty much need some level of IT these days, as simply a necessary part of having a business, much like a telephone, payroll, accounting, desk/printer services, etc. Unfortunately, while everyone eventually does things like accounting in pretty much the same way (unless you’re being dishonest, there are only so many ways you can manipulate numbers, that are acceptable to the government), your computer systems/IT have an infinite number of ways they can be creatively used and built. This is one big reason we get so much angst between business and IT, or the CFO and CTO, or the business and its insecurities. There’s no “correct” way to do it, but rather subjective measures on what the effective ways to accomplish things are (to the business, a cable mess and fans in the server closet to keep 10-year-old servers from overheating is just as correct as a polished, professional data center…as long as they have their availability up and cost down).