security suggestions for small or medium business 2016

It’s harder than it seems to come up with a quick list of 10 things a small/medium business should do when looking to implement stronger (or a first level of) cyber security. It’s a copout whenever I see a “top steps for security list…” and they go something like, “secure endpoints, secure servers, secure network…” You’re cheating by not saying anything actionable or consumable by relatively average admins and business users.

Here’s my current list of top 10 items an SMB should do (I’m sure I left something obvious out…).

1. Backups. – Mistakes happen. And when shit hits the fan, you need to have backups to restore to. This includes something off-site in case your live backups are bad. You should also have some idea of what to back up, and a general priority of what is most important for the business to remain solvent. This needs to include procedures to verify backups and perform clean restores.

2. Endpoint security software. – Commonly antivirus or antimalware software that runs on end user and server systems. These should automatically update at least daily. Admins should understand this software enough to be able to work with it rather than turn it off for whatever reason when it gets in the way.

3. Patch your systems (and software). – I don’t care if these patch automatically or if a patch management process is in place, but all systems need to be running a patched OS. Software should be patched as much as possible as well, but I understand that can be harder for businesses that do not have automated endpoint management tools in place.

4. Identity management (lock your workstation). – Uniquely identify every user and require strong passwords for their accounts. Do not share accounts. Know which accounts (user and service accounts) have high privileges on your network and thus with your data. Locking the workstation is a form of controlling/limiting unauthorized usage of the unique account assigned to someone.

5. Practice least privilege. – Users should only have access to what they need in order to do their jobs. This is mostly focused on data access, but also applies to system and network (or Internet) access as well.

6. Practice proper password principles. – Don’t write passwords down. Don’t share them. Don’t reuse them. Do make them complex. Do change default passwords. Do change them regularly. Store passwords in something that has some modicum of security (i.e. not a password-protected Excel file).

7. Limit physical access to your IT assets. – Keep network closets, servers, data backups, and other IT assets locked away from unauthorized access. This should also include limiting access to mobile devices and storage devices for theft and tampering prevention.

8. Deploy a network firewall (network segmentation). – For a really small business, this might be limited to whatever modem/router comes with their Internet access. But for everyone else, they should have at a minimum a network firewall between their corporate network and the Internet with default deny rules in place. Permit rules should adhere to least privilege principles, again. A firewall between wireless networks and the rest of the corporate network is good. As a bonus, a firewall between workstations and servers is a good next step. But at a base minimum, Internet access into the corporate network/servers should be controlled by a firewall. Limit who can make changes to the firewall.
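As an added illustration of item 8 (not from the original post), here is a minimal nftables ruleset that expresses the segmentation described above: default deny, workstations reaching servers only on needed ports, wireless kept off the corporate network, and firewall management restricted to one zone. The interface names, subnets and port choices are assumptions for the example.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; interface names are assumed:
#   wan  = Internet uplink
#   wifi = wireless network (guest/BYOD)
#   lan  = workstation network
#   srv  = server network
flush ruleset

table inet smb_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Firewall management only from the workstation zone
        # (limits who can reach the firewall to change it)
        iifname "lan" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny
        ct state established,related accept
        ct state invalid drop

        # Workstations -> Internet: web and DNS only
        iifname "lan" oifname "wan" tcp dport { 80, 443 } accept
        iifname "lan" oifname "wan" udp dport 53 accept

        # Workstations -> servers: only the services they need (least privilege)
        iifname "lan" oifname "srv" tcp dport { 443, 445 } accept
        iifname "lan" oifname "srv" udp dport 53 accept

        # Wireless -> Internet only; no rule into lan or srv, so those
        # paths fall through to the drop policy
        iifname "wifi" oifname "wan" tcp dport { 80, 443 } accept
        iifname "wifi" oifname "wan" udp dport 53 accept

        # Internet -> servers: intentionally no permit rule here. Anything
        # deliberately published must be added as an explicit, narrow rule.
    }
}
```

Load it with `nft -f` and review with `nft list ruleset`; every zone-to-zone path not named by a permit rule is dropped.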

9. Limit local administrative rights on workstations. – For small to medium businesses, it can be a fight to pry away local administrative rights to systems, but it really needs to be done, not just for security purposes, but also for desktop support sanity (efficiency). This will help prevent malware from running as a local admin, and will prevent users from installing rogue software on their systems.

10. Understand and protect your important data and corporate assets. – Yeah, I’m slightly copping out here on the last one, but every business should know what data is important for business continuity or what data, if divulged or stolen, will result in business closure. Special considerations should be taken to ensure these assets are protected. Most important to this specific bullet point, though, is just making sure the business goes through the exercise of identifying what is vital.

BONUS: Get help. – Get help from staff or a security consultant on how to properly do IT security, both the steps above and the next steps, and to stay aware of new threats (ransomware) and issues (0-days).

Ultimately, I hate making a list of just 10 things, so here are a few more that come next.

11. Email filter for spam/phishing prevention.
12. Web browsing filter.
13. Password protect wireless access and limit only to corporate managed devices.
14. User education and security awareness training.
15. Establish security policies and procedures.
16. Identify your industry regulations and compliance that you need to meet. Get help on these.
17. Establish hardware and software inventory systems. Know when something is lost or mysteriously new.
18. Run vulnerability assessments on servers/systems and prioritize/remediate findings.

terminal23 activity is ramping back up

terminal23 is back up and running! I’ve been absent for a few years due to life and a hardware failure. For years, I ran my site off a system sitting in the corner of my office, but its motherboard decided to finally die out. Life went by pretty quickly, but recently I got the itch to bring this site back up. I picked up a new motherboard and exported all of my contents into a proper format to move back up to a new hosting provider and into WordPress.

This is my first foray into WordPress, so I’ll be playing with the themes/appearance for a while here, and also doing some reviews of my old content to see what needs fixing. But, I have to say the export from MovableType3 into WordPress went far smoother than I had expected. The appearance is a different story. The current layout and theme settings are pretty close to my old site, but not quite close enough to my liking. Still, I’ll take what I can get in the short term here! The colors and general layout work for now. Maybe I’ll just code my own templates like I did previously…

The past 2 years have easily been my largest gap in blogging and having a web presence of my own since 1996. (I don’t count FaceBook or other smaller services.) A lot has changed, and yet a lot remains the same. Perhaps I’ll go into more detail as I decide where I want terminal23 to go or if I want to slice a more personal blog or FaceBook presence off to the side.

I made this site for 3 primary reasons. First, I wanted to organize my own thoughts on security in a place that I could reference in the future, either to recall a tool, a script snippet, or just dump out some thoughts going through my head. Second, I wanted a curated place I could consume my favorite links that I found useful, from other blogs to web resources in the security world. Third, I wanted all of this to be viewable by any curious persons, especially those looking to see if I know anything about security and want to employ my services.

Looking back, I have 1724 published posts on this site dating back to 8/9/2004. Probably 98% of those posts are dealing with IT security to some extent or other, from tools to new scripts to commentary in general. During much of that time I had a more personal blog with 268 posts since 10/05/2001. And even older than that, I had a site presence of some sort since 1997/1996, though anything from those probably only exists on a floppy in some box somewhere.

At the time of my site going down, I had a listing of over 469 other security blogs, news sites, tools, and various resources. I do plan to bring those back, but they will take more time to check and port back in.