
Adrian Crenshaw and Joseph Hollingsworth
Irongeek.com

Joe
  Professor at Indiana University Southeast, Computer Science & Informatics departments
  Director of professional development for faculty

Adrian
  Runs Irongeek.com
  Has an interest in InfoSec education
  (ir)Regular on the ISDPodcast http://www.isdpodcast.com


Given only 25 minutes, tell us what a small business could do to help their security posture? You can expect a lot of "buts" and "except fors", because that's the nature of the business.


Stuff that will ring your bell, security-wise

The CIA Triad
  Confidentiality: Who needs to know it?
  Integrity: Has anyone changed it?
  Availability: Can the people that need to access it get to it?


Not cool or sexy, but important
How often? Daily, weekly, monthly?
Offsite storage! Why?
Check to make sure you can restore from the backup
What to use? Tape, another box, cloud?
Not sure of a cloud provider to recommend, but check the provider's:
  Privacy policy
  Liability for lost data
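"Check to make sure you can restore from the backup" is the step most small shops skip. The script below is an added example, not code from the talk or from Irongeek.com: it backs up a constructed sample tree into a tar archive, restores that archive into a scratch directory, and compares the restored files against the live copy hash by hash. The second half of the demo edits a file after the backup ran, which is the stale-backup case a restore test is meant to catch. The directory and file names are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def make_backup(source_dir, archive_path):
    """Write a gzip-compressed tar of source_dir, with paths stored relative to it."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")


def verify_backup(source_dir, archive_path):
    """Restore the archive into a scratch directory and compare it file by file
    with the live data.  Returns (ok, mismatches); a mismatch is any path that
    is missing on either side or whose contents differ."""
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            # Use the hardened extraction filter where this Python provides it
            # (3.12+, backported to later 3.8-3.11 releases) so a crafted archive
            # cannot write outside restore_dir.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **extra)
        live, restored = hash_tree(source_dir), hash_tree(restore_dir)
    mismatches = sorted(
        path for path in live.keys() | restored.keys()
        if live.get(path) != restored.get(path)
    )
    return (not mismatches, mismatches)


def demo():
    """Constructed sample data: a tiny tree is backed up and verified, then a
    file is edited without re-running the backup to show what a restore test catches."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / "data"
        (data / "notes").mkdir(parents=True)
        (data / "invoices.csv").write_text("id,amount\n1,100\n")
        (data / "notes" / "todo.txt").write_text("rotate tapes\n")
        archive = work / "backup.tar.gz"

        make_backup(data, archive)
        fresh_ok, _ = verify_backup(data, archive)

        # Someone edits a file after the last backup ran; the archive is now stale.
        (data / "notes" / "todo.txt").write_text("rotate tapes\ntest restore!\n")
        stale_ok, stale_mismatches = verify_backup(data, archive)

        return {
            "fresh_backup_ok": fresh_ok,
            "stale_backup_ok": stale_ok,
            "stale_mismatches": stale_mismatches,
        }


if __name__ == "__main__":
    print(demo())
```

Restoring into a scratch directory rather than over the live data is deliberate: a restore test that overwrites production with a bad archive is worse than no test. For tape or cloud targets the same comparison applies once the archive has been pulled back from the offsite copy, which is the copy you actually need to trust.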



Don't run as admin on your own machine
This somewhat mitigates what malware can do on a system
File shares with too open a permissions set?
Lots of Windows software is badly designed to require more rights than it needs
Tools to help with this include:
  ProcMon http://technet.microsoft.com/en-us/sysinternals/bb896645
  RegFromApp http://www.nirsoft.net/utils/reg_file_from_application.html
  ProcessActivityView http://www.nirsoft.net/utils/process_activity_view.html
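The "file shares with too open a permissions set" question is easy to answer mechanically. The script below is an added example, not code from the talk: it walks a share and reports every file or directory that any local account may write to (the POSIX "other" write bit, the rough equivalent of an Everyone/Full Control ACL on a Windows share), then clears that bit. The sample tree with its "reports" and "drop" folders is constructed for the demo; on a real Windows share you would check the NTFS and share ACLs instead of mode bits.

```python
import os
import stat
import tempfile
from pathlib import Path


def find_world_writable(root):
    """Walk root and return (relative_path, kind, mode) for every file or
    directory that any account on the system may write to (the 'other' write
    bit is set).  Symlinks are skipped so only the real objects are reported."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue
        if mode & stat.S_IWOTH:
            kind = "dir" if stat.S_ISDIR(mode) else "file"
            findings.append((path.relative_to(root).as_posix(), kind, oct(stat.S_IMODE(mode))))
    return sorted(findings)


def remove_world_write(root, findings):
    """Clear the 'other' write bit on each reported path; returns the paths changed.
    Owner and group rights are left alone so the application keeps working."""
    changed = []
    for rel, _kind, _mode in findings:
        path = Path(root) / rel
        mode = stat.S_IMODE(path.lstat().st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)
        changed.append(rel)
    return changed


def demo():
    """Constructed sample share: a locked-down 'reports' folder beside a 'drop'
    folder that someone opened up with chmod 777 to make a badly written app work."""
    with tempfile.TemporaryDirectory() as share:
        share = Path(share)
        (share / "reports").mkdir()
        (share / "reports" / "q1.txt").write_text("constructed sample\n")
        (share / "drop").mkdir()
        (share / "drop" / "upload.txt").write_text("constructed sample\n")
        os.chmod(share / "reports", 0o750)
        os.chmod(share / "reports" / "q1.txt", 0o640)
        os.chmod(share / "drop", 0o777)            # the classic "just make it work" fix
        os.chmod(share / "drop" / "upload.txt", 0o666)

        before = find_world_writable(share)
        fixed = remove_world_write(share, before)
        after = find_world_writable(share)
        return {"before": before, "fixed": fixed, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Before tightening anything on a live share, run the report alone and pair it with ProcMon or ProcessActivityView on the application that "needed" the open permissions; the access it actually performs is usually far narrower than what was granted.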



Always unique is best, but...
Levels and domains
  Different passwords for different purposes (financial, social network, etc.)
Users sharing a password?
Pass phrases
  More secure and easier to remember
Do you store passwords in apps where others can access them?
Password vaults
  KeePass - http://keepass.info/


Microsoft
  Remember Patch Tuesday and keep it holy
  Somewhat automated
  May want to do testing first
  Windows Server Update Services http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

Linux
  apt-get is lovely for package management, but hand-installed web apps are a pain

3rd party
  Adobe auto-updating?
  Shavlik NetChk http://www.shavlik.com/sol-patch-management.aspx
  GFI LanGuard http://www.gfi.com/network-security-vulnerability-scanner/
  Secunia PSI/CSI http://secunia.com


Not a magic bullet
If the malware is custom, you are out of luck
Should help against widespread common malware
Concentrate on user awareness, patches, and least privilege
Some suggestions:
  Microsoft Security Essentials http://www.microsoft.com/en-us/security_essentials/default.aspx
  AVG http://free.avg.com
  Malwarebytes http://www.malwarebytes.org/


Do you have a perimeter? (hint: not totally)
Sites and browser issues
WiFi (decreasing levels of protection):
  WPA Enterprise > WPA > WEP > Open
  Forget about MAC filtering and SSID cloaking
VPN
  Built into Windows
  DD-WRT http://www.dd-wrt.com
  OpenVPN http://openvpn.net


What if someone gets access to the physical storage of your data?
For email
  Public and private keys
  GPG http://www.gnupg.org/
For hard drives/data
  TrueCrypt http://www.truecrypt.org


Old hardware that goes public:
  Donations
  Trashed
  Stolen
Format may not remove as much as you think
  Data carving
File and drive wiping
  Secure Erase http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
  DBAN http://www.dban.org/
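Why a format is not enough, and why wiping is, shown on a toy disk. This is an added example, not code from the talk: an in-memory "disk" stores a PNG-shaped blob, a quick format throws away only the directory table, and signature-based carving (the same header/footer matching forensic carving tools use) still finds the whole file in the unallocated sectors. An overwrite pass, which is what DBAN does to every sector, removes it. The ToyDisk class, its directory table and the PNG-shaped sample bytes are constructed for the demo and are not a real filesystem or image.

```python
import os

SECTOR = 512
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # real PNG file signature
PNG_END = b"IEND"                  # final chunk type; a 4-byte CRC follows it


class ToyDisk:
    """A constructed in-memory 'disk'.  The directory table (name -> start
    sector, length) stands in for filesystem metadata; the bytearray is the
    raw media.  Sector 0 is left unused, as a real filesystem keeps metadata there."""

    def __init__(self, sectors=64):
        self.image = bytearray(SECTOR * sectors)
        self.table = {}
        self.next_free = 1

    def write_file(self, name, data):
        start = self.next_free * SECTOR
        self.image[start:start + len(data)] = data
        self.table[name] = (self.next_free, len(data))
        self.next_free += -(-len(data) // SECTOR)   # ceiling division in sectors

    def quick_format(self):
        """A quick format or an ordinary delete: the metadata goes, the sectors stay."""
        self.table.clear()
        self.next_free = 1

    def wipe(self, random_data=False):
        """Overwrite every sector of the media, which is what DBAN-style tools do."""
        self.image[:] = os.urandom(len(self.image)) if random_data else bytes(len(self.image))


def carve_png(image):
    """Signature-based carving: find each PNG header and take everything through
    the IEND chunk and its CRC, paying no attention to any filesystem."""
    found, pos = [], 0
    while True:
        start = image.find(PNG_MAGIC, pos)
        if start < 0:
            break
        end = image.find(PNG_END, start)
        if end < 0:
            break
        found.append(bytes(image[start:end + len(PNG_END) + 4]))
        pos = end + len(PNG_END) + 4
    return found


def demo():
    """Constructed PNG-shaped blob (not a real image) is written, 'formatted',
    carved, then wiped and carved again."""
    sample = (PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(17)
              + b"constructed-pixel-data" + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    disk = ToyDisk()
    disk.write_file("logo.png", sample)

    disk.quick_format()
    after_format = carve_png(disk.image)

    disk.wipe()
    after_wipe = carve_png(disk.image)

    return {
        "file_listed_after_format": "logo.png" in disk.table,
        "carved_after_format": len(after_format),
        "recovered_matches_original": bool(after_format) and after_format[0] == sample,
        "carved_after_wipe": len(after_wipe),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat that matters for disposal: on SSDs and on drives with remapped sectors, a software overwrite only reaches the blocks the drive currently exposes, so spare and retired blocks can keep old data. That is why the page points to the drive's own Secure Erase command (the CMRR link) rather than overwrite passes alone, and why full-disk encryption from day one (the TrueCrypt point above) makes disposal far less fraught.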

Louisville Infosec, Sept 29th http://www.louisvilleinfosec.com
DerbyCon 2011, Louisville, KY, Sept 30 - Oct 2 http://derbycon.com
