
  The Streetwise Security Zone Podcast

004 - Small Business Security Risks and Tips with David Kelleher - Jan. 28-09

Wednesday, January 28th 2009 @ 11:00 AM


Episode 4 of SWSZP has a great, business-oriented, educational discussion of information security in small businesses that is also very relevant for larger enterprises. I conduct an interview (about 50 minutes) with David Kelleher, a security expert with GFI, a leading security software provider for Small and Medium-sized Businesses (SMB), based in Europe. David and I discuss a wide range of security topics, to help convey the important issues that can and must be addressed, initially through education and communication within the organization.


GFI (at http://www.gfi.com) has a range of security software offerings for SMBs, which gives David a good perspective on these issues. Our discussion in this audio podcast can be used as a way of initially presenting security education, policy and resource requirements to management.

Streetwise Security Zone Podcast - Episode 4, January 28, 2009 (Show Notes)

Small and Medium-sized Business (SMB) Security

To listen directly on the website, just click on the Play button above. The numbers you see beside the headings below mark the approximate times in the audio program timeline. To download this audio as an MP3 file, click on the “down arrow” on the left side of the player bar at the top of this page. You can also subscribe via iTunes or stay up to date on this series using the options and links on the left side of the page.

Introduction - 0:00

Just a quick introduction to this episode.

Risks in the News

A particularly bad computer virus (this one’s actually called a worm), called “Downadup” or “Conficker”, is estimated to have infected almost 1 out of every 9 computers in the world to date. This is an extremely virulent and ubiquitous bug. Once infected, your computer ends up downloading a bunch of other dangerous software; the infection likely steals your information and makes the computer part of a “botnet”. The botnet can then be controlled by a remote master, who directs it to do various illicit things for the hacker. The bottom line is that your computers could be used to commit computer crimes without your knowledge. It spreads by three possible means:

  1. Attacking Windows computers that have not been updated since before October 2008;
  2. Attacking administrative accounts for computers nearby on the same network as the infected computer;
  3. Spreading through the use of USB Flash Drives and other removable media.

The best way to prevent it, if you aren’t already infected, is to turn on Microsoft automatic updates, and make sure your version of Windows is up to date. Also, make sure that ALL of your computers’ accounts, especially any with administrative privileges, have complex passwords that are not easy to guess; and if possible, turn off any “auto-run” or “auto-play” options on removable media or CD drives.
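The “auto-run” setting mentioned above can be checked from PowerShell. This is an added example, not part of the original show notes: it reads the standard Windows `NoDriveTypeAutoRun` policy value and lists the drive types for which AutoRun is still enabled; the function and variable names are illustrative.

```powershell
# Added example (not from the original post): audit the Windows AutoRun policy.
# NoDriveTypeAutoRun is a bitmask; a SET bit DISABLES AutoRun for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown type'      = 0x01
    'No root directory' = 0x02
    'Removable (USB)'   = 0x04
    'Fixed disk'        = 0x08
    'Network drive'     = 0x10
    'CD/DVD'            = 0x20
    'RAM disk'          = 0x40
    'Reserved'          = 0x80
}

function Get-AutoRunEnabledTypes {
    param([int]$Mask)
    # Return the drive types whose "disable" bit is NOT set in the mask.
    $DriveTypeBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key }
}

# Machine-wide and per-user policy locations.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($path in $policyPaths) {
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "$path : NoDriveTypeAutoRun not set (Windows default applies)"
        continue
    }
    # The value is normally a DWORD, but may be stored as binary; use the low byte.
    $raw  = $item.NoDriveTypeAutoRun
    $mask = if ($raw -is [byte[]]) { [int]$raw[0] } else { [int]$raw }
    $enabled = @(Get-AutoRunEnabledTypes -Mask $mask)
    if ($enabled.Count -eq 0) {
        Write-Output ("{0} : 0x{1:X2} - AutoRun disabled for all drive types" -f $path, $mask)
    } else {
        Write-Output ("{0} : 0x{1:X2} - AutoRun still enabled for: {2}" -f $path, $mask, ($enabled -join ', '))
    }
}
```

A value of 0xFF disables AutoRun for every drive type, including the removable media and CD drives named above.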

If you think your system is already infected, you will have to download Microsoft’s "Malicious Software Removal Tool" (MSRT) - not an anti-virus product, but it is able to clean up some known infections. If you are having trouble reaching Microsoft, or your anti-virus program is behaving strangely, that could be a sign that you are already infected, and you may need professional help in restoring the system to its normal state.

More information on this malware threat is available by clicking HERE for a detailed Computerworld article.

Oh, by the way, there’s another virus threat that’s been growing, and it takes the form of a Valentine’s Day or other greeting. Sadly, online greeting card messages are one of the biggest virus threats. So, be careful: turn off HTML and message previewing in your email program, and don't click on links or attachments in emails. It's best to type out the URLs directly, and only go to reputable sites. I also like to use McAfee SiteAdvisor to screen dangerous sites.

Yay! - The Streetwise Security Zone reaches 60 members. Thanks again to all who joined! Current SWSZ member benefits include the ability to download a free audio training program on a new security topic, as well as other benefits like access to our monthly Live Netcasts where you can ask questions or give comments on security topics. I’ll be adding new value on an ongoing basis, but free memberships will be ending after we reach 100 members. So, please join now and get one year of free membership.

Free Features now available in The Streetwise Security Zone - 6:00

The Streetwise Security Awareness Non-Trivia Quiz - 6:25

This is a little PowerPoint presentation I created that emulates the movie theatre trivia quizzes you see before the movie trailers start. It’s a great way to educate people and keep them engaged at the same time. Use it any time you have a meeting where you have a computer and/or a projector. This version, with 6 trivia questions, runs for about 5 minutes on its own, and repeats in a loop. The file is available for direct download (no email or registration is required), and Creative Commons copyright licensing is included which grants you the right to use, modify and distribute. I plan to produce larger versions with current security awareness news. So, contact me if you are interested in obtaining one to your specifications. The free download, and more information, is available at: http://www.streetwise-security-zone.com/freequiz.html

Free Honey Stick Testing Trial for Security Awareness Measurement - 7:50

I am offering a limited version of my Honey Stick Testing service for free to anyone who joins The Streetwise Security Zone. If you aren’t familiar with Honey Stick Testing, check out my Honey Stick Project blog at http://www.streetwise-security-zone.com/honeystickblog.html . It’s a way of measuring real human risk decisions in a simulated threat environment that uses specially configured, but safe, USB Flash Drives. This type of metric can tell you if your organization is ONE CLICK AWAY from having your employees bring down your operational information systems. You can learn more about the free limited testing service by following the link on the home page of The Streetwise Security Zone after you join.

Small and Medium-sized Business Security - Interview with David Kelleher of GFI

Introducing David Kelleher - 10:00

Introducing GFI - 12:00

Content security - Server security, Email security, Web monitoring

Messaging - Fax server, Email archiving

Network security - Vulnerability management, Event log management for larger SMB companies.

Endpoint security - Data leakage prevention

Network server monitoring - Server availability monitoring

Taking the time for employee security awareness in the office - 16:00

When “dumbing down” security guidance isn’t really a dumb thing to do - 19:30

Why IT security people need to be able to speak to different audiences - 23:30

Have you communicated the simplest of policies, like password complexity? - 24:00

How lack of simple security fundamentals has caused high profile problems in major corporations around the world - 27:00

What are the trade-offs between denying all employee access to the Internet and accepting risks of Internet sites? - 29:00

What are the benefits of separating operational information systems from employees’ Internet accessible computers (Least Privilege)? - 32:00

A little bit of employee knowledge and a little bit of IT staff security knowledge is a dangerous combination (Vicarious Liability) - 36:00

What can be monitored by administrators to detect violations and risks? - 38:00

What should you do when monitoring tools identify violations? - 40:30

What can the volumes of data traveling on the network tell you? - 43:00

What other organizations may have access to your data, and are they taking care of it properly? - 45:30

Mandating your USB sticks for business use only (Endpoint security) - 47:00

Watching out for “Drive-By Downloads” triggered by email, portable devices, web forums, etc. (Not just floppy disks any more) - 48:30

Putting your team’s heads together to discuss key areas where layers of security should be focused - 50:00

How can you approach budgeting for security? - 51:30

What is the first thing you can spend money on that can make the way ahead easier to justify and navigate? - 55:00

The fallacy of “Security by Historical Good Fortune” (It hasn’t happened to us in the past, so it’s unlikely to happen in the future...) - 56:00

Why SMBs can be as much of a target as any other organization... nobody is immune - 57:30

Wrapping up - 58:30

Conclusion

If you enjoyed this podcast, don’t forget to submit a rating in iTunes. You can get there by clicking on the subscribe via iTunes link above.

You can also rate this podcast by clicking on the Star rating system below this text.

Thanks for listening!

(If you'd rather see written transcripts of my audio podcasts, please let me know.)


Would your organization be interested in obtaining the right to use my security awareness eLearning content or articles in your enterprise security program? Or would you like help with strategy, risk assessment, program development or training? Please call or email me at the coordinates below...

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.
