
Welcome to the afternoon of BSides. Quick programming note: we're 230 here. Right after the talks we'll be having a networking event, in case you didn't see it, at John Harvard's Brew House, so it's pretty much just across Harvard, down to Harvard Square, about a five-minute walk, which is beautiful up, so hopefully you all can make it. Yeah, Johnson Street, there you go. And so without further ado, we'll get started here with Pedro and Vic giving us a great talk about security in many sizes, as one size does not fit all. So let's give a warm welcome to Pedro today.

Thanks, Josh. So as you noticed, if you've never been to BSides before, every tone
is a little bit light. My name is Pedro, this is Vic. We're known as Pedro and Vic, nothing special about that. So the talk today, it's funny, because you get on these, on the mood of doing the talk, and you hear what you want to talk about in other people's talk, especially this late in the day. It's that there's a lot of talk about how to do security for $0, small businesses, all the things that they should do. So we're going to talk about how to do security for small businesses, medium businesses, large businesses, but we're gonna put a twist to that: we're going to compare that to kind of people in fashion. All right, so
some people have come up to me today and say, "Hey, you got a shirt with ninjas on." Well, this is Deadpool. And other people for some reason can only see the yellow spots. Those are tacos, and then in between we have swords. So my fashion sense is just not the best, but I'm OK, I'm OK with that, I'm OK. So I'm talking about fashion. I just want to talk about people that go into stores, right? There is, particularly large stores, there's a lot of mirrors around, so you see people walking through and thirsty on the wrists of mirrors, they just walk through. Thanks. Oh yeah, "Do I look fat in this?" Hey, of course you do, but you're as well
some people. Some people are very realistic about what they look like, and then, you know, there is some of us that just walk into the store, just go, "This shirt looks good on me." It's like, I'm all pumped up, right? So what does that have to do with security, Pedro? Oh, a lot. There's a lot of people that are looking at their security programs and they're just, you know, they're very happy, they feel protected, they feel nurtured for some reason, and they're happy with the state of security. And then you have consultants come in and say, "Your baby's ugly, you got to throw it up." There is, in, usually the, those are the ones
that are most comfortable with their security programs, right? It's like, "We're doing everything, we have all the products, we have all the labels, we got the Gartners, we got the other analysts," and the old come in and the blister program. Well, you're less than covered, right? The emperor has no clothes. And to stick with the fashion sense today, for those of you that are here because they saw my previous talk some months ago and you got salsa lessons for free: Vic is going to be doing most of the talking and none of the dancing. So sorry to disappoint you, you're gonna have to come to another talk at some other point in time. But with that, I'll leave you to Vic.
Thank you, Pedro. So we're going to talk about small, medium, large and extra-large, the topic of the talk. I'm Vic Solem the MEI security; we do physical and digital security consulting. So as part of every talk I have to start by saying, I'm not kidding, there's an emergency exit here, there's another emergency exit out the door to the right and turn right, there's a fire alarm pull up there, there's a fire extinguisher here, because we're the paranoid ones who really take this stuff seriously. It's how we live and work. It's not a lot of fun sometimes. But today we're going to talk about sizing, so forgive me, I'm going to try not to stretch the analogy a little. In
some ways we're going to be talking about acting as a security tailor, getting your program to fit just right. We are going to focus on small and medium businesses later on, but for right now we're going to talk about small, medium, large and extra-large. We'll say what that means in a little bit. Going to cover a little bit about points of view on security, and that has to do with what you're wearing and what you're buying and why. And we're going to talk a little bit about specifics on what a small business can do. We do cover zero-dollar budget, because some folks are in that boat. Sometimes we talk to you just
don't have budget for security, but they know they need to do something, and there are things that you can do. And if you have budget, you may be using some freeware tools, and that's really okay. The other thing I want to say is that when we talk about security, we want to be sure that we get the size right, and to pay those point: when we're going shopping, I may want to be a large, but I'm an extra-large. That's the way it is. I haven't beaten this back yet, it's still here. I can't put on a large shirt, it's just not going to work, right? But for security you've got to get the size exactly right. For instance, I'm going
into a hazardous environment, I'm gonna want to look at the chart, and I'm gonna want to know that not only am I not an extra-large, I'm a double extra-large. And if I'm going to put on a hazmat suit, I better get the right thing. That doesn't matter how much I like something at the store if I need it to fit right. If it absolutely has to fit right, like in security, you've got to get the size right. And if you think your environment is a certain size, you better be sure your environment is a certain size. Be sure you know your environment; we'll talk about that a lot here. And by our environments come in all shapes and
sizes, and people's companies and teddy bears come in all sizes. I have the cool slides that Jack has. I wish I had talked before Jack. You got to deal with what you got. Well, we'll move forward. So you talk a little about sizing. When you're buying off the rack, you're getting whatever happens to be there, and you may be customizing it on your own, right? If you're super expensive, on the big end of the scale, the vendors are coming to you and customizing everything you want. So there's sort of the analogy between, I'm small and I can't afford to tell or I say what they're going to do, or, I'm big and I'm going to tell them
this is what you're going to deliver. And you've got to keep this in mind when you think about what products you're looking at and what companies you're dealing with. A big company is less likely to be customizable for you than a small one. It also depends a lot on your environment, right? What are you wearing? You're wearing Vera Wang or Eddie Bauer? You're making your own clothes? Are you a Barracuda shop, that's your way of doing things? Are you a Cisco shop, that's it, right, that's how you work? Do you build firewalls out of OpenBSD by hand, the way God intended? All right, I mean, whatever your culture is, you've got to know that you have to fit your security
solutions to that. And each of them has merit, but you got to be sure that you know what your environment is, what size you are, so when you're going shopping you know what you're looking for. Sorry, my screen didn't scroll correctly. So, presentation, there are a couple of images. I don't have the cool ones Jack had. I do have some, and I will tell you, if you go looking on the web for images having to do with size medium, large and extra-large, please turn SafeSearch on for your own protection. I'm not going to share the details of everything that I saw when I was looking at this, but my ISP has that, and if you want you can contact them,
gonna be happy to sell it to you, I'm sure, no problem. It's about being prepared, knowing your environment, knowing where you're going, right? If you're walking into a boardroom at a traditional company, you've got to dress the part, which like it looked that good, you've got to dress the part. And your security systems have to fit you the same way. They have to fit you well, so that whatever you're preparing them for, whatever day you're going to have, your systems are ready for it. So we're gonna talk about points of view. We're going to cover four points of view: we're going to cover in the trenches, when you're working, when you're actually using the clothes; we're going to cover shopping,
when you're buying clothes or buying the security systems; and a little bit from the other side, what the attacker sees and why you want them to see a certain thing or not; a little bit about style and frameworks. So, from the trenches. I couldn't not show those pictures. From the trenches, you got to know which trenches you're talking about going into, right? For fashion, are you in World War One? Are you walking into the hazmat environment I mentioned before? Are you going after Neo in The Matrix? You have to know ahead of time what exactly you're trying to do with your security program. You have to be prepared. Getting the right size, at least as
important is knowing where you're going and what you need to wear for that. And I talked about the boardroom before, and one of the things to remember is that even if you think you know what a boardroom should look like, like if I get the chance to get that pitch to that company in Manila, because I want to go back and live with some family there and then switch it back and forth between totnes, oh, that would be really cool, I'm going to know that in Manila you wear a barong Tagalog in a boardroom. So it's not as simple as "I know what I have to wear for this situation." You have to be sure you know everything about the
situation. What's really about, what's your environment, what's your company, what your company needs for security, what are the different environments where your company needs to function well? Are you taking your security program and applying it to an environment that has a different culture and has to have a different style for your security program? Now, if you have a program, it's working really great in Cambridge or Boston, and you all of a sudden acquire 50 developers sitting in India, you better make sure that your security program is going to match the culture, the different environments. A lot of other problems in there as well. So what do you want to wear today? Depends a lot on where you're
going. Boardroom? You're racking servers? From racking servers, I do actually tuck the tie in, though. I don't, I still keep the tie on, but I tuck it in. It's like, what do you do? What does your security program have to react to? What's happening today, right? If you're here sitting at BSides, you're not patching your Microsoft machines this weekend, right, as an example. Are you still running the broken Adobe that we heard about recently? What's happening today, and what tools you need to handle that? And if you're working in a small start-up and you've got 20 people in a room and that's your cubicle farm, then patching that, that's a completely different task than if you've
got 200 people spread across different cities in the country, or if you've got 2,000 people on different continents, right? These are different security programs, completely different orders of magnitude, right? In a small shop you can stand up and say, "Hey, our IT guy's coming today, is going to patch everything, so everybody just go away from 11:00 to 12:00," and, you know, it's done, right? Doesn't work when you've got multiple cities or multiple continents. So you got to be sure that the tools that you're using are right for your environment and right for where your environment is going to go.

Let's talk a little bit about shopping. As I said, I'm a, well, okay, I'll say I'm a
large, but I'm going to be an extra-large, although I wish you were going the other way. Not many companies are going to tell you, "We're really large and we want to get smaller," but that's not what companies want to do. You want to grow. So when you're buying a security solution, you want to buy a little bit extra, to be able to fit where you think you're going to be in six months down the road. Too small is really hard to fix; too large can usually be tucked in. Sorry. The other point I want to make here is about how long you're going to own stuff. I don't like to dry-clean stuff. It's not that I don't like that particular fabric,
it's that I don't want to pay for dry-cleaning every time I spill something on my shirt or my jacket. It's just ridiculous, because I spill coffee, it happens, these things happen. That means general upkeep on a dry-clean suit is going to be a lot more than not. If you're talking to a vendor or looking at a solution, and they're telling you, "This is great, you're going to love it, it's just awesome," you want to talk to people who are using it, because if you find out, oh, by the way, this great tool ArcSight requires an entire FTE just to keep it running, you might want to say, "Hold on a second, I don't have a full-time person for that." Or you may be
a great university and say, "We got three people, we'll throw at that," that's great. But you got to be sure that whatever you're doing fits your environment. Will it last for your environment? Is it the right size for where you want to be in six months? You don't want to get too big, obviously; you don't want to spend the budget. It can also look a little silly. And the thing I've been harping on all this time is, one size doesn't fit all in security. There are places where you just want to be a Cisco shop, and there are places where really you want to do stuff by hand, because you're super paranoid or whatever. Each environment is
different and each has its merits, but you want to keep in mind that what you're looking at for your security solution may not be what the vendor had in mind when they told their marketing person to give you a call on the phone and tell you how awesome their tool is. You're the one who's going to be on the hook for making it work the way it's supposed to, not the vendor.

So, the point of view of an attacker. I'm short on time. Point of view of an attacker: I'm not talking specifically about a physical attack against clothing, so, but, physical attacks are a different class, we're not covering that here. But if you think of attacks against
clothing as, what is clothing trying to defend against? Your clothing is trying to keep you warm, your clothing is trying to protect you from the elements, give you a place to put your valuable stuff, and to make you convey the image that you want to convey, right? This is how Vic looks, this is just it, this is the image I convey. If I'm walking into a computer room, this may not convey the image that I want to talk to people who sit at a keyboard all day, because I may look like a sales guy. So you want to be sure that your clothing conveys the image you want, and you want your, we're stretching it a little bit
here, you want your security tools to convey the right image to your employees about the culture of your company, as well as to your potential investors, people who may want to spend money on your company. Going to be sure that you're conveying the right image for everyone who's going to be looking at your security program. A lot of the time it's customers. We've had a lot of people who are contacting customers of ours saying, "Here's a 10-page questionnaire" or a twenty-page query, I see the head nodding, "tell us a bunch of security program." And you better believe that there are questions on page two that are double-checking answers you give on page nine, because they want to
be sure that you're not lying about it. And then you hand that off and you think you're done, and then they send you back, "Hey, you said that you do antivirus using this concept and that you keep your logs. Show us the logs." They want evidence. They want you to tell the truth, and they're going to make you prove it. It's like they really care about security or something.

Yeah, I don't have a good answer for that. I'm stretching the analogy a little bit here. Sometimes you actually want to tell the attacker things that are not true. You want to change honeypots, or you want to change the banners that you're advertising on your SSH daemon or on your
HTTP daemon to say a version that they're not, and then watch for the faulty attacks come in, which is kind of fun in a weird sort of way. But I don't have a way to say that you don't want, you know, I'll use it again, ArcSight instead of, what, AlienVault, QRadar, SIEM, right? I don't have a way to say that you don't want that, so, the attacker to see that. It breaks down a little bit here. I'm ripping the analogy, if you'll permit me link. But some of the things apply: you are using your security program to protect you from adverse outcomes, bad weather; you are using it to protect your stuff, your
valuables. But you're right, the analogy doesn't hold all the way here. You got me. But my next slide is so cool. Okay, though, no, that's okay.
The norm in the industry is to hide as much as you can, but it kills, some tools are required to put out certain information, here's some things you can't hide, but really eventually on the body that you're actually projecting, some of it's not necessarily to the attacker, it's to the other folks in your organization. It's making it fit your organization. So for instance, if you're a small one-location shop and you're doing a big giant implementation of, I started so I'll keep going, ArcSight, right, that's insane for a tiny little shop, right? ArcSight's for, like, you know, thirty thousand computers, right? So you don't want a security program that's too big for you. This is the segue to my
next picture. You don't want it too big for you, because then if it's too big, it may protect you in some areas, but you spent money, so you don't have protection in other places, and it's hard to move quickly. There we go. So the big giant program, the big giant tool, can be hard to be agile with, right? You're right, it's not necessarily in point of view of the attacker, that I don't want them to think that I'm running where were AlienVault for my SIEM, but from the point of view of being able to move around in my organization and make a difference quickly, I don't want something that's too big, because you
couldn't move quickly. Although they look pretty happy. But move on to the point of view of style and frameworks. And I'm stretching the analogy again, but I'm saying that a security framework, whatever you're using for organizing your security program, is similar to your style of your fashion. So this is, as I said, this is how Vic dresses, this is it. When I'm going to shop, I'm not shopping where Pedro would shop, because he looks cooler than I do. I couldn't pull off the shirt like that. This is what I got. Now, we talked about that, that's because I'm an extra large. So you want to be sure that your style is fitting your
organization. There are people, I haven't seen people in particular I'm thinking about at this conference, but the people who will tell you that you can't use NIST to develop your security framework, it's not big enough, it's not good enough, this won't work. And heaven forbid you talk about using the CIS Top 20, because that's just tiny. And yet if I'm talking to a company that has 30 people, that's the whole company, and I start talking about the CIS Top 20, right, they could, say, just handle the top two, right? Inventory of the devices in your environment: just give me an inventory of the devices. Simple, everybody knows you can start with that. Inventory the
software. But they don't have to go even down to the bottom 20, and they've already made a huge difference in their environment, right? On the other hand, if you're, you know, GE, you better be using ISO, right? You need a real program that handles it enterprise-wide. So figure out what's appropriate for your environment and be sure that you're acting appropriately, that you have the right style for what you want to do. So, pulling at you a little bit hard here, but I think you see what I'm getting at is, you want to pick the right framework. If you're in the government supply chain, we have customers that manufactured pivot, if you're making chips that go into
circuit boards that go into modules that go into jet fighters for the military, you're in the government supply chain, and you better be looking at NIST 171 even if you're only a 20-person shop, because you're going to get the questionnaires from the Raytheons or though all the way down, all the way down to you, to say, "Tell me about your security program or I can't buy from you," the SEM 20:17. And so you have to figure out what's right for your environment, for the size of your company, based on what you've got going on in addition to your size. And you want to be sure that what you fit, what you get,
doesn't have any unintended consequences, because the vendor may tell you, "This looks really great on you, really, really, though, this appliance will look really great in your server rack, it's a pretty color, it has blinking lights." But when you put it in and it starts running, is it not right for you? Is it going to get caught in that wheel? Tell me that's not going to get caught in that wheel. She's coming off the back of that. And I want to talk about the guy with the shredder Italian. Sorry, stop touching the day. So be sure that whatever you're looking at is right for what you plan to do in the real world, not just what the vendor says or the
salesperson who's trying to sell you whatever the services happen to be.

So now we're to the part I promised, we're going to talk about medium to small businesses. I've separated them by size: extra small, do it yourself, limited to no budget; small; medium; large; extra large. There are many different ways to figure out what you think people should be spending on IT security, what you think your company should be spending. The best evidence from Gartner has to do with industry, because IT spending is dependent on industry, and IT security spending is typically dependent on that. We're technical people here, right? You know, I had this spreadsheet with all these dimensions and the
multiple values by industry and the multiple values by different sizes of security programming, and yeah, but it doesn't work in a presentation. So I took the average of North America, which is three point five percent, two point five percent of revenue is your IT program and ten percent of that for IT security, and that's how these numbers came to be. These are rough numbers for comparison only. I'm not saying that if you have twenty-five million in revenue that you have seven three hundred to spend. I'm saying, relative to the others, they're useful numbers. And I doubt the ones in gray at the top; I think a lot of small companies don't even have that. But this is the rough
sizing I'm talking about, for comparison. And this is just the slide with different small, medium, large, because it had to go into the presentation somewhere. So taking those same extra small to extra large, and start talking about what people can actually do. So the dollars per month is across the top. The people that you have is the second line. That should be less than one person, not greater than one person. If you're a small company, you've got, you know, 20 people, you don't have a whole person dedicated to IT, let alone IT security. If you're a small company, you've got an IT person probably, but that person is also going to be doing IT security, so you got part of a
person who's doing the car driven system, right, who's doing patching, for antivirus, who's doing awareness for security. That's all coming out of your IT person. When you get to be a medium-sized company, you got a whole person, that one FTE, to do that security work, which is awesome. Large gets a department, extra large gets a big department. They're not going to be the focus for the rest of this. They're the other ones with lots of money, and it would be nice to be there, but a lot of companies are not in that situation. If you're, go ahead. I'll get that, but thank you, it's coming, it's next. So this line is antivirus. If you're running AVG and
you're a small company, check the license agreement, because I'm the only person in the world who reads it. And you can find one that's free. Better if you don't use one that might cause you a problem later. But you're doing something, but you're doing a free service. If you're small, you've got commercial off-the-shelf: you're buying Symantec or Kaspersky or McAfee or whatever. If you're a medium-sized company, you have a console, which is awesome, you can track all of your machines and all your antivirus. Right now it's a little bit, we've all seen this, right, consoles. Anyway, you're tracking all of your different machines and making sure they're up to date. You're getting alerts that say, hey, this machine has been on the network for a
week and its antivirus is out of date. If you're large, you have consoles, because you've got consoles working with each other: you've got a McAfee console and you've got your QRadar console, and they've got all these different consoles that are working together. Because when you're medium, you can only afford one seaboard antivirus, because that vendor got to you first. Extra large covers and vulnerability management programs, which are really cool, but they're out of reach for small to medium-sized companies. It's not going to happen. If you're training, let me rephrase that. When you're training your employees about information security, because that matters, because people are the weakest link, right, we're training people, telling
them, "Don't click on the link." It should be a chant. At a small company, you're just talking to people, being sure that they just know, right? That's an extra small. That's small, you may be gathering together at lunch to have a single conversation and cover it in a class where you stand there and you say, "This is how you're not going to click on the link. The note that says it's from the director of the FBI is not to you, really, people." Medium, you're doing online. Online training is OK; better if you can hire a trainer to come in and do the job right. The large and extra large company, taking people off site.

For backups, at a small company you've got a
USB drive, preferably not a little USB stick, a real USB drive, and you're taking it with you home and bringing it back. And you get to be a small company, you've got two USB drives at home and two USB drives at the office, and you back up to one and then you take that one with you, you still got one at the office. Now you put that one here and you take the other one from home and bring it back. You've always got backups off-site and up to date, geographic distribution, at least within wherever your IT person lives. So you can do a real backup solution for a small company without actually spending more than the cost of a USB drive,
right? These are the solutions part we were talking about before. If you're medium, you do more, either real off-site, you work with Iron Mountain. Large and extra-large, they have other cool stuff that they're doing, but you get the point.

So the reason to believe in all this about small and medium-sized business is this. So this a while ago in it, it made sense based on risk tolerance for small companies, but sixty percent, after they have a cyber attack, gone in six months. So if you're talking with small and medium-sized business, they've got real risk. Now when you start a company small, you take on a lot of risk, right? You grow bigger, take a little less
risk, because you've now got some more money invested and things are working well. By the time you get to be a medium-sized company, you've got people depending on you for payroll every day. You may have 30, 40 people who need that payroll. You can't be taking the same risks you were taking back here, right? So it's understandable that you take on more risk, but small companies should know that they're taking on this risk, and not just bear the risk without understanding it, right? Sixty percent out of business after a cyber attack: not prepared, not ready to handle the aftermath. I don't have the details on that, obviously, but so that's a bad number. What I'm talking about for
small business is time versus money. When you're running a small company, you don't have a lot of money. If you do, that would be awesome, and I want you to invest in my small company. But typically you don't have a lot of money. You just can't spend the money, you don't have it. So you're spending time. As you grow, that will change, and there's a theoretical crossover point. I don't have units on here for a reason, but the idea is, you're spending time to get things done. So a lot of small business security is about time management. If you say, "I'm going to periodically check my WISP," because I'm a company in Massachusetts, I know that I
have to have a written information security program, and that the law says I have to check it every year, with 1207 visa every year, right, then you better put a tickler on your schedule to say, after a year, I got to check in as a security person. Because if you're the security person who's operating as, I've been there, I handle whatever I can out of my inbox, I can't scroll to the bottom, the next day I handle what I can out of my inbox, and these messages are not getting seen, right? There are some networks where if you lose a packet it's no big deal, and some networks where if you lose a packet the plane crashes. If you're the
IT security and you've got a note in there that says your website's been hacked and you need to do something about this now, and you didn't see it because it was below the fold, or below the scroll line on your email, and your company's in deep trouble. So if you're running an IT security program at a small company, you've got to be very sure that you're careful with your time management, if you set these things up, and that you're watching all the information that's coming in to you, which can be really, really difficult. Be sure you budget time to view things periodically.

We've been talking about the typical vendor presentation. I'm not down on vendors, I'm OK with vendors, they
do good stuff. But a lot of times their slides look like this, right? If you're extra small, we can't help you. If you're small, we can give you something. But if you spend a lot of money, boy, have we got a long list for you, right? You've seen these. But for you, this is the diagram. If you're a small company, you can find stuff, just not with that vendor, right? You can't afford the big giant gorgeous console if you're at a tiny company. So don't talk to them unless they're going to buy you lunch. Just go look for the solution that fits what you need to do. You can do something no matter your size.
So we're talking about these size companies for now. This time, we have five minutes? Okay. So again, we're talking about extra small companies that have almost no budget, to small to medium-sized companies that have real budget, can have a real person working there. It's about having your mindset that there are solutions that I can use, I have to pick the right ones, that don't break my budget and don't take too much of my time. You've got to balance what you're doing and what you're buying to be sure that it's right for your company. And remember, the big picture is your security program, not whether thoroughness would be a really cool solution because you can backtrack and
watch what happened on the file system, right? That's awesome stuff, but if you're a small company, I'm sorry, it's not in scope, it's just, it's too expensive, it solves only one solution, and you're leaving yourself wide open in other areas. So if you're doing inventory, and I have some specific examples, my example before with the 20 people in a room, small startup, their cubicles, 20 people in a room, right, you can do inventory on a piece of paper. Really, you can. It's not fun, but you can. You can walk around with a black magic marker and tag the machine, "I wrote down the serial number," and go to the next one. And
then the next month or the next year, when you have to do the inventory again, use a different color magic marker, and you can do inventory for no budget. You don't have to listen to the vendor who wants to sell you this awesome tool that will go automatically inventory your machines. Of course, if you graduate to having more time, then you can script it, which is even cooler. Of course a medium-sized company will buy the tool and they'll have it automated, so that we've been a real inventory that then they can get a report item, instead they have to work with Excel or have somebody else work with Excel, because you can't someone else on a company to do it for
you patching we already talked about bring your own device I've heard a lot of people say I'm in a small company I can't help bring BYOD I can't be done there's nothing I can do and I argue that's not true if you want to handle bring your own device and you've got a company with almost no budget you get a guest access point and you take the password for that access point because we secure all of our access points right everybody secure all of our access points none of them going secure but take the password you put it up on the wall I wouldn't write it on this wall but you put it up on the wall
you put on the whiteboard you let people know this is the password for the guest access point and you leave it alone and you let it stay that way for a year or two years however long you want it to go then you change the password on your internal access point and you only put that on machines that you know are company owned and then a month later you change it again because somebody's going to have caught it but you keep you rotate that every once in a while and all of a sudden you've got a bring your own device policy because everyone who brought in their iPhone or their iPad or anything else they want to do to stream
their movies is now stuck on the guest network because you keep changing the flippin' password they get tired of coming and asking you about it bring your own device free policy though you had to buy an Access Point right like that small company that's too small no budget of course yes if you've got budget and you can afford a NAC go for it they're awesome you can kick people off automatically and there's a middle ground with scripting where you're watching your network and you're watching the MAC addresses go by and you're filtering by vendor and your chain you can you can script this and you can hire somebody to script it but it can be done on a sort of a middle
ground when you got more time but for a quick simple solution just change the access point and lock people out you'll find out who's using it you'll see them at their desk going why doesn't this work so user education we talk about antivirus we talked about you can use Comodo it's free free for commercial entities you don't have to use AVG got two more of these and then the clothes so disk encryption yes you can do disk encryption as a small company what scares people out is what if they change the passphrase on me so you have a rescue phrase you when you when you do it you use a product or a UNIX tool that
will let you save the underlying passphrase the typically the way disk encryption works is you've got an encrypted disk and you've got an algorithm for encrypting the disk and you've got a big long key and that's the key for the disk then you have people enter their own key and that encrypts this special key so that's what gets saved this hash in the middle and then we get rid of the first two and this is people have to match and anything that it's used to generate this that it decrypts the drive well you can save the intermediary key when you're installing it when you're setting it up any product worth its salt for instance the free one
on Linux will give you that key that you can save you can write it down it's really long you put it in a safe and if somebody says haha I changed the key and I'm leaving the company you can't have that computer sure you can you get the key in their safe so disk encryption free it's a pain writing stuff on paper and putting it in a safe is a pain but it will work and if you're free and all you've got is time and no money you're small other there's time enough money there's a solution that'll work obviously be better to have a console you can control it or at least centrally managed for disk encryption
that's better if you can afford it but if you can't afford it and you need disk encryption because you happen to have social security numbers or driver's license numbers or credit card numbers or anything that Massachusetts says is PII or even the government supply chain you have NIST 171 then for crying out loud you've got to encrypt there's no we don't want to because we don't because we can't afford it you've got two brand alerts this is free for everybody then you can hire a company to watch the brand but I've set these up for multiple customers where I'm watching for their customer name just the domain name also the customer name on free sites like Pastebin
right yeah uh-huh yep and you see some interesting stuff go by on Pastebin but if you're watching for your customers name there or that was me I'm sorry if you're a company and you're watching for your company name there then you're going to see when someone is saying hey look I broke into Acme widgets look at the cool stuff I got or I'm doxing the CEO isn't as cool and he works at Acme your Google Alert which you set up for free will kick that to you right away you can go get it off Pastebin and tell people to don't click the link in the email obviously you can do more stuff we
hire companies to monitor your brand and so forth but but this is free right we talked about backups DNS web proxy yes yeah
yep exactly and and and what you're doing is you're you're looking at what would an attacker be doing the opponent pastebin their Pirate Bay and and you're watching for their activity and you're doing it for free it's a great example because in if you're running a software company you know what you could be looking for to catch your stuff as it went out not just your company name obviously well yeah in my province that's a that's an attacker they're inside they've got access but that's an attacker yeah no you're right you're looking for you're looking for bad actors doing stuff and and these ones happen to be inside you're right but yeah that's that's a great example we
talk about backups DNS web proxy yeah good that's like um Stack Overflow I'm sure your developers would never do this but pasting code from your company asking questions right so you know periodically checking that seeing if you know yourcompany.com shows up on Stack Overflow is a is a good way to see if you know you have an overanxious developer that may be leaking some of your source code yeah leaking it yeah oh yeah I totally buy into it yeah yeah yeah well cleansing that stuff can be hard I was in a hurry yeah you can look for your IP addresses in there as well so yeah DNS web proxy sometimes people at a company want to go places on the
internet that would be inappropriate for work sometimes this happens sometimes the places that they're going to want to download malware onto their computer and having set up alerts in systems like QRadar to say hey look this machine went out then after going out to this place we don't like then it started attacking another machine on the network so this really does happen web proxies are great if you can afford a web proxy to lock things down to just the sites you want that's awesome but if you can't you can control the DNS on your network now you're not going to stop someone who works in this room who knows that they can go there have their own DNS or they
can tunnel their DNS you're not going to stop security people right but you're going to stop the regular person sitting at their desk who happens to click on links hey take a look at this right you're going to stop them because the site doesn't resolve now OpenDNS had a solution this is it's still free I think OpenDNS isn't it Cisco has a free one ok so the there are three solutions Cisco my mic sorry yeah I still use it at my house I yeah they haven't shut me off yet but well yeah so you're not again it's not a perfect security solution you're not actually blocking people from going there if they get the
IP address but you're stopping 90% of people who would go there because they can't get the IP address they know the name of the site which I'm not going to say that they want to go to and then stop because they can't they can't resolve it free solution right it's not technically a web proxy but you've made your network a lot safer ransomware there's at least one company Cybereason offering a free ransomware tool you can actively protect your machines from ransomware now obviously we're security people we don't trust people right so having Cybereason land free software on my end point it's dicey situation but it's a low risk compared to if you know you've got users who are
definitely going to click on those links and definitely going to download the stuff and run the stuff and encrypt your sort your hard drive and they've already done it three times and it went over to the file share and you you know if this happens maybe it's time to look at something like that and extend here your level of trust a little there are free solutions obviously a full antivirus or a full-blown solution is better but there are three ways to handle that I'm getting short on time right okay I got two minutes okay we'll do this one quickly there's a last one so asset protection free asset protection Prey Project install it on your machine it's
called the Prey Project it's a script that will run that will check if your machine has if you've told the Central Command that your machine is stolen and if it is then it starts telling you hey I'm here obviously if the attacker wipes the machine doesn't protect that but I can tell you from actual live experience that there are attackers I know at least two examples where they took the machine and took it to their house and turned it on and put it on the network yeah smart one got caught detectives caught him but so Prey Project blew there are vendor solutions you can buy two particular assets but Prey Project works really well and it's free policy is a dicey one you
can write your own security policy if you're a security professional you're better off letting security positive you know so what you're looking for it's a little bit dicey if in a small company in this room you can pick and choose and write your own policy and make it happen it'll be enough for a small company because again you're looking at the CIS top three maybe not even the whole twenty just a tiny company spam prevention ask your ISP about fixing about making sure that they're doing as much limiting as possible on your mail passwords obviously want a full program but you can go to the server and say we require complex passwords you can do it free on
your own and network segmentation start with subnetting yes network segmentation with firewalls is really awesome and it's a really great way to go and I love the way I feel nice and warm and cozy behind all my firewalls but if you can't afford all these firewalls at least segment the network you'll stop some of the broadcast traffic that some of the viruses are using so skipping through to the end yes so remember that your company is going to try to grow the company maybe small medium or large but you're going to try to grow be sure that the solutions that you spend all this time on are going to be working in six months remember you've
got to handle today but in six months you've got to be ready a year and so forth you don't want to be straight face you want to be like this guy who spent all this time and effort on his solution and set out six months later you couldn't fit into his own suit hey still pretty cool all right you want you want to be sure that what you've got will work for now and will work when it's finally implemented so think ahead and we've got four minutes for questions no questions awesome yes slides will be online we'll give it to BSides right yeah what was the other thing you said oh the product list yeah for the list of
that I went down with all the products that will be also provided via live link in the slides those will go up or they can everyone can attack me yet good they want to record your voice forever you mentioned the USB drive swap back and forth as a low-cost backup option definitely done that I I think if you have a small or even a small to medium size company here you started relatively recently you don't have much local infrastructure you don't have much local data is there is there a comparable low-cost backup solution for when you're using Google Apps or you're using Office 365 or is that really no it's not there yet good luck
I have very mixed feelings about a lot of that stuff because running stuff in the cloud is great for some stuff but not for other stuff and and and so I sort of draw lines there and stuff that I really care about not getting out I would never put up there but to answer your question you can export from there onto a USB Drive just pull the data down now I talked with one customer there quite a bit about this and I finally explained to them look if something happens to your license agreement with Amazon and suddenly you can't get in is your company out of business if they decide you haven't paid your bill you're
done is all of your data now there and you can't get to it oh wait there's a clause in the contract that says within like six months you have the right to do a special download as yeah okay I need it today I want to get the company going right so if you've downloaded your data then you've got a way out it does hit your bandwidth oh I don't have a way around that does that answer your question okay I'll just stop come on launch codes I'm going to keep it on an internal server that I secure with my own firewalls on my own you know area then you're running it in the cloud yep yet
mail like mail I put in the cloud mail is easy I was going by SMTP in the clear anyway so I'm sending anything valuable in mail I'm screwed but yeah a lot of stuff runs in the cloud and then some stuff is just not local you're right oh yeah we are