
Welcome to the show. Actually, this is not a show, so the curtains are closing again, because, as I see it, this talk that I've built is about the truth facing almost every company in existence today. The reason it's almost every company is because almost every company is a small to medium business; the big companies that some of you may work for are rare, globally seen, but we'll get to that. So for SMBs, for small to medium businesses, the realities that they face when it comes to security are something I've been working with my whole life. I've been working only for small to medium companies in my whole career, and they have unique and identical issues across all of these small companies. I believe these issues are very, very important, due to the overweight of SMBs globally and due to the fact that when you go to conferences, or when you read security blogs, or you read on Twitter or on Peerlyst, almost nobody cares about SMBs. In fact, this very talk about securing SMBs up to a minimum viable level was rejected at ten conferences before it was accepted a few weeks ago at Virus Bulletin. So few people care about SMB security, so I'm very glad to see you're here listening to what it's all about.

You just already introduced me. You can find me on Peerlyst, you can find me on Twitter, you can find me active with the Cavalry, which is a group of volunteers working to secure the internet of connected things in areas that have the potential to impact human life, so we work at the intersection between safety and security. I'm also an infosec librarian, which basically is another way to say that I have no skills at all in security. I can't do anything of what you guys can probably do; I spend all my time trying to understand a little bit about everything and then catalogue the uses of what other people do, put it on the shelf so I know where to find it. That's my role in security: trying to understand what everybody else is doing and what they have done previously and how it all fits together.

So ENISA is one of the few entities globally that cares about SMBs. Recently also NIST and others have put out guidance to SMBs, guidance that I consider horribly lacking in sophistication and comprehensiveness, but at least they are starting to slowly care. ENISA has been caring for many, many years and has been putting out guidance for small to medium companies to secure themselves for a long time. But as you see from the graph, these are the large companies; the small ones are much more prescient. Actually, this graph is a joke, because that's not how it is at all. This is a representation of the distribution of company sizes in the US, and all these three added together are SMBs, and large companies are only the tiny, tiny fraction down here; you have to stack these on top of each other and compare to that. That is why SMB security matters; that is why SMBs need better security than they have today. Because today, what do they have? Well, "I don't have any money for security", nothing. They don't have any budget that's assigned to security. They also don't have the time to do security; we're talking about a company of maybe 30, maybe 50, maybe 100, maybe 200 people. I've seen SMBs of 150 people who had one IT employee, a horribly, horribly busy IT employee. How on earth is someone like that supposed to do security? That's a hard question, that's a really hard question, because the boss's screen might break down, the battery in his mouse might run out, and the IT person is the one doing all of these for 150 people, alone. So this is a basic fact of what security is like in an SMB.

They also don't have any skills. The few IT employees that they do have, they don't know anything about security. How on earth should they? They're busy changing batteries in mice, updating, maybe if we're lucky they're patching servers, maybe they're patching Windows, maybe they're patching the Macs, but how are they supposed to know how security works? It's not reasonable to expect them to know a lot about security. So they also don't know much about the threats that we know exist. They may by now have heard of WannaCry and ransomware; they may know that malware exists as a general topic and that hackers, criminals, are out there. They don't know that hackers are the good guys, which I hope all of us know; they consider hackers, like the media use the term, as a bad thing, what you should never do. Obligatory reminder: hackers are the immune system of the internet, trying to keep us all safe, and the other guys we call cyber criminals, just criminals, right? So they don't know that the threats are out there. They don't know that firewall rules need to be deny any any and then allow what you need. They don't know that a switch can have ACLs; maybe they do, maybe they have some knowledge of switches. They don't know that on a firewall, if it's a next-generation firewall, you can turn on different things to improve. They just don't know all the things you have spent your time reading about: turning on the Windows Firewall so that you can't connect from workstation to workstation, for lateral movement, things to prevent ransomware from working. They have no idea about anything, nothing of this; they just don't know.

As well, they have someone who founded the company, or has been running the company, or has just been hired to run the company, who comes from no matter where; it could be anything. It can be a former librarian who starts her own company, and she doesn't know about security. Management in SMBs are not like these big MBA people who lead the big companies; they come from any background. They have no knowledge about security, no formal education from a big school that at least includes basics of IT and security, so how are they supposed to know that they should be allocating funding for security, hiring at least maybe one person to start doing something? They can't, it's impossible, they just don't know. Should they, following NotPetya, become interested in doing something about security, they can't find what they should be doing. They may find, reading on TechTarget or Dark Reading, about seven common threats that face SMBs, but it's not actionable. It's not precisely targeted at what they can be doing and should be doing with the skills, the people, the time and the money that they don't have. It's really hard for them to find out what to do, if they even care about searching for it. So we're in a situation overall where SMBs may now and then care about security for a few weeks, when the mainstream media cover something like NotPetya, and then it just dies out again. And that is reality working in SMBs. Oh, and feel free to jump in if you have questions, if you have comments or anything, because I'll just keep rambling on if you don't.

So, just summarizing what we went through so far: this is the reality for maybe 99% of all companies out there. I do consulting for some of these companies to try to help them get started on the road of security, and it's so rewarding to see what happens if you just sit down with the IT people and maybe a manager for an SMB for four hours and just talk. It's so rewarding to see what happens in half a year after that, if you make them aware
of the threats, the easy, good ways you can start countering and building a hardened, better infrastructure. So they may have an antivirus; in an SMB, that's the only thing that you can be reasonably sure that they might have, which is why last night at BSides, or yesterday, I was having a discussion with people about antivirus. I don't know how many of you know this, but antivirus as a concept is fundamentally broken. It cannot secure anything, plus it increases your attack surface. You can actually be hacked by advanced actors just by having antivirus, because most of them are very easily hacked and they all have a shim into your files, so when you receive a file, if it has an exploit for your AV, you're hacked. It's kind of that easy once you know what you're doing as an attacker. But still, even if they cannot catch malware, even if you can be hacked by having it, I still believe in having AV, because it's the only thing that SMBs are having, and we need AV to be more efficient and secure.

All right, so so far it's looking a little bit bleak; SMBs don't have a lot going for them, right? But it's not hopeless, because I've been in the situation. In my previous job I was working as CIO for a bank and in charge of the security also, as CISO, and it is hopeless, but it's also not. The reason it's not is exactly the thing I've experienced in my previous job and in my consulting in Luxembourg for smaller companies: you need to just reach one person and make them care and know a little bit about the threats and what you can start doing, and they can really, really start making substantial changes over time following that. So to secure SMBs we need not fix the time, the money, the people; we just need that one individual to become aware of the threats and of ways to start countering them. And that is the challenge: getting one person in every SMB to do this, to reach them, to make them aware. That is also a very hard question.

So in the years that I worked in my previous job for the bank, we did a lot of work on security, because when I started in my job (and it is a real bank, actually) it had no security, it had nothing. This is like seven, eight years ago. It had nothing when I started: the firewall was allow any any, a few ACLs on a switch behind that, the last server had been patched three and a half years previously, workstations mostly the same. Everything was shot to pieces, everything was just horrible, and we had no way of knowing if the whole thing was hacked beyond any chance of ever recovering the hardware. So the first thing I did was I hired a team of two IT people rather quickly, and later on a few more, and then we started working. In the time I was there I got budget once for something, and that was to replace all the hardware. Every single piece of hardware in the whole bank was replaced, because the servers were eight years old; we had another server die like every two weeks; the workstations also, in the morning, just wouldn't turn on because power supplies were dead, or memory, or that. Everything was dying. The company had inherited it from its mother company in Sweden, and the hardware was so old it just couldn't do any more. So I got budget once in my whole time there, and that was to replace every single piece of hardware, which we did over a period of one year while building hardened OSes and putting in place new hardware in succession, in the hope that we then start with a clean infrastructure that we can reasonably assume is not totally hacked. So that's what we did, and that was only the beginning. Over the course of three, four, five years we implemented a lot of security mitigations, and basically none of them required budget, skills, time. They were all something you can do at an SMB's IT staff skill level reasonably quickly; they were doable, realistic for SMBs to do.

So I took everything that we did and I put it into a framework I called Minimum Viable Security, which I published online. It has every single control that we implemented over those years, and I know that SMBs can do these because I've done them with my team, and together we knew maybe something about IT but very little about security, at least initially; that of course grows while you're working with it, while you're implementing. But this is doable: everything in MVS is something that an SMB can do if only one person in the company cares about starting. So what I need you to do is, if you know anyone working in SMBs, or if you work in SMBs, give them the medicine, give them MVS, the Minimum Viable Security framework. Give it to them, because if only you give it to them and you tell them why they should care and that they can do this, it could make a big difference for their company. You can find it there; the slides will also, I hope, be on the BSides Luxembourg website, and if not, you can find this on that link on Peerlyst.

So this is the basics of the talk that I did, and I met a person in Las Vegas this summer, for hacker summer camp, at BSides, San Francisco area, name is Russell. He's a co-author of a new paper that took the work I did with MVS and they built upon it. They made it more; in the paper they say some very good and true things, that as soon as you have an SMB that starts to build skills in security and to care, then you can really, actually do very, very good security, not just Minimum Viable. You can do actual security that gives you a very good chance of not getting breached, ever. The reasons you can do all that for an SMB: all the things that slow the big companies down, that make them unable to patch, unable to make decisions, unable to be flexible, all these reasons do not exist for an SMB. In an SMB you can very easily complete your entire asset management database and keep it up to date. You can make decisions very quickly, you can adapt, you know your environment, you know your networks, you know what you have where. You can baseline your infrastructure, you can baseline your network devices, you can baseline your operating systems, you can baseline your web server logs, your database logs; everything is doable because it's so small. And this is both a strategic and a tactical advantage for SMBs as compared to others: an SMB of, let's say, a hundred people, with two people working in security and maybe another two or three in IT, can do better security than the largest bank you've ever heard of, or Deloitte. I hope no one here is from Deloitte, but apparently anyone can do better security than them.

So this is the important thing for SMBs: we have them all at a point where they have nothing, but we can get them up to a minimum level, a minimum viable level of security, and once they're there they can actually progress to as good as it almost gets in security. And all it takes is reaching one person in that company and convincing them to care, and giving them the framework, MVS, and letting them know that you can do this, everything here can be done. And I believe that can make a difference, if only somehow we can give it to them and make them aware of this. All right, that's every single word I have to say. I think that might have been even close to the 20 minutes. Questions, please.

All right, thank you. One more issue that one can notice around SMBs: whatever they choose to go for, either open source or a closed platform, they will always have to pay for it. So open source, because that was commented on before, sometimes becomes a misconception that it's free. No, it's not, because you need specialized people to deal with this, and again someone will have to be on the road to maintain it. Now if you get a
closed solution, you have to pay a lot of money, and possibly also run around maintenance after a few years anyway, because you no longer have as much support as when you first bought the product. So after awareness, I believe that's the next problem, because they usually go for free solutions that they try to integrate together with sloppy patchwork, and it doesn't quite work, and so at the end they have a bigger problem than they originally started to solve. Again, talking with the background of a company that was running on five people, one being the CEO and the other one the secretary, you can imagine how that was running.

You have to make choices, and your choices will stick with you and sometimes haunt you, but even if you choose an open-source framework you can still leverage advantages from it. Yes, there will be work maintaining it, but for an SMB it's doable, it's not that bad. You can also, whatever tool it is that you're looking into, if you need software, you can usually get commercial tools rather cheap when you're an SMB, because you can negotiate with most of the tool vendors, and for every tool they sometimes have a free tier which is often sufficient for your needs. Like Splunk: you may not have more logs than you need to stay within the free tier, or you can just go with Graylog, the open source alternative there, or the ELK stack. But you have to make choices, and you will suffer the consequences of your choices, because no choice is ever perfect. That's true.
So, thanks, because I think it's a really important problem. I was discussing with some friends also about this, and one of the issues, I think, especially for the small and medium companies, is the retention of the people. Because, okay, we hear about the lack of talent, and the thing is that the demand is very high and we're fewer, so for smaller companies it's more difficult to keep the people, because, okay, if you are like two people, how do you keep those people? Do you have any advice, especially given your experience with small companies, on how to do retention for people in a small environment?

In all the SMBs that I have worked with or for, the employee retention has always been very high, because the people in charge have been very responsible and relatively sane people. I've seen of course SMBs where people leave a lot, but I think for an SMB with a good mission, a good product and rather good management, employee retention usually tends to be very, very high. I mean, in places I worked, people stayed there for 15 years, easy.

Oh, SMBs often don't have security people, so first you need to actually hire someone to do security. Well, how to keep them? Pay them well, because they will have to be masters of every trade, jack-of-all-trades, so you need to pay them well. If you pay your security person less than you pay your IT admins, they're gonna leave, and this is what we see right now, that IT are the kings of the castle and get higher salaries than security people, and it's just not gonna last. Yeah, you have to pay them more.
So if you have to pay them more, then that money has to come from somewhere, and you have to convince them that this is actually a good idea. That's gonna be hard; on the other hand, maybe not. But on the other hand, one of the problems that I still think that we are in is that security is too hard, and we need to make this easier. You briefly mentioned, one of your remarks during the presentation was, you need to set your firewall to deny everything. That comes with a lot of work, because then...

Yes, it does.

...because then all of a sudden all of your customers, all of your employees need to come to you and ask you to put in new rules in the firewall, you need to manage the firewall, and that comes with a lot of management cost.

On the specific example of the firewall: for an SMB, analyzing the rules and the segments you have and putting it in place is less than a week's work. Yeah, and then you basically don't need to ever change it again.

Firewall rules are not going to be an obstacle. Both are valid points; that's why I go in between, usually. And, oh, by the way, for the ones who don't know me, I come from ENISA. Usually we advise larger enterprises, and you'll understand why I will make that remark now: we advise them to separate IT from IT security, but in the case of SMEs, for a start, the minimum measure they should do is to at least make the security lifecycle part of IT if they don't have money. So then they satisfy both positions; if you can afford to have it separate, even better. I mean, I was working for a large enterprise and for the first six months of my three-year employment I was doing firewall configuration management, which is security, but it was more like "change that rule, change that rule". That was feeling more like IT; that was not incident response or something. That's my opinion, anyway.

They never change; they nearly never, ever change. So a week of analyzing what traffic needs to go where from where, and you're fine. It's work that's doable; it can be done, it can be completed, and you'll be very much better off after having done it. And it's the same for so many other areas: everything I put into MVS is doable, and it's not an obstruction to the company.
You can't put too many obstacles, because then the business starts to complain: "okay, now what the hell, security is that?" We should start also to talk more with the business; we should understand, I mean, what you are protecting, because of course we all want to do top security, we want to lock everything, everything has to be super secured, but sometimes all those measures are more than what you're protecting. Sometimes, if you lock too much, the business... I mean, we need to understand more the trade-off, we need to talk more to the business, understand their needs, and some risk has to be taken. Something cannot be fully secured or fully locked, because then it's blocking the business, so we need to make compromises and we need to understand this more. And this is an issue; I started to understand this in the last years. I have to admit that right until a few years ago I was like, "this has to be super secure, super locked", and it just doesn't work. Then they don't listen to us, and they say, you know what, security is not enabling the business, it's blocking it. So I think we also on our side need to understand this and talk to the business and really make the requirements, like what are your top requirements from a security, from a usability, from an availability point of view, and then we run our security program according to this. Because this is something where I think we are still failing.
Yeah, so I totally agree with the one person analogy; the local hero is entirely true. One thing, if you could put a recommendation into the system, for lack of a better word, would be actual specific recommendations as to the tools: for vulnerability assessment these are good options, for patch management these are good options, because a lot of times they don't have time to research or understand which tools. I know we sometimes are reluctant to name specific vendors, or things may change in the future, but without giving them a place to go or an example, it often leads to nowhere.

Perfect. In our Western European countries, where we know that the economy is mainly done by SMBs, what are you thinking about the responsibility of our governments? Shouldn't the initiative to help SMBs get access to those high-skilled security people and help them initiating this security initiative inside SMBs...?

That would be a really, really good thing, if governments would provide assistance with qualified consultants to just go out and sit down with them for a few hours and explain to them what to do and give them a framework like this. That would be hugely impactful, or if ENISA did it. ENISA, I actually proposed to them a few years ago that they start an initiative where they visit every single SMB, but of course it's beyond the resources, but I just don't believe it's a really good idea.

So the recommendation of the tools reminded me of the initiatives that they've done in the Netherlands on privacy, because in privacy they usually say these tools are shit, you shouldn't use Facebook, you shouldn't use WhatsApp, whatever. So instead of doing that, they said: these are the tools that you can use, and they respect your privacy and they do this, and these are the advantages. And the whole idea of that is that there is a community behind this and it maintains it. So are you going to build a community around these recommendations so you can update them?
Just a few remarks about the problem of keeping security inside the SMB. As you said, the problem is that they don't have the IT; they don't have the idea to have security inside the company. I remember I was investigating a ransomware case; I'm a member of the French law enforcement, and I was investigating a ransomware case in an SMB. They made a complaint at a small local police station, and the case arrived in my unit, and we called the company in order to have the server, or an image of the server. They refused to give the server. Is that because it is secret information? It's because the server, which is encrypted, has been used by the company for two months. Why? Because the server is working; it's useful for them to go on the internet. Even if it's encrypted, it's not all encrypted, so they just keep it, because they want to work. So they don't have an IT guy inside the company, just the guy who installed the server at the beginning of the company, and they don't trust him anymore. The server was encrypted, and they say, now we don't want to give you the server because we need to do the daily business. This is the level of awareness we are in.

On the other hand, because you talk about government: in France, since many years, we have an agency, ANSSI, which is dedicated to improving security in critical infrastructure, because, as you say, big companies are very well accompanied in security, but yes, it was a problem for the SMBs. So the French government launched a new initiative, a website dedicated against cyber malevolence, so small companies and individuals can report; that's the other problem. And the website links them to computer specialists in order to try to solve the problem, and the deal with the computer specialists is they need to follow rules and guidance in order to report to these entities the problems the companies have. So it's not a public service but private companies; at the end, the computer specialists are private companies, but it's a way to put a link between them, because honestly, if you remember what I just told about the company that will just keep the server encrypted and work with the flaw in it, yeah, we need to do something.

What I think we can teach, if we could just somehow get the message to every SMB, what we can teach them to do is to compare a hash of the file itself with VirusTotal; we can teach them to send it to malwr.com. That's doable, it's free.
Both points of view are valid, but the problem... I'm French as well, and if you look at what the French government did, it was to pass a law called the Military Programming Law; it was in 2014, I guess, and several other countries about the world are doing the same. I don't have the list off the top of my head, but basically they defined operators of vital importance, and this movement is towards the major infrastructure providers in six or seven major domains: infrastructure, energy, transport, finance and so on. And in many countries, and on the French ANSSI site, it's the same: it's mostly aimed towards big businesses, not SMBs. This initiative is good, but the problem is how do you communicate to the businesses, to the SMBs, the existence of such an initiative, and how do you accompany them? For example, a month ago there was a report that a small business with eight employees, somewhere in the South of France, simply shut down because they got attacked by ransomware and the backups got screwed as well. So the CEO, he is 60 years old, he is retiring, but leaving eight employees on the ground, and he thought he had some appropriate protection level, a basic one, but lack of information, lack of knowledge, lack of support. So I like what ANSSI does, I support it. I work for big business at the moment and I'm not satisfied about how it works, but the problem of bringing the awareness to the SMBs, this is a major issue in my opinion.
I came from Germany, from the Stuttgart area, and apart from the big car makers there are also many, many highly innovative SMBs doing machinery and stuff, family-owned, 50, 60, 100 people, and they don't care a bit about security, not the least bit. Last year there was an action made by the IHK Stuttgart; it's the assembly of all companies, of all small and medium-sized companies, and they made an HTTP or TLS/SSL check on all member websites and mail servers and stuff. And I saw what they did, what IHK was offering, and many companies did opt out; they said, we don't need it, we know we are good already, and much more companies ignored it completely. If you search for it, you can find the results on the IHK website; it's in German. Unfortunately, the results were devastating, and I bet if you made the same test nowadays it would be exactly the same.
Yeah, if I may add, on the topic of the government trying to do their best with SMBs: so I just created my own company, working as a freelancer, one year ago, and the issue is, today we have plenty of sites where we can go when there is an issue, so if we have a problem, yeah, we can find information. But when you create your company, no one is telling you anything. For me it's good, because, okay, I'm working in the field, I know what to do, but okay, let's say you create your SMB: you have to go to the notary to do all this dang stuff, and for that you have plenty of information. You go to the Registry of Commerce, yeah, you get the full stuff, all the details of what you need to do: get a bank account, do the invoicing, the VAT, very important, the VAT, but nothing about security. And that's the issue, because if you do not do this at the start, then obviously the problem will come, and then you can use your website saying "this is what you should do when you have an issue, solve it", and in a few cases, yeah, that's really too late, because then the company must shut down. So my point is, we should have initiatives a lot earlier, and the states should get budget to create teams of professionals that are well paid, that can advise the SMBs, which is not the case for the moment. So this will go on and on.
Exactly. Security by design and privacy by default and by design should both be taught already in primary school, in universities, at the Chamber of Commerce when you start your company; you should receive information about this, it should be all over, you should be bombarded with why you should do this and the consequences of not doing it, because, as we just heard, an SMB can go out of business in just one ransomware attack, and this is not the only example of this. Yes, SMBs really, really do get impacted very hard when they get breached or attacked.

Oh, thanks. Man, it hurts, because of that we have to go for a coffee break. All right.
We started with the wrong assumption that SMBs have IT. It might be, as it was mentioned, that in the majority of cases actually they just bought three computers, they have the default administrative privileges, they bought a server space and a namespace, and that's it. So what we said before might be wholly invalid: "oh yeah, hire an IT security person"; "why do I need any security if I don't even have IT?" That will take a lot of convincing. It's more than awareness; it needs to be shaped from the ground, at state level maybe. We have to promote, I believe, cyber hygiene the same way they do hygiene in their offices or wherever they're based: you clean your kitchen and your toilet, but you don't clean your computer. Either a security champion, or outsource. Lately I have seen many companies sell services, recurring services, once every six months, to smaller companies, and they go in to visit and they do a CISO-like service and advisory for breaches and all that, something like that. But this will be promoted at state level, I believe, as a service, because simply there are not enough people to serve the community. Awareness can do as much, but we need hands on.
I tend to disagree with what you said about IT. Every company, every business has got IT; it may not be a complicated, a complex one, even if it's cloud services or closed cloud-based services like Google Apps and so on. It is IT; today you have no business without a single computer.

Okay, so I see that this is a very interesting topic. Unfortunately we have now to wrap up, because it's time for coffee, right? We must go on with the day. So thank you very much, Claus, for the presentation.