
Alright guys, our next speaker coming up is Hudson Bush, who's a security architect and designer. He does index falling at every little thing he does as his job; he actually works with government compliance, business impact analysis and risk management. Today he'll teach us about his mistakes so we don't repeat them: "Too Small to Fail."

The reason that I started giving talks, the reason I started speaking at conferences, is because as I started coming to conferences I realized that every single person I talked to was working at a small business. They were the only sysadmin, they were on a small team, but almost every single talk that I was going to was "and then our incident response team of 15 people..." and I'm like,
it makes sense, because a lot of times at the more international conferences, things like that, the only people that end up having the budget to speak are from large companies. So, a little bit of bias: I'm in an interesting place where I work at an MSP and MSSP, and I mostly work with small and medium businesses. That kind of sets you apart, I guess, because it isn't something that happens most of the time. When I tell people that I work with small and medium businesses, security people either statewide or power, and that's essentially the whole point of this talk: why small and medium businesses matter. I'm gonna get on a
soapbox for a moment here. This slide: I do not do Q&A time at the end. As you see in the bottom right, there is a hashtag; tweet the hashtag, you can send me questions, I don't care, do whatever. But the reason I don't do that is because a lot of times, especially people who look like me, we're kind of horrible. I don't know if you've noticed this, but what happens a lot of the time is someone who looks like me has been talking, and afterwards all the questions are, "So that was great, what do you think about high-level security concept?" or a good question or something, and then a lot of times people
who, again, don't look like me in various different ways, we get a question like, "Have you ever considered this? Why didn't you do that?" That is not a question; that is an "I really wish that I had the confidence to speak and I didn't." So because of that, I noticed that too many times, and kind of in solidarity, I've just realized that Q&A is not inclusive for either speakers or participants, because the people who usually ask the questions are generally people who know something and are a little more confident, and they'd want to speak anyway. So with that said, if you are someone that's willing to shout out, you can yell at me if I say something that
you do not understand; that's the question. If you're a little more shy, if you're not, seriously, you'll help me, I'm fine, you know, "elaborate, explain yourself," you know something. So let me start off by saying, so you know that you're in the right talk, what I'm trying to essentially instill here. I talked about this a bit on the intro slide, but if you work with small and medium business: I know a lot of people use SME; I mean, I don't like that acronym because it's "subject matter expert" and everything, so I use SMB, and I know it's an older acronym, but I prefer it. So: give you a starting point, and that's in a lot of
different ways. That is, if you are really new to this industry, it gives you a place to research; if you do know security but you have no idea where to start, same. And then give you tools to convince management: if you are not a speaker, you are not someone who wants to talk to management for a half hour on why to do security, if you are a solo sysadmin, then you can just hand them a slide, this slide, or this talk. Backing up for a second: I know that people are gonna take pictures of slides, that's fine, but also if you want, I have the slides posted online; the last
slide will give you the link to that. And everyone else, if you don't work in SMB, especially if you work at a vendor or an MSP: this is essentially saying small and medium businesses are important and securable. A lot of people think it's just a futile exercise; I think that's obviously wrong. So here are my two parts; this is just telling you how I'm gonna split this up. The first is why: why are SMBs important? Then I'm going to do how: how do we secure them?
First, why. There are 28.8 million SMBs, small and medium businesses, in the US, and this is actually an old statistic, I think this was 2017. That represents 55% of all jobs in the US. But then at the same time, 65% of all spear phishing attempts are aimed at SMBs, so just from that you see they're targeted. And then they're also important because chances are one in every two people that you know, which means a good chance people here, are working in small and medium businesses, and you do know people who work at them. I mean, their jobs are in danger when they're losing income, when they're getting breached, when they're losing
data. So, and then this, I mean, it's an easy talking point: the Target breach was a result of a small HVAC vendor being breached. So supply chain attacks, if you're not caring, you're seeing more and more large companies are caring. For example, like Raytheon, they just bought Forcepoint, and they're now targeting, actually Raytheon's working as an MSP and MSSP for a lot of their customers and a lot of their suppliers, so it's really interesting. So then the question is: why do we dismiss SMBs when it comes to InfoSec? And I've seen it, I mean, there's a lot of... I have
to even define small and medium business, because a lot of times talking at these conferences people define that as anything under about 1500 employees. 1500 is actually pretty large. I'm generally talking from my experience with small and medium businesses between about 50 and 200, but I know obviously a lot of this applies to smaller and even much larger. But there's too many vendors, there's a lot of next-gen antivirus companies, or even EDR companies, that will not even sell to you if you have less than 150 employees. That's stupid, I mean, there's no other way to put it: that's stupid. They're endangering companies by not even selling. A lot of MSPs,
no, there are obviously small boutique MSPs that only work with small and medium businesses, but then when you get to the larger ones, they're like, "Oh, it's not even worth my time." So that's part of, again, what I'm talking about here. So the question, and actually I was in the speakers' lounge before this and one of the other speakers said, "Oh, you work with small and medium business? That's my least favorite part." I love working with small and medium businesses; I'm talking on the very next slide about why I love working with them, but this is the part most people hate: they hate, I hate, having to convince them to give me budget. And I'm in a privileged
position that I work with mostly manufacturing companies, mostly military manufacturing, which tend to have a little more money, so there is compliance. So just like with anything, I mean, there are two reasons that anyone ever spends money on security: because the government told you to, and because you got breached. So essentially, because the government told you to or a customer told you to, is more or less what it comes down to. Now, I was working on an engagement recently and I'm doing the scoping, I'm sitting down and I'm just confused, and after about 15 minutes talking I'm really confused. So, you've never been breached? No. No compliance? No. So why are we here? "Well, because
I'm scared about security." And I'm like, so you're smart. You don't run into that; you don't run into people who just want security for the sake of security. They want it because someone or something has forced their hand. So that's obviously going to be one of the biggest motivators, but I think there's a unique situation with small and medium businesses, because they do not have that same resilience, they do not have those same resources, like "if we lose 10 million dollars today it's no big deal." He works at one of those companies. But the thing is, a lot of times you're talking to an owner or a manager or someone with a direct stake in this
company. You can appeal to their pride. I can't tell you how many times I've sat down with an owner and instead of just saying, "Hey, let me pitch you this," you sit down and say, "So, how did you start your business? Tell me your story." Then they get this pride welling up in them, telling the last 25, 30, 40, 50 years about how they have built this company from scratch, and all it takes is you saying, "So how important is this to you? This is a major risk out here, and you don't want to lose what you have built." And, you know, I hate FUD, fear, uncertainty and doubt. Like, I don't
like to just say, "You're going to be breached and it's going to be terrible, you're going to lose millions of dollars." That is not the way to get anyone to... sure, if you have to give scary statistics, I like to leave people with hope. You essentially say, "Hey, it's a scary world out there, there are terrible people trying to do terrible things, but there's a way out," and not even in a salesy way. But if you leave on just fear, no, people don't like to buy on fear. You talk about the hope, you talk about how you can prevent against it. You always end with practical, and
again, I mean, some of this, because I am an MSP, sounds like I'm talking from outside, but if you're internal it's that same sales. Even if you're a sysadmin trying to talk to a CEO or a president of the company, whatever, it's that same sales pitch. You have to say, "Hey, security matters, this is why." So unfortunately you do have to be a bit of a salesperson there. Now this last point is actually one of my favorites. This was introduced to me, I forget the speaker's name, at BSides San Francisco a couple of years back: that InfoSec, cybersecurity, is not a profit center. It's never really going to be a profit center; it doesn't make money,
it's a cost center. But one of the ways to turn that on its head is to introduce security as a sales and marketing tactic, and the easiest way to do that, not the cheapest, but the most efficient way to do that, is getting ISO certification. Now that obviously costs money, it may not be the first thing you do, but if you can pursue that, put it on your website. In every single conversation your sales team will have with the customer, the first thing you say, one of the first things you say before they ask, "Hey, what do you do about security?", you say, "Oh, by the way, here's our security brochure." You prepare that marketing information, you give them that
information before they ask, because generally the first time a company ever talks about security is after a breach. That's the wrong time to talk about it. And I have actually seen this tactic work, and obviously you don't need ISO, you don't need to spend that money, but if you do, it gives that key finding. And I don't just believe in that certification; I just know that especially with manufacturing, so many of our customers already have to be ISO certified for QA, so it's an easy sell. They're like, "Oh, one more ISO certification, I can get this," and boom. And it really does work. If you are a numbers person, if you want, you can get those numbers and
start talking to sales and say, "Hey, how many more sales do you think you've gotten?" You know, do A/B testing: have a couple of salespeople talk security, have others not do that. It's interesting, and it really is a different approach. And I think after time you can start talking about security not as a cost center but as a profit center, where you can start talking about security as, "By the way, this is how much money you have saved: you could have been breached, you could have lost efficiency, you could have done this or that," and then also adding the sales tactic into it. So this is a bit of the how,
how you can convince people, the biggest pain point working with small and medium businesses. And then this is the why, why it's so fun. With larger businesses you have complicated change control, you have so many different approval processes, but if you're sitting with the president or the CEO of a company and you ask him something, a lot of times they'll just say, "Here, do it." He can give you approval right then, you start right then, you don't have to then go to purchasing and acquisitions and everything, you don't have to do every single piece. So I love that about these companies, and it can be so much easier, because again, I talked about
that already, I guess: the easier access to decision-makers, personal buy-in from management. It's not an abstract concept what happens to this business if they get breached; the owner knows. I mean, they know that risk, it's keeping them up at night: what happens to my business? If I go out of business, these 300 people, these 200 people, these thousand people that I'm employing directly cannot eat tomorrow. That keeps them up. Also, easier experimentation and piloting. I mean, you have direct access to users, you don't have that bureaucracy, so you can push something out to a subset of PCs and it's much easier, because again, the bureaucracy. Now this last point I'm going to talk
about as a positive here; I'm going to talk about it as a negative later. A smaller environment increases the ability to know where everything is and what it does. I mean, the first thing we do when securing is we have to know what we're securing; we have to do an asset assessment. It's a lot easier to do that when you have three rooms, four rooms, even at 200. You can almost walk around and inventory manually. You don't want to, but you can confirm: you can look in every room and say, "Wait, I just counted 203 PCs, but I only see 202 in Active Directory or in the asset
inventory." And with that, it's also: when someone asks you a question, you can pull that up in your mind instead of just having to look at some sheet, because obviously you don't know everything about 1,500 PCs or 2,000 PCs or 32 servers, but if you have 8 servers and 300 people, you can know them. So that, again, talking about it as a positive; I'm going to shift that in a second because it does have a negative side, obviously. So then, how. Obviously I like to make things practical. There are different approaches, obviously, because you can't just say, "Oh, this worked really well at this large business, let me apply this." We were
working with a relatively small manufacturing company, about 250 people, and they brought in this guy who had previously been a CISO at a huge company, hundred thousand people, huge company, and he started moving to consulting. And he just kept saying, "Oh, just do this, it's easy, just do this, just implement the firewall rules." I'm like, sure, that might be easy if your networking team is thirty people, which he mentioned that his networking team was around 30 people. If you already know the environment, that will help, but it's a lot harder when you have one guy on site, one sysadmin who's already overworked, who's also the database admin and everything else, and
you're telling him to just implement these firewall rules, and I'm laughing at him, like, you know how much testing that is? Sure, if you have 30 people, you know, in one hour they can spend 30 man-hours. I mean, you do obviously have to think about things a little bit. So in my bio, as you mentioned, it says that I threat model everything and I risk assess everything. I am NOT a typical quant; I am not someone who just sees numbers for everything. But the thing is, we as an industry are terrible at this: we do not threat model. We do not want to do risk management and assessment because we want to
do what's fun, what's shiny, what's cool. But risk assessment and threat modeling is even more important with small and medium businesses, because the thing is, you don't have all of these resources to throw at things. If you only have limited resources, you have to say: what actually is going to happen to me, what is most likely to happen to me, and how do I prioritize and secure against that first? What is it that the business has that they do not want to lose, their crown jewels? Do that first. Don't just come in and say, "Well, I heard about Meltdown and Spectre, so I'm gonna spend all my time protecting against that." You know,
that may not be the right way to do it. Understand the types of attacks and the threats to expect, and then do not attempt to secure the same way a large enterprise would. Okay, and this applies no matter what size business you are working with. This is a really simplified definition of threat modeling, but: know what you're protecting and know what you're protecting against. You're not gonna secure two items the same. You're not gonna secure, you know, a little kick scooter and a Tesla the same; you're gonna have to secure them differently. So you have to think, you
have to know where your data is, you have to run through data classification, you have to find where your crown jewels are, and you have to also know, as a small business, what most likely are my attacks. Now obviously if you're working in a huge company, if you're working at Google, you do need to protect against just about everything, but that's different. Here, most of us should know the defender's dilemma, we're all blue teamers: "an attacker only needs to exploit one weakness, but a defender needs to protect against all weaknesses." I think that's wrong. I think that is wrong, it's misleading, and it's scary, because the thing is, especially at a small or medium
business, an attacker is never gonna use all weaknesses. They're going to get to a certain point, they're gonna give up, because "why am I even trying to attack this anyway? I don't even know what this company does." They're gonna give up. So I say, and it's my definition of the attacker's dilemma, it is a bit different, but the reality is that not enough people are talking about the attacker's dilemma. I think this is how we need to reframe it: a defender only needs to make it too expensive for an attacker to exploit a target, given the value of that target. I'm going to repeat it and then I'm going to explain it: the defender needs to make it too expensive
for an attacker to exploit a target, given the value of that target. So instead of the typical definition of the defender's dilemma, which is: you're on a boat with a thousand holes and you're one person and you need to plug all those holes, and here is this picture of someone frantically running around trying to plug all these holes with only ten fingers and ten toes, and that's obviously never going to work. But the reality is there are two things that typically are going to happen to small and medium businesses: phishing, I mean really the non-targeted attacks, opportunistic attacks as I like to call them, because they're more automated things. So we had the same guy who kept
saying, "Oh, it's so easy, just, you know, just change these firewall rules." When he came in, the very first thing that he just kept saying we needed to do was hard drive encryption. Now, not a bad thing to do, a great thing to do actually, but he just kept saying, "Just push hard drive encryption now, just push BitLocker out, just push it out." And he's like, "Why don't we just do that? Let's do that first." Now, thinking of threat modeling for a second: what are you trying to get at, and what do you have to do for hard drive encryption to even matter? One, that means you're trying to get a hard drive. It's not in transit,
where you're trying to catch things on the network; you're trying to get a hard drive. So how would you get a hard drive? Well, you have to be in the building and then you have to actually remove it. Okay, in most of our environments there's not a lot of salespeople, so aside from three laptops, sure, you can push BitLocker to three laptops pretty easily, or you can send them new laptops if there were remote salespeople. But let's say you have 200 PCs; just pushing BitLocker, what are you actually getting out of that? Why not, you know, maybe secure your building a little bit? And honestly, this is the only place I've
ever not been able to talk my way into it; I've never been able to talk someone into something. Finally, one day he said it again in a meeting, he said it with the CEO, and he just said, "We need BitLocker pushed everywhere," and I just, in a fit of rage, do not do this, do not be me, but I just stood up and I'm like, "Okay, so you must think that the physical security of this building is so bad that someone's gonna steal a hard drive. Let's get facilities in here right now, let's get them in here, let's let them address your concerns. Or how about, let's do this:
if you're so concerned about hard drives being stolen, which that must be what you're concerned about here, let's start locking the server room door." But here's what's worse. So in this case, you have to get in this building, you have to go into the IT office and then into the server room door, and neither of those doors are ever locked or closed. The reason that the server room door is not locked or closed is because the thermostat is on the IT side of it. So instead of having, you know, a secondary thermostat in there, having secondary air conditioning, no, they don't even close or lock it. And then there's, what, the exit door is
not closed, and this is so that the trash can be taken out at night. But that's the thing: so often we hear something, and I use Meltdown and Spectre as examples, because the thing is, for someone to use speculative execution threats against you means that they have tried everything. But also, to patch against those things, a lot of times you have to reduce your... no, it's not a bad thing to patch; I think you should patch all the things, I'm going to talk about that again in a second, but that's not what you should rush to be doing if you're still exposing port 3389 to the Internet but you're so
concerned about Spectre and Meltdown and you're spending all this time on emergency patching windows; maybe spend it on emergency port-closing windows. And that's my whole point here: you should be estimating what happens to the business if something happens, and the likelihood of that happening. And I know that obviously we don't have all the data, but you do know, especially as small and medium businesses, but really any business, that is the first thing. If you aren't confident that you can protect against phishing and ransomware, we don't even deserve to be talking about the other things yet. I gave a talk on that in Vancouver a couple of months ago where essentially my whole topic was
we as an industry don't even deserve a lot of these nice fancy things, where we're sitting talking about things like MFA bypass when no one would ever need to use that, when most of your users will still click "Yes, this was me." I was listening to a pen tester who says, "I'm the worst pen tester in the world. Most of what I do is I'll just request the MFA key, and nine times out of ten your user will say, 'Yeah, this is me,' and then I'll get into their cloud dashboard." It's not even just users. He's like, "I've never had to use any of those MFA bypass tools
that people are talking about." So let's start protecting against some of those things before we get all excited about the shiny things. And shiny things, I mean, it's fun to talk about all of these threats, but when it comes down to it, you need to actually protect your environment and not just protect against imaginary things. So that comes down to hardening, and this is again kind of my own somewhat funny take on the typical definitions of hardening. So hardening comes down to three major things. Principle of least privilege, which as I define it is: an account shouldn't be able to access anything that that account shouldn't have access to. Yeah,
makes sense. I mean, obviously you can phrase that a thousand different ways, but essentially: I do a lot of mergers and acquisitions, and we came into a company, they'd bought another company, and, I don't know how familiar all of you are with AD, but the Domain Users group was in the Administrators group. Not Domain Admins, the built-in Administrators, which is bad. That means essentially every single account can do everything that they need to do, for the most part. And the whole reason for that was that users needed to be able to remote to multiple different laptops, multiple different PCs, from home. I mean, there's a
whole group for that, for remote access, there's a group for it. But it was, I mean, so that's principle of least privilege. Obviously most of us know that shouldn't happen, but it does. It comes down to: limit your access as much as you can. Then the principle of least functionality, similar definition: a machine shouldn't be able to do anything that that machine shouldn't be able to do. So that's, you know, you don't really need Candy Crush on that laptop, do you? I love that in Windows Server 2019 they removed it, but in Server 2016, Windows Live Authentication was a default service. Now, it was never enabled, but
it's still just, every time I'm looking in there: why do I have a Windows... no, not Windows, like an Xbox Live, sorry, Xbox Live Authenticator on my server? If anyone ever used that, I would love to hear why, but in a real production... And then, again I'm simplifying everything, but: encrypt all the things, patch all the things. I made a joke about hard drive encryption, but at the same time, I mean, encrypt what you can, especially in transit. I mean, please be removing your XP machines and your Windows 7 machines; you can't encrypt SMB traffic if you still have Windows 7. And then patch all the
things. I mean, this whole slide could be two or three different talks, so I'm going through it quick. "Open source everything": I don't know how well you can see that in red, but please don't. Now, I'm a huge open source fan. If you're more interested in what I have to say about open source, at the end when I give my slides, there is a talk that I gave yesterday, actually, in Knoxville, called "Starting from Scratch: Building a Security Program in 365 Days," and I talked a lot about every single open source tool I use. I use a lot. But it may be nice to use all open source in a large environment,
but as we all know, open source does cost less, but it costs more in human resources, it costs more in technical resources. You need to know more and you don't have time to know more. Don't just say, "Oh, I'm gonna build this from some open source thing." Consider actually paying for it. The larger the company gets, the more resources you have, the more I say, yeah, try to use open source; there's a ton of benefits for it. If anyone here works at Splunk, I'm sorry. You may not need that million-dollar SIEM; even if you can afford it, you probably don't need it. There are a lot of great tools out there. Again, I don't make a lot of
friends when I'm talking, because I like to call Splunk "the coffee break SIEM," in that essentially you do a search, you go get coffee and come back, you realize your search has just finished but you probably wrote your query wrong, then you go and take a second coffee break and thirty minutes later you might have something. You have to consider carefully what resources and scenarios need to be monitored, especially if you are using Splunk. I'm not against Splunk, it's a great product; it's just, I think it is a syllabus, it's just not always. But consider what resources and scenarios need to be monitored. Now, the
benefit in a small environment is that you can potentially monitor everything, because there's less things to monitor. But at the same time you may only be able to monitor a few things, and my favorite choice, if you can only monitor one thing: DNS logs. If you can only do one thing, get your DNS logs and monitor them. Mark Baggett has some really cool tools for enriching DNS logs, I probably should have put those on the resource slides at the end, but really cool tools where you can see how randomized it is, if it looks like DGA, if it looks like a random non-legit website, and also how young it is, because we've done this in our internal network
where essentially we block any domain that was registered in the last 30 days. Not had a single... I know if you're a DevOps shop it's gonna be different, you are gonna be registering domains; if you're dealing with web admins it's gonna be a little different, you might have separate policies for that. But it's something like 90% of all phishing attempts are made by domains that were registered in the last 24 hours. So getting your DNS logs and enriching them, right, that is extremely important. And then I haven't talked about it too much, because again I don't want to seem too biased, but there is a reason to consider an MSP and MSSP
if you're a small business. It's not always the right tool, but I mean, if you don't want to have to learn WSUS and start patching all of your servers, they'll have great tools, an RMM, a remote management tool, to patch your servers. An MSSP can be a benefit. I know, again, it's generally a dirty word, but it doesn't have to be. If you need a consultant, especially, I'm a huge fan of boutique MSPs, the smaller ones that can actually devote time to you; that is ideal. So, a transition plan. This is what I like to call the outgoing insider threat, because the reality is, like I said, one of the benefits of small and medium businesses is that
one person can know everything; then the negative is that one person knows everything. When they leave, they know everything. So you have to protect their knowledge a little more, you have to lock things down even more, you have to consider this in advance, because you may not even know what people use. There was an MSSP that I was talking to the other day that actually built their own password tool internally, where every time a password was accessed it was logged. Now, all of their staff could access almost every password, I didn't love that, but what it did is it showed what passwords they've accessed, and that is actually great. You want something to show, you want to log
what keys, what certificates, who has what, because you need to have a transition plan, you need to have a password change plan. This is also a fairly easy one: ensure that there is a CFAA warning in your exit interview or termination process. That is a good way to scare the crap out of someone: "By the way, misuse any of this computer information that you have, try and access our network remotely later, and you'll go to jail." So talk to legal about that, get that in writing. I have just seen the look on people's faces when they have this kind of smug "Oh, I'm gonna get you," and at the moment
that you talk about CFAA... Backup data. Check your backup, test your backup, alert on your backup, check your alerts and resolve your alerts. Backups are not fun, but if you've never tested your backup, you don't want to do it after a ransomware attack. Test it, honestly. With the new ransomware that's out there that will encrypt your backups, it'll go in, it'll live... I believe SamSam, Ryuk, all that family will essentially sit in your network and it will encrypt your backups as they're happening, weeks before you even know. So I'm starting to try, as often as possible, every single day, to restore one backup.
Okay, I'm gonna wrap up really quick, easy slide. SMBs are important, they're targeted, they're securable, you need to back up, and then threat modeling and risk assessment are even more important in small businesses than enterprise environments. My slides: you'll see them if you add me on Twitter, I'll post this link, and then homebrew SATCOM or glass talks, you can see my slides. Thank you so much for listening to me. [Applause]
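The DNS-log advice in the talk (get your DNS logs, enrich them, flag names that look like DGA output, block domains registered in the last 30 days with a separate policy for your own dev domains) as a worked example. This is an added illustration written for this page, not code from the talk, from the speaker, or from the Mark Baggett tools he mentions. The resolver log lines, the registration-date table, the fixed "today", the entropy and vowel thresholds, the allowlist, and every function name are constructed assumptions; a real deployment would replace the table with an RDAP or WHOIS lookup (or a passive-DNS feed) and tune the thresholds against its own traffic.

```python
"""Enrich DNS query logs: flag DGA-looking names and newly registered domains.

Added example, not code from the talk or any tool it mentions. The log lines
and the registration-date table are constructed for this demo; a real
deployment would fetch registration dates from RDAP/WHOIS.
"""
import math
import re
from collections import Counter
from datetime import date
from typing import Dict, List, Optional

# Constructed sample of resolver log lines: "<date> <client> <qname>".
SAMPLE_LOG = """\
2019-08-10 10.0.0.21 www.example.com
2019-08-10 10.0.0.21 mail.example.com
2019-08-10 10.0.0.44 xk3q9vz7t2bqlm.net
2019-08-10 10.0.0.44 invoice-secure-login.info
2019-08-10 10.0.0.17 cdn.example.org
"""

# Constructed registration dates keyed by registrable domain (stand-in for
# an RDAP lookup). The DGA-looking name is deliberately absent to show the
# "registration unknown" path.
REGISTRATION_DATES: Dict[str, date] = {
    "example.com": date(1995, 8, 14),
    "example.org": date(1995, 8, 31),
    "invoice-secure-login.info": date(2019, 8, 3),
}

TODAY = date(2019, 8, 10)        # fixed "now" so the example is reproducible
NEW_DOMAIN_DAYS = 30             # the talk's policy: block domains younger than 30 days
OWN_DOMAINS = {"example.com", "example.org"}  # assumed allowlist for a dev shop's own domains


def registrable_domain(qname: str) -> str:
    """Reduce a query name to its last two labels (toy public-suffix handling)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random DGA labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(qname: str) -> bool:
    """Heuristic: a long leftmost label with high entropy and few vowels."""
    label = registrable_domain(qname).split(".")[0]
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) > 3.3 and vowel_ratio < 0.3


def domain_age_days(qname: str) -> Optional[int]:
    """Age of the registrable domain in days, or None if registration is unknown."""
    reg = REGISTRATION_DATES.get(registrable_domain(qname))
    return (TODAY - reg).days if reg else None


def classify(qname: str) -> Dict[str, object]:
    """Enrich one query name; verdict is allow, block_new_domain or flag_dga."""
    rd = registrable_domain(qname)
    age = domain_age_days(qname)
    dga = looks_like_dga(qname)
    if rd in OWN_DOMAINS:
        verdict = "allow"                # your own registrations get a separate policy
    elif age is not None and age < NEW_DOMAIN_DAYS:
        verdict = "block_new_domain"     # registered too recently: block, per the talk
    elif dga:
        verdict = "flag_dga"             # unknown age but random-looking: alert on it
    else:
        verdict = "allow"
    return {"qname": qname, "domain": rd, "age_days": age, "dga": dga, "verdict": verdict}


def enrich_log(text: str) -> List[Dict[str, object]]:
    """Parse '<date> <client> <qname>' lines and classify each query."""
    results = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+(\S+)$", line.strip())
        if not m:
            continue                     # skip blank or malformed lines
        when, client, qname = m.groups()
        rec = classify(qname)
        rec.update({"when": when, "client": client})
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in enrich_log(SAMPLE_LOG):
        print(f"{rec['client']:<10} {rec['qname']:<28} age={rec['age_days']} "
              f"dga={rec['dga']} -> {rec['verdict']}")
```

The ordering in `classify` matters: a domain that is both young and random-looking is blocked on age first, since the talk's 30-day rule is the cheaper, less false-positive-prone check, while a random-looking name with no registration record is only flagged, not blocked, so that the analyst (not the resolver) decides.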