Business World Intelligence - http://businessworldng.com/web
Top 10 Threats to SME Data Security
http://businessworldng.com/web/articles/1119/1/Top-10-Threats-to-SME-Data-Security/Page1.html
By Abimbola Tooki
Published on December 9th, 2009
 
Abimbola Tooki reports on the 10 most dangerous threats small organisations should watch out for in 2010.

Introduction
The mass media that covers IT often fixates on network security issues that are sensational, yet rare. If you follow IT issues too, you’ve probably seen the extensive reporting of a virus or a worm that refers to a notorious celebrity – even if in reality it is low-risk and slow-spreading.
Sometimes the mainstream reporting on network security isn’t even factual. The upshot of all this sloppy reporting is that it’s difficult to find reality-based, accurate reporting on what the network security threat really is today for the average business.
WatchGuard Security, a global security outfit, in its latest report listed the top 10 most common vectors of data compromise from its experience as security analysts for SMEs. The report also suggests practical techniques and defences to counter each vector.
The observations in the new report are to assist small businesses reach their internet safety goals – so that you don’t find your organization as the subject of the next sensationalized (and possibly exaggerated) data security headline.
Last year, WatchGuard passed the milestone of 500,000 security appliances installed. The majority of these installations occurred at businesses having between 20 and 1,000 networked users. The report views a “typical” SME network as having qualities like: fewer than 3,000 networked devices; most of the computers running Windows within one release earlier or later than XP SP2, with Vista in the minority; a few Linux or Unix servers; up to 20 per cent of users on Mac OS X; heavy use of the Microsoft Office suite and Internet Explorer; Exchange server; and SBS. Alternate software might be present, but does not dominate (for example, the IT staff might use Firefox but most users do not). Other attributes include services that are either self-hosted or staged by an ISP, and end users who connect via Wi-Fi, whether at company headquarters or out on the road (probably both).

Top 10 Threats
While the report expresses confidence in the list of identified threats, it says any attempt to rank them by how frequently they occur is subjective. “We believe that Threat No 1 happens far more often than Threat No 10, but the exact ranking is not really the point,” the report said. “Our goal was to identify the most common data security failures so that an IT staff can address them explicitly and intentionally.
“Today, the internet must always be considered a hostile environment and to visit it carelessly is like visiting the toughest neighborhood in a big city after dark, flashing a roll of cash, and paying no attention to your surroundings. In short: unless you exercise caution, you’re asking for trouble.”

Threat No 10: Insider Attacks
The report investigated 500 intrusions in four years and could attribute 18 per cent of the breaches to corrupt insiders. Of that 18 per cent, about half arose from the IT staff itself. This indicates that senior management would do well to keep an eye on the IT staff.
Insider attacks occur less frequently in SMEs than in major corporations. This is attributed to environmental constraints. If an SME’s chief information officer is disciplined and diligent, poor practices are much easier to log, notice, and correct on a small network than in a network with tens of thousands of users. There is also more likelihood in SMEs that every employee knows every other employee. It’s harder to bury suspicious activities in a crowd when your co-workers are friends (or at least, not strangers). Plus, if corrupt people make up a percentage of the global population, in raw numbers, a smaller user population contains fewer corrupt people.
The flip side of this coin, though, is that a smaller staff more often entrusts sensitive duties to a single person, with no one co-responsible to provide checks and balances. A sensational illustration of the problem of entrusting too much to a single person played out recently when a disgruntled contractor locked an organisation out of its own new multi-million dollar fiber WAN network. He could do so because no one else on staff fully understood the network architecture. Resolving the situation cost the organization about $200,000.

Mitigating Inside Attacks
Implement the principle of dual control. Even if your key IT person has earned your complete trust, can your company’s work continue tomorrow if she gets hit by a bus? Implementing dual control means that for every key resource, you have a fallback. For example, you might choose to have one technician primarily responsible for configuring your servers. But at the very least, login credentials for those servers must be known or available to another person. Honest people tend to stay honest if they know that another observer could drop in at any time.
Formalize your hiring. If you’re still hiring on the friend-of-a-friend method, perhaps it’s time to step up to professional processes for hiring, including doing basic background checks. Depending on the type of data that resides in your network, criminal and credit checks might be appropriate, too. Always check the applicant’s references – that practice is essentially free.
Reduce opportunity for mischief. Many insider compromises occur opportunistically. Promote the policy of locking computers into password-protected screensaver mode when leaving a desk unattended. Remind your users not to share their passwords with co-workers (middle-managers trying to empower their staff typically are the worst at password overshare). Use firewalls internally to subdivide your network; for example, you can cordon off sensitive network segments such as R&D or HR to their own contained segments. Consider rearranging floor plans and furniture so that workspaces are open to more lines of sight, reducing chances for sneakiness. Resuscitate any security awareness campaigns that may have fallen by the wayside.

Threat No 9: Lack of Contingency Planning
Businesses that pride themselves on being nimble and responsive oftentimes achieve that speed by abandoning standardization, mature processes and contingency planning. Many SMEs have found that a merely bad data failure or compromise turns disastrous when there is no business continuity plan, disaster recovery plan, intrusion response policy, up-to-date backup system from which you can actually restore, or off-site storage. Each of these is considered a standard, base-requirement business practice, yet many SMEs treat them as “luxuries” and “overhead.” Though such practices don’t improve the bottom line immediately, your bottom line will experience much worse punishment if you procrastinate on contingency preparation until it’s too late.

Mitigation for Lack of Planning
Policy development has a reputation for being painful, but it doesn’t have to be that bad – nor all that expensive.
Certainly if you have budget for it, hire an expert to help you develop sound information assurance methodologies. If you don’t have much money to work with, leverage the good work others have done and modify it to fit your organization. These resources can help show you the way.

Threat No 8: Poor Configuration Leading to Compromise
Inexperienced or underfunded SMEs often install routers, switches and other networking gear without involving anyone who understands the security ramifications of each device. In this scenario, an amateur networking guy is just happy to get everything successfully sending data traffic back and forth. It doesn’t occur to him that he should change the manufacturer’s default username and password login credentials.
Hackers keep long, diligently maintained lists of default logins to virtually every networking device, from the most expensive switch to the cheapest printer. If the configuration hasn’t been changed from its default, anyone capable of doing a basic internet search could feasibly log into your network resources and take control.
Network settings must be chosen with diligence and care. On one hand, most vendors ship their products with wide-open default settings, in order to minimize calls for technical support. Even if you’ve bought very powerful network security gear, those powerful defences might not be turned on by default. On the other hand, mucking about with settings you don’t fully understand could turn off defenses, or put the device in an unsafe listening state. A lot of networking equipment uses terminology that is difficult to understand, or labels that improperly communicate what an option does.

Mitigation for Poor Configuration Choices
Always change the default username and password when installing networked devices. This requires no expertise and has no downside (unless you forget the password). Your password should be at least 15 characters long; using a favourite phrase from a movie, song, or scripture works well. The login credentials should be recorded and stored in a password vault that at least one other administrator can access.
Perform an automated audit scan. If you can afford it, hiring a penetration-testing organization to audit your network is a sound idea. But if you can’t afford to hire consultants, you probably can afford a one-time, automated scan of your network. And if even that surpasses your budget, get your hands on a free tool such as Nessus or Nmap and find out what is connected to your network. There are many, many vulnerability management products on the market at all price points. Regular use of one or more of them should be part of your network maintenance routine.
Have a consultant check you out. If you can tell you’re in over your head when you try to configure a device, get expert help. Your ISP can probably recommend qualified consultants.
Select solutions that are easy to use. When you add to your network, take advantage of free trials and hands-on demos. All SMEs love a bargain, but give extra consideration to products that make tasks understandable and easy. Getting a great price for gear you can’t understand is a false economy.
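The three checks the report asks for on every networked device (credentials changed from the factory default, a password of at least 15 characters, and the credential recorded where a second administrator can reach it) are easy to turn into a routine audit of your own device inventory. The script below is an added example and is not code from the article or from WatchGuard; the device models, the factory-default table and the inventory records are constructed for illustration, and a real run would read the inventory from your password vault or asset register and the defaults from each vendor’s documentation.

```python
"""Audit a device inventory for factory-default or weak admin credentials.

Added example, not part of the article or the WatchGuard report. All
device models, default credentials and inventory entries below are
constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 15  # the article's recommended minimum length

# Constructed table of factory defaults keyed by device model. In a real
# audit this comes from the vendor documentation for the models you own.
FACTORY_DEFAULTS = {
    "ExampleSwitch-24": ("admin", "admin"),
    "ExamplePrinter-X": ("admin", ""),
    "ExampleRouter-1": ("root", "password"),
}


@dataclass
class Device:
    hostname: str
    model: str
    username: str
    password: str
    vault_readers: int  # administrators who can retrieve this credential from the vault


def audit_device(dev: Device) -> list[str]:
    """Return a list of findings for one device; an empty list means it passes."""
    findings: list[str] = []
    default = FACTORY_DEFAULTS.get(dev.model)
    if default is not None and (dev.username, dev.password) == default:
        findings.append("factory default credentials still in use")
    if len(dev.password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if dev.vault_readers < 2:
        findings.append("credential not available to a second administrator (no dual control)")
    return findings


def audit_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Map each failing hostname to its findings; passing devices are omitted."""
    report: dict[str, list[str]] = {}
    for dev in devices:
        findings = audit_device(dev)
        if findings:
            report[dev.hostname] = findings
    return report


# Constructed sample inventory: one untouched device, one done properly,
# one with a changed but too-short password.
SAMPLE_INVENTORY = [
    Device("core-sw1", "ExampleSwitch-24", "admin", "admin", 1),
    Device("print-2f", "ExamplePrinter-X", "admin", "correct horse battery staple", 2),
    Device("edge-rtr", "ExampleRouter-1", "netops", "Tr0ub4dor&3", 2),
]


if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(host)
        for finding in findings:
            print(f"  - {finding}")
```

Running it against the sample prints findings for core-sw1 (still on defaults, short password, only one vault reader) and edge-rtr (password shorter than 15 characters) and nothing for print-2f, which passes all three checks. The passphrase check is deliberately a bare length test, matching the article’s advice to use a long phrase rather than a complexity rule.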

Threat No 7: Reckless Use of Hotel Networks and Kiosks
Virtually every business has at least one or two (if not a hundred) road warriors attending industry events, visiting prospective customers, and meeting with clients. These employees most often work from laptop computers.
Hotel networks are notoriously lousy with worms, viruses, spyware and malware and are often run with poor security practices overall. Public kiosks make a convenient place for an attacker to leave a keylogger, just to see what falls into his net. Laptops that don’t have up-to-date personal firewall software, anti-virus and anti-spyware can get compromised at kiosks. Then, the next time the employee attaches to the headquarters network, a smart attacker can use that compromised laptop as the first stepping-stone to penetrate your entire network.

Mitigating Reckless Use of Hotel Networks
Make sure your road warriors have comprehensive defenses on their computers. Any device that’s going to roam the wild and then return to your network should have on board, at minimum, anti-virus, anti-spyware/malware and a personal firewall. Make sure that these are all updated regularly.
Set and enforce a policy forbidding employees from turning off defenses. Workers used to shifting for themselves on the road often conclude, accurately or inaccurately, that laptop defenses are preventing them from doing their jobs. Many workers then disable the defenses. That practice might “solve” a short-term problem, but it also puts their computers at much greater risk. If you have IT personnel on call, your policy should be that workers are never to turn off defenses unless they call and receive authorization from you. Many popular anti-virus solutions can be configured so that they cannot be turned off, even by a user with local administrator privileges; check for such capabilities in your current solution.