
Big Security for Small Businesses

In the world of information security, small businesses and the security needs of small businesses are often overlooked

In the world of information security, small businesses and their security needs are often overlooked, particularly in the realm of application security. When you look at the investment required to build a robust application security program, it often doesn't make sense financially: an "enterprise" scanning tool, combined with the required hosting infrastructure and the salary of a security specialist, and, for the sake of argument, static analysis tacked on, will easily cost more than $120,000/year, which is decidedly cost prohibitive for a lot of smaller companies. This presents a significant problem because, from an attacker's point of view, hacking the little guys is easy. Simply put, when it comes to handling attacks and incidents, small companies are at a significant disadvantage, as they frequently lack a dedicated security team, let alone a single security specialist. So what's the best way to maintain a secure infrastructure without breaking the bank?

Minimize Your Attack Surface
As companies grow, scaling up becomes a big challenge from a lot of different angles. With regard to technology, scaling can loosely be thought of as enhancing your infrastructure and technologies to provide a wider service offering that is efficient and reliable. By this definition, scaling technology and services means adding more "stuff" to the mix. What does this mean for you? Security scales inversely: as your infrastructure grows, your attack surface grows with it, and so does the number of security risks. That is how insecurity scales.

As your capabilities expand, look at the technologies that power your business and make every effort to ensure that when it comes to exposing assets, applications, and functionality, the only things exposed are those that are required to deliver your service. Always ask yourself, does this need to be online? What happens if it gets hacked? How can we keep it from getting hacked?

Understand the Power of Patching
We're all familiar with the expression, "the best offense is a strong defense," and while that could be debated, assume it's true if you're a small business. As a small business, you lack the ability to defend yourself in comparison to larger companies (and even the big guys frequently fail at security). However, big companies have slow wheels and a monstrous attack surface, which means you can use your small size to your advantage and patch frequently and quickly. With a smaller infrastructure, changes can be made and patches can be applied much more rapidly; the harder part is keeping track of relevant security issues. To address this, I strongly recommend creating a dedicated security e-mail address (a security@ alias on your domain, for example); identifying the components your platform relies on, such as Apache, MySQL, PHP, Drupal, Oracle, etc.; and subscribing that address to the security and update feeds for each of them. Once security advisories and updates are available, evaluate their relevance to your system(s) and patch immediately.
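One way to turn "subscribe to the feeds and evaluate relevance" into a routine check, as an added example that is not part of the article: a small script that reads a vendor advisory feed and flags only the entries naming a component you run at a version newer than the one deployed. The Atom feed, the inventory and every version number are constructed sample data, and `triage()`, `INVENTORY` and `parse_version()` are this example's own names.

```python
"""Added example, not from the article: triage advisories from a vendor
security/update feed against an inventory of the components you run.
Every feed entry and version number below is constructed sample data."""
import re
import xml.etree.ElementTree as ET

# Constructed inventory: component name -> version deployed in production.
INVENTORY = {"apache": "2.4.10", "mysql": "5.7.22", "php": "7.2.3", "drupal": "8.5.0"}

# Constructed Atom feed standing in for the vendor feeds the article suggests.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><title>PHP 7.2.4 released (security fixes)</title>
    <summary>Several security bugs fixed; upgrade to PHP 7.2.4.</summary></entry>
  <entry><title>Drupal core security release 8.5.1</title>
    <summary>Fixed in Drupal 8.5.1. Earlier releases are affected.</summary></entry>
  <entry><title>MySQL 5.7.20 maintenance release</title>
    <summary>Bug fixes in MySQL 5.7.20.</summary></entry>
  <entry><title>PostgreSQL 10.4 released</title>
    <summary>Minor release, fixed in PostgreSQL 10.4.</summary></entry>
</feed>"""
ATOM = "{http://www.w3.org/2005/Atom}"

def parse_version(text):
    """Turn '8.5.1' into (8, 5, 1) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))

def triage(feed_xml, inventory):
    """Return (component, deployed, announced, title) for each entry naming a
    component we run with a version newer than the one deployed."""
    hits = []
    for entry in ET.fromstring(feed_xml).iter(ATOM + "entry"):
        title = entry.findtext(ATOM + "title", "")
        text = title + " " + entry.findtext(ATOM + "summary", "")
        for name, deployed in inventory.items():
            # Look for "<name> <dotted version>", e.g. "PHP 7.2.4", case-insensitively.
            m = re.search(r"\b%s\s+(\d+(?:\.\d+)+)" % re.escape(name), text, re.I)
            if m and parse_version(m.group(1)) > parse_version(deployed):
                hits.append((name, deployed, m.group(1), title))
                break  # one hit per entry is enough to put it on the patch list
    return hits

if __name__ == "__main__":
    for name, deployed, announced, title in triage(SAMPLE_FEED, INVENTORY):
        print(f"PATCH {name}: running {deployed}, feed announces {announced} ({title})")
```

Entries for components you do not run, or for versions no newer than what is deployed (the MySQL and PostgreSQL entries above), are dropped, so only the two actionable items reach the patch list.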

Take Advantage of Free Tools
Security tools are very specialized, but that shouldn't prevent your team from using them to some degree. Two excellent and free tools for web application scanning are Arachni and W3AF. Their capabilities are targeted at application security specialists; however, the scanning functionality can be tremendously valuable in helping your team scan a site or application for the same low-hanging fruit that attackers and bots routinely scan for, such as SQL injection and Cross-Site Scripting. Even if you don't have a security expert on hand, I strongly recommend downloading and installing either W3AF or Arachni, taking an hour to get familiar with the tool, and getting into the habit of scanning your application between releases so that easily identified vulnerabilities do not go unnoticed.

Have a Plan
The unfortunate truth is that one day, hopefully very far down the road, you will have a security incident on your hands. The severity of the breach will vary with the attacker's motivations, but data loss, destruction, and corruption are the outcomes that come to mind. For this reason, it's imperative that you have secure off-site backups. In addition to having them, take the time to verify the integrity of the data routinely, so that if and when it's time to restore from backup, the data is actually usable. As an additional note, when I say "secure off-site," I mean that access to those backups is one way, i.e., nobody can log in to your web server(s), read the SSH key/password from a backup script, and then log in to the backup server and wreck your data.
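A concrete form of the routine integrity check, as an added example that is not part of the article: the backup is written together with a SHA-256 manifest, and a restore drill unpacks it into scratch space and checks every file against that manifest, which is the only way to know the data is actually usable. It assumes the script runs on the backup host that pulls from the web servers (so no backup credential lives on a web server); the gzipped tar format, the sidecar manifest and the names `make_backup()`, `check_manifest()` and `restore_drill()` are this example's own choices.

```python
"""Added example, not from the article: a restore drill for off-site backups.
Run it on the backup host that pulls from the web servers, so the web servers
never hold a credential for the backup host (the article's one-way rule).
make_backup() writes an archive plus a SHA-256 manifest; restore_drill()
restores into scratch space and reports every file that fails the manifest."""
import hashlib
import os
import tarfile
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, archive_path):
    """Archive src_dir as gzipped tar and write <archive>.sha256 with one
    'hash  relative/path' line per file, in the sha256sum format."""
    with tarfile.open(archive_path, "w:gz") as tar, \
         open(archive_path + ".sha256", "w") as manifest:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                tar.add(full, arcname=rel)
                manifest.write(f"{sha256_file(full)}  {rel}\n")

def check_manifest(manifest_path, restored_dir):
    """Return the relative paths that are missing or whose hash mismatches."""
    bad = []
    with open(manifest_path) as m:
        for line in m:
            digest, rel = line.rstrip("\n").split("  ", 1)
            path = os.path.join(restored_dir, rel)
            if not os.path.isfile(path) or sha256_file(path) != digest:
                bad.append(rel)
    return bad

def restore_drill(archive_path):
    """Restore into a scratch directory and verify against the manifest;
    an empty result means the backup is actually usable."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses paths escaping scratch
            except TypeError:  # older Python without tar extraction filters
                tar.extractall(scratch)
        return check_manifest(archive_path + ".sha256", scratch)
```

Schedule `restore_drill()` on the backup host and alert on a non-empty result; a manifest that is stored with the archive only catches corruption, so keep a copy of it where the web servers cannot write.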

Last, and if you can afford it, I strongly recommend having a professional security assessment performed at least once a year, if not quarterly. Even if you are performing your own assessment and QA work, it never hurts to have an unbiased and different set of eyes to look at the security posture of your organization and your applications. Plus, if you're a small company or just getting started, it would likely be a pretty inexpensive way to get some valuable peace of mind.

More Stories By Andrew Brooks

Andrew Brooks is a security professional and frequent contributor to SingleHop. He has a long history of tracking down back doors, finding exploits, and solving complicated problems. We wish we could tell you more, but it's classified.
