Tag Archives: smb

Think it’s okay to keep running Windows XP?

From this Microsoft blog.

This was an eye opener to me. I would have thought XP infection rates were in the ballpark of Windows 7. And this is while XP is still supported!

While there is some obvious self-interest for Microsoft to promote migration from XP, my gut is that this is reasonable data.

What percentage of your computers are still running on XP?

Force Protection & SMB Information Risk Management

The term “force protection” entered the American military vernacular in the late 70’s and 80’s in response to several events. One of the key drivers, though not the only driver, was the activities of the Red Army Faction or “Baader-Meinhof Group”. This group was responsible for several bombings, assassinations, and kidnappings over three decades. As US bases and US military personnel were frequently the targets of these attacks (as well as attacks from other groups), the need to develop specific plans to protect ‘the rear’ began to be articulated. In effect, ‘the rear’ was no longer the rear.

Military organizations have always been aware of the concept of ‘protecting the rear’ or ‘covering your flank.’  However, the asymmetric, unpredictable aspects of these attacks put the military in the position of having to explicitly define a process for protection of assets that were not traditionally in harm’s way. Further, by naming and mandating the process, it was clear that some percentage of resources originally intended for forward operations would need to be diverted to support force protection. This was a shift in thinking.

I believe a similar thing could be occurring with managing information risk and security in small to medium-sized businesses (SMB’s).  Relatively suddenly, these businesses are finding themselves in hostile territory and if they want to stay in business, then they must dedicate some operational resources — whether marketing, production, R&D, revenue, etc — to support these protective and risk-lowering activities.

Early Marine Corps doctrine on force protection

I found a Marine Corps publication, “AntiTerrorism/Force Protection Campaign Plan” from 1998 that presents some operational concepts that could be helpful analogies to the issue of information risk and security for SMB’s.

The publication provides some definition of force protection:

In its purest sense, force protection is an overarching concept. It includes those procedural, training, equipment and leadership principles necessary to ensure … safety and well-being … In essence, force protection is an inherent function of [leadership] and as such should be an integral part of the way we do business on a daily basis.

Similarity in threat analysis

It goes on to describe analysis of the threat as considering a stool with three legs — Does the enemy have

  • motivation
  • means
  • opportunity

We can apply similar analysis to SMB information risk.

  • Does ‘the enemy’ (criminals or nation-state actors) have motivation to attack or compromise an SMB’s information assets? Yes, certainly. A successful attack provides 1) potential revenue, and 2) an attack point for attacks on other, possibly larger, more lucrative businesses
  • Do they have the means? Yes. They have readily available computers, pre-built networks for attacks, often anonymity, and sometimes protection from their parent state (country)
  • Do they have the opportunity? Yes. There are many poorly protected and non-resilient SMB computer networks available for attack.

Marine Corps operational doctrine on force protection (from 1998), paired with potential analogies in SMB information risk management:

  • Doctrine: “Force protection is an operational aspect of every mission …”
    Analogy: Resources are shifted away from marketing, R&D, production, etc. to support the SMB’s information infrastructure
  • Doctrine: Work to “eliminate the belief [by the enemy] that opportunity [for attack] exists”
    Analogy: Employ basic measures such as anti-virus, firewalls, managed/standardized computers, and awareness education to create an unappealing risk/value proposition for potential attackers
  • Doctrine: “The value of alarms and drills … [Leaders] at every level should develop recognizable alarms for potential emergencies and critical incidents.”
    Analogy: Rehearse disaster recovery and business continuity plans. Practice activities such as data recovery tests.

The US military found itself in a position of having to develop and evolve a practice to address a fairly sudden new threat that was also evolving, as well as unconventional, and unpredictable. Similarly, to remain relevant and to maximize their respective opportunities for success, I believe that SMB’s need to, in some manner, introduce information risk and security management into their daily activities as well.

Do you think there is currently motivation, means, and opportunity to attack your business?

Avoiding a Tragedy of the Commons

So maybe SMB Information Risk & Security doesn’t have to be a Tragedy of the Commons.

Admittedly, at initial glance it appears that it has to be. So many SMB’s have so few resources — they rarely have security expertise, typically have very little IT expertise, and probably zero information risk management expertise. Again, the reasons for this are not difficult to see. Their resources are limited and many of the traditional enterprise approaches to risk and security simply don’t scale down cost-effectively. 

What’s one more fish?
(Image by Earth’sbuddy [CC-BY-SA-3.0] via Wikimedia Commons)

This is why risk and security for SMB’s can appear to be a Tragedy of the Commons. As discussed a couple of posts ago, a Tragedy of the Commons as introduced by Hardin in 1968 covers such scenarios as overfishing a portion of the ocean or overgrazing a pasture. Each individual actor, whether fisher getting one more fish or farmer putting one more cow on the pasture, contributes to the demise of the shared resource for all in the long-term while acting on self-interest in the short-term.

Similarly, that post suggested that the Internet is a shared resource for SMB’s. When an individual business is attacked, 1) the business can suffer itself, and/or 2) the business is used as an attack platform against other businesses, which diminishes, i.e. depletes, the utility of the resource. However, in the short term, the SMB has a hard time justifying risk management and security investment on its own behalf because it requires internal resources bound for marketing, R&D, production and similar.

Solution to Prisoner’s Dilemma Approach

The Tragedy of the Commons idea introduced by Hardin is similar to the Prisoner’s Dilemma, where it is assumed that there is no (or little) communication between actors – prisoners, in this case. While working independently and integrating previous and existing research, Elinor Ostrom, 2009 Nobel Prize Winner for Economic Sciences (shared with Oliver Williamson), showed that there were many examples of successful sharing of a common pool resource (CPR). She asked the question, “Are rational individuals helplessly trapped in dilemmas?” To answer this, she studied irrigation systems in Nepal, forests around the world, fisheries, police and government systems, as well as studies in her own laboratory.

Among other things, she clearly pointed out that there was indeed communication between the actors that were successfully sharing a Common Pool Resource. Further, a key component amongst actors in successful common sharing was trust.

Polycentric Governance Success

What follows is a number of her observations from her Prize Lecture entitled “Beyond Markets and States: Polycentric Governance of Complex Economic Systems”. I am not suggesting that these observations directly map onto the Common Pool Resource problem of SMB’s sharing the Internet. However, I do believe that they are worthy of reflection in this context and can serve as the basis for further discussion. (That said, I think the title itself may hold clues to the SMB Tragedy of the Commons problem.)

  • panaceas are potentially dysfunctional
  • small to medium-sized cities are more effective monitors of performance & costs
  • dissatisfied citizens (group members) can ‘vote with their feet’ and move to another group
  • large, incorporated communities can change contracts with external providers, but urban, less structured, districts have no voice
  • Regarding police in metropolitan areas, a large number of direct service producers (e.g. patrol) was more efficient, while a small number of indirect service producers (e.g. dispatch, crime lab analysis) was more efficient — that is, the most efficient arrangement was a mix of large and small
  • complexity is not the same as chaos and it is often worth the investment to better understand the complexity
  • groups that did not communicate were more likely to overuse the shared resource
  • 5 types of property rights discovered, not just one (access, withdrawal, management, exclusion, & alienation rights)

Successful shared resource scenarios tended to have these traits:

  • boundaries of users & resource are clear
  • congruence between benefits & costs
  • actors had procedures for making their own rules
  • regular monitoring of resource and actors
  • graduated sanctions (against rule violators)
  • conflict resolution mechanisms
  • minimal recognition of rights by government
  • nested enterprises
  • users/actors themselves are active monitors of resource consumption (i.e. not a 3rd party)

Other observations:

  • users monitoring resource themselves more important than type of resource ownership
  • stronger when local communities have strong rule-making autonomy and incentives to monitor
  • behavioral theorists now looking at actors/individuals where individual is boundedly rational, but can learn
  • learning to trust others is central to cooperation
  • healthy resources have actors/users with long-term interests in the resource and invest in monitoring and building trust

What are the parallels between these observations and the issue of securing SMBs on the Internet as a Tragedy of the Commons? Should government intervene? (These observations don’t make a strong case for it.) Should trade groups organize rules? Should small, geographically similar SMB’s develop their own working groups somehow? Should SMB’s of similar size across the globe organize and develop membership rules regarding Internet participation? Are there other natural alignments amongst SMBs?

How do we increase the safety and security and lower the risk profile of SMB’s on the Internet?

SMB Information Risk & Security — A Tragedy of the Commons?

Do small and medium sized businesses (SMB’s) erode their common resource, the Internet, by not making an investment in managing information risk and security in their own operations?

Garrett Hardin — between a rock and a hard place

Garrett Hardin (1915-2003) introduced the idea of individual actors depleting a common resource in his 1968 paper published in Science entitled The Tragedy of the Commons. The idea is that individuals, making use of a common resource, will make decisions in their own interest to the detriment of the group as a whole — even knowing that they are a part of that same group that will suffer.

Overfishing

A classic example is overfishing an area. In theory, all of the individuals fishing know that if they catch more than X fish in a certain period of time, they are contributing to the permanent depletion of that resource — which ultimately affects them. However, when thinking for themselves, they think, ‘if I don’t get that extra fish, someone else will. So it might as well be me.’

Another example is multiple farmers with cows grazing on the same common pasture. Some number of total cows is sustainable, and the grass will regrow in time to continue feeding all of the cows. Beyond that point, the pasture will degrade until it is eventually totally consumed. While overgrazing is detrimental to all, each individual farmer thinks, ‘if I don’t maximize this and put more cows on the field, I’ll suffer in the short term — I’m not even thinking about the long term. I’m just trying to keep up with or beat the farmer next to me this week.’ As a result, the resource becomes completely depleted.

Hope on the horizon?

Elinor Ostrom (1933-2012) received the Nobel Prize for her work showing that in many systems with a common resource, individuals communicate with each other and develop working relationships such that the resource is not depleted.  More on her work in a subsequent post.

Elinor Ostrom — maybe we can figure it out

Internet as Common Pool Resource (CPR)

It’s not hard to draw the analogy of Internet as common resource for SMB’s (as well as large enterprises and consumers).  When a company connects to the Internet, it is participating in that resource.  It gets value from the resource.  It also has the potential to harm the resource, and in effect, deplete the resource.

Large enterprises have more resources available for risk management and security activities and can be more motivated to protect their own investments.  I would hazard a guess that, on average, SMB’s have more risk tolerance than most large established enterprises.

When an SMB is attacked or ‘compromised’, a couple of things can happen: 1) the SMB suffers financial or reputation loss or both, and/or 2) the SMB’s resources (computers) are used as assets to attack the computers of other businesses.  This weakens, or depletes, the community resource.

SMB’s typically have fewer resources than their large enterprise counterparts. It’s a hard decision to divert limited cash from marketing, production, and R&D to spend it on information risk management and security. However, not investing in security and risk management significantly exposes them, as well as the common pool resource of the Internet, to harm.

So whose responsibility is it?  SMB’s represent a large portion of the workforce, with each workforce member potentially with one or many computing devices.  If SMB’s aren’t motivated to invest in risk management and security, this means that a substantial part of the economy is operating while poorly protected.

Should SMB’s be held accountable if their computers are hacked and then used to attack other computers? Should SMB’s have a minimum standard for computing devices, to include smartphones? Would this stifle innovation? Should trade organizations establish standards?  The government?

Or, do SMB’s simply represent a tragedy of the commons?

Meet the New Boss … Reincarnated malware returns to SMB’s

Same as the old boss …

A popular form of malware called ZeuS/Zbot has made a comeback and SMB’s are particularly at risk.  Initially identified in 2007,  the malware typically steals user credentials for banking activity.  SMB’s have higher risk exposure because they typically don’t have the resources for risk and security programs.  One SMB, a Maine construction company, was robbed of almost $600,000 in 2009.

ZeuS/Zbot source code is known to be readily available on underground informal networks as well as, apparently, even available for sale.

Back because it works

Once thought to be largely eradicated, ZeuS/ZBot is back because of market analysis and software upgrades.  SMB’s typically have a richer target (bigger accounts) than individuals and are also generally less protected than larger businesses.  Facebook is also providing a new and effective ‘attack vector’ for getting the malware onto user computers to steal data.

How does it work?

ZeuS/Zbot uses a ‘Man-In-The-Browser’ (MITB) attack. Once a machine is infected, Zbot is able to monitor web activity and watch for particular banking sites. User credentials are copied and replicated in a database maintained by the attacker. With this information, attackers or their proxies (‘mules’) can log in and transfer money wherever they’d like. By downloading a configuration file established by the attacker, the list of banking sites can be updated.

Prevention/due care activity for SMB’s includes:

  • Move banking activity to dedicated machines used for no other purpose than banking
  • Educate employees on threats, risks, and behavior
  • Review high risk accounts (e.g. big balances) and access/authorization to them
  • Keep antivirus/antimalware software current
  • Implement a simple information risk management plan (Shocking!)

What percentage of your computers have current antivirus scanning? How do you know?

Poorly Defended & Under Attack — SMB’s in the Spotlight

Cyberattacks on Small and Medium-sized Businesses (SMB) continue to grow, causing damage to the individual SMB’s as well as the international business network infrastructure itself.

Why attack SMB’s?

SMB’s are under increasing attack for several reasons:

  • They are often poorly defended because of resource constraints
  • They are typically connected to other SMB’s and larger organizations, providing an attack path (or ‘attack vector’) to other businesses
  • There are a lot of them

Simply because of their size, SMB’s are typically poorly defended because they are resource constrained and don’t have the IT and/or security expertise on staff.

A recent UK survey showed only 14% of SMBs thought that cyber security threats were of highest priority and felt that they had sufficient skills and resources in place to manage the threat.  In another study commissioned by Microsoft, AMI-Partners found that of Involuntary IT Managers (non-technical staff assuming technical duties) surveyed:   

  • 30% thought IT management was a nuisance
  • 26% did not feel qualified to manage IT
  • 60% wanted to simplify their organizations’ IT systems to make their management more feasible

SMBs are easy and lucrative for attack

The AMI-Partners survey was of 538 Involuntary IT Managers across 5 countries in companies of 100 employees or less.  The survey also found an aggregate loss of over $24 billion due to inefficiencies stemming from the Involuntary IT Manager not performing their primary job duty.

Another reason for targeting SMB’s is that their interconnectivity with other businesses can provide an attack path to larger businesses.

Finally, there are a lot of SMB’s. In industrialized countries, a few very large companies live side by side with many small and medium-sized companies.

What to do about information security and risk management in SMB’s?

That, then, is the question.  The resource constraints that SMB’s face aren’t going to magically disappear anytime soon.  Should the government assist? Or conversely, should that security and risk management be a cost of doing business for the SMB?  Should SMB’s face penalties for insecure environments or poor infrastructure support practices? Will that stifle innovation?

I lean towards a hybrid solution where the SMB is responsible for knowledge and awareness of itself and its information risks, but I would like to see the government make resources available to SMB’s (or support industry groups to do the same).  These resources could include:

  • simple guidelines and minimum configuration standards.  (Some of the current policies and directives are so convoluted and difficult to read as to be impossible to implement.)
  • simple asset inventory tools
  • network mapping tools that assist SMB’s with self-documentation
  • simple penetration test tools coupled with results analysis tools
  • simple risk management tools

SMB’s themselves, professional organizations/networks, or governments must find a way to better educate and prepare SMB’s.

  • How do you think SMB’s should manage their IT & Information Management systems?
  • What do you do to protect your business?  
  • Do you actively manage information risk?
  • Do you turn it over to someone else?
  • How well do you understand your exposure to cyber attack and compromise?
  • Do you avoid it altogether because it’s simply overwhelming?

Managing Small Business Rival Online Trash Talk

Per a recent Wall Street Journal article, competing small to medium businesses with questionable ethics can have an effect on your business via online posts.  A 2011 survey shows that of consumers surveyed:

  • 80% changed purchasing decisions based on negative online reviews
  • 87% did the same based on positive reviews
  • 69% did online research before buying
  • 64% read consumer/user reviews
  • 42% read articles and blogs

WSJ suggests the following:

  • Be alert for rival activity — negative messages are often the same or similar across multiple sites
  • Take your suspicions to site administrators
  • Once posts are gone, follow-up on forums to remove any lingering suspicions (old posts can still show up on Google searches)
  • If any attacks were effective, supply a Q&A on your web site or social media page
  • When countering claims, keep cool — keep your tone helpful & neutral
  • Develop a presence in relevant online forums early, before an attack happens — this will give you credibility when you have to respond to attacks

More here.

Cloud Security Alliance Establishes SMB Working Group

The Cloud Security Alliance (CSA) has established a new working group for small and medium sized businesses.  The group plans to:

  • Provide guidance to SMB’s on cloud services
  • Help cloud providers better understand the SMB market and SMB needs
  • Create an SMB version of the CSA Security Guidance along with supporting materials
  • Organize online workshops to identify SMB cloud services requirements
  • Issue a CSA SMB Cloud Guidance document by the end of the year

This is a good thing …

More here.