Benjamin Caudill, a veteran penetration tester, has broken into organizations large and small, just about everywhere. In doing so, he has exposed security vulnerabilities and numerous pathways for hackers to do their worst to unsuspecting businesses.
Caudill, once dubbed a ‘deadly force that could easily penetrate and exploit a firm’s most private files’, has always been on the right side of the law: a good guy whose hacking is intended to strengthen cyber defenses. Today he is also founder and CEO of Seattle-based Rhino Security Labs, where he still performs penetration tests and application security assessments.
We recently asked Caudill to list the most vital cyber security considerations for the SMB, based on his extensive hands-on experience. Here is what he said.
Ignore the basics – at great risk. With security, certainly in the SMB, probably 80% of the attacks and threats can be mitigated by 20% of the protections that should be in place. These aren’t the sexy ones either. They are the basics, like password control, patch management, defining policies, educating all employees about being cautious about opening emails they can’t identify, and not making your Wi-Fi public. These basics are usually inexpensive, even free at times. Attending to basic security principles will make it very hard for the everyday hacker. Many of the successful attacks we have analyzed result from one or more of these basics simply not being followed or in place. Don’t be overwhelmed as an SMB when you read about the really big guys getting breached. They have their own problems. For the SMB, basics can and do make a big difference.
Attackers follow a path of least resistance. If you leave a door open at home, it doesn’t take a lot of sophistication to break in. Attackers are very opportunistic. Valid email addresses, a company website, and seemingly common things can be used for malicious purposes like hosting illicit content or sending spam emails. I see it very commonly, from start-ups to big companies, that the sense is ‘well, we aren’t a hospital or credit card company, so who’d want to hack into us?’ In the huge Home Depot breach a couple of years ago, one famous quote attributed to company managers when employees asked for advanced security training was, “We sell hammers.” But what was stolen was data on 56 million credit cards. That mentality is seen in all sorts of companies, certainly in SMBs.
Security goes beyond the technology. In reality, technology is a minority of what the overall cyber security focus should be. People, process and culture are what matter most. We worked with a large start-up whose culture was very open in every sense. Our penetration testing showed they were just Swiss cheese when it came to information security. They pretty much had all the technology in place. But you could walk in off the street and just about stroll into the data center. There was no badging, no questioning of people. Technology was not the problem. It was their culture as it pertained to security. Do you, in the SMB, know which people, based on their specific roles, should have access to which data? We see that many, if not most, security problems are people or process problems. Employees must understand why security is mission-critical, and also understand their specific role in promoting it. That kind of message has to come from the top.
Know your data. We see situations where all data is protected equally, and that is not right. If you don’t know the value of your data and what is most valuable, you won’t protect it properly. As the saying goes, if you protect your toothbrushes like you protect diamonds, you are going to lose a lot more diamonds! You must also know where your data is going. Are you sharing credit card information with an overseas partner? Do you know what their security protocols are? Which governing body there is in charge, should something go very wrong with that data? There is an important data sensitivity and criticality process that needs to be followed, and all too often we see this acknowledged only after a major breach.
Don’t go it alone. We typically rely on specialists for everything from building houses to doing our taxes. Doing security alone is risky. Yes, the IT department can take care of firewalls and some intrusion prevention measures. But for total cyber security the SMB needs third-party specialists. They have the resources, people and experience to analyze and advise. Look for a partner that really puts two-way communication at the forefront of your relationship. Don’t worry about vertical market expertise, which is maybe 5% of the security equation. And talk to your peers to see whom they like.