Friday, December 22, 2006

Security: Thoughts on Security in the SMB space

Ross and Andy both make good points about the depth of security; or rather, that just doing the basics when it comes to security leaves you predictable, and as a result… vulnerable. In other words, you should be doing more than checking your perimeter logging, looking at your IDS/IPS logs, and making sure your workstations are up-to-date.

If we are only talking about the security of one organization, or of a medium-to-large organization – I think that would be perfectly reasonable. But when I think about our SMB clients… and the SMB market in general… I don’t know of anyone in this market that’s doing much more than playing “night watchman” (using Ross’s terminology). I don’t even know if the SBS Diva Susan Bradley - who is one of the biggest champions of security in the SBS space - is talking penetration testing.

You always need to balance real risk, the client’s perception of risk, and the real costs of meeting what you consider to be valid security objectives. Now maybe, in the SMB space, you don’t have as many valid security objectives… certainly smaller clients will have difficulty justifying the type of security Ross is talking about – and perhaps these activities are ignored, and ignored rightfully so.

I work in a medium-sized organization… but even little things like software licensing, re-purposing servers that are out of warranty, and trying to justify basic security considerations all represent uphill battles. Coupled with the fact that so much of security sounds like insurance when you’re trying to sell it to someone (your boss, a client, whomever), not only is security an uphill battle that requires rocking the boat from time to time, but it’s something that you need to approach carefully. Closely consider whether the risk that you’re attempting to mitigate justifies the time, energy, and opportunity cost you’re committing to it. Make certain that you’ve got your other bases covered – like your equipment, software licenses, backup/recovery plan, etc. – before trying to tackle new commitments.

Now, none of this is to say that you shouldn’t be improving security for yourself and/or the organizations that you support. And this is NOT an excuse to start ignoring your logs, or to stop doing port scans, and the like. But you do need to evaluate the attack surfaces that you’re exposing, what the risks are to your organization, and the risks to your own career and to the perception of your role in the organization when you start talking security.

Bottom line… rock the boat when it needs rocking – but don’t rock it just for the sake of rocking.
