Basic Small Office IT Security?

[mr-woof]

Me personally, i'd lock down everything as much as possible, try and perform an audit of your systems.

what ports/services are open to the net? Do we need this to be open etc?

Do you have any sort of hardware firewall?

I'd also consider, depending on your hardware running the webserver in a separate dmz.

[Ms. Daisy]

I agree, too.

Which is why we need to button up first. The question is how much.

Lots. I'm a glutton for punishment so I'm going to give you some reading material. There is absolutely no way that anyone can give you all the security measures needed in a help forum thread. The best you can hope for is a good reading list. It sounds like you're totally opposed to hiring a professional to set it up properly, so at least do some SERIOUS reading on the subject.

At the very least PLEASE read these:

(google for this PDF in the SANS reading room) A Small Business No Budget Implementation of the SANS 20 Security Controls

csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf

http://www.applicure.com/blog/databa...-best-practice

And then if you're still interested, read these too:

http://internalaudit.wayne.edu/security-practices.php

http://www.belltcg.com/index.php/bes...usinesses.html (written for windows but the basic concepts are the same across platforms)

http://www.metroinfo.com/keeping-the...businesses.php

http://operationstech.about.com/od/i...-Practices.htm

http://www.corporatecomplianceinsigh...est-practices/

[CharlesA]

Me personally, i'd lock down everything as much as possible, try and perform an audit of your systems.

what ports/services are open to the net? Do we need this to be open etc?

Do you have any sort of hardware firewall?

I'd also consider, depending on your hardware running the webserver in a separate dmz.

This pretty much sums it up. I'm still kinda curious why VNC would be exposed to the internet on an accounting box. That seems like all sorts of bad as VNC is not encrypted and easily cracked if a strong password is not in use.

TBH, it is better not to use VNC unless it is being used over SSH or a VPN.

If remote access is really needed, I would set up a VPN and only have that exposed to the internet. Connect to the VPN and you have access to everything on the internal network.

Lots. I'm a glutton for punishment so I'm going to give you some reading material. There is absolutely no way that anyone can give you all the security measures needed in a help forum thread. The best you can hope for is a good reading list. It sounds like you're totally opposed to hiring a professional to set it up properly, so at least do some SERIOUS reading on the subject.

+1. It takes a while to get good at security and it involves a ton of reading.

[mr-woof]

Like Charles, I'm also very curious why you have vnc open to the internet and totally agree on the VPN point. Get yourself a hardware firewall and setup a vpn

[computeratin]

There's no quick, cheap, easy fix to this. It will take time, knowledge and money; especially if the Chinese have painted a target on you.

I've been a desk jockey at several DoD facilities over the years and was good friends with a lot of the IT guys. I can't get in to specifics, but I will say they employed everything that everyone here is telling you and more.

If you really need to keep the Chineese out of your data then you need to hire a pro with a mil-spec background in state level IT espionage.

I'd recommend that you start reaching out to folks you know for somebody with a good rep and the right background; preferably someone with Cyber Command experience. Or at the very least CEH and CISSP.

And then be prepared to keep them on retainer. This is not going to be a "set it and forget" solution.

How important is your data to you? Because now that the Chinese after it you're in an arms race. Every new trick under the sun will be tried on you as soon as it comes out until they either own you and your data or own you and determine that you have nothing of value.

[Ms. Daisy]

If you're legitimately being targeted then I would agree. However, based on the information given by the OP, this company's services are low-hanging fruit. The attacks the OP experienced are likely just automated ones scanning for poorly configured internet-facing apps.

Honestly, in order to configure security you need to understand your risks. Again a professional can tell you whether you're actually being targeted by the Chinese or if it's just a basic bot attack. It's important to answer that and defend appropriately. You'll be totally wasting resources if you defend against targeted attacks if there are no chances of any happening. Vice versa if you only defend against basic bots then you'll get owned quickly by a targeted attack.

[computeratin]

I agree 100% on the pro.

But, I'll have to disagree on the low hanging fruit; even if it is just auto scanners at the moment. Especially since the Chinese are very fond of both "thin edge of the wedge" and "boot strapping" tactics.

If your data is only of use to 100 computers in the world then I'll assume (with all of the inherient associated risks) that the data you're warehousing will, at some point, play in to projections of national reserves. Which is data the Chinese (and a lot of others) would absolutely kill for (literally); espeically with all of the wild variations coming out of the projections for the Williston and Marcellus basins.

Which is why you need a *pro* with the right background. Not just one with a handle on the IT aspec, but who will also understand the market and strategic value of your data so that they can design an appropriate solution for you.

[OpSecShellshock]

It wouldn't do to just safeguard the production data against the risks of industrial espionage if you aren't also protecting your financial and payroll transactions from regular financially motivated thieves, who prefer to hit small businesses (assuming your shop's in the US, basically individual bank account holders are not liable for fraudulent charges/transfers, but business account holders are, so if you get hit you're pretty much on your own).

Luckily that part's easy and pretty cheap. All you need to do is have a computer that is dedicated to only doing the financial transactions and that is never under any circumstances used for web browsing or email. It should be shut off whenever it isn't being used to perform a transaction. I say it's cheap because the cost of acquiring a separate computer for this is way lower than the cost of implementing monitoring systems/software and then actually spending the time to constantly watch them, and it's also less than the labor cost of repairing a computer that is used for financial transactions and browsing/email if it gets malware on it.

As to the production systems and data, well that is quite a big topic. The above advice about key-based remote authentication over SSH and not using VNC is the most important. Have a look at the links provided in previous posts. A good place to start might be making a list of things that absolutely have to happen in order for you to meet your business requirements, and go from there. A well configured system should do everything you need and only what you need.