Thread: Basic Small Office IT Security?

  1. #11
    Join Date
    Oct 2008
    Location
    /var/log/uk :-)
    Beans
    208
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Basic Small Office IT Security?

    Me personally, I'd lock down everything as much as possible, try and perform an audit of your systems.

    What ports/services are open to the net? Do we need this to be open etc?

    Do you have any sort of hardware firewall?

    I'd also consider, depending on your hardware, running the webserver in a separate DMZ.

  2. #12
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Basic Small Office IT Security?

    Quote Originally Posted by Grandma_DOG:
        I agree, too.

        Which is why we need to button up first. The question is how much.

    Lots. I'm a glutton for punishment so I'm going to give you some reading material. There is absolutely no way that anyone can give you all the security measures needed in a help forum thread. The best you can hope for is a good reading list. It sounds like you're totally opposed to hiring a professional to set it up properly, so at least do some SERIOUS reading on the subject.

    At the very least PLEASE read these:

    (google for this PDF in the SANS reading room) A Small Business No Budget Implementation of the SANS 20 Security Controls

    csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf

    http://www.applicure.com/blog/databa...-best-practice

    And then if you're still interested, read these too:

    http://internalaudit.wayne.edu/security-practices.php

    http://www.belltcg.com/index.php/bes...usinesses.html (written for windows but the basic concepts are the same across platforms)

    http://www.metroinfo.com/keeping-the...businesses.php

    http://operationstech.about.com/od/i...-Practices.htm

    http://www.corporatecomplianceinsigh...est-practices/

  3. #13
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Basic Small Office IT Security?

    Quote Originally Posted by mr-woof:
        Me personally, I'd lock down everything as much as possible, try and perform an audit of your systems.

        What ports/services are open to the net? Do we need this to be open etc?

        Do you have any sort of hardware firewall?

        I'd also consider, depending on your hardware, running the webserver in a separate DMZ.

    This pretty much sums it up. I'm still kinda curious why VNC would be exposed to the internet on an accounting box. That seems like all sorts of bad, as VNC is not encrypted and easily cracked if a strong password is not in use.

    TBH, it is better not to use VNC unless it is being used over SSH or a VPN.

    If remote access is really needed, I would set up a VPN and only have that exposed to the internet. Connect to the VPN and you have access to everything on the internal network.

    Quote Originally Posted by Ms. Daisy:
        Lots. I'm a glutton for punishment so I'm going to give you some reading material. There is absolutely no way that anyone can give you all the security measures needed in a help forum thread. The best you can hope for is a good reading list. It sounds like you're totally opposed to hiring a professional to set it up properly, so at least do some SERIOUS reading on the subject.

    +1. It takes a while to get good at security and it involves a ton of reading.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  4. #14
    Join Date
    Oct 2008
    Location
    /var/log/uk :-)
    Beans
    208
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Basic Small Office IT Security?

    Like Charles, I'm also very curious why you have VNC open to the internet, and I totally agree on the VPN point. Get yourself a hardware firewall and set up a VPN.

  5. #15
    Join Date
    May 2012
    Beans
    52

    Re: Basic Small Office IT Security?

    There's no quick, cheap, easy fix to this. It will take time, knowledge and money; especially if the Chinese have painted a target on you.

    I've been a desk jockey at several DoD facilities over the years and was good friends with a lot of the IT guys. I can't get into specifics, but I will say they employed everything that everyone here is telling you and more.

    If you really need to keep the Chinese out of your data then you need to hire a pro with a mil-spec background in state-level IT espionage.

    I'd recommend that you start reaching out to folks you know for somebody with a good rep and the right background; preferably someone with Cyber Command experience. Or at the very least CEH and CISSP.

    And then be prepared to keep them on retainer. This is not going to be a "set it and forget" solution.

    How important is your data to you? Because now that the Chinese are after it you're in an arms race. Every new trick under the sun will be tried on you as soon as it comes out until they either own you and your data or own you and determine that you have nothing of value.

  6. #16
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Basic Small Office IT Security?

    If you're legitimately being targeted then I would agree. However, based on the information given by the OP, this company's services are low-hanging fruit. The attacks the OP experienced are likely just automated ones scanning for poorly configured internet-facing apps.

    Honestly, in order to configure security you need to understand your risks. Again a professional can tell you whether you're actually being targeted by the Chinese or if it's just a basic bot attack. It's important to answer that and defend appropriately. You'll be totally wasting resources if you defend against targeted attacks if there are no chances of any happening. Vice versa if you only defend against basic bots then you'll get owned quickly by a targeted attack.

  7. #17
    Join Date
    May 2012
    Beans
    52

    Re: Basic Small Office IT Security?

    I agree 100% on the pro.

    But, I'll have to disagree on the low-hanging fruit; even if it is just auto scanners at the moment. Especially since the Chinese are very fond of both "thin edge of the wedge" and "boot strapping" tactics.

    If your data is only of use to 100 computers in the world then I'll assume (with all of the inherent associated risks) that the data you're warehousing will, at some point, play into projections of national reserves. Which is data the Chinese (and a lot of others) would absolutely kill for (literally); especially with all of the wild variations coming out of the projections for the Williston and Marcellus basins.

    Which is why you need a *pro* with the right background. Not just one with a handle on the IT aspect, but who will also understand the market and strategic value of your data so that they can design an appropriate solution for you.
    Last edited by computeratin; May 21st, 2012 at 05:31 PM. Reason: clarification / typos

  8. #18
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Basic Small Office IT Security?

    It wouldn't do to just safeguard the production data against the risks of industrial espionage if you aren't also protecting your financial and payroll transactions from regular financially motivated thieves, who prefer to hit small businesses (assuming your shop's in the US, basically individual bank account holders are not liable for fraudulent charges/transfers, but business account holders are, so if you get hit you're pretty much on your own).

    Luckily that part's easy and pretty cheap. All you need to do is have a computer that is dedicated to only doing the financial transactions and that is never under any circumstances used for web browsing or email. It should be shut off whenever it isn't being used to perform a transaction. I say it's cheap because the cost of acquiring a separate computer for this is way lower than the cost of implementing monitoring systems/software and then actually spending the time to constantly watch them, and it's also less than the labor cost of repairing a computer that is used for financial transactions and browsing/email if it gets malware on it.

    As to the production systems and data, well that is quite a big topic. The above advice about key-based remote authentication over SSH and not using VNC is the most important. Have a look at the links provided in previous posts. A good place to start might be making a list of things that absolutely have to happen in order for you to meet your business requirements, and go from there. A well configured system should do everything you need and only what you need.
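    As an added example (not posted by anyone in this thread), a POSIX shell audit of the two points raised in #13 and #18: whether sshd is configured for key-only access, and whether a VNC listener is reachable from anywhere other than localhost. The sshd_config text and the `ss -tln` output are constructed samples, and the `ss` column layout (local address in column 4) is an assumption.

```shell
# Constructed sample of an sshd_config (stands in for /etc/ssh/sshd_config on the accounting box).
SAMPLE_SSHD_CONFIG='# constructed sample, not copied from a real host
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no'

# Constructed sample of `ss -tln` output; local address in column 4 is an assumption about the layout.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901       0.0.0.0:*
LISTEN 0      128    [::]:22              [::]:*'

# sshd_findings CONFIG_TEXT: one line per setting that undermines key-only SSH access.
# The default matters: when PasswordAuthentication is absent or commented out, sshd allows passwords.
sshd_findings() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" {
            seen_pw = 1
            if (val == "yes") print "PasswordAuthentication yes: password logins allowed; use keys only"
        }
        key == "permitrootlogin" && val != "no" && val != "prohibit-password" && val != "without-password" {
            print "PermitRootLogin " $2 ": root should not log in over SSH with a password"
        }
        key == "pubkeyauthentication" && val == "no" { print "PubkeyAuthentication no: key-based logins disabled" }
        END { if (!seen_pw) print "PasswordAuthentication not set: sshd defaults to yes" }
    '
}

# exposed_vnc LISTENER_TEXT: VNC listeners (ports 5900-5999) bound to anything other than loopback.
# A loopback-only VNC is reachable solely through an SSH tunnel or a VPN, as the posters above recommend.
exposed_vnc() {
    printf '%s\n' "$1" | awk '
        $1 != "LISTEN" { next }
        {
            n = split($4, parts, ":")               # text after the final colon is the port
            port = parts[n] + 0
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
        }
        port >= 5900 && port <= 5999 && host != "127.0.0.1" && host != "[::1]" {
            print $4 ": VNC reachable from other hosts; bind to localhost and tunnel over SSH or a VPN"
        }
    '
}

# Run the audit over the constructed samples.
sshd_findings "$SAMPLE_SSHD_CONFIG"
exposed_vnc "$SAMPLE_LISTENERS"
```

On a real host, feed the functions the output of `cat /etc/ssh/sshd_config` and `ss -tln` instead of the samples.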
