Top 10 Fatal Flaws in SMB Networks Webinar

Watch to learn the top fatal flaws in SMB security and how to address them.


Top 10 Fatal Flaws in SMB Networks

Greg Steffen, Director of Managed Security Services Team

“Sorry to keep you up at night, but they (hackers) are after you. They want your secrets. And even your non-secrets.” 

Any IT professional at an SMB knows that gaps in network security draw hackers. So why do security analysts see so many “fatal flaws” on SMB networks?

“Whenever we install a firewall for a new customer, we get to see every nook and cranny: good, bad, and ugly, and we see the same problems pop up again.” Greg and his team sifted out the top 10 mistakes they see at businesses, ordered by potential for risk and damage. He walks attendees through the ultimate “what if” list, from flat networks to which firewall traffic to allow; it is indispensable security training for any IT team.

This webinar was hosted on September 23rd, 2020, as part of SecurityMetrics Summit 2020.

Transcript of Top 10 Fatal Flaws in SMB Networks

Well, hello there. My name is Greg Steffen. I'm the director of the managed security services team at SecurityMetrics.

You know, we've been managing firewalls for our small business customers for years, and we have seen our fair share of small business networks.

You know, it's interesting. Whenever we begin a firewall installation process for a new customer, we get to see their network, every nook and cranny, every detail, good, bad, and ugly.

You know, we see a lot of the same problems pop up again and again. So we got together, and we picked the top ten most common problems. We sorted them in order of potential risk, and we're gonna count them down for you.

So, as we go along, we're gonna discuss why each one is important and how you can resolve them or avoid them.

So that's what we're gonna do. Are you ready to jump in?

Alrighty. Coming in at number ten, we have messy network cabling. Now you may be saying to yourself, I don't see how messy network cabling is really a big security issue. Well, it can be, but mostly it's a risk of disruption. So let's talk about some of the things that happen when your cables are a mess or some of the things that could happen at any rate.

Device failures could take a lot longer to troubleshoot. So, you know, something important, your TV stops going or something, and you're trying to figure out what it is.

If nothing's labeled and it's just a big mess, then it's gonna take you a lot longer to solve it and get it back going again.

Another issue is that you might be going to do something, a planned, you know, improvement of some sort. Maybe you got a new printer or something like that, and you wanna plug it in. But, hey. There's no ports available. Oh, well, this one's not being used. You unplug it, and suddenly your cash register goes offline. So, you know, now you're gonna start causing problems, not even just extending the length of time to fix problems that the universe caused.

So we wanna know where things are. You know, we want good labeling and all that sort of thing.

Another issue that we run into is the devices end up in very awkward locations.

Why? Because their network cables weren't really long enough.

We can confirm, by the way, that firewalls do not like to be deep fried or soaked in soda. So, you know, get on Amazon, get the right length of cables so that you can put things right where they go.

There are other issues as well. You can literally create trip hazards. So you've got employees, because they were trying to get back into wherever, but you've got, you know, cables kind of a mess. And usually when the employee goes down, they also drag some equipment with them, so that's not good.

The last thing, and this is really what hits us every time, is a firewall installation ideally should take fifteen minutes, but we've had them take days, and it's because we don't know where the wires are going. The customers in their offices have no idea. And, boy, it's hard to make improvements when everything's a mess. So how do you fix it? Well, get on Amazon, get some Velcro cable straps to kinda tie them and make them neat and tidy.

I already mentioned you can get longer cables. You can even get colors.

And, last but not least, it never hurts to do a nice little network diagram. You can use lots of free tools to diagram them online, but, also, just get a napkin and sketch it out, take a picture. You're good to go. So there you go. That's number ten, messy network cables.

Okay. Let's talk about number nine really quick. This is weak third party service providers. Now what do we mean by that? We mean, for example, your Internet service provider or perhaps your point of sale system provider, security or surveillance systems, streaming entertainment, things like that.

What are some of the things that can go wrong with these guys? Well, for one thing, it sure can be hard. If they're not a strong provider, it can be hard to get help when you need it. Right? You're gonna spend all day on the phone and then get disconnected, or you leave a message and they'll call you back a week later. Right? If they're sharp, if they're on it, they're gonna be available when you need their help, and they're gonna get you the help that you need.

Another problem that's communication related is it can be very hard to coordinate with multiples of these at the same time. And that's very important with some of these, especially being firewall providers like we are.

Boy, getting together with the point of sale system provider at the same time and the customer, that can be almost impossible sometimes. And it really hampers. Right? Who loses? The customer loses. And so it's important to pick one that's gonna be available and will help to work through these complex issues.

There are other problems. Sometimes these service providers, if they have to put something inside your network, just to make it easy so they can get done and get out, they're gonna ask you to put great big holes in your firewall in terms of the rules. Rules that'll just, like, open all the traffic up. Well, that certainly will get their system working, but it also lets the entire, you know, all the hacker community in China come sit on your cash register, and you don't want that either.

So aside from that, then the other killer is, oh, the finger pointing. That's horrible. So what do you do? Recommendations.

Well, before you've committed, for sure, check reviews and do your homework. Right? See what their customers are saying about them, and know what your options are. Who are the top few, you know, providers in that space, and choose wisely.

Also, keep all of your own documentation. Don't lose that contact information, the account information, the technical information. Keep all of that. So many things would have been easier if only the customer had remembered to log into their firewall.

But they don't. Now they have to go back and get the ISP involved, and everything's hard. So that is number nine, weak third party service providers. And coming in at number eight, we've got outdated Wi-Fi encryption.

Now why exactly is that important?

As you probably know, the hacker community is out there twenty four seven, three hundred sixty five days a year trying to hack through the latest encryption codes, and, they always get through eventually. So it's always just a matter of time. So we always have to be moving on to the next one. Right?

Now with Wi-Fi technology, there's an awful lot of jargon and complexity. What we're focusing on here are the firmware updates and your ability to keep the firmware updated on your Wi-Fi device. As long as you can continue to update the firmware, you should be fine. Right?

Now, what does that mean? Well, some Wi-Fi devices are managed through an app, and so you can go in and usually you'll be able to see where it tells you that it's been updated recently, or you can do it manually. Some of them, you log in to the Wi-Fi device itself, and you're able to go in and either see that it's happening automatically or you can manually update it. Sometimes you'll use the utility.

So you'll go to the manufacturer's website and download what you need and, you know, update that patch, using a procedure that they'll give you. Now what happens if you can't do any of those things and you're not really confident that it's being updated at all? Well, that's a problem. Even if it's okay right now, it just means that in due time, it's gonna be vulnerable to the hackers.

Right? Also, if it's just old, like if the Spice Girls were still popular when you bought that thing, it's probably time for a new Wi-Fi device. So, the good thing about that though is the newer Wi-Fi devices, their performance is actually a lot better and their management tools are really good too. So what you're looking for, you wanna be on WPA2 or possibly WPA3 for the encryption protocol.

You'll know this when you try to connect to it with your device or your laptop.

So, that's what you need. You need to make sure that your Wi-Fi device is being constantly updated, and if it has to happen manually, that you're taking care of that. So that is number eight, outdated Wi-Fi encryption.

Alrighty. Coming in at number seven, we have DIY network configuration.

Now, we all love our DIY projects, but your business network is not the place for this sort of thing. Right? The problem is that it'll work. You'll connect to the Internet, but you won't know if you've got big gaping holes and every hacker in China has come in and parked on your cash register.

Right? It's too hard to know. And, you have to understand that even though you might have a pretty solid understanding of the technology, the hacker community has, like, an infinitely advanced knowledge of the same technology, so they win. And, you just can't afford to guess with this.

Right?

Especially if you've got any sort of a credit card transaction type of resource or process going on inside your network.

You just can't. So, what are the recommendations? Well, unless you've got, you know, just an incredible amount of knowledge, our recommendation is to get some help. Right?

In a lot of cases, what we find helpful are local resources. It might be a national or a larger entity, but they've got a local presence. It's also especially helpful if you can find somebody where you can reuse the same individuals, so that you get to know them, they get to know your network.

Another option is to engage a company to provide a fully managed firewall service. That way, they could supplement. So if your local technical support resources are kind of more generalists, then you can have the managed firewall provider really focus closely on the network and the security of your network. Usually, those sorts of vendors also can perform external scans of your network to check for any vulnerabilities.

Right? And they'll use the same types of tools that the hackers will use. So if they find it, then you know that the hackers are gonna find it too, and they'll help you to close those gaps.

So, that is number seven, DIY network configurations.

Okay.

Coming in at number six, we have thinking your ISP modem is a firewall.

Well, is it or isn't it? Every ISP gives you a device, and it does sort of protect you from the bad guys. So is that a firewall?

A little bit yes, but mostly no. The key features that we need, that are missing here, one is the ability to have customized rules, and the other is to segment your network.

For extra measure, we'll also throw in that you cannot take the firewall logs or the logs of the traffic from the ISP device and analyze those. So there are some important things, especially with the rules. That's the thing that makes it possible for you to protect certain portions of your network and allow more free traffic to flow in other parts of your network. Very, very important.

So, yes, you do have certain information or a certain functionality that you're getting out of that ISP provided device. But every business network needs to have an actual, no kidding firewall right behind that, and then everything else should plug into that firewall.

So recommendation is go get yourself a firewall. Another great option, actually, is to go for a fully managed firewall service. Right?

They will lease you a firewall for a pretty low amount each month and then take care of all the details, make sure that it fits your needs, and, then also you'll get monitoring services so that if they do detect any sort of sketchy traffic going on through your network, they can let you know.

So there's a couple of good options for you, but what you cannot do, must not do, is think that that thing that the ISP gave you is a firewall.

So there you go. Number six, thinking your ISP modem is a firewall. Coming in at number five is having a flat network. You never knew that was a crime, did you? But k. The earth isn't flat. Your network shouldn't be flat.

Most people believe that. Anyways, here's the problem with a flat network. A flat network is where everything's plugged in the same and everything can talk to everything. There's no restrictions, nothing prohibiting total communication between any devices on your network.

That's a flat network. Problem with that is that the hacker just needs to find the easiest, you know, soft spot in your security. And when they're in, boom, they're all the way in, and they've got the whole thing. Right?

That's not nice. And besides, some of your systems in your network are gonna need holes in your network. They're gonna need to be able to, you know, send traffic in and out pretty easily. But then there's other systems that don't need that.

They don't want that. Right? You don't want all those swimming in the same little pot there. So on your network, you wanna be able to segment it into different network segments.

Right? How clever is that? And so you'll do this with a router or with a firewall. Those are devices that allow you to segment your network into different subnets or segments.

And then what you do is you'll set up rules that say, you know, this is super tight. This is my credit card system. Nothing gets in and out of here unless I know about it, and I say it's okay. This might be guest Wi Fi over here.

I'm gonna let that be, you know, much more open and, you know, whatever. And then maybe in the middle might be your employee network where, yeah, you understand. They'll be browsing to different places, and that's okay.

Anyway, so it's the firewall or a router that allows you to do these things. So, what you need to do: when you think about your network, if you're not really thinking about rules and segments and things like that, that definitely means you've got a flat network. Right? So probably, this is one of those areas where it gets kinda complicated. You're probably gonna wanna get some help. Right?

And you might need different equipment. None of it's terribly expensive. So if you don't have a firewall, you'll definitely need a firewall. Usually, that provides all the functionality that you need.

Also, another good check is to have a vendor, not come in, but have a vendor do a scan over the network. When you think you're done, then have them do a vulnerability scan, and they'll let you know if you missed any spots. Right? They have the same basic tools as the hackers do. So, that is number five, having a flat network. Coming in at number four, we have poorly managed guest Wi-Fi.

Everybody loves guest Wi Fi, especially the guests, but it can get you into trouble if you're not careful. Let's talk about the main problems.

The worst of them is when you've got a teeny little company and there's just a sense of trust, and so they open their employee network, their Wi-Fi, to actual guests.

Never, never, never do that. K?

The next thing though that you gotta watch out for is you might have Wi-Fi and you named it guest, but it might actually still be connected to your main employee network. Right? That does you no good at all. You need to make sure that the device that you're using, if it allows you to have, perhaps, two separate Wi-Fi networks, one that you could name whatever, you know, so that you would have one for your employees and one for your guests, you need to make sure that those truly are separate inside the box, right, kind of virtually separate.

So there's no opportunity for being in one and having access to the devices that are in the other network. Right? So you gotta make sure. Check the documentation, test it yourself, make sure.

Okay. The next one is easier than that. Guest Wi-Fi passwords that never ever change.

If it never ever changes, you're just asking the world to come and use your network for things that have nothing to do with your business. Right?

And then the other version of that is if the password is visible externally. If you can come up to your store window and kind of look in there, let's see. It says password one. Ah, okay. And now they've got it. So you're being the ISP, free Internet for the world, and that's not what you want to do. Right?

The other one, it's a little bit next level, but what you probably wanna do, and you've all experienced this: when you go to a place and you have to sign in before you get to use their guest Wi-Fi, that is actually the best way to go of all.

That gives you some controls over the amount of time that a guest can spend on there, tells you a little bit about the guest; you get some good information from that. So recommendations: make sure that you're not sharing that network, that your equipment is truly keeping guest Wi-Fi separate from everything else. If you need new gear to let you do that, then go get yourself some new gear. Change those Wi-Fi passwords regularly. And, if any of this is sounding like, what?

Go get some help because it's too important. It's your network. You don't wanna make a mistake and allow people access into your network that you don't want in there. So there you go. That is number four, poorly managed guest Wi-Fi. Alrighty. Coming in at number three, we have poor password hygiene.

Now we're all talking a lot about hygiene these days, but let's don't forget our digital hygiene.

Here are some common mistakes. You see if some of these sound familiar to you.

Shared passwords for network or system access. Right? If everybody knows, oh, the password to log into this is password one, and everybody knows that, then guess what? You've made it really hard to know who's accessing the system, and it's also hard to revoke access if you have an employee that's terminated or leaves you. So don't share passwords.

Another problem is passwords that never change. Right? And we love those, don't we? Because then we don't have to learn new ones, but that's kind of the gift that keeps on giving. If that password gets cracked, then that hacker can just quietly sit there forever, and you're just gonna keep letting them have access, and they'll get whatever new data comes across. It's entirely possible you'll never know that they've broken in through your password.

And so, yep, not a good idea. Passwords that never change.

We don't like changing our passwords, but we need to.

The next one is shared passwords across multiple systems. So if you have your kind of favorite password and you use that for all your stuff at work, at home, whatnot, that can be a problem because that's another one of those gifts that keep on giving. It's like a bonus access for the hackers. If they can figure out one of them through some means, then you know the first thing they're gonna do is now try it out on all your other standard accounts.

You know? Hey. Look at that. It also gets into Facebook. We're gonna have some fun with this one, aren't we?

So, yeah, can't share our passwords. Next one up is weak passwords.

So if you take a password that is nine letters only, brute-force cracking of that takes about one hour. But as simple as adding a couple of special characters or capitalizing a letter, and it jumps to months or years to crack that password. So, make sure that you're using strong passwords. Another one is sending usernames and passwords electronically.

Don't do it. Right? None of those electronic means are safe. So never send it electronically.

The last one is storing that information in an unencrypted file on your computer or your device. Not ever a good idea. You need to assume that whatever is on your computer or your device is just kinda out there. And so don't don't sit there and have a file that has, you know, username, password, username, password, dah dah dah dah.

Because at some point, someone's gonna read that and say, oh, thank you very much. You've made it super easy for me. So recommendations: get some sort of a password manager. There's quite a few of those.

Even Chrome is one version of it. It'll manage your passwords for you.

And they will securely store your passwords, and they'll generate strong passwords for you that you can use in your various different accounts. And as an employer, make sure that the systems that you use in your company require good password practices.

So there you go. That is number three, poor password hygiene. Okay. Coming in at number two, we have allowing inbound traffic into your network.

Holy cow. That sounds scary. Well, it is kinda scary. Now what would this how how does this even show up on your network?

Well, there are services that you might have, legitimate services, such as an online ordering system or perhaps a file upload service, maybe for printing or something like that. Also, very common would be a remote access service so that employees, for example, could log into your network, or perhaps third party technical support or things like that. Right? So these are legitimate, but the problem is that they can open up gaps in your network that, if you don't have it tightened down properly and segmented properly, the hackers can use, and they can get into the soft and chewy center of your network where you don't want them to be.

So this is clearly a problem, and it doesn't mean that you cannot have these sorts of services. You certainly can. You just have to be very careful about how you arrange your network configuration and your security rules, so that only the specified type of traffic can get in through that little hole that you created. You can come up with rules that are very, very specific about that sort of thing, and they'll keep you safe even though you're going to allow that sort of traffic in.

Also, you'll remember we've talked about segmenting, and so what you will do is you'll segment and say, alright. This online ordering or whatever the traffic is is only allowed to get into this part of the network over here, where all my credit cards are. That, no touchy. Right?

So, there are definitely means through which you can very safely do that. But you know what? Best of all is, just don't have what you don't need. Right?

So, but how do you know if you've got these sorts of inbound traffic rules on your network?

The best way to do it is to have your network scanned by a scanning vendor or, you know, a security provider.

And they use similar tools as the hackers, and they will let you know if there's any gaps there.

Also, of course, you wanna know what your firewall rules are. So if there's not somebody in your company who you can point at and say, this person knows my rules and they understand each one, then that's a problem, and you need to work that one out, get some help or whatever it is you might need.

So there you go. That is number two, allowing inbound traffic into your network.

Can you believe it? We made it to number one. And coming in, our first place number one is believing that they are not actually after you.

That's a problem. One of my very favorite sayings of all time, it's not paranoia if they really are after you.

Well, I'm not trying to give you nightmares or anything like that, but they are after you. Now don't take it personally. They're not after you specifically. They're just after everybody.

Right? Who's they exactly? Well, it kinda depends.

It's, you know, all the names that we love to talk about, you know, out there in the hacker community.

And it could be a disgruntled employee. It could be just random who knows what. Right?

But the point is, especially and primarily referring to the hacker community, they are constantly scanning the networks. And so if you leave an opening, they're gonna find it and exploit it, and there's absolutely no question about it. We hear a lot of excuses like, well, I don't have anything that they would be interested in, or I don't have budget for expensive security systems, or I've been running without a firewall for years, and I'm fine.

And then the one I really like is, well, they probably already have all my secrets anyways, so what's the use? Right?

And there's truth in all of those. Right? And you can talk yourself out of it if you want, but the point is that, for one thing, they can monetize things you wouldn't believe. Right?

But also sometimes they're just in it for the pain, for the suffering that they can, you know, cause. And you don't need that to be you. Right? It does you no good to let that be you just simply because you stood by and let it happen. So, and for sure, you don't want your customers to suffer.

So, the main thing to remember with all of this is it's in your attitude. It's your orientation towards this and how seriously you take it, how much of a priority you make. And remember that it's the humans. Right?

None of the security measures that we have talked about today can keep an employee from sharing a password or clicking on a link that brings in malware or any of those sorts of things. So you need both you and all of your employees, all of the people that share access to your network, you all need to be aligned on the important things, and you all need to be acting responsibly, taking it seriously.

So, you know, sorry to keep you awake at night. They're after you. They're after your stuff. They're after your information, your secrets, and even your unsecrets.

They just want it all, and you don't want to give it to them. So there you go. That is the last one. That is number one.

Cool. Glad you were with us.

So this has been fun.

I hope something that we've shared here has been useful.

And, you know, I've mentioned it almost in every single slide that it can get kinda complicated, and don't hesitate to go get help. Right? Don't try and do it by yourself.

It's not gonna break the bank. And in fact, what is very expensive is getting hacked. Right? The ransomware costs are going up every year.

You do not want to be the next one. Right? You just don't. So if you have any questions about any of the services that SecurityMetrics offers, of course, you can find us online at www.securitymetrics.com.

Thank you very much for your time, and be safe out there.
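A concrete version of the segmentation advice from flaw #5, the guest Wi-Fi isolation from flaw #4 and the "one narrow hole" inbound rule from flaw #2, added here as an example and not part of the webinar: an nftables ruleset for a Linux firewall sitting behind the ISP device. The interface names, subnets and the online-ordering host are all assumed values, not anything from the talk.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the webinar. Segments the network into a card
# (POS) zone, an employee zone and a guest Wi-Fi zone, and opens exactly
# one inbound service. All names and addresses below are assumed.
flush ruleset

define WAN       = eth0            # uplink to the ISP device (assumed)
define CARD      = eth1            # payment / POS segment (assumed)
define STAFF     = eth2            # employee LAN (assumed)
define GUEST     = wlan0           # guest Wi-Fi (assumed)
define LAN_IFS   = { eth1, eth2, wlan0 }
define ORDER_SRV = 10.10.2.50      # hypothetical online-ordering host in the staff segment

table inet smb_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Manage the firewall itself only from the employee segment
        iifname $STAFF tcp dport 22 accept
        # If the firewall also serves DHCP/DNS to the segments (assumed)
        iifname $LAN_IFS udp dport { 53, 67 } accept
        # Flaw #6: keep logs of what the Internet side throws at you
        iifname $WAN log prefix "wan-drop " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Flaw #5 / #4: staff and guests may reach the Internet, never each other
        iifname $STAFF oifname $WAN accept
        iifname $GUEST oifname $WAN accept

        # Card segment: only HTTPS out to the payment processor; no other egress,
        # and no path to or from the staff or guest segments (policy drop)
        iifname $CARD oifname $WAN tcp dport 443 accept

        # Flaw #2: one narrow inbound hole, to one host, one port, not the whole network
        iifname $WAN oifname $STAFF ip daddr $ORDER_SRV tcp dport 443 ct state new accept

        # Everything else is denied and logged so the rule set can be reviewed
        log prefix "fwd-drop " drop
    }
}

table ip smb_nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish only the ordering service; nothing else is forwarded in
        iifname $WAN tcp dport 443 dnat to $ORDER_SRV
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

A flat network is what you get when the forward chain's policy is accept, or when a "temporary" vendor rule reads `iifname $WAN accept`; the drop policy plus the logged final rule is what lets you see and review any traffic the segments were never meant to exchange.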
