Security outlook challenging for SMBs in 2008


Joel Dubin, CISSP, Contributor
11.29.2007


There will be three key IT security pressure points for small and medium-sized businesses (SMBs) in 2008: compliance, application/Web site security and endpoint security. These three areas will be much more tightly intertwined next year than they were in 2007.

Getting in compliance

SMBs, particularly private companies, may think government regulations are only for publicly traded, usually larger, companies. But that's not always the case. For SMBs servicing public companies, regulators and auditors looking downstream will knock on their doors, too. Compliance with the Sarbanes-Oxley Act (SOX) for public companies, the Health Insurance Portability and Accountability Act (HIPAA) for health care providers, and the Payment Card Industry Data Security Standard (PCI DSS) for companies accepting credit card payments will continue to nag SMBs, just as they do their larger corporate brethren.

What are the big components of compliance? Access management, application security and network security are all part of the mix. They can't be separated and treated as individual pieces: to be compliant, an SMB has to satisfy all of them, and a gap in one (an orphaned administrator account, say) shows up as a finding against the others.

Each regulation has its own twist. SOX and HIPAA compliance will remain an issue, but the red flag for SMBs in 2008 will be PCI DSS. Unlike SOX and HIPAA, which are U.S. laws, PCI DSS is an industry standard, administered by the PCI Security Standards Council that the five major card brands -- Visa International, MasterCard International Inc., American Express Co., Discover Financial Services LLC and JCB Co. -- formed in 2006. Merchants found out of compliance can be fined by the card brands, through their acquiring banks, or lose the ability to accept cards altogether.

Many parts of PCI DSS affect SMBs directly, but the particular pain point in 2008 will be Requirement 6.6, which covers the security of public-facing Web applications. In the current version of the standard, 6.6 is only a recommended best practice; it becomes a mandatory requirement on June 30, 2008.

Securing applications and Web sites

Requirement 6.6 says all public-facing Web applications must be protected against known attacks by one of two methods, both of which could be costly for an SMB. The first is to have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security. The other is to install an application-layer firewall (a Web application firewall, or WAF) in front of the Web applications. The first is costly in terms of staff, the second in terms of money.

But there are indications the PCI council can live without full-blown reviews of every line of Web application code. Popular Web scanning tools within reach of SMBs, such as WebInspect from SPI Dynamics Inc. (now part of HP) and AppScan from Watchfire Corp. (now part of IBM), may be adequate. These tools don't read application code; they probe the running site the way an attacker would and can uncover common vulnerabilities such as cross-site scripting and SQL injection. If an SMB can show that it scans regularly, fixes what the scans find and rescans to confirm the fix, it could pass muster without hiring yet another expensive consultant to review hundreds of thousands of lines of code. One caveat: a scanner tests only the pages and parameters it can reach, so business-logic flaws and functions behind a login are missed unless the scan is configured to authenticate.

Access management also falls under the compliance umbrella, not only for PCI DSS but for SOX and HIPAA, too. All of these regulations are sticklers for complete records of who has access to which systems, including proof that inactive accounts are regularly found and disabled. That means being able to produce reports at regular intervals, and on demand, for auditors and regulators. For cash-strapped SMBs, Active Directory, the directory most of them already run, holds the data auditors ask for (account status, group membership, last logon), and its built-in command-line query tools, dsquery and dsget, or a short script are usually enough to pull the reports.
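As an added example, not code from the article, here is what the inactive-account half of that report looks like once the directory data is exported: a Python script that converts Active Directory's lastLogonTimestamp values (Windows FILETIME ticks) to dates, skips accounts that are already disabled, flags enabled accounts that have not logged on in 90 days or have never logged on, and renders the result as CSV for the audit file. The account records, names and dates are constructed for the demonstration; in practice they would come from an LDAP query or a dsquery/dsget export.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Active Directory stores lastLogonTimestamp and pwdLastSet as Windows
# FILETIME values: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002  # bit in userAccountControl


def filetime_to_datetime(ticks):
    """FILETIME -> timezone-aware datetime; 0 means the account never logged on."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (integer arithmetic, so it is exact)."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def find_inactive(accounts, now, max_idle_days=90):
    """Return the enabled accounts that have not logged on within
    max_idle_days, or never have. Already-disabled accounts are skipped.

    Caveat: lastLogonTimestamp is replicated between domain controllers
    only when it is more than 14 days stale (msDS-LogonTimeSyncInterval),
    so it is accurate to about two weeks: fine for a 90-day review,
    useless for a 1-day one (use lastLogon on every DC for that)."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for acct in accounts:
        if acct["userAccountControl"] & ACCOUNTDISABLE:
            continue
        last = filetime_to_datetime(acct["lastLogonTimestamp"])
        if last is None or last < cutoff:
            stale.append({
                "sAMAccountName": acct["sAMAccountName"],
                "lastLogon": last.date().isoformat() if last else "never",
                "idleDays": (now - last).days if last else "",
            })
    return stale


def report_csv(stale):
    """Render the review as CSV, the form auditors can actually file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["sAMAccountName", "lastLogon", "idleDays"])
    writer.writeheader()
    writer.writerows(stale)
    return buf.getvalue()


def _ft(year, month, day):
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


# Constructed sample export: hypothetical names and dates in the shape an
# LDAP query or a dsquery/dsget export of these attributes would return.
NOW = datetime(2008, 1, 15, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "lastLogonTimestamp": _ft(2008, 1, 10)},
    {"sAMAccountName": "bob",   "userAccountControl": 0x200, "lastLogonTimestamp": _ft(2007, 9, 1)},
    {"sAMAccountName": "carol", "userAccountControl": 0x200, "lastLogonTimestamp": 0},
    {"sAMAccountName": "dave",  "userAccountControl": 0x202, "lastLogonTimestamp": _ft(2007, 1, 1)},
]

if __name__ == "__main__":
    print(report_csv(find_inactive(SAMPLE_ACCOUNTS, NOW)))
```

With the sample data, bob (last logon 136 days ago) and carol (never logged on) land on the report; alice is current and dave is already disabled, so neither appears. Running the same script monthly and keeping the CSV output is the "proof of regular pruning" an auditor asks for.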

Endpoint security to the fore

With the proliferation of remote workers, laptop-toting road warriors and managers with BlackBerrys, endpoint security has become critical for SMBs. This is in addition to the use of USB keys and other pocket-sized portable storage devices that carry presentations and other data for off-site work. All these devices are big cost savers for SMBs, since they reduce the need for expensive office space by allowing employees to work remotely.

But that freedom also brings serious risks to network security. A laptop that picks up malware on a home or hotel network and is then plugged into the office LAN, or connected over the VPN, carries that malware straight past the perimeter firewall, which never saw the infection happen. The same devices can carry sensitive information or customer data out of the network just as easily.

Besides configuring remote devices so that they reach the network only through a firewall or a dedicated gateway such as a VPN concentrator, devices need to be checked, before they are let on, to make sure they have been sufficiently hardened and are free of malware. In other words, a device should be allowed to connect only if its patches and antivirus signatures are up to date, and quarantined until it is fixed otherwise; this is the job network access control (NAC) products do. As for USB keys and other external storage devices, they should be restricted to users who need them for business purposes, or blocked from the enterprise network altogether.
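As an added example, not code from the article or from any NAC vendor, here is the admission decision from the paragraph above written out in Python: a small policy evaluator that takes the kind of report a NAC agent collects from an endpoint (whether antivirus is running and how old its signatures are, which patches are missing and at what vendor severity, whether removable storage is attached and which groups the user belongs to) and returns allow or quarantine with the reasons. The thresholds, host names, user groups and patch labels are all constructed assumptions; the article sets no specific numbers.

```python
from datetime import date

# Constructed admission policy. The article says only "patches and antivirus
# software are up to date"; the numbers and group names here are assumptions.
POLICY = {
    "max_signature_age_days": 3,                     # older AV definitions: quarantine
    "block_severities": {"critical", "important"},   # missing patches at these ratings: quarantine
    "removable_storage_groups": {"field-sales"},     # only these groups may attach USB storage
}


def evaluate_posture(report, policy, today):
    """Decide whether an endpoint may join the network.

    `report` is the data a NAC agent gathers before the switch port or VPN
    session is opened. Returns ("allow" | "quarantine", [reasons]); the
    reasons are what the remediation page shows the user."""
    reasons = []

    if not report["av_running"]:
        reasons.append("antivirus not running")
    else:
        sig_age = (today - report["av_signature_date"]).days
        if sig_age > policy["max_signature_age_days"]:
            reasons.append("antivirus signatures %d days old" % sig_age)

    blocking = sorted(p["id"] for p in report["missing_patches"]
                      if p["severity"] in policy["block_severities"])
    if blocking:
        reasons.append("missing patches: " + ", ".join(blocking))

    exempt = set(report["user_groups"]) & policy["removable_storage_groups"]
    if report["removable_storage_attached"] and not exempt:
        reasons.append("removable storage attached by user outside exempt groups")

    return ("quarantine" if reasons else "allow"), reasons


def evaluate_all(reports, policy, today):
    """Run the policy over every endpoint; returns {host: decision}."""
    return {host: evaluate_posture(r, policy, today)[0] for host, r in reports.items()}


# Constructed endpoint reports: hypothetical hosts, users and patch labels
# ("patch-a", "patch-b" are placeholders, not real vendor identifiers).
TODAY = date(2008, 1, 15)
REPORTS = {
    "laptop-01": {"av_running": True, "av_signature_date": date(2008, 1, 14),
                  "missing_patches": [],
                  "removable_storage_attached": True, "user_groups": ["staff", "field-sales"]},
    "laptop-02": {"av_running": True, "av_signature_date": date(2008, 1, 5),
                  "missing_patches": [{"id": "patch-a", "severity": "critical"},
                                      {"id": "patch-b", "severity": "low"}],
                  "removable_storage_attached": False, "user_groups": ["staff"]},
    "laptop-03": {"av_running": False, "av_signature_date": date(2008, 1, 14),
                  "missing_patches": [],
                  "removable_storage_attached": True, "user_groups": ["staff"]},
}

if __name__ == "__main__":
    for host, report in REPORTS.items():
        decision, why = evaluate_posture(report, POLICY, TODAY)
        print(host, decision, "; ".join(why))
```

Note the ordering in the antivirus check: if the agent reports the scanner is not running at all, the signature date is meaningless and is not reported as a second finding. Low-severity missing patches are recorded in the report but do not block admission, which keeps the quarantine queue to the cases that matter.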

SMB-friendly products in the endpoint security market include Safend Protector from Safend Ltd. and DeviceWall from Centennial Software Ltd. Both products are easy to install and have easy-to-use Web-based interfaces for monitoring and controlling endpoints and devices on the network.

Guard your sites

Web and application security will continue to be a concern for SMBs in 2008. Hackers will continue, as they did in 2007, to go downscale and target smaller companies, which they believe have weaker defenses than larger enterprises with better-staffed security departments. SMBs' Web sites are just as susceptible to attacks as Web sites of larger companies through cross-site scripting, SQL injection and session hijacking.

The best defense against Web attacks is to follow secure coding practices, as outlined by the Open Web Application Security Project (OWASP). OWASP's guides are the de facto industry reference for Web security, and PCI DSS Requirement 6.5 points to them as the secure coding guidance for the common vulnerabilities it lists, so here again compliance comes up as part of a separate issue, in this case application security. In addition to safe coding practices, OWASP covers secure Web design and deployment, such as Web server configuration.
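As an added example, not code from the article or from OWASP, here is the kind of defect the Web scanners discussed above flag and the secure-coding fix OWASP prescribes, in Python: a login query assembled by string formatting beside its parameterized form, a page fragment that echoes user input unescaped beside one that encodes it, and a session identifier drawn from the operating system's random source rather than something guessable. The users table and the attacker inputs are constructed for the demonstration; the password is stored in the clear only to keep the example short, which real code must never do.

```python
import html
import secrets
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table standing in for a
    small Web application's customer database (the article names no schema).
    The password is in the clear ONLY to keep the example short; real code
    stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """SQL injection, the 'before' form: user input is pasted into the query
    text, so a quote in the password rewrites the WHERE clause."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, name, password):
    """Parameterized query: the values travel separately from the SQL text,
    so quotes and keywords in the input are just data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def greet_vulnerable(display_name):
    """Reflected cross-site scripting: the name is echoed into HTML as-is."""
    return "<p>Hello, %s</p>" % display_name


def greet_fixed(display_name):
    """Output encoding: <, >, &, and quotes become entities, so the browser
    renders the name as text instead of parsing it as markup."""
    return "<p>Hello, %s</p>" % html.escape(display_name, quote=True)


def new_session_id():
    """Session hijacking defense, part one: an identifier with 256 bits of
    OS-supplied randomness cannot be guessed or enumerated the way a
    sequential or time-based one can. (Part two, not shown: issue a fresh
    one at login and send it only over HTTPS with the HttpOnly flag.)"""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # constructed attacker input for the password field
    print("vulnerable login bypassed:", login_vulnerable(db, "alice", payload))
    print("fixed login bypassed:     ", login_fixed(db, "alice", payload))
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_fixed("<script>alert(1)</script>"))
    print("session id:", new_session_id())
```

The payload turns the vulnerable query into `... AND password = '' OR '1'='1'`, and because AND binds tighter than OR the row is returned without the password; the parameterized version compares the literal string and fails. These three defects (string-built SQL, unencoded output, predictable session tokens) are exactly what a scan of a typical SMB site turns up first, and each fix is a few lines once found.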

While 2008 will prove to be another difficult year for IT security at SMBs, the challenges won't be insurmountable.

Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He has a regular radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at www.theitsecurityguy.com.


All Rights Reserved, Copyright 2007 - 2009, TechTarget | Read our Privacy Policy