Statistics and Economics (Score 1)
1. No client talks to any other client directly: managed routers.
2. Servers run A/V.
3. IDS, e.g. snort (free).
4. Firewall departments as well as outside world
5. Patch users' machines regularly for the major exploit targets: IE, Firefox, Adobe Acrobat, Flash.
6. A $299 netbook, in a safe, that is the only machine used to admin salesforce and other online services.
There are two ways that your organization can be infected before you can react to it:
1. A local network worm, i.e. a TCP/UDP from one client to another.
2. An email worm, i.e. Outlook.
Either of these can and will bypass *any* security solution implemented on the client.
Most attacks are neither: they are attacks intended to compromise a single machine. 80% of these are things like Adobe PDF exploits.
Stopping a local network worm is simple: Clients do not talk to each other. All it takes is a managed router. Clients talk to servers. Specifically their own servers.
Stopping an Outlook worm is more complex, unless you want to piss people off. It's pretty easy to strip everything but plain text out of email. But there are other methods. First, email spamming the whole company gets quarantined, and the user told (automatically) that mail doesn't work like that. Second, any email to a distribution list is refused if it has an attachment. Use an in-house equivalent of sendthisfile.com, or sharepoint (!), or something like that. That may take some getting used to, so an alternative may be that such email is distributed slowly, e.g. after 30 seconds. Or the user has to confirm it with a second email. There are good reasons not to have users passing around documents in email but instead to have some kind of centralized document management system. There are also good reasons to allow them to. So you are going to have to use your judgment on this. Any solution that *you* write is going to be immune to automated worms (unless someone with inside knowledge targets you deliberately).
Why NAC/NAP/SEM is a waste of money:
1. The chance of anyone being infected in an organization is fairly small.
2. The chance of the whole organization being infected if just one is infected: very high.
3. When running things like NAC/NAP/SEM, users' machines get pretty slow.
4. NAC/NAP/SEM simply don't offer complete protection against attacks.
5. Running NAC/NAP/SEM etc. reduces users' productivity when there are no attacks.
6. NAC/NAP/SEM cost a lot of money.
You should read this: End Users Buck Security Advice For Economic Reasons
Herley uses an example of an exploit that affects 1 percent of users per year and takes 10 hours of clean-up time per user. So implementing any security advice, he argues, should incur only 0.98 seconds per user per day to actually reduce the time involved. But it eats up much more time than that, which demonstrates that security advice provides a poor cost-benefit trade-off to users, he argues.
All that other bullshit adds huge costs to your company, and doesn't stop bots. I worked at a company that used SEM or something like it. We got a worm. Still had to bring routers down. Still lost days of network while it was cleaned up. Here's the *big* question: if it works, why is it not guaranteed? If you pay for something like this, and you get a worm, Symantec should come to your building and clean up all your computers for free. Why don't they offer that? Because they would go bankrupt in a month.
Increasingly, small businesses use things like Salesforce and online services. Online attacks are going to be aimed at stealing users' passwords. So the most important thing is getting it into the boss's head that his day-to-day account should not be the one that has full control, i.e. add/delete users, etc. But most successful businessmen are rational, and when you explain that there are viruses that do nothing other than steal salesforce passwords, as you type them, then he/she will get it. Try to persuade him/her to have one machine that is for admin only. It can be a $299 netbook. Tell him to keep it in his safe at home.
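The two Outlook-worm controls the comment describes (quarantine mail that blasts the whole company; refuse, or alternatively delay, attachments sent to a distribution list) as a mail-gateway policy check. This is an added example, not code from the comment or from any product it mentions; the list names, company size, thresholds and sample messages are constructed.

```python
"""Mail-gateway policy sketch: quarantine company-wide blasts, and refuse or
delay attachments addressed to distribution lists. Added example; the
addresses, thresholds and sample messages below are constructed."""
from email import message_from_string, policy
from email.message import EmailMessage

DISTRIBUTION_LISTS = {"all@example.test", "sales@example.test"}  # constructed
COMPANY_SIZE = 200          # constructed headcount
BLAST_FRACTION = 0.5        # one mail reaching half the company counts as a blast
DELAY_SECONDS = 30          # the softer alternative from the comment


def recipients(msg: EmailMessage) -> set[str]:
    """Every bare address in To/Cc/Bcc, lower-cased."""
    return {a.addr_spec.lower()
            for h in ("To", "Cc", "Bcc")
            for hdr in msg.get_all(h, [])
            for a in hdr.addresses}


def has_attachment(msg: EmailMessage) -> bool:
    """True if any MIME part is declared as an attachment (the worm carrier)."""
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def decide(raw: str, delay_instead_of_refuse: bool = False) -> tuple[str, str]:
    """Return (action, reason); action is deliver, quarantine, refuse or delay."""
    msg = message_from_string(raw, policy=policy.default)
    rcpts = recipients(msg)
    if len(rcpts) >= COMPANY_SIZE * BLAST_FRACTION:
        return "quarantine", "addressed to most of the company; sender auto-notified"
    if has_attachment(msg) and rcpts & DISTRIBUTION_LISTS:
        if delay_instead_of_refuse:
            return "delay", f"attachment to a list held for {DELAY_SECONDS}s"
        return "refuse", "attachments to lists are refused; use the file share"
    return "deliver", "ok"


# Constructed sample messages: a 120-recipient blast, an attachment to a list,
# and an ordinary one-to-one mail.
BLAST = ("From: bob@example.test\nTo: "
         + ", ".join(f"u{i}@example.test" for i in range(120))
         + "\nSubject: hi\n\nhello\n")
LIST_WITH_ATTACHMENT = (
    "From: bob@example.test\nTo: sales@example.test\nSubject: q3\n"
    'Content-Type: multipart/mixed; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\nsee attached\n"
    '--b\nContent-Type: application/pdf\nContent-Disposition: attachment; filename="q3.pdf"\n\n'
    "JVBERi0x\n--b--\n")
PLAIN = "From: bob@example.test\nTo: alice@example.test\nSubject: lunch\n\nnoon?\n"
```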