SMB Disaster Preparedness: A Recipe for Disaster
SMBs are not making disaster preparedness a priority until after they experience a disaster or data loss.
You may have read about the recently discovered vulnerability in Siemens' SCADA (supervisory control and data acquisition) systems. Originally scheduled to be demonstrated by NSS Labs analyst Dillon Beresford and independent researcher Brian Meixell at the TakeDownCon conference in Dallas last month, the talk was postponed mere hours before it was to start. The decision to cancel was understood to have been taken voluntarily after a request from Siemens and the Department of Homeland Security (DHS).
In a statement, Siemens said that the vulnerabilities "were discovered while working under special laboratory conditions with unlimited access to protocols and controllers." This gave the impression that the flaws were atypical and difficult to exploit, and is an assertion that Beresford clearly does not agree with. After all, he discovered the bugs after purchasing the Siemens controllers with funding obtained from NSS Labs - something that he argues the bad guys are equally capable of.
In an online forum posting, Beresford stated, "The vulnerabilities are far reaching and affect every industrialized nation across the globe. This is a very serious issue." For now, NSS Labs says that it will show how the vulnerabilities were exploited at the Las Vegas Black Hat conference in August.
All Computer Systems Are Susceptible to Flaws
First of all, small- and mid-sized businesses must know that all computer systems are susceptible to flaws. This could come in the form of bugs in which software do not perform as expected, or security vulnerabilities that could be exploited to commandeer the entire system. After all, the SCADA systems made by Siemens are used at critical installations ranging from power utilities, water suppliers and even in nuclear reactors, but found to contain flaws nevertheless.
SMBs will do well to architect their computer networks with this awareness in mind; instead of focusing exclusively on creating the "perfect" software, they should endeavor also to build multiple layers of defenses to defend against unidentified flaws. Technologies such as anti-malware software, IPS, VPN and firewall come to mind, which have the added benefit of potentially mitigating and identifying the damage in the event of a successful penetration.
Avoid Having One Employee Programming All the Software
There is often a temptation for mid-sized businesses to do all the programming "in house." While not a detrimental idea by itself, the problem arises when programmers find themselves solely responsible for large chunks of a project due to manpower shortages or poor planning, which is not an ideal situation from a security point of view. General weaknesses in the structure of the code or outright bugs may be overlooked, which can result in serious repercussions when deployed.
My suggestion is to deploy commercially available software from a reputable vendor instead. Where this is not possible or desirable however, an alternative would be to set up a peer-review process where two or more programmers examine each other's work, or pay security professionals for an independent review. Finally, the implementation of well-designed, open-source components can also help reduce the risk vector as opposed to writing the features from scratch.