12 Simple Cybersecurity Rules for Your Small Business

James Cannady, Ph.D.

James Cannady, Ph.D., Professor at Nova Southeastern University's Graduate School of Computer and Information Sciences, will present on "12 Simple Cybersecurity Rules For Your Small Business." In this online presentation, twelve simple and inexpensive techniques for protecting small businesses from cyber threats will be discussed. While complex and expensive solutions exist to improve the security of information technology, most of these products are not designed for the specific needs of small businesses. The techniques that will be discussed in the presentation are designed to address the most common threats encountered by small businesses without requiring significant expertise and expense.


Page 1: 12 Simple Cybersecurity Rules For Your Small Business

12 Simple Cybersecurity Rules for Your Small Business

James Cannady, Ph.D.

Purpose of this presentation

• Small businesses form the foundation of our economy. Their need for information security is as great as a multi-national business's, but they usually do not have the resources to dedicate to protecting their systems.

• Security does not have to be as complicated (or expensive) as it may seem.

• The following rules are designed to serve as guidelines for small businesses as they consider options for securing their computer resources.

Rule #1: Focus on the Business

Concentrate on the Business

• Security is a support function for the business. It is not "the" business.

• Choose security technologies and techniques that support and enable the business.

• Avoid changing the business to accommodate security products (there are lots of options).

[Photo 2]

Concentrate on the Business

Layered diagram, from top to bottom:

Business Requirements
Security Policy
Security Services
Security Technologies
Secure Operations

Rule #2: Decide How Much Security You Really Need

What do you need?

• There are a variety of available security technologies.

• Price, availability and interoperability must all be considered.

• Sometimes doing nothing is OK.

• Defense in Depth as a strategy for a secure infrastructure.

What do you need?

• Security is cumulative

• No single solution

• "We have a firewall!!!"

• Examine cost/benefit of each approach vs. cost of security incidents

• Focus first on biggest vulnerabilities

• Get what you need, but no more.

[Photo 3]

Rule #3: Prevention Is Easier Than The Cure

Security is more than technology

• Employee awareness of need for security
  – Formal training vs. teaching moments

• Operations Security
  – The whole point of operations security is to have a set of operational (daily, habit-ingrained) practices that make it harder for another group to compile critical information.

Rule #4: Understand Your Security

It's Your Security

• Not everything can be done in-house
  – You will have to buy at least some commercial products
  – You may need to bring in outside consultants

• Make sure that all security components are well documented
  – Configuration, installation, etc.
  – Changes will need to be made eventually

• Be careful with factory defaults
  – Easier for remote tech services, but potential vulnerabilities

Rule #5: Start With The Security That You Already Have

Use the Security Software That You Already Own

• OS built-in security
  – Firewall
  – Built-in file encryption

• Not the strongest, but...

• Browser security
  – No pop-ups
  – Limit access to certain websites
  – Lock settings to avoid changes that may compromise security

[Photo 5]

Rule #6: Back-up Your Important Data

Data Back-ups

• Simple vs. Complex
• Cheap vs. Expensive
• Time-consuming vs. Scheduled
• Manual vs. Automated

• Options
  – CD-ROMs/Thumb drives
  – Carbonite

• How often?
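The "scheduled" and "automated" side of the choices above, as an added example that is not code from the presentation or its author: a POSIX shell backup routine that a small business could run nightly from cron against its file share. It makes a timestamped archive, stores a SHA-256 checksum beside it so a corrupted backup is noticed before a restore is needed, verifies the archive, and keeps only the newest few copies so the backup drive does not fill up. The source and destination paths (/srv/share, /mnt/backup) are assumptions.

```shell
#!/bin/sh
# Added example (not part of the presentation): automated, verifiable backups
# for a small business file share. Paths in the comments are assumptions.
#
# Typical use from a nightly cron job (assumed paths):
#   . /usr/local/lib/backup.sh
#   a=$(make_backup /srv/share /mnt/backup) && verify_backup "$a" && prune_backups /mnt/backup 14

# make_backup SRC_DIR DEST_DIR -> prints the path of the archive it created
make_backup() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/backup-$stamp.tar.gz"
    # -C keeps paths relative so the archive can be restored anywhere
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    # checksum file written with a relative name so verification is location-independent
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> exit status 0 only if the checksum matches and tar can read it
verify_backup() {
    archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256" ) || return 1
    tar -tzf "$archive" > /dev/null || return 1
}

# prune_backups DEST_DIR KEEP -> remove all but the newest KEEP archives (and their checksums)
prune_backups() {
    dest="$1"; keep="$2"
    # ls -t sorts newest first; everything after the first KEEP entries is stale
    ls -t "$dest"/backup-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" | while read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# count_backups DEST_DIR -> how many archives are currently kept
count_backups() {
    ls "$1"/backup-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}
```

The checksum step is what turns "we have backups" into "we have backups that restore": a backup that is never verified is only discovered to be bad on the day it is needed. Keeping the archive name relative in the .sha256 file means the same verification works after the backup drive is moved to another machine.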

Rule #7: Use Antiviral Programs

Antivirus

• Relatively cheap
• User friendly
• Scan every download
• Also consider spyware/adware protection
• Keep it up-to-date

[Photo 6]

Rule #8: Limit Access To Your Sensitive Data

Access Control

• System administration is a one-person job
  – Only one person needs to be able to have full control over the system (backup sysadmin OK, but no more)

• The crown jewels of the business need to be limited to specific personnel
  – How?
    • Password-protected files
    • Separate computers for sensitive data

[Photo 4]
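Besides the two "how" options above, the file permissions already built into any Linux or Unix file server are a free way to keep the crown jewels limited to specific personnel. This added shell example (not code from the presentation or its author) audits a sensitive directory for files that every local account can read, then tightens it so only the owning account (and root) can reach them. The directory name is an assumption, and file_mode relies on GNU coreutils' stat -c.

```shell
#!/bin/sh
# Added example (not part of the presentation): audit and lock down a
# "crown jewels" directory so only its owner can read it. Paths are assumptions.
#
# Typical use (assumed path):
#   list_exposed /srv/jewels      # see what any other account could read
#   lock_down /srv/jewels         # owner-only: directories 700, files 600

# list_exposed DIR -> prints each file under DIR readable by its group or by others
list_exposed() {
    # POSIX find: -perm -040 is "group-read bit set", -perm -004 is "other-read bit set"
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print
}

# count_exposed DIR -> number of files list_exposed would report
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# lock_down DIR -> owner-only access for the directory tree
lock_down() {
    # directories need execute for the owner to traverse them: 700
    find "$1" -type d -exec chmod 700 {} +
    # data files need no execute bit at all: 600
    find "$1" -type f -exec chmod 600 {} +
}

# file_mode PATH -> octal permission bits, e.g. 600 (stat -c is GNU coreutils)
file_mode() {
    stat -c '%a' "$1"
}
```

Run list_exposed first and read the output before locking anything down; a file that a shared application or a second authorised person legitimately needs will break if it becomes owner-only. Re-running count_exposed on a schedule is a cheap way to notice when a new file lands in the directory with looser permissions than intended.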

Rule #9: Secure Your Wi-Fi

Secure Your Wi-Fi

• Almost every business has one.

• They are easy to find and easy to exploit, especially if simple security measures are not used.

• Current encryption standards for Wi-Fi are not particularly strong, but they are usually enough to dissuade the bad guys, especially since there are almost certainly unsecured Wi-Fi networks nearby.

[Photo 1]

Rule #10: Create a Security Policy

Security Policies

• Start with a written Security Policy.

• You must have a plan.

• Know your assets and know your risks.

• Cover the basics first.

• Then apply technology to support your policy and solve specific problems.
  – Authentication
  – Confidentiality and Integrity
  – Perimeter defense
  – Intrusion Detection and Audit

[Photo 8]

Rule #11: Don't Forget to Lock the Door

Physical Security

• Physical security is as important as any other form of information security.

• Computers should not be accessible by unauthorized users.

• Servers should be guarded with sufficient care to protect the data they contain.

• Challenge strangers.

[Photo 8]

Rule #12: Security is Not Magic

There is no panacea

You will not have perfect security, no matter how much money you are able to spend... but it doesn't have to be perfect.

Security is the process of enabling the protected information system to do what it was designed to do. Nothing more, nothing less.

[Photo 7]

Take Home Points

• Security is not the business; it supports the business.

• Decide what you need; don't rely on a vendor to tell you what you need.

• There are a variety of inexpensive (or free) approaches to security that provide excellent protection.

• Physical security is at least as important as any other form of protection.

• Don't strive for perfect security. You only need to secure enough that it's not worth the effort required of the bad guys.

James Cannady, Ph.D.

Graduate School of Computer and Information Sciences

Nova Southeastern University

[email protected]

Photo Acknowledgements

1. http://www.pcworld.com/article/2052158/5-wi-fi-security-myths-you-must-abandon-now.html
2. http://www.lbcc.edu/business/
3. http://www.walt.com/case-studies/ssh/
4. https://wiki.duke.edu/display/oitwebstyle/Information+Display+-+Slide+Examples
5. http://blogs.sans.org/securingthehuman/files/2012/04/[email protected]
6. http://[email protected]/run-regular-anti-virus-updates-and-scans/
7. http://www.thisisvisceral.com/2013/08/development-tips-tricks-summer-2013/
8. http://[email protected]/2012/12/09/developing-information-security-policy/