This presentation discusses the topic of Information Security for Small Business

1. Information Security For Small Business by Julius Clark Sr., CISSP, CISA | October 13th 2009

3. MSIS in Information Security

5. Certified Information Systems Auditor (CISA)

6. Microsoft Certified System Engineer (MSCE). 2

7. Agenda Information Security for Small Business 3

8. Agenda (Continued)Information Security for Small Business 4

9. Small Business Wholeness 5

11. Esteem - Recognition for Good Work

12. Love - Acceptance

13. Safety & Security – Stability

14. Needs – Air , Food, Water, Shelter6

16. Esteem - Recognition in Market Place

17. Love - Acceptance by Clients or Customers

18. Safety & Security – IT Security & Insurance

19. Needs – Capital & People7

20. What is Information Security? 8

22. Integrity

23. Availability9

24. What Is Information Security? Confidentiality Concept of protecting information from improper disclosure and protecting the secrecy and privacy of sensitive data so that the intellectual property and reputation of an organization is not damaged and that data related to individuals is not released in violation of regulations or the privacy policy of the organization. - From the CISSP® CBK® 10

25. What Is Information Security? Integrity Addresses two objects, which are protecting data and processes from improper modification, and the ensuring the operations of the information is reliable and performing as expected. - From the CISSP® CBK® 11

26. What Is Information Security? Availability Addresses two concepts, which are protecting data and processes from improper modification, and the concept of ensuring the operations of the information system is reliable and performing as expected. - From the CISSP® CBK®: 12

27. Importance Of Small Business Statistic: There are over 26 million small businesses in the U.S. Source: NIST 13

29. Lawsuits

30. Reputation loss

31. loss of market share

32. Theft of its technology , resources and products

33. Denial of service attacks

34. Blackmail14

36. Hacktivists

37. Cyber criminals

38. Information Warriors

39. Employees

40. Dumpster divers

41. Natural disasters

42. Terrorist activities15

44. Viruses

45. Denial of service

46. Turning your computer into a zombie aka “Bot”16

47. Cyber Crime In the news 17

48. Cyber Crime In the News 18

49. Cyber Crime Statistics! Insider threats are responsible for over 80% of small business issues. There are over 70,000 active viruses ; and exponentially growing Information Security threats can damage or destroy small business 33% businesses with 100 employees or less had a computer incident Source: NIST 19

50. Cyber Crime Statistics! Small Business Cyber Crime Report 42 % of businesses has a Laptop theft 44% of businesses suffered from Insider Abuse 21% of businesses reported Denial of Service 50% of businesses detected a viruses 20% of business systems became a “Bot” Source: Computer Security Institute Survey 20

51. Cyber Crime Statistics! Reported Data Breaches 2007 - there were 445 data breaches reported 2008 – there were 656 data breaches reported 2009 – approx. 392 data breaches reported so far this year. Source: October 9, 2009 USAToday 21

52. Privacy Rights Clearinghouse www.privacyrights.org 22

53. Privacy Rights Clearinghouse www.privacyrights.org The 339,861,901 indicates the total number of records compromised 23

54. The components of Information Security 24

56. Processes

57. Technology25

58. The Components of Information Security People People are the weakest link of the three components of Information Security! 26

59. The Components of Information Security Processes The operational aspects of small business 27

60. The Components of Information Security Technology All of the tools, applications, software, and infrastructure that allows a business process to work and perform efficiently. 28

62. Some will relate to expected employee practices for using business resources, such as telephones, computers, printers, fax machines, and Internet access.

63. Legal and regulatory requirements may also require certain policies to be put in place and enforced.

64. Policies for information, computer, network, and Internet security, should communicate clearly to employees the expectations that the business management has for appropriate use. 29

66. Policies should be communicated clearly to each employee and all employees should sign a statement agreeing that they have read the policies, that they will follow the policies, and that they understand the possible penalties for violating those policies.

67. This will help management to hold employees accountable for violation of the businesses policies.

68. There should be penalties for disregarding business policies. And, those penalties should be enforced fairly and consistently for everyone in the business that violates the policies of the business. 30

69. Business Continuity and Disaster Recovery Planning 31

70. Highly Recommended Practices! NIST IT Security Fundamentals For Small Business Contingency and Disaster Recover planning considerations What happens if there is a disaster (flood, fire, tornado, etc) or a contingency (power outage, sewer backup, accidental sprinkler activation, etc)? Do you have a plan for restoring business operations during or after a disaster or a contingency? Since we all experience power outages or brownouts from time to time, do you have Uninterruptible Power Supplies (UPS) on each of your computers and critical network components? They allow you to work through short power outages and to save your data when the electricity goes off. Conduct an inventory of all information used in running your business. Do you know where each type of information is located (on which computer or server)? Have you prioritized your business information so that you know which type of information is most critical to the operation of your business – and, therefore, which type of information must be restored first in order to run your most critical operations? If you have never (or not recently) done a full inventory of your important business information, now is the time. For a very small business, this shouldn’t take longer than a few hours. For a larger small business, this might take from a day to a week or so. While you are doing this inventory, ensure that the information is prioritized relative to importance for the entire business, not necessarily for a single part of the business. When you have your prioritized information inventory (on an electronic spreadsheet), add three columns to address the kind of protection that each type of information needs. Some information will need protection for confidentiality, some for integrity, and some for availability. 32

71. Identifying The Business’ critical assets 33

72. Identifying The Business’ critical assets 34

73. Identifying The Business’ critical assets 35

74. Identifying The Business’ critical assets 36

76. As you read/research your trade/professional publications, take note of the data security issues covered in these publications. Ask yourself “Is my business vulnerable to something like this? If so, what have others done that I could copy to protect my business?”

77. As you network with your peers, talk cyber security issues. Give and get advice, hints, tips, etc.

78. Make every effort to stay in touch with and on top of every threat or incident that does or could affect your business.

79. Join InfraGard to get critical information about current threats in your local area (and to act as eyes and ears to help protect our nation!).

80. (www.infragard.net - membership application form is online – membership is free in most areas of our nation)37

81. Safeguarding critical assets 38

83. Processes

84. Technology39

85. Safeguarding Critical Assets People People are the weakest link of the three components of Information Security! 40

87. Lock up laptops when they are not in use.

88. Control who has access to your systems and networks, this includes cleaning crews. No one should be able to walk into your office space without being challenged by an employee.

90. Do not provide access to all data to any employee,

91. Only give employee enough access privileges necessary to perform job.

92. Do not allow a single individual to both initiate and approve a transaction (financial or otherwise).41

93. Safeguarding Critical Assets Processes The operational aspects of small business; needs checks and balances aka controls. 42

95. Backup can be done inexpensively if copied to another hard drive that can hold 52 weeks of backups; 500GB should be sufficient for most businesses.

96. Backups should be performed at a minimum weekly, but better if done daily.

97. A full backup should be performed once a month and taken off site incase of a fire, flood, theft or other disaster.

98. Portable USB Drive is recommended ; 1000GB.

100. Employees should review computer usage policies on the 1st day of work.

101. Train them about expectations concerning limited use of telephones, printers and other business resources.

102. After training they should sign a a statement that they understand these policies and the penalties for violation of business policies.43

104. To protect information and systems, employees should not operate computers with administrative privileges.

105. Malicious code will gain the same privileges and install itself on a system if the user is using an account with administrative privileges.

107. Employees should review computer usage policies on the 1st day of work..

108. Train them about expectations concerning limited use of telephones, printers and other business resources.

109. After training they should sign a a statement that they understand these policies and the penalties for violation of business policies. 44

111. It is recommended to have the anti-virus software, spyware and malicious code software to update automatically; frequently.

113. Ensure that your employees home PCs have a firewall installed between your/ their systems(s) and the Internet.

114. Change the administrative password upon installation and regularly thereafter. Good idea to change the administrator name too. 45

116. Set wireless device to not broadcast its Service Set Identifier (SSID).

117. Recommended encryption is WiFi Protected Access 2 (WPA-2) using Advanced Encryption Standard (AES).

118. NOTE: WEP (Wired-Equivalent Privacy).

119. It is recommended to configure systems to update automatically. 46

121. Make sure that the firewall is turned on.

123. It is recommended to configure systems to update automatically.

124. Ensure employees home PCs are configured to update automatically as well.

125. If you have many systems consider purchasing a product that can manage the process for your business.

126. Update Microsoft Office regularly. 47

127. Highly Recommended Practices! NIST IT Security Fundamentals For Small Business Security emails requesting sensitive information. Security concerns about email attachments and emails requesting sensitive information. Do not open email attachments unless you are expecting the email with the attachment and you trust the sender. If you are not sure why someone sent you and email with attachments or links. Call them or email them back asking questions. Be cautious of emails asking for sensitive personal or financial information – regardless of who the email appears to be from. No responsible business will ask for sensitive information in an email. Security concerns about web links in email, instant messages, social media, or other means. Do not click on links in email messages. Recently, scams are in the form of embedded links in emails. Once a recipient clicks on the link, malicious software (for example, key stroke logging software) is installed on the user’s computer. Don’t do it unless you know what the web link connects to and you trust the person who sent the email to you. 48

128. Highly Recommended Practices! NIST IT Security Fundamentals For Small Business Security concerns about popup windows and other hacker tricks. When connected to and using the Internet, do not respond to popup windows requesting that you to click “ok” for anything. If a window pops up on your screen informing you that you have a virus or spyware and suggesting that you download an antivirus or antispyware program to take care of it, close the popup window by selecting the X in the upper right corner of the popup window. Hackers are known to scatter infected USB drives with provocative labels in public places where their target business’s employees hang out, knowing that curious individuals will pick them up and take them back to their office system to “see what’s on them.” What is on them is generally malicious code which installs a spy program or remote control program on the computer. Teach your employees to not bring USB drives into the office and plug them into your business computers (or take them home and plug into their home systems). It is a good idea to disable the “AutoRun” feature for the USB ports on your business computers to help prevent such malicious programs from running. 49

129. Highly Recommended Practices! NIST IT Security Fundamentals For Small Business Security considerations for web surfing. No one should surf the web using a user account which has administrative privileges. It is best to set up a special account with “guest” (limited) privileges to avoid this vulnerability. Issues in downloading software from the Internet. Do not download software from any unknown web page. Only those web pages belonging to businesses with which you have a trusted business relationship should be considered reasonably safe for downloading software. Such trusted sites would include the Microsoft Update web page where you would get patches and updates for various versions of the Windows operating system and Microsoft Office or other similar software. Most other web pages should be viewed with suspicion. Be very careful if you decide to use freeware or shareware from a source on the web. Most of these do not come with technical support and some are deliberately crippled so that you do not have the full functionality you might be led to believe will be provided. 50

130. Highly Recommended Practices! NIST IT Security Fundamentals For Small Business Doing online business or banking more securely. Online business/commerce/banking should only be done using a secure browser connection. This will normally be indicated by a small lock visible in the lower right corner of your web browser window. After any online commerce or banking session, erase your web browser cache, temporary internet files, cookies, and history so that if your system is compromised, that information will not be on your system to be stolen by the individual hacker or malware program. Recommended personnel practices in hiring employees. When hiring new employees, conduct a comprehensive background check before making a job offer. Ensure that you do criminal background checks on all prospective new employees. If possible, it is a good idea to do a credit check on prospective employees. This is especially true if they will be handling your business funds. Do your homework – call their references and former employers. Note: It is also an excellent idea for you the business owner to do a background check of yourself. Many people become aware that they are victims of identity theft only after they do a background check on themselves and find arrest records and unusual previous addresses where they never lived. 51

131. Highly Recommended Practices! NIST IT Security Fundamentals For Small Business How to dispose of old computers and media. When disposing of old business computers, remove the hard disks and destroy them. The destruction can be done by taking apart the disk and beating the hard disk platters with a hammer. It is very common for small businesses to discard old computers and media without destroying the computers’ hard disks or the media. Sensitive business and personal information is regularly found on computers purchased on Ebay, thrift shops, Goodwill, etc, much to the embarrassment of the small businesses involved (and much to the annoyance of customers or employees whose sensitive data is compromised). Consider Using Full Disk Encryption if you handle sensitive data and information. 52

132. Highly Recommended Practices! NIST IT Security Fundamentals For Small Business How to protect against Social Engineering. Social engineering is a personal or electronic attempt to obtain unauthorized information or access to systems/facilities or sensitive areas by manipulating people. The social engineer researches the organization to learn names, titles, responsibilities, and publically available personal identification information. Then the social engineer usually calls the organization’s receptionist or help desk with a believable, but made-up story designed to convince the person that the social engineer is someone in, or associated with, the organization and needs information or system access which the organization’s employee can provide and will feel obligated to provide. Train employees to protect against social engineering techniques, employees must be taught to be helpful, but vigilant when someone calls in for help and asks for information or special system access. The employee must first authenticate the caller by asking for identification information that only the person who is in or associated with the organization would know. If the individual is not able to provide such information, then the employee should politely, but firmly refuse to provide what has been requested by the social engineer. The employee should then notify management of the attempt to obtain information or system access. 53

133. Information Security Resources for Small Business Small Business Information Security : The Fundamentals (Security Guide for Small Business)http://csrc.nist.gov/publications/drafts/ir-7621/draft-nistir-7621.pdfSmall Business C enter Documentshttp://csrc.nist.gov/groups/SMA/sbc/library.html InfraGard http://www.infragard.net 54

135. Integrity

136. Availability55

137. References: Surviving Security Surviving Security—How to Integrate People, Process and Technology, 2nd Edition http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=27320&TEMPLATE=/ContentManagement/ContentDisplay.cfmIntroduction to the Business Model for Information Security , 2009 ISACAhttp://www.isaca.orgSmall Business Information Security : The Fundamentals (Security Guide for Small Business)http://csrc.nist.gov/publications/drafts/ir-7621/draft-nistir-7621.pdfSmall Business C enter Documentshttp://csrc.nist.gov/groups/SMA/sbc/library.htmlI nterHack,- Information Security: Friend or Foe, 2002http://web.interhack.com/publications/whatis-security.pdf 56