Month: February 2017

Cyber Security is Serious Business

No company is truly safe from having their systems hacked and their data stolen. Most companies store or transmit some type of sensitive data that could be monetized by a malicious individual.

Examples of this include:

  • Personally identifiable information
  • Protected health records
  • Credit card information
  • Intellectual property

These records are not only valuable to the company; they are also very attractive to a nefarious individual. This is why cyber security should be taken seriously, whether it’s an enterprise-level company or a small business with three staff members. The risks of a breach are too high. Some companies never recover from a breach, and the costs can become astronomical.

Most enterprise-level organizations have big budgets and dedicated cyber security teams to protect their data and investigate security incidents. Attackers are getting wind of this and targeting smaller companies, knowing they lack the budget and skills to effectively protect their data. That is mostly true: small businesses cannot afford a dedicated security team; they do not have the budget for it. That does not mean all hope is lost.

In my experience, there are a few security initiatives that small companies should implement at a bare minimum. Doing the following significantly limits their attack exposure and decreases the likelihood of a breach.

The security initiatives discussed will include:

  1. Create cyber security policies and procedures
  2. Patch your systems on a monthly basis
  3. Perform user awareness training
  4. Run anti-virus
  5. Create a separate administrative user account
  6. Implement a network perimeter firewall
  7. Do not allow servers to have direct internet access
  8. Implement a web proxy for all desktop/laptop internet access
  9. Encrypt all sensitive data at rest and in transit


Cyber Security Initiatives for Small Businesses

1. Create cyber security policies and procedures

Examples include acceptable use policies and email usage policies. These are the guiding principles of an organization, and its staff must adhere to them. Enforcing effective cyber security becomes much harder without policies and procedures in place.

2. Patch your systems on a monthly basis at the very least

This is one of the most effective security controls one can implement. Patches are developed for a reason: to plug security vulnerabilities. So patch the vulnerable systems as soon as you can. Of course, patches should be installed on test systems first before being pushed into production.

3. User awareness training on good security practices – specifically focusing on detecting phishing emails

I cannot stress enough how important this is. One of malware’s primary modes of infection has been phishing email. All it takes is one user clicking on a phishing email that contains malware and the bad guy has a foothold in the company’s network. Or the company’s data has now been encrypted by a bad guy who is demanding a ransom to decrypt it. Frequently conducting user awareness training on how to spot a phishing email, together with simulated phishing attacks, raises awareness of these types of attacks. The hope is that it makes people think twice before clicking on that attachment.

4. Run antivirus on all your systems and ensure their virus signatures are up to date on a daily basis

Antivirus may not catch everything, but it can detect commonly known malware. It is not a silver bullet by any means, but it is a semi-effective tool when used in conjunction with other security tools. Do your research on which antivirus programs are the most effective. There are some really good ones and some poor performers in terms of detection rate.

5. Use a separate user account for all administrative or high privilege tasks

A regular user account, the one you normally use on your desktop, is for everyday use and should not have much network-level access. That everyday account is the one most likely to introduce something malicious onto the desktop. By using a lower-privilege account for daily work, one can contain the damage from malware to possibly one system, as opposed to many systems when an account with a significant amount of access is used.
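One way to check that everyday accounts and admin accounts are actually separate on a Linux host, as an added example that is not part of the original post: the script below parses /etc/passwd and /etc/group content, finds interactive (human) accounts, and reports any that sit in a privileged group without being a dedicated admin account. The passwd and group content is constructed, and the "-adm" suffix for privileged accounts is an assumed naming convention, not something the post prescribes.

```python
"""Audit that everyday login accounts do not carry admin group membership.
Added example: the passwd/group content below is constructed, and the
"-adm" suffix is an assumed convention for dedicated admin accounts."""

PRIVILEGED_GROUPS = {"sudo", "wheel", "admin"}   # common Linux admin groups
ADMIN_SUFFIX = "-adm"                              # assumed naming convention

# Constructed sample of /etc/passwd: alice has a split pair, bob does not.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
alice-adm:x:1002:1002:Alice (admin):/home/alice-adm:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
svc-backup:x:998:998:backup service:/var/lib/backup:/usr/sbin/nologin
"""

# Constructed sample of /etc/group (supplementary memberships only).
GROUP = """\
root:x:0:
sudo:x:27:alice-adm,bob
wheel:x:10:
users:x:100:alice,bob
"""


def interactive_users(passwd_text):
    """Human accounts: UID >= 1000 with a real login shell."""
    users = set()
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if int(uid) >= 1000 and not shell.endswith(("nologin", "false")):
            users.add(name)
    return users


def group_members(group_text):
    """Map group name -> set of supplementary members (primary GIDs from
    passwd are not considered here)."""
    members = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, member_list = line.split(":")
        members[name] = set(filter(None, member_list.split(",")))
    return members


def privileged_users(group_text):
    """Every account that is a member of any privileged group."""
    gm = group_members(group_text)
    return {u for g in PRIVILEGED_GROUPS for u in gm.get(g, set())}


def everyday_accounts_with_admin(passwd_text, group_text):
    """Interactive accounts holding admin group membership that are not
    dedicated admin accounts; these are the ones to split into a daily
    account plus a separate privileged account."""
    return sorted(
        u for u in interactive_users(passwd_text) & privileged_users(group_text)
        if not u.endswith(ADMIN_SUFFIX)
    )


if __name__ == "__main__":
    for user in everyday_accounts_with_admin(PASSWD, GROUP):
        print(f"{user}: everyday account holds admin group membership")
```

On a real host, read the two files instead of the constructed strings; with the sample data above, only `bob` is reported, since `alice` does her privileged work from `alice-adm` and `svc-backup` has no login shell.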

6. Implement a network perimeter firewall

This is a simple yet effective method of protecting your internal assets from most outside threats, specifically bots performing reconnaissance to determine which ports are open from the outside.

7. Do not allow servers to have direct internet access

Most servers should never have a requirement to access the internet. Nobody should ever use a server to surf the web. If, for some reason, a server does require internet access, then a firewall rule should be configured allowing the server to communicate only with the specific external destination. An example would be an antivirus management server: it needs to communicate with the vendor’s system to get updates, so a firewall rule would be configured allowing access only to the vendor’s server. If the server must have broader internet access, ensure it goes through a web proxy.

8. Implement a web proxy and configure all desktops/laptops to use the proxy for internet access. Block all other raw internet access. Allow on a case-by-case basis.

A web proxy provides a layer of security between the desktop and the web. The web proxy can enforce policies on what categories of sites are permissible and block known malicious sites. This decreases the chance of a system compromise from malware hosted on a website. Most malware that I have experience with is not proxy aware. Thus, the malware cannot exfiltrate data or communicate with its command and control server if there is no direct internet connection.
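The egress design of items 7 and 8 (servers get no direct internet access except a narrow per-destination rule, desktops reach the web only through the proxy, everything else is denied), modelled as an added example that is not part of the original post. All addresses, the proxy, the AV vendor host and the sample flows are constructed; the point it shows is that a default-deny outbound policy plus a proxy is what stops non-proxy-aware malware from calling out, because its direct connection attempt matches no rule.

```python
"""Model of a default-deny egress policy with narrow allow rules.
Added example: hosts, addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination TCP port


@dataclass(frozen=True)
class Rule:
    src_net: str   # CIDR the rule applies to
    dst_net: str   # CIDR of the permitted destination
    dport: int     # permitted destination port
    comment: str   # why the rule exists


INTERNAL = ip_network("10.0.0.0/8")   # constructed internal range
PROXY = "10.0.1.10"                   # constructed: web proxy
AV_VENDOR = "203.0.113.25"            # constructed: AV vendor update host

# Constructed egress allow-list. Anything not matched is denied.
RULES = [
    Rule("10.0.1.0/24", f"{PROXY}/32", 3128, "desktops -> web proxy only"),
    Rule("10.0.2.5/32", f"{AV_VENDOR}/32", 443, "AV management server -> vendor updates"),
    Rule(f"{PROXY}/32", "0.0.0.0/0", 443, "proxy itself may fetch HTTPS sites"),
    Rule(f"{PROXY}/32", "0.0.0.0/0", 80, "proxy itself may fetch HTTP sites"),
]


def evaluate(flow, rules=RULES):
    """Return ("allow" | "deny", reason). Traffic that stays inside the
    internal range never crosses the perimeter and is not evaluated here;
    anything leaving it must match an explicit rule."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst in INTERNAL:
        return "allow", "internal traffic, not perimeter egress"
    for r in rules:
        if (src in ip_network(r.src_net)
                and dst in ip_network(r.dst_net)
                and flow.dport == r.dport):
            return "allow", r.comment
    return "deny", "default deny: no matching egress rule"


def denied_egress(flows, rules=RULES):
    """Flows the perimeter dropped; these are the events worth alerting on,
    since a legitimate host should never generate them."""
    return [f for f in flows if evaluate(f, rules)[0] == "deny"]


# Constructed sample of connection attempts seen at the perimeter.
SAMPLE_FLOWS = [
    Flow("10.0.1.55", PROXY, 3128),             # desktop browsing via proxy
    Flow("10.0.1.55", "10.0.2.20", 445),        # desktop to internal file server
    Flow("10.0.1.55", "198.51.100.7", 443),     # desktop trying the web directly
    Flow("10.0.2.5", AV_VENDOR, 443),           # AV server fetching updates
    Flow("10.0.2.5", AV_VENDOR, 80),            # same server, wrong port
    Flow("10.0.2.20", "198.51.100.7", 443),     # file server trying the web directly
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = evaluate(f)
        print(f"{f.src} -> {f.dst}:{f.dport}  {verdict:5}  {reason}")
```

The two direct-to-internet attempts on port 443 are the ones to watch: a non-proxy-aware program on a desktop or a server behaves exactly like that, and the denied-egress list is a cheap detection signal for a small business that has no SOC.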

9. Encrypt all sensitive data at rest and in transit

This should be done wherever sensitive data resides. There are numerous commercial and free tools available which can be used to encrypt data at rest. Sensitive data should also be encrypted during transport whenever possible. Most protocols which support data transfers have a secure option. Examples include HTTPS, SFTP or FTPS, and scp.

If you found this article to be valuable, please share it with your friends, family, and coworkers. To read more articles like this one, visit my article catalogue.