James Cannady, Ph.D., Professor at Nova Southeastern University's Graduate School of Computer and Information Sciences will present on "12 Simple Cybersecurity Rules For Your Small Business." In this online presentation twelve simple and inexpensive techniques for protecting small businesses from cyber threats will be discussed. While complex and expensive solutions exist to improve the security of information technology most of these products are not designed for the specific needs of small businesses. The techniques that will be discussed in the presentation are designed to address the most common threats encountered by small businesses without requiring significant expertise and expense.
12 Simple Cybersecurity Rules for Your Small Business
James Cannady, Ph.D.
Purpose of this presentation
• Small businesses form the foundation of our economy. Their need for information security is as great as a multi-national business, but they usually do not have the resources to dedicate to protecting their systems.
• Security does not have to be as complicated (or expensive) as it may seem
• The following rules are designed to serve as guidelines for small businesses as they consider options for securing their computer resources.
Rule #1: Focus on the Business
Concentrate on the Business
• Security is a support function for the business. It is not “the” business.
[Photo credit 2]
• Choose security technologies and techniques that support and enable the business
• Avoid changing the business to accommodate security products (there are lots of options)
Concentrate on the Business
• Business Requirements
• Security Policy
• Security Services
• Security Technologies
• Secure Operations
Rule #2: Decide How Much Security You Really Need
What do you need?
• There are a variety of available security technologies
• Price/availability/interoperability must all be considered
• Sometimes doing nothing is OK
• Defense in Depth as a strategy for a secure infrastructure
What do you need?
• Security is cumulative
• No single solution
• “We have a firewall!!!”
• Examine cost/benefit of each approach vs. cost of security incidents
• Focus first on biggest vulnerabilities
• Get what you need, but no more.
[Photo credit 3]
Rule #3: Prevention Is Easier Than The Cure
Security is more than technology
• Employee awareness of need for security
 – Formal training vs teaching moments
• Operations Security
 – The whole point of operations security is to have a set of operational (daily, habit ingrained) practices that make it harder for another group to compile critical information.
Rule #4: Understand Your Security
It’s Your Security
• Not everything can be done in-house
 – You will have to buy at least some commercial products
 – You may need to bring in outside consultants
• Make sure that all security components are well documented
 – Configuration, installation, etc.
 – Changes will need to be made eventually
• Be careful with factory defaults
 – Easier for remote tech services, but potential vulnerabilities
Rule #5: Start With The Security That You Already Have
Use The Security Software That You Already Own
• OS built-in security
 – Firewall
 – Built-in file encryption
• Not the strongest, but…
• Browser Security
 – No pop-ups
 – Limit access to certain websites
 – Lock settings to avoid changes that may compromise security
[Photo credit 5]
Rule #6: Back-up Your Important Data
Data Back-ups
• Simple vs. Complex
• Cheap vs. Expensive
• Time-consuming vs. Scheduled
• Manual vs. Automated
• Options
 – CD-ROMs/Thumb drives
 – Carbonite
• How Often?
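One way to turn the "manual vs. automated" and "how often" questions into a scheduled habit, as an added example that is not part of the presentation: a small Python script that archives a folder, records a SHA-256 digest beside each archive, checks that an archive is still intact and readable, and keeps only the newest copies. The folder names, sample files and two-copy retention are constructed for the illustration; nothing here is specific to any product named on the slide.

```python
# Added example (not from the presentation): an automated, verified and rotated
# backup of a folder, the kind of job a small business would schedule nightly
# with cron or Task Scheduler instead of copying files by hand.
import hashlib
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src: Path, dest: Path) -> Path:
    """Archive `src` into dest/<name>-<timestamp>.tar.gz and record its SHA-256 beside it."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S-%f")  # microseconds keep names unique
    archive = dest / f"{src.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    # The sidecar lets a later run prove the archive is intact without any other state
    Path(f"{archive}.sha256").write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """A backup you cannot restore is not a backup: check the digest and that the tar opens."""
    sidecar = Path(f"{archive}.sha256")
    if not sidecar.exists():
        return False
    expected = sidecar.read_text().split()[0]
    if sha256_of(archive) != expected:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            return len(tar.getmembers()) > 0
    except (tarfile.TarError, OSError):
        return False


def prune_backups(dest: Path, keep: int) -> list:
    """Delete all but the `keep` newest archives (names sort by timestamp); return what was removed."""
    archives = sorted(dest.glob("*.tar.gz"))
    removed = []
    for old in archives[:-keep] if keep > 0 else archives:
        old.unlink()
        Path(f"{old}.sha256").unlink(missing_ok=True)
        removed.append(old.name)
    return removed


def demo() -> dict:
    """Constructed end-to-end run on throwaway sample data; returns facts a test can check."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "books"  # stand-in for the business's records (constructed)
        src.mkdir()
        (src / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")  # constructed
        (src / "customers.txt").write_text("Alice\nBob\n")  # constructed
        dest = Path(tmp) / "backups"

        archives = [make_backup(src, dest) for _ in range(3)]  # three "nightly" runs
        all_verified = all(verify_backup(a) for a in archives)

        archives[0].write_bytes(b"not a tar file")  # simulate silent corruption on disk
        corruption_caught = not verify_backup(archives[0])

        removed = prune_backups(dest, keep=2)  # retention: keep the two newest copies
        remaining = len(list(dest.glob("*.tar.gz")))

        # Restore check: read the ledger straight out of the newest archive
        with tarfile.open(archives[-1], "r:gz") as tar:
            ledger = tar.extractfile("books/ledger.csv").read().decode()
        restored_matches = ledger == "date,amount\n2024-01-01,100\n"

        return {
            "all_verified": all_verified,
            "corruption_caught": corruption_caught,
            "removed": len(removed),
            "remaining": remaining,
            "restored_matches": restored_matches,
        }


if __name__ == "__main__":
    print(demo())
```

Run `make_backup` and `prune_backups` from a scheduled task, and run `verify_backup` on a different day than the backup was taken; the digest check catches a copy that has silently rotted on a thumb drive, and the restore read is the only real proof that the archive is usable.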
Rule #7: Use Antiviral Programs
Antivirus
[Photo credit 6]
• Relatively cheap
• User friendly
• Scan every download
• Also consider spyware/adware protection
• Keep it up-to-date
Rule #8: Limit Access To Your Sensitive Data
Access Control
• System administration is a one person job
 – Only one person needs to be able to have full control over the system (backup sysadmin ok, but no more)
• The crown jewels of the business need to be limited to specific personnel
 – How?
• Password-protected files
• Separate computers for sensitive data
[Photo credit 4]
Rule #9: Secure Your Wi-Fi
Secure Your Wi-Fi
• Almost every business has one.
• They are easy to find and easy to exploit, especially if simple security measures are not used
• Current encryption standards for Wi-Fi are not particularly strong, but it is usually enough to dissuade the bad guys, especially since there are almost certainly unsecured Wi-Fi networks nearby
[Photo credit 1]
Rule #10: Create a Security Policy
Security Policies
• Start with a written Security Policy.
• You must have a plan
• Know your assets and know your risks
• Cover the basics first.
• Then apply technology to support your policy and solve specific problems.
 – Authentication
 – Confidentiality and Integrity
 – Perimeter defense
 – Intrusion Detection and Audit
[Photo credit 8]
Rule #11: Don’t Forget to Lock the Door
Physical Security
• Physical security is as important as any other form of information security
• Computers should not be accessible by unauthorized users
[Photo credit 8]
• Servers should be guarded with sufficient care to protect the data they contain.
• Challenge strangers
Rule #12: Security is Not Magic
There is no panacea
[Photo credit 7]
You will not have perfect security, no matter how much money you are able to spend …but it doesn’t have to be perfect.
Security is the process of enabling the protected information system to do what it was designed to do. Nothing more, nothing less.
Take Home Points
• Security is not the business, it supports the business
• Decide what you need, don’t rely on a vendor to tell you what you need
• There are a variety of inexpensive (or free) approaches to security that provide excellent protection
• Physical security is at least as important as any other form of protection
• Don’t strive for perfect security. You only need to secure enough that it’s not worth the effort required of the bad guys
James Cannady, Ph.D.
Graduate School of Computer and Information Sciences
Nova Southeastern University
[email protected]
Photo Acknowledgements
1. http://www.pcworld.com/article/2052158/5-wi-fi-security-myths-you-must-abandon-now.html
2. http://www.lbcc.edu/business/
3. http://www.walt.com/case-studies/ssh/
4. https://wiki.duke.edu/display/oitwebstyle/Information+Display+-+Slide+Examples
5. http://blogs.sans.org/securingthehuman/files/2012/04/[email protected]
6. http://[email protected]/run-regular-anti-virus-updates-and-scans/
7. http://www.thisisvisceral.com/2013/08/development-tips-tricks-summer-2013/
8. http://[email protected]/2012/12/09/developing-information-security-policy/