Hi, Habr! I present to your attention a translation and adaptation of the article "CIS Controls Implementation Guide for Small- and Medium-Sized Enterprises (SMEs)".

Introduction
Credit card information leaks, personal data theft, ransomware (for example, WannaCry), intellectual property theft, breaches of confidentiality, denial of service: these information security incidents have become everyday news. Among the victims are the largest, wealthiest and best-protected enterprises: government agencies, large retail chains, financial institutions, even manufacturers of information security solutions.
Such companies have multimillion budgets allocated to information security, and yet they fail to withstand ordinary attacks. Many such attacks could have been prevented by well-known protective measures, such as regular updates and the consistent use of secure configurations.
What, then, are the rest to do? How can organizations with a small budget and limited staff respond to the growing number of cyber crimes? This document is designed to give SMB owners tools to protect their business, based on the CIS Controls. The CIS Controls are a comprehensive set of well-proven information security techniques that counter the most common threats and vulnerabilities. These techniques were developed by experts in the field.
Among the threats to SMB are:
- Theft of confidential information: an attack in which external intruders or disgruntled employees steal information that is important to the company.
- Site defacement: an attack in which a page of a web site is replaced with another page, most often containing advertisements, threats or warnings.
- Phishing: an attack in which an attacker obtains important information (for example, usernames, passwords or credit card data) by forging messages from a trusted source (for example, an e-mail crafted to look legitimate tricks the recipient into clicking a link in it).
- Ransomware: malicious software that blocks access to data on a computer, after which criminals demand a ransom to unlock the data.
- Data loss due to natural phenomena or accidents.
The document contains a small set of CIS Controls information security measures specifically selected to protect SMB. Since information security tools are constantly changing, you can contact us on the site to get the latest information.
Overview
Security is closely related to IT infrastructure management: a well-managed network is harder to crack than a poorly managed one. To understand how well your organization is protecting information, ask yourself the following questions:
- Do you know what your employees connect to their computers? What devices are connected to the local network?
- Do you know what software is used in your information systems?
- Did you set up computers with information security requirements?
- Do you control employee access to confidential information or those who have elevated access rights in the systems?
- Do your employees understand their role in protecting your organization from information security threats?
Listed below are various free or low-cost tools, as well as procedures, that will help you answer these questions and raise the security level of your organization. The list is not exhaustive, but it reflects the wide range of free or low-cost tools that any SMB can use to improve its information security.
These Recommendations suggest using a phased approach to building an information security system:
- Stage 1 helps you understand what is on your network and defines the basic information security requirements;
- Stage 2 focuses on meeting those basic requirements and educating staff on information security;
- Stage 3 helps your organization prepare for information security incidents.
At each stage, you will be presented with questions that need to be answered, as well as actions and tools that will help you achieve your goals.
Stage 1. Know your infrastructure

At the very beginning, in order to make progress on information security, you need to understand your local network, the connected devices, your critical data and your software. Without a clear understanding of what you need to protect, it will be difficult to be sure that you provide an acceptable level of information security.
Key questions to keep in mind:
- Do you know what information needs to be protected? Where is the most important information stored on your network?
- Do you know which devices are connected to your network?
- Do you know what software is installed on employees' computers?
- Do your system administrators and users use strong passwords?
- Do you know which online resources your employees use (i.e., whether they are working or browsing social networks)?
What information needs to be protected. Where the most important information is stored in your network
You may lose your business if your company's critical data is lost, stolen or damaged. Accidental events and natural disasters also have the potential to cause irreparable damage. In addition, potential intruders target data that may have value to them. These attackers can be outside hackers as well as employees of your company who want to steal your customers, financial information or intellectual property. To make use of valuable information they must first gain access to it, and that access, as a rule, is obtained through the organization's local network.
To protect your business, you need to understand the value of your data and how it could be used. It is also necessary to determine what information must be protected under the law, for example, payment information or personal data. The following are examples of data that you need to identify and inventory:
- Credit cards, banking and financial information;
- Personal Information;
- Customer databases, purchase / supply prices;
- Commercial secrets of the company, formulas, methodologies, models, intellectual property.
Below are the main federal laws that define information protection requirements (which may apply to SMB) [from the translator: the documents are listed taking into account Russian legislation]:
- Federal Law of 27.07.2006 No. 152- “On Personal Data”;
- Federal Law of 27.06.2011 No. 161- “On the National Payment System”;
- Federal Law of 21.11.2011 No. 323- “On the Fundamentals of Protecting Public Health in the Russian Federation”;
- Federal Law of 29.11.2010 No. 326- “On Compulsory Health Insurance in the Russian Federation”;
- Federal Law of 27.07.2006 No. 149- “On Information, Information Technologies and Protection of Information”;
- Federal Law of 29.07.2004 No. 98- “On Commercial Secrets”.
What devices are connected to your network
If you know which devices are connected to your network, your infrastructure becomes easier to manage and you understand which devices you need to protect. The following are steps you can take to find out about the devices on your network.
Actions:
- If you have a wireless network, check on your router (wireless access controller) which devices are connected and whether strong encryption (WPA2) is used.
- For larger organizations, it is suggested to use a network scanner (commercial or free) to identify all devices on your network.
- Enable logging of events for network devices that obtain an IP address via DHCP. Logging such events gives you a convenient record of every device that has been on your network. (If you need help, contact your IT professional.)
- In small organizations, you can keep a list of your equipment (computers, servers, laptops, printers, phones, etc.) and a list of protected information in a spreadsheet that needs to be updated when new equipment or data appears.
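As an added example (not code from the CIS guide or the original article), the Python script below shows what the DHCP logging and the spreadsheet inventory from the two actions above give you when combined: it parses DHCPACK lines from a constructed dnsmasq-style log, loads a constructed CSV export of the inventory, and reports devices seen on the wire that are not in the inventory, as well as inventoried devices that never appeared. The log format, the CSV columns and all addresses are assumptions made for the demonstration.

```python
"""Reconcile DHCP lease events against an approved-device inventory.

Added example, not from the CIS guide or the article. The log lines and the
inventory below are constructed samples; the DHCPACK line format follows the
dnsmasq style, which is an assumption about the reader's DHCP server.
"""
import csv
import io
import re

# Constructed sample: DHCPACK events as a small DHCP server might log them.
SAMPLE_DHCP_LOG = """\
May  3 08:01:12 gw dnsmasq-dhcp[842]: DHCPACK(eth0) 192.168.1.20 aa:bb:cc:dd:ee:01 fin-laptop
May  3 08:02:40 gw dnsmasq-dhcp[842]: DHCPACK(eth0) 192.168.1.21 aa:bb:cc:dd:ee:02 office-printer
May  3 08:15:03 gw dnsmasq-dhcp[842]: DHCPACK(eth0) 192.168.1.77 de:ad:be:ef:00:01 android-4f2c
May  3 09:30:55 gw dnsmasq-dhcp[842]: DHCPACK(eth0) 192.168.1.20 aa:bb:cc:dd:ee:01 fin-laptop
"""

# Constructed sample: the organisation's spreadsheet inventory, exported as CSV.
SAMPLE_INVENTORY_CSV = """\
mac,owner,device
aa:bb:cc:dd:ee:01,Finance,fin-laptop
aa:bb:cc:dd:ee:02,Office,office-printer
aa:bb:cc:dd:ee:03,Sales,sales-laptop
"""

# Matches "DHCPACK(<iface>) <ip> <mac> [<hostname>]".
DHCPACK_RE = re.compile(
    r"DHCPACK\(\S+\)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)


def parse_leases(log_text):
    """Return {mac: (ip, hostname)} for every DHCPACK line; later lines win."""
    seen = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            seen[m["mac"].lower()] = (m["ip"], m["host"] or "")
    return seen


def load_inventory(csv_text):
    """Return {mac: (owner, device)} from the CSV inventory export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["mac"].lower(): (row["owner"], row["device"]) for row in reader}


def reconcile(leases, inventory):
    """Split devices into known (seen and inventoried), unknown (seen but not
    inventoried) and absent (inventoried but never seen in the log)."""
    known = {mac: info for mac, info in leases.items() if mac in inventory}
    unknown = {mac: info for mac, info in leases.items() if mac not in inventory}
    absent = {mac: info for mac, info in inventory.items() if mac not in leases}
    return known, unknown, absent


if __name__ == "__main__":
    known, unknown, absent = reconcile(
        parse_leases(SAMPLE_DHCP_LOG), load_inventory(SAMPLE_INVENTORY_CSV)
    )
    for mac, (ip, host) in unknown.items():
        print(f"UNKNOWN device on network: {mac} {ip} {host!r} - inventory it or investigate")
    for mac, (owner, device) in absent.items():
        print(f"Inventoried but not seen: {mac} ({owner}, {device})")
```

Run it periodically against the real DHCP log and the current inventory export; every "unknown" line is either a device that must be added to the spreadsheet or one that should not be on the network at all.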
Instruments:
- Nmap : A well-known multipurpose network scanner used by system administrators and hackers around the world to determine which devices are connected to your network.
- ZenMap : user-friendly graphical interface for Nmap
- Spiceworks : Free Inventory and Resource Management Software (devices and installed software) on your network
What software is installed on employees' computers
Monitoring installed software is a key component of both good IT management and effective information protection. Malicious software on your network creates risks that need to be minimized, and unlicensed software can also expose you to legal liability. Out-of-date software is a common entry point for malware and the attacks on your information systems that follow. If you understand what software is installed on your network, control what gets installed, and protect administrator accounts, you reduce the likelihood and impact of information security incidents.
Actions:
- Create a list of the applications, web services and cloud solutions that your organization uses.
- Limit the number of users with administrative rights to the lowest possible value. Do not allow ordinary users to work in the system with administrator rights.
- Use complex passwords for administrative accounts, as administrators can make major changes to the system. Develop instructions for employees to create complex passwords [from translator: an example of creating a complex password is here ] .
- Make sure that system administrators use a separate user account for reading email, accessing the Internet, and compiling documents.
- Develop a procedure for installing software on your network and block the installation of unapproved applications using, for example, AppLocker.
Instruments:
- AppLocker : a free Microsoft Windows tool for identifying and restricting the software that is allowed to run
- Netwrix : Lots of free tools to identify administrative access information on your systems
- OpenAudIT : software inventory on servers, workstations and network devices
Stage 2. Protect your assets

Employees are your most important asset, and this saying is true not only in business but also in information security. Protecting your information requires not only technological solutions but also employee awareness, so that they do not accidentally disrupt your systems. This stage covers not only protecting your computers but also training your employees in the important aspects of information security.
A few questions you need to answer:
- Did you set up computers with information security requirements?
- Does your network run anti-virus software that is constantly updated?
- Do you tell your employees about modern methods of protecting information?
Configure basic information security requirements
To gain access to your information system, malware and attackers most often use either insecurely configured applications or vulnerable applications. You need to make sure that your operating system and applications (especially web browsers) are updated and properly configured. In addition, it is recommended to use the anti-malware protection mechanisms built into your operating system, for example Windows Device Guard, Windows BitLocker and the others mentioned below.
Actions:
- Periodically run the Microsoft Baseline Security Analyzer to determine which patches and updates are missing from the Windows operating system and what configuration changes need to be made;
- Make sure your browser and its plugins are up to date. Prefer browsers that update their components automatically, such as Google Chrome [from translator: Yandex Browser can be the Russian equivalent];
- Use an antivirus with up-to-date signature databases to protect systems from malware;
- Limit the use of removable media (USB, CD, DVD) to those employees who really need it to perform their duties;
- Install the Enhanced Mitigation Experience Toolkit (EMET) on Windows computers to protect against the exploitation of software vulnerabilities;
- Require multifactor authentication where possible, especially for remote access to the internal network or e-mail. For example, use hardware tokens / smart cards or SMS codes as an additional layer of security on top of passwords;
- Change the default passwords of all applications, operating systems, routers, firewalls, wireless access points, printers / scanners and other devices when adding them to the network;
- Use encryption when managing your devices remotely and when transferring sensitive information;
- Encrypt the hard drives of laptops and mobile devices containing sensitive information.
Instruments:
- Bitlocker : built-in encryption for Microsoft Windows devices
- FileVault : built-in encryption for Mac devices
- Qualys Browser Check : a tool to check your browser for the latest updates
- OpenVAS : a tool to test systems for compliance with basic information security requirements
- Microsoft Baseline Security Analyzer : Microsoft's free tool for understanding how Windows computers can be safely configured.
- CIS Benchmarks : free PDF files with secure configuration instructions for more than 100 technologies.
Development of processes on information security
Information security is not only about technology but also about processes and people. Having information security tools alone is not enough. To keep your organization secure, your employees must also strictly comply with information security requirements. Teaching employees about information security has two key components: conveying the information to them and continually maintaining their level of knowledge.
Information to be communicated to employees:
- Identify employees in your organization who have access to or process sensitive information and make sure they understand their role in protecting this information.
- The two most common attacks are phishing by e-mail and by phone. Make sure your employees can describe and recognize the main signs of an attack. Such signs include situations where the other party conveys great urgency, asks for valuable or confidential information, uses obscure or technical terms, or asks you to ignore or bypass security procedures.
- Employees should understand that common sense is the best defense. If what is happening seems strange, suspicious, or too good to be true, these are most likely signs of an attack.
- Encourage the use of complex, unique passwords for each account and / or two-factor authentication where possible.
- Require your colleagues to use "screen lock" on their mobile devices.
- Make sure that all employees constantly update their devices and software.
Knowledge support:
- Explain to your employees how to protect the organization and how the same methods apply in their personal lives, and make sure they understand this;
- Make sure all employees understand that information security is an important part of their work;
- Distribute free information security awareness materials to your employees, such as the SANS OUCH! newsletter and the monthly MS-ISAC newsletters;
- Use online resources such as the National Cybersecurity Alliance's StaySafeOnline.org.
Instruments:
Stage 3: Prepare your organization

After your organization has built a solid foundation for information security, you need to build incident response mechanisms. This means understanding how to handle an information security incident and how to restore the company's operations afterwards.
Key issues:
- Do you know when your valuable files were last backed up?
- Do you regularly check the correctness of backups?
- Do you know which colleagues to contact if an incident occurred?
Backup Management
Creating and managing backups can be a routine and not very interesting task, but it is one of the best ways to protect your data, recover from a failure and get your business back to normal. This matters because ransomware can encrypt all of your data and hold it until a ransom is paid. A robust response plan, supported by current, tested backups, is the best defense when dealing with an information security incident.
Actions:
- Automatically perform weekly backups of all computers containing important information;
- Periodically check your backups, restoring the system using a backup;
- Make sure that at least one backup is not reachable over the network. This helps protect against ransomware, because such a backup cannot be reached by the malware.
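The second action above, checking your backups, is the step most often skipped. As an added example (not code from the CIS guide or the original article), the Python script below builds a SHA-256 manifest for a backup set and verifies the set against it later, so that a restore test fails loudly on missing, altered or encrypted files. The backup directory, its files and the damage scenario are constructed in a temporary directory; the one-line-per-file manifest format is this example's own convention, not a standard.

```python
"""Build a SHA-256 manifest for a backup set and verify it later.

Added example, not from the CIS guide or the article. The backup files are
constructed in a temporary directory; the manifest format ("<sha256>  <path>"
per line) is this example's own convention.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB blocks so large backups need not fit in memory


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Return {relative_posix_path: sha256} for every regular file under backup_dir."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(manifest, manifest_path):
    """Store the manifest outside the backup set so it is not part of what it describes."""
    with open(manifest_path, "w", encoding="utf-8") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")


def read_manifest(manifest_path):
    """Parse the manifest written by write_manifest back into a dict."""
    manifest = {}
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_backup(backup_dir, expected):
    """Compare the files on disk with the manifest.

    Returns (missing, changed, extra): paths in the manifest but absent on disk,
    paths whose content hash differs, and paths on disk not in the manifest."""
    actual = build_manifest(backup_dir)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    changed = sorted(rel for rel in set(expected) & set(actual) if expected[rel] != actual[rel])
    return missing, changed, extra


def demo():
    """Constructed scenario: a good backup, then the same set after one file is
    overwritten (as ransomware would do) and another is deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (backup / "customers.db").write_bytes(b"\x00" * 1024)
        manifest_path = Path(tmp) / "MANIFEST.sha256"
        write_manifest(build_manifest(backup), manifest_path)
        clean = verify_backup(backup, read_manifest(manifest_path))
        # Damage the set after the manifest was taken.
        (backup / "finance" / "ledger.csv").write_bytes(b"ENCRYPTED" * 8)
        (backup / "customers.db").unlink()
        damaged = verify_backup(backup, read_manifest(manifest_path))
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean backup   (missing, changed, extra):", clean)
    print("damaged backup (missing, changed, extra):", damaged)
```

Keep the manifest with the offline copy mentioned in the third action: a manifest that lives next to the backup on the same network share can be encrypted or rewritten together with it. The hash check verifies that the files are intact; it does not replace actually restoring a system from the backup, which is what the second action asks for.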
Instruments:
Preparing for the incident
Nobody wants an information security incident to happen, but the better prepared you are, the sooner you can recover from one. Information security incidents include a denial-of-service attack that disrupts access to your site, a ransomware attack that locks your system or your data, a malware attack that results in the loss of your clients' or employees' data, and the theft of a laptop containing unencrypted data.
To be prepared, you need to know whom to contact in case of an incident. You can turn to your internal IT staff for help, or perhaps you rely on a third-party incident response company. In either case, you should know the roles of those responsible for handling incidents before an event occurs.
Actions:
- Identify the people in your organization who will make decisions and give instructions in the event of an incident.
- Provide contact information for IT staff and / or third parties.
- Join associations that focus on sharing information and promoting information security.
- Keep a list of external contacts as part of your plan. These may include legal advisors, insurance agents (if you have insured your information security risks) and security consultants.
- Check the laws on information security breaches that apply in your country.
What to do if an incident occurs:
- Consider contacting an information security consultant if the nature and extent of the incident is not clear to you.
- Consider contacting a lawyer if it turns out that confidential third-party information was compromised in the incident.
- Prepare to notify all affected persons whose information was disclosed as a result of the breach.
- If necessary, inform law enforcement officers.