Information Security: For Small Business


INFORMATION SECURITY FOR SMALL BUSINESS
by Julius Clark Sr., MBA, CISSP, CISA

About Me
Julius Clark Sr.

Location: Charlotte, NC (current home; has resided in Charlotte, NC for over 10 years)
Hometown: Boston, MA
Profession: Information Security Professional

BDPA History
2010-2012  Charlotte President
2010-2012  National BDPA CISO
2007-2009  Charlotte President-Elect
2004-2006  VP of SITES (Education)
2001-2003  Charlotte HSCC Coordinator

Education
MBA in Information Security, Salem International University, Salem, WV
MSIS in Information Security, University of Fairfax, Fairfax, VA
BS in Electronic Engineering, Wentworth Institute of Technology, Boston, MA

Certifications
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Auditor (CISA)
Microsoft Certified Systems Engineer (MCSE)

Agenda
Information Security for Small Business

IT Security & Business Wholeness
What Is Information Security?
Components of Information Security Architecture
Cyber Crime in the News
Business Continuity & Disaster Recovery Planning
Identifying Business Critical Assets
Safeguarding Critical Assets
Highly Recommended IT Security Practices

IT SECURITY & BUSINESS WHOLENESS

Maslow's Hierarchy of Needs

Being aware of one's wholeness keeps bad things from happening. A solid foundation must be built to advance. Understanding your environment, your health and your activities helps one to continually perform risk assessments and move to the next level.

Self Actualization - Being All You Can Be
Esteem - Recognition for Good Work
Love - Acceptance
Safety & Security - Stability
Needs - Air, Food, Water, Shelter

Maslow's Business Comparison

Maslow's Hierarchy of Needs can be applied to building a successful business. IT Security is a foundation that businesses must build upon to lower IT Security risks, which can help your business gain a competitive edge.

Self Actualization - Meeting the Mission Statement
Esteem - Recognition in the Marketplace
Love - Acceptance by Clients or Customers
Safety & Security - IT Security & Insurance
Needs - Capital & People

Importance of Small Businesses

Statistic: There are over 26 million small businesses in the U.S.
Source: NIST

What Is At Stake?

Your Business!

Your business is at risk of being damaged due to:
Financial loss
Lawsuits
Reputation loss
Loss of market share
Theft of its technology, resources and products
Denial of service attacks
Blackmail

WHAT IS INFORMATION SECURITY?

What Is Information Security?

Protecting your information, technology, property, products and people, thus protecting your business.

The Information Security Triad is the foundation for Information Security and is based on concepts and principles known as CIA:
Confidentiality
Integrity
Availability

What Is Information Security?

Confidentiality
Concept of protecting information from improper disclosure and protecting the secrecy and privacy of sensitive data so that the intellectual property and reputation of an organization are not damaged and that data related to individuals is not released in violation of regulations or the privacy policy of the organization.
- From the CISSP CBK

What Is Information Security?

Integrity
Addresses two objects, which are protecting data and processes from improper modification, and ensuring the operations of the information are reliable and performing as expected.
- From the CISSP CBK

What Is Information Security?

Availability
The concept of ensuring that the systems and data can be accessed when required. Availability is impacted by human error, cabling problems, software bugs, hardware failures, loss of skilled staff, malicious code, and the many other threats that can render a system unusable or unreliable.
- From the CISSP CBK

COMPONENTS OF INFORMATION SECURITY ARCHITECTURE

Components of Information Security Architecture

The process of instituting a complete information security solution to the architecture of a business, ensuring the security of business information at every point in the architecture.

People
Processes
Technology

Components of Information Security Architecture

People
People are the weakest link of a business process. You all know why!

Components of Information Security Architecture

Processes
The operational aspects of small business. Safeguards can be automated or manual.

Components of Information Security Architecture

Technology
All of the tools, applications, software, and infrastructure that allow a business process to work and perform efficiently. Thus, as a business owner, you must ensure that you have adequate logical controls in place to help you stay on track with your business mission or purpose.

CYBER CRIME IN THE NEWS

Who Are The Actors?

Their Roles:
Experimenters
Hacktivists
Cyber criminals
Information Warriors
Employees
Dumpster divers
Natural disasters
Terrorist activities

Who Are The Actors?

Malicious Code!
Key loggers - stealing your keystrokes
Viruses
Denial of service
Turning your computer into a zombie, aka Bot

Cyber Crime In the News

Cyber Crime Statistics!

Insider threats are responsible for over 80% of small business issues.
There are over 70,000 active viruses, and the number is growing exponentially.
Information Security threats can damage or destroy a small business.
33% of businesses with 100 employees or fewer had a computer incident.
Source: NIST

Cyber Crime Statistics!

Small Business Cyber Crime Report
42% of businesses had a laptop theft
44% of businesses suffered from insider abuse
21% of businesses reported denial of service
50% of businesses detected viruses
20% of business systems became a Bot
Source: Computer Security Institute Survey

Cyber Crime Statistics!

Reported Data Breaches
2007 - there were 445 data breaches reported
2008 - there were 656 data breaches reported
2009 - approx. 392 data breaches reported
Source: USA Today, October 9, 2009

Chronology of Data Breaches

www.privacyrights.org

The figure 354,537,108 indicates the total number of records compromised.

BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING

Business Continuity & Disaster Recovery Planning

NIST IT Security Fundamentals For Small Business
Contingency and Disaster Recovery planning considerations

What happens if there is a disaster (flood, fire, tornado, etc.) or a contingency (power outage, sewer backup, accidental sprinkler activation, etc.)? Do you have a plan for restoring business operations during or after a disaster or a contingency? Since we all experience power outages or brownouts from time to time, do you have Uninterruptible Power Supplies (UPS) on each of your computers and critical network components? They allow you to work through short power outages and to save your data when the electricity goes off.

Conduct an inventory of all information used in running your business. Do you know where each type of information is located (on which computer or server)? Have you prioritized your business information so that you know which type of information is most critical to the operation of your business and, therefore, which type of information must be restored first in order to run your most critical operations?

If you have never (or not recently) done a full inventory of your important business information, now is the time. For a very small business, this shouldn't take longer than a few hours. For a larger small business, this might take from a day to a week or so.

While you are doing this inventory, ensure that the information is prioritized relative to its importance for the entire business, not necessarily for a single part of the business. When you have your prioritized information inventory (on an electronic spreadsheet), add three columns to address the kind of protection that each type of information needs. Some information will need protection for confidentiality, some for integrity, and some for availability.
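The prioritized inventory with its three protection columns, worked as an added Python example (not part of the original presentation or the NIST guide); the assets, locations and priorities are constructed sample data:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    """One row of the information inventory spreadsheet."""
    name: str
    location: str          # which computer or server holds it
    priority: int          # 1 = most critical to the business as a whole
    confidentiality: bool  # the three protection columns (C, I, A)
    integrity: bool
    availability: bool

# Constructed sample inventory for a small shop (assumed, not real data).
INVENTORY = [
    Asset("Customer credit card records", "POS-server", 1, True, True, True),
    Asset("Accounting ledger", "office-pc-2", 2, True, True, True),
    Asset("Marketing brochures", "office-pc-1", 4, False, True, False),
    Asset("Employee HR files", "office-pc-2", 2, True, True, False),
    Asset("Public web site content", "hosted-web", 3, False, True, True),
]

def _by_priority(inventory):
    # Ties broken by name so the restore order is stable and reviewable.
    return sorted(inventory, key=lambda a: (a.priority, a.name))

def restore_order(inventory):
    """Information in the order it must be restored after a disaster."""
    return [a.name for a in _by_priority(inventory)]

def systems_to_restore(inventory):
    """Computers/servers in the order their most critical data requires them."""
    order = []
    for a in _by_priority(inventory):
        if a.location not in order:
            order.append(a.location)
    return order

def protection_columns(inventory):
    """The three spreadsheet columns for each type of information."""
    return {a.name: {"C": a.confidentiality, "I": a.integrity, "A": a.availability}
            for a in inventory}

def assets_needing(inventory, need):
    """Names of the assets that need protection for 'C', 'I' or 'A', e.g. what
    must be encrypted on the backup drive (C) or kept on a UPS (A)."""
    field = {"C": "confidentiality", "I": "integrity", "A": "availability"}[need]
    return sorted(a.name for a in inventory if getattr(a, field))

if __name__ == "__main__":
    cols = protection_columns(INVENTORY)
    for name in restore_order(INVENTORY):
        c = cols[name]
        print(f"{name:30} C={c['C']!s:5} I={c['I']!s:5} A={c['A']}")
```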

IDENTIFYING BUSINESS CRITICAL ASSETS

Identifying Business Critical Assets

Actions for The Business Owner To Take

Identify which threats are a danger to your business. Many threats are specific to a geographic area: what is a common threat in your area?
As you read and research your trade/professional publications, take note of the data security issues covered in these publications. Ask yourself: is my business vulnerable to something like this? If so, what have others done that I could copy to protect my business?
As you network with your peers, talk about cyber security issues. Give and get advice, hints, tips, etc.
Make every effort to stay in touch with and on top of every threat or incident that does or could affect your business.
Join InfraGard to get critical information about current threats in your local area (and to act as eyes and ears to help protect our nation!). (www.infragard.net - the membership application form is online; membership is free in most areas of our nation.)

SAFEGUARDING CRITICAL ASSETS

Safeguarding Critical Assets

The absolutely necessary actions that a small business should take to protect its information, systems, and networks.

People
Processes
Technology

Safeguarding Critical Assets

People

People are the weakest link of the three components of Information Security!

Safeguarding Critical Assets

People
1. Control physical access to your computers and network hardware.
   - Do not allow unauthorized persons to have physical access to any of your business PCs.
   - Lock up laptops when they are not in use.
   - Control who has access to your systems and networks; this includes cleaning crews. No one should be able to walk into your office space without being challenged by an employee.
   - Vendors and service persons should provide appropriate identification.
2. Limit employee access to data and information, and limit authority to install software.
   - Employees should not install unauthorized software.
   - Do not give any employee access to all data; give each employee only the access privileges necessary to perform their job.
   - Do not allow a single individual to both initiate and approve a transaction (financial or otherwise).
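The least-privilege and separation-of-duties rules in item 2, as an added Python example that is not from the original presentation; the roles, rights and staff names are constructed, and the "manager" role is deliberately defined with a flaw so the audit function has something to report:

```python
from dataclasses import dataclass, field

# Constructed role model (assumed, not from the presentation): each role gets
# only the rights its job needs. Note that "manager" can both initiate and
# approve refunds; over_privileged() below is there to catch exactly that.
ROLE_RIGHTS = {
    "cashier":    {"pos:sell", "pos:refund:initiate"},
    "manager":    {"pos:sell", "pos:refund:initiate", "pos:refund:approve",
                   "reports:read"},
    "bookkeeper": {"ledger:write", "payment:initiate", "reports:read"},
    "owner":      {"payment:approve", "reports:read", "software:install"},
}

@dataclass
class Employee:
    name: str
    roles: set = field(default_factory=set)

def rights_of(emp):
    """Union of the rights granted by the employee's roles (nothing more)."""
    rights = set()
    for role in emp.roles:
        rights |= ROLE_RIGHTS.get(role, set())
    return rights

def is_allowed(emp, right):
    return right in rights_of(emp)

@dataclass
class Transaction:
    kind: str          # e.g. "payment" or "pos:refund"
    initiated_by: str
    approved_by: str

def check_transaction(tx, staff):
    """Policy violations for a transaction: each person must hold the right
    for their step, and initiator and approver must be different people."""
    problems = []
    initiator = staff.get(tx.initiated_by)
    approver = staff.get(tx.approved_by)
    if initiator is None or not is_allowed(initiator, f"{tx.kind}:initiate"):
        problems.append(f"{tx.initiated_by} may not initiate {tx.kind}")
    if approver is None or not is_allowed(approver, f"{tx.kind}:approve"):
        problems.append(f"{tx.approved_by} may not approve {tx.kind}")
    if tx.initiated_by == tx.approved_by:
        problems.append("same person initiated and approved (separation of duties)")
    return problems

def over_privileged(staff):
    """(employee, transaction kind) pairs where one person's combined roles let
    them both initiate and approve: fix the role assignment before it is used."""
    flagged = []
    for emp in staff.values():
        rights = rights_of(emp)
        kinds = {r.rsplit(":", 1)[0] for r in rights if r.endswith(":initiate")}
        flagged += [(emp.name, k) for k in kinds if f"{k}:approve" in rights]
    return sorted(flagged)

# Constructed staff list (assumed names).
STAFF = {
    "ana": Employee("ana", {"cashier"}),
    "ben": Employee("ben", {"bookkeeper"}),
    "cy":  Employee("cy", {"manager"}),
    "dee": Employee("dee", {"owner"}),
}

if __name__ == "__main__":
    print(check_transaction(Transaction("payment", "ben", "ben"), STAFF))
    print(over_privileged(STAFF))
```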

Safeguarding Critical Assets

Processes

The operational aspects of the small business; these need checks and balances, aka controls.

Safeguarding Critical Assets

Processes
1. Back up important business data and information.
   - Recommended to be done automatically.
   - Backup can be done inexpensively if copied to another hard drive that can hold 52 weeks of backups; 500GB should be sufficient for most businesses.
   - Backups should be performed at a minimum weekly, but better if done daily.
   - A full backup should be performed once a month and taken off site in case of a fire, flood, theft or other disaster.
   - A portable USB drive is recommended; 1000GB.
   - Regularly test your backup data.
2. Train your employees on basic security principles.
   - Employees using any programs containing sensitive information should be trained on how to properly protect it.
   - Employees should review computer usage policies on the 1st day of work.
   - Train them about expectations concerning limited use of telephones, printers and other business resources.
   - After training they should sign a statement that they understand these policies and the penalties for violation of business policies.
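Testing a backup (item 1) by comparing the restored copy against a hash manifest taken at backup time, plus the weekly slot on a 52-week drive and the monthly off-site marker, as an added Python example that is not part of the original presentation; the sample files are constructed inside a temporary folder:

```python
import hashlib
import shutil
import tempfile
from datetime import date
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root. Take this at backup
    time and keep a copy off site with the monthly full backup."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(manifest, restored_root):
    """The 'regularly test your backup data' step: restore to a scratch folder
    and compare it with the manifest, reporting missing and corrupted files."""
    restored = build_manifest(restored_root)
    report = {"ok": [], "missing": [], "corrupted": []}
    for path, digest in sorted(manifest.items()):
        if path not in restored:
            report["missing"].append(path)
        elif restored[path] != digest:
            report["corrupted"].append(path)
        else:
            report["ok"].append(path)
    return report

def backup_slot(day):
    """Folder name on a drive that keeps 52 weeks of history (one ISO week per
    slot, overwritten a year later) and whether this run is the monthly full
    set that goes off site (first backup of the month). Accepts a date or an
    ISO date string such as "2009-10-09"."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    week = day.isocalendar()[1]
    return f"weekly-{week:02d}", day.day == 1

def demo_verify():
    """Constructed run: back up a sample folder, then damage one restored file
    and delete another so the verification has something to find."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "business-data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2009.csv").write_text("date,amount\n2009-10-09,120.00\n")
        (src / "customers.txt").write_text("Alice, Bob, Carol\n")
        (src / "brochure.txt").write_text("Spring sale\n")
        manifest = build_manifest(src)
        slot, _offsite = backup_slot("2009-10-09")
        backup = Path(tmp) / "usb-drive" / slot
        shutil.copytree(src, backup)
        (backup / "ledger" / "2009.csv").write_text("date,amount\n")  # silent corruption
        (backup / "brochure.txt").unlink()                             # file never copied
        return verify_backup(manifest, backup)

if __name__ == "__main__":
    print(demo_verify())
```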

Safeguarding Critical Assets

Processes
3. Require individual user accounts for each employee on business computers and for business applications.
   - Create an account for all individual users and require strong passwords consisting of 8-10 characters in length, made up of random letters, numbers and special characters.
   - To protect information and systems, employees should not operate computers with administrative privileges.
   - Malicious code will gain the same privileges and install itself on a system if the user is using an account with administrative privileges.
   - Passwords should never be shared and should be changed every 3 months.

Safeguarding Critical Assets

Technology
1. Protect information, systems and networks from damage by viruses, spyware, and other malicious code.
   - Install anti-virus software and anti-spyware software on all computer systems.
   - It is recommended to have the anti-virus, anti-spyware and malicious code software update automatically and frequently.
   - Obtain copies for employees' home computers.
2. Provide security for your Internet connection(s).
   - Install an operational firewall between your internal network and the Internet.
   - Ensure that your employees' home PCs have a firewall installed between your/their system(s) and the Internet.
   - Change the administrative password upon installation and regularly thereafter.
   - It is a good idea to change the administrator name too.

Safeguarding Critical Assets

Technology
3. Secure your wireless access points and networks.
   - Change the default administrator password.
   - Set the wireless device to not broadcast its Service Set Identifier (SSID).
   - Recommended encryption is WiFi Protected Access 2 (WPA2) using Advanced Encryption Standard (AES).
   - NOTE: WEP (Wired Equivalent Privacy) is not a good wireless security protocol.
   - It is recommended to configure desktop/server operating systems to update automatically.

Safeguarding Critical Assets

Technology
4. Install and activate software firewalls on all of your business systems.
   - If you use Microsoft Windows XP or higher, it will have a firewall included.
   - Make sure that the firewall is turned on.
   - Ensure that your employees' home PCs have a firewall and that it is turned on as well.
5. Patch your operating systems and applications.
   - Microsoft releases new patches on the second Tuesday of each month, sooner for serious threats.
   - It is recommended to configure systems to update automatically.
   - Ensure employees' home PCs are configured to update automatically as well.
   - If you have many systems, consider purchasing a product that can manage the process for your business.
   - Update Microsoft Office regularly.

HIGHLY RECOMMENDED IT SECURITY PRACTICES

Highly Recommended IT Security Practices!

Business Policies Should Be In Place
Every business needs written policies to identify acceptable practices and expectations for business operations.
Some policies will be related to human resources.
Some will relate to expected employee practices for using business resources, such as telephones, computers, printers, fax machines, and Internet access.
Legal and regulatory requirements may also require certain policies to be put in place and enforced.
Policies for information, computer, network, and Internet security should communicate clearly to employees the expectations that the business management has for appropriate use.

Highly Recommended IT Security Practices!

Business Policies Should Be In Place
These policies should identify those information and other resources which are important to management and should clearly describe how management expects those resources to be used and protected by all employees.
Policies should be communicated clearly to each employee, and all employees should sign a statement agreeing that they have read the policies, that they will follow the policies, and that they understand the possible penalties for violating those policies.
This will help management to hold employees accountable for violation of the business's policies.
There should be penalties for disregarding business policies, and those penalties should be enforced fairly and consistently for everyone in the business who violates the policies of the business.

Highly Recommended IT Security Practices!

Business Policies Should Be In Place

Security concerns about email attachments and emails requesting sensitive information.
Do not open email attachments unless you are expecting the email with the attachment and you trust the sender. If you are not sure why someone sent you an email with attachments or links, call them or email them back asking questions.
Be cautious of emails asking for sensitive personal or financial information, regardless of who the email appears to be from. No responsible business will ask for sensitive information in an email.

Security concerns about web links in email, instant messages, social media, or other means.
Do not click on links in email messages. Recently, scams are in the form of embedded links in emails. Once a recipient clicks on the link, malicious software (for example, keystroke logging software) is installed on the user's computer. Don't do it unless you know what the web link connects to and you trust the person who sent the email to you.

Highly Recommended IT Security Practices!

Business Policies Should Be In Place
Security concerns about popup windows and other hacker tricks.
When connected to and using the Internet, do not respond to popup windows requesting that you click OK for anything.
If a window pops up on your screen informing you that you have a virus or spyware and suggesting that you download an antivirus or antispyware program to take care of it, close the popup window by selecting the X in the upper right corner of the popup window.
Hackers are known to scatter infected USB drives with provocative labels in public places where their target business's employees hang out, knowing that curious individuals will pick them up and take them back to their office system to see what's on them. What is on them is generally malicious code which installs a spy program or remote control program on the computer. Teach your employees not to bring USB drives into the office and plug them into your business computers (or take them home and plug them into their home systems). It is a good idea to disable the AutoRun feature for the USB ports on your business computers to help prevent such malicious programs from running.

Highly Recommended IT Security Practices!

Business Policies Should Be In Place
Security considerations for web surfing.
No one should surf the web using a user account which has administrative privileges.
It is best to set up a special account with guest (limited) privileges to avoid this vulnerability.

Issues in downloading software from the Internet.
Do not download software from any unknown web page.
Only those web pages belonging to businesses with which you have a trusted business relationship should be considered reasonably safe for downloading software. Such trusted sites would include the Microsoft Update web page, where you would get patches and updates for various versions of the Windows operating system and Microsoft Office or other similar software. Most other web pages should be viewed with suspicion.
Be very careful if you decide to use freeware or shareware from a source on the web. Most of these do not come with technical support, and some are deliberately crippled so that you do not have the full functionality you might be led to believe will be provided.

Highly Recommended IT Security Practices!

Business Policies Should Be In Place
Doing online business or banking more securely.
Online business/commerce/banking should only be done using a secure browser connection. This will normally be indicated by a small lock visible in the lower right corner of your web browser window.
After any online commerce or banking session, erase your web browser cache, temporary internet files, cookies, and history so that if your system is compromised, that information will not be on your system to be stolen by the individual hacker or malware program.

Recommended personnel practices in hiring employees.
When hiring new employees, conduct a comprehensive background check before making a job offer.
Ensure that you do criminal background checks on all prospective new employees.
If possible, it is a good idea to do a credit check on prospective employees. This is especially true if they will be handling your business funds. Do your homework: call their references and former employers.
Note: It is also an excellent idea for you, the business owner, to do a background check of yourself. Many people become aware that they are victims of identity theft only after they do a background check on themselves and find arrest records and unusual previous addresses where they never lived.

Highly Recommended IT Security Practices!

Business Policies Should Be In Place

How to protect against Social Engineering.
Social engineering is a personal or electronic attempt to obtain unauthorized information or access to systems/facilities or sensitive areas by manipulating people.
The social engineer researches the organization to learn names, titles, responsibilities, and publicly available personal identification information. Then the social engineer usually calls the organization's receptionist or help desk with a believable, but made-up, story designed to convince the person that the social engineer is someone in, or associated with, the organization and needs information or system access which the organization's employee can provide and will feel obligated to provide.
Train employees to protect against social engineering techniques: employees must be taught to be helpful, but vigilant, when someone calls in for help and asks for information or special system access. The employee must first authenticate the caller by asking for identification information that only a person who is in or associated with the organization would know.
If the individual is not able to provide such information, then the employee should politely, but firmly, refuse to provide what has been requested by the social engineer.
The employee should then notify management of the attempt to obtain information or system access.

Highly Recommended IT Security Practices!

NIST IT Security Fundamentals For Small Business
How to dispose of old computers and media.
When disposing of old business computers, remove the hard disks and destroy them. The destruction can be done by taking apart the disk and beating the hard disk platters with a hammer.
It is very common for small businesses to discard old computers and media without destroying the computers' hard disks or the media. Sensitive business and personal information is regularly found on computers purchased on eBay, at thrift shops, Goodwill, etc., much to the embarrassment of the small businesses involved (and much to the annoyance of customers or employees whose sensitive data is compromised).
Consider using Full Disk Encryption if you handle sensitive data and information.

Information Security Resources for Small Business

Small Business Information Security: The Fundamentals (Security Guide for Small Business)
http://csrc.nist.gov/publications/drafts/ir-7621/draft-nistir-7621.pdf
Small Business Center Documents
http://csrc.nist.gov/groups/SMA/sbc/library.html
InfraGard - FBI Sponsored Cyber Security Program
http://www.infragard.net
Protecting Personal Information
www.ftc.gov/infosecurity
Computer Security Training, Network Research & Resources
www.SANS.org
On Guard Online - Protect Your Personal Information
http://www.onguardonline.gov/

Closing Remarks
Remember the IT Security Triad!
The Information Security Triad is the foundation for Information Security and is based on concepts and principles known as CIA:
Confidentiality
Integrity
Availability

References
Surviving Security: How to Integrate People, Process and Technology, 2nd Edition
http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=27320&TEMPLATE=/ContentManagement/ContentDisplay.cfm
Introduction to the Business Model for Information Security, 2009 ISACA
http://www.isaca.org
Small Business Information Security: The Fundamentals (Security Guide for Small Business)
http://www.nist.gov/cgi-bin//get_pdf.cgi?pub_id=903080
Small Business Center Documents
http://csrc.nist.gov/groups/SMA/sbc/library.html
InterHack - Information Security: Friend or Foe, 2002
http://web.interhack.com/publications/whatis-security.pdf

Contact Information

Julius Clark
Email: Julius.Clark.Sr@gmail.com
Tel: 704-953-379
Blog: www.clarkthoughtleadership.blogspot.com
