network security - what every business needs to know

Upload: mapletronics

Post on 19-Jul-2015

TRANSCRIPT

Page 1: Network Security - What Every Business Needs to Know

Network Security: WHAT EVERY BUSINESS OWNER NEEDS TO KNOW

Page 2: Network Security - What Every Business Needs to Know

“There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.” - FBI Director James Comey

Page 3: Network Security - What Every Business Needs to Know

The dam has broken for small companies when it comes to security. Jeremy Grant, an adviser at the Department of Commerce’s National Institute of Standards and Technology, says in the past two years he has seen "a relatively sharp increase in hackers and adversaries targeting small businesses."

According to the security company Symantec, cyberattacks on small businesses rose 300 percent in 2012 from the previous year.

INC. MAGAZINE, JANUARY 2014

Page 4: Network Security - What Every Business Needs to Know

www.digitalattackmap.com

Page 5: Network Security - What Every Business Needs to Know

New York Times

Plus many more!

Page 6: Network Security - What Every Business Needs to Know
Page 7: Network Security - What Every Business Needs to Know
Page 8: Network Security - What Every Business Needs to Know

Cyber Security can feel overwhelming

Page 9: Network Security - What Every Business Needs to Know

Our objective today is to empower you to do something

Page 10: Network Security - What Every Business Needs to Know

Items to cover today

1. Why would a hacker target your business?

2. What Data should you protect?

3. Avoiding Security Negligence

4. What can I do to protect my company?

Page 11: Network Security - What Every Business Needs to Know

What do Hackers attack?

Cause Disruption

Personal Information

Banking information

Access

Gateway to bigger fish

Ransom

Intellectual Property

Page 12: Network Security - What Every Business Needs to Know

Personal Information

Free Credit!

SSN of kids

Driver's license numbers

Social Security numbers

Page 13: Network Security - What Every Business Needs to Know

Ransom

Typically comes through email

Encrypts drives, even network drives

Demands a ransom to decrypt your data

- typically have just a few days

- typically hundreds of dollars

Sometimes will give you a “sample” to prove they have integrity

CryptoLocker, TorrentLocker, CryptoFortress …

Page 14: Network Security - What Every Business Needs to Know

To Cause Disruption

Questions to consider

1. If you no longer had access to your company data how long would you be able to function as a business?

2. How long until it becomes really painful?

3. How many past employees would cause you harm if given the chance?

Page 15: Network Security - What Every Business Needs to Know

What data should I secure?

Any data that if no longer available would disrupt your business

Any personal information

Data with liability under compliance laws (PCI, HIPAA …)

Intellectual property

Page 16: Network Security - What Every Business Needs to Know

Where is your data?

Company data

Local drives

Smart phones

Personal devices

Tablets

The Cloud

Page 17: Network Security - What Every Business Needs to Know

Avoid Security Negligence

Failure to use reasonable care, resulting in damage or injury to another.

Page 18: Network Security - What Every Business Needs to Know

Indiana Law

The Office of the Indiana Attorney General is committed to enforcing the Disclosure of Security Breach law to better protect Hoosiers from identity theft. This law requires Indiana businesses to inform their customers about security breaches that have placed their personal information in jeopardy. The Office can seek up to $150,000 for data breaches that have not been properly disclosed to Indiana customers.

http://www.in.gov/attorneygeneral/2410.htm

What if I have a breach?

Page 19: Network Security - What Every Business Needs to Know

Avoid Security Negligence

1. Protect your data to the best of your ability

2. Consider an outside evaluation

3. Review and update plans and policies frequently

4. Consider data breach insurance

Failure to use reasonable care, resulting in damage or injury to another.

Page 20: Network Security - What Every Business Needs to Know

What can I do to protect my company?

Level 4 – Data breach could potentially harm lives; security breach simply must not happen

Level 3 – Personal/identity, compliance, intellectual property – i.e. account information, credit card or social security numbers, HIPAA, PCI, Sarbanes-Oxley, etc.

Level 2 – Some sensitive data but not related to health, personal info, or credit card info

Level 1 – No sensitive data

Page 21: Network Security - What Every Business Needs to Know

Detection Prevention

Page 22: Network Security - What Every Business Needs to Know

User Policy

Perimeter

End Point

Access

Page 23: Network Security - What Every Business Needs to Know

Access

1. All patches, especially security patches, must be up to date on your server.

2. Access policy enforcement – set up employee access to only those areas where they should have access and restrict the rest.

3. Password policy enforcement – server access should be set to follow your policy. Note the guideline in the handouts.

4. Centralized Data – keep as much data in one central location as possible for better control.

5. Business continuity plan – create a plan, test and review regularly.

Page 24: Network Security - What Every Business Needs to Know

End Point

1. Good anti-virus program

◦ Example: ESET

2. Anti-malware program

◦ Example: Malwarebytes

3. Patching – all software, especially the operating system, should have all patches up to date.

4. Restrict ability to install software to Admin only

What I use to get to my data

Page 25: Network Security - What Every Business Needs to Know

Perimeter

Firewall

◦ Restricted or monitored Internet access

◦ Another layer of anti-malware and anti-virus at the gateway

Wireless access points

◦ Public access separated from private access

Cable access

◦ Every cable goes somewhere

Create a barrier from outside access

Page 26: Network Security - What Every Business Needs to Know

Policy and Procedures

1. Use Policy

2. PC/Laptop Policy

3. BYOD (bring your own device) Policy

4. Password policy

Create and enforce

Page 27: Network Security - What Every Business Needs to Know

Policy and Procedures

1. New user procedure

2. Terminated user procedure

◦ Employee

◦ Leader

◦ IT employee or company

3. Hardware disposal procedure

4. Hardware refresh guideline

Create and follow

Page 28: Network Security - What Every Business Needs to Know

Summary

1. Access – Secure your data and limit access

2. End Point – Protect yourself from users

3. Perimeter – Establish a barrier from the rest of the world

4. Policy and Procedures – this allows for the beginning of education.

5. Review and update regularly

Page 29: Network Security - What Every Business Needs to Know

Questions