Information Security Guidelines for Small and Medium Businesses (SMB)
Hello, Habr! I present to you the translation and adaptation of the article "CIS Controls Implementation Guide for Small- and Medium-Sized Enterprises (SMEs)".


Introduction
Credit card leaks, identity theft, ransomware (such as WannaCry), intellectual property theft, privacy violation, denial of service - these information security incidents have become common news. Among the victims are the largest, wealthiest and most protected enterprises: government agencies, large retail chains, financial institutions, even information security solution manufacturers.
Such companies have multi-million dollar budgets allocated to information security, and yet they cannot cope with conventional attacks. Many of these attacks could have been prevented by well-known information protection methods, such as regular updates and the practice of using secure configurations.
What then should everyone else do? How can organizations with a small budget and limited staff respond to the increasing volume of cybercrime? This document is designed to provide SMB owners with tools to protect their businesses based on the CIS Controls. The CIS Controls are a comprehensive set of well-proven information protection methods that counteract the most common threats and vulnerabilities. These methods of information protection are developed by specialists in the subject field.
Among the threats to SMB are:
Theft of confidential information - a type of attack in which external intruders or dissatisfied employees steal information that is important to the company.
Website defacement - a type of attack in which a page of a website is replaced by another page, most often containing advertisements, threats or warning messages.
Phishing - a type of attack in which an attacker obtains important information (for example, logins, passwords or credit card information) by forging messages from a trusted source (for example, an email that looks legitimate tricks the recipient into clicking on a link that installs malicious software).
Ransomware - a type of malware that blocks access to data on a computer, after which criminals extort a ransom to unlock the locked data.
Loss of data due to natural events or accidents.
The document contains a small subset of the CIS Controls information security measures, specially selected to protect SMBs. Since information security tools are constantly changing, you can contact us on the site and get the latest information.
Overview
Security is closely related to IT infrastructure management: a well-managed network is harder to crack than a poorly managed one. To understand how well your organization is protecting information, ask yourself the following questions:
- Do you know what your employees are connecting to their computers? What devices are connected inside the local network?
- Do you know what software is used in your information systems?
- Did you configure computers to meet information security requirements?
- Do you control the access of employees to confidential information or those who have elevated access rights in systems?
- Do your employees understand their role in protecting your organization from information security threats?
Listed below are a variety of free or low-cost tools, as well as procedures that will help you answer these questions and increase the level of security in your organization. The listed tools are not exhaustive, but they reflect a wide range of available free or low-cost tools that any SMB can use to increase its level of information security.
These Recommendations suggest using a phased approach to building an information security system:
- Stage 1 allows you to understand what is on your network and defines the basic requirements for information security;
- Stage 2 focuses on meeting the basic security requirements and training employees in information security;
- Stage 3 helps your organization prepare for information security incidents.
At each stage, you will be presented with questions that need to be answered, as well as actions and tools that will help achieve your goals.
Stage 1. Know your infrastructure

At the very beginning, to make progress on information security, you need to understand your local network, the connected devices, your critical data and your software. Without a clear understanding of what you need to protect, it will be difficult for you to make sure that you provide an acceptable level of information security.
Key questions to keep in mind:
- Do you know what information you need to protect? Where is the most important information stored on your network?
- Do you know which devices are connected to your network?
- Do you know what software is installed on employee computers?
- Do your system administrators and users use strong passwords?
- Do you know what online resources your employees use (i.e., whether they are working or browsing social networks)?
What information needs to be protected. Where your most important information is stored on your network
You can lose your business if your company's critical data is lost, stolen or damaged. Accidental events and natural disasters can also potentially cause permanent damage. In addition, potential attackers target data that may be of value to them. These attackers can be either external hackers or employees of your company who want to steal your customers, financial information or intellectual property. To use valuable information, they must get access to it, and as a rule they get that access through the organization's local network.
To protect your business, you need to understand the value of your data and how it can be used. It is also necessary to determine what information needs to be protected under the law, for example, payment information or personal data. The following are examples of data that you need to identify and inventory:
- Credit cards, banking and financial information;
- Personal data;
- Customer databases, purchase / supply prices;
- Company trade secrets, formulas, methodologies, models, intellectual property.
The main federal laws are also presented that determine the requirements for the protection of information (which may apply to SMB) [from the translator: documents are inserted subject to Russian law] :
- Federal Law of July 27, 2006 N 152-ФЗ "On Personal Data";
- Federal Law of June 27, 2011 N 161-ФЗ "On the National Payment System";
- Federal Law of November 21, 2011 N 323-ФЗ "On the Basics of Protecting the Health of Citizens in the Russian Federation";
- Federal Law of November 29, 2010 N 326-ФЗ "On Compulsory Health Insurance in the Russian Federation";
- Federal Law of July 27, 2006 N 149-ФЗ "On Information, Information Technologies and Information Protection";
- Federal Law of July 29, 2004 N 98-ФЗ "On Commercial Secret".
What devices are connected to your network
If you know which devices are connected to your network, then your infrastructure becomes easier to manage, and you understand which devices need to be protected. Below are the steps you can take to learn about devices on your network.
Actions:
- If you have a wireless network, check on your router (wireless access controller) which devices are connected and whether strong encryption (WPA2) is used.
- Larger organizations are encouraged to use a network scanner (commercial or free) to identify all devices on your network.
- Enable logging of events related to the connection of network devices that receive an IP address via DHCP. Logging of such events will provide convenient tracking of all devices that were on your network. (If you need help, contact your IT professional.)
- In small organizations, you can keep a list of your equipment (computers, servers, laptops, printers, telephones, etc.) and a list of protected information in a spreadsheet that needs to be updated when new equipment or data appears.
Instruments:
- Nmap: a well-known multi-purpose network scanner used by system administrators and hackers around the world to determine which devices are connected to your network;
- Zenmap: a user-friendly GUI for Nmap;
- Spiceworks: free inventory and resource management software (devices and installed software) for your network.
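One way to act on the DHCP-logging and spreadsheet-inventory steps above, as an added example that is not part of the CIS guide or this translation: it parses dnsmasq-style lease records (a constructed sample) and flags devices that received an address but are absent from the inventory CSV, or whose hostname differs from the inventory. The lease format and the inventory column names are assumptions.

```python
"""Reconcile DHCP leases with an asset inventory (added example, not from the CIS guide).

Assumes dnsmasq-style lease records (one per line: expiry, MAC, IP, hostname,
client-id) and an inventory CSV with columns mac,hostname,owner. Both inputs
below are constructed samples; the column names are an assumption.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample leases: a known laptop, a known printer and an unknown phone.
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:dd:ee:01 192.168.1.10 acct-laptop 01:aa:bb:cc:dd:ee:01
1700000000 aa:bb:cc:dd:ee:02 192.168.1.11 printer-1 *
1700000000 aa:bb:cc:dd:ee:99 192.168.1.57 android-3f2a 01:aa:bb:cc:dd:ee:99
"""

# Constructed inventory spreadsheet export; MACs may be written in any common style.
SAMPLE_INVENTORY = """\
mac,hostname,owner
AA-BB-CC-DD-EE-01,accounting-pc,Finance
aa:bb:cc:dd:ee:02,printer-1,Office
"""


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


def normalize_mac(mac: str) -> str:
    """Canonicalise aa:bb:..., AA-BB-... or aabb.ccdd.eeff to lower-case colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_dnsmasq_leases(text: str) -> list[Lease]:
    """Parse dnsmasq lease lines; blank or truncated lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(normalize_mac(parts[1]), parts[2], parts[3]))
    return leases


def load_inventory(csv_text: str) -> dict[str, dict[str, str]]:
    """Index inventory rows by normalised MAC so lookups ignore formatting differences."""
    return {normalize_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(csv_text))}


def find_unknown_devices(leases: list[Lease], inventory: dict[str, dict[str, str]]):
    """Return (leases not in the inventory, leases whose hostname differs from the inventory)."""
    unknown, mismatched = [], []
    for lease in leases:
        record = inventory.get(lease.mac)
        if record is None:
            unknown.append(lease)
        elif record["hostname"] != lease.hostname:
            mismatched.append((lease, record["hostname"]))
    return unknown, mismatched


if __name__ == "__main__":
    unknown, mismatched = find_unknown_devices(
        parse_dnsmasq_leases(SAMPLE_LEASES), load_inventory(SAMPLE_INVENTORY))
    for lease in unknown:
        print(f"UNKNOWN device {lease.mac} ({lease.hostname}) got {lease.ip}: investigate")
    for lease, expected in mismatched:
        print(f"REVIEW {lease.mac}: lease hostname {lease.hostname!r}, inventory says {expected!r}")
```

Run it against the real lease file and inventory export on a schedule; an unknown MAC is the signal to find the device and either add it to the inventory or remove it from the network.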
What software is installed on employee computers
Monitoring installed software is a key component of both good IT management and effective information security. Malicious software on your network can create risks that must be minimized, and legal liability for using unlicensed software can also be attributed here. Non-updated software is a common cause of malware penetration that leads to attacks on your information systems. If you understand what software is installed on your network, control the installed software and protect accounts with administrator rights, then you reduce the likelihood and impact of information security incidents.
Actions:
- Create a list of the applications, web services and cloud solutions that your organization uses.
- Limit the number of users with administrator privileges to the minimum possible. Do not allow ordinary users to work in the system with administrator rights.
- Use complex passwords for administrative accounts, as administrators can make major changes to the system. Develop instructions for employees on creating complex passwords [from the translator: an example of creating a complex password is here].
- Make sure that system administrators use a separate, non-administrative user account to read email, access the Internet and write documents.
- Develop a procedure for installing software on your network and prohibit the installation of unapproved applications using, for example, AppLocker.
Instruments:
- AppLocker: a free Microsoft Windows tool for identifying and restricting the software that is allowed to run;
- Netwrix: many free tools to identify administrative access information on your systems;
- OpenAudIT: software inventory on servers, workstations and network devices.
Stage 2. Protect your assets

Employees are your most important asset, and this saying is true not only in business, but also in information security. Protecting your information requires not only technological solutions, but also employee awareness, so that they do not accidentally disrupt your systems. This phase describes not only the protection of your computers, but also the training of your employees in important aspects of information security.
A few questions you need to answer:
- Did you configure computers to meet information security requirements?
- Does your network have antivirus software that is constantly updated?
- Do you tell your employees about modern methods of information security?
Configure basic information security requirements
To gain access to your information system, malicious programs and attackers most often use either insecurely configured applications or applications with vulnerabilities. You need to make sure that your operating system and applications (especially web browsers) are up to date and properly configured. In addition, it is recommended that you use the anti-malware mechanisms built into your operating system, for example Windows Device Guard, Windows BitLocker and the others mentioned below.
Actions:
- Periodically run the Microsoft Baseline Security Analyzer to determine which patches / updates are not installed for the Windows operating system and what configuration changes need to be made;
- Make sure your browser and plugins are up to date. Try using browsers that automatically update their components, such as Google Chrome [from the translator: Yandex.Browser may be a Russian analogue];
- Use an antivirus with the latest anti-virus database updates to protect systems from malware;
- Limit the use of removable media (USB, CD, DVD) to those employees who really need it to perform their official duties;
- Install the Enhanced Mitigation Experience Toolkit (EMET) on Windows computers to protect against the exploitation of software vulnerabilities;
- Require multi-factor authentication where possible, especially for remote access to the internal network or email. For example, use secure tokens / smart cards or SMS messages with codes as an additional layer of security in addition to passwords;
- Change the default passwords for all applications, operating systems, routers, firewalls, wireless access points, printers / scanners and other devices when adding them to the network;
- Use encryption to securely manage your devices remotely and to transmit sensitive information;
- Encrypt the hard drives of laptops and mobile devices that contain sensitive information.
Instruments:
- BitLocker: built-in encryption for Microsoft Windows devices;
- FileVault: built-in encryption for Mac devices;
- Qualys BrowserCheck: a tool to check that your browser has the latest updates;
- OpenVAS: a tool for checking systems for compliance with basic information security requirements;
- Microsoft Baseline Security Analyzer: a free Microsoft tool for understanding how Windows computers can be securely configured;
- CIS Benchmarks: free PDF files that provide secure configurations for more than 100 technologies.
Development of IS processes
Information security is a story not only about technology, but also about processes and people. It is not enough to have only information security tools. To ensure the security of your organization, your employees must also strictly comply with information security requirements. There are two key factors in teaching your employees about information security: conveying the information to them, and constantly maintaining their level of knowledge.
Information to be communicated to employees:
- Identify employees in your organization who have access to or process sensitive information, and make sure they understand their role in protecting this information.
- The two most common attacks are email and phone phishing attacks. Make sure your staff can describe and identify the main signs of an attack. Such signs may include situations where people speak of great urgency, ask for valuable or confidential information, use obscure or technical terms, ask to ignore or bypass security procedures.
- Employees need to understand that common sense is the best defense. If what is happening seems strange, suspicious, or too good to be true, these are most likely signs of an attack.
- Encourage the use of complex, unique passwords for each account and / or two-factor authentication where possible.
- Encourage your colleagues to use “screen lock” on their mobile devices.
- Make sure all employees are constantly updating their devices and software.
Support knowledge level:
- Explain to your employees how to protect your organization and how these methods can be applied in their personal lives, make sure that they understand this;
- Make sure all employees understand that information security is an important part of their work.
- Distribute free information security material to your employees, such as the SANS OUCH! newsletter and the MS-ISAC Monthly Newsletters.
- Use online resources such as StaySafeOnline.org of the National Cybersecurity Alliance.
Instruments:
- SANS OUCH! Newsletter, video of the month, daily tips and posters;
- MS-ISAC Monthly Newsletters;
- Staysafeonline.com;
- Safe-surf.ru [from the translator: Russian counterpart].
Stage 3. Prepare your organization

Once your organization has developed a solid foundation on information security, you must build incident response mechanisms. This approach includes an understanding of how to deal with an information security incident and how to restore a company after it.
Key issues:
- Do you know when the last time you backed up your valuable files?
- Do you regularly check your backups?
- Do you know which of your colleagues to contact if an incident occurs?
Backup management
Creating and managing backups can be a routine and not very interesting task; however, it is one of the best ways to protect your data, recover from a failure and return your business to normal. This is important because ransomware can encrypt all your data and block it until the ransom is paid. A robust response plan, complemented by current and maintained backups, is the best defense when dealing with an information security incident.
Actions:
- Automatically perform weekly backups of all computers containing important information;
- Periodically check your backups, restoring the system using a backup;
- Make sure that at least one backup copy is not accessible over the network. This helps protect against ransomware attacks, since that backup copy will not be reachable by the malicious software.
Instruments:
- Microsoft Backup and Restore: a backup utility built into the Microsoft operating system;
- Apple Time Machine: a backup tool installed in Apple operating systems;
- Amanda Network Backup: a free, open-source backup tool;
- Bacula: an open-source network backup and recovery solution.
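To make the "periodically check your backups by restoring" step concrete, an added example that is not from the CIS guide or from any of the tools listed above: it hashes a constructed backup into a manifest, performs a test restore, and reports files that are missing or altered in the restored copy, as well as a backup older than the weekly schedule. The MANIFEST.json format and the directory-copy backup layout are assumptions.

```python
"""Verify a backup by test restore and manifest check (added example, not from the CIS guide).

Assumes backups are plain directory copies and that a MANIFEST.json with the
SHA-256 of every file and the backup time is written when the backup is taken.
The sample data is constructed inside a temporary directory.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

WEEK_SECONDS = 7 * 86400


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, created_at: float) -> Path:
    """Record the hash of every file in the backup and when it was taken."""
    files = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    manifest = backup_dir / "MANIFEST.json"
    manifest.write_text(json.dumps({"created_at": created_at, "files": files}))
    return manifest


def verify_restore(restored_dir: Path, manifest_path: Path, now: float,
                   max_age: float = WEEK_SECONDS) -> dict:
    """Hash the restored files against the manifest and check that the backup is not
    older than the weekly schedule. A missing or altered file means the restore is unusable."""
    manifest = json.loads(manifest_path.read_text())
    missing, corrupted = [], []
    for rel, expected in manifest["files"].items():
        p = restored_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            corrupted.append(rel)
    stale = now - manifest["created_at"] > max_age
    return {"missing": missing, "corrupted": corrupted, "stale": stale,
            "ok": not (missing or corrupted or stale)}


def demo(damage: bool) -> dict:
    """Build a constructed backup taken two days ago, restore it, optionally damage
    the restored copy (one file truncated, one deleted), and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "backup")
        (backup / "contracts").mkdir(parents=True)
        (backup / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (backup / "contracts" / "a.txt").write_text("contract A")
        manifest = write_manifest(backup, created_at=time.time() - 2 * 86400)
        restored = Path(tmp, "restored")
        shutil.copytree(backup, restored)
        if damage:
            (restored / "ledger.csv").write_text("date,amount\n")
            (restored / "contracts" / "a.txt").unlink()
        return verify_restore(restored, manifest, now=time.time())


if __name__ == "__main__":
    print("clean restore:", demo(damage=False))
    print("damaged restore:", demo(damage=True))
```

Keep the manifest with the offline copy as well, so a restore from the copy that ransomware could not reach can be checked the same way.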
Preparing for an incident
No one wants an information security incident to happen, but the better prepared you are, the faster you can recover from one. Information security incidents include a denial of service attack that disrupts access to your site, a ransomware attack that blocks your system or your data, a malware attack that leads to the loss of your customers' or employees' data, and the theft of a laptop containing unencrypted data.
To be prepared, you need to know who to contact in case of an incident. You can ask your internal IT staff for help, or maybe you rely on a third-party incident management company. In any case, you should know the roles of those responsible for managing incidents before the event occurs.
Actions:
- Identify your organization’s employees who will make decisions and provide guidance in the event of an incident.
- Provide contact information for IT staff and / or third parties.
- Join associations that focus on sharing information and promoting information security.
- Keep a list of external contacts as part of your plan. These may include legal counsel, insurance agents (if you have insured your information security risks) and security consultants.
- Familiarize yourself with the laws related to information security breaches in your country.
What to do if an incident occurs:
- Consider engaging an information security consultant if the nature and scope of the incident are unclear to you.
- Consider engaging a lawyer if it turns out that confidential third-party information was compromised in the incident.
- Prepare to notify all affected persons whose information was disclosed as a result of the breach.
- Inform law enforcement as necessary.