





































Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Keeping security software up to date and patching your computers regularly will make it more difficult for this type of malware to infiltrate your network. 6.
Typology: Study notes
1 / 45
This page cannot be seen from the preview
Don't miss anything!






































Table of Contents
Thank you for using the FCC’s Small Biz Cyber Planner, a tool for small businesses to create customized cyber security planning guides. Businesses large and small need to do more to protect against growing cyber threats. As larger companies take steps to secure their systems, less secure small businesses are easier targets for cyber criminals.
This planning guide is designed to meet the specific needs of your company, using the FCC’s customizable Small Biz Cyber Planner tool. The tool is designed for businesses that lack the resources to hire dedicated staff to protect their business, information and customers from cyber threats. Even a business with one computer or one credit card terminal can benefit from this important tool. We generally recommend that businesses using more sophisticated networks with dozens of computers consult a cyber security expert in addition to using the cyber planner. The FCC provides no warranties with respect to the guidance provided by this tool and is not responsible for any harm that might occur as a result of or in spite of its use.
The guidance was developed by the FCC with input from public and private sector partners, including the Department of Homeland Security, the National Cybersecurity Alliance and The Chamber of Commerce.
Section Page #s
Privacy and Data Security PDS-1 - PDS-
Scams and Fraud SF-1 - SF-
Network Security NS-1 - NS-
Website Security WS-1 - WS-
Email E-1 - E-
Mobile Devices MD-1 - MD-
Employees EMP-1 - EMP-
Facility Security FS-1 - FS-
Operational Security OS-1 - OS-
Payment Cards PC-1 - PC-
Incident Response and Reporting IRR-1 - IRR-
Policy Development, Management PDM-1 - PDM-
Cyber Security Glossary CSG-1 - CSG-
Cyber Security Links CSL-1 - CSL-
F C C S M A L L B I Z C Y B E R P L A N N I N G G U I D E
Social networking applications present a number of risks that are difficult to address using technical or procedural solutions. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers. At a minimum, a social media policy should clearly include the following:
Lastly, all users of social media need to be aware of the risks associated with social networking tools and the types of data that can be automatically disclosed online when using social media. Taking the time to educate your employees on the potential pitfalls of social media use, especially in tandem with geo-location services, may be the most beneficial social networking security practice of all.
4. Identify potential reputation risks
All organizations should take the time to identify potential risks to their reputation and develop a strategy to mitigate those risks via policies or other measures as available. Specific types of reputation risks include:
All businesses should set a policy for managing these types of risks and plans to address such incidents if and when they occur. Such a policy should cover a regular process for identifying potential risks to the company’s reputation in cyberspace, practical measures to prevent those risks from materializing and reference plans to respond and recover from potential incidents as soon as they occur.
Helpful links
3. Establish a social media policy
Scams and Fraud
New telecommunication technologies may offer countless opportunities for small businesses, but they also offer cyber criminals many new ways to victimize your business, scam your customers and hurt your reputation. Businesses of all sizes should be aware of the most common scams perpetrated online.
Cyber Plan Action Items:
1. Train employees to recognize social engineering
Social engineering, also known as "pretexting," is used by many criminals, both online and off, to trick unsuspecting people into giving away their personal information and/or installing malicious software onto their computers, devices or networks. Social engineering is successful because the bad guys are doing their best to make their work look and sound legitimate, sometimes even helpful, which makes it easier to deceive users.
Most offline social engineering occurs over the telephone, but it frequently occurs online, as well. Information gathered from social networks or posted on websites can be enough to create a convincing ruse to trick your employees. For example, LinkedIn profiles, Facebook posts and Twitter messages can allow a criminal to assemble detailed dossiers on employees. Teaching people the risks involved in sharing personal or business details on the Internet can help you partner with your staff to prevent both personal and organizational losses.
Many criminals use social engineering tactics to get individuals to voluntarily install malicious computer software such as fake antivirus, thinking they are doing something that will help make them more secure. Users who are tricked into loading malicious programs on their computers may be providing remote control capabilities to an attacker, unwittingly installing software that can steal financial information or simply try to sell them fake security software.
2. Protect against online fraud
Online fraud takes on many guises that can impact everyone, including small businesses and their employees. It is helpful to maintain consistent and predictable online messaging when communicating with your customers to prevent others from impersonating your company.
Be sure to never request personal information or account details through email, social networking or other online messages. Let your customers know you will never request this kind of information through such channels and instruct them to contact you directly should they have any concerns.
3. Protect against phishing
Phishing is the technique used by online criminals to trick people into thinking they are dealing with a trusted website or other entity. Small businesses face this threat from two directions -- phishers may be impersonating them to take advantage of unsuspecting customers, and phishers may be trying to steal their employees’ online credentials.
Businesses should ensure that their online communications never ask their customers to submit sensitive information via email. Make a clear statement in your communications reinforcing that you will never ask for personal information via email so that if someone targets your customers, they may realize the request is a scam.
Employee awareness is your best defense against your users being tricked into handing over their usernames and passwords to cyber criminals. Explain to everyone that they should never respond to incoming messages requesting private information. Also, to avoid being led to a fake site, they should know to never click on a link sent by email from an untrustworthy source. Employees needing to access a website link sent from a questionable source should open an Internet browser window and manually type in the site’s web address to make sure the emailed link is not maliciously redirecting to a dangerous site.
F C C S M A L L B I Z C Y B E R P L A N N I N G G U I D E
Helpful links
Network Security
Securing your company’s network consists of: (1) identifying all devices and connections on the network; (2) setting boundaries between your company’s systems and others; and (3) enforcing controls to ensure that unauthorized access, misuse, or denial-of-service events can be thwarted or rapidly contained and recovered from if they do occur.
Cyber Plan Action Items:
1. Secure internal network and cloud services
Your company’s network should be separated from the public Internet by strong user authentication mechanisms and policy enforcement systems such as firewalls and web filtering proxies. Additional monitoring and security solutions, such as anti-virus software and intrusion detection systems, should also be employed to identify and stop malicious code or unauthorized access attempts.
Internal network
After identifying the boundary points on your company’s network, each boundary should be evaluated to determine what types of security controls are necessary and how they can be best deployed. Border routers should be configured to only route traffic to and from your company’s public IP addresses, firewalls should be deployed to restrict traffic only to and from the minimum set of necessary services, and intrusion prevention systems should be configured to monitor for suspicious activity crossing your network perimeter. In order to prevent bottlenecks, all security systems you deploy to your company’s network perimeter should be capable of handling the bandwidth that your carrier provides.
Cloud based services
Carefully consult your terms of service with all cloud service providers to ensure that your company’s information and activities are protected with the same degree of security you would intend to provide on your own. Request security and auditing from your cloud service providers as applicable to your company’s needs and concerns. Review and understand service level agreements, or SLAs, for system restoration and reconstitution time.
You should also inquire about additional services a cloud service can provide. These services may include backup- and-restore services and encryption services, which may be very attractive to small businesses.
2. Develop strong password policies
Generally speaking, two-factor authentication methods, which require two types of evidence that you are who you claim to be, are safer than using just static passwords for authentication. One common example is a personal security token that displays changing passcodes to be used in conjunction with an established password. However, two-factor systems may not always be possible or practical for your company.
Password policies should encourage your employees to employ the strongest passwords possible without creating the need or temptation to reuse passwords or write them down. That means passwords that are random, complex and long (at least 10 characters), that are changed regularly, and that are closely guarded by those who know them.
3. Secure and encrypt your company’s Wi-Fi
Wireless access control
Your company may choose to operate a Wireless Local Area Network (WLAN) for the use of customers, guests and visitors. If so, it is important that such a WLAN be kept separate from the main company network so that traffic from the public network cannot traverse the company’s internal systems at any point.
Website Security
Website security is more important than ever.
Web servers, which host the data and other content available to your customers on the Internet, are often the most targeted and attacked components of a company’s network. Cyber criminals are constantly looking for improperly secured websites to attack, while many customers say website security is a top consideration when they choose to shop online. As a result, it is essential to secure servers and the network infrastructure that supports them. The consequences of a security breach are great: loss of revenues, damage to credibility, legal liability and loss of customer trust.
The following are examples of specific security threats to web servers:
Cyber Plan Action Items:
1. Carefully plan and address the security aspects of the deployment of a
public web server.
Because it is much more difficult to address security once deployment and implementation have occurred, security should be considered from the initial planning stage. Businesses are more likely to make decisions about configuring computers appropriately and consistently when they develop and use a detailed, well-designed deployment plan. Developing such a plan will support web server administrators in making the inevitable tradeoff decisions between usability, performance and risk.
Businesses also need to consider the human resource requirements for the deployment and continued operation of the web server and supporting infrastructure. The following points in a deployment plan:
F C C S M A L L B I Z C Y B E R P L A N N I N G G U I D E
2. Implement appropriate security management practices and controls when
maintaining and operating a secure web server.
Appropriate management practices are essential to operating and maintaining a secure web server. Security practices include the identification of your company’s information system assets and the development, documentation and implementation of policies, and guidelines to help ensure the confidentiality, integrity and availability of information system resources. The following practices and controls are recommended:
security requirements.
The first step in securing a web server is securing the underlying operating system. Most commonly available web servers operate on a general-purpose operating system. Many security issues can be avoided if the operating systems underlying web servers are configured appropriately. Default hardware and software configurations are typically set by manufacturers to emphasize features, functions and ease of use at the expense of security. Because manufacturers are not aware of each organization’s security needs, each web server administrator must configure new servers to reflect their business’ security requirements and reconfigure them as those requirements change. Using security configuration guides or checklists can assist administrators in securing systems consistently and efficiently. Initially securing an operating system initially generally includes the following steps:
requirements.
In many respects, the secure installation and configuration of the web server application will mirror the operating system process discussed above. The overarching principle is to install the minimal amount of web server services required and eliminate any known vulnerabilities through patches or upgrades. If the installation program installs any unnecessary applications, services or scripts, they should be removed immediately after the installation process concludes. Securing the web server application generally includes the following steps:
F C C S M A L L B I Z C Y B E R P L A N N I N G G U I D E
protocol (HTTP) content and, more recently, extensible markup language (XML) content. Different active content technologies pose different related vulnerabilities, and their risks should be weighed against their benefits. Although most websites use some form of active content generators, many also deliver some or all of their content in a static form.
8. Use authentication and cryptographic technologies as appropriate to
protect certain types of sensitive data.
Public web servers often support technologies for identifying and authenticating users with differing privileges for accessing information. Some of these technologies are based on cryptographic functions that can provide a secure channel between a web browser client and a web server that supports encryption. Web servers may be configured to use different cryptographic algorithms, providing varying levels of security and performance.
Without proper user authentication in place, businesses cannot selectively restrict access to specific information. All information that resides on a public web server is then accessible by anyone with access to the server. In addition, without some process to authenticate the server, users of the public web server will not be able to determine whether the server is the “authentic” web server or a counterfeit version operated by a cyber criminal.
Even with an encrypted channel and an authentication mechanism, it is possible that attackers may attempt to access the site by brute force. Improper authentication techniques can allow attackers to gather valid usernames or potentially gain access to the website. Strong authentication mechanisms can also protect against phishing attacks, in which hackers may trick users into providing their personal credentials, and pharming, in which traffic to a legitimate website may be redirected to an illegitimate one. An appropriate level of authentication should be implemented based on the sensitivity of the web server’s users and content.
9. Employ network infrastructure to help protect public web servers.
The network infrastructure (e.g., firewalls, routers, intrusion detection systems) that supports the web server plays a critical security role. In most configurations, the network infrastructure will be the first line of defense between a public web server and the Internet. Network design alone, though, cannot protect a web server. The frequency, sophistication and variety of web server attacks perpetrated today support the idea that web server security must be implemented through layered and diverse protection mechanisms, an approach sometimes referred to as “defense-in- depth.”
10. Commit to an ongoing process of maintaining web server security.
Maintaining a secure web server requires constant effort, resources and vigilance. Securely administering a web server on a daily basis is essential. Maintaining the security of a web server will usually involve the following steps:
Email has become a critical part of our everyday business, from internal management to direct customer support. The benefits associated with email as a primary business tool far outweigh the negatives. However, businesses must be mindful that a successful email platform starts with basic principles of email security to ensure the privacy and protection of customer and business information.
Cyber Plan Action Items:
1. Set up a spam email filter
It has been well documented that spam, phishing attempts and otherwise unsolicited and unwelcome email often accounts for more than 60 percent of all email that an individual or business receives. Email is the primary method for spreading viruses and malware and it is one of the easiest to defend against. Consider using email-filtering services that your email service, hosting provider or other cloud providers offer. A local email filter application is also an important component of a solid antivirus strategy. Ensure that automatic updates are enabled on your email application, email filter and anti-virus programs. Ensure that filters are reviewed regularly so that important email and/or domains are not blocked in error.
2. Train your employees in responsible email usage
The last line of defense for all of your cyber risk efforts lies with the employees who use tools such as email and their responsible and appropriate use and management of the information under their control. Technology alone cannot make a business secure. Employees must be trained to identify risks associated with email use, how and when to use email appropriate to their work, and when to seek assistance of professionals. Employee awareness training is available in many forms, including printed media, videos and online training.
Consider requiring security awareness training for all new employees and refresher courses every year. Simple efforts such as monthly newsletters, urgent bulletins when new viruses are detected, and even posters in common areas to remind your employees of key security and privacy to-do’s create a work environment that is educated in protecting your business.
3. Protect sensitive information sent via email
With its proliferation as a primary tool to communicate internally and externally, business email often includes sensitive information. Whether it is company information that could harm your business or regulated data such as personal health information (PHI) or personally identifiable information (PII), it is important to ensure that such information is only sent and accessed by those who are entitled to see it.
Since email in its native form is not designed to be secure, incidents of misaddressing or other common accidental forwarding can lead to data leakage. Businesses that handle this type of information should consider whether such information should be sent via email, or at least consider using email encryption. Encryption is the process of converting data into unreadable format to prevent disclosure to unauthorized personnel. Only individuals or organizations with access to the encryption key can read the information. Other cloud services offer “Secure Web Enabled Drop Boxes” that enable secure data transfer for sensitive information, which is often a better approach to transmitting between companies or customers.
4. Set a sensible email retention policy
Another important consideration is the management of email that resides on company messaging systems and your users’ computers. From the cost of storage and backup to legal and regulatory requirements, companies should document how they will handle email retention and implement basic controls to help them attain those standards. Many industries have specific rules that dictate how long emails can or should be retained, but the basic rule of
Mobile Devices
If your company uses mobile devices to conduct company business, such as accessing company email or sensitive data, pay close attention to mobile security and the potential threats that can expose and compromise your overall business networks. This section describes the mobile threat environment and the practices that small businesses can use to help secure devices such as smartphones, tablets and Wi-Fi enabled laptops.
Many organizations are finding that employees are most productive when using mobile devices, and the benefits are too great to ignore. But while mobility can increase workplace productivity, allowing employees to bring their own mobile devices into the enterprise can create significant security and management challenges.
Data loss and data breaches caused by lost or stolen phones create big challenges, as mobile devices are now used to store confidential business information and access the corporate network. According to a December 2010 Symantec mobile security survey, 68 percent of respondents ranked loss or theft as their top mobile-device security concern, while 56 percent said mobile malware is their number two concern. It is important to remember that while the individual employee may be liable for a device, the company is still liable for the data.
Top threats targeting mobile devices
Cyber Plan Action Items:
A few simple steps can to help ensure company information is protected. These include requiring all mobile devices that connect to the business network be equipped with security software and password protection; and providing general security training to make employees aware of the importance of security practices for mobile devices. More specific practices are detailed below.
1. Use security software on all smartphones
Security software specifically designed for smartphones can stop hackers and prevent cyber criminals from stealing your information or spying on you when you use public networks. It can detect and remove viruses and other mobile threats before they cause you problems. It can also eliminate annoying text and multimedia spam messages.
F C C S M A L L B I Z C Y B E R P L A N N I N G G U I D E
2. Make sure all software is up to date
Mobile devices must be treated like personal computers in that all software on the devices should be kept current, especially the security software. This will protect devices from new variants of malware and viruses that threaten your company’s critical information.
3. Encrypt the data on mobile devices
Business and personal information stored on mobile devices is often sensitive. Encrypting this data is another must. If a device is lost and the SIM card stolen, the thief will not be able to access the data if the proper encryption technology is loaded on the device.
4. Have users password protect access to mobile devices
In addition to encryption and security updates, it is important to use strong passwords to protect data stored on mobile devices. This will go a long way toward keeping a thief from accessing sensitive data if the device is lost or hacked.
5. Urge users to be aware of their surroundings
Whether entering passwords or viewing sensitive or confidential data, users should be cautious of who might be looking over their shoulder.
6. Employ these strategies for email, texting and social networking
Avoid opening unexpected text messages from unknown senders – As with email, attackers can use text messages to spread malware, phishing scams and other threats among mobile device users. The same caution should be applied to opening unsolicited text messages that users have become accustomed to with email.
Don’t be lured in by spammers and phishers – To shield business networks from cyber criminals, small businesses should deploy appropriate email security solutions, including spam prevention, which protect a company’s reputation and manage risks.
Click with caution – Just like on stationary PCs, social networking on mobile devices and laptops should be conducted with care and caution. Users should not open unidentified links, chat with unknown people or visit unfamiliar sites. It doesn’t take much for a user to be tricked into compromising a device and the information on it.
7. Set reporting procedures for lost or stolen equipment
In the case of a loss or theft, employees and management should all know what to do next. Processes to deactivate the device and protect its information from intrusion should be in place. Products are also available for the automation of such processes, allowing small businesses to breathe easier after such incidents.
8. Ensure all devices are wiped clean prior to disposal
Most mobile devices have a reset function that allows all data to be wiped. SIM cards should also be removed and destroyed.
Employees
Businesses must establish formal recruitment and employment processes to control and preserve the quality of their employees. Many employers have learned the hard way that hiring someone with a criminal record, falsified credentials or undesirable background can create a legal and financial nightmare.
Without exercising due diligence in hiring, employers run the risk of making unwise hiring choices that can lead to workplace violence, theft, embezzlement, lawsuits for negligent hiring and numerous other workplace problems.
Cyber Plan Action Items:
1. Develop a hiring process that properly vets candidates
The hiring process should be a collaborative effort among different groups of your organization, including recruitment, human resources, security, legal and management teams. It is important to have a solid application, resume, interview and reference-checking process to identify potential gaps and issues that may appear in a background check.
An online employment screening resource called the “Online Safe Hiring Certification Course” can help you set the groundwork for a safe recruitment process. The course will teach your teams what to look for in the different stages of the hiring process, how to interview and how to set up a safe hiring program to avoid hiring an employee that may be problematic. The course is available here: http://www.esrcheck.com/ESRonlineSafeHiringCourse.php.
2. Perform background checks and credentialing
Background checks are essential and must be consistent. Using a background screening company is highly recommended. The standard background screening should include the following checks:
Depending on the type of your business, other screening criteria may consist of credit check, civil checks and federal criminal checks. Conducting post-hire checks for all employees every two to three years, depending on your industry, is also recommended.
If you do conduct background checks, you as an employer have obligations under the Fair Credit Reporting Act. For more information about employer obligations under the FCRA, visit http://business.ftc.gov/documents/bus08- using-consumer-reports-what-employers-need-know.
3. Take care in dealing with third parties
Employers should properly vet partner companies through which your organization hires third-party consultants. To ensure consistent screening criteria are enforced for third-party consultants, you need to explicitly set the credentialing requirements in your service agreement. State in the agreement that the company’s credentialing requirements must be followed.
F C C S M A L L B I Z C Y B E R P L A N N I N G G U I D E
4. Set appropriate access controls for employees
Both client data and internal company data are considered confidential and need particular care when viewed, stored, used, transmitted or disposed. It is important to analyze the role of each employee and set data access control based upon the role. If a role does not require the employee to ever use sensitive data, the employee’s access to the data should be strictly prohibited. However, if the role requires the employee to work with sensitive data, the level of access must be analyzed thoroughly and be assigned in a controlled and tiered manner following “least-privilege” principles, which allow the employee to only access data that is necessary to perform his or her job.
If the organization does not have a system in place to control data access, the following precautions are strongly recommended. Every employee should:
Security awareness training teaches employees to understand system vulnerabilities and threats to business operations that are present when using a computer on a business network.
A strong IT security program must include training IT users on security policy, procedures and techniques, as well as the various management, operational and technical controls necessary and available to keep IT resources secure. In addition, IT infrastructure managers must have the skills necessary to carry out their assigned duties effectively. Failure to give attention to the area of security training puts an enterprise at great risk because security of business resources is as much a human issue as it is a technology issue.
Technology users are the largest audience in any organization and are the single most important group of people who can help to reduce unintentional errors and IT vulnerabilities. Users may include employees, contractors, foreign or domestic guest researchers, other personnel, visitors, guests and other collaborators or associates requiring access. Users must: