Cybersecurity For Businesses

The Internet allows businesses to instantly access information, easily communicate externally and internally, and allows employees to work more efficiently by using computer and web-based tools and capabilities. If your business utilizes cloud computing, emails, or website services, it's imperative that cybersecurity is addressed.

Digital information is a high-value target for hackers of all skill-sets. Even some terrorist groups are beginning to turn their focus towards cyber crime. Every business that uses the Internet in some aspect has the responsibility to develop and maintaining cybersecurity best practices.

Email has become a critical part of everyday operations, from internal management to direct customer support. The benefits associated with email as a primary business tool far outweigh the negatives. However, organizations must be mindful that a successful email platform starts with basic principles of email security to ensure the privacy and protection of customer and operational information.

1. Setup a Spam Email Filter

It has been well documented that spam, phishing attempts, and otherwise unsolicited and unwelcome email often accounts for more than 60% of all email that an individual or organization receives. Email is the primary method for spreading viruses and malware and it is one of the easiest to defend against. Consider using email-filtering services that your email service provider offers. An email filter application is an important component of a solid antivirus strategy. 

2. Train Employees on Responsible Email Usage

The last line of defense for all of your cyber risk efforts lies with the employees. Technology alone cannot make an organization secure. Employees must be trained to identify risks associated with email use, how and when to use email appropriate to their work, and when to seek the assistance of professionals. Employee awareness training is available in many forms, including printed media, videos and online training. Consider requiring security awareness training for all new employees and refresher courses every year.

3. Protect Sensitive Information Sent Via Email

Emails often include sensitive work-related information. Whether it is information that could harm your business or regulated data, such as personal health information or personally identifiable information, it is important to ensure the information is only sent and accessed by those who are entitled to see it. Organizations that handle this type of information should consider whether such information should be sent via email, or at least consider using email encryption. Encryption is the process of converting data into an unreadable format to prevent disclosure to unauthorized personnel. Only individuals or organizations with access to the encryption key can read the information. Other cloud services offer “Secure Web-Enabled Drop Boxes” that enable secure data transfer for sensitive information, which is often a better approach to transmitting between companies or customers.

4. Develop an Email Usage Policy

Policies are important for setting expectations with employees or users and for developing standards to ensure adherence to your published polices. Your policies should be easy to read, understand, define and enforce. Key areas to address include what the email system should and should not be used for and what data is allowed to be transmitted. Other policy areas should address retention, privacy and acceptable use. Depending on operational needs, you may have a need for email monitoring. The rights of the organization and the user should be documented in the policy as well. The policy should be part of your general end user awareness training and reviewed for updates on a yearly basis.

Businesses can experience a compromise through the introduction of malicious software, or malware. Malware can make its way onto machines from the Internet, downloads, attachments, email, social media, and other platforms. One specific malware to be aware of is key logging, which is malware that tracks a user’s keyboard strokes. Many businesses are falling victim to key-logging malware being installed on computer systems in their environment. Once installed, the malware can record keystrokes made on a computer, allowing intruders to see passwords, credit card numbers and other confidential data. Keeping security software up to date and patching your computers regularly will make it more difficult for this type of malware to infiltrate your network.

Malware is the greatest external threat to most hosts, causing damage and requiring extensive recovery efforts within most organizations. The following are the classic categories of malware:

Virus - A virus self-replicates by inserting copies of itself into host programs or data files. Viruses are often triggered through user interaction, such as opening a file or running a program. Viruses can be divided into the following two subcategories:

  • Compiled Viruses: A compiled virus is executed by an operating system. Types of compiled viruses include file infector viruses, which attach themselves to executable programs; boot sector viruses, which infect the master boot records of hard drives or the boot sectors of removable media; and multipartite viruses, which combine the characteristics of file infector and boot sector viruses.
  • Interpreted Viruses: Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications’ macro programming language to infect documents and templates.

Worms - A worm is a self-replicating, self-contained program that usually executes itself without user intervention. Worms are divided into two categories:

  • Network Service Worms: A network service worm takes advantage of vulnerabilities in a network service to propagate itself and infect other hosts.
  • Mass Mailing Worms: A mass mailing worm is similar to an email-borne virus but is self-contained, rather than infecting an existing file.

Trojan Horses - A Trojan horse is a self-contained, non-replicating program that, while appearing to be benign, actually has a hidden malicious purpose. Trojan horses either replace existing files with malicious versions or add new malicious files to hosts. They often deliver other attacker tools to hosts.

Malicious Mobile Code - Malicious mobile code is software with malicious intent that is transmitted from a remote host to a local host and then executed on the local host, typically without the user’s explicit instruction.  Popular languages for malicious mobile code include Java, ActiveX, JavaScript, and VBScript.

Blended Attacks - A blended attack uses multiple infection or transmission methods. For example, a blended attack could combine the propagation methods of viruses and worms.

Securing your business’ network consists of identifying all devices and connections on the network. This can be accomplished by setting boundaries between your organization’s systems and others by enforcing controls to ensure that unauthorized access, misuse, or denial-of-service events can be thwarted or rapidly contained and recovered from if they do occur.

1. Antivirus Software

Antivirus software is the most commonly used technical control for malware threat mitigation. There are many brands of antivirus software, with most providing similar protection through the following recommended capabilities:

  • Scanning critical host components such as startup files and boot records.
  • Watching real-time activities on hosts to check for suspicious activity. A common example is scanning all email attachments for known malware as emails are sent and received. Antivirus software should be configured to perform real-time scans of each file as it is downloaded, opened, or executed, which is known as on-access scanning.
  • Monitoring the behavior of common applications, such as email clients, web browsers and instant messaging software. Antivirus software should monitor activity involving the applications most likely to be used to infect hosts or spread malware to other hosts.
  • Scanning files for known malware. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and depending on organization security needs, to scan removable media inserted into the host before allowing its use. Users should also be able to launch a scan manually as needed, which is known as on-demand scanning.
  • Identifying common types of malware as well as attacker tools.
  • Disinfecting files removes malware from within a file and quarantining that file. Files containing malware are stored in isolation for future disinfection or examination. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. Accordingly, antivirus software should be configured to attempt to disinfect infected files and to either quarantine or delete files that cannot be disinfected.

2. Secure Internal Network and Cloud Services

Your organization’s network should be separated from the public Internet by strong user authentication mechanisms and policy enforcement systems, such as firewalls and web-filtering proxies. Additional monitoring and security solutions, such as antivirus software and intrusion detection systems, should also be employed to identify and stop malicious code or unauthorized access attempts.

Internal Network

After identifying the boundary points on your organization’s network, each boundary should be evaluated to determine what types of security controls are necessary and how they can be best deployed. Border routers should be configured to only route traffic to and from your organization’s public IP addresses, firewalls should be deployed to restrict traffic only to and from the minimum set of necessary services, and intrusion prevention systems should be configured to monitor for suspicious activity crossing your network perimeter. In order to prevent bottlenecks, all security systems deployed onto a network’s perimeter should be capable of handling the bandwidth your carrier provides.

Cloud-Based Services

Carefully consult your terms of service with all cloud service providers to ensure your organization’s information and activities are protected with the same degree of security that you would intend to provide on your own. Request security and auditing from your cloud service providers as applicable to your organization’s needs and concerns. Review and understand service level agreements for system restoration and reconstitution time. You should also inquire about additional services a cloud service can provide. These services may include back up and restore services and encryption services.

3. Develop Strong Password Policies

Password policies should encourage employees to use the strongest passwords possible without creating the need or temptation to reuse passwords or write them down. Use passwords that are random, complex and long (at least 10 characters), are changed regularly and are closely guarded by those who know them. Passwords should also contain both numbers and letters.

4. Secure and Encrypt Wi-Fi

Organizations may choose to operate a Wireless Local Area Network (WLAN) for the use of customers, guests and visitors. It is important that such a WLAN be kept separate from the main company network so traffic from the public network cannot traverse the organization’s internal systems. Internal, non-public WLAN access should be restricted to specific devices and specific users to the greatest extent possible while meeting your organization’s needs. All users should be given unique credentials with preset expiration dates to use when accessing the internal WLAN.

New telecommunication technologies may offer countless opportunities for organizations, but they also offer cyber criminals many new ways to victimize your organization, scam customers, and hurt your reputation. Organizations of all sizes should be aware of the most common scams perpetrated online. To protect your organization against online scams, be cautious when visiting web links or opening attachments from unknown senders. Make sure to keep all software updated and monitor credit cards for unauthorized activity.

1. Train Employees to Recognize Social Engineering

Social engineering, also known as "pretexting," is used by many cyber criminals to trick unsuspecting people into giving away their personal information and/or installing malicious software onto their computers, devices or networks. Social engineering is successful because criminals are doing their best to make their work look and sound legitimate, which makes it easier to deceive users. Information gathered from social networks or posted on websites can be enough to create a convincing ruse to trick your employees. For example, social media profiles can allow a criminal to assemble information on employees. Teaching people the risks involved in sharing personal or business details on the Internet can help you partner with your staff to prevent both personal and organizational losses.

Many cyber criminals use social engineering tactics to get individuals to voluntarily install malicious computer software, such as fake antivirus software. Fake antivirus software is designed to steal information by mimicking legitimate security software. Users who are tricked into loading malicious programs on their computers may be providing remote control capabilities to an attacker, unwittingly installing software that can steal financial information or simply try to sell them fake security software. The malware can also make system modifications which makes it difficult to terminate the program. The presence of pop-ups displaying unusual security warnings and asking for credit card or personal information is the most obvious method of identifying a fake antivirus infection.

2. Protect Against Online Fraud

Online fraud takes on many guises that can impact everyone, including small organizations and their employees. It is helpful to maintain consistent and predictable online messaging when communicating with your customers to prevent others from impersonating your organization. Never request personal information or account details through email, social networking or other online messages. Let your customers know you will never request this kind of information through such channels and instruct them to contact you directly should they have any concerns.

3. Protect Against Phishing

Phishing is the technique used to trick people into thinking they are dealing with a trusted website or other entity. Phishers may impersonate an organziation in order to take advantage of unsuspecting customers or to steal employees’ online credentials.  Attackers often take advantage of emergenices or disaster and current events, such as:

  • Natural disasters (Hurricane Katrina, Indonesian tsunami)
  • Epidemics and health scares (H1N1)
  • Economic concerns
  • Major political elections
  • Holidays

Employee awareness is your best defense against users being tricked into handing over their usernames and passwords to cyber criminals. Employees should never respond to incoming messages requesting private information. If a stranger claims to be from a legitimate organization, verify his or her identity with his or her stated company before sharing any personal or classified information. 

Employees should never click on a link sent by email from an untrustworthy source. Employees needing to access a website link sent from a questionable source should open an Internet browser window and manually type in the site’s web address to make sure the emailed link is not maliciously redirecting to a dangerous site. This advice is especially critical for protecting online banking accounts belonging to your organization. Criminals are targeting banking more than any other sector. If you believe you have revealed sensitive information about your organization, make sure to:

  • Report it to appropriate people within your organization
  • Contact your financial institution and close any accounts that may have been compromised (if you believe financial data is at risk)
  • Change any passwords you may have revealed, and if you used the same password for multiple resources, make sure to change it for each account

Website security is more important than ever. Web servers, which host the data and other content made available to your customers on the Internet, are often the most targeted and attacked components of a network. Cyber intruders are constantly looking for improperly secured websites to attack, while many customers say website security is a top consideration when they choose to shop online. As a result, it is essential to secure servers and the network infrastructure that supports them. Consequences of a security breach are significant, such as situations of loss of revenues, damage to credibility, legal liability and loss of customer trust. The following are examples of specific security threats to web servers:

  • Cyber intruders may exploit software bugs in the web server to gain unauthorized access to the web server.
  • Denial-of-service attacks may be directed at the web server or its supporting network infrastructure to prevent or hinder your website users from making use of its services.
  • Sensitive information on the web server may be read or modified without authorization.
  • Information on the web server may be changed for malicious purposes. Website defacement is a commonly reported example of this threat.
  • Cyber intruders may gain unauthorized access to resources elsewhere in the organization’s network via a successful attack on the web server.
  • Often, the web browser that comes with an operating system is not set up in a secure default configuration. Not securing your web browser can quickly lead to a variety of computer problems caused by anything from spyware being installed without your knowledge to intruders taking control of your computer.

1. Implement Appropriate Security Management Practices and Controls when Maintaining and Operating a Secure Web Server

Hardware attacks are harder to prevent than software attacks. Appropriate management practices are essential to operating and maintaining a secure web server. Security practices include the identification of your information system assets and the implementation of policies and guidelines to help ensure the confidentiality, integrity and availability of information system resources. The following practices and controls are recommended:

  • A business-wide information system security policy
  • Server configuration and change control and management
  • Risk assessment and management
  • Standardized software configurations that satisfy the information system security policy
  • Security awareness and training
  • Contingency planning, continuity of operations and disaster recovery planning
  • Certification and accreditation

2. Ensure Web Server Operating Systems Meet Organizational Security Requirements

The first step in securing a web server is securing the underlying operating system. Most commonly available web servers operate on a general-purpose operating system. Many security issues can be avoided if the operating systems underlying web servers are configured appropriately. Default hardware and software configurations are typically set by manufacturers to emphasize features, functions and ease of use at the expense of security. Because manufacturers are not aware of each organization’s security needs, each web server administrator must configure new servers to reflect their organization’s security requirements and reconfigure them as those requirements change. Using security configuration guides or checklists can assist administrators in securing systems consistently and efficiently. Initially securing an operating system initially generally includes the following steps:

  • Patch and upgrade the operating system
  • Change all default passwords
  • Remove or disable unnecessary services and applications
  • Configure operating system user authentication
  • Configure resource controls
  • Install and configure additional security controls
  • Perform security testing of the operating system

3. Ensure the Web Server Application Meets Organizational Security Requirements

The secure installation and configuration of the web server application will mirror the operating system process discussed above. The overarching principle is to install the minimal amount of web server services required and eliminate any known vulnerabilities through patches or upgrades. If the installation program installs any unnecessary applications, services or scripts, they should be removed immediately after the installation process concludes. Securing the web server application generally includes the following steps:

  • Patch and upgrade the web server application
  • Remove or disable unnecessary services, applications and sample content
  • Configure web server user authentication and access controls
  • Configure web server resource controls
  • Test the security of the web server application and web content

4. Ensure Only Appropriate Content is Published on Your Website

Websites are often one of the first places cyber criminals search for valuable information. Still, many organizations lack a web publishing process or policy that determines what type of information to publish openly, what information to publish with restricted access and what information should not be published to any publicly accessible repository. Some generally accepted examples of what should not be published or at least should be carefully examined and reviewed before being published on a public website includes:

  • Classified or proprietary business information
  • Sensitive information relating to your business’ security
  • Medical records
  • A business’ detailed physical and information security safeguards
  • Details about a network and information system infrastructure
  • Information that specifies or implies physical security vulnerabilities
  • Detailed plans, maps, diagrams, aerial photographs, and architectural drawings of buildings, properties or installations
  • Any sensitive information about individuals that might be subject to federal, state or, in some instances, international privacy laws

5. Take Appropriate Steps to Protect Web Content from Unauthorized Access or Modification

Although information available on public websites is intended to be public, it is still important to ensure that information cannot be modified without authorization. Users of such information rely on its integrity even if the information is not confidential. Content on publicly accessible web servers is inherently more vulnerable than information that is inaccessible from the Internet, and this vulnerability means businesses need to protect public web content through the appropriate configuration of web server resource controls. Examples of resource control practices include:

  • Install or enable only necessary services
  • Install web content on a dedicated hard drive or logical partition
  • Limit uploads to directories that are not readable by the web server
  • Define a single directory for all external scripts or programs executed as part of web content
  • Disable the use of hard or symbolic links
  • Define a complete web content access matrix identifying which folders and files in the web server document directory are restricted, which are accessible, and by whom
  • Disable directory listings
  • Deploy user authentication to identify approved users, digital signatures and other cryptographic mechanisms as appropriate
  • Use intrusion detection systems, intrusion prevention systems and file integrity checkers to spot intrusions and verify web content
  • Protect each backend server (i.e., database server or directory server) from command injection attacks

6. Employ Network Infrastructure to Help Protect Public Web Servers

The network infrastructure (firewalls, routers, intrusion detection systems) that supports the web server plays a critical security role. In most configurations, the network infrastructure will be the first line of defense between a public web server and the Internet. Network design alone, though, cannot protect a web server. The frequency, sophistication and variety of web server attacks perpetrated today support the idea that web server security must be implemented through layered and diverse protection mechanisms, an approach sometimes referred to as “defense-in depth.”

7. Commit to an Ongoing Process of Maintaining Web Server Security

Maintaining a secure web server requires constant effort, resources and vigilance. Securely administering a web server on a daily basis is essential. Maintaining the security of a web server will usually involve the following steps:

  • Configuring, protecting and analyzing log files
  • Backing up critical information frequently
  • Maintaining a protected authoritative copy of your organization’s web content
  • Establishing and following procedures for recovering from compromise
  • Testing and applying patches in a timely manner
  • Testing security periodicall

Additional Resources