Part 2: Covered Systems and Security Tools
In the 21st century, broadband networks and information technology have become powerful tools for small businesses. They help business reach new markets and increase sales and productivity. However, the same technology that powers business improvement is vulnerable to attack. Businesses must implement the best tools and tactics to protect themselves, their customers, and their data.
As discussed in Part 1, federal contractors face a December 31 deadline for compliance with new rules for safeguarding contractor information systems. In Part 2, we’ll discuss the devices and systems that must be secured, including suggestions for best practices and affordably priced tools that small businesses can use to comply. Note that in many cases vendors offer multiple tools. These are listed by category rather than by vendor.
What Must Be Secured?
All contractor information systems, which are defined as systems owned or operated by contractors that “process, store, or transmit federal contract information” must be secured. Let’s take a look at each category and applicable security tips and tools.
Hardware (NIST Category 7):
Firewalls, Routers, Servers, PCs, Laptops, Tablets, Mobile Phones, IP phones, Network Printers
All hardware that stores or transmits data requires protection from unauthorized access and malware such as viruses and spyware. This generally involves the use anti-virus software, firewalls and Virtual Private Networks, which are discussed in more detail below.
Tips: Ensure that all firmware is updated, devices are encrypted (where available/appropriate) and that devices have passcodes or PINs. Make sure mobile devices (including laptops) can be remotely wiped in case of theft or loss.
Taking steps to prevent unauthorized network access is important for a wide number of reasons, including preventing others from installing malware or stealing or deleting important files.
Tips: Unauthorized persons should never have access to your business network! Make sure both home and office networks have secure passwords. Create a separate guest network for sharing with family, friends, and visitors.
Your network should be protected with a Firewall (hardware and/or software) and/or Virtual Private Network.
A firewall is a network security system that uses rules to control incoming and outgoing network traffic. A firewall acts as a barrier between a trusted network and an untrusted network. Firewalls come in two varieties: hardware and software. You can purchase a physical firewall device or run a firewall application. Many routers have firewall software built into them.
A greater level of security can be provided through a Virtual Private Network, which is a method employing encryption to provide secure access to a remote computer over the Internet. VPN tools for small businesses to consider included Avast SecureLine VPN and PureVPN.
Mobile Devices (phones and tablets)
The ease of doing business anytime, anywhere comes with a price. Mobile device security threats are on the rise. According to IT Web, the number of new malware programs detected each day has reached over 230,000–many of which target mobile devices.
Tips: Use mobile antivirus and security tools such as Avast Mobile, Avira and Lookout to secure mobile devices. Avast and Avira offer both free and more robust paid plans for devices running on Android and iOS. Lookout’s mobile security suite includes mobile endpoint security, app security, personal device security and threat intelligence
Wi-Fi and Bluetooth
Wi-Fi and Bluetooth are protocols allowing computers, smartphones, or other devices to connect to the Internet or communicate with one another wirelessly within a particular area.
Tips: Keep them off until needed. They are doors through which hackers can access your device or network. In addition, they drain batteries on mobile devices.
Do not use free public Wi-Fi. Ever. Many people have access, and the network is unsecured. It’s laughably easy to hack other users on the same network. Use your phone’s hotspot, a mobile hotspot, or trusted network (such as that of a client or vendor). If and when you use public Wi-Fi, use a Virtual Private Network to access your network or the internet in general.
Software (NIST Category 7)
Commercially available software represents one of the biggest vulnerabilities in information security. Don’t let hackers exploit holes in your software to access your information!
Tips: Ensure that all updates and patches are installed. Developers release security patches on a regular basis. Consider auto updates to plug any holes. Outdated software, even with updates or patches, is vulnerable because developers eventually stop supporting old software. If your software is more than 4 years old, check to see if you are still receiving updates and patches. Hackers know that companies run old software, and developers stop supporting it, so they look for ways to break in.
Online Services and Accounts
Email (NIST Category 8, 14)
After the recent presidential race, it’s hard to believe that anyone is unaware of the importance of safeguarding email communications. Email accounts are easily hacked. Take steps to protect them.
Tips: Keep separate accounts for business and personal email. Do not cross contaminate them. Keep business in business and personal in personal.
Use a professional domain for your business. If you are a small business, buy a domain, secure it, and use it. Do not send business email from Yahoo, Hotmail, AOL, Gmail, etc. Even if you designate one of these as a business account, it comes from a public domain, which reflects poorly upon your business and opens you up to hacking and other issues.
Keep in mind that if you keep multiple email accounts on a single device (as we all do), a hack from one account can easily bleed to the other accounts, causing release of information or unpleasant emails sent on your behalf.
To be clear, if you’re using Google’s G Suite (formerly Google Apps) for work, the security features are different than a personal Gmail account. That said, in our humble opinion, Gmail has one of the most secure personal email platforms, with multi-factor authentication (discussed below) and SPAM filtering.
Like email, keep separate accounts/services for work and personal. We recommend separate services, so it’s clear that one is business and one is personal. Do not cross contaminate. Do not store business documents on your personal service and vice-versa. Cloud storage services to consider include:
It’s too common to see hacking of LinkedIn, Facebook, Instagram, Twitter and other accounts. If hackers make disparaging posts or comments, it can affect your brand and reputation.
Tips: Use strong passwords and the highest privacy settings on all social media accounts. Change passwords frequently.
Create a social media usage policy for your company. Never forget that anything shared on social media can ultimately be viewed by anyone, anywhere the world. Be careful about what you post, even on private accounts. Ask your employees to do the same, and make sure they don’t comment on company business from unauthorized accounts. Quite apart from embarrassment, you could open yourself up to blackmail or legal consequences.
Online banking, utilities, customer/vendor portals, shopping, shipping, tax reporting/payment sites can all be vulnerable to hacking.
Tips: Use a different, strong password on each account, and change passwords frequently. Use multi-factor identification if available. Check all billing statements on a regular basis for unauthorized charges.
Website & Portals
You may not think your website has anything worthy of hacking. However, even the most mundane websites are compromised all the time. Most hacks are not to steal data, although this is always a concern. However, hackers may be trying to use your server as an email relay for spam, or to set up a temporary web server to serve files of an illegal nature.
Websites that use the standard HTTP protocol transmit and receive data in an unsecured manner. This means it is possible for someone to eavesdrop on the data being transferred between the user and the web server.
Tips: Invest in a secure website that encrypts the messages between the visitor and the site using SSL (secure socket layer) to ensure that no hacker or eavesdropper can intercept the information.
Never transmit personal or financial information via an unsecured site. If the web address begins with https://, instead of just http://, you are accessing a secure website. Most browsers will also display a lock icon somewhere along the edge of the window to indicate a website is secure. SSL tools are discussed below in the tools section.
Security Tools to Consider
According to a recent Verizon Data Breach Investigations Report, 60 percent of cyber-attacks target small and medium-sized businesses, primarily because they are easier targets. Using the tools below will help take the target off your back as well as provide compliance with federal regulations.
Managing passwords can be a pain. However, a strong password is your first line of defense against intruders and imposters.
Tips: You should pick passwords that are difficult to guess. Don’t use names, dates or common words as passwords. Here are some examples of passwords of increasing strength:
- Poor passwords: Password, Sally1
- Fair passwords: pAssWorD2017, sAllY12
- Good passwords: PaSsWoRd2017!!, SaLLy12$
- Better passwords: P@$$w0rd2017#, S@lly12#!
- Best passwords: l#Svr!25Nw^q, h*J47(sB2#xR
Use an encrypted database to store passwords. We still see clients with Word or Excel documents for their list of passwords. Even with a password-protected file, be careful. We’ve seen clients leave the file open on their desktop throughout the day.
The tools listed below can be auto-locked after use or after elapsed time. These tools also work across browsers and devices, making the passwords readily available to you and aid in entering the information in websites. More importantly, they have password generators that create strong passwords. The tools require you to remember only one strong password – the tool remembers everything else. You can also force multi-factor authentication access to the tool (user ID, password, and one-time code generated by a separate device). Several of the tools below have free, premium and enterprise versions to adjust to the size, security needs and budget of your company:
Virus & Malware Protection (NIST Category 7, 13, 14)
According to CNN, more than 317 million new pieces of malware — computer viruses or other malicious software — were created last year. That means nearly one million new threats were released each day.
Tips: Invest in a paid antivirus subscription, then keep the software and virus definitions updated daily (automated). Make sure virus protection is installed on all applicable devices such as servers, PCs, laptops, and mobile phones. Some of antivirus tools you might want to consider are listed below. Several of these vendors offer additional security software and services:
Multi-factor Authentication (NIST Category 5)
Multifactor authentication is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. The use of multiple authentication factors to prove one’s identity is based on the premise that an unauthorized user is unlikely to be able to supply the factors required for access.
Tips: Set authentication factors that are not likely accessible via public records. For example, a user’s mother’s maiden name is less secure than asking a personal question such as the name of the user’s favorite pet. Send randomly-generated codes to verified mobile phones or email addresses.
Choose a service and use it across every account possible (banks, email, servers, etc.) Some options include:
Encryption (NIST Category 8, 13)
A key information security tool, encryption converts information or data into a code to prevent unauthorized access. This protects the confidentiality of digital data stored on computer systems or transmitted via the Internet or other computer networks.
Tips: Encrypt mobile devices and tablets with a passcode or PIN. Encrypt laptops with software. Encrypt your website and servers with SSL certificates as described above. When shopping on the internet, look for https in websites. Only use secure sites to enter your personally identifiable information such as Social Security Number, Federal Employer ID Number, Dun & Bradstreet report number, credit card and bank account numbers, etc.
Encryption tools to consider include:
Next Step: Essential Policies for Compliance
In Parts 1 and 2 of this blog series, we reviewed new cybersecurity requirements for federal contractors, the systems covered by the rules, and affordable tools small businesses can use in their compliance programs. In Part 3, we’ll wrap up the series with a look at policies you need to put in place to ensure and track compliance.
As always, if you have questions about information security or any other aspect of government contract compliance, you can reach me at firstname.lastname@example.org or by callng (614) 556-4415.