I need some sources for an IT assignment

Post » Wed Feb 16, 2011 8:36 pm

Hello BGSF, I come looking for some help with an assignment. I've mostly finished it, but according to my tutor, I need to add some more research.

What I need are some good articles to do with protection for small businesses, most specifically to do with education and protection against social engineering, and protection from "uninformed" (i.e., stupid) employees.
I have plenty of textbooks that deal with the technical side of security, and there are plenty of average sites out there that just consist of "Install virus protection" and are really aimed at the layman.

So if anyone (DEFRON, I know you work in this field :icecream: ) has any good material, please, share it :thumbsup:
Kortknee Bell
Posts: 3345
Joined: Tue Jan 30, 2007 5:05 pm

Post » Wed Feb 16, 2011 1:46 pm

I'll tell you, there is a VERY fine line between security and annoying the hell out of your office workers to the point they start complaining.

One of the most important things is to install a password management system. If it is a local database password manager, keep the databases on a server (or network share if there is no server), off the users computer. On the user's computer have the keyfile. This does a few things:

1. It keeps the user from having to memorize a bunch of passwords -- which in all likelihood they won't do anyway; they are going to just write them down.

2. It keeps the user from knowing the various passwords; rather they "just have them all filled in automatically". Social engineering does nothing if they don't know anything.

3. It allows you to have complete control over who has access to what work-related sites by making multiple databases that are tuned only to the needs of the particular user.

4. If the user's computer is compromised, the passwords aren't. Only the keyfile is on their computer, not the actual database.

One of the controversial areas is content restriction, as in: blocking Facebook and similar websites. You are generally going to have a mutiny on your hands if you outright block them, but there are things you can do to mitigate the risks:

1. Limit the time periods that they can access with content control software (more commonly known as parental control).

2. Limit what content on those sites loads. This isn't easy, and requires a lot of doing on your behalf. You can't just put NoScript (or any similar program) on their computers, because they will kill you. You'll have to pre-configure NoScript (or any similar program) for every website they need before deploying it.

3. Unless required by work, disable Internet Explorer. Install Firefox with PublicFox. PublicFox will keep them from doing things you don't want them to do, like downloading executables or messing with the settings you fine-tuned perfectly. There are ways to do similar for Internet Explorer, but I've not done so in some time. Restricting Internet Options, especially without Group Policies, is not free or absolute. While you are at it you can install AdBlock Plus.

Finally, make them well aware of the dangers of random websites. Web Of Trust does a good job at this in my opinion, the graphic displaying the safety of websites in color-code makes it easy for them to realize that site may not be safe.

One other thing: harden your network. Strong passwords for all computers (have them log in automatically if you must; the point is to restrict access from network intruders). If WiFi is a MUST, deploy WPA2. I can't begin to tell you how many small businesses run with WEP still. Worse is offering free WiFi for their customers to attract them WITHOUT running it on a separate virtual network. There are ways to do this using Linux or DD-WRT (which is still Linux :P) as well as more expensive options. It's also wise to make it a captive portal (Chillispot and WifiDog from the FOSS world, plenty of others in the pay world).


FYI: From my experience the two biggest problems Small Business IT faces are lack of funds and license violations. Remember: most free antivirus programs are NOT licensed for commercial use, and neither are many freeware applications. Same with Microsoft Office Home and Student. Using these programs can and has gotten Small Businesses sued and/or attacked by the BSA. Many times it is the FOSS way or the highway, since you have no money for any other option. Make sure any and all implementations are within your budget AND you are license-compliant.

Dope, how silly of me: Back up everything! Whenever possible, nothing important should be kept on the user's computer. When it cannot be avoided, it should be backed up in the event they FUBAR their computer. Have backups of your backups, and the most important stuff should be encrypted and a copy should be kept off-site.

And of course, the usual stuff: antivirus + firewall installed. Run them as limited users whenever possible, create group policies when possible, etc.


Edit: Oh, sorry, don't have any citable articles. If citable research is what you need, nothing tops interviews in this case, I don't think. Ask around your local small businesses, and interview any IT people they have there. There aren't really any published books on "how to secure your small business's IT infrastructure", at least as far as I know. IT is seen as a magical tool in my experience, which does what they need and isn't looked at any further than that. For the most part we just try to emulate what is done on the higher levels but with very limited budgets, but thankfully on a much smaller scale (otherwise it probably wouldn't be possible).

Edit: I found some articles I agree (mostly) with, either in my browser history (sometimes it pays to never empty this :P) or in a quick Google search:

http://www.infusionblog.com/technology/7-tips-to-secure-your-small-business/ -- Really liked this one, and almost completely agreed with everything said

http://www.pcauthority.com.au/News/150922,security-check-how-to-secure-your-small-business-server.aspx -- Pretty solid basic tips

http://www.computerworld.com/s/article/9003012/10_tips_to_secure_your_small_business_network_?taxonomyId=16 -- Besides #2 and #5, it was good

http://www.smallbusinesscomputing.com/buyersguide/article.php/3917016/A-Guide-to-Data-Backup-and-Recovery-for-SMBs.htm and http://www.smallbusinesscomputing.com/biztools/article.php/3924926/5-Cheap-and-Easy-Disaster-Recovery-Tips.htm -- Data security is probably THE most important thing for a small business. It's your bread and butter. Lose something important, and you don't have the base needed to just simply brush it off. As such, proper data backup and recovery procedures are quite important.

http://www.smallbusinesscomputing.com/webmaster/article.php/10732_3908811_1/15-Data-Security-Tips-to-Protect-Your-Small-Business.htm

http://smallbusiness.yahoo.com/r-article-a-57769-m-7-sc-31-small_business_advice_7_steps_to_online_security-i?aid=57769&mcid=7&scid=31&small_business_advice_7_steps_to_online_security=i

It doesn't really cover social engineering and dealing with the computer illiterate employee, but the concepts are there to deal with them: follow the principle of least privilege. Don't trust them with passwords they don't need to know (or passwords at all with a proper password manager), don't run them as admins, and leave UAC on (if they are triggering UAC, they are doing something wrong). It's the best way of dealing with them.
Brian LeHury
Posts: 3416
Joined: Tue May 22, 2007 6:54 am
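The "database on the server, keyfile on the user's PC" split described in the reply above, as an added illustration that is not code from this thread or from any real password manager: the encrypted vault is what sits on the share, the keyfile is what sits on the workstation, and neither half alone opens anything. The scheme (PBKDF2 key derivation, HMAC-SHA256 counter-mode keystream, encrypt-then-MAC), the blob layout and the function names are all constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed scheme for illustration only; NOT KeePass's or any other
# real password manager's file format. Layout of a sealed vault blob:
#   salt(16) || nonce(16) || ciphertext || tag(32)

def create_keyfile() -> bytes:
    """Random key material that lives only on the user's workstation."""
    return os.urandom(32)

def _derive(keyfile: bytes, salt: bytes) -> tuple[bytes, bytes]:
    # The salt is stored inside the vault on the share, so a stolen
    # keyfile without the vault (and vice versa) is not enough.
    master = hashlib.pbkdf2_hmac("sha256", keyfile, salt, 100_000)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key

def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode built on HMAC-SHA256 as the PRF; 32-byte blocks.
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        pad = hmac.new(enc_key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def seal_vault(entries: bytes, keyfile: bytes) -> bytes:
    """Encrypt and authenticate the database before writing it to the share."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(keyfile, salt)
    ciphertext = _keystream_xor(enc_key, nonce, entries)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag

def open_vault(blob: bytes, keyfile: bytes) -> bytes:
    """Decrypt; raise ValueError on a wrong keyfile or a tampered blob."""
    if len(blob) < 64:
        raise ValueError("vault blob too short")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive(keyfile, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Check the tag before decrypting so a modified share copy is rejected.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong keyfile or corrupted vault")
    return _keystream_xor(enc_key, nonce, ciphertext)
```

A compromised workstation yields only `create_keyfile()` output, and a compromised share yields only `seal_vault()` output; `open_vault()` needs both, which is the property point 4 of the reply relies on.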