Small business: what should I know about computer security? [closed]

Actually, your question is much broader than the title says it is. It involves not only security as in protection against malicious intent, but also protection against things you do not have influence over (i.e. fires, earthquakes, that sort of thing).

I think it would be best to handle this 'bottom up' (or top down, depends on your point of view), so to say, starting with the computers themselves, then going to your own network and ending with your computers on the internet, as it were.

Your computers

Your computers are actually the most important asset. They contain the data that needs protection, so I'll talk about them first.

Backup, or: keeping your data from harm

The first thing to do to keep data safe is to implement a proper backup procedure. This ensures safety of your (their) data in the disaster-protection/recovery sense. What a proper backup procedure is, depends entirely on your budget and the sensitivity of the data you work with. A good starting-point would be an encrypted and off-site backup done via the internet.

Firewall, or: keeping others away from your data

Second would be to look at the protection of the computers in the firewall kind of way. Any computer needs a decent firewall, but there is a choice: you can firewall your individual machines, or you can do what is called 'perimeter firewalling'. I would suggest you choose the third option, a combination of both.

The reason for doing both perimeter and workstation firewalling is simple: a perimeter firewall doesn't stop your workstation getting infected via email-attachment. Your antivirus product might, but a workstation firewall should ensure it doesn't spread via the network to any other computers.

Antivirus, or: keeping data away from your data

Well, the subtitle is slightly weird. That's because this actually could have the same subtitle as the previous header. The third step to protecting the data on your computers is to make sure no data (i.e. programs) with malicious intentions can run on your computers. To do this, of course you need an up-to-date browser as you mention. But you also need a way to inspect what is what and what is and what is not malicious. In other words: you need a virus scanner.

Use the 'net to find a decent one, or, even better: buy a corporate version. From what I've heard McAfee is quite decent, as is Kaspersky.

Common sense

Of course, you can install any security software you want, but if the configuration isn't right, it'll do you no good. So make sure you check the settings. For firewalls I'd recommend basically shutting down everything. Nothing goes in, nothing goes out. After that, start to open ports on a need-to-open basis. You will want port 80 going out, for example, because that is the port HTTP uses by default. There are a few others and the internet knows them.

The other thing is choosing decent passwords. The internet has plenty on this, too, but rest assured that it's quite important.

Your network

Now that your computers are essentially secure, it's time to secure your network. It's important to know that any encryption or safety can be breached, given enough time and resources. Also: a possibility that is not there, is no possibility. That sounds obvious enough but it's very important.

Wired network

There is not much to secure about a wired network, to be honest. The most important thing here, in the network-sense, is the perimeter firewall. You can of course do all kinds of neat obfuscation like not using DHCP and using a different private subnet than default (192.168.1/24), but in the end they are not a security measure, they just make it a little bit harder to find out what you're doing.

But then there is also the physical way of viewing it. Security on your box is no good if I can access it physically. Same goes for your network. I take it it's inside your home, but it is still a thought.

Wireless network

The wireless network is much more of a PITA. Unlike the wired network, you don't need a physical plug to access it. So it stands to reason that the security must be that much stronger. Fortunately, 'they' have thought of this and given us wireless encryption.

In the beginning there was WEP. It was good enough at the time, because no-one could crack it in reasonable time. Currently, it takes about two to five minutes to crack it, on a reasonably busy network. So WEP is out.

Then WPA came along and was much better. However, the WPA standard is already in jeopardy. The advent of the GPU as a calculation processor instead of doing graphics only has sped up key-cracking a humongous amount. So WPA is also out of the question.

At this moment, only WPA2 can be expected to offer reasonable security, especially if implemented with RADIUS (and not PSK). This is where the security versus resources comes into play. If you want more security, you will have to install a RADIUS server. This will come at a cost, however, so the added security might not outweigh the added cost.

I think the best you can do for now is use WPA2-PSK with a sufficient passphrase. Make it long, make it complicated.

Anything like not broadcasting your SSID is bogus; any tool can find your network anyway. So is registering MAC addresses. It takes about a minute to find an accepted MAC and set my adapter to it.

Short summary

  • Good passwords and pass phrases.
  • Offsite backups
  • Firewall your workstations and perimeter
  • Upgrade wireless encryption to at least WPA2-PSK

You should first think about "What do I want to protect and from what" and then come up with measures.

Since you have two machines the most secure solution would be to have all the "data" on one machine and never connect it to a network but to use e.g. USB storage to transfer data.

Besides that I would advise you to consider the following points:

  • Blocking outbound connections by default

  • File Encryption (Full Disk Encryption AND, if possible, Encryption of the "data" itself in containers (try TrueCrypt))

  • E-mail encryption

P.S.: Since you are from Germany you SHOULD (No really, do it...) take a look at the BSI homepage (Federal Office for Information Security)

  • BSI for Citizens: https://www.bsi-fuer-buerger.de/cln_174/BSIFB/DE/Home/home_node.html

  • Grundschutzbaustein Laptop https://www.bsi.bund.de/cln_183/ContentBSI/grundschutz/kataloge/baust/b03/b03203.html

  • Grundschutzbaustein XP https://www.bsi.bund.de/cln_183/ContentBSI/grundschutz/kataloge/baust/b03/b03209.html

  • Grundschutzbausteine Netze https://www.bsi.bund.de/cln_183/DE/Themen/weitereThemen/ITGrundschutzKataloge/Inhalt/Bausteine/Netze/netze_node.html


The weakest link in your environment is Windows XP. It is terrible for security. Why? Because everything you do there is done as a user with complete Administrator rights.

Why should your web browser or email client run with Administrative rights over your operating system? It does not need it. Yet this is the route by which most malware arrives on Windows.

I recommend upgrading to Windows 7, where the security model is a little more like Linux or Mac OS. You can run the desktop applications in Windows 7 as an ordinary user, and you will be prompted for your admin password as required for installation of apps and drivers, etc. If while running Windows 7 you see a prompt for your admin password and you did not initiate an install or application update, then you know it was malware about to be installed and you can say cancel. That isn't happening right now in Windows XP, and there is a half decent chance you already have stealthy malware on the system undetectable by the anti-virus product you use. BTW, if you didn't already know, much malware targets and cripples the anti-virus products.

As a small operation you are not going to be investing a great amount in data backup and protection. So try for something simple that just works for you. Determine what data cannot be replaced if it were lost. Determine how much data that is. Come up with a plan to periodically back it up to DVD or possibly a USB drive or several. Give that media to someone you trust that lives in another building (maybe your brother, etc.). Now you have off-site backup. (Put your product keys on that media as well.)


The PCI standard outlines the main branches of business security very well. You may not need to strictly follow all the advice here, but it shows the main ideas to concentrate on.