Security Resources for Small Businesses
There's a world of security resources out there that you know you should be leveraging as a small business — especially the free ones. But how do you know where to find them?
Let this index be your guide.
I. GOVERNANCE, RISK, AND COMPLIANCE (GRC)
A. Policies, Procedures, and Standards (PPS)
Health Insurance Portability and Accountability Act Collaborative of Wisconsin (HIPAA COW): Provides a myriad of whitepapers, template policies, procedures, forms, and training documents to help implement HIPAA’s Privacy, Security, and EDI Standard Transaction provisions.
System and Network Security (SANS): Becoming a member of SANS gives you access to the largest source of information security information in the world, for free. SANS also offers a number of training courses. They’re expensive and class sizes can be quite large, but the instructors are top-notch.
B. Security Education Management (SEM)
KnowBe4: KnowBe4 is a CG Silvers partner that offers security awareness training, automated alerting, and simulated phishing attacks. Find a range of free tools and resources on their website.
Gophish: A free, open-source phishing framework that makes it easy to test your organization’s exposure to phishing.
C. Data Privacy and Compliance (DPC)
HIPAA COW Toolkit: Provides a valuable risk assessment and risk management toolkit. A risk assessment can help your organization ensure it is compliant with HIPAA’s administrative, physical and technical safeguards. It can also help reveal areas where your organization’s protected health information (PHI) could be at risk.
US Department of Health and Human Services (HHS) SRA Tool (Security Risk Analysis Tool): This tool guides you on a compliance gap assessment instead of a full-blown risk assessment.
Payment Card Industry Data Security Standard (PCI-DSS): The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for credit card payment account data protection.
PCI-DSS Scoping and Segmentation PDF: This guide makes previous guidance more official and can help you reduce your compliance burden through reducing the number of systems in scope for PCI DSS compliance.
Penetration Testing Guidance PDF: This guide specifies how a penetration test is to be conducted to meet the requirements in PCI DSS requirement 11.3. Since not all penetration tests are created equal, this guidance is important to understand before conducting them.
General Data Protection Regulation (GDPR): A handy resource for understanding European data protection regulations, particularly for organizations who handle data concerning European citizens, whether they are customers, partners, or employees.
California Consumer Privacy Act (CCPA): If your organization does business with Californians or in California, then you want to make sure you understand and comply with the new regulations that protect consumer data. In addition to the link above, PwC offers a “roadmap” on their website that explains how companies can be ready for the January 2020 compliance deadline.
D. Enterprise Risk Management (ERM)
CIS-RAM: Provides instructions, examples, templates, and exercises for conducting a cyber risk assessment.
CIS-CSAT: The CIS Controls Self-Assessment Tool is a free web application that enables security, IT, or business leaders to track and prioritize their implementation of the CIS Controls.
NIST (National Institute of Standards and Technology): NIST’s cybersecurity programs seek to enable greater development and application of security technologies and methodologies that enhance the country’s ability to address security challenges.
NIST CSF (Cybersecurity Framework): The NIST CSF reference tool provides a strategic view of an organization’s management of cybersecurity risk.
Special Publication “Safeguarding Covered Defense Information and Cyber Incident Reporting”: For organizations that work with or contract with suppliers to the US Department of Defense, this handbook provides guidance for implementing NIST SP 800-171 in response to DFARS.
II. TECHNICAL CONTROLS
A. Core Security Solutions
pfSense: A free, powerful, and flexible firewalling and routing platform.
Microsoft LAPS: Use LAPS to automatically manage local administrator passwords so that passwords are unique on each managed computer, randomly generated, and securely stored.
Microsoft Defender Suite: Among other security tools, Windows Defender includes an antivirus solution that delivers comprehensive protection against software threats like viruses, malware, and spyware.
B. Security Operations Center
Security Onion: Security Onion is a free and open-source Linux distribution for intrusion detection, enterprise security monitoring, and log management.
Elastic Stack (ELK): Elasticsearch, Logstash, and Kibana are three open source projects that can aid in security monitoring and can provide a security information and event management solution.
C. Threat Intelligence and Awareness
Google Alerts: Using strategic keywords, set up Google Alerts to monitor security breaches or simply to stay aware of current cybersecurity threats specific to your company or industry.
HelpNetSecurity: Offers daily security news with a focus on enterprise security.
KrebsOnSecurity: Brian Krebs, a journalist formerly with The Washington Post, offers in-depth security news and investigation.
Packet Storm Security: Stay aware of vulnerabilities that might affect your systems by keeping up with the latest cyber security news.
SANS Internet Storm Center: SANS constantly monitors the internet for any signs indicative of a malicious attack and makes its findings available, for free, to any internet user.
ScamSurvivors: Get the scoop on current scams in the media and how to avoid being a victim of online fraud.
SocEngineerInc: Twitter account run by the phenomenal Christopher Hadnagy, the founder and CEO of Social-Engineer, LLC.
Steve Gibson: Steve Gibson, the founder of Gibson Research Corporation, provides a more personal perspective on cyber security.
Lance Spitzner: Lance Spitzner is a self-described security geek, board member of the National Cyber Security Alliance, and the Director of SANS Security Awareness.
Hacking-Humans: Each week, the CyberWire’s Hacking Humans Podcast looks behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines.
Recorded Future: This podcast takes you inside the world of cyber threat intelligence. Hear stories from the trenches as well as get the skinny on established and emerging adversaries.
The Privacy, Security, & OSINT Show: This weekly podcast presents ideas that help you become digitally invisible, stay secure from cyber threats, and make you a better online investigator.
III. TECHNICAL ASSESSMENTS
A. Security Vulnerability Management
OpenVAS: OpenVAS is a free, open-source vulnerability scanner that can run pretty much any type of vulnerability test.
Kali Linux: This all-in-one box not only gives you access to OpenVAS, but also provides access to other tools used in security vulnerability assessment and penetration testing. (It’s okay. We all giggle when we read “penetration testing”, too.)