There's a world of security resources out there that you know you should be leveraging as a small business — especially the free ones. But how do you know where to find them?
Let this index be your guide.
I. GOVERNANCE, RISK, AND COMPLIANCE (GRC)
A. Policies, Procedures, and Standards (PPS)
B. Security Education Management (SEM)
KnowBe4: KnowBe4 is a CG Silvers partner that offers security awareness training, automated alerting, and simulated phishing attacks. Find a range of free tools and resources on their website.
Gophish: A free, open-source phishing framework that makes it easy to test your organization's exposure to phishing by running simulated campaigns against your own users.
C. Data Privacy and Compliance (DPC)
Health Insurance Portability and Accountability Act (HIPAA):
Payment Card Industry Data Security Standard (PCI-DSS): The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for credit card payment account data protection. PCI DSS applies to any organization that stores, processes, or transmits cardholder data.
PCI-DSS Scoping and Segmentation PDF: This guide formalizes earlier, less official guidance on scoping and can help you reduce your compliance burden by shrinking the number of systems in scope for PCI DSS.
Penetration Testing Guidance PDF: This guide specifies how a penetration test should be scoped and conducted to satisfy PCI DSS requirement 11.3. Not all penetration tests are created equal, so read it before you commission one.
General Data Protection Regulation (GDPR): A handy resource for understanding European data protection regulation, particularly for organizations that handle personal data of individuals located in the EU (residents, not only citizens), whether they are customers, partners, or employees.
California Consumer Privacy Act (CCPA): If your organization does business with Californians or in California, you want to make sure you understand and comply with the new regulation that protects consumer data. In addition to the link above, PwC offers a "roadmap" on their website that explains how companies can be ready for the January 1, 2020 effective date.
D. Enterprise Risk Management (ERM)
CIS (Center for Internet Security)
CIS-RAM: Provides instructions, examples, templates, and exercises for conducting a cyber risk assessment.
CIS-CSAT: The CIS Controls Self-Assessment Tool is a free web application that enables security, IT, or business leaders to track and prioritize their implementation of the CIS Controls.
NIST (National Institute of Standards and Technology): NIST’s cybersecurity programs seek to enable greater development and application of security technologies and methodologies that enhance the country’s ability to address security challenges.
II. TECHNICAL CONTROLS
A. Core Security Solutions
pfSense: A free, powerful, and flexible firewalling and routing platform.
Microsoft LAPS (Local Administrator Password Solution): Use LAPS to automatically manage local administrator passwords so that each managed computer has its own unique, randomly generated password, stored in Active Directory and readable only by the principals you delegate.
Microsoft Defender Suite: Among other security tools, Microsoft Defender (formerly Windows Defender) includes a built-in antivirus solution that delivers comprehensive protection against software threats like viruses, malware, and spyware.
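An added example for the LAPS entry above (not code from the page or from Microsoft): it uses the AdmPwd.PS module that ships with LAPS to delegate read rights on an OU, audit who holds them, and retrieve one machine's password. The OU path, the CORP\HelpDesk group, and the WS001 computer name are assumptions for illustration.

```powershell
# Added example: manage and audit LAPS with the AdmPwd.PS module (not from the page).
# Assumed names: the OU, the CORP\HelpDesk group and the WS001 computer are placeholders.
# Prerequisite: the AD schema has already been extended with Update-AdmPwdADSchema.
Import-Module AdmPwd.PS

$ou = "OU=Workstations,DC=corp,DC=example"   # assumed OU that holds the managed computers

# Allow the computers in the OU to write their own ms-Mcs-AdmPwd and
# ms-Mcs-AdmPwdExpirationTime attributes (the client-side extension needs this).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Delegate the right to read the stored password to the help desk group only.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals "CORP\HelpDesk"

# The check that matters: the password sits in clear text in AD and is only as secret as
# the ACL on ms-Mcs-AdmPwd. List every principal holding the extended right to read it in
# this OU; anything unexpected (broad groups such as Authenticated Users) is a finding.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders -Unique

# Retrieve the current password and its expiry for one machine, then schedule a rotation
# after use. Reset-AdmPwdPassword only sets the expiration time; the client picks a new
# password at its next Group Policy refresh.
Get-AdmPwdPassword -ComputerName "WS001" |
    Select-Object ComputerName, Password, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName "WS001"
```

Run this from a workstation with RSAT and the LAPS management tools installed, as an account that has rights to modify the OU's ACL. The Find-AdmPwdExtendedRights step is worth repeating on a schedule: delegated rights accumulate, and a group that can read every local administrator password is a lateral-movement shortcut for anyone who compromises one of its members.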
B. Security Operations Center
Security Onion: Security Onion is a free and open-source Linux distribution for intrusion detection, enterprise security monitoring, and log management.
Elastic Stack (ELK): Elasticsearch, Logstash, and Kibana are three open-source projects that, combined, can collect, index, and visualize logs for security monitoring and serve as a basic security information and event management (SIEM) solution.
C. Threat Intelligence and Awareness
III. TECHNICAL ASSESSMENTS
A. Security Vulnerability Management
OpenVAS: OpenVAS is a free, open-source vulnerability scanner (now maintained by Greenbone as part of Greenbone Vulnerability Management) with a large, regularly updated feed of vulnerability tests covering network services, operating systems, and applications.
Kali Linux: This all-in-one distribution not only lets you install OpenVAS, but also bundles the other tools commonly used in security vulnerability assessment and penetration testing. (It's okay. We all giggle when we read "penetration testing", too.)