**Note: links updated 10 Oct 2019**
IT (information technology) is the base upon which cybersecurity knowledge is built: the best practitioners generally start their careers in network administration. Or in high school computer clubs. Over time they focus on infosec as they realize how much fun it is to catch bad actors, uncover programming bugs, or break software not-on-purpose-but-maybe.
Small and medium businesses realize their networks are potentially vulnerable to cyberattacks. Many try to get by with a 'security by obscurity' defense. They hope their cloud-based website, and their ISP, will cover all necessary security bases for them. They believe their company is 'too small' to be a target.
Others operate quite hands-on, using servers based at home or at work. They update their software often, back up their drives frequently, download and install the latest (free) antivirus and (free) firewalls recommended by techie friends - and pray they've done everything possible to protect their data and online presence.
Here's the problem: SMBs and smaller nonprofits are major targets for cybercriminals because they generally represent low-hanging fruit. Choose the wrong support team - the wrong ISP, the wrong cloud server, even the wrong employees, volunteers, or IT guy or gal - and boom.
If a black hat gains access to a small business database, they know someone in that database probably knows a bigger fish, who probably knows an even bigger whale. Small hacks can pivot to much larger prey.
There is no such thing as a business or nonprofit too small to hack.
So, how does a small business or nonprofit protect its online assets? Cyber security. Physical site security. And by teaching employees and volunteers how to spot potential social engineering scams. This is essentially how large worldwide corporations secure their data, on a smaller scale.
Before an organization of any size can design an effective cyber security plan, it needs a baseline for the current network - i.e., how things stand today. This baseline is created through an initial system-wide vulnerability assessment. Vulnerability assessments are not penetration tests; the latter is an in-depth, stealthy operation which, done properly, takes a good deal of time, talent, and funding.
The goal of a proper vuln assessment is to uncover as many security issues as possible; a pen test is essentially a capture-the-flag game with high stakes. Both should be summarized, post-exploit, by understandable reports which include practical remediation recommendations.
Until your business matures, the security cycle will look something like:
- assess the network's security vulnerability status,
- mitigate any uncovered vulnerabilities,
- re-assess, and
Links below are for well-known, free-to-use OSINT (open-source intelligence) gathering sites and other useful information. Small nonprofits and businesses with limited cybersecurity funds can use these and other programs to evaluate their current security status.
I personally like and use these sites (and more) for basic intelligence gathering and vulnerability assessments. Other folks prefer different tools, especially for in-depth analyses of large corporate footprints - the larger the corporation, the more should be invested in cyber security operations.
Some of these tools are more complicated than others. Use these to begin learning what's out 'in the wild' regarding your business or personal website - and what hackers can learn about you and your employees.
None of these programs conduct intrusive searches; none trespass onto anyone's private intranet.* All information they discover is available for anyone in the world to find, should they go looking for it. Think about that...
I've also noted a few security blogs and books you should check out. They're good resources for both pros and those new to infosec.
If you have questions about any of these tools: DuckDuckGo, YouTube, and the online communities which support their users are your best sources for basic information. Good books are available to fine-tune your knowledge as well. At minimum, I recommend at least checking out Wizer's security awareness training (my training fav since discovering it several weeks ago) and at least one newsletter - Daniel Miessler's is eclectic and has something for everyone, on many topics.
Of course, if the thought of learning even one more thing about cybersecurity drives you bonkers and keeps you from doing what's really important - running your business well, and enjoying time with family and friends - then I suggest contacting us or another cybersecurity team for assistance. ;)
*so far as I know - always verify before using any software recommended by anyone online, or visiting any unknown or new websites, or listening to anyone who posts anything, anywhere. Use common sense. Your mileage may vary. NO CLAIMS ARE MADE BY POSTING THESE LINKS.
National Cybersecurity Awareness Month (October 2019):
Security awareness training - short, effective, to the point videos:
- *Full disclosure: we partnered with Wizer to offer their advanced training for a small fee. The basic program is awesome, extensive, and totally FREE for everyone.
Cybersecurity books for all by author Scott N. Schober:
Hacked Again! (2016)
Cybersecurity Is Everybody's Business (just published)
Security (and related) blogs:
Search engine for the IoT (Internet of Things):
Internet security and data mining:
Visualizing site data and possible connections:
File and URL scanning tools:
Open source vulnerability assessment scanner:
Searchable databases to learn the potential effects of CVEs (common vulnerabilities and exposures):
Interesting programs and info for increased cybersecurity, etc: