A Master Thesis
by
Stephanie Juniel
August 2018
COST EFFECTIVE SCALABLE INFOSEC FOR SMALL BUSINESS 2
Charles Town, WV
TABLE OF CONTENTS
DEDICATION 8
ACKNOWLEDGEMENTS 9
I. INTRODUCTION 13
V. BACKGROUND 50
Background Checks 82
X. CONCLUSION 88
LIST OF TABLES
LIST OF FIGURES
DEDICATION
I dedicate this creative project to my devoted daddy Thomas Juniel. R.I.P. Vietnam war hero forever
loved and never forgotten, you will always be missed; and to my loving momma Wanda Jo Dickson, the
champion in my corner. Without your love, sacrifice, and encouragement I wouldn’t have believed I was smart
and strong enough to reach my goals in life. Thank you so much for pushing me towards excellence.
ACKNOWLEDGEMENTS
I wish to thank my family, friends, mentors, and instructors for their support. A special thank you to my
sponsors Mychal McDonald and Brice Richard, as well as professor Dr. Novadean Watson-Stone for her
thoroughness and passion to encourage and guide me to the finish line, and to all the instructors over the years
who have instilled in me the power to be my best self and have given me the gift of knowledge. Finally, I would
like to thank American Public University for delivering a comprehensive Master's degree program and growth
opportunities that have and will contribute to my success for the rest of my life.
COPYRIGHTS PAGE
I, Stephanie Juniel, the owner of Cost Effective Scalable Infosec for Small Business, hereby grant the
American Public University System the right to display these contents for educational purposes.
X
Stephanie Juniel
The author assumes total responsibility for meeting the requirements set by United States copyright law for the
inclusion of any materials that are not the author’s creation or in the public domain.
by
Stephanie Juniel
Cyber security is a particularly complex discipline worldwide, and cybercrime evolves constantly. Cyber security is often perceived as an expensive overhead that requires an abundance of resources. Many large companies have invested in information security to shore up their systems. As a result, smaller companies are being targeted for security breaches. Many articles have been released with tips on how a small business can spruce up its security; however, the articles are not comprehensive, cost-effective, agile, and scalable. Security mechanisms can be applied in various and very powerful ways to enhance information security for even the smallest of companies without costing a fortune. This project will use research and analysis as inputs to create a methodical approach to security for small business. Whether the goal of small business owners is to support private and/or government sector customers, information security should be a top priority.
Introduction
Problem Statement
Cyber defense is a young, ever-evolving industry, and arguably no one has a firm grasp of it yet. The articles selected for the creative project cover several key areas of consideration needed to create a comprehensive solution, including government mandates, customer expectations, security and privacy controls, risk assessments, etc. Small business operations use information systems to process private information, to provide products and services, and to manage corporate assets. Large companies have often been targets of cybercrime, prompting big businesses to tighten security before an attack and, in turn, causing cyber criminals to redirect their attention to less secure smaller companies (Kerner, 2011). Small business operations are defined much like those of big business, and their constituents expect to have their information protected, since companies are entrusted with confidentiality and tasked with handling their data. Resources for building a more resilient security infrastructure are limited for small companies; however, they are not exempt from being held to the same privacy standards as large companies. The creative project will take 16 weeks to deliver. This research project will provide an agile foundation for a scalable, cost-effective method to increase security for small businesses.
The purpose of the selected project, relative to the course of study for the Master of Science in Information Assurance and Security, is to create a cost-effective framework that carries a company from startup conception until it grows into a more mature capability model. The project selection offers a collection of independent security mechanisms, analyzed to provide solutions for companies looking to increase security on a restrictive budget. The master thesis will seek to extract best practices from industry experts and organizations. Special consideration is given to small businesses, as recent studies have shown that many cyber criminals have redirected their targets away from big business. Large companies have invested more money in shoring up their organizations' assets to provide increased security and reduce risk. There are no known methods for being completely free of cybercrime, but there are ways to lessen the impact of a successful security breach and to prevent reckless information security practices. This creative project adds value to the discipline through examination and analysis of known security mechanisms to date and applying those concepts with the least amount of procured
Research Questions
• How can a company with little money for security get the maximum protection in an agile and
scalable way?
• What process model can support a seamless and transparent gradual increase of security control?
A preliminary literature review has revealed a gap in cyber security methodology for creating a comprehensive, cost-effective solution for small business. Past studies have shown that security breaches are on the rise for small businesses. A significant amount of consideration of business continuity, disaster recovery, and, most importantly, how to protect information systems is part of an ongoing effort to create more security parameters generally. Little attention has been paid to affordability for organizations with limited financial resources and their ability to invest in a security program that lets them keep a smooth-running operation, so the issues remain dormant. As a result, this creative project will extract best practices from research to create an end-to-end cyber solution that can grow into a more mature information assurance capability model.
Concurrently, this project shall outline a strategy for developing an end-to-end solution for creating a basic security infrastructure for a small business at the lowest possible cost. Using a minimalist approach, the project will involve acquiring solutions that deliver improved security mechanisms and are agile, in addition to considering ways to expand the security program seamlessly. The project will incorporate requirements that satisfy government and private sector standards in best practice and regulatory guidelines. The long-term goal of this project is to create an affordable standard process for creating a security framework. The Steph Standard, as defined herein, is the set of information security basics every small company can deploy to safeguard its corporate assets. The objective of this current study is to provide a comprehensive review of industry best practices, instructional materials, and a
Project Timeline
Methodology
The primary method used for this project is literature review, together with analysis of information security standards and security risks. This study will collect statistical information and process the information obtained to create a strategy for any do-it-yourself security mechanisms that can be enabled or disabled, or that may already come built into the system's design package. To reduce the cost of the initial discovery of risks, the security risk assessment process will consist of using existing company resources in a structured, guided risk identification approach. A comparative market analysis will be conducted to produce options and solutions for security needs outside of the company's capabilities.
The acceptance criteria for this research project will be based on the End of Program Capstone Manual released by American Public University System and sponsored by Dr. Novadean Watson-Stone, a highly credentialed professor and facilitator of the creative project final capstone delivery requirements. Additionally, the efforts brought forth in this research project are aimed at explicitly meeting the requirements for a "passed with distinction" designation, for consideration of being published in the American Public University library.
Completion of this project seeks to provide a scalable, cost-effective, and agile security infrastructure that can grow with the company. The intended purpose is to protect small businesses from threats and vulnerabilities, allowing businesses to recover quickly from operational failure and shore up corporate assets. By the end of this project, the reader should have a foundational understanding of the importance of protecting corporate assets and of which security mechanisms will prevent threats and vulnerabilities while ensuring continuity of operations.
Literature Review
Countless publications have been released about how to tackle information security and best practices, with each author adding their own insight on how to handle information security challenges in the business environment. Information security is not a stagnant discipline; it requires continuous analysis and applied practice to stay ahead of the learning curve, as new ways to breach security are constantly evolving. As a result, it is imperative that business owners and designated leadership stay diligent in deploying information security solutions and set expectations that build a corporate culture of security awareness and evolution in a cost-effective fashion.
The Computer Security Institute conducted a survey for the FBI to identify the frequency of attacks, the types of attacks, and, where available, where the attacks were emanating from. 42% of the respondents acknowledged an unauthorized breach within the previous year. The testimony of Richard G. Power, released in June 1996, explains the observations drawn from the survey responses, which produced a list of areas of unpreparedness and of things needing to be done to shore up security. Consequently, the testimony by Power of the Computer Security Institute speaks to the nature of the behavioral patterns for attacks brought forth by adversaries
According to the Small Business Administration, there are over 28 million small businesses nationwide, which make up 46% of the United States' economic revenue stream. On behalf of NIST, Paulsen and Toth (2016) released Small Business Information Security Fundamentals, providing guidance to small business for protecting their information systems. The National Institute of Standards and Technology Interagency Report (NISTIR) details the basic security infrastructure small businesses should seek to employ to create a more secure environment for the business, customers, staff, technologies, process, etc. Some of the information security recommendations for small business include:
The items listed above are several of the security actions in the comprehensive list of security measures that the NISTIR recommends, drawing on the Framework for Improving Critical Infrastructure Cybersecurity (CSF14) to help create an approach for the risk management process. Paulsen and Toth (2016) also briefly cover other components of security outside of cybersecurity, including physical security, personnel security, contingency planning and disaster recovery, operational security, and privacy. Additionally, the publication provides justification for the need to invest in information security, since small businesses are a target for attack and the damage from a realized breach can be detrimental to the sustainability of the operation. This publication provides guidance on implementing a security program, information security techniques to create a more resilient infrastructure, and ongoing recommendations to foster a more secure environment overall.
The National Institute of Standards and Technology released Special Publication 800-30 to provide best practice guidance for conducting risk assessments, which are considered to be one of the key components of the organizational risk management process. The risk assessment is meant to provide leadership with the information needed to prioritize risks and help determine which security investments take precedence. NIST SP 800-30 offers a comprehensive process for assessing information security risk using a three-tier risk management hierarchy: tier 1, the organizational level; tier 2, the mission/business process level; and tier 3, the information system level. The publication also provides templates, tables, and assessment scales to aid in the risk assessment process. For tiers 1 and 2, risk assessments are used to evaluate management-related activity, business process models, architecture, funds allocated for security, etc., while tier 3, the information system level, is used for security control selection, implementation, monitoring, and system authorization using the NIST Risk Management Framework (RMF) as highlighted in NIST SP 800-37. NIST fulfills security requirements standards for government agencies
According to NIST, the fundamentals of the risk management process include: risk framing, to create a foundational risk management strategy by describing the environment in which risk-based decisions are made; assessing the risks, through identification of threats and vulnerabilities as well as assessing the impact and likelihood of occurrence; responding to the risks in an organization-wide, unified way and gauging risk tolerance to determine the course of action and alternatives; and monitoring risks for updates while continuously measuring the effectiveness of risk management activities. NIST SP 800-30 primarily provides guidance on the
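The following is a worked illustration, added here and not taken from the thesis or from NIST SP 800-30, of how the likelihood and impact judgements described above combine into a risk level and then into a prioritized list that a small business with a fixed budget can act on. The five qualitative levels are the publication's; the 0-100 score bands and the combining matrix are this example's approximation of the publication's semi-quantitative scale and Appendix I risk table and should be checked against SP 800-30 before being used in a real assessment. The risk register is constructed sample data.

```python
"""Likelihood x impact risk levels and budget-aware prioritization.

Added example in the shape of NIST SP 800-30's qualitative assessment; the
score bands and the combining matrix are this example's approximation of the
publication's tables (assumption), and the register below is constructed.
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows: likelihood level; columns: impact level (both ordered as LEVELS).
# Assumed approximation of the SP 800-30 Appendix I "level of risk" table.
RISK_MATRIX = [
    # impact:  Very Low    Low         Moderate    High        Very High
    ["Very Low", "Very Low", "Very Low", "Low",      "Low"],        # likelihood Very Low
    ["Very Low", "Low",      "Low",      "Low",      "Moderate"],   # likelihood Low
    ["Very Low", "Low",      "Moderate", "Moderate", "High"],       # likelihood Moderate
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # likelihood High
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # likelihood Very High
]


def level_from_score(score: int) -> str:
    """Map a 0-100 semi-quantitative score to a qualitative level (assumed bands)."""
    if not 0 <= score <= 100:
        raise ValueError("semi-quantitative scores run from 0 to 100")
    if score >= 96:
        return "Very High"
    if score >= 80:
        return "High"
    if score >= 21:
        return "Moderate"
    if score >= 5:
        return "Low"
    return "Very Low"


def risk_level(likelihood: str, impact: str) -> str:
    """Combine two qualitative levels through the matrix."""
    return RISK_MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int     # 0-100, how likely the event is within a year
    impact: int         # 0-100, damage to the operation if it happens
    cost_to_treat: int  # rough yearly cost of the chosen mitigation, in dollars


def assess(risk: Risk) -> str:
    """Qualitative risk level for one register entry."""
    return risk_level(level_from_score(risk.likelihood), level_from_score(risk.impact))


def prioritize(register):
    """Highest risk level first; within a level, the cheapest treatment first.

    That ordering lets a small business with a fixed security budget work
    down the list and stop when the money runs out.
    """
    return sorted(register, key=lambda r: (-LEVELS.index(assess(r)), r.cost_to_treat))


# Constructed sample register for a five-person company (not from the thesis).
REGISTER = [
    Risk("Ransomware delivered by phishing e-mail", likelihood=85, impact=90, cost_to_treat=1200),
    Risk("Unencrypted laptop lost or stolen", likelihood=50, impact=85, cost_to_treat=300),
    Risk("Web server compromised through default admin password", likelihood=97, impact=30, cost_to_treat=0),
    Risk("Flood destroys the on-premises file server", likelihood=10, impact=98, cost_to_treat=2500),
    Risk("Guest Wi-Fi used to reach internal hosts", likelihood=60, impact=10, cost_to_treat=150),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{assess(r):9}  ${r.cost_to_treat:>5}  {r.name}")
```

The free fix (changing the default password) lands above the laptop encryption and the flood contingency even though all three are Moderate, which is the kind of ordering the "least amount of procured" approach in this thesis calls for.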
Pal (2017) highlights the minimum compliance security requirements for Department of Defense (DOD) contractors mandated in the Defense Federal Acquisition Regulation Supplement (DFARS), to be implemented no later than December 2017. DOD affirms that the minimum standard of security mechanisms contractors are required to deploy can be attained by conforming to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. NIST SP 800-171 covers best security practices for configuring IT securely, including policy and process. However, where NIST SP 800-171 does not prescribe how an organization should meet the DOD requirements, NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, does offer discretionary guidance for implementing security. Subjectively, there are security standards in circulation that can be applied to an operation doing business with
Small businesses tend to be low-hanging fruit for hackers. Kerner (2011) highlights 10 tips for securing small business networks. The article states that hackers look to exploit holes in network security using automated scanners and botnets, no matter the size of the company. Specifically, Kerner offers 10 low-cost network security tips for shoring up defenses. The first tip recommends getting a firewall to lock down any unnecessary open ports attackers may use to infiltrate the network. Most cable companies include a firewall with the router; however, some people make the mistake of thinking that desktop application firewalls act as a defense against network traffic, which simply isn't true. For the firewall to be effective, it needs to be safeguarding the
For Tip #2, Kerner (2011) suggests configuring the firewall with a custom password, as the default password can be found by various means, such as locating the user manual online once the brand and model number have been identified. Additionally, for Tips 2-5 the article mentions updating the router firmware for security bugs and fixes, blocking network pings so hackers are unable to identify devices to exploit, and scanning the network as an attacker would to look for any open ports and vulnerabilities. Tip #6 of Kerner's article mentions locking down IP addresses if guests don't regularly access the network. Many small businesses use DHCP, which automates IP address assignment to devices connected to the network, but it also makes it easier for hackers to connect to the network. To prevent this, the system administrator will want to consider allowing only specified IP addresses to connect to the network. Tip #7 delves into the use of VLANs to partition access to network assets; since everyone does not need access to the same information, this is especially helpful for cross functional
The bulk of traffic on the network goes over port 80 for the web, which leaves vulnerabilities and risks an attack on the open port. Kerner (2011) suggests using an Intrusion Prevention System (IPS) as the primary network security mechanism to monitor network traffic for anomalies and suspicious activity. Though an IPS is sometimes bundled in with the router as a Unified Threat Management device, larger small businesses should consider obtaining a separate box or using open source technologies such as Snort. Tip #9: in contrast to a network firewall, a Web Application Firewall (WAF) protects applications rather than the network. Some risks can be mitigated or transferred by using third-party vendor applications that are hosted by an external source, but in the event the small business is the host, a WAF network box is the better option, or open source technologies such as ModSecurity. Finally, Tip #10 covers the use of Virtual Private Networks (VPNs) for mobile and remote employees, providing the same protection as employees on the network onsite and keeping unsecured users in untrusted mobile environments out. Kerner's article provides cost-effective solutions for creating a more secure network infrastructure and protecting small business from vulnerabilities lurking beyond the corporate network security perimeter.
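The fifth tip, scanning the network for open ports the way an attacker would, only pays off when the result is compared against what each host is supposed to expose. The following is an added example, not code from the thesis or from Kerner's article: it parses the output of the Linux `ss -tulnH` command (a constructed sample is embedded so it runs offline) and reports every socket reachable from the network that is not in an assumed approved baseline for a small web server. Services bound only to the loopback address are skipped, because the firewall tips concern what other hosts can reach.

```python
"""Compare a host's listening sockets with an approved service baseline.

Added example, not from the thesis or Kerner (2011). Input is the text of
`ss -tulnH` on Linux; the sample below is constructed, and APPROVED is an
assumed baseline for a small web server (SSH, HTTP, HTTPS).
"""

# Constructed sample of `ss -tulnH` output (proto, state, recv-q, send-q,
# local address:port, peer address:port). Not captured from a real host.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:23         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""

# Services this host is meant to expose to the network (assumption).
APPROVED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}


def parse_listeners(ss_text):
    """Yield (proto, address, port) for each socket line of ss output."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        # rpartition handles IPv6 literals such as [::]:22 as well as 0.0.0.0:22
        addr, _, port = local.rpartition(":")
        yield proto, addr.strip("[]"), int(port)


def is_loopback(addr):
    """True for sockets only reachable from the host itself."""
    return addr.startswith("127.") or addr == "::1"


def audit_listeners(ss_text, approved=APPROVED):
    """Return sorted (proto, port, address) tuples for exposed sockets not in the baseline."""
    findings = set()
    for proto, addr, port in parse_listeners(ss_text):
        if is_loopback(addr):
            continue  # e.g. a database bound to localhost: not reachable over the LAN
        if (proto, port) not in approved:
            findings.add((proto, port, addr))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, addr in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {proto}/{port} on {addr}")
```

On the sample the audit flags telnet (tcp/23) and SNMP (udp/161), which are exactly the kind of legacy services the firewall should be closing; the MySQL socket on 127.0.0.1 is not reported. Running the real `ss -tulnH` output through the same function on a schedule, and keeping the baseline in version control, turns Kerner's one-off scan into a repeatable check.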
Advanced Persistent Threat (APT) is a new class of threat aimed at infiltrating economic, proprietary, and sensitive information through highly skilled attackers who create operatives and slowly make successful and unsuccessful attempts over years to penetrate a network, then build upon the knowledge from those attempts to create more advanced capabilities that will defeat common security mechanisms (Lockheed Martin, 2016). Hutchins, Cloppert, and Amin (2016) describe using a phased Kill Chain Model to gather intelligence on the adversary, wherein the information obtained is used to create counterintelligence and surveillance resources, tools, and other defense strategies to get ahead of the attacker and reduce the overall likelihood of the attacker's success. Ideally, this methodology establishes justification for network defense prioritization and investment
Specifically, James Andrew Lewis of the Center for Strategic and International Studies testified that a majority of the intrusion incidents emanate from China, in an attempt to collect information not only from government and military systems but from its contractors' information systems as well. The results of the investigation also showed continuous advancement of intrusion techniques and the "calculated nature" of APT. In essence, China was persistent and patient in its malicious intent to access unauthorized information.
Hutchins, Cloppert, and Amin (2016) suggest moving to an intelligence-based approach that triages vulnerabilities and threats simultaneously as intrusion events occur and move through the phases of the model. The indicator life cycle provides a significant amount of information that can be used to collect data around the intrusion incident. The kill chain method is used to pinpoint and engage the attacker to gain intelligence and create countermeasures. Hutchins, Cloppert, and Amin (2016) developed a new intrusion kill chain model specially designed for intrusions:
1) Reconnaissance- Data collection and intel on the intruder and intrusion methods
2) Weaponization- Remotely accessing the environment and inserting a trojan with the deliverable payload
4) Exploitation- After the payload has been received, the exploitation code is triggered to run on the victim's asset
5) Installation- The installation of the trojan allows the intruder to have backdoor access and continuously
6) Command and Control (C2)- Channel established for malware to allow the intruder to have access to the
7) Actions on Objectives- Intruders now have access to the network and can move around the targeted environment for a multitude of reasons such as data exfiltration, compromising other information systems
Ideally, counterintelligence sources would use the information gathered throughout the phases to create a protective approach by learning the adversaries' activities and behavioral patterns and creating a superior defense mechanism. A kill chain method for the larger small businesses that have a little more money to invest in security
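An added example of the phase-based analysis described above (not code from Hutchins, Cloppert, and Amin's paper or from the thesis): detections are matched against indicators tagged with a kill chain phase, the deepest phase the intrusion reached is computed, and the earlier phases with no detection are listed, since those are where the defender should go looking for further indicators after a late-stage alert. The phase order is the paper's; the indicators, domains, hash and log lines are constructed sample data.

```python
"""Map detections onto intrusion kill chain phases and find observation gaps.

Added example following the phase order of Hutchins, Cloppert and Amin's
intrusion kill chain; not code from the paper or the thesis. All indicator
values, host names, domains, the hash and the log lines are constructed.
"""

PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Indicators in the paper's three classes: atomic (address, e-mail sender),
# computed (file hash) and behavioral (a pattern). Values are constructed.
INDICATORS = [
    {"kind": "atomic",   "value": "invoice@example-bad.test",  "phase": "delivery"},
    {"kind": "computed", "value": "sha256=CONSTRUCTED_HASH_A", "phase": "installation"},
    {"kind": "atomic",   "value": "update.example-bad.test",   "phase": "command_and_control"},
]

# Constructed log lines from a mail gateway, an endpoint agent and a DNS resolver.
EVENTS = [
    "2018-08-01T09:12:03 mail-gw from=invoice@example-bad.test subject='Invoice 4471' attachment=invoice.pdf.exe",
    "2018-08-01T09:15:47 edr host=ws-07 new_process=invoice.pdf.exe sha256=CONSTRUCTED_HASH_A",
    "2018-08-01T09:16:02 dns host=ws-07 query=update.example-bad.test",
    "2018-08-01T10:02:11 mail-gw from=hr@example.test subject='Benefits update' attachment=benefits.pdf",
]


def match_events(events, indicators):
    """Return one hit per (event, indicator) pair whose value appears in the line."""
    hits = []
    for line in events:
        timestamp = line.split(" ", 1)[0]
        for ind in indicators:
            if ind["value"] in line:
                hits.append({"time": timestamp, "phase": ind["phase"],
                             "kind": ind["kind"], "indicator": ind["value"]})
    return hits


def deepest_phase(hits):
    """The furthest phase along the chain that any hit belongs to (None if no hits)."""
    return max((h["phase"] for h in hits), key=PHASES.index, default=None)


def unobserved_earlier_phases(hits):
    """Phases before the deepest one with no detection: where to hunt for more indicators."""
    deepest = deepest_phase(hits)
    if deepest is None:
        return []
    seen = {h["phase"] for h in hits}
    return [p for p in PHASES[:PHASES.index(deepest)] if p not in seen]


if __name__ == "__main__":
    found = match_events(EVENTS, INDICATORS)
    for h in sorted(found, key=lambda h: h["time"]):
        print(f"{h['time']}  {h['phase']:20}  {h['kind']:8}  {h['indicator']}")
    print("deepest phase reached:", deepest_phase(found))
    print("phases to reconstruct:", unobserved_earlier_phases(found))
```

On the constructed data the intrusion is seen at delivery, installation and command and control, so the analyst's next task is to reconstruct reconnaissance, weaponization and exploitation from the same incident (for example, what the attachment exploited); any indicator recovered there becomes a detection for the next campaign, which is the cycle the paper describes.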
The evolution of risk management is a progressive approach that is iterative, as with other IT concepts. Northcutt (2014) quotes Adam Shostack's Threat Modeling: Designing for Security, which asks: What is being built? What can potentially go wrong? What are the courses of action should things go wrong? Did you do a thorough analysis (Shostack, 2014)? Northcutt (2014) credits the Project Management Body of Knowledge (PMBOK) with covering Risk Management as one of the key knowledge areas of the project management discipline. Northcutt (2014) examines Josh Sokol's SimpleRisk methodology, developed as a result of budgetary constraints and other barriers limiting governance, risk, and compliance tools for risk management. As a resolution to this dilemma, Sokol developed SimpleRisk, an open source technology that is highly configurable and includes reporting capabilities. Free technology is available to help automate, track, and assess risks in a systematic and structured way.
According to the Small Business Administration (SBA), 80% of small businesses fail within the first 18 months of operation. Horton (2017) attributes small business failure to the lack of risk mitigation strategies and tools while marketing goods and services at costs that match economic demand. Other contributing factors include lack of capital, inadequate management, business plan and infrastructure issues, and marketing mishaps. Horton (2017) explains how a more thorough exploration of the aforementioned factors could have prevented small businesses from failing. The risks associated with having a small business can have a cascading effect on cross-functional areas that rely on an in-depth, applied understanding of the factors that can impact its operation.
According to The Security Risk Assessment Handbook by Douglas Landoll, there are four key elements of a security risk assessment when it is managed as a project. The key elements are planning, tracking, correction, and reporting (Landoll, 2011). A project manager (PM) is the person responsible for making sure the project is successful. The planning element of a security risk assessment is where the PM reviews the statement of work (SOW) for time and resource constraints as well as the stakeholders' expectations. This review allows the PM to look for any changes before accepting the project. The PM can then use MS Project to create a project plan that breaks the project down into more manageable parts in terms of the duration of activities, phases, and milestones.
According to Landoll (2011), the manageable phases are pre-onsite, for project initiation activities; onsite assessment, for gathering data and other related information onsite; results analysis, to analyze the collected information; and report, to present the findings to the customer. Project management supports the pre-onsite phase by kicking off the project to ensure there is a common understanding of the project, getting the necessary approvals and information requests, and meeting with key personnel to ensure communication and engagement.
The onsite assessment is supported by project management, as this is the part of the project that reviews the security controls already in place. The results analysis phase generates the risk statements and provides recommendations for a team consensus. There are project management methods such as Delphi, nominal group, and consensus techniques that can assist the Project Manager (PM) with an organized approach to facilitating these results (PMI, 2013). Project management helps support the reporting phase by delivering documentation that the team helped create as an organized outline of the final project information and team assignments (Landoll, 2011). Microsoft Project (MS Project) provides a Gantt chart view of interrelated project tasks. Project management has a role in information security and allows the assigned PM to take corrective and preventive measures to get the project back in line with the constraints agreed upon with the project stakeholders.
Brotby (2009) suggests gauging the security program's effectiveness, and this can be done using technical
Capturing security metrics and monitoring effectiveness helps with the ongoing refinement of a security plan.
According to Peltier (2014), the difference between administrative, technical, and physical security controls is that administrative controls revolve around policies, procedures, personnel background, training, etc., whereas technical controls use computer software to regulate access to systems (smart card readers, biometrics, passwords, etc.), and physical security controls focus more on facility access (security guards, electronic access, alarms, etc.). The following are examples of how to gather data on each security control:
• Administrative- a few things one can do to gather information on the security requirements for administrative controls are to work with human resources and legal to get policies and contractual obligations, verify that employee backgrounds are sufficient and have been vetted, etc.
• Physical- a few things one can do to gather data on physical security include figuring out the access points,
• Logical- a few data gathering techniques for access controls are to get the system log files, archival data, etc.
Administrative, physical, and logical security controls are important pieces of information for a security risk assessment because they help in understanding the current state and the to-be state of the security posture. It is important to understand what controls are in place, so that an evaluation can be done to make recommendations. Once there is an understanding of how the security controls are maintained, the scope of the security program can be based on the operation and the constraints associated with its implementation. Overall, the security control safeguards help create a recommendation for developing a comprehensive security program.
The purpose of a risk analysis is to help senior management determine which security projects to initiate. The risk analysis provides a security risk assessment with insight on multiple facets of security around
According to Landoll, there are four stages to the security risk management process: security risk assessment, test and review, security risk mitigation, and operational security (Landoll, 2011). As an information security professional, I would apply the elements of the aforementioned four stages.
Many low-risk data businesses have not made an adequate investment in establishing an information assurance framework. Hasse (2002) examines the information security needs of a small defense agency under the draft DoD Information Assurance Policy and Instruction, known as DoDD 8500.aa and DoDD 8500.bb. Hasse extrapolated guidelines and requirements contained within the two aforementioned DoD drafts to create an information assurance framework suitable for a small defense agency. In doing so, Hasse makes use of the Defense in Depth pillars of an information assurance framework: People, Operations, and Technology. The security needs of a small defense agency must still be met with suitable and effective security measures; however, not all of the information security tools and techniques used by larger agencies are necessarily an obligation for a small defense agency,
People, as a Defense in Depth pillar, speaks to the consideration of people and technology. Users of technology come from several perspectives when interacting with information systems as well as when designing and building the systems. The role of people and the intricacies of an information assurance program require compliance once key policies have been established across the board, and due diligence in talent selection. Operations, as a Defense in Depth pillar, states the need to establish policy and procedures as an overarching governance to be fused into the corporate environment and enforced as the standard. Additionally, Operations includes defense mechanisms, audits, continuity planning, readiness assessments, etc. The Technology pillar advocates the use of security tools and skills and is broken out into five main areas: defend the networks and infrastructure, defend the enclave boundary, defend the computing environment, supporting infrastructures, and system security methodology and framework. The pillars of Defense in Depth can be an effective approach if the methodology is adopted into the overall business strategy (Hasse, 2002).
According to Information Security Fundamentals by Thomas Peltier, there are three types of security control:
Administrative Controls:
• Awareness training
• Background checks
Physical Controls:
• Security guards
• Locking laptops
Technical/logical controls:
• Encryption
• Smart cards
There are quite a few strategies an organization or individual user can implement to practice effective
information security.
Deployment considerations involved with using network security products to obtain full content data
include deciding which assets need to be monitored and determining who the attacker might be. According to Wild
(2006), there are several classifications of attackers, including external attackers who use the internet to launch the
attack, external attackers who launch the intrusion from the wireless segment, internal attackers who launch an
intrusion from within the wired LAN, and external attackers who launch an intrusion from the wireless segment.
Other deployment considerations include the perimeter needed for collecting threat intelligence data on the external
attacker who uses the internet for the attack, as well as the perimeter network used to watch a host that would most
likely be compromised. For the external attacker using the wireless segment, the deployment consideration should
be whether it can be used to detect attacks against the intranet. Finally, internal attackers with access to internal
networks are another consideration, as their permissions have been granted by the organization (Wild, 2006).
Network security monitoring products collect full content data, including the entire packet, capturing
the information that is passed above the Transport layer 2. Network security monitoring products include tools such
as network protocol analyzers and real-time traffic analyzers that perform analysis and packet logging on IP networks.
Several products offer this capability, such as Snort, Tethereal, etc. Sguil is an open source suite that combines
alerts, sessions, and full content data in one GUI, with real-time analyzers encompassed within one network security
Bejtlich (2009) explains that TCPDump captures full content data and allows the most flexibility for analysis
in network security monitoring. TCPdump can sniff and write, and is not subject to selectivity by the
creator. Packets are saved and can be replayed through any traffic analysis tool. Many possibilities are available
for post-incident network-based forensics, and it encrypts content, not headers. Most sniffing tools use the libpcap
library. Raw TCPdump data can be reviewed using ethereal.com, and TCPdump behavior can be modified using
Berkeley Packet Filter. There are external vendors that record everything going in and out of networks and all you
Session data can be collected using Argus, which interprets IP, TCP, UDP, etc. and summarizes the
traffic in conversation or session format (Cotrell, 2017). Session tables are generated without header storage or full
content and are parsed on the back end; they can bypass encryption because they do not contain application data, however
intruders can bypass Argus by using sessionless covert channels. Argus supports live data collection and batch data
collection. A couple of products used for session data generation include StealthWatch, which is flow based and
generates data, and NetIntercept, which generates session data after collecting it raw and then parsing it (Bejtlich, 2009).
Trafd shows statistics on data collected on interfaces, collects information in memory and dumps results
periodically, and shows real-time statistics collected on an interface. Also, reactive mode quickly checks which flow
is using bandwidth. There are products that generate statistics that are used for provisioning and network health.
StealthWatch is a tool that can be used to generate statistics, and there are other open source tools that can be used to
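The two ideas above, session data built from headers alone (the Argus paragraph) and a quick answer to "which flow is using bandwidth" (the Trafd paragraph), can be shown in a few lines of Python. This is an added example, not code from the thesis or from Argus, Trafd or StealthWatch; the packet records are constructed header fields (no payloads), and the client/server assignment rule (first packet seen defines the client) is an assumption made for the example.

```python
from dataclasses import dataclass

# Constructed packet header records: (timestamp, src_ip, src_port, dst_ip, dst_port, proto, bytes).
# Only header fields are present, which is all a session tool needs; payloads are never stored,
# so encrypted application data makes no difference to what is produced here.
PACKETS = [
    (1.0, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 120),
    (1.1, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1400),
    (1.2, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 80),
    (2.0, "10.0.0.7", 40000, "10.0.0.1", 53, "udp", 60),
    (2.1, "10.0.0.1", 53, "10.0.0.7", 40000, "udp", 140),
    (3.0, "10.0.0.5", 51001, "93.184.216.34", 443, "tcp", 120),
]


@dataclass
class Session:
    proto: str
    client: str
    client_port: int
    server: str
    server_port: int
    start: float
    end: float
    packets_out: int = 0   # client -> server
    packets_in: int = 0    # server -> client
    bytes_out: int = 0
    bytes_in: int = 0


def summarize_sessions(packets):
    """Collapse individual packets into bidirectional sessions (conversations).
    Assumption for this example: the first packet seen for a 5-tuple defines the client side."""
    sessions = {}
    for ts, src, sport, dst, dport, proto, size in sorted(packets):
        # The key ignores direction, so both halves of a conversation land in one session.
        key = (proto, frozenset({(src, sport), (dst, dport)}))
        s = sessions.get(key)
        if s is None:
            s = Session(proto, src, sport, dst, dport, ts, ts)
            sessions[key] = s
        s.end = max(s.end, ts)
        if (src, sport) == (s.client, s.client_port):
            s.packets_out += 1
            s.bytes_out += size
        else:
            s.packets_in += 1
            s.bytes_in += size
    return list(sessions.values())


def top_talkers(sessions):
    """Bytes per client host in both directions, highest first: the bandwidth question
    answered from session records alone, without any packet contents."""
    totals = {}
    for s in sessions:
        totals[s.client] = totals.get(s.client, 0) + s.bytes_out + s.bytes_in
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for s in summarize_sessions(PACKETS):
        print(s)
    print(top_talkers(summarize_sessions(PACKETS)))
```

Note what the session table cannot show: a covert channel that never forms a recognizable conversation (the "sessionless" case the text mentions) produces nothing for summarize_sessions to group, which is why full content capture is still kept alongside session data.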
Kane (2014) distinguishes between alert data (including generation tools) and the previously covered Network
Security Monitoring (NSM) (including collection tools). Intrusion Prevention Systems (IPS) and Intrusion
Detection Systems (IDS) are used as Network Security Monitoring mechanisms that look for malicious activity or
policy violations as well as monitor network traffic to and from all devices that are connected to the network.
Activities detected as violations are reported to the admin and/or collected using a security information and event
management (SIEM) system (Sebastian, 2013). The SIEM has alarm filtering techniques to differentiate between
malicious and false alerts. Host-based IDS monitor operating system files, and network IDS analyze incoming
network traffic. IDS are sometimes classified by the method used for detection, and one of the most popular variants
includes detecting corrupted patterns such as malware, or anomalies from “good traffic”, using machine learning.
• Flow data management tools such as Cisco NetFlow Collector, Arbor Peakflow, and netstat, which log per-packet end
point info
• Transaction data, which logs connection-level info using tools such as Bro, Colasoft, and network proxies
• Alert data, which matches signatures against the packet content, using tools such as Snort, Suricata, Bro, etc. (Kane, 2014)
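To make the alert-data bullet and the SIEM alarm-filtering sentence concrete, here is an added example (not code from the thesis, Snort, Suricata or any SIEM product) of the two steps: content signatures matched against packet payloads to produce alerts, then a SIEM-style filter that drops alerts from an authorized scanner and collapses repeats. The signatures, packet records and the scanner address are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    dport: Optional[int]     # None matches any destination port
    content: Optional[str]   # substring that must appear in the payload; None matches any payload


# Constructed signatures, in the spirit of Snort/Suricata content rules (not a real rule set).
SIGNATURES = [
    Signature(1001, "Cleartext password submitted over HTTP", 80, "password="),
    Signature(1002, "Directory traversal pattern in HTTP request", 80, "../"),
    Signature(1003, "Telnet (cleartext) connection to internal host", 23, None),
]

# Constructed packet records: (src_ip, dst_ip, dst_port, payload as text).
PACKETS = [
    ("10.0.0.5", "203.0.113.10", 80, "POST /login HTTP/1.1\r\n\r\nuser=bob&password=s3cret"),
    ("10.0.0.5", "203.0.113.10", 80, "POST /login HTTP/1.1\r\n\r\nuser=bob&password=s3cret"),
    ("198.51.100.9", "10.0.0.20", 80, "GET /../../config.ini HTTP/1.1"),
    ("10.0.0.99", "10.0.0.20", 80, "GET /../ HTTP/1.1"),              # the office's own vulnerability scanner
    ("10.0.0.5", "10.0.0.20", 443, "\x16\x03\x01 (TLS handshake bytes)"),  # encrypted: no cleartext to match
    ("10.0.0.30", "10.0.0.20", 23, ""),
]


def match_signatures(packets, signatures=SIGNATURES):
    """Alert generation: every (packet, signature) pair that matches yields one alert record."""
    alerts = []
    for src, dst, dport, payload in packets:
        for sig in signatures:
            if sig.dport is not None and sig.dport != dport:
                continue
            if sig.content is not None and sig.content not in payload:
                continue
            alerts.append({"sid": sig.sid, "msg": sig.msg, "src": src, "dst": dst})
    return alerts


def siem_filter(alerts, known_scanners=frozenset()):
    """SIEM-style alarm filtering: suppress alerts whose source is an authorized scanner and
    collapse repeats of the same (sid, src, dst) into one record carrying a count."""
    counts = {}
    msgs = {}
    for a in alerts:
        if a["src"] in known_scanners:
            continue
        key = (a["sid"], a["src"], a["dst"])
        counts[key] = counts.get(key, 0) + 1
        msgs[key] = a["msg"]
    return [
        {"sid": sid, "src": src, "dst": dst, "count": n, "msg": msgs[(sid, src, dst)]}
        for (sid, src, dst), n in counts.items()
    ]


if __name__ == "__main__":
    raw = match_signatures(PACKETS)
    for a in siem_filter(raw, known_scanners={"10.0.0.99"}):
        print(a)
```

The TLS packet produces nothing, which is the point made earlier in the section: signature matching on content only works where the content is visible, so an IDS deployed behind TLS termination, or paired with session and flow data, covers more than one placed where it only sees ciphertext.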
Some tools are used for generation and collection, but some also have the ability to respond. Separately,
firewalls are the liaison between an enterprise network and the internet. The firewall will look at a packet,
extract the packet header, and look for information such as the source IP, destination IP, and port number;
based on these three elements it looks up a security policy, and the rule set dictates how the policy logic
should behave. For example, if traffic is coming from a specific port number, then block the traffic entirely, or
maybe block a range of IP addresses. In essence, it blocks traffic by default and allows the packets meeting certain
criteria to pass the threshold. The firewall takes a traditional outward approach to monitoring the system instead of
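The packet-filter behaviour just described (match on source IP, destination IP and port; first matching rule decides; everything else is denied by default) is shown below as an added example in Python. It is not code from the thesis or from any firewall product; the rule set is a constructed one for a small office, and the shadowed-rule audit at the end is a check added for the example, using the subnet_of method of the standard library ipaddress module.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]               # None matches any destination port
    comment: str = ""


def net(text):
    return ipaddress.ip_network(text, strict=False)


ANY = net("0.0.0.0/0")

# Constructed rule set for a small office. First match wins; anything unmatched is denied.
RULES = [
    Rule("deny",  net("192.0.2.0/24"), ANY, None, "block a range of addresses"),
    Rule("allow", ANY, net("10.0.0.20/32"), 443, "public HTTPS to the web server"),
    Rule("allow", net("10.0.0.0/24"), ANY, 53, "internal hosts may resolve DNS"),
    Rule("deny",  ANY, ANY, 23, "block telnet entirely"),
]


def evaluate(rules, src_ip, dst_ip, dport):
    """Look up the policy for one packet header: (action, reason) of the first matching rule,
    or the implicit default deny when nothing matches."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst and (rule.dport is None or rule.dport == dport):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


def audit_shadowed(rules):
    """Indexes of rules that can never match because an earlier rule already covers every
    packet they describe. Such rules are a sign the policy does not do what its author thinks."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (rule.src.subnet_of(earlier.src)
                    and rule.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == rule.dport)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for pkt in [("198.51.100.7", "10.0.0.20", 443), ("192.0.2.5", "10.0.0.20", 443),
                ("10.0.0.5", "8.8.8.8", 53), ("10.0.0.5", "8.8.8.8", 80)]:
        print(pkt, "->", evaluate(RULES, *pkt))
    print("shadowed rules:", audit_shadowed(RULES))
```

Rule order carries the policy: the blocked address range is listed first so that it wins even against the "allow anyone to the web server" rule, and the audit flags the reverse mistake, a rule placed after a broader one that already decides the same packets.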
The Open Systems Interconnection (OSI) model uses protocol layers as a network framework for the
architecture. There are seven layers in the OSI model: physical, data-link, network, transport, session, presentation,
and application layers (Jacob, 2016, p. 14). Some of the possible security risks associated with each layer include
the following:
Application Layer: the top layer of the OSI model, recognized by end users through email programs, web
browsers, office suites, etc. This is where many malicious programs reside, such as trojans, viruses, worms, etc.
Presentation Layer: aka Layer 6, takes data that is passed up from lower layers and puts it into a format the
application can understand, such as ASCII, ANSI, etc. Encryption and decryption is a critical security element of
this layer.
Session Layer: aka Layer 5, creates, controls, and shuts down a TCP session. The vulnerabilities that are
Transport Layer: aka Layer 4, ensures end-to-end flow control and error recovery. Security concerns with
Network Layer: aka Layer 3, is the layer that handles addressing and routing. Security concerns with this
Data Link Layer: aka Layer 2, formats and organizes the data before it is sent to the physical layer. A security
concern with this layer is the Address Resolution Protocol (ARP), which resolves known network layer addresses to
Chapter 10 of Engineering Information Security covers a few Layer 2 Data Link security mechanisms,
including:
• IEEE 802.1X: used for fiber optic and wired switched Ethernet, and gives you port-based network access
• IEEE 802.1AE: MACsec, the Ethernet security standard, used for connectionless data integrity, data
• IEEE 802.11 and IEEE 802.11i: data is encrypted using algorithms with methods such as RC4 and AES. It
performs algorithms such as a 128-bit key or Temporal Key that changes while using the system (Jacob,
2016).
Physical Layer: aka Layer 1, is bit-level communication and defines bit time and transmission. Security
concerns with this layer revolve around a hacker getting physical access (Greg, 2006).
Elmore (2013) released an information security plan template that can be used to create an information
security plan and provides descriptions and instructions for each section of the security plan. Elmore’s template
provides a guided aid in creating a comprehensive security plan. The template covers a multitude of areas such as
application/system identification, security roles and responsibilities, vulnerability and threat assessment, risk
assessment, change management control, security control selection and documentation, etc.
A strong security awareness program and pen testing could also help with physical and logical security,
especially since most violations come from within the organization. Policies and procedures built into the
organization's processes are another good way to remain secure, such as removing access to information systems a week
prior to terminating an employee or contractor. There are many different things an organization can do to keep their
data assets secure, but it can get sticky when security and usability become contributing factors to decreased
productivity. A risk assessment and analysis can assist with identification of an acceptable and unacceptable
amount of risk and the hindrance of applying security mechanisms to operational information systems (Jacob,
2016).
In conclusion, there are a great many tools and techniques that can be used to keep data assets secure.
Some of the most effective tools and techniques to utilize are logical and physical security mechanisms that can
prevent misuse of data. A few of the logical tools and techniques to make use of are business continuity and
disaster recovery, cryptography, authentication, security policy, IDS, traffic analysis, role-based access, network
controls, packet filtering, etc. (Jacob, 2016). Several physical tools and techniques that can be used to keep an
organization secure include restricted server room access, facility access control, lighting and surveillance,
personnel verification, alarm systems and sensors, security personnel, etc. (Jacob, 2016). Collectively, much
information exists to help reduce the chances of a successful security breach, and as information security is ever
evolving, so is the need to stay abreast of security awareness regardless of business size. The creative project Cost
Effective Scalable Infosec for Small Business will use the intelligence gathered from the sources in this literature
Background
Information security is a relatively new discipline of the modern and contemporary era. This
creative project is designed to capture elements of highly respected cyber security industry contributors and subject
matter experts. Additionally, this creative project, entitled “Cost Effective Scalable Infosec for Small Business”,
extrapolates and aggregates the information captured from generally accepted authoritative organizations to utilize
industry best practice methodologies and deliver an affordable small business security manual. Cyber security is
constantly evolving, with cyber criminals finding new ways to infiltrate security perimeters. Today, cybercrime has
begun to shift to small business targets as larger companies have tightened up their security mechanisms. A
cyber-attack on any company can be detrimental, but it is especially harmful to a small business that may be
unprepared for such an event. There are several considerations in shoring up information security defenses, including
financial constraints, risk management, administrative/technical/physical security controls, disaster recovery and
business continuity, security awareness, agility, and scalability. This creative project adds to the cyber security
discipline by providing a comprehensive cost-efficient approach to information security that can grow with The
Company.
According to Information Security Fundamentals by Thomas Peltier, a survey published by the Computer
Security Institute discovered that “60%-80% of network misuse comes from inside the enterprise where the misuse
has taken place” (Peltier, 2014, p. 333). This means an employee may violate the security policies before an external
intruder does. Employees can leave you vulnerable to security risks such as denial of service attacks,
crackers/hackers/phreaks, logic bombs, trojan horses, worms, and other malicious intentional and unintentional
behaviors that expose information systems to vulnerabilities. It is equally important to prevent people from
walking right up and getting unauthorized access to ports, or allowing outsiders and visitors to access your network.
Project Design
Information security is a relatively new discipline that requires preparation, planning, protection and prevention.
The StephStandard is a basic security minimalist doctrine that implies growth capability, gradual maturity, financial
consideration, and fiduciary duty for small business owners. The creative project entitled Cost Effective Scalable
Infosec for Small Business takes a holistic approach to information security fundamentals for small business owners
to help create a resilient security infrastructure. Many articles have been published independently about cyber
security; however, the publications lack a comprehensive solution for addressing the information security needs of a
small business as well as consideration of budgetary constraints. The following illustration is a step-by-step diagram
of the experiment.
Theoretical Framework
This project will introduce an analysis of multiple resources to develop a framework for creating a security
infrastructure with the least amount of resources procured to stand up and manage a security program. The resources
used to substantiate the theoretical framework will come from professional organizations, scholarly periodicals,
university library database engines, web content, etc. Further emphasis on the need to hone in on developing
security mechanisms in a structured way will allow for an easier transition to advanced security and more mature
capability models while maintaining cost effectiveness. According to an article published in Forbes magazine,
“Fighting Internet Crime: Protecting your Small Business from Cyber Attacks”, written by Dinah Brin, of the 200
small business owners who were interviewed, 5% said they were fully secured against cyber-attack, and of the 200
The Steph Standard, as contained herein, reflects the barrage of information released to the general population
about cyber security techniques and methods to secure their infrastructure. The information released provides a
great deal of information about current events in information security standards; however, not all companies are
big business with the resources to pump into security concerns. As a fiduciary duty to the patrons of a
particular business type, regardless of the industry, business owners need to do their due diligence in making sure
their consumers' private information is protected. The Steph Standard 1.0 models the maximum amount of security
that can be obtained from a do-it-yourself perspective; the standard will also look to procure applications that can
help with monitoring security events and will compare capabilities across tools and applications. The
idea is to get the maximum amount of security appropriate for handling information with minimal cost and optimal
performance. As part of the research I will look at metrics, statistics, surveys, costs, implementation time,
complexity, procurement, etc. to determine the most befitting solution as a basis for a framework which is subject
Professional Contributions
This creative project is designed to extrapolate and aggregate the authorities of cyber security knowledge
by examining known security tools, policies, procedures, protocols, best practices, etc. The Project will
parse information from a multitude of sources to create a security framework based on affordability, and examine
the possible current state and the predatory nature of cybercrime, as well as the to-be state and future state ideal for
maximum protection and awareness. The Project provides a guide to understanding information security and how to
tackle information assurance. This creative project contributes to the discipline through intelligence analysis, survey
research and statistical sampling. The literature reviews conducted for this creative project will assist with the
Limitations
The limitations of the creative project are somewhat difficult to pinpoint, as cybercrime is ever evolving and, with
even the most basic cyber infrastructure, you can never fully know what lies ahead in the way of a cyber-attack. The cyber security
needs of a small business have varying factors related to the respective industry and line of business, and may
require the organization to apply only the portion of the information security mechanisms identified in this research
that is relevant to their area and what they do. It is inevitable that the implementation of the suggested framework will
require some applied knowledge on the organization's part based on the information contained within this creative
project. In essence, while the creative project can be used as a guideline to establish the security infrastructure, not
all of the security parameters will apply to the respective business reading this publication.
(Table of recent breaches; the table was flattened in extraction and several cells did not survive. Missing cells are left blank.)
Equifax Data Breach | 145.5 Million Accounts breached | Apache Struts was outdated
| | developers at Uber
NSA Cyber Weapons Stolen | Attack on critical infrastructure | Cache of cyber weapons and outdated patch
| Agencies breached |
Risk handling strategy is a critical element of security systems engineering because of the costs associated
with building defense mechanisms into the design and the amount of uncertainty involved in protecting
organizational assets. It is important to be prepared for internal and external threats and vulnerabilities. Chapter 5 of
Jacob's Engineering Information Security book discusses the Information Systems Audit and Control Association's
(ISACA) Risk IT Framework and how to manage it within the organization at all levels. Security controls built
into systems engineering ensure that risk management practices are rooted in the enterprise's governance and can
assist with establishing a commonality among risk views, risk assessments and tolerance thresholds, inadvertently
promote a security awareness culture, maintain accountability, etc. Risk response is another area of the Risk IT
Framework to incorporate, for performing activities that manage risks such as data collection, risk event monitoring,
analysis, mapping IT resources to business processes, risk profiles, risk indicators, etc. Risk management ensures
A security risk assessment will aid with the identification and analysis of threats and vulnerabilities of
information systems and business processes to determine the impact of risks and applicable security
countermeasures. An Information Security Plan template was published by the Office of Information Technology
Services for the State of New York government and is available online
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwjB0c2
KmOXZAhVuhuAKHYWTDzcQFggwMAE&url=https%3A%2F%2Fits.ny.gov%2Fsites%2Fdefault%2Ffiles%2F
contained therein, provides structure and format for understanding the discovery process around the encompassing
components for delivering a comprehensive information security plan. The key to using this template is to use
as many sections of the template as possible on your own until a security professional can substantiate
modifications and/or additional entries. The CIA triad model (Confidentiality, Integrity and Availability) comprises key
considerations to incorporate while collecting and aggregating data for the information security plan. Additional
information about the CIA triad model can be found at https://resources.infosecinstitute.com/cia-triad/#gref. This
research project is designed to outline security best practices for small business constituents, to provide guidance
Make use of your staff to gain insight into the risks inherently associated with their respective job functions. List
the roles and responsibilities of your staff and the systems associated with their work duties, as well as their
privileges, such as developer, manager, administrator, user, editor, contributor, designer, etc. This information can
be obtained from your staff and/or verified and validated yourself by checking the settings already built into the
respective system. For assistance with checking user permissions, consult the information system manuals and/or
technical support; also check these sources for additional information about the security controls already built into
the system's design. Remember, all information doesn't have to be found just in an article; YouTube is a great
For scalability considerations, and as more financial resources become available, you can use the
information contained within the documentation collected, such as the risk identification, business process models,
security roles and responsibilities, etc., for regular reviews and updates of your security needs. To that end, cost
savings will be realized prior to hiring a consultant to identify the gaps for you, if needed; insight is available to help
with purchasing decisions; and it will empower you to go with systems that meet your business needs or acquire
systems with security countermeasures customized and built into the system design early on. In addition to saving
on the costs associated with tailoring the information systems to your unique business requirements after they have
already been developed, this method will provide some agility while increasing security mechanisms, and a great
starting point to identify what risk mitigation tools can be built into the data processing systems used before they are
implemented. The National Institute of Standards and Technology (NIST) published Special Publication 800-64, which
can provide the full gamut of guidance on this; it is an especially important guide for United States (US)
defense contractors.
The first step in the process is to identify and record the applications and systems that need safeguarding.
Again, make use of your current employees and staff members to assist with identifying business processes and the
potential risks associated with performing their duties. To get a fundamental understanding of how communication
is processed in telecommunications and computing systems, a familiarity with the Open Systems Interconnection
https://www.networkworld.com/article/3239677/lan-wan/the-osi-model-explained-how-to-understand-and-
transmitted and accessed by cybercriminals. Also, a fundamental understanding of routers and how they work is
useful. Routers facilitate communication between networks. The router reads the address and places the packet onto the
appropriate network. When the packet leaves the router, it goes to the internet, which is made up of multiple
networks. After the packet goes to the internet, it goes through the router switch, which then directs the packets to the
proxy server. The server directs the packet to the firewall, then the packet is retrieved by the router and placed on
the bandwidth. The routers and switches establish links between networks.
The Transmission Control Protocol/Internet Protocol (TCP/IP) allows the sender and receiver to
communicate via the internet. MAC addresses change while the IP addresses stay the same, helping the packet get to
the router. One routing method is circuit switching, which uses one transmission method for all packets. Another
method is multi-packet switching, which consists of a packet going through multiple routers before it reaches the
server. The end user enters data at the application layer of the OSI model; the data then goes to the transport layer,
which adds a header to the data, and the combination is called a segment. It is then sent down to the network
layer, which adds another header, forming a datagram, which is then sent to the data link layer, and the process repeats
until the final router is reached. The last router on the network verifies the information is correct, then removes the
headers before sending the information back to the sender's application. Transport and data headers are not read by
the router. The transport and application layers are end to end because they are only looked at by the end point hosts,
and the network, data link, and physical layers are called host to host because they are read and looked at by each host
along the way. The information associated with communication in networks, the OSI model, and routers will help give
systems, and what areas during information processing leave you vulnerable to an attack. Conceptualizing this
process will help drive perspective input from resources that may not be available to assist you with steering the
security project.
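The encapsulation walk-through above (application data wrapped in a transport header to make a segment, then a network header to make a datagram, then a link header to make a frame, with only the link header rewritten at each router while the IP addresses and transport header pass through) can be modelled directly. The following is an added example written for this section, not code from the thesis or from any networking stack; the addresses, MAC strings and the list of hops are constructed, and headers are represented as plain dictionaries rather than real wire formats.

```python
import copy


def encapsulate(app_data, src_port, dst_port, src_ip, dst_ip, src_mac, next_hop_mac):
    """Application data -> segment (transport header) -> datagram (network header) -> frame (link header)."""
    segment = {"transport": {"sport": src_port, "dport": dst_port}, "data": app_data}
    datagram = {"network": {"src": src_ip, "dst": dst_ip, "ttl": 64}, "segment": segment}
    return {"link": {"src_mac": src_mac, "dst_mac": next_hop_mac}, "datagram": datagram}


def router_forward(frame, router_mac, next_hop_mac):
    """One hop: strip the link header, read only the network header, decrement TTL, and
    re-frame for the next hop. The transport header and the data are passed through unchanged."""
    datagram = copy.deepcopy(frame["datagram"])
    if datagram["network"]["ttl"] <= 1:
        return None                       # TTL exhausted: the packet is dropped at this hop
    datagram["network"]["ttl"] -= 1
    return {"link": {"src_mac": router_mac, "dst_mac": next_hop_mac}, "datagram": datagram}


def visible_at_hop(frame):
    """What any intermediate hop *could* read if it chose to: the whole datagram, data included.
    Nothing in the layering hides the payload; only encryption above this layer does that."""
    return frame["datagram"]["segment"]["data"]


def deliver(frame):
    """End host: strip all headers and hand the data to the application."""
    return frame["datagram"]["segment"]["data"]


def trace_path(app_data, hops):
    """Send one frame along a constructed list of (router_mac, next_hop_mac) pairs and return the
    final frame plus the link header as it looked on every leg of the journey."""
    frame = encapsulate(app_data, 51000, 443, "10.0.0.5", "203.0.113.10",
                        "aa:aa:aa:aa:aa:01", hops[0][0])
    link_headers = [dict(frame["link"])]
    for router_mac, next_mac in hops:
        frame = router_forward(frame, router_mac, next_mac)
        link_headers.append(dict(frame["link"]))
    return frame, link_headers


if __name__ == "__main__":
    final, legs = trace_path("GET /index.html", [("r1", "r2"), ("r2", "server")])
    for leg in legs:
        print("link header on this leg:", leg)
    print("network header at arrival:", final["datagram"]["network"])
    print("delivered:", deliver(final))
```

The link headers differ on every leg while the network and transport headers and the data are identical at arrival; that is the page's "MAC addresses change while the IP addresses stay the same" and "transport headers are not read by the router" stated as checkable facts. visible_at_hop makes the defensive point: every router on the path handles the full datagram, so cleartext data is exposed to each of them.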
Ideally, the cost of sustained employee involvement prior to hiring a security professional can be
dramatically lower than paying a security professional for continuous discovery of this information. A template will
help guide the risk discovery process in a structured way. The Health and Safety Executive, a publication released
by the government in the United Kingdom found at http://www.hse.gov.uk/risk/casestudies/, puts risk assessment
into the worker perspective. This publication has intuitive questions that can help aid the development of
templatized questions, providing a guided approach for your staff to identify risks. The information found on the
site is not related to information security; however, the risk assessment templates contain
cognitive questions that can be applied to information security. A reference guide, with information extrapolated and
aggregated on what data can help augment unearthing the knowns and known unknowns, can be created by visiting
Other templates are available to assist with recording risks in a structured fashion and can be found at
There are also strategies for risk identification such as FRAAP sessions. Based on the reports and the action
plan received after a FRAAP (Facilitated Risk Analysis and Assessment Process) session has been completed,
senior leadership can determine whether the threat level for several high-rated risks impacting the project is
acceptable, requires additional remediation, or is unacceptable. This is an opportunity for the PM to place controls
around the risk and prepare a contingency plan as a failsafe to the original project baseline (Peltier, 2000).
Types of Risks
Some weaknesses with administrative controls include untimely user account termination, background checks
not being done thoroughly, and poor retention of security awareness training, as well as implementation of those policies
and procedures. Weaknesses with regard to physical security controls include making sure security is alert,
stolen/lost badges that can't restrict unauthorized personnel, and leaving laptops and other valuable corporate assets
unprotected and unattended. Technical weak areas include inefficient securing of cloud data, poor privilege
management, insufficient port monitoring, etc. The risk column of figure 4.1 identifies the nature of the imminent peril
by which a security breach would impact the organization; the reason column addresses how the risk can impact an
operation.
Figure 5.1 Information System Target Layers (Johnson & Central Intelligence Agency, 2008)
Prioritizing Risks
There are many tools available for prioritizing risks. Rules and regulations are among the most important
factors to consider when prioritizing itemized risks. Other factors include the cause and effects, the impact of the risk,
whether it is mission essential, hindrance to operations, and likelihood of occurrence. For risk identification and
management, NIST SP 800-30 has tables and descriptions in the appendixes of how to fill in the tables, and is the
most popular trusted source for information security best practices. Similarly, the Project Management Body of
Knowledge (PMBOK) recommends using a Probability and Impact matrix to quantify risks based on the likelihood
of an occurrence and the problems that could arise from such an event. Numeric values are assigned to the criteria
to produce a weighted score where the higher the number is, the higher the risk. An oversimplified method would
be to simply assign High/Medium/Low ratings and note that the High risks are the highest-priority, non-negotiable
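The probability-and-impact scoring just described, with the regulatory factor the paragraph puts first given extra weight, works out as follows for a small constructed risk register drawn from the weaknesses listed under Types of Risks. This is an added example and not a method prescribed by the thesis, NIST SP 800-30 or the PMBOK: the 1-5 scales, the 1.5 multiplier for regulated data and the High/Medium/Low cut-offs are assumptions chosen for the example and should be set by the business owner.

```python
# Constructed risk register; likelihood and impact are on 1 (lowest) to 5 (highest) scales,
# and "regulated" marks risks touching data covered by rules and regulations (e.g. PII, PHI).
RISKS = [
    {"id": "R1", "name": "Stale user accounts left active after termination",
     "likelihood": 4, "impact": 4, "regulated": True},
    {"id": "R2", "name": "Laptops left unattended in shared office space",
     "likelihood": 3, "impact": 3, "regulated": False},
    {"id": "R3", "name": "Cloud storage share misconfigured as public",
     "likelihood": 2, "impact": 5, "regulated": True},
    {"id": "R4", "name": "Expired visitor badge not collected",
     "likelihood": 2, "impact": 2, "regulated": False},
]

REGULATORY_WEIGHT = 1.5   # assumption: regulated data raises the score by half again
HIGH_CUTOFF = 15          # assumption: score thresholds for the H/M/L bands
MEDIUM_CUTOFF = 8


def score(risk):
    """Probability x impact, weighted up when rules and regulations apply."""
    base = risk["likelihood"] * risk["impact"]
    return base * REGULATORY_WEIGHT if risk["regulated"] else float(base)


def rating(value):
    """Collapse a weighted score into the High/Medium/Low bands the text mentions."""
    if value >= HIGH_CUTOFF:
        return "High"
    if value >= MEDIUM_CUTOFF:
        return "Medium"
    return "Low"


def prioritize(risks):
    """Return (id, score, rating) tuples, highest score first; ties keep register order."""
    scored = [(r["id"], score(r), rating(score(r))) for r in risks]
    return sorted(scored, key=lambda t: -t[1])


if __name__ == "__main__":
    for rid, value, band in prioritize(RISKS):
        print(f"{rid}: score={value:5.1f} rating={band}")
```

R3 is the instructive row: a low-likelihood event lands in the High band because its impact is severe and regulated data is involved, which is the behaviour a plain High/Medium/Low guess tends to miss.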
According to The Fast Forward MBA in Project Management by Eric Verzuh, the stakeholders are everyone
involved in the project who will be impacted by it (Verzuh, 2016). During the project initiation phase, identify the
stakeholders: start by reviewing the project portfolio, proposal, and business case to create a technical framework
that will help with linking the strategic goals to a measurable outcome. Then conduct a stakeholder analysis to
systematically identify the interests of individuals affected by the program, to qualitatively determine the extent to
which the functional areas or organization will be impacted, and which resources need to be involved and updated
throughout the course of the project to gain buy-in, support, and acceptance, and to add additional insight to the overall
project and what we hope to get out of it. Other things to do would be to identify stakeholders to include, involve
management, go through surveys and stakeholder interviews, review/create the project charter, etc.
To ensure a quality stakeholder list, involve leadership from the functional areas to make sure they involve the
leads or key people who can contribute to my stakeholder list; this will help with identification of resources later as
well as continuous ongoing stakeholder communication. It will also help with the change impact assessment that is
an output from the impact analysis. The project charter needs to include high-level requirements, which assist with
identifying the primary stakeholders that should know what is going on with the project at all times and be included
throughout the project to ensure they provide insight on how their areas will be impacted and whether the project adds or
takes away value. The stakeholder identification process is iterative and should be continuously updated if
necessary. Have brainstorming sessions to help identify other stakeholders that may not have been expressly
4. Shareholder impacts?
Whether you’re a member of the management team, or providing senior leadership authorization for handling of the
newly discovered vulnerabilities, collectively, management and their senior counterparts should start looking at the
You’ll want to prioritize critical areas that need to get addressed first notwithstanding the criticality of other high
Many defense contractors and private sector businesses follow the National Institute of Standards and Technology's (NIST) Risk Management Framework. This framework is used by the federal government to establish a baseline for building an IT security infrastructure. Although a company may be a small business in the private sector, it is still responsible for following regulatory guidelines as standards for information management. This may be required not only because The Company supports federal employees, but also because there are regulatory standards for managing information, such as protecting the general public's personally identifiable information (PII) and protected health information (PHI). The two primary publications that detail the Risk Management Framework (RMF) are NIST Special Publication 800-37, Guide for Applying the RMF to Federal Information Systems, and NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This method integrates risk management and information security into the system development lifecycle. These publications provide foundational concepts that can be tailored to the organization comprehensively rather than applied only as the minimum requirements to support the US government.
Generally, the risk analysis tells senior management which projects to initiate. Asset inventory is a "prerequisite to establishing a security baseline, managing change, automating closed-loop patch management, supporting internal and external compliance requirements" (Pas Global, 2018). Create an asset baseline so you know what to secure and have a record of IT assets. The purpose of the security assessment is to assess the value of the information assets and the strength of the security program, and to give you the information needed to plan improvements that reduce the organization's information security risks. This helps prevent a siloed approach to security planning and keeps you ahead of information security issues rather than relying on the results of an audit (Landoll, 2011). Landoll's methodology may prove somewhat more cost effective than other methods, though his risk management process is fairly simple in nature.
According to Landoll, the risk management process has four stages: a security risk assessment, test and review, risk mitigation, and operational security (Landoll, 2011).
Conduct a review of critical systems and the environment’s security control vulnerabilities, threats, likelihood of
Use the security requirements to examine and test the administrative, technical, and physical security controls
Based on The Company's risk tolerance for accepted and unacceptable risks, improve existing security controls by implementing new security mechanisms to mitigate the chance of loss.
Ensure operational responsibilities are verified, validated, and being followed. The operations team is responsible for security awareness, account maintenance, and ongoing patch management (Landoll, 2011).
Use tools and techniques such as pen testing, compliance audits, vulnerability scanning, trend analysis of activities using historical data, business process modelling and workflow, gap analysis, etc. The information obtained will be used to assess, triage, implement, and improve the organization's overall security and assets. Many things can go wrong if risk management is not handled properly, and many factors can influence the project's outcome. Quality is also a contributing factor to the product and to whether the final project produced the desired results. Financial considerations are probably one of the most critical areas to continuously monitor, as they go hand in hand with the project resources, schedule, etc. Business risk is an overarching analysis that has implications for whether the project can add any value or should cease, so it is critical not to overlook whether the project should even commence or be halted.
Your information systems and infrastructure most likely consist of various web applications connected to servers. To keep costs low, focus on subscribing to or purchasing systems that are highly configurable. Highly configurable systems can use Active Directory and global address lists to help manage cross-functional dependencies and access control, which in turn helps manage communication and access control across multiple platforms. For novice IT staff, I would only use tools that integrate with Microsoft, and if that is not possible, consider hiring a consultant to review the application for security and usability. For example, purchase Microsoft Project to manage your projects rather than AutoTask, a one-off company that may not have been vetted and that has unfettered access to your data by design. Using highly configurable systems such as Windows Server/domain across all applications enables you to manage job responsibilities in line with the enterprise functions and lines of business, support knowledge management, reduce human error, etc. The information system's backend should be scalable and transparent, with policy and compliance built into the system, permission controls, and a user-friendly graphical interface that is highly configurable, allowing for ease of use in keeping the operation secure without hindering production. Remember to factor in human error,
Common Safeguards
This section focuses on creating a secure environment. Common safeguards recommended to ensure viable trust in an organization include application of the CIA (Confidentiality, Integrity, Availability) triad model. The CIA triad is a standard theme among information security professionals. A few techniques around this model for an IT company might include security policy and domain evaluation and analysis, access control lists, non-repudiation, authorization and access control, data integrity, data origin authentication, cryptography, mapping security services, etc. Other policies and procedures can include making sure data is scrubbed, disallowing program development in production, and ensuring no production data is processed in a development environment. Control the environment by putting in place and enforcing standard operating procedures.
To shore up defenses, consider immediate removal of terminated users from the systems, remote port protection, security guards, cameras, restricted access, network segregation through use of a firewall, physical distance, operating system access controls, VLANs, network address translation, routing, scanning system log records for compromised accounts, and security awareness programs tailored to the organization as well as to job responsibilities. Some of the keys to implementing strong access controls include training and awareness, retention of information and implementation by personnel, proactive and preventative security breach strategies, and having documented corrective controls in place. Incident handling and archival data can help gauge the
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are used for network security monitoring. These tools monitor inbound and outbound network traffic to look for anomalies and suspicious activities, such as policy violations, on all devices connected to the network. When violations are detected, the incidents are reported to an admin or collected via a security information and event management (SIEM) system (Sebastian, 2013). The SIEM has capabilities to filter the malicious activities and false alerts. A host-based IDS monitors the operating system's files, whereas a network IDS analyzes the incoming network traffic. Review the method of detection with a few service providers to get a thorough understanding of the detection method used, as this is how IDSs are sometimes classified. To get a better understanding of the different types of network security monitoring, research flow data management tools, transaction data, and alert data. Some tools can respond, some are used just for generation and collection, and some do both. For example, a friend works at the National Rifle Association and keeps seeing security violations emanating from China, so he cut off all IP addresses from that country using the firewall. The firewall is the liaison between the internet and the network, allowing packets that meet its criteria to pass through (Sebastian, 2013).
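The monitoring chain this paragraph describes, IDS alerts collected by a SIEM that drops known false alerts and correlates the rest before a firewall enforces a deny-list, as an added Python illustration that is not the thesis's own code. The alert export format, signature names and addresses are constructed for the example, and the 198.51.100.0/24 range stands in for the country-wide block mentioned above.

```python
"""Toy network security monitoring chain: IDS alerts -> SIEM-style false-alert
filter and correlation -> firewall deny-list. Added illustration; everything below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress
from typing import Dict, List, Tuple

# Constructed IDS alert export: timestamp|signature|src_ip|dst_ip|severity (1 = highest).
SAMPLE_ALERTS = """\
2018-08-01T10:00:01|SCAN port sweep|203.0.113.7|192.0.2.10|2
2018-08-01T10:00:02|SCAN port sweep|203.0.113.7|192.0.2.11|2
2018-08-01T10:00:05|SCAN port sweep|203.0.113.7|192.0.2.12|2
2018-08-01T10:00:09|POLICY outbound DNS to non-resolver|192.0.2.40|198.51.100.53|3
2018-08-01T10:01:00|INFO DNS query update.example|192.0.2.40|192.0.2.53|4
2018-08-01T10:02:00|SCAN port sweep|203.0.113.7|192.0.2.13|2
2018-08-01T10:03:00|INFO DNS query update.example|192.0.2.41|192.0.2.53|4
2018-08-01T11:30:00|SCAN port sweep|198.51.100.9|192.0.2.10|2
"""

# Signatures the analyst has tuned out as known noise: the SIEM's false-alert filter.
FALSE_POSITIVE_SIGNATURES = {"INFO DNS query update.example"}

@dataclass(frozen=True)
class Alert:
    ts: datetime
    signature: str
    src: str
    dst: str
    severity: int

def parse_alerts(text: str) -> List[Alert]:
    """Parse the pipe-delimited export; malformed lines are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, sig, src, dst, sev = parts
        alerts.append(Alert(datetime.fromisoformat(ts), sig, src, dst, int(sev)))
    return alerts

def correlate(alerts: List[Alert], threshold: int = 3,
              window_seconds: int = 300) -> Tuple[List[Alert], Dict[Tuple[str, str], int]]:
    """Drop false positives, then flag (src, signature) pairs that fire at least `threshold`
    times inside any sliding window of `window_seconds`. Returns (kept alerts, incidents)."""
    kept = [a for a in alerts if a.signature not in FALSE_POSITIVE_SIGNATURES]
    times_by_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for a in kept:
        times_by_key[(a.src, a.signature)].append(a.ts)
    incidents: Dict[Tuple[str, str], int] = {}
    for key, times in times_by_key.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)  # peak number of hits inside one window
        if best >= threshold:
            incidents[key] = best
    return kept, incidents

class Firewall:
    """Stateless source-address filter: anything in the deny-list is dropped, the rest passes."""
    def __init__(self, deny_networks: List[str]):
        self.deny = [ipaddress.ip_network(n) for n in deny_networks]
    def block_host(self, src: str) -> None:
        self.deny.append(ipaddress.ip_network(f"{src}/32"))
    def allows(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return not any(addr in net for net in self.deny)

def run_pipeline(text: str = SAMPLE_ALERTS) -> Tuple[Dict[Tuple[str, str], int], Firewall]:
    """Correlate the alerts and push repeat offenders into the firewall deny-list.
    198.51.100.0/24 (constructed) stands in for the blanket country block in the text."""
    _kept, incidents = correlate(parse_alerts(text))
    fw = Firewall(["198.51.100.0/24"])
    for src, _signature in incidents:
        fw.block_host(src)
    return incidents, fw
```

Calling run_pipeline() on the sample yields one incident (four port-sweep alerts from 203.0.113.7 within five minutes) and a firewall that now denies that host in addition to the constructed regional range, while the single non-resolver DNS alert from 192.0.2.40 stays below the threshold for an analyst to review.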
As more funds become available for information security, other common safeguards can be deployed, including:
• Asymmetric Encryption
• Biometric Attribute
• Nonce-time stamps
• Routing Controls
• Security Tokens
Security Controls
• Administrative controls encompass policies and procedures, training, background of personnel, etc. A few ways to gather security requirements for administrative controls include working with Legal and Human Resources to get a better understanding of contractual obligations and policies and to verify that employees have been vetted and are suitable.
• Technical controls use software to control and regulate access to systems by way of technology such as biometrics, passwords, smart card readers, etc. A couple of ways to gather data from technical controls could be to
• Physical security controls revolve around facility access, such as electronic access alarms and security guards. To get data around physical security, one could look at physical barriers and figure out the access points
These three control types are important pieces of information to include in a security risk assessment because they help you understand the current state and set goals for the to-be state. Once there is an understanding of the controls that are in place, an evaluation can be conducted to make recommendations on using better security controls. The security program scope can be based on your operations, also considering the constraints relative to its implementation. Safeguards of the security controls help with recommendations for creating a comprehensive security program. Security controls and safeguards a small business can put in place include:
• Segregate the more sensitive controls and give more privilege to employees
• A Security Sheriff tool to ensure compliance with policies through office suite scanners
• Hide the network, deny access to cloud/OneDrive or similar web platforms, etc.
Consider implementing the Principle of Least Privilege (POLP) to control user access. Remember to consider human factors and perspectives to create an enhanced security plan; not everything is always in plain view.
There are many tools available to help keep data assets secure and prevent misuse of data, such as authentication, security policy, business continuity and disaster recovery, cryptography, role-based access, packet filtering, traffic analysis, intrusion detection systems, etc. Some physical controls to implement would be security guards, restricted server room access, personnel verification, controlled facility access, lighting and surveillance, alarms and sensors, etc. Several things you can do to lessen the impact of an adverse event include regularly backing up data offsite/remotely with a third party, safety planning, disaster recovery solutions for offsite products and services such as teleworking and cloud computing, continuity of operations planning, etc. There are a great many tools and techniques that can be used to shore up The Company's security parameters, so conduct an analysis and prioritize which controls are most important to put in place.
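As an added illustration of the prioritization this paragraph calls for (not the thesis's own method), the Python below ranks candidate safeguards against a constructed asset baseline by the yearly loss each averts per dollar and picks what a fixed budget can fund. The inventory, likelihood figures and control costs are made up, and the annualized loss expectancy formula (value x exposure factor x yearly likelihood) is a standard quantitative risk model assumed here.

```python
"""Budget-constrained safeguard prioritization over a small asset baseline.
Added illustration, not the thesis's method: inventory, likelihoods and control
figures are constructed, and ALE = value x exposure x yearly likelihood is a
standard quantitative risk model assumed here."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Asset:
    name: str
    value: float              # dollars at stake if the asset is fully lost
    exposure_factor: float    # fraction of value lost in one incident (0..1)
    yearly_likelihood: float  # expected incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy: single-loss expectancy times yearly rate."""
        return self.value * self.exposure_factor * self.yearly_likelihood

@dataclass(frozen=True)
class Control:
    name: str
    asset: str        # name of the asset the control protects
    cost: float       # yearly cost in dollars
    reduction: float  # fraction of the asset's ALE the control removes (0..1)

# Constructed asset baseline for a fictional 20-person consultancy.
INVENTORY = [
    Asset("customer PII database", 200_000, 0.75, 0.20),
    Asset("file server (no offsite backup)", 80_000, 1.00, 0.10),
    Asset("staff laptops", 30_000, 0.50, 0.50),
    Asset("public website", 15_000, 1.00, 0.30),
]

# Constructed candidate safeguards of the kinds the text lists.
CANDIDATES = [
    Control("offsite encrypted backups", "file server (no offsite backup)", 1_200, 0.90),
    Control("least-privilege access to PII", "customer PII database", 500, 0.40),
    Control("full-disk encryption on laptops", "staff laptops", 300, 0.80),
    Control("managed IDS/SIEM subscription", "customer PII database", 9_000, 0.50),
    Control("web application firewall", "public website", 2_400, 0.60),
]

def averted_loss(control: Control, assets: Dict[str, Asset]) -> float:
    """Yearly loss the control is expected to prevent on its asset."""
    return assets[control.asset].ale() * control.reduction

def prioritize(controls: List[Control], inventory: List[Asset],
               budget: float) -> List[Tuple[str, float, float]]:
    """Greedy pick by averted loss per dollar until the budget is spent.
    Returns (control name, averted yearly loss, yearly cost) in pick order."""
    assets = {a.name: a for a in inventory}
    ranked = sorted(controls, key=lambda c: averted_loss(c, assets) / c.cost, reverse=True)
    chosen, remaining = [], budget
    for c in ranked:
        if c.cost <= remaining:  # skip what no longer fits, keep looking for cheaper wins
            chosen.append((c.name, round(averted_loss(c, assets), 2), c.cost))
            remaining -= c.cost
    return chosen

def residual_ale(inventory: List[Asset], chosen_names: List[str],
                 controls: List[Control]) -> float:
    """Expected yearly loss left after the chosen controls; two controls on one
    asset are treated as independent, so their reductions multiply, not add."""
    factor = {a.name: 1.0 for a in inventory}
    for c in controls:
        if c.name in chosen_names:
            factor[c.asset] *= 1.0 - c.reduction
    return round(sum(a.ale() * factor[a.name] for a in inventory), 2)
```

With a 5,000 dollar budget the cheap process and configuration changes (least privilege, disk encryption, backups, then the WAF) are funded first and cut the constructed baseline's expected yearly loss from 50,000 to 22,100 dollars, while the 9,000 dollar monitoring subscription is deferred even though it averts the most loss in absolute terms.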
One of the considerations to review is the legal requirements regarding PII and any other contract specifications The Company needs to comply with. As a cost-efficiency measure, look at the business process and immediately limit the number of individuals who have access to PII, re-engineering the process until the security controls can be built into the logic of the information systems. For instance, when I was on the help desk, a first-tier rep would need to call me in tier 2 either to finish handling the call when accessing certain information, or I would have to input my password to allow them to continue navigating the system. That way there is an audit trail and information is restricted to certain users. Other things you can do to implement security and keep costs low include using security features that are already built into programs, disabling external devices, role-based access with programs that integrate with Active Directory, looking at personnel backgrounds, and outsourcing security work. These are cost effective strategies because re-engineering the business process, turning off external devices, etc. are cheap things that can be done immediately, and outsourcing security can mitigate some risks and can be used as needed instead of hiring many full-time security personnel.
There are human factors that can go into creating security controls, such as removing an employee's or contractor's access to systems a week or two prior to their leaving the company to reduce the chance of stolen intellectual property, information misuse, loss of data integrity, etc. There are a great many ways to make the organization more secure, but usability becomes a prevalent issue if it causes a hindrance in production. The key here is to analyze the identified risks, determine their priority, and whether they would be a hindrance to operations by applying the
Background Checks
Background checks are a form of risk management used when making hiring decisions. When putting a background check policy in place, consider the corporate assets that need to be protected and any regulatory and compliance requirements that are mandated contractually and by law as the bare minimum standards for a person
Key components of a background check include a statewide/nationwide criminal records search in all 50 states, including any counties the individual has lived in, employment/education verification, credit check, international criminal checks, reference checks, sex offender registry, drug testing, foreign contact/travel checks, etc. (Brosnan Risk Consultant, 2015). Background checks can address key loss events by revealing the reasons an employee or contractor may have pursued a position with the company, and can provide insight as to why the person would have launched the attack, where they could have infiltrated security parameters, whether there is a foreign influence behind the breach, etc. The overall security risk relative to background checks can affect the entire organization. Background checks should be thorough enough to determine the suitability of the individual to have access, get employed, and remain employed. Some industries, such as telemarketing, may not have as many security risks, but there will still need to be security controls in place since people would be dealing with personal information and/or have access to a facility. If the company is doing government contracting, it is especially important to consider compliance, regulatory and contractual requirements for security, foreign infiltration, and personnel. The liability could be so great that it impacts national security critical systems, PII, PHI, financial information, etc.
Quality Assurance
One consideration for a security risk assessment project is to use an objective party to review the adequacy of a security program's architecture and administration. Again, to save on costs, conduct as many security-related activities as possible yourselves so the information only needs to be reviewed and analyzed by a professional rather than hiring a team to conduct the whole gamut of security work. Other considerations include a periodic review of the security assessment to measure its effectiveness, identifying the probability of losses to the assets, budget, scope, objectives, measures of success, project and project team selection, etc. The measures of success include customer satisfaction, quality of technical work, scope, and staying within the parameters of the project
In larger organizations, the project sponsor, usually the senior security manager, uses a statement of work (SOW) to procure a security professional, usually based on a business case. Data gathering, testing, analysis, and review help determine the accuracy of the security risk assessment. A risk-based approach can be used to help with resource allocation to specific areas of security as well as to help the senior security manager get buy-in for the set of security objectives they want to implement. The security risk assessment team should interview the business units to get additional information around security risks, which can also help validate the accuracy of the risk assumptions. Legal should also
It is important to be able to gauge the security program's effectiveness using administrative controls, processes around the technical controls, and human factors. Business process modeling is a technique used to evaluate the human factors involved with best security practices, to assist with creating a baseline for acceptable behavioral procedures and compliance, and then to update the security awareness program. Several metrics can be captured to gauge the effectiveness of the security program, including trend analysis and vulnerability scans, conformance to standards, evidence of outcomes, business process modeling benchmarking, values, solution
To keep stakeholders engaged and informed, I would determine which stakeholders are my target audience and ensure that the information I am sending them is relevant to how the project will impact them. Such communication might consist of regular monthly newsletters, weekly status report meetings, current state and future state diagrams and business process flows to highlight changes, workshops and a communications plan, an informational presentation, roadshows and demos, a change impact assessment, an end user/stakeholder workspace separate from the technical workspace website where users can find information about the project, executive steering committee meetings, etc. I would conduct an organizational readiness assessment using the information gathered to determine how confident we are that there is awareness and that the project still has buy-in and support from key resources, and use it as an opportunity for relationship building and feedback.
Hire a Consultant
By the time you get to the point where you need to hire a consultant, they would only need to spend time analyzing the information you and your team have already collected. This way, there is more money available for security mechanisms that will help shore up The Company's assets. Analyze the business continuity plan to ensure a quick recovery from natural disasters, accidents, and malicious attacks by ensuring the data is backed up on a regular cadence for disaster recovery efforts. Make sure the data being backed up has been evaluated for information integrity, separation of duty, and functionality. Put an accountability mechanism in place that captures the behavior between subjects and objects through audits against log files and non-repudiation proof of origin/delivery, including business intelligence dashboards for trend analysis and predictive analytics in addition to the SIEM and NSM tools and techniques. A consultant can help you reach the desired level
The future of information security is constantly evolving as cyber criminals find new ways to exploit and attack. The known unknowns of the varying needs of cyber security are contingent upon the industry, as information is processed in different ways in many different operations. In future, examining internal cyber security measures can be just as pivotal as preventing unauthorized access to information systems, as your employees can be the main contributors to a security breach. A one-size-fits-all solution from the internet service providers would be helpful as well if there were a way for them to shore up and optimize information security at the electromagnetic and wireless transmission level. The future of technology is a moving target as modern technology continues to advance; however, I think there is room for improvement, and with the discovery and applied research of nanotechnology (the manipulation of atoms and molecules), in theory, the possibilities are endless for robotics, cyber
Conclusion
To conclude this guide to cost effective and scalable information security solutions for small business, the takeaway is to review the information contained within this research project and tailor the security solutions to the business needs. Just because security violations could occur doesn't mean they will occur, and it is helpful to remember that when prioritizing the risks to tackle on your bucket list. The security solution you are creating should be scalable and transparent, allowing you maximum oversight of any potential holes that need to be patched. It is imperative to figure out your disaster recovery and backup plan so you can recover quickly from an outage caused by any circumstances. Not only will you retain the trust of your customers and associates, you will foster a resilient environment that can withstand adverse events that could negatively impact the business.
References
Bejtlich, R. (2009, April 22). Implementing Network Security Monitoring with Open Source Tools. Retrieved from http://www.taosecurity.com/
first-commandment-of-background-checks
Brotby, W. K. (2009). Information security management metrics: A definitive guide to effective security
Calyptix. (2018, January 03). Biggest Cyber Attacks 2017: How They Happened. Retrieved from https://www.calyptix.com/top-threats/biggest-cyber-attacks-2017-happened/
http://www.hse.gov.uk/risk/casestudies/
Computer Security Institute. (1996, June 05). Testimony of Richard G. Power. Retrieved from https://fas.org/irp/congress/1996_hr/s960605l.htm
http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html#nmp-tool
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwjB0c2KmOXZAhVuhuAKHYWTDzcQFggwMAE&url=https%3A%2F%2Fits.ny.gov%2Fsites%2Fdefault%2Ffiles%2Fdocuments%2Ftemplate_nys_infosecplan_v1.doc&usg=AOvVaw2ugxi2YvmNKKgs1laAZkHN
Greg, M. (2006, May 04). The Technical Foundations of Hacking. Retrieved from http://www.pearsonitcertification.com/articles/article.aspx?p=462199&seqNum=4
Hasse, J. (2002, April 08). Building an Information Assurance Framework for a Small Defense Agency.
assurance-framework-small-defense-agency-655
Horton, M. (2017, June 07). The 4 Most Common Reasons a Small Business Fails. Retrieved from https://www.investopedia.com/articles/personal-finance/120815/4-most-common-reasons-small-business-fails.asp
IDG Contributor Network, & Pal, G. (2017, December 05). Department of Defense contractors must
https://www.csoonline.com/article/3239925/compliance/
Jacobs, S. (2016). Engineering Information Security: the application of systems engineering concepts to achieve
Johnson, S. L., & Central Intelligence Agency. (2008, June 27). Toward a Functional Model of Information
publications/csi-studies/studies/97unclass/warfare.html
http://gauss.ececs.uc.edu/Project4/Documents/nsm.pdf
Kerner, S. M. (2011, June 02). 10 Network Security Steps for Every Small Business - Page 2. Retrieved from https://www.smallbusinesscomputing.com/webmaster/article.php/10732_3935021_2/10-Network-Security-Steps-for-Every-Small-Business.htm
Landoll, D. J. (2011). The security risk assessment handbook: a complete guide for performing security risk
Lockheed Martin. (2016). A Threat-Driven Approach to Cyber Security. Retrieved from https://lockheedmartin.com/content/dam/lockheed/data/isgs/documents/Threat-Driven Approach whitepaper.pdf
Manning, K. (2016, November 29). How to Secure Your Mobile Device in Six Steps. Retrieved from https://www.tripwire.com/state-of-security/security-data-protection/secure-mobile-device-six-steps/
NIST. (2012, September 08). Guide for Conducting Risk Assessments. Retrieved from http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf
NIST, Paulsen, C., & Toth, P. (2016, November). Small Business Information Security: The Fundamentals.
room/whitepapers/riskmanagement/risky-business-35287
management
PMI. (2013). A guide to the project management body of knowledge: (PMBOK Guide). Newtown Square: Project Management Institute.
Sebastian, S. (2013, May 12). Intrusion Prevention Systems. Retrieved from How does Intrusion Prevention Systems work?
Security Scorecard. (2018, May 04). Tips for Using an Information Security Risk Assessment Template. Retrieved from https://securityscorecard.com/blog/tips-for-information-security-risk-assessment-template
Strauss, S. (2017, October 20). Cyber threat is huge for small businesses. Retrieved August 9, 2018, from https://www.usatoday.com/story/money/columnist/strauss/2017/10/20/cyber-threat-huge-small-businesses/782716001/
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwj886S7s-bWAhXGbSYKHUl1BcsQFghFMAA&url=http%3A%2F%2Fcs.uccs.edu%2F~cs522%2Fstudentproj%2FprojF2006%2Fbwilds%2Fdoc%2FNetwork%2520Security%2520Monitoring.ppt&usg=AOvVaw1xZgOtP0OnxkEuDsc5ZVJk