September 06, 2013, 9:33 AM — You have a target on your back. In 2012, 31 percent of cyberattacks were aimed at small businesses, and that staggering number is 100 percent attributable to inadequate--or nonexistent--security measures at many of these firms, which might as well be an open invitation to hackers.
Now, we're not going to hit you with another eat-your-veggies imperative to secure the computers and networks at your business. We understand that it's all too easy to view security as a discretionary expense.
But what if we told you that there were security controls in the tools you already own that could vastly improve your protection if you just used them? And that you could fill any gaps in protection with free security programs that are every bit as effective as their commercial counterparts?
Below are several ways to fend off cyberthreats. The only investment is your time.
Use what you already have
The quickest--and cheapest--way to beef up your defenses is to understand and employ the security measures you already have at your disposal.
Start with the simple things. Make sure that all your user accounts are protected with strong passwords and that only those employees who need administrative privileges have administrator accounts on their PCs.
Next, take a look at the Local Group Policy Editor in Windows. This power tool gives you granular control over groups of users and computers, so it makes sense that Microsoft placed the utility where people can't easily find it. (One way to find it is to type group in the search field in either Windows 7 or Windows 8. 'Edit Group Policy' should appear as one of the top few options available.) From the Editor, you can set password and account lockout policy, firewall policy, software restrictions, and more. Spend a couple of hours learning about the Local Group Policy Editor, and wield its power judiciously.
Zero-day attacks make for ominous headlines, but the reality is that known vulnerabilities are a much bigger threat. Most attackers don't have the skill or the devotion to ferret out new security holes. Once a vendor releases a patch, though, lazy attackers can reverse-engineer it to identify the vulnerability it fixes and figure out how to exploit that flaw.
The longer you go without implementing an applicable patch, the more at risk you are. You should have automatic updates turned on in Windows, as well as in any other applications you use that offer such a function. If you can't take advantage of this feature, you'll have to make a serious effort to stay informed about new updates and test and apply them as soon as they're available.
Supplement with free security tools
Once you've exhausted all the resources you have on hand, it's time to explore outside options. Some of the best security tools available are free and can go toe-to-toe with features offered in big-brand security suites. Here are a few to get you started.
Microsoft Security Essentials: Windows 8 includes Windows Defender, but prior versions of the operating system didn't come with antimalware protection. If you need to protect computers running Windows XP or Windows 7, you can download Microsoft Security Essentials to get comprehensive real-time protection gratis.
Cain and Abel: Using network-packet sniffing, dictionary attacks, and a variety of other methods, Cain and Abel captures and cracks passwords. You can use this handy utility to reveal vulnerabilities, determine whether your policy requirements are secure enough, and recover passwords, which is its primary function.
Aircrack and Kismet: Want to know how secure your wireless network really is? Try Aircrack or Kismet. Aircrack captures wireless network traffic and attempts to crack your WEP or WPA encryption. Kismet is a wireless-network detector, sniffer, and intrusion detection system. Both tools are free, and both are highly rated by those who use them.
Nikto: If your business has a Web server, you might want to put Nikto to use. An open-source Web-server scanner, Nikto can help you identify weaknesses that may expose your server to exploits. It scans for outdated servers, specific vulnerabilities, and known configuration errors to help you protect your server from attack.
For a complete list of the best security utilities, visit SecTools.org, which maintains a regularly updated list of the top 125 as rated by the user community. The list includes both open-source and commercial software, but you'll see that many of the most respected tools don't cost a thing.
If you can spare a dime...
If implementing these free options has whetted your appetite, consider investing in some pay software to bolster your complimentary security measures. We recommend the following three open-source tools. All are still available as free versions, but subscriptions are required to unlock their full power.
Nessus is a vulnerability scanner that examines and monitors your network and PCs for more than 50,000 vulnerabilities and potential configuration errors that may expose your systems to compromise. It also includes specific scans to help ensure compliance with regulatory and industry frameworks such as HIPAA (Health Insurance Portability and Accountability Act) or PCI-DSS (Payment Card Industry Data Security Standard).
Metasploit is a penetration-testing platform that lets you test exploits against your network and computer-security defenses and applications, to determine what impact they might have and to identify weaknesses you should address.
Snort is an intrusion detection and prevention platform that monitors network traffic to find and identify suspicious or malicious activity.
Cybercrime is costly, but defending against it doesn't have to be. Basic protections are built into the operating system and applications you use every day, and if you support them with free and open-source tools, you can protect your PCs and data without so much as bruising your budget. Who says you can't put a price on peace of mind?