Cryptographic Controls For Small – Medium Businesses (SMBs)
Common Cryptographic Controls for SMBs
There are several cryptographic controls that a small or medium-sized business (SMB) can implement, together with the supporting controls they depend on. Cryptographic controls protect sensitive information and secure the SMB’s networks. These include:
- Encryption: Encrypting sensitive data, such as financial or personal information, at rest and in transit protects it from unauthorized access if a device, backup or network is compromised.
- Secure communications: Using secure protocols, such as HTTPS (HTTP over TLS) and VPNs, for communications protects against eavesdropping and man-in-the-middle attacks.
- Two-factor authentication: Adding a second factor, such as an authenticator app, hardware token or fingerprint, limits the damage of a stolen or phished password.
- Regular software updates: Keeping all software, including operating systems, applications and the cryptographic libraries they bundle, up to date protects against known vulnerabilities.
- Access controls: Strict access controls, for example role-based access, ensure that only authorized individuals can reach sensitive information.
- Regular security audits: Regular auditing and monitoring of systems help identify and address security issues before they are exploited.
It is also important to have a Standard Operating Procedure (SOP) for these controls, an incident response plan, and employee awareness training, so that staff know what to do before an incident occurs.
Cryptographic Controls and Encryption: How to Encrypt Data as a Small – Medium Business
There are many ways a small business can encrypt data to protect it from unauthorized access or breaches. Some common methods include:
- File encryption: Encrypting individual files or folders on a computer or server, for example with the operating system’s file-level encryption (EFS on Windows) or a file encryption tool such as GnuPG. BitLocker and FileVault encrypt the whole disk and belong under the next item.
- Full-disk encryption: Encrypting the entire drive of a computer or server with BitLocker (Windows), FileVault (macOS), LUKS (Linux) or VeraCrypt. Store the recovery keys separately from the device; a lost laptop is only a lost asset rather than a data breach if the key was not left with it.
- Cloud encryption: A small business using a cloud storage service can take advantage of built-in encryption options, such as Amazon S3 Server-Side Encryption or Google Drive’s encryption at rest. With provider-managed keys the provider can still read the data, so this protects against lost or reused disks, not against a compromised account.
- Database encryption: Businesses storing sensitive information in a database can encrypt it in the database engine, for example with Transparent Data Encryption (TDE) in Microsoft SQL Server and Azure SQL Database, or Oracle Advanced Security. TDE protects the data files and backups at rest; it does not limit what an authenticated database user can query.
- Email encryption: To encrypt email, businesses can use a secure email service such as ProtonMail, or the OpenPGP or S/MIME standards, which mail clients support natively or through plug-ins.
S/MIME as a Cryptographic Control:
- S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and digital signatures for email messages. It is built on top of the standard MIME (Multipurpose Internet Mail Extensions) message format and allows for the secure exchange of email messages over the internet.
- With S/MIME, email messages are digitally signed with the sender’s private key, which lets the recipient verify the identity of the sender and detect any tampering with the message in transit. S/MIME also allows for end-to-end encryption of email messages, so that only the intended recipient can read the message.
- To use S/MIME, a user must have an S/MIME certificate issued by a certificate authority. The certificate contains the user’s public key and identity (email address); the matching private key is generated and kept by the user and is never part of the certificate. A sender encrypts to the recipient’s public key, taken from the recipient’s certificate, and the recipient decrypts with their own private key. Signing works the other way round: the sender signs with their private key and the recipient verifies with the public key in the sender’s certificate.
- S/MIME is widely supported by email clients such as Microsoft Outlook, Apple Mail, and Thunderbird, and by some web-based email services such as Google Workspace (hosted S/MIME in Gmail).
- It is a well-established way to secure email communication and is widely used by companies and organizations handling sensitive information. Keep a backup of each user’s encryption key (see key escrow below); otherwise encrypted mail becomes unreadable when a device is lost.
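The signing-and-certificate mechanics described in the bullets above, as an added example that is not part of the original page. It is Go standard-library code and deliberately stops short of building a CMS/S/MIME message: it shows only what the bullets claim, namely that the private key stays with the user, the certificate carries the public key and identity, and a recipient holding nothing but the certificate can reject a tampered body or a certificate issued to someone else. The self-signed certificate and the address alice@example.com are assumptions made for the example; in practice a CA issues the certificate, and a mail client also validates the chain, validity period and revocation status.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity is what an S/MIME user holds: the private key stays with the user;
// only the certificate, which carries the public key, is attached to outgoing mail.
type Identity struct {
	PrivateKey *rsa.PrivateKey
	CertDER    []byte
}

// NewIdentity generates a 2048-bit RSA key pair and a self-signed certificate for
// one address. In practice a CA signs the certificate; self-signing is used here
// only so the example runs offline.
func NewIdentity(email string) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &Identity{PrivateKey: key, CertDER: der}, nil
}

// Sign produces an RSA-PSS signature over the SHA-256 digest of the message body.
func (id *Identity) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, id.PrivateKey, crypto.SHA256, digest[:], nil)
}

// Verify is the recipient's side: it has only the sender's certificate. It checks
// that the certificate was issued for the claimed address and that the signature
// matches the message under the certificate's public key. A mail client would
// also validate the chain to a trusted CA, the validity period and revocation.
func Verify(certDER []byte, claimedSender string, msg, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	issuedFor := false
	for _, addr := range cert.EmailAddresses {
		issuedFor = issuedFor || addr == claimedSender
	}
	if !issuedFor {
		return errors.New("certificate was not issued for the claimed sender")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an RSA public key")
	}
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

func main() {
	alice, err := NewIdentity("alice@example.com")
	if err != nil {
		panic(err)
	}
	msg := []byte("Invoice 1042 is approved for payment.")
	sig, _ := alice.Sign(msg)
	fmt.Println("genuine:     ", Verify(alice.CertDER, "alice@example.com", msg, sig))
	fmt.Println("tampered:    ", Verify(alice.CertDER, "alice@example.com", []byte("Invoice 1042 is approved for payment of $99,000."), sig))
	fmt.Println("wrong sender:", Verify(alice.CertDER, "mallory@example.com", msg, sig))
}
```

Note what the recipient never needs: Alice's private key. Everything in Verify works from the certificate alone, which is why a certificate can be published freely while a leaked private key means revoking the certificate and issuing a new one.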
Secure Communication Guidelines and Cryptographic Controls for SMBs:
Secure communication is an essential Cryptographic Control for any business, particularly small and medium-sized businesses (SMBs), in order to protect sensitive information and prevent data breaches. Here are a few guidelines for SMBs to follow for secure communication:
- Use encryption: Encrypt all sensitive data, such as financial or personal data, before transmitting it over the internet, using TLS, which is what HTTPS provides. Disable the obsolete SSL 2.0/3.0 and TLS 1.0/1.1 protocol versions on servers and clients.
- Use VPN: Use a Virtual Private Network (VPN) to establish a secure connection between remote employees and the company’s network. This protects traffic on untrusted networks against eavesdropping and man-in-the-middle attacks.
- Use secure email services: Use a secure email service such as ProtonMail, or OpenPGP or S/MIME with an existing mail client.
- Use secure messaging services: Use end-to-end encrypted messaging services such as Signal or WhatsApp to send sensitive information, so that the service provider cannot read the messages.
- Use secure file sharing services: Share sensitive files through a file sharing service such as Google Drive or Dropbox rather than as email attachments, and restrict shared links to named recipients with an expiry date. These services encrypt data in transit and at rest, but the provider holds the keys, so the access settings on the share matter as much as the encryption.
- Secure mobile devices: Ensure all mobile devices used for business communication have a passcode, device encryption enabled and automatic locking after a short period of inactivity, and can be wiped remotely if lost.
- Train employees: Regularly train employees on secure communication best practices. Training includes how to spot phishing attempts, how to use encryption, and how to use secure messaging and file-sharing services.
Remember that security is an ongoing process and it is necessary to regularly review and update the security measures to keep up with the latest threats and technologies.
2FA: How to Use Two-Factor Authentication in a Small – Medium Business to Strengthen Your Cryptographic Controls
Two-factor authentication (2FA) is a security measure that requires users to present two different kinds of evidence before accessing a system or service: typically something they know (a password) together with something they have (a phone, authenticator app or hardware key) or something they are (a fingerprint).
The goal of 2FA is to make it much harder for an attacker who has obtained a password to gain access, by adding a layer of security beyond the password alone.
How to enable 2FA:
- To enable 2FA, a user must first register a second factor with the service or system: an authenticator app or hardware security key, or (less securely) a phone number or email address for one-time codes.
- Once registered, the user is prompted for the one-time code, or to approve a push notification, each time they log in.
Some systems also offer a “remember this device” option so that the user is not prompted for a 2FA code again on a device they trust; limit how long that trust lasts.
Here’s an example of how to use 2FA as a Cryptographic Control:
- The user attempts to log into a service or system, such as an online bank account or an email service.
- The user enters their username and password.
- The service or system sends a one-time code to the user’s phone or email, or the user reads a time-based code from an authenticator app.
- The user enters the one-time code to complete the login process.
- Access is granted to the user.
- Note that some systems use other forms of 2FA, such as biometric authentication, hardware security tokens, or push notifications. SMS and email codes are the weakest option, since they can be intercepted or phished along with the password; authenticator apps are better, and FIDO2 hardware keys resist phishing entirely because the key only answers the genuine site.
It is recommended to use 2FA wherever it is available, as it greatly enhances the security of your online accounts and services.
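A worked example of the time-based codes an authenticator app produces and of a server-side check for them, added here and not taken from the original page. It implements HOTP (RFC 4226) and TOTP (RFC 6238) in Go using only the standard library, with the shared secret from those RFCs’ test vectors; the Verifier type and its fields are this example’s own design. It shows two things the steps above leave implicit: the code is an HMAC over a counter, which is why 2FA belongs among cryptographic controls, and a server must compare in constant time, tolerate a little clock drift, and refuse to accept the same time step twice.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then reduction to the requested number of digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, truncated%mod)
}

// TOTP implements RFC 6238: the counter is the number of whole time steps
// (30 s in most authenticator apps) since the Unix epoch.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix()/int64(step.Seconds())), digits)
}

// Verifier checks submitted codes the way a server should: constant-time
// comparison, a small tolerance for clock drift, and refusal to accept a time
// step that has already been consumed, so a code captured by phishing or a
// shoulder-surfer cannot be replayed inside its validity window.
type Verifier struct {
	Secret   []byte
	Step     time.Duration
	Digits   int
	Skew     int   // steps of drift tolerated on either side of now
	lastUsed int64 // highest time step already accepted for this user
}

// Verify reports whether code is valid for an unused step inside the skew window.
func (v *Verifier) Verify(code string, now time.Time) bool {
	current := now.Unix() / int64(v.Step.Seconds())
	for d := -int64(v.Skew); d <= int64(v.Skew); d++ {
		step := current + d
		if step <= v.lastUsed {
			continue // this step, or an older one, was already consumed
		}
		want := HOTP(v.Secret, uint64(step), v.Digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastUsed = step
			return true
		}
	}
	return false
}

func main() {
	// Reference secret from RFC 4226/6238 (ASCII "12345678901234567890"). A real
	// deployment generates a random secret per user and stores it encrypted.
	secret := []byte("12345678901234567890")
	fmt.Println("HOTP counter 0:", HOTP(secret, 0, 6))                                // 755224
	fmt.Println("TOTP at t=59s: ", TOTP(secret, time.Unix(59, 0), 30*time.Second, 6)) // 287082
	v := &Verifier{Secret: secret, Step: 30 * time.Second, Digits: 6, Skew: 1}
	fmt.Println("first use:", v.Verify("287082", time.Unix(59, 0))) // true
	fmt.Println("replayed: ", v.Verify("287082", time.Unix(75, 0))) // false
}
```

The secret is the whole security of the scheme: anyone who reads it from the server database or the user’s phone can mint valid codes indefinitely, which is why it must be stored encrypted with restricted access and why a hardware key, whose secret never leaves the device, is the stronger second factor.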
Regular Software Updates:
Regularly updating software is an important step in maintaining the security of your systems and devices. Here are a few tips on how to do this:
- Keep your operating system and applications up to date: Many operating systems, such as Windows and macOS, have built-in update mechanisms that check for and install updates automatically. Make sure that these mechanisms are enabled and that your systems are set to install updates automatically.
- Check for updates manually: If your system does not have an automatic update mechanism, or if you want to make sure that you are running the latest version of a particular application, check for updates manually. Most software developers provide a way to check for updates from within the application or from their website.
- Test updates before deploying them: Before installing updates on production systems, it is a good practice to test them on a non-production environment to ensure that they will not cause any issues.
- Keep track of the updates: Keep a record of the updates that have been installed, including the version number and the date. This will help you to identify which systems need to be updated in case of a security vulnerability.
- Keep an eye on security advisories: Stay informed about security vulnerabilities and patches by subscribing to security advisory mailing lists or following security blogs.
By regularly updating software, businesses can ensure that their systems are protected from known vulnerabilities and that they are running the latest features and improvements.
Cryptographic Controls and Controlled Access Examples for SMBs:
Access controls are an important aspect of security for any business, including small and medium-sized businesses (SMBs). Access controls are used to restrict access to sensitive information and systems to only authorized individuals.
Here are a few examples of access controls that SMBs can implement:
- User accounts and permissions: Creating user accounts and assigning permissions based on roles can help ensure that only authorized individuals have access to sensitive information and systems. For example, an accounting employee should only have access to financial data, not to HR data.
- Authentication: Implementing strong authentication methods, such as two-factor authentication (2FA), helps ensure that only authorized users are able to access sensitive information and systems.
- Physical security: Implement physical security measures. These include security cameras, keycard access, or biometric authentication among others. These measures help ensure that only authorized individuals have access to sensitive information and systems.
- Network security: Implementing network security measures, such as firewalls and intrusion detection systems, can help prevent unauthorized access to sensitive information and systems.
- Access logs: Keep track of who is accessing sensitive information and systems and when they are accessing. This can help identify and address any security issues.
- Least privilege: Apply the principle of least privilege: give users access to the minimum resources they need to do their job. This limits the damage from accidental misuse or a compromised account.
It is important to have a clear and well-defined security policy and access control procedures and to train employees on how to follow them.
How to perform Security Audits in an SMB
Performing regular security audits is an important step in identifying and addressing potential security issues in a small or medium-sized business (SMB). Here are a few steps that SMBs can take to perform security audits:
- Identify critical assets: Determine which systems and data are critical to the business, and prioritize them for auditing.
- Assess vulnerabilities: Perform vulnerability assessments to identify potential weaknesses in systems and networks. This can be done using automated tools or manual testing.
- Evaluate security controls: Evaluate the effectiveness of existing security controls, such as firewalls, intrusion detection systems and access controls.
- Review logs: Review security logs from systems, applications, and network devices to identify any suspicious activity.
- Test incident response: Conduct incident response testing to ensure that the incident response plan and procedures are effective and that staff are properly trained.
- Compliance check: Check for compliance with any relevant regulations or industry standards, such as HIPAA, PCI DSS, or SOC 2.
- Report and remediate: Report any findings and recommendations to management. Develop a plan to remediate any identified vulnerabilities or weaknesses.
It is recommended to perform security audits at least once a year, or more often if the business handles sensitive data or is subject to regulatory compliance. Consider engaging a cybersecurity expert or a third-party service so that the audit is thorough and conducted with the right expertise.
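Detection logic of the kind the “Access logs” item in the access-control section and the “Review logs” step above call for, as an added example rather than anything from the original page. It is Go standard-library code; the role policy, the key=value log format, the seven log lines and the 07:00–20:00 business-hours window are all constructed for the example. It takes the page’s own scenario (an accounting employee who should see financial data but not HR data) and shows how a least-privilege policy written down as data lets a periodic log review find the access that should not have been allowed, the account that keeps hitting denials, and the after-hours export.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Policy is the least-privilege grant per role: the resource prefixes it may touch.
var Policy = map[string][]string{
	"accounting": {"finance/"},
	"hr":         {"hr/"},
	"admin":      {"finance/", "hr/", "system/"},
}

type Event struct {
	When                                 time.Time
	User, Role, Action, Resource, Result string
}

// ParseLine reads one "<RFC 3339 time> key=value ..." line of the constructed log format.
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) != 6 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{When: when}
	dst := map[string]*string{"user": &ev.User, "role": &ev.Role, "action": &ev.Action, "resource": &ev.Resource, "result": &ev.Result}
	for _, kv := range fields[1:] {
		key, val, _ := strings.Cut(kv, "=")
		p, ok := dst[key]
		if !ok {
			return Event{}, fmt.Errorf("unknown field %q in %q", kv, line)
		}
		*p = val
	}
	return ev, nil
}

// Permitted answers the least-privilege question for one role and resource.
func Permitted(role, resource string) bool {
	for _, prefix := range Policy[role] {
		if strings.HasPrefix(resource, prefix) {
			return true
		}
	}
	return false
}

type Finding struct{ Kind, User, Detail string }

// Audit flags what a periodic log review should catch: an allowed access the role
// should not have (an over-broad grant or a missing check), a user accumulating
// denials (probing or a broken account), and HR data touched outside the assumed
// 07:00-20:00 business hours in the log's time zone (UTC here).
func Audit(lines []string) ([]Finding, error) {
	var findings []Finding
	denials := map[string]int{}
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		if ev.Result == "allowed" && !Permitted(ev.Role, ev.Resource) {
			findings = append(findings, Finding{"policy-violation", ev.User, ev.Role + " was allowed " + ev.Resource})
		}
		if ev.Result == "denied" {
			if denials[ev.User]++; denials[ev.User] == 3 {
				findings = append(findings, Finding{"repeated-denials", ev.User, "3 denied requests"})
			}
		}
		if ev.Result == "allowed" && strings.HasPrefix(ev.Resource, "hr/") && (ev.When.Hour() < 7 || ev.When.Hour() >= 20) {
			findings = append(findings, Finding{"after-hours", ev.User, ev.Action + " " + ev.Resource + " at " + ev.When.Format("15:04")})
		}
	}
	return findings, nil
}

// SampleLog is constructed for this example; it is not data from any real system.
var SampleLog = []string{
	"2024-03-04T09:12:05Z user=alice role=accounting action=read resource=finance/ledger result=allowed",
	"2024-03-04T09:15:41Z user=alice role=accounting action=read resource=hr/payroll result=allowed",
	"2024-03-04T09:20:00Z user=bob role=hr action=read resource=hr/payroll result=allowed",
	"2024-03-04T11:02:13Z user=carol role=accounting action=read resource=system/config result=denied",
	"2024-03-04T11:02:19Z user=carol role=accounting action=read resource=system/users result=denied",
	"2024-03-04T11:02:25Z user=carol role=accounting action=read resource=hr/payroll result=denied",
	"2024-03-04T23:41:09Z user=bob role=hr action=export resource=hr/payroll result=allowed",
}

func main() {
	findings, _ := Audit(SampleLog)
	for _, f := range findings {
		fmt.Printf("%-17s %-6s %s\n", f.Kind, f.User, f.Detail)
	}
}
```

The first finding is the important one for an audit: the access was allowed, so the system enforcing permissions disagrees with the written policy, and either the grant or the policy has to change. The other two are leads for the incident response process rather than proof of anything on their own.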
What should be included in an ISMS (Information Security Management System) SOP (Standard Operating Procedure) for cryptographic controls?
An ISMS (Information Security Management System) SOP (Standard Operating Procedure) for cryptographic controls should include the following elements:
- Policy: A statement outlining the organization’s commitment to the secure use of cryptography.
- Key Management: Procedures for the secure generation, storage, distribution, rotation, and revocation or destruction of cryptographic keys.
- Encryption: Procedures for the use of encryption algorithms and protocols, including the selection of approved algorithms and appropriate key lengths for different types of data.
- Authentication: Procedures for the use of cryptographic authentication methods, such as digital signatures and certificates.
- Incident Response: Procedures for responding to and reporting cryptographic-related security incidents.
- Compliance: A description of how the organization’s cryptographic controls comply with relevant laws, regulations, and industry standards.
- Monitoring and Auditing: Procedures for monitoring and auditing the use of cryptographic controls to ensure they are being used correctly and effectively.
- Training: Procedures for providing training and education to employees on the proper use of cryptographic controls.
- Review and Update: Procedures for regularly reviewing and updating the ISMS SOP for cryptographic controls to ensure they remain effective and aligned with the latest industry best practices.
Indicative evidence list for cryptographic controls
- Cryptographic keys and key management procedures: Proper generation, storage, and destruction of cryptographic keys. Includes procedures for managing and protecting keys throughout their lifecycle.
- Cryptographic algorithm and protocol implementation: The selection and use of appropriate cryptographic algorithms and protocols to protect data and communications.
- Cryptographic boundary and key strength: The proper use of cryptographic keys to protect data at the appropriate boundary, such as protecting data at rest or in transit. Also includes ensuring that the keys used are of sufficient strength to provide adequate protection.
- Cryptographic module validation: Validation and testing of cryptographic modules to ensure they meet industry standards (for example FIPS 140 validation) and are free of known vulnerabilities.
- Secure key generation and key exchange: The use of secure methods for generating and exchanging keys.
- Secure key storage and destruction: The use of secure methods for storing and destroying cryptographic keys, such as using hardware security modules (HSMs) or key management systems.
- Cryptographic key escrow and recovery: The ability to escrow and recover encryption keys in case of emergency, key loss or staff departure. Escrow applies to encryption keys only; signing keys should never be escrowed, since a copy held by a third party undermines non-repudiation.
- Secure cryptographic key distribution: The use of secure methods for distributing cryptographic keys, such as using a secure key distribution center (KDC) or public key infrastructure (PKI).
- Cryptographic key usage and access controls: The implementation of controls to ensure that cryptographic keys are only used for authorized purposes and by authorized individuals.
- Cryptographic key changeover and retirement procedures: The procedures for changing or retiring cryptographic keys, such as rotating keys on a regular schedule and re-encrypting or rewrapping any data still protected by a retiring key before it is destroyed.
- Cryptographic module and key audits: The regular auditing of cryptographic modules and keys to ensure they are being used and managed properly.
- Cryptographic module and key incident response and recovery procedures: The procedures for responding to and recovering from incidents involving cryptographic modules and keys, such as key compromise.
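An added example, not from the original page, that covers both the file and cloud encryption options listed under “How to Encrypt Data” and the key lifecycle items in the evidence list above (generation, wrapping, rotation, rewrapping and retirement). It is Go standard-library code using AES-256-GCM in an envelope pattern: each file is encrypted under its own data key, and the data keys are wrapped under a versioned key-encryption key. The KeyRing map stands in for the KMS or HSM that would hold the key-encryption keys in a real deployment, and the payroll file name and contents are made up for the demonstration. Deleting a version from the ring retires that key; anything never rewrapped under a newer version becomes unreadable, which is exactly the failure the retirement procedure has to prevent.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aead returns AES-256-GCM; keys here are always 32 bytes from newRandom, so a bad length is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

func newRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // refuse to continue with a predictable key or nonce
	}
	return b
}

// seal prepends a fresh 96-bit nonce to the output; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := newRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open fails, instead of returning garbage, if any byte of the blob or the aad differs.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Envelope is one encrypted file: data under a per-file data key (DEK); the DEK wrapped under a versioned KEK.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyRing stands in for the KMS/HSM holding the KEKs; deleting a version retires it (only after rewrapping all envelopes).
type KeyRing struct {
	Current int
	Keys    map[int][]byte
}

func (r *KeyRing) Rotate() {
	r.Current++
	r.Keys[r.Current] = newRandom(32)
}

// Encrypt binds label (e.g. the file path) as AAD so one file's ciphertext cannot be swapped for another's.
func (r *KeyRing) Encrypt(plaintext []byte, label string) *Envelope {
	dek := newRandom(32)
	return &Envelope{r.Current, seal(r.Keys[r.Current], dek, nil), seal(dek, plaintext, []byte(label))}
}

func (r *KeyRing) unwrap(e *Envelope) ([]byte, error) {
	kek, ok := r.Keys[e.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK v%d is retired and this record was never rewrapped", e.KEKVersion)
	}
	return open(kek, e.WrappedDEK, nil)
}

func (r *KeyRing) Decrypt(e *Envelope, label string) ([]byte, error) {
	dek, err := r.unwrap(e)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext, []byte(label))
}

// Rewrap moves an envelope to the current KEK without re-encrypting the data.
func (r *KeyRing) Rewrap(e *Envelope) error {
	dek, err := r.unwrap(e)
	if err != nil {
		return err
	}
	e.KEKVersion, e.WrappedDEK = r.Current, seal(r.Keys[r.Current], dek, nil)
	return nil
}

func main() {
	ring := &KeyRing{Current: 1, Keys: map[int][]byte{1: newRandom(32)}}
	env := ring.Encrypt([]byte("Q1 payroll export"), "finance/payroll-q1.csv")
	env.Ciphertext[len(env.Ciphertext)-1] ^= 1 // flip one bit of the GCM tag
	fmt.Println(ring.Decrypt(env, "finance/payroll-q1.csv"))
}
```

Two properties matter for the evidence list. Rotating the key-encryption key never touches the bulk data, so a rotation schedule is cheap to keep and a retirement is just a rewrap pass followed by deleting the old version. And because GCM is authenticated, a flipped bit, a truncated file or a ciphertext moved to a different path is rejected outright rather than silently decrypted to garbage, so integrity failures surface where they can be logged.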
Information Security Management System Mappings covered with the Cryptographic Controls Standard Operating Procedure:
ISO 27001:2013:
- A.10 Cryptography
- A.10.1 Cryptographic controls
- A.10.1.1 Policy on the use of cryptographic controls
- A.10.1.2 Key management
AICPA TSC 2017:
- CC6.1 “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.”
- CC6.7 “The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.”
NIST SP 800-53, Revision 5:
- SC-12 Cryptographic Key Establishment and Management
- SC-13 Cryptographic Protection
- SC-17 Public Key Infrastructure Certificates