5 Open Source Security Tools for Small Business

by Carla Schroder

Try these small business security tools to foil the NSA, hackers, and any other jerks who want to stick their unauthorized noses into your business.

The National Security Administration has been in the news a whole lot lately, and it's been a busy little snoop, spying on virtually every form of communication used by humankind. Those of us who care about our privacy—and small business security—can turn to good, strong open source tools to try to protect our information from snoops. Or at least make it harder for them to get it.

I'm not sure it is possible to foil the National Security Administration, because they have unlimited, unaccountable authority to spy wherever they please, to trade the data they collect with other government agencies, and to get unlimited data dumps of customer data directly from vendors and service providers such as Google, Apple, Facebook, Microsoft, and Verizon. It never hurts to try, though some experts think that trying to protect your communications marks you as suspicious.

At any rate, it's good to understand where your communications are vulnerable, and at the very least protect them from non-government thieves and snoops. All of your Internet activities pass through countless routers and servers, and admins at any of these stops can easily snoop on your data, and even make copies of it. Fortunately, you can stop this sort of nosiness cold.

Figure 1: Spying was more interesting when it involved Mata Hari instead of anonymous computer nerds.

Here are five open source security software tools to help you lock down your data and improve your small business security.

Open Source Email Encryption

People routinely expose all sorts of sensitive information by using unencrypted email, and I'm pretty sure that anyone who wants to exploit your sensitive data is not going to be deterred by those silly legal disclaimers that organizations like to stick in their email footers. You know the ones I'm talking about, they look something like this:

"This e-mail is intended for the addressee shown. It contains information that is confidential and protected from disclosure. Any reviews, dissemination or use of this transmission or its contents by persons or unauthorized employees of the intended organizations are strictly prohibited…blah blah, blah."

If you really want to protect your sensitive business emails, you must encrypt them. The good news: it's not hard to do. The best tool for this is GnuPG, which is the free-of-cost open source implementation of PGP, Pretty Good Privacy. PGP was invented by brainiac Phil Zimmermann way back in the early 1990s for protecting personal Internet communications.

PGP passed through several commercial ventures, and it is now owned by Symantec. The commercial version doesn't do anything the free version can't do, but you get support and nice management tools.

Encryption only protects the contents of your email and not the so-called metadata. This is the routing information, which cannot be encrypted because then it would be undeliverable, like blacking out the address on a paper letter. So any snoops rifling through your email transmissions will know who, where and when…but not what.
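To make the metadata point concrete, here is an added example (not from the original article) that parses a constructed PGP/MIME message the way a relay admin could and lists what stays readable. The addresses, subject line, and armored payload are made-up placeholders; note that standard PGP/MIME also leaves the Subject header in the clear.

```python
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: a PGP/MIME (RFC 3156) message as it crosses a mail relay.
# Addresses are placeholders; the armored block is a stand-in, not real ciphertext.
RAW = """\
Received: from mail.example.org by mx.example.com; Mon, 21 Oct 2013 09:15:02 -0700
From: Alice <alice@example.org>
To: Bob <bob@example.com>
Cc: accounts@example.com
Subject: Q3 payroll figures
Date: Mon, 21 Oct 2013 09:15:00 -0700
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder for the encrypted body)
-----END PGP MESSAGE-----

--b1--
"""

def observer_view(raw):
    """Return what anyone handling the message can read without the private key."""
    msg = message_from_string(raw)
    fields = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    opaque = [p for p in msg.walk() if p.get_content_type() == "application/octet-stream"]
    return {
        "who": [addr for _, addr in getaddresses(fields)],      # sender and recipients
        "when": parsedate_to_datetime(msg["Date"]).isoformat(),  # send time
        "route": msg.get_all("Received", []),                    # relay hops
        "subject": msg["Subject"],     # header, so outside the encrypted part
        "body_encrypted": encrypted,   # only the body is protected
        "opaque_parts": len(opaque),   # the ciphertext blob itself
    }

if __name__ == "__main__":
    for key, value in observer_view(RAW).items():
        print(f"{key}: {value}")
```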

Open Source File Encryption

Is there anyone left out there who still doesn't encrypt their important files? How many laptops full of sensitive data are lost or stolen every day? How much information gets poached from servers and workstations? You're not protected if you have a login for your computer because all a thief has to do is remove the hard drive and then plunder it at will. The strongest protection is encrypting entire disk partitions with TrueCrypt, which is a brilliantly easy-to-use yet super-strong encryption program. Best of all, it's open source, it's top-of-the-line, and it's free.

The law requiring people to surrender their encryption keys to law enforcement is not settled, so practice your forgetful act, because if you forgot your super-long super-strong passphrase what are they going to do? Suck it out of your brain? And, TrueCrypt has a cool feature they call plausible deniability. You can hide entire partitions and operating systems so they are not visible to anyone who forces you to give them your password.

A Safer Search Engine

Your Web-surfing habits are virtual gold mines and literal generators of massive wealth for the likes of Google, Facebook, Akamai, and pretty much every marketer alive with that insatiable hunger for more, more, more customer data, no matter how invasive or ethically questionable the means to get it. It's very difficult to hide your tracks, and you don't even have to visit websites to become ensnared in their data-collection nets. 

Donttrackus has a great presentation on how your data gets vacuumed up and shared. The NSA looks for connections with shady persons and, since we're all just a few clicks away from any random Internet user, we all look guilty.

Figure 2: The National Security Agency wants all your data (parody logo courtesy Wikimedia Commons, Creative Commons Attribution 3.0 Unported license).

Avoid Google and use DuckDuckGo for Web searches. DuckDuckGo does not collect and mine your search data, it forces HTTPS when it's available (which encrypts your searches to block snoops), and it prevents search leakage. Search leakage sounds like something you should treat with adult hygiene products, but it's more sinister. With other search engines your search terms are known not only to the search engine, but to every site you click on as a result of that search.

Many sites also collect personally-identifiable information from the session between your computer and their site. DuckDuckGo routes your session traffic in a way that foils this kind of personally-identifiable data collection.
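Search leakage is easy to see from the destination site's side. The following added example (not from the original article) reads constructed web-server log lines in Apache "combined" format and pulls search terms out of the Referer field; `search.example`, the IP addresses, and the query parameter names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines from a destination site (Apache "combined" format).
# search.example is a made-up engine whose result-page URL, sent as the Referer,
# contains the query. The second line shows a referrer that carries no query,
# and the third a visit with no referrer at all.
LOG = [
    '203.0.113.7 - - [21/Oct/2013:10:02:11 -0700] "GET /loans HTTP/1.1" 200 5120 '
    '"http://search.example/results?q=small+business+bankruptcy+lawyer" "Mozilla/5.0"',
    '198.51.100.23 - - [21/Oct/2013:10:05:40 -0700] "GET /loans HTTP/1.1" 200 5120 '
    '"https://duckduckgo.com/" "Mozilla/5.0"',
    '192.0.2.55 - - [21/Oct/2013:10:09:03 -0700] "GET /loans HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
]

# client IP, ident, user, [time], "request", status, bytes, "referer", "user-agent"
COMBINED = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')
QUERY_KEYS = ("q", "query", "p")  # assumed names for the search-term parameter

def leaked_searches(lines):
    """Return (client_ip, search_terms) pairs readable from the site's own logs."""
    found = []
    for line in lines:
        match = COMBINED.match(line)
        if not match:
            continue  # not a combined-format line
        ip, referer = match.groups()
        params = parse_qs(urlsplit(referer).query)  # decodes '+' and %xx escapes
        for key in QUERY_KEYS:
            if key in params:
                found.append((ip, params[key][0]))
                break
    return found

if __name__ == "__main__":
    for ip, terms in leaked_searches(LOG):
        print(f"{ip} arrived after searching for: {terms}")
```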

Anonymous Web Surfing

Tor, The Onion Router, is a network of thousands of relays that anonymize and obscure your back-trail as you wander the Internet. Tor foils traffic analysis and search leakage. The weak points of Tor are the exit nodes, because just like a prairie dog with a giant network of underground tunnels, you have to come out to visit your destination sooner or later. But theoretically Tor is large enough and dynamic enough to prevent any kind of mapping and analysis of the exit points.

The easiest and most secure way to use Tor is to get TAILS, the Amnesic Incognito Live System. This is a customized live Debian Linux distribution that routes all of your Internet traffic through Tor: Internet chat, Web surfing, email, instant messaging, Skype—everything. TAILS does not install to your hard drive, but runs only from bootable media such as a DVD or USB stick. When you shut it off there are no traces of it on your host system.

End-to-End Encryption

Tor does not provide encryption, so you still need encryption tools to protect your traffic from source to destination. If you have fixed endpoints, such as a remote worker logging in to your work servers, or branch offices connecting directly to each other, then you want a VPN, or Virtual Private Network. This is an exclusive encrypted tunnel between two endpoints over untrusted networks, and it's very strong protection. The best is OpenVPN. OpenVPN offers both a free-of-cost version, which is not hard to set up, and various inexpensive commercial options.

Carla Schroder is the author of The Book of Audacity, Linux Cookbook, Linux Networking Cookbook, and hundreds of Linux how-to articles. She's the former managing editor of Linux Planet and Linux Today.

This article was originally published on Monday Oct 21st 2013