This document discusses steps that small nonprofits can take to improve security and decrease risk. It begins with an overview of six security basics: strong passwords, anti-malware software, an up-to-date browser, patched devices, backed-up data, and a firewall. However, it notes that these alone are not sufficient, because there are ways around these defenses: cloud services, USB drives, rogue wireless networks, smartphones, and social engineering. The document provides tips on how to assess risk and respond to it through mitigation, transference, acceptance, or avoidance. It suggests easy initial steps such as inventorying devices and software, changing defaults, training staff, and limiting administrative privileges.
27. Security Basics 3:
Use a Better Browser
• Avoid Internet Explorer if at all possible
• Use Google’s Chrome
• Mozilla’s Firefox is pretty good too
• Keep your browser up-to-date
62. Resources
• SonicWALL Phishing IQ Test: http://www.sonicwall.com/furl/phishing/
• SANS NewsBites, a semiweekly summary of the most important news articles on computer security during the past week: http://www.sans.org/newsletters/newsbites/
• @Risk summarizes the 3-8 vulnerabilities that matter most, tells what they do and how to protect yourself from them: http://www.sans.org/newsletters/risk/
• Brian Krebs on Security is a daily blog on computer security and cybercrime: http://krebsonsecurity.com/
• Sophos’ “1-minute security tips for the workplace”: http://www.youtube.com/playlist?list=PLD88EACF404839195
AP for Nonprofits - 2013
63. Resources
• InfoWorld review of seven password managers (password vaults): http://www.infoworld.com/d/security/review-7-password-managers-windows-mac-os-x-ios-and-android-189597
• 26 Online Backup Services Reviewed (April 2013): http://pcsupport.about.com/od/maintenance/tp/online_backup_services.htm
• Man in the Middle Attack Explained: http://en.wikipedia.org/wiki/Man-in-the-middle_attack
• The SANS Institute’s 20 Critical Controls: http://www.sans.org/critical-security-controls/
• The SANS Security Policy Project: http://www.sans.org/security-resources/policies/
Nonprofits have been hit so hard by the recession, and this is really having an impact on how we serve our clients.
• Legal Counsel and Hotline – from helping nonprofits get incorporated to providing a legal hotline
• Board Leadership Development – includes placing people on boards and providing training on how to be an effective board member
• Accounting and Finance Services – one of our fastest growing and most in-demand areas. Some nonprofits are saving money by outsourcing their accounting function; others are trying to get a better understanding of their financial data for decision making. We recently added a position that’s more focused on business planning and business modeling.
• Technology Services – like our accounting area, some nonprofits outsource their technology function to us; other nonprofits use us for technology planning and/or implementation. We also host online and in-person ways for nonprofits to share technology best practices.
• Marketing Services – marketing planning, brand development, etc.
• Strategic Development – strategic planning for nonprofits. We are finding that, given the current economic environment and pace of change, many organizations are choosing more streamlined strategic planning processes or are moving to more ongoing strategic conversations, vs. a more traditional in-depth process that yields a 3-5 year plan.
• Leadership Development – training on emotional intelligence and adaptive leadership, as well as the facilitation of Leaders Circles, tightly facilitated peer learning groups that support leaders
• Project ReDesign – another one of our most in-demand service areas; we help nonprofits look at mergers and other types of realignment, including program transfer, joint operating agreements and dissolutions
• Fundraising Consulting
So = no funds to hire experts, no funds to implement sophisticated technical controls
I hope that all of you already have these 6 in place, so I’ll move relatively quickly through them. Stop me if I’m wrong or if you have questions
Using a unique passphrase on each account is the single best thing you can do to boost your online security. If you must reuse a password anywhere, never reuse it at sites that hold sensitive data.
Any idea how long servers keep their log files?
So let’s talk strategy. Believe it or not, it’s the first one.
Passphrases can be of any arbitrary length, and they’re much easier to remember than conventional passwords.

Example 1 looks complex, but it’s based on the lyrics of Sgt. Pepper’s Lonely Hearts Club Band by Lennon/McCartney (“It was twenty years ago today…”). Example 2 is based on Bob Dylan’s Blowin’ In The Wind and is derived from the first and last letter of each word (“How many roads must a man walk down…”).

Example of the 4-word technique: simply choose four random words and funk them up a bit. “Animals Africa symphony clearance” can become “@nimalzFriquesimfonyclearAntz”. This is a case where bad spelling is an asset!

Example of my prefix + suffix technique: create a unique prefix, then add a hint that you understand to identify the website it’s for. Example 2 uses a suffix that identifies the website category. You could in effect group your
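As an added worked example (not from the original slides), here is the arithmetic behind “passphrases can be of any arbitrary length”: four words drawn at random from a 7,776-word list compared with an eight-character password drawn from the 95 printable ASCII characters, plus a generator that uses the operating system’s CSPRNG. The 12-word SAMPLE_WORDS list and the 7,776-word list size (the Diceware list) are assumptions. The entropy figures hold only when the words are picked at random; a phrase lifted from a well-known lyric, as in Examples 1 and 2, is far easier to guess than these numbers suggest.

```python
import math
import secrets

# Constructed sample wordlist for the demo. Real use: load a large published
# list such as the 7,776-word Diceware list (assumed size below).
SAMPLE_WORDS = [
    "animals", "africa", "symphony", "clearance", "harbor", "candle",
    "pixel", "walnut", "granite", "velvet", "orbit", "ladder",
]
DICEWARE_SIZE = 7776          # assumption: size of the wordlist in real use
PRINTABLE_ASCII = 95          # printable characters available to a password


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly at random
    from an alphabet of `alphabet_size`. Only valid for random choice;
    a phrase taken from a song lyric has far less."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time for an offline attacker to hit the secret: on average
    half the keyspace has to be searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def generate_passphrase(words, count: int = 4, sep: str = " ") -> str:
    """Pick `count` words with the OS CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(count))


def funk_up(phrase: str) -> str:
    """The slide's 'funk it up' step: swap a few letters and drop spaces.
    This is a fixed, guessable transform, so it adds little real strength;
    the random word choice is what carries the entropy."""
    table = str.maketrans({"a": "@", "s": "z", "i": "1", " ": ""})
    return phrase.translate(table)


def compare(word_count: int = 4, password_length: int = 8):
    """Return (passphrase_bits, password_bits) for `word_count` random
    Diceware words vs. a random password of `password_length` characters."""
    return (entropy_bits(DICEWARE_SIZE, word_count),
            entropy_bits(PRINTABLE_ASCII, password_length))


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(phrase, "->", funk_up(phrase))
    for n in (4, 5, 6):
        bits = entropy_bits(DICEWARE_SIZE, n)
        days = expected_crack_seconds(bits, 1e10) / 86400
        print(f"{n} random words: {bits:.1f} bits, "
              f"~{days:,.0f} days at 10^10 guesses/s offline")
    print(f"8 random printable chars: {entropy_bits(PRINTABLE_ASCII, 8):.1f} bits")
```

Four random words come to about 52 bits, roughly the same as an eight-character random password, and that is only a couple of days of work for a fast offline cracker that has obtained the password hashes; each additional word adds about 13 bits. Against an online login the site’s rate limiting, not the entropy, is usually what stops the attacker.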
Whatever you do, don’t store your list of passwords on your computer in plain text. Passwords held in email accounts or in password-protected Word or Excel documents are very easily exposed, so they represent a security risk. Some folks love the free, open-source KeePass for this duty, while others prefer another free, open-source offering, Password Safe, and still others swear by the cross-platform, browser-based LastPass. Mac users can use 1Password, which even has an iPhone application so you can take your passwords with you.
The best thing about a product like Symantec’s Endpoint Protection is that it can be centrally administered. But if you don’t have an administrator…
The Flashback Trojan was a nasty piece of malware designed to steal personal information; it masqueraded as an Adobe Flash update and targeted the Java runtime on OS X.
Use an alternative browser (and no matter what, make sure your browser is the latest version). Both Internet Explorer and Safari have issues (though IE is generally regarded as the worst of the breed), and there are better browsers in existence. My current favorite is Google Chrome. Brian Krebs: “Of the three browsers, Internet Explorer was the only one that had critical, unpatched vulnerabilities that were demonstrably exploited by attackers before patches were made available. According to Microsoft’s own account, there were at least six zero-days actively exploited in the past 18 months in IE. All but one of them earned Microsoft’s most dire ‘critical’ rating, leaving IE users under zero-day attack for at least 152 days since the beginning of 2011. If we count just the critical zero-days, there were at least 89 non-overlapping days (about three months) between the beginning of 2011 and Sept. 2012 in which IE zero-day vulnerabilities were actively being exploited.”
The majority of malware that infects people today does so through software vulnerabilities: bugs in legitimate applications that attackers can exploit to get their malicious code running on your machine. The more software you have running on your machine, the greater the attack surface. We need to know and control the software that is on our computers and make sure it’s correctly patched and up to date.
CrashPlan is my favorite online backup service because of its feature set, cost-effective plans, and it’s local! The best known is probably Carbonite.
Whether on a dedicated firewall, a router, or a computer, it should always be on (except for rare occasions). As with all devices and systems, make sure to change the default password. All networks need a firewall (including your home network). Low-cost solution: use an old PC and convert it to a firewall simply by adding a second NIC and installing firewall software.
None of these is inherently bad or dangerous—but their usage in your office should be considered carefully
Lock down USB ports. Consider this: what if your accountant puts a spreadsheet of staff salaries on a thumb drive and loses it on the way to the parking lot? How can this situation be avoided? Don’t allow USB devices, or only allow USB devices that are encrypted.
Rogue wireless networks can potentially give unauthorized parties access to a secure network.
Develop a Smartphone Acceptable Use Policy that outlines who can connect to your network and to what extent. Make sure to address using a password on the device.
Why the easiest way in? Because it’s us end-users who do all the work. Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information.
Phishing is a special form of social engineering.
Never trust a link in an email message. Enter the URL into your browser instead. Similarly, only use bit.ly or other shortened links if you trust the source.
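As an added example (not part of the original slides), the check a reader performs by hand when told “never trust a link in an email” can be automated on the HTML body: collect every link, compare the host shown in the link text with the host the href actually points to, and flag shortened links and links that hide the real host behind credentials in the URL. The SAMPLE_EMAIL is constructed for the demo (the .example top-level domain is reserved, so no real site is named), and the SHORTENERS set is an assumption covering a few well-known shortening services.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link shorteners hide the real destination; treat them as "only if you trust
# the sender". Assumption: a few well-known services, extend as needed.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}

# Constructed sample message (not a real phish). The .example TLD is reserved.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please visit
<a href="http://paypal.com.account-verify.example/login">http://www.paypal.com/</a>
within 24 hours to restore access.</p>
<p>Or use the short link <a href="http://bit.ly/abc123">here</a>.</p>
<p>Regards, <a href="https://www.example.org/">www.example.org</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so "http://www.paypal.com/" survives line wraps
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def hostname(url: str) -> str:
    """Host part of a URL or a bare 'www.site' string, lower-cased."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_site(a: str, b: str) -> bool:
    """True if one host equals or is a subdomain of the other
    (www.paypal.com ~ paypal.com, but paypal.com.evil.example is not)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def looks_like_url(text: str) -> bool:
    t = text.strip()
    return t.startswith(("http://", "https://", "www.")) or (
        "." in t and " " not in t and "@" not in t)


def audit_links(html: str):
    """Return [(href, reason)] for every link a reader should not click."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = hostname(href)
        parsed = urlparse(href if "://" in href else "http://" + href)
        if parsed.username is not None:
            # http://paypal.com@evil.example really goes to evil.example
            findings.append((href, "credentials in URL hide the real host"))
        elif host in SHORTENERS:
            findings.append((href, "shortened link, destination hidden"))
        elif looks_like_url(text) and not same_site(hostname(text), host):
            findings.append((href, f"displays {hostname(text)} but goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {href}\n  {reason}")
```

The first sample link is flagged because the text shows www.paypal.com while the href goes to paypal.com.account-verify.example (the trick of putting the real domain last), the second because bit.ly hides its destination, and the third passes because the text and the href agree. This is exactly what typing the URL into the browser yourself, rather than clicking, protects against.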
It starts with becoming aware of the risks involved
We can’t control threats, but we can control vulnerabilities. It’s impossible to eliminate all risk, so we need to learn how to track, manage and mitigate it.
Mitigate = apply a patch, change a password, secure your wifi.
Transference = consider this when outsourcing or moving to the cloud. Is the provider solely in charge of your data, or do they too outsource? Is that risk transferred?
Inventories help you determine what belongs and what does not, as well as what and how to maintain things
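As an added example (not part of the original slides), this is the sort of check an inventory enables, tying together the earlier point that you can’t patch software you don’t know about: compare what is actually installed on each machine against an approved list with minimum versions, and report anything unapproved, outdated, or missing. Both CSV tables are constructed sample data; the product names, version numbers and host names are assumptions for the demo, not a real organization’s inventory.

```python
import csv
import io
import re

# Constructed sample data, not a real organization's inventory. The baseline
# is the software the org has approved and the oldest version it will accept;
# the inventory is what was actually found on each machine.
APPROVED_BASELINE = """\
name,min_version
Mozilla Firefox,24.0
Adobe Reader,11.0.4
Java,7.0.450
KeePass,2.23
"""

CURRENT_INVENTORY = """\
host,name,version
frontdesk-pc,Mozilla Firefox,22.0
frontdesk-pc,Adobe Reader,11.0.4
frontdesk-pc,Weather Toolbar,3.3
accounting-pc,Mozilla Firefox,24.0
accounting-pc,Java,7.0.250
accounting-pc,KeePass,2.23
"""


def version_key(version: str):
    """'11.0.4' -> (11, 0, 4) so versions compare numerically; a plain
    string compare would rank '9.5' above '10.0'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def load_rows(csv_text: str):
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_inventory(baseline_csv: str, inventory_csv: str):
    """Return (host, software, problem) for every row that is either not on
    the approved list or older than the minimum version."""
    minimums = {r["name"]: r["min_version"] for r in load_rows(baseline_csv)}
    findings = []
    for row in load_rows(inventory_csv):
        host, name, version = row["host"], row["name"], row["version"]
        if name not in minimums:
            findings.append((host, name, "not on approved list"))
        elif version_key(version) < version_key(minimums[name]):
            findings.append((host, name, f"outdated: {version} < {minimums[name]}"))
    return findings


def missing_software(baseline_csv: str, inventory_csv: str):
    """Approved packages not present on each host, which matters for the
    things every machine should have (an updated browser, a password manager)."""
    names = {r["name"] for r in load_rows(baseline_csv)}
    per_host = {}
    for row in load_rows(inventory_csv):
        per_host.setdefault(row["host"], set()).add(row["name"])
    return {host: sorted(names - found) for host, found in per_host.items()}


if __name__ == "__main__":
    for host, name, problem in audit_inventory(APPROVED_BASELINE, CURRENT_INVENTORY):
        print(f"{host}: {name}: {problem}")
    for host, missing in missing_software(APPROVED_BASELINE, CURRENT_INVENTORY).items():
        print(f"{host}: not installed: {', '.join(missing)}")
```

On the sample data this reports an outdated Firefox and an unapproved toolbar on the front-desk PC and an outdated Java on the accounting PC. Without the inventory, none of those three would have been found, let alone patched or removed.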
Remember what kind of data is available on your phone: names, addresses, the content of email messages…
Back in the days of Windows 98 and into the era of XP, most users were set up as local administrators: ease of use, lack of threats, awkwardness of the OS. But in today’s world, the average computer user should be set up as a regular user, and administrative privileges should be reserved for administrators only. To cut down risk: admin accounts can change configurations, and admin accounts have access to more data and resources, potentially putting more things at risk unless carefully managed.
Non-administrative accounts cannot install software. Consider the issue of appropriately patching all software: if you don’t know it’s installed, you won’t patch it (threat). Now consider a user installing unlicensed software (risk to the org) or, even worse, software that’s infected (huge risk). Now consider drive-by malware or phishing campaigns: with admin privileges, they have the potential to compromise the entire system. Without admin privileges, they can’t do nearly as much (they can still read and damage that user’s own files, but not change the system or hide from the anti-malware software). Malware is after admin privileges so it can make changes to the configuration of the computer, and this is what we wish to squash.