Security on a Shoestring Budget

Source Presentation

Presented at the Nonprofit Technology & Communications Conference on March 16, 2012 (10:30-11:45am), this session by Matthew J. Harmon and Natascha Shawver of IT Risk Limited, LLC delivers practical, budget-friendly security guidance for nonprofit organizations. Matthew had been working in security since the early 90’s, and Natascha had been working with nonprofits on technology projects since 2002.

Why We Are Here Today

The goals of the session were threefold: raise awareness on what impact lack of security could have for an organization’s mission and why risk matters to decision making; explain why security is not exclusively a matter of money; and help organizations reduce organizational risk and improve resiliency. The presenters were clear about what they were not there to do: “We’re not here to sell you any of the products mentioned, they just happen to be what we use and we like them.” And: “People are afraid of what they don’t know. We want to change that for you.”

Terms and Definitions

Impact: To have an effect upon the confidentiality, integrity, or availability of an asset.

Risk: A function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization (NIST 800-30). Or, as Harmon put it: “how long can you get away without patching before something bad happens.”

Threat (or threat agent): Anything that is capable of acting against an asset in a manner that can result in harm (FAIR). The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest (NIATEC). A threat agent has Capability, Intent, and History (OWASP).

Vulnerability: A weakness that could be exploited by a threat. The presence of a vulnerability does not in itself cause harm (NIATEC).

Controls: Measures taken to prevent, correct, or detect a threat.

References: FIPS 199 (2004), NIST SP 800-30, NIATEC (niatec.info), FAIR (fairwiki.riskmanagementinsight.com), OWASP (https://www.owasp.org/index.php/Category:Threat_Agent).

Why Security Matters for Nonprofits

Attacks put your mission at risk through loss of reputation, loss of funding, loss of members, loss of productivity, loss of organizational memory, legal consequences, and fines for compliance violations.

Information Security Fundamentals

Information security is more than just “computer stuff.” Security through obscurity is bad. The pillars are Confidentiality, Integrity, and Availability. Knowledge is everything – ask yourself: What are you protecting? What are you protecting it from? Why are you protecting it? What are your options? Is the protection effective?

The Bare Necessities Checklist

The following list merges NIST and SANS guidance, simplified to make it applicable. The recommendation was to tackle one item every couple of weeks and use the attached worksheets to find your most vulnerable assets. Reference: https://www.sans.org/critical-security-controls/.

#0. Start Writing Down Your Passwords. Safely.

We all have a ridiculous number of passwords to remember – or do we? Use a tool such as LastPass, Password Safe, or KeePass. Two-factor authentication doesn’t have to be hard. Enable account lockout after a reasonable number of attempts; even a value as high as 10 will significantly inhibit brute force attempts. Since you don’t need to remember your password anymore, change it every season or so. See if YubiKey would work for you: http://yubico.com/yubikey.

#1. Create an Asset Inventory & Identify Your Important Information Types

Know what you are trying to protect. Maintain an inventory of authorized (and unauthorized) devices and software, plus an inventory of the information types you are trying to protect. Spreadsheets work well – no need to get fancy. This is needed for financial audits anyway. Track assets by make and model, serial number, operating system, location and owner, last updated date, and data stored on the device.
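An added example, not from the presentation: a small Python script that reads an inventory spreadsheet export laid out with the columns recommended above and cross-references two of them, flagging devices whose "last updated" date is older than the weekly patch check allows and devices whose "data stored" column names a confidential information type. The CSV rows, the keyword list and the review date are constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export of the asset-inventory spreadsheet, using the
# columns the session recommends (make/model, serial, OS, location/owner,
# last updated, data stored). Names and serials are made up.
SAMPLE_INVENTORY = """\
make_model,serial,os,location_owner,last_updated,data_stored
Dell Latitude E6420,ABC123,Windows 7,Sarah (laptop),2012-01-10,individual donors list
Apple iMac,XYZ789,OS X 10.7,Front desk,2012-03-12,none
HP ProLiant ML110,SRV001,Windows Server 2008,Server closet,2011-09-15,membership list;employee records
Acer Aspire One,GST001,Windows XP,Guest kiosk,2012-03-10,none
"""

# Review date is fixed to the session date so the sample is reproducible; use date.today() in practice.
REVIEW_DATE = date(2012, 3, 16)

# Keywords that mark data needing confidentiality (heuristic; extend it for your own information types)
SENSITIVE_TERMS = ("donor", "ssn", "employee", "credit card", "member", "financial")

def parse_inventory(text):
    """Read the spreadsheet export into one dict per asset."""
    return list(csv.DictReader(io.StringIO(text)))

def stale_assets(rows, today, max_age_days=14):
    """Return (serial, days since last update) for assets older than the weekly check allows."""
    result = []
    for row in rows:
        last = datetime.strptime(row["last_updated"], "%Y-%m-%d").date()
        age = (today - last).days
        if age > max_age_days:
            result.append((row["serial"], age))
    return result

def sensitive_assets(rows):
    """Serials of assets whose data_stored column mentions a confidential information type."""
    return [row["serial"] for row in rows
            if any(term in row["data_stored"].lower() for term in SENSITIVE_TERMS)]

def review(text, today):
    """Cross-reference the two lists: sensitive data on an unpatched device goes to the top."""
    rows = parse_inventory(text)
    stale = dict(stale_assets(rows, today))
    sensitive = set(sensitive_assets(rows))
    urgent = sorted(serial for serial in sensitive if serial in stale)
    return {"stale": stale, "sensitive": sorted(sensitive), "urgent": urgent}
```

Running review(SAMPLE_INVENTORY, REVIEW_DATE) puts Sarah's laptop and the server at the top of the list, which is where the first fortnightly checklist effort should go.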

#2. Secure Your Internet Connection

Use secure configurations for network devices such as firewalls, routers, and switches, and establish a secure perimeter. Enable the security features on the existing hardware from your ISP. Change the default passwords. Use unique passwords for all your devices. Configuration checklists are available at nvd.nist.gov and sans.org.

#3. Secure Your Wireless

When using wireless (WiFi), use WPA2 with AES. WEP or “Wired-Equivalent Privacy” is easy to compromise. Disable “SSID Broadcast” to hide your network. Keep track of the devices connected to your wireless just as you would people working in your office.

#4. Defend Against Malware

Protect information, systems, and networks from damage by viruses, spyware, and other malicious code. Don’t blow your whole budget on anti-virus – training people to not do things that put them at risk is much more effective. Microsoft Security Essentials is free and effective. Use VirusTotal.com, virusscan.jotti.org, and www.metascan-online.com for checking one-off files.

The presentation demonstrated that a cute kitten image was harboring malicious code – no anti-virus engine found it and no fancy tricks were used to hide it (it was the EICAR test string). Only go to sites you know and trust. Use a “guest” computer for Facebook and visiting new sites. If in doubt, disable JavaScript. If it sounds too good to be true, it is. If you must use AV, use tools with the least impact such as ESET NOD32 or Microsoft Security Essentials.

#5. Secure Your Network

Turn on the software firewall on workstations and servers. If you have the budget, install a hardware firewall directly behind your ISP’s modem/router. Open source solutions such as pfSense, Smoothwall, and Untangle can be installed on inexpensive hardware. “Unified Threat Management” is the new term for a firewall that does a lot more – WatchGuard and SonicWall both deliver quality UTM devices.

#6. Patch & Update

Patch your operating systems and applications on a regular schedule. Enable Auto-Update where possible. Enable Software Update and check for updates weekly. Check your current state with Secunia PSI or CSI. Most vulnerabilities today are in client-side software such as Acrobat Reader, Java, Internet Explorer, Safari, and Firefox.

#7. Make (Automated) Backups

Make sure you have backup copies of important business data and information, and make sure you know how to recover from backups. An external USB drive works well – store it off-site. A file server is not a backup server; it is a file server. Backups should be offline and scanned for malicious code. Use the built-in tools such as Apple Time Machine and Microsoft’s Backup Utility. If you need your backups online, use a service like rsync.net.

#8. Limit Physical Access

Control physical access to your computers, network components, and other sensitive assets. Change locks on doors if there is an issue, and change PINs regularly. Have a machine set aside for guests to use. Build guest accounts with timed auto-logout.

#9. Limit User Access

Limit user access to data and information, and limit authority to install software. Day-to-day user accounts should not have administrator rights. Restrict access to financial data and personnel data and don’t carry it around with you. Limiting “rogue installations” helps support your asset inventory.

#10. Limit User Privileges

Require individual user accounts for each employee on business computers and for business applications. Each individual should have their own account. Every time you share your password you are authorizing someone to impersonate you.

#11. Educate Yourself About Email Security and How to Behave Online

Only open attachments from people you know. Don’t click on links in emails from people you don’t know. Don’t download applications or documents from untrusted sources. Make sure your staff knows how to use the internet and social media safely. If it sounds too good to be true, it is.

#12. Dispose of Old Equipment (and Data!) Safely

Erase hard drives before discarding them. Wipe computers before giving them to the next employee or to goodwill. Shred documents containing sensitive data.

#13. Have a Disaster Recovery Plan

Have a recovery plan in place should an emergency occur despite your best efforts, and make sure people know how to access it. Know who to contact (in-house staff, vendors, etc.). Know where your backups are. Prepare for physical disasters as well (flood, fire, tornado, etc.) or contingencies (power outage, sewer backup).

#14. Have Policies and Procedures in Place

Define acceptable and unacceptable practices and expectations for employees and general business when using your equipment and network.

#15. Beware of Social Engineering

Train your staff and have policies and guidelines in place. Do some social engineering yourself to see where your weak spots are. Don’t send sensitive info over email, and don’t give it out over the phone either. Be a friendly nosy nelly and check out people’s stories.

#16. Train Your Staff and Volunteers

Train your staff and volunteers in basic security principles as they apply to your organization. Hold a brown bag lunch to introduce staff to your security policies. Industry groups such as ISSA, the Small Business Association, and SANS have local one-on-one training.

#17. Know What Your Allies & Vendors Are Doing

Make sure your allies and third-party vendors adhere to the same standards you set for yourself. Data you share with allies and volunteers should be handled with care. For web hosting, email hosting, and cloud-based applications, confirm that your vendors store your data safely. Review contracts for audit rights and data security policies, and check privacy policies.

Final Comments

As nonprofits, you do quite a bit of strategic thinking already – start doing that for technology, too. Security doesn’t have to be expensive. There are a lot of best practices and common sense things you can implement to make you much safer. Tailor your security efforts around your needs, specifically the data you need to protect. You don’t need to change overnight, you just need to take the first step.

Sample Worksheets

The presentation included four sample worksheets:

  1. Asset Inventory – Track desktops, laptops, software, and peripherals by make/model, serial number, operating system, location/owner, last updated, and data stored on device.
  2. Information Type Prioritization – Identify and prioritize your organization’s information types (e.g., membership list with third-party vendor, individual donors list on a spreadsheet on Sarah’s laptop, employee and vendor records with SSNs and EINs in an unlocked file cabinet).
  3. Protection Needs – Map each information type to confidentiality, integrity, and availability requirements (e.g., funder database needs availability; employee files need confidentiality; credit card receipts from a fundraiser need confidentiality; membership list needs all three).
  4. Cost of Bad Things Happening – For each data type, estimate costs across scenarios (data released, data modified, data lost) including cost of revelation, cost of lost availability, cost of repair/replacement, legal costs/fines, cost of loss of confidence, and cost of loss of productivity.
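An added example, not one of the presentation's worksheets, that works through worksheets 2 to 4 in Python: each information type carries its protection needs and a cost estimate per scenario (released, modified, lost), each scenario is tied to the pillar whose failure it represents, and the types are ranked by worst-case cost so the organization knows what to protect first. The dollar figures are constructed and the check_needs helper is an addition that catches a worksheet 3 need that worksheet 4 contradicts.

```python
from dataclasses import dataclass, field

# Each worksheet scenario is the failure of one of the three pillars
SCENARIO_PROPERTY = {"released": "confidentiality", "modified": "integrity", "lost": "availability"}
COST_CATEGORIES = ("revelation", "lost_availability", "repair_replacement",
                   "legal_fines", "loss_of_confidence", "loss_of_productivity")

@dataclass
class InfoType:
    name: str
    needs: set                                   # pillars from worksheet 3
    costs: dict = field(default_factory=dict)    # scenario -> {category: dollars}, worksheet 4

    def scenario_cost(self, scenario):
        """Total of all cost categories for one scenario (missing entries count as zero)."""
        return sum(self.costs.get(scenario, {}).get(c, 0) for c in COST_CATEGORIES)

    def worst_case(self):
        """The scenario that would cost the most, and that cost."""
        scenario = max(SCENARIO_PROPERTY, key=self.scenario_cost)
        return scenario, self.scenario_cost(scenario)

def check_needs(info):
    """Flag scenarios that carry a cost although the matching pillar was not listed as a need."""
    return [f"{info.name}: '{s}' costs money but {p} is not a stated need"
            for s, p in SCENARIO_PROPERTY.items()
            if info.scenario_cost(s) > 0 and p not in info.needs]

def prioritize(info_types):
    """Rank information types by worst-case cost, highest first: protect these first."""
    return sorted(((i.name,) + i.worst_case() for i in info_types), key=lambda t: -t[2])

# Constructed dollar figures for the information types the session's worksheets use as examples
WORKSHEET = [
    InfoType("membership list (third-party vendor)", {"confidentiality", "integrity", "availability"},
             {"released": {"revelation": 5000, "loss_of_confidence": 20000, "legal_fines": 2500},
              "modified": {"repair_replacement": 3000, "loss_of_productivity": 1500},
              "lost": {"lost_availability": 4000, "repair_replacement": 3000}}),
    InfoType("donor list (spreadsheet on Sarah's laptop)", {"confidentiality"},
             {"released": {"revelation": 10000, "loss_of_confidence": 40000},
              "lost": {"repair_replacement": 2000, "loss_of_productivity": 2000}}),
    InfoType("employee records with SSNs (unlocked cabinet)", {"confidentiality"},
             {"released": {"revelation": 5000, "legal_fines": 15000, "loss_of_confidence": 10000}}),
    InfoType("funder database", {"availability"},
             {"lost": {"lost_availability": 8000, "loss_of_productivity": 6000}}),
]
```

With these figures the donor spreadsheet on a laptop ranks first, and check_needs points out that losing it also costs money even though only confidentiality was written down for it, which is exactly the kind of gap the worksheets are meant to surface.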

Contact

IT Risk Limited, LLC – matthew@itriskltd.com, natascha@itriskltd.com

This presentation can be downloaded from https://github.com/itriskltd. Licensed under the Creative Commons Attribution-NonCommercial 3.0 Unported License (http://creativecommons.org/licenses/by-nc/3.0/).