Cultivating Security in the Small Nonprofit


Upload: roger-hagedorn

Post on 17-May-2015


DESCRIPTION

This is an expanded version of a previous presentation that I did for the Nonprofit Technology & Communications Conference held on April 10, 2013 in Minneapolis, MN.

TRANSCRIPT

Page 1: Cultivating security in the small nonprofit

Cultivating Security

It’s almost like cultivating your garden

© MAP for Nonprofits - 2013

Page 2: Cultivating security in the small nonprofit


Cultivating Security in the Small Nonprofit:

Steps to help you decrease risk

Roger Hagedorn, CISSP

Technology Consultant @ MAP for Nonprofits

Page 3: Cultivating security in the small nonprofit

MAP’s Services Overview

• Legal Counsel and Hotline

• Board Leadership Development

• Accounting and Finance Services

• Technology Services

• Marketing Planning

• Strategic Planning

• Leadership Development

• Project ReDesign

• Fundraising Planning


Page 4: Cultivating security in the small nonprofit

Agenda:


• 6 Security Basics

• Tips and Techniques for Today’s Changing Environment

• Questions

Please feel free to ask questions at any time. This session is for you.

Stop me if I use a term or acronym you’re not familiar with.

Page 5: Cultivating security in the small nonprofit

Preface:

As an IT professional, I work to make technology assist you with your mission and strategic plans; I want it to help you be innovative and successful. I want your organization to thrive.


Page 6: Cultivating security in the small nonprofit

Preface:

But today I’ll talk about “due diligence”: things that folks should be doing in order to keep you, your computers, your data, and your organization’s reputation safe.


Page 7: Cultivating security in the small nonprofit


“It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

—Warren Buffett

Page 8: Cultivating security in the small nonprofit

Conflicting Goals

• What most end-users want:
  – Simplicity/Ease of use
  – Accessibility
  – Support

• What most Information Security people want:
  – Control
  – Compliance
  – Security

• The trick is to strike the balance that’s appropriate for your environment


Page 9: Cultivating security in the small nonprofit

Conflicting Goals

• Large organizations and corporations, where striking that balance can be relatively simple:
  – Team of technicians
  – Serious investment in security systems (e.g., IPS/IDS)
  – Internal technical controls (Active Directory)

• What most small organizations have:
  – “Accidental Techie”
  – Dedication
  – Good will


Page 10: Cultivating security in the small nonprofit

Illusions and Misconceptions

• “Our organization will never be a target of hackers.”
  – We do good work
  – We’re too small to be noticed
  – We have nothing of value

• What small organizations may not realize:
  – Hackers use automated tools (search on “automated hacking tools” but don’t visit the sites)
  – All organizations have things of value:
    • Computing power (botnets)
    • Email contacts (other potential victims)
    • Personal information (identity theft)


Page 11: Cultivating security in the small nonprofit

State of the World

What this means is that even though you’re from a small organization, it’s essential to recognize the importance of information security. It concerns all of us.

That means everybody needs to get on board. And the message that security is important has to come from the top and reach all levels of the organization.

Now let’s get on with it . . .


Page 12: Cultivating security in the small nonprofit


Six Security Basics

What most organizations already have in place

Page 13: Cultivating security in the small nonprofit


Security Basics 1: Passwords

Let’s start with everyone’s favorite subject:

Passwords!

But really, it’s our first line of defense in so many situations.

So let’s discuss . . .

Page 14: Cultivating security in the small nonprofit


Best Practices: Your password should not contain personal information such as your:

• real name
• e-mail address
• street address
• pet’s name
• birth date
• phone number
• social security number

Likewise, it shouldn’t be a fact associated with your spouse/partner, children, etc.

Page 15: Cultivating security in the small nonprofit

Why not?


Because this kind of information is easy to find . . .

Page 16: Cultivating security in the small nonprofit


More things about passwords you already know:

• Your passwords must not be any single word in any language.

• Passwords should contain at least three distinct character classes: uppercase, lowercase, number, non-alphabetic (@#$%, etc.).

• Never use the password you’ve picked for your email account at any online site.

Page 17: Cultivating security in the small nonprofit


More things about passwords you already know:

• Use different ones for different situations. Avoid using the same password at multiple Web sites.

• It’s generally safe to re-use the same password at sites that do not store sensitive information about you (e.g., a news Web site).

Page 18: Cultivating security in the small nonprofit


Just a couple more things about passwords you already know:

• Never give out passwords over the phone or in email.

• Consider changing your most critical passwords on a regular basis (e.g., once a year).

Page 19: Cultivating security in the small nonprofit


Enough about “Password Don’ts”

What to do?

Did you know that when it comes to passwords, length is more important than just about anything?

For example, which of these is harder to crack:

• The hills are alive!
• qX8#hp02

Page 20: Cultivating security in the small nonprofit


Password Strategy No. 1

Now ask yourself “Which is easier to remember?” and you’ll realize the power of using a passphrase instead of a password. You still have to include numbers and a mix of upper- and lower-case characters, but it’s very easy to remember.

• Tul1ps R pretty
• Pl@nt bulbs B4 Spring!
• I8lunch2day

Page 21: Cultivating security in the small nonprofit


Password Strategy No. 1

Passphrases can be very impressive but still simple to remember:

1. “Iw20yatSPttbtpthbgiaoosbtagtras.”

2. “HwmyrsmtBeyuclhm?”

Group Exercise: Create your own phrase!

For example, “My sister Peg is 24 years old” can become “MsPi24yo.”

Page 22: Cultivating security in the small nonprofit


Password Strategy No. 2

Consider using a collection of random words:

1. “Brown T3L3phone nickel s@ndwich”

Group Exercise: Think of four words (but not “elephant”)
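The length argument made on the last few slides, worked through as an added example that is not part of the presentation: a Python script estimating the brute-force search space of the deck’s own sample passwords, with a word-based estimate for Strategy No. 2. The guessing rate (10 billion per second) and the 7776-word list size are illustrative assumptions.

```python
import math

# Brute-force model: the attacker knows which character classes occur in the
# password and tries every string over that alphabet at the password's length.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # 33 = ASCII punctuation + space


def classes_used(password):
    """Return the set of character classes that appear in the password."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def brute_force_bits(password):
    """Bits of search space: length * log2(alphabet size). This is why a long
    passphrase with few classes beats a short string with all four."""
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    return len(password) * math.log2(alphabet)


def word_guessing_bits(n_words, wordlist_size):
    """Entropy when each word is drawn uniformly from a list (Strategy No. 2).
    For a phrase built from common words, such as a song lyric, this is the
    lower bound an attacker with a word list could approach; quote it, not
    the brute-force figure, when the phrase is made of dictionary words."""
    return n_words * math.log2(wordlist_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to try the whole space at an assumed offline-cracking rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["qX8#hp02", "The hills are alive!", "Tul1ps R pretty", "Brown T3L3phone nickel s@ndwich"]:
        bits = brute_force_bits(pw)
        print(f"{pw!r:36} {len(pw):2d} chars {bits:6.1f} bits ~{years_to_exhaust(bits):.1e} years")
    # Four random words from a 7776-word list (the size of a common diceware list)
    print(f"4 random words from 7776: {word_guessing_bits(4, 7776):.1f} bits")
```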

Page 23: Cultivating security in the small nonprofit


Password Strategy No. 3

Consider using a prefix or a suffix:

1. “R3@dy4” + [Gmail, shopping, surf!]
  • R3@dy4yahoo!
  • R3@dy4Craig
  • R3@dy4cloudstorage

2. [onlinenews] + “N3wssite”
  • NytimesN3wssite
  • startribuneN3wssite
  • huffingtonpostN3wssite

Page 24: Cultivating security in the small nonprofit


Password Strategy No. 4

Consider using a password vault that stores all your passwords in an encrypted format and allows you to use just one master password to access all of them. Most will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on a smartphone or USB thumb drive.

• KeePass
• Password Safe
• LastPass
• 1Password
• RoboForm
• Keeper

Page 25: Cultivating security in the small nonprofit


Security Basics 2: Anti-malware

Many companies sell excellent anti-virus solutions:

• McAfee, TRENDnet, Symantec

But there are also free anti-virus programs that do everything the famous solutions do: offer real-time virus protection, scan for viruses, and automatically download the latest anti-virus signatures for maximum protection.

Page 26: Cultivating security in the small nonprofit


Anti-malware Options

For Windows, consider AVG Anti-Virus, Avast, and Microsoft’s Security Essentials. Malwarebytes too. 

For Apple computers, the time is coming to seriously consider protection. Avast, Clam, and Sophos all offer free programs worth considering.

Mac Flashback?

Page 27: Cultivating security in the small nonprofit

Security Basics 3: Use a Better Browser

• Avoid Internet Explorer if at all possible

• Use Google’s Chrome

• Mozilla’s Firefox is pretty good too

• Keep your browser up-to-date

Page 28: Cultivating security in the small nonprofit


Security Basics 4: Update Devices

Operating Systems:
• Turn on Microsoft’s Windows Update
• Respond to Apple’s alerts

Application Software – new tools can help:
• Secunia’s Small Business Software Inspector
• Qualys’ BrowserCheck
• Filehippo’s Update Checker
• Metaquark’s AppFresh (not free)

Page 29: Cultivating security in the small nonprofit


Security Basics 5: Backup that data

Data is generally considered an organization’s first or second most valuable asset -- right behind its people. Someone in your organization needs to know how to verify your backups and recover that data.

Backup in the 1980s-2000 = tape or cassette

Backup in 2000-2010 = disk (SAN, NAS, etc.)

Backup in today’s world:

A. Cloud, or cloud and on-site:
  • CrashPlan, IDrive, MozyPro, et al.

B. Cloud and on-site virtualization:
  • Datto SIRIS, Veeam, Unitrends backup/BC

Page 30: Cultivating security in the small nonprofit


Security Basics 6: Firewall

A firewall is like a moat around a castle:

It’s a perimeter defense designed to control incoming and outgoing network traffic.

Page 31: Cultivating security in the small nonprofit


On Firewalls

Firewalls range from a simple gadget that keeps bad data packets out to sophisticated multi-function gateways (“second-generation firewalls”).

Firewalls can be purchased appliances or software running on computers.

pfSense, ModSecurity, and Smoothwall are free, open source customized Linux distributions. 

Page 32: Cultivating security in the small nonprofit


6 Security Basics

1. Strong passwords, well managed (vault)
2. Anti-malware to fight off viruses, worms, and trojans
3. A better browser to make surfing safer
4. Fully-patched and maintained computers
5. A backup solution that protects your data
6. A firewall to keep your network safe

So we’re safe and secure, at peace with the world.

Page 33: Cultivating security in the small nonprofit


Page 34: Cultivating security in the small nonprofit


If only that were true.

Sadly, it’s no longer so in today’s world.

Audience Participation Time!!

Can anyone think of an easy way of getting around your firewall?

Page 35: Cultivating security in the small nonprofit


How to Circumvent these Defenses

• Dropbox (iCloud, SkyDrive, et al.)
• USB devices
• Rogue wireless access points
• Smartphones
• Social Engineering

All of these can be very useful … or very dangerous

Page 36: Cultivating security in the small nonprofit


Dropbox and its cloud cousins

Offer a direct route from workstation (or other device) to the cloud, circumventing your firewall and any other network monitoring.

“Data exfiltration”

Conversely, an easy and unmonitored way to introduce viruses, trojans and worms into your environment.

No “audit trail”

Page 37: Cultivating security in the small nonprofit


USB Devices—Thumb Drives et al.

Portable storage devices that connect to a computer via its USB port. Great for sharing documents, photos, etc.

But those same characteristics—ease of use and portability—explain why they’ve become one of the most popular and effective ways for hackers to infect computers. 

Consider Stuxnet

Page 38: Cultivating security in the small nonprofit


Rogue Access Points

A rogue access point is one of two things:

• a wireless access point that a staff person might set up on an organization’s network without authorization (malicious or not);

• or one set up so a hacker can conduct a “man-in-the-middle” attack.

Page 39: Cultivating security in the small nonprofit


Smartphones

Wonderful devices that can be used:
• To send/receive email
• To manage your time
• To find your location
• To play Angry Birds

But also:
• For data exfiltration
• As a rogue access point
• To scan your network for vulnerabilities
• As a source of malware

Page 40: Cultivating security in the small nonprofit


Social Engineering

The Easiest Way In of All

Social engineering is the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence game, it is typically deception for the purpose of information gathering, financial fraud, or computer system access.

Page 41: Cultivating security in the small nonprofit


Social Engineering

Social engineers often rely on the natural trusting nature and helpfulness of people as well as on their weaknesses. They might, for example, call an authorized employee with some kind of urgent problem that requires immediate network access.

Page 42: Cultivating security in the small nonprofit


Phishing

Phishing is a special form of social engineering: using email or malicious websites to solicit personal information by posing as a trustworthy organization.

For example, an attacker may send email seemingly from a credit card company or financial institution that requests account information, often suggesting that there is a problem with your account.

Page 43: Cultivating security in the small nonprofit


Phishing

The next slide is an image of a real phishing attack. The email appears to be from the American Express Company, but look carefully at it.

Page 44: Cultivating security in the small nonprofit


Phishing

Page 45: Cultivating security in the small nonprofit


Phishing

Did you notice that the email address was strange? “americanexpress@...”: the domain it used was “email2.americanexpress.com”, which is not the same thing as “americanexpress.com”.

What about the embedded links? They look OK . . . Take another look at the message.

Page 46: Cultivating security in the small nonprofit


Phishing

Page 47: Cultivating security in the small nonprofit


Phishing

This is a classic phishing attack. At first glance, the message looks fine. It even uses real logos. But beware of links in email. Instead of clicking on them, rest your mouse (but don’t click) on the link to see if the address matches the link that was typed in the message.

And just where does http://bit.ly/ZgyvOM take you?
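The two checks these slides walk through, the sender’s domain and the hover-versus-displayed link, as an added example that is not from the presentation: a Python script that inspects a constructed message modelled on the American Express example. The allowlisted sender domain, the shortener list and the placeholder bit.ly path are all assumptions, not values from the slides.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the slide's example; the bit.ly path is a
# placeholder, not the link shown in the presentation.
RAW_EMAIL = """\
From: American Express <americanexpress@email2.americanexpress.com>
Subject: Important: there is a problem with your account
Content-Type: text/html

<html><body><p>Please review your account.</p>
<a href="http://bit.ly/PLACEHOLDER">https://www.americanexpress.com/account</a>
<a href="https://www.americanexpress.com/privacy">Privacy statement</a>
</body></html>
"""

# Assumed allowlist: domains you have confirmed this sender really uses.
EXPECTED_SENDER_DOMAINS = {"americanexpress.com"}
# Shorteners hide the destination, which is exactly what hovering is meant to reveal.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def check_sender(msg):
    """Flag From domains off the allowlist; an unfamiliar subdomain is a prompt to verify."""
    return [f"sender domain {a.domain!r} is not a confirmed sending domain"
            for a in msg["From"].addresses if a.domain.lower() not in EXPECTED_SENDER_DOMAINS]


def check_links(html_body):
    """Flag shortened links and links whose visible URL differs from the real target."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        target = host_of(href)
        if target in URL_SHORTENERS:
            findings.append(f"{href} hides its destination behind {target}")
        if text.startswith(("http://", "https://")) and host_of(text) != target:
            findings.append(f"link text shows {host_of(text)} but points at {target}")
    return findings


def analyze(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    return check_sender(msg) + check_links(msg.get_content())
```

Running `analyze(RAW_EMAIL)` yields three findings for the sample: the unconfirmed sender domain, the shortened link, and the mismatch between the displayed URL and its real target.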

Page 48: Cultivating security in the small nonprofit


So there you go: even with the 6 security basics in place, there are many serious risks to consider in today’s world.

It’s all about learning to live with risk.

And not all risks are created equal:

Page 49: Cultivating security in the small nonprofit


Risk is the likelihood that something bad will happen that causes harm to an asset (or the loss of the asset).

A vulnerability is a weakness that could be used to cause harm to an informational asset.

A threat is anything that has the potential to cause harm.

Risk (due to a threat) = Threat × Vulnerability

www.sans.org

Page 50: Cultivating security in the small nonprofit


Responding to a Particular Risk: Make Risk a Conscious Decision

Mitigation = fix the vulnerability or provide some type of control measure to reduce the likelihood or impact associated with the flaw/vulnerability.

Transference = allow another party to accept the risk on your behalf (rare in IT; think of insurance)

Acceptance = simply allow the system to operate with a known risk.

Avoidance = remove the vulnerable aspect of the system or even the system itself.

Page 51: Cultivating security in the small nonprofit


Easy Risks to Mitigate:

• Create an inventory of devices so you can tell what belongs and what’s rogue
• Create an inventory of software
• Password protect all your devices and change all default passwords (firewalls, routers, servers, laptops, workstations, printers)
• Make sure anti-malware is working
• Make sure your wireless is locked down
• Test your backups (make sure you can restore)
• Limit people’s access to what they need
• Train your staff about risk

Page 52: Cultivating security in the small nonprofit


Easy Risks to Transfer:

• Some backup solutions (most cloud solutions)
• Some wireless setups (e.g., Meraki)
• Certain business systems (Office 365)
• Outsource your website hosting

Page 53: Cultivating security in the small nonprofit


Easy Risks to Accept:

• For business reasons, keeping an old system on-line (e.g., Windows Server 2003 running a phone system)

Page 54: Cultivating security in the small nonprofit


Easy Risks to Avoid:

• Consider banning the use of USB devices (or squirt glue into the actual port)
• Choose not to have a wireless network
• Don’t allow BYOD (Bring Your Own Device)
• Limit administrative privileges on devices

Page 55: Cultivating security in the small nonprofit


4 Last Suggestions for Mitigating Risk

1. If you accept Smartphones:

• No jailbreaking. Software should only be installed from the official app store, marketplace, etc.

• Vet your app sources, especially Android users.

• Screen-lock password. Should kick in automatically after around 5 minutes of inactivity.

• Password protect your SIM card so that if it’s lost, people can’t use it.

• Disable Bluetooth if you don’t use it.

Page 56: Cultivating security in the small nonprofit


4 Last Suggestions for Mitigating Risk

2. Use Admin Privileges Carefully

There are several kinds of user accounts for most systems:

• Guest (disable)

• User

• Administrator

Page 57: Cultivating security in the small nonprofit


4 Last Suggestions for Mitigating Risk

Only computer administrators should use administrative accounts . . . and use them only when administering computers.

On my personal computer:

Administrator – disabled (too easy to guess)
Guest – disabled
RDHadmin – my own administrative account
Roger – my non-administrative account

Page 58: Cultivating security in the small nonprofit


4 Last Suggestions for Mitigating Risk

3. Implement Security Policies, and then enforce them

• Computer Acceptable Use Policy
• BYOD Policy
• Password Policy
• Laptop Usage Policy
• Remote Access Policy
• Guest Access Policy
• Encryption Policy
• Social Network Policy (Facebook, et al.)

Page 59: Cultivating security in the small nonprofit


4 Last Suggestions for Mitigating Risk

4. Educate Your Staff

Don’t assume people know what to do

Create a Security-Aware environment:
• Official “Security Awareness Training”
• Create a library of articles on security issues
• Brown-bag lunch-and-learn
• Share videos (see Sophos)

Page 60: Cultivating security in the small nonprofit

Any Questions or Comments?

2012 MAP TechWorks, a program of MAP for Nonprofits

Page 61: Cultivating security in the small nonprofit

Thank you!


Roger Hagedorn, CISSP

Technology Consultant at MAP


www.cultivatingsecurity.com

Page 62: Cultivating security in the small nonprofit

Resources

• SonicWALL Phishing IQ Test: http://www.sonicwall.com/furl/phishing/

• SANS NewsBites, a semiweekly summary of the most important news articles on computer security during the past week: http://www.sans.org/newsletters/newsbites/

• @Risk summarizes the 3-8 vulnerabilities that matter most, tells what they do and how to protect yourself from them: http://www.sans.org/newsletters/risk/

• Brian Krebs on Security is a daily blog on computer security and cybercrime: http://krebsonsecurity.com/

• Sophos’ “1-minute security tips for the workplace”: http://www.youtube.com/playlist?list=PLD88EACF404839195


Page 63: Cultivating security in the small nonprofit

Resources

• CNET article on password vaults: http://www.infoworld.com/d/security/review-7-password-managers-windows-mac-os-x-ios-and-android-189597

• 26 Online Backup Services Reviewed (April 2013): http://pcsupport.about.com/od/maintenance/tp/online_backup_services.htm

• Man in the Middle Attack Explained: http://en.wikipedia.org/wiki/Man-in-the-middle_attack

• The SANS Institute’s 20 Critical Controls: http://www.sans.org/critical-security-controls/

• The SANS Security Policy Project: http://www.sans.org/security-resources/policies/


Page 64: Cultivating security in the small nonprofit

Free Tools

• Secunia Small Business identifies vulnerabilities in non-Microsoft (third-party) programs: http://secunia.com/products/smb/smallbusiness/

• Qualys BrowserCheck will perform a security analysis of your browser and its plugins to identify any security issues: https://browsercheck.qualys.com/

• FileHippo.com Update Checker scans your computer for installed software (please note that not all programs are supported): http://filehippo.com/updatechecker/
