Cultivating Security
It’s almost like cultivating your garden
© MAP for Nonprofits - 2013
Cultivating Security in the
Small Nonprofit:
Steps to help you decrease risk
Roger Hagedorn, CISSP
Technology Consultant @ MAP for Nonprofits
MAP’s Services Overview
• Legal Counsel and Hotline
• Board Leadership Development
• Accounting and Finance Services
• Technology Services
• Marketing Planning
• Strategic Planning
• Leadership Development
• Project ReDesign
• Fundraising Planning
Agenda:
• 6 Security Basics
• Tips and Techniques for Today’s
Changing Environment
• Questions
Please feel free to ask questions at
any time. This session is for you.
Stop me if I use a term or acronym
you’re not familiar with
Preface:
As an IT professional, I work to make
technology assist you with your
mission and strategic plans; I want it
to help you be innovative and
successful. I want your organization
to thrive.
Preface:
But today I’ll talk about “due diligence”:
things that folks should be doing in order
to keep you, your computers, your data,
and your organization’s reputation safe.
“It takes twenty years to build a
reputation and five minutes to
ruin it. If you think about that,
you’ll do things differently.”
—Warren Buffett
Conflicting Goals
• What most end-users want:
– Simplicity/Ease of use
– Accessibility
– Support
• What most Information Security people want:
– Control
– Compliance
– Security
• The trick is to strike the balance that’s
appropriate for your environment
Conflicting Goals
• Large organizations and corporations, where
striking that balance can be relatively simple:
– Team of technicians
– Serious investment in security systems (e.g.,
IPS/IDS)
– Internal technical controls (Active Directory)
• What most small organizations have:
– “Accidental Techie”
– Dedication
– Good will
Illusions and Misconceptions
• “Our organization will never be a target of hackers.”
– We do good work
– We’re too small to be noticed
– We have nothing of value
• What small organizations may not realize:
– Hackers use automated tools (search on “automated hacking
tools” but don’t visit the sites)
– All organizations have things of value:
• Computing power (botnets)
• Email contacts (other potential victims)
• Personal information (identity theft)
State of the World
What this means is that even though you’re from a
small organization, it’s essential to recognize the
importance of information security. It concerns all
of us.
That means everybody needs to get on board. And
the message that security is important has to come
from the top and reach all levels of the
organization.
Now let’s get on with it . . .
Six Security Basics
What most organizations already
have in place
Security Basics 1: Passwords
Let’s start with everyone’s favorite subject:
Passwords!
But really, it’s our first line of
defense in so many situations.
So let’s discuss . . .
Best Practices:
Your password should not contain personal information such as your:
• real name
• e-mail address
• street address
• pet’s name
• birth date
• phone number
• social security number
Likewise, it shouldn’t be a fact associated with your spouse/partner, children, etc.
Why not?
Because this kind of information is easy to find . . .
More things about passwords you already know:
• Your passwords must not be any single word in any language.
• Passwords should contain at least three distinct character classes: uppercase, lowercase, number, non-alphabetic (@#$%, etc.).
• Never use the password you’ve picked for your email account at any online site.
More things about passwords you
already know:
• Use different ones for different
situations. Avoid using the same
password at multiple Web sites.
• It’s generally safe to re-use the
same password at sites that do not
store sensitive information about
you (e.g., a news Web site)
Just a couple more things about passwords you already know:
• Never give out passwords over the phone or in email.
• Consider changing your most critical passwords on a regular basis (e.g., once a year).
Enough about “Password Don’ts”
What to do?
Did you know that when it comes to passwords,
length is more important than just about
anything?
For example, which of these is
harder to crack:
• The hills are alive!
• qX8#hp02
Password Strategy No. 1
Now ask yourself “Which is easier to remember?” and you’ll realize the power of using a passphrase instead of a password. You still have to include numbers and a mix of upper- and lower-case characters, but it’s very easy to remember:
• Tul1ps R pretty
• Pl@nt bulbs B4 Spring!
• I8lunch2day
Password Strategy No. 1
Passphrases can be very impressive but still simple
to remember:
1. “Iw20yatSPttbtpthbgiaoosbtagtras.”
2. “HwmyrsmtBeyuclhm?”
Group Exercise:
Create your own phrase!
For example, “My sister Peg is 24 years old” can become “MsPi24yo.”
Password Strategy No. 2
Consider using a collection of random words:
1. “Brown T3L3phone nickel s@ndwich”
Group Exercise:
Think of four words (but not
“elephant”)
Password Strategy No. 3
Consider using a prefix or a suffix:
1. “R3@dy4” + [Gmail, shopping, surf!]
• R3@dy4yahoo!
• R3@dy4Craig
• R3@dy4cloudstorage
2. [onlinenews] + “N3wssite”
• NytimesN3wssite
• startribuneN3wssite
• huffingtonpostN3wssite
Password Strategy No. 4
Consider using a password vault: it stores all your passwords in an encrypted format and allows you to use just one master password to access all of them. Most will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on a smartphone or USB thumb drive.
Examples: KeePass, Password Safe, LastPass, 1Password, RoboForm, Keeper
Security Basics 2: Anti-malware
Many companies sell excellent anti-virus solutions:
• McAfee, TRENDnet, Symantec
But there are also free anti-virus programs that do everything the famous solutions do: offer real-time virus protection, scan for viruses, and automatically download the latest anti-virus signatures for maximum protection.
Anti-malware Options
For Windows, consider AVG Anti-Virus, Avast, and Microsoft’s Security Essentials. Malwarebytes too.
For Apple computers, the time is coming to seriously consider protection. Avast, Clam, and Sophos all offer free programs worth considering.
Mac Flashback?
Security Basics 3:
Use a Better Browser
• Avoid Internet Explorer if at all possible
• Use Google’s Chrome
• Mozilla’s Firefox is pretty good too
• Keep your browser up-to-date
Security Basics 4: Update Devices
Operating Systems:
• Turn on Microsoft’s Windows Update
• Respond to Apple’s alerts
Application Software – new tools can help:
• Secunia’s Small Business Software Inspector
• Qualys’ BrowserCheck
• Filehippo’s Update Checker
• Metaquark’s AppFresh (not free)
Security Basics 5: Backup that data
Data is generally considered an organization’s first or second most valuable asset -- right behind its people.
Someone in your organization needs to know how to verify your backups and recover that data.
Backup in the 1980s-2000 = tape or cassette
Backup in 2000-2010 = disk (SAN, NAS, etc.)
Backup in today’s world:
A. cloud, or cloud and on-site:
• CrashPlan, IDrive, MozyPro, et al.
B. cloud and on-site virtualization:
• Datto SIRIS, Veeam, Unitrends backup/BC
Security Basics 6: Firewall
A firewall is like a moat around a castle:
It’s a perimeter defense designed to control
incoming and outgoing network traffic.
On Firewalls
Firewalls range from a simple gadget that keeps bad data packets out to sophisticated multi-function gateways (“second-generation firewalls”).
Firewalls can be purchased appliances or software running on computers.
pfSense, ModSecurity, and Smoothwall are free, open source customized Linux distributions.
6 Security Basics
1. Strong passwords, well managed (use a vault)
2. Anti-malware to fight off viruses, worms, and
trojans
3. A better browser to make surfing safer
4. Fully-patched and maintained computers
5. A backup solution that protects your data
6. A firewall to keep your network safe
So we’re safe and secure, at peace with the world.
If only that were true.
Sadly, it’s no longer so in today’s world.
Audience Participation Time!!
Can anyone think of an easy way of
getting around your firewall?
How to Circumvent these Defenses
• Dropbox (iCloud, SkyDrive, et al.)
• USB devices
• Rogue wireless access points
• Smartphones
• Social Engineering
All of these can be very useful … or very dangerous
Dropbox and its cloud cousins
These offer a direct route from a workstation (or other device) to the cloud, circumventing your firewall and any other network monitoring (“data exfiltration”).
Conversely, they are an easy and unmonitored way to introduce viruses, trojans and worms into your environment, with no “audit trail.”
USB Devices—Thumb Drives et al.
Portable storage devices that connect to a computer via its USB port. Great for sharing documents, photos, etc.
But those same characteristics—ease of use and portability—explain why they’ve become one of the most popular and effective ways for hackers to infect computers.
Consider Stuxnet
Rogue Access Points
A rogue access point is one of two things:
• a wireless access point that a staff person might set up on an organization’s network without authorization (malicious or not);
• or one set up so a hacker can conduct a “man-in-the-middle” attack.
Smartphones
Wonderful devices that can be used:
• To send/receive email
• To manage your time
• To find your location
• To play Angry Birds
But also:
• For data exfiltration
• As a rogue access point
• To scan your network for vulnerabilities
• As a source of malware
Social Engineering
The Easiest Way In of All
Social engineering is the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence game, it is typically deception for the purpose of information gathering, financial fraud, or computer system access.
Social Engineering
Social engineers often rely on the natural trusting nature and helpfulness of people as well as on their weaknesses. They might, for example, call an authorized employee with some kind of urgent problem that requires immediate network access.
Phishing
Phishing is a special form of social engineering: using email or malicious websites to solicit personal information by posing as a trustworthy organization.
For example, an attacker may send email seemingly from a credit card company or financial institution that requests account information, often suggesting that there is a problem with your account.
Phishing
The next slide is an image of a real
phishing attack. The email appears to be
from the American Express Company, but
look carefully at it.
Phishing
[Slide image: the phishing email described above; not reproduced in this transcript]
Phishing
Did you notice that the email address was strange? It was “americanexpress@...”; the domain it used was “email2.americanexpress.com,” which is not the same thing as “americanexpress.com.”
What about the embedded links?
They look OK . . .
Take another look at the message…
Phishing
[Slide image: the phishing email shown again; not reproduced in this transcript]
Phishing
This is a classic phishing attack. At first glance,
the message looks fine. It even uses real
logos. But beware of links in email. Instead of
clicking on them, rest your mouse (but don't
click) on the link to see if the address matches
the link that was typed in the message.
And just where does
http://bit.ly/ZgyvOM take you?
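As an added example (not part of the slides), here is a small Python checker for the three tells the slides describe: a sender domain that is not the brand’s exact domain, link text that names one host while the href points somewhere else, and shortened links whose destination is hidden until followed. The sample message, its link targets and the shortener list are constructed for this example.

```python
"""Check an HTML email for the phishing tells discussed in the slides.
Added example; the sender address, HTML body and link targets below are
constructed to mirror the American Express case and are not a real message."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link shorteners hide the real destination until the link is followed.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Visible link text that itself looks like a URL or a bare hostname.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or bare domain ('' if there is none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(from_addr: str, html_body: str, expected_domain: str) -> list:
    """Return findings as tuples; an empty list means none of the tells were seen.

    The slides treat anything other than the exact brand domain as suspect, so a
    subdomain such as email2.<brand>.com is reported rather than accepted.
    """
    findings = []
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    if sender_domain != expected_domain.lower():
        findings.append(("sender-domain", sender_domain, expected_domain))

    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        if not href:
            continue
        href_host = host_of(href)
        if href_host in SHORTENERS:
            findings.append(("shortener", href))
        # "Hover before you click": the text shows one host, the href another.
        if URL_LIKE.fullmatch(text):
            text_host = host_of(text)
            if text_host and text_host != href_host:
                findings.append(("link-mismatch", text_host, href_host))
    return findings


# Constructed sample modelled on the slides' example; not a real message.
SAMPLE_FROM = "americanexpress@email2.americanexpress.com"
SAMPLE_HTML = """
<p>Dear Cardmember, there is a problem with your account.</p>
<p>Please <a href="http://bit.ly/EXAMPLE">log in</a> to verify your details, or visit
<a href="http://secure-login.example.net/amex">https://www.americanexpress.com/login</a>.</p>
<p><a href="https://www.americanexpress.com/">www.americanexpress.com</a></p>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_FROM, SAMPLE_HTML, "americanexpress.com"):
        print(finding)
```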
So there you go: even with the 6 security
basics in place, there are many serious
risks to consider in today’s world.
It’s all about learning to
live with risk.
And not all risks are
created equal:
Risk is the likelihood that something bad will happen that causes harm to an asset (or the loss of the asset).
A vulnerability is a weakness that could be used to cause harm to an informational asset.
A threat is anything that has the potential to cause harm.
Risk (due to a threat) = Threat × Vulnerability
(Source: www.sans.org)
Responding to a Particular Risk:
Make Risk a Conscious Decision
Mitigation = fix the vulnerability or provide some type
of control measure to reduce the likelihood or impact
associated with the flaw/vulnerability.
Transference = allow another party to accept the risk
on your behalf (rare in IT; think of insurance)
Acceptance = simply allow the system to operate
with a known risk.
Avoidance = remove the vulnerable aspect of the
system or even the system itself.
Easy Risks to Mitigate:
• Create an inventory of devices so you can tell what belongs and what’s rogue
• Create an inventory of software
• Password protect all your devices and change all default passwords (firewalls, routers, servers, laptops, workstations, printers)
• Make sure anti-malware is working
• Make sure your wireless is locked down
• Test your backups (make sure you can restore)
• Limit people’s access to what they need
• Train your staff about risk
Easy Risks to Transfer:
• Some backup solutions (most cloud solutions)
• Some wireless setups (e.g., Meraki)
• Certain business systems (Office 365)
• Outsource your website hosting
Easy Risks to Accept:
• For business reasons, keeping an old system on-line (e.g., Windows Server 2003 running a phone system)
Easy Risks to Avoid:
• Consider banning the use of USB devices (or squirt glue into the actual port)
• Choose not to have a wireless network
• Don’t allow BYOD (Bring Your Own Device)
• Limit administrative privileges on devices
4 Last Suggestions for Mitigating Risk
1. If you accept Smartphones:
• No jailbreaking. Software should only be
installed from the official app store, marketplace,
etc.
• Vet your app sources, especially Android users
• Screen-lock password. Should kick in
automatically after around 5 minutes of inactivity.
• Password protect your SIM card so that if it’s
lost, people can’t use it.
• Disable Bluetooth if you don’t use it.
4 Last Suggestions for Mitigating Risk
2. Use Admin Privileges Carefully
There are several kinds of user accounts for
most systems:
• Guest (disable)
• User
• Administrator
4 Last Suggestions for Mitigating Risk
Only computer administrators should use
administrative accounts . . . and use them only
when administering computers.
On my personal computer:
Administrator – disabled (too easy to guess)
Guest – disabled
RDHadmin – my own administrative account
Roger – my non-administrative account
4 Last Suggestions for Mitigating Risk
3. Implement Security Policies, and then
enforce them
• Computer Acceptable Use Policy
• BYOD Policy
• Password Policy
• Laptop Usage Policy
• Remote Access Policy
• Guest Access Policy
• Encryption Policy
• Social Network Policy (Facebook, et al)
4 Last Suggestions for Mitigating Risk
4. Educate Your Staff
Don’t assume people know what to do
Create a Security-Aware environment
• Official “Security Awareness Training”
• Create a library of articles on security issues
• Brown-bag lunch-and-learn
• Share videos (see Sophos)
Any Questions or Comments?
2012 MAP TechWorks, a program of MAP for Nonprofits
Thank you!
Roger Hagedorn, CISSP
Technology Consultant at MAP
rhagedorn@mapfornonprofits.org
www.cultivatingsecurity.com
Resources
• SonicWALL Phishing IQ Test: http://www.sonicwall.com/furl/phishing/
• SANS NewsBites, a semiweekly summary of the most important
news articles on computer security during the past week:
http://www.sans.org/newsletters/newsbites/
• @Risk summarizes the 3-8 vulnerabilities that matter most, tells what
they do and how to protect yourself from them:
http://www.sans.org/newsletters/risk/
• Brian Krebs on Security is a daily blog on computer security and
cybercrime: http://krebsonsecurity.com/
• Sophos’ “1-minute security tips for the workplace”:
http://www.youtube.com/playlist?list=PLD88EACF404839195
Resources
• CNET article on password vaults:
http://www.infoworld.com/d/security/review-7-password-managers-windows-mac-os-x-ios-and-android-189597
• 26 Online Backup Services Reviewed (April 2013):
http://pcsupport.about.com/od/maintenance/tp/online_backup_services.htm
• Man in the Middle Attack Explained:
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
• The SANS Institute’s 20 Critical Controls:
http://www.sans.org/critical-security-controls/
• The SANS Security Policy Project:
http://www.sans.org/security-resources/policies/
Free Tools
• Secunia Small Business identifies vulnerabilities in non-Microsoft (third-party) programs:
http://secunia.com/products/smb/smallbusiness/
• Qualys BrowserCheck will perform a security analysis of your browser and its plugins to identify any security issues:
https://browsercheck.qualys.com/
• FileHippo.com Update Checker scans your computer for installed software (please note that not all programs are supported):
http://filehippo.com/updatechecker/

 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.IPLOOK Networks
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applicationsnooralam814309
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarThousandEyes
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)IES VE
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Alkin Tezuysal
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIVijayananda Mohire
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTopCSSGallery
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...DianaGray10
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kitJamie (Taka) Wang
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updateadam112203
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfTejal81
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 

Recently uploaded (20)

LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projects
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FEST
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applications
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? Webinar
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAI
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development Companies
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kit
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 update
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 

Cultivating security in the small nonprofit

  • 1. Cultivating Security: It’s almost like cultivating your garden. © MAP for Nonprofits - 2013
  • 2. Cultivating Security in the Small Nonprofit: Steps to help you decrease risk. Roger Hagedorn, CISSP, Technology Consultant @ MAP for Nonprofits
  • 3. MAP’s Services Overview: • Legal Counsel and Hotline • Board Leadership Development • Accounting and Finance Services • Technology Services • Marketing Planning • Strategic Planning • Leadership Development • Project ReDesign • Fundraising Planning
  • 4. Agenda: • 6 Security Basics • Tips and Techniques for Today’s Changing Environment • Questions. Please feel free to ask questions at any time. This session is for you. Stop me if I use a term or acronym you’re not familiar with.
  • 5. Preface: As an IT professional, I work to make technology assist you with your mission and strategic plans; I want it to help you be innovative and successful. I want your organization to thrive.
  • 6. Preface: But today I’ll talk about “due diligence”: things that folks should be doing in order to keep you, your computers, your data, and your organization’s reputation safe.
  • 7. “It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” —Warren Buffett
  • 8. Conflicting Goals • What most end-users want: – Simplicity/Ease of use – Accessibility – Support • What most Information Security people want: – Control – Compliance – Security • The trick is to strike the balance that’s appropriate for your environment.
  • 9. Conflicting Goals • Large organizations and corporations, where striking that balance can be relatively simple: – Team of technicians – Serious investment in security systems (e.g., IPS/IDS) – Internal technical controls (Active Directory) • What most small organizations have: – “Accidental Techie” – Dedication – Good will
  • 10. Illusions and Misconceptions • “Our organization will never be a target of hackers.” – We do good work – We’re too small to be noticed – We have nothing of value • What small organizations may not realize: – Hackers use automated tools (search on “automated hacking tools” but don’t visit the sites) – All organizations have things of value: • Computing power (botnets) • Email contacts (other potential victims) • Personal information (identity theft)
  • 11. State of the World: What this means is that even though you’re from a small organization, it’s essential to recognize the importance of information security. It concerns all of us. That means everybody needs to get on board. And the message that security is important has to come from the top and reach all levels of the organization. Now let’s get on with it . . .
  • 12. Six Security Basics: What most organizations already have in place
  • 13. Security Basics 1: Passwords. Let’s start with everyone’s favorite subject: Passwords! But really, it’s our first line of defense in so many situations. So let’s discuss . . .
  • 14. Best Practices: Your password should not contain personal information such as your: • real name • e-mail address • street address • pet’s name • birth date • phone number • social security number. Likewise, it shouldn’t be a fact associated with your spouse/partner, children, etc.
  • 15. Why not? Because this kind of information is easy to find . . .
  • 16. More things about passwords you already know: • Your passwords must not be any single word in any language. • Passwords should contain at least three distinct character classes: uppercase, lowercase, number, non-alphabetic (@#$%, etc.). • Never use the password you’ve picked for your email account at any online site.
  • 17. More things about passwords you already know: • Use different ones for different situations. Avoid using the same password at multiple Web sites. • It’s generally safe to re-use the same password at sites that do not store sensitive information about you (e.g., a news Web site).
  • 18. Just a couple more things about passwords you already know: • Never give out passwords over the phone or in email. • Consider changing your most critical passwords on a regular basis (e.g., once a year).
  • 19. Enough about “Password Don’ts.” What to do? Did you know that when it comes to passwords, length is more important than just about anything? For example, which of these is harder to crack: • The hills are alive! • qX8#hp02
  • 20. Password Strategy No. 1: Now ask yourself “Which is easier to remember?” and you’ll realize the power of using a passphrase instead of a password. You still have to include numbers and a mix of upper- and lower-case characters, but it’s very easy to remember: • Tul1ps R pretty • Pl@nt bulbs B4 Spring! • I8lunch2day
  • 21. Password Strategy No. 1: Passphrases can be very impressive but still simple to remember: 1. “Iw20yatSPttbtpthbgiaoosbtagtras.” 2. “HwmyrsmtBeyuclhm?” Group Exercise: Create your own phrase! For example, “My sister Peg is 24 years old” can become “MsPi24yo.”
  • 22. Password Strategy No. 2: Consider using a collection of random words: 1. “Brown T3L3phone nickel s@ndwich” Group Exercise: Think of four words (but not “elephant”).
  • 23. Password Strategy No. 3: Consider using a prefix or a suffix: 1. “R3@dy4” + [Gmail, shopping, surf!] • R3@dy4yahoo! • R3@dy4Craig • R3@dy4cloudstorage 2. [onlinenews] + “N3wssite” • NytimesN3wssite • startribuneN3wssite • huffingtonpostN3wssite
  • 24. Password Strategy No. 4: Consider using a password vault that stores all your passwords in an encrypted format and allows you to use just one master password to access all of them. Most will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on a smartphone or USB thumb drive. Examples: KeePass, Password Safe, LastPass, 1Password, RoboForm, Keeper.
  • 25. Security Basics 2: Anti-malware. Many companies sell excellent anti-virus solutions: • McAfee, TRENDnet, Symantec. But there are also free anti-virus programs that do everything the famous solutions do: offer real-time virus protection, scan for viruses, and automatically download the latest anti-virus signatures for maximum protection.
  • 26. Anti-malware Options: For Windows, consider AVG Anti-Virus, Avast, and Microsoft’s Security Essentials. Malwarebytes too. For Apple computers, the time is coming to seriously consider protection. Avast, Clam, and Sophos all offer free programs worth considering. Mac Flashback?
  • 27. Security Basics 3: Use a Better Browser • Avoid Internet Explorer if at all possible • Use Google’s Chrome • Mozilla’s Firefox is pretty good too • Keep your browser up-to-date
  • 28. Security Basics 4: Update Devices. Operating Systems: • Turn on Microsoft’s Windows Update • Respond to Apple’s alerts. Application Software (new tools can help): • Secunia’s Small Business Software Inspector • Qualys’ BrowserCheck • Filehippo’s Update Checker • Metaquark’s AppFresh (not free)
  • 29. Security Basics 5: Back up that data. Data is generally considered an organization’s first or second most valuable asset, right behind its people. Someone in your organization needs to know how to verify your backups and recover that data. Backup in the 1980s–2000 = tape or cassette. Backup in 2000–2010 = disk (SAN, NAS, etc.). Backup in today’s world: A. cloud, or cloud and on-site: • CrashPlan, IDrive, MozyPro, et al. B. cloud and on-site virtualization: • Datto SIRIS, Veeam, Unitrends backup/BC
  • 30. Security Basics 6: Firewall. A firewall is like a moat around a castle: it’s a perimeter defense designed to control incoming and outgoing network traffic.
  • 31. On Firewalls: Firewalls range from a simple gadget that keeps bad data packets out to sophisticated multi-function gateways (“second-generation firewalls”). Firewalls can be purchased appliances or software running on computers. pfSense, ModSecurity, and Smoothwall are free, open source customized Linux distributions.
  • 32. 6 Security Basics: 1. Strong passwords, well managed (vault) 2. Anti-malware to fight off viruses, worms, and trojans 3. A better browser to make surfing safer 4. Fully patched and maintained computers 5. A backup solution that protects your data 6. A firewall to keep your network safe. So we’re safe and secure, at peace with the world.
  • 33. (image slide, no text)
  • 34. If only that were true. Sadly, it’s no longer so in today’s world. Audience Participation Time!! Can anyone think of an easy way of getting around your firewall?
  • 35. How to Circumvent These Defenses: • Dropbox (iCloud, SkyDrive, et al.) • USB devices • Rogue wireless access points • Smartphones • Social Engineering. All of these can be very useful … or very dangerous.
  • 36. Dropbox and its cloud cousins: Offer a direct route from a workstation (or other device) to the cloud, circumventing your firewall and any other network monitoring (“data exfiltration”). Conversely, an easy and unmonitored way to introduce viruses, trojans and worms into your environment. No “audit trail.”
  • 37. USB Devices (Thumb Drives et al.): portable storage devices that connect to a computer via its USB port. Great for sharing documents, photos, etc. But those same characteristics (ease of use and portability) explain why they’ve become one of the most popular and effective ways for hackers to infect computers. Consider Stuxnet.
  • 38. Rogue Access Points: A rogue access point is one of two things: • a wireless access point that a staff person might set up on an organization’s network without authorization (malicious or not), • or one set up so a hacker can conduct a “man-in-the-middle” attack.
  • 39. Smartphones: Wonderful devices that can be used: • To send/receive email • To manage your time • To find your location • To play Angry Birds. But also: • For data exfiltration • As a rogue access point • To scan your network for vulnerabilities • As a source of malware
  • 40. Social Engineering: The Easiest Way In of All. Social engineering is the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence game, it is typically deception for the purpose of information gathering, financial fraud, or computer system access.
  • 41. Social Engineering: Social engineers often rely on the natural trusting nature and helpfulness of people as well as on their weaknesses. They might, for example, call an authorized employee with some kind of urgent problem that requires immediate network access.
  • 42. Phishing: Phishing is a special form of social engineering: the use of email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a credit card company or financial institution that requests account information, often suggesting that there is a problem with your account.
  • 43. Phishing: The next slide is an image of a real phishing attack. The email appears to be from the American Express Company, but look carefully at it.
  • 44. Phishing (screenshot of the phishing email)
  • 45. Phishing: Did you notice that the email address was strange? “americanexpress@...”: the domain it used was “email2.americanexpress.com,” which is not the same thing as “americanexpress.com.” What about the embedded links? They look OK . . . Take another look at the message…
  • 46. Phishing (second screenshot of the phishing email)
  • 47. Phishing: This is a classic phishing attack. At first glance, the message looks fine. It even uses real logos. But beware of links in email. Instead of clicking on them, rest your mouse on the link (but don’t click) to see if the address matches the link that was typed in the message. And just where does http://bit.ly/ZgyvOM take you?
  • 48. So there you go: even with the 6 security basics in place, there are many serious risks to consider in today’s world. It’s all about learning to live with risk. And not all risks are created equal:
  • 49. Risk is the likelihood that something bad will happen that causes harm to an asset (or the loss of the asset). A vulnerability is a weakness that could be used to cause harm to an informational asset. A threat is anything that has the potential to cause harm. Risk (due to a threat) = Threat × Vulnerability (www.sans.org)
  • 50. Responding to a Particular Risk: Make Risk a Conscious Decision. Mitigation = fix the vulnerability or provide some type of control measure to reduce the likelihood or impact associated with the flaw/vulnerability. Transference = allow another party to accept the risk on your behalf (rare in IT; think of insurance). Acceptance = simply allow the system to operate with a known risk. Avoidance = remove the vulnerable aspect of the system or even the system itself.
  • 51. Easy Risks to Mitigate: • Create an inventory of devices so you can tell what belongs and what’s rogue • Create an inventory of software • Password protect all your devices and change all default passwords (firewalls, routers, servers, laptops, workstations, printers) • Make sure anti-malware is working • Make sure your wireless is locked down • Test your backups (make sure you can restore) • Limit people’s access to what they need • Train your staff about risk
  • 52. Easy Risks to Transfer: • Some backup solutions (most cloud solutions) • Some wireless setups (e.g., Meraki) • Certain business systems (Office 365) • Outsource your website hosting
  • 53. Easy Risks to Accept: • For business reasons, keeping an old system on-line (e.g., Windows Server 2003 running a phone system)
  • 54. Easy Risks to Avoid: • Consider banning the use of USB devices (or squirt glue into the actual port) • Choose not to have a wireless network • Don’t allow BYOD (Bring Your Own Device) • Limit administrative privileges on devices
  • 55. 4 Last Suggestions for Mitigating Risk. 1. If you accept Smartphones: • No jailbreaking. Software should only be installed from the official app store, marketplace, etc. • Vet your app sources, especially Android users. • Screen-lock password. Should kick in automatically after around 5 minutes of inactivity. • Password protect your SIM card so that if it’s lost, people can’t use it. • Disable Bluetooth if you don’t use it.
  • 56. 4 Last Suggestions for Mitigating Risk. 2. Use Admin Privileges Carefully. There are several kinds of user accounts for most systems: • Guest (disable) • User • Administrator
  • 57. 4 Last Suggestions for Mitigating Risk. Only computer administrators should use administrative accounts . . . and use them only when administering computers. On my personal computer: Administrator – disabled (too easy to guess); Guest – disabled; RDHadmin – my own administrative account; Roger – my non-administrative account
  • 58. 4 Last Suggestions for Mitigating Risk. 3. Implement Security Policies, and then enforce them: • Computer Acceptable Use Policy • BYOD Policy • Password Policy • Laptop Usage Policy • Remote Access Policy • Guest Access Policy • Encryption Policy • Social Network Policy (Facebook, et al.)
  • 59. 4 Last Suggestions for Mitigating Risk. 4. Educate Your Staff. Don’t assume people know what to do. Create a Security-Aware environment: • Official “Security Awareness Training” • Create a library of articles on security issues • Brown-bag lunch-and-learn • Share videos (see Sophos)
  • 60. Any Questions or Comments? 2012 MAP TechWorks, a program of MAP for Nonprofits
  • 61. Thank you! Roger Hagedorn, CISSP, Technology Consultant at MAP. rhagedorn@mapfornonprofits.org www.cultivatingsecurity.com
  • 62. Resources • SonicWALL Phishing IQ Test: http://www.sonicwall.com/furl/phishing/ • SANS NewsBites, a semiweekly summary of the most important news articles on computer security during the past week: http://www.sans.org/newsletters/newsbites/ • @Risk summarizes the 3-8 vulnerabilities that matter most, tells what they do and how to protect yourself from them: http://www.sans.org/newsletters/risk/ • Brian Krebs on Security is a daily blog on computer security and cybercrime: http://krebsonsecurity.com/ • Sophos’ “1-minute security tips for the workplace”: http://www.youtube.com/playlist?list=PLD88EACF404839195
  • 63. Resources • CNET article on password vaults: http://www.infoworld.com/d/security/review-7-password-managers-windows-mac-os-x-ios-and-android-189597 • 26 Online Backup Services Reviewed (April 2013): http://pcsupport.about.com/od/maintenance/tp/online_backup_services.htm • Man in the Middle Attack Explained: http://en.wikipedia.org/wiki/Man-in-the-middle_attack • The SANS Institute’s 20 Critical Controls: http://www.sans.org/critical-security-controls/ • The SANS Security Policy Project: http://www.sans.org/security-resources/policies/
  • 64. Free Tools • Secunia Small Business identifies vulnerabilities in non-Microsoft (third-party) programs: http://secunia.com/products/smb/smallbusiness/ • Qualys BrowserCheck will perform a security analysis of your browser and its plugins to identify any security issues: https://browsercheck.qualys.com/ • FileHippo.com Update Checker scans your computer for installed software (please note that not all programs are supported): http://filehippo.com/updatechecker/
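The password rules from slides 14 through 24 (no personal information, not a single dictionary word, at least three character classes, and length over complexity) as a small policy checker with a rough guess-space estimate. This is an added example, not a tool from the deck or from MAP; the minimum length, the vocabulary size, the word list and the personal profile are constructed assumptions.

```python
"""Password policy check modelled on the deck's rules (added example)."""
import math
import re

MIN_LENGTH = 10          # assumed threshold; the slides give no number
VOCAB_SIZE = 20_000      # assumed size of an attacker's word list
SYMBOLS = 33             # printable ASCII that is not a letter or digit (incl. space)

# Constructed stand-in for a real dictionary / common-password list.
DICTIONARY = {"the", "hills", "are", "alive", "tulips", "pretty", "password",
              "elephant", "brown", "telephone", "nickel", "sandwich", "lunch", "day"}

# Constructed personal profile of the kind slide 14 warns against reusing.
PROFILE = {"name": "Roger", "pet": "Fido", "birth_year": "1975", "street": "Elm"}


def char_classes(pw):
    """Return the set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def estimate_bits(pw):
    """Rough guess-space estimate in bits, the way a word-list attack sees it.

    A letter run that is a dictionary word costs log2(VOCAB_SIZE) (+1 bit if it
    is capitalised); any other letter costs log2(52); a digit or symbol costs
    log2(10 + SYMBOLS).  Length still wins: four words beat eight random chars.
    """
    bits = 0.0
    for tok in re.findall(r"[A-Za-z]+|[^A-Za-z]", pw):
        if tok.isalpha():
            if tok.lower() in DICTIONARY:
                bits += math.log2(VOCAB_SIZE) + (0 if tok.islower() else 1)
            else:
                bits += len(tok) * math.log2(52)
        else:
            bits += math.log2(10 + SYMBOLS)
    return bits


def check_password(pw, profile=PROFILE):
    """Return the list of violated rules; an empty list means the password passes."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("length")
    if len(char_classes(pw)) < 3:
        violations.append("classes")
    # "Not any single word": strip digits and symbols and look at what is left,
    # so "Elephant2013!" is still just the word "elephant" dressed up.
    core = re.sub(r"[^A-Za-z]", "", pw).lower()
    if core in DICTIONARY:
        violations.append("dictionary_word")
    # Personal information: any profile value of three or more characters.
    lowered = pw.lower()
    if any(len(v) >= 3 and v.lower() in lowered for v in profile.values()):
        violations.append("personal_info")
    return violations


if __name__ == "__main__":
    for candidate in ["qX8#hp02", "The hills are alive!", "Pl@nt bulbs B4 Spring!",
                      "Elephant2013!", "Roger1975!!"]:
        print(f"{candidate!r:26} {estimate_bits(candidate):5.1f} bits  "
              f"{check_password(candidate)}")
```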
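The hover-before-you-click check from slides 45 through 47 (does the link text match where the link really goes, does a shortener hide the destination, is the sender domain the one you expect), automated over a constructed HTML message. This is an added example, not code from the deck; the sample message, the shortener list, the expected sender domains and the placeholder short link are assumptions.

```python
"""Link and sender inspection for a suspected phishing email (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of shortener hosts; extend it from your own mail-gateway data.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

# Assumed allow-list: the exact domains you have on file for the brand.
EXPECTED_SENDER_DOMAINS = {"americanexpress.com"}

# Constructed message in the style of the slide's example; the short link is a placeholder.
SAMPLE_HTML = """
<p>Dear Cardmember, please <a href="http://bit.ly/EXAMPLE">log in to your account</a>
to review recent activity.</p>
<p>Or go to <a href="http://secure-login.example.net/amex">https://www.americanexpress.com</a></p>
<p>Questions? See <a href="https://www.americanexpress.com/help">our help page</a>.</p>
"""

# Link text that itself looks like a URL or host name.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?")


def registrable_domain(host):
    """Last two labels of a host (approximation; co.uk-style suffixes need a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_links(html):
    """Return (kind, href, text) findings: 'shortened_url' or 'text_host_mismatch'."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) in SHORTENERS:
            # A shortener hides the real destination: the slide's "where does it take you?"
            findings.append(("shortened_url", href, text))
        if URL_LIKE.fullmatch(text):
            # The link shows one site but goes to another.
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                findings.append(("text_host_mismatch", href, text))
    return findings


def sender_is_expected(from_addr, expected=EXPECTED_SENDER_DOMAINS):
    """Exact match only: a subdomain you have not seen before is still unverified."""
    domain = from_addr.rsplit("@", 1)[-1].strip("<> ").lower()
    return domain in expected


if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_HTML):
        print(finding)
    print("sender expected:", sender_is_expected("americanexpress@email2.americanexpress.com"))
```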

Editor's Notes

  1. Nonprofits have been hit so hard by the recession, and this is really having an impact on how we serve our clients. Legal Counsel and Hotline – helping nonprofits get incorporated to providing a legal hotline… Board Leadership Development – includes placing people on boards and providing training on how to be an effective board member. Accounting and Finance Services – one of our fastest growing and in-demand areas. Some nonprofits are saving money through outsourcing their accounting function. Others are trying to get a better understanding of their financial data for decision making. Recently added a position that’s more focused on business planning and business modeling. Technology Services – like our accounting area, some nonprofits outsource their technology function to us; other nonprofits use us for technology planning and/or implementation. We also host online and in-person ways for nonprofits to share technology best practices. Marketing Services – marketing planning, brand development, etc. Strategic Development – strategic planning for nonprofits. We are finding that, given the current economic environment and pace of change, many organizations are choosing more streamlined strategic planning processes or are moving to more ongoing strategic conversations, vs. a more traditional in-depth process that yields a 3-5 year plan. Leadership Development – training on emotional intelligence and adaptive leadership, as well as the facilitation of Leaders Circles, tightly facilitated peer learning groups that support leaders. Project ReDesign – another one of our most in-demand service areas; we help nonprofits look at merger and other types of realignment including program transfer, joint operating agreements and dissolutions. Fundraising Consulting.
  2. So = no funds to hire experts, no funds to implement sophisticated technical controls
  3. So = no funds to hire experts, no funds to implement sophisticated technical controls
  4. So = no funds to hire experts, no funds to implement sophisticated technical controls
  5. I hope that all of you already have these 6 in place, so I’ll move relatively quickly through them. Stop me if I’m wrong or if you have questions
  6. Having a unique passphrase on each account is the single best practice for boosting your online security, provided you don’t use the same password at sites that are sensitive.
  7. Any idea how long servers keep their log files?
  8. So let’s talk strategy. Believe it or not, it’s the first one.
  9. Passphrases can be of any arbitrary length and they're much easier to remember than conventional passwords.
  10. Passphrases can be of any arbitrary length and they're much easier to remember than conventional passwords. The first looks complex, but it’s based on the lyrics of Sgt. Pepper's Lonely Hearts Club Band by Lennon/McCartney (“It was twenty years ago today…”). The second is based on Bob Dylan's Blowin' In The Wind, and is derived from the first and last letter of each word (“How many roads must a man walk down…”).
  11. Example of the 4-word technique: simply choose four random words and funk them up a bit. “Animals Africa symphony clearance” can become “@nimalzFriquesimfonyclearAntz.” This is a case where bad spelling is an asset!
  12. Example of my prefix + suffix technique: create a unique prefix that can then introduce a hint that you understand to the website it’s for. #2 uses a suffix that identifies the website category. You could in effect group your
  13. Whatever you do, don’t store your list of passwords on your computer in plain text. Passwords held in email accounts or password-protected Word or Excel documents are very easily exposed, so they represent a security risk. Some folks love the free, open-source KeePass for this duty, while others prefer another free, open-source offering, Password Safe, and still others swear by the cross-platform, browser-based LastPass. Mac users can use 1Password, which even has an iPhone application so you can take them with you too.
  14. The best thing about a product like Symantec’s Endpoint Protection is that it can be centrally administered. But if you don’t have an administrator…
15. The Flashback Trojan was a nasty piece of malware designed to steal personal information. It masqueraded as an Adobe Flash update and targeted the Java runtime on OS X.
16. Use an alternative browser (and no matter what, make sure your browser is the latest version). Both Internet Explorer and Safari have issues (though IE is generally regarded as the worst of breed), and there are better browsers in existence. My current favorite is Google Chrome. Brian Krebs: of the three browsers, Internet Explorer was the only one that had critical, unpatched vulnerabilities that were demonstrably exploited by attackers before patches were made available. According to Microsoft's own account, there were at least six zero-days actively exploited in the past 18 months in IE. All but one of them earned Microsoft's most dire "critical" rating, leaving IE users under zero-day attack for at least 152 days since the beginning of 2011. If we count just the critical zero-days, there were at least 89 non-overlapping days (about three months) between the beginning of 2011 and Sept. 2012 in which IE zero-day vulnerabilities were actively being exploited.
17. The majority of malware infections today come through software vulnerabilities: bugs in legitimate applications that attackers exploit to get their malicious code running on your machine. The more software you have running on your machine, the greater your attack surface. We need to know and control the software that is on our computers and make sure it's correctly patched and up to date.
18. CrashPlan is my favorite online backup service because of its feature set, its cost-effective plans, and because it's local. The best known is probably Carbonite.
19. Whether on a dedicated firewall, a router, or a computer, the firewall should always be on (except on rare occasions). As with all devices and systems, make sure to change the default password.
20. All networks need a firewall (including your home network). Low-cost solution: convert an old PC into a firewall simply by adding a second NIC and installing firewall software.
  21. None of these is inherently bad or dangerous—but their usage in your office should be considered carefully
22. Lock down USB ports. Consider this: what if your accountant puts a spreadsheet of staff salaries on a thumb drive and loses it on the way to the parking lot? How can this situation be avoided? Don't allow USB devices, or only allow USB devices that are encrypted.
23. Smartphones can potentially give unauthorized parties access to a secure network.
  24. Develop a Smartphone Acceptable Use Policy that outlines who can connect to your network and to what extent. Make sure to address using a password on the device
25. Why the easiest way in? Because it's us end-users who do all the work.
  26. Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information.
  27. Phishing is a special form of social engineering.
  32. Never trust a link in an email message. Enter the URL into your browser instead. Similarly, only use bit.ly or other shortened links if you trust the source.
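To show why "never trust a link in an email" is sound advice, here is an added Python example (not from the slides) that scans an HTML email body and flags the tricks phishers use: visible text that names one site while the href goes to another, a user@ prefix before the real host, a raw IP address, and shortener domains that hide the destination. The email body is constructed for the demo; the shortener list and the two-label "registrable domain" rule are simplifying assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Common URL shorteners (assumed list); a short link hides its real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

# Constructed sample email body (not a real message) with four links:
# a look-alike, a shortener, a credential-prefixed raw IP, and one honest link.
SAMPLE_EMAIL = """
<p>Your account is locked. Verify now:
<a href="http://secure-login.example.net/verify">http://www.example.org/account</a></p>
<p>Or use <a href="https://bit.ly/constructed">this short link</a>.</p>
<p>Need help? <a href="https://www.example.org@198.51.100.7/login">support</a></p>
<p>Documentation: <a href="https://www.example.org/help">www.example.org/help</a></p>
"""

URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two DNS labels. Crude on purpose: wrong for suffixes such as
    co.uk; a real implementation would consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def host_of_text(text: str) -> str:
    """Hostname the visible link text claims, or '' if it is not URL-like."""
    if not URL_LIKE.fullmatch(text):
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def suspicious_links(html: str):
    """Return (reason, href) pairs for links a reader should not click."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https"):
            findings.append(("non-http scheme", href))
            continue
        if parts.username is not None:
            # Browsers treat everything before '@' as a username, not the host.
            findings.append(("user@ prefix disguises the real host", href))
        if IPV4.fullmatch(host):
            findings.append(("raw IP address instead of a name", href))
        if host in SHORTENERS:
            findings.append(("shortened link hides destination", href))
        claimed = host_of_text(text)
        if claimed and registrable(claimed) != registrable(host):
            findings.append(("visible text names a different site", href))
    return findings


if __name__ == "__main__":
    for reason, href in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason:40} {href}")
```

Run against the sample, it flags the first three links and passes the fourth, whose visible text and href agree. The same checks are what you do by eye when you hover over a link before typing the address yourself.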
  33. It starts with becoming aware of the risks involved
34. We can't control threats, but we can control vulnerabilities. It's impossible to eliminate all risk, so we need to learn how to track, manage and mitigate it.
35. Mitigate = apply a patch, change a password, secure your Wi-Fi. Transference = consider this when outsourcing or moving to the cloud. Is the provider solely in charge of your data, or do they too outsource? Is that risk really transferred?
  36. Inventories help you determine what belongs and what does not, as well as what and how to maintain things
40. Remember what kind of data is available on your phone: names, addresses, the content of email messages…
41. Back in the days of Windows 98 and into the era of XP, most users were set up as local administrators: ease of use, a lack of threats, and the awkwardness of the OS. But in today's world, the average computer user should be set up as a regular user, with administrative privileges reserved for administrators only. To cut down risk, remember that admin accounts can change configurations, and that admin accounts have access to more data and resources, potentially putting more things at risk unless carefully managed.
42. Non-administrative accounts cannot install software. Consider the issue of appropriately patching all software: if you don't know it's installed, you won't patch it (a vulnerability). Now consider a user installing unlicensed software (a risk to the organization) or, even worse, software that's infected (a huge risk). Now consider drive-by malware or phishing campaigns: with admin privileges, they have the potential to compromise the entire system; without admin privileges, they can't do very much. Malware is after admin privileges so it can make changes to the configuration of the computer, and this is what we want to squash.