Cultivating security in the small nonprofit
 

This is an expanded version of a presentation I gave at the Nonprofit Technology & Communications Conference held on April 10, 2013 in Minneapolis, MN.

Usage Rights: CC Attribution-NonCommercial-NoDerivs License

  • Nonprofits have been hit so hard by the recession, and this is really having an impact on how we serve our clients.
    Legal Counsel and Hotline: helping nonprofits get incorporated, providing a legal hotline, etc.
    Board Leadership Development: includes placing people on boards and providing training on how to be an effective board member.
    Accounting and Finance Services: one of our fastest growing and in-demand areas. Some nonprofits are saving money through outsourcing their accounting function; others are trying to get a better understanding of their financial data for decision making. We recently added a position that's more focused on business planning and business modeling.
    Technology Services: like our accounting area, some nonprofits outsource their technology function to us; other nonprofits use us for technology planning and/or implementation. We also host online and in-person ways for nonprofits to share technology best practices.
    Marketing Services: marketing planning, brand development, etc.
    Strategic Development: strategic planning for nonprofits. We are finding that, given the current economic environment and pace of change, many organizations are choosing more streamlined strategic planning processes or are moving to more ongoing strategic conversations, vs. a more traditional in-depth process that yields a 3-5 year plan.
    Leadership Development: training on emotional intelligence and adaptive leadership, as well as the facilitation of Leaders Circles, tightly facilitated peer learning groups that support leaders.
    Project ReDesign: another one of our most in-demand service areas. We help nonprofits look at merger and other types of realignment, including program transfer, joint operating agreements and dissolutions.
    Fundraising Consulting
  • So = no funds to hire experts, no funds to implement sophisticated technical controls
  • I hope that all of you already have these 6 in place, so I'll move relatively quickly through them. Stop me if I'm wrong or if you have questions.
  • Having a unique passphrase on each account is the single best thing you can do to boost your online security. If you do re-use a password at throwaway sites, make sure it is never one you also use at a site that holds anything sensitive.
  • Any idea how long servers keep their log files?
  • So let's talk strategy. Believe it or not, it's the first one.
  • Passphrases can be of any arbitrary length and they're much easier to remember than conventional passwords. 1. Looks complex, but it's based on the lyrics of Sgt. Pepper's Lonely Hearts Club Band by Lennon/McCartney ("It was twenty years ago today…"). 2. Is based on Bob Dylan's Blowin' In The Wind, and is derived from the first and last letter of each word ("How many roads must a man walk down…").
  • Example of the 4-word technique: simply choose four random words and funk them up a bit. "Animals Africa symphony clearance" can become "@nimalzFriquesimfonyclearAntz". This is a case where bad spelling is an asset!
  • Example of my prefix + suffix technique: create a unique prefix that can then introduce a hint that you understand to the website it's for. #2 uses a suffix that identifies the website category. You could in effect group your
  • Whatever you do, don't store your list of passwords on your computer in plain text. Passwords held in email accounts or password-protected Word or Excel documents are very easily exposed, so they represent a security risk. Some folks love the free, open-source KeePass for this duty, while others prefer another free, open-source offering, Password Safe, and still others swear by the cross-platform, browser-based LastPass. Mac users can use 1Password, which even has an iPhone application so you can take your passwords with you too.
  • The best thing about a product like Symantec’s Endpoint Protection is that it can be centrally administered. But if you don’t have an administrator…
  • Flashback Trojan, a nasty piece of malware designed to steal personal information. Early versions masqueraded as an Adobe Flash update; later variants exploited vulnerabilities in the Java runtime on OS X to install themselves with no user interaction.
  • Use an alternative browser (and no matter what, make sure your browser is the latest version). Both Internet Explorer and Safari have issues (though IE is generally regarded as the worst of breed); there are better browsers in existence. My current favorite is Google Chrome. Brian Krebs: "of the three browsers, Internet Explorer was the only one that had critical, unpatched vulnerabilities that were demonstrably exploited by attackers before patches were made available. According to Microsoft's own account, there were at least six zero-days actively exploited in the past 18 months in IE. All but one of them earned Microsoft's most dire 'critical' rating, leaving IE users under zero-day attack for at least 152 days since the beginning of 2011. If we count just the critical zero-days, there were at least 89 non-overlapping days (about three months) between the beginning of 2011 and Sept. 2012 in which IE zero-day vulnerabilities were actively being exploited."
  • The majority of malware that infects people today does so through software vulnerabilities: bugs in legitimate applications that attackers can exploit to get their malicious code running on your machine. The more software you have running on your machine, the greater the attack surface. We need to know and control the software that is on our computers and make sure it's correctly patched and up to date.
  • CrashPlan is my favorite online backup service because of its feature set, cost-effective plans, and it's local! Best known is probably Carbonite.
  • Whether on a dedicated firewall, router, or computer, it should always be on (except for rare occasions). As with all devices and systems, make sure to change the default password. All networks need a firewall (including your home network). Low-cost solution: use an old PC and convert it to a firewall simply by adding a second NIC and installing firewall software.
  • None of these is inherently bad or dangerous—but their usage in your office should be considered carefully
  • Lock down USB ports. Consider this: what if your Accountant puts a spreadsheet of staff salaries on a thumb drive and loses it on the way to the parking lot? How can this situation be avoided? Don't allow USB devices, or only allow USB devices that are encrypted. (Encryption protects the contents of a lost drive; it does nothing about malware arriving on a drive that is plugged in, which is the other reason to restrict them.)
  • A rogue access point can potentially give unauthorized parties access to a secure network.
  • Develop a Smartphone Acceptable Use Policy that outlines who can connect to your network and to what extent. Make sure to address using a password on the device
  • Why the easiest way in? Because it's us end-users who do all the work. Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information.
  • Phishing is a special form of social engineering.
  • Never trust a link in an email message. Enter the URL into your browser instead. Similarly, only use bit.ly or other shortened links if you trust the source.
  • It starts with becoming aware of the risks involved
  • We can't control threats, but we can control vulnerabilities. It's impossible to eliminate all risk, so we need to learn how to track, manage and mitigate it.
  • Mitigate = apply a patch, change a password, secure your wifi. Transference = consider when outsourcing or moving to the cloud. Is the provider solely in charge of your data, or do they too outsource? Is that risk transferred? (And remember that responsibility to your clients and funders stays with you even when the technical risk is transferred.)
  • Inventories help you determine what belongs and what does not, as well as what and how to maintain things
  • Remember what kind of data is available on your phone: names, addresses, the content of email messages…
  • Back in the days of Windows 98 and into the era of XP, most users were set up as local administrators: ease of use, lack of threats, awkwardness of the OS. But in today's world, the average computer user should be set up as a regular user, and administrative privileges should be reserved for administrators only. To cut down risk: admin accounts can change configurations; admin accounts have access to more data and resources, potentially putting more things at risk unless carefully managed.
  • Non-administrative accounts generally cannot install software (at least not system-wide). Consider the issue of appropriately patching all software: if you don't know it's installed, you won't patch it (threat). Now consider if a user installs unlicensed software (risk to the org) or, even worse, software that's infected (huge risk). Now consider drive-by malware or phishing campaigns: with admin privileges, they have the potential to compromise the entire system. Without admin privileges, they can't do very much to the system itself (though they can still read, encrypt or steal everything that user can access). Malware is after admin privileges so it can make changes to the configuration of the computer; this is what we wish to squash.

Presentation Transcript

  • Cultivating Security. It's almost like cultivating your garden. © MAP for Nonprofits - 2013
  • Cultivating Security in the Small Nonprofit: Steps to help you decrease risk
    Roger Hagedorn, CISSP, Technology Consultant @ MAP for Nonprofits
  • MAP's Services Overview
    • Legal Counsel and Hotline
    • Board Leadership Development
    • Accounting and Finance Services
    • Technology Services
    • Marketing Planning
    • Strategic Planning
    • Leadership Development
    • Project ReDesign
    • Fundraising Planning
  • Agenda:
    • 6 Security Basics
    • Tips and Techniques for Today's Changing Environment
    • Questions
    Please feel free to ask questions at any time. This session is for you. Stop me if I use a term or acronym you're not familiar with.
  • Preface: As an IT professional, I work to make technology assist you with your mission and strategic plans; I want it to help you be innovative and successful. I want your organization to thrive.
  • Preface: But today I'll talk about "due diligence": things that folks should be doing in order to keep you, your computers, your data, and your organization's reputation safe.
  • "It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." —Warren Buffett
  • Conflicting Goals
    • What most end-users want: simplicity/ease of use; accessibility; support
    • What most Information Security people want: control; compliance; security
    • The trick is to strike the balance that's appropriate for your environment
  • Conflicting Goals
    • Large organizations and corporations, where striking that balance can be relatively simple: a team of technicians; serious investment in security systems (e.g., IPS/IDS); internal technical controls (Active Directory)
    • What most small organizations have: an "Accidental Techie"; dedication; good will
  • Illusions and Misconceptions
    • "Our organization will never be a target of hackers." We do good work; we're too small to be noticed; we have nothing of value.
    • What small organizations may not realize: hackers use automated tools (search on "automated hacking tools" but don't visit the sites), and all organizations have things of value: computing power (botnets), email contacts (other potential victims), personal information (identity theft)
  • State of the World: What this means is that even though you're from a small organization, it's essential to recognize the importance of information security. It concerns all of us. That means everybody needs to get on board. And the message that security is important has to come from the top and reach all levels of the organization. Now let's get on with it . . .
  • Six Security Basics: What most organizations already have in place
  • Security Basics 1: Passwords. Let's start with everyone's favorite subject: Passwords! But really, it's our first line of defense in so many situations. So let's discuss . . .
  • Best Practices: Your password should not contain personal information such as your real name, e-mail address, street address, pet's name, birth date, phone number, or social security number. Likewise, it shouldn't be a fact associated with your spouse/partner, children, etc.
  • Why not? Because this kind of information is easy to find . . .
  • More things about passwords you already know:
    • Your passwords must not be any single word in any language.
    • Passwords should contain at least three distinct character classes: uppercase, lowercase, number, non-alphabetic (@#$%, etc.).
    • Never use the password you've picked for your email account at any online site.
  • More things about passwords you already know:
    • Use different ones for different situations. Avoid using the same password at multiple Web sites.
    • It's generally safe to re-use the same password at sites that do not store sensitive information about you (e.g., a news Web site), but remember that a leak from any one of them exposes every account sharing that password, so reserve it for accounts you would not mind losing.
  • Just a couple more things about passwords you already know:
    • Never give out passwords over the phone or in email.
    • Consider changing your most critical passwords on a regular basis (e.g., once a year).
  • Enough about "Password Don'ts". What to do? Did you know that when it comes to passwords, length is more important than just about anything? For example, which of these is harder to crack:
    • The hills are alive!
    • qX8#hp02
  • Password Strategy No. 1: Now ask yourself "Which is easier to remember?" and you'll realize the power of using a passphrase instead of a password. You still have to include numbers and a mix of upper- and lower-case characters, but it's very easy to remember:
    • Tul1ps R pretty
    • Pl@nt bulbs B4 Spring!
    • I8lunch2day
  • Password Strategy No. 1: Passphrases can be very impressive but still simple to remember:
    1. "Iw20yatSPttbtpthbgiaoosbtagtras."
    2. "HwmyrsmtBeyuclhm?"
    Group Exercise: Create your own phrase! For example, "My sister Peg is 24 years old" can become "MsPi24yo."
  • Password Strategy No. 2: Consider using a collection of random words:
    1. "Brown T3L3phone nickel s@ndwich"
    Group Exercise: Think of four words (but not "elephant")
  • Password Strategy No. 3: Consider using a prefix or a suffix:
    1. "R3@dy4" + [Gmail, shopping, surf!]: R3@dy4yahoo!, R3@dy4Craig, R3@dy4cloudstorage
    2. [online news] + "N3wssite": NytimesN3wssite, startribuneN3wssite, huffingtonpostN3wssite
    Caveat: if any one of these leaks, the shared prefix or suffix gives away the pattern for all the others, which is why Strategy No. 4 is the safer choice.
  • Password Strategy No. 4: Consider using a password vault that stores all your passwords in an encrypted format and allows you to use just one master password to access all of them. Most will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on a smartphone or USB thumb drive.
    KeePass, Password Safe, LastPass, 1Password, RoboForm, Keeper
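As an added illustration of the "length beats complexity" point above (this is editorial example code, not part of the slides), the Python below estimates the brute-force search space for each of the example passwords and for four random dictionary words. The guessing rate, the 7776-word Diceware list size and the character-class model are assumptions. Note too that a famous lyric or quotation is in attackers' phrase lists, so the per-character estimate flatters a passphrase taken verbatim from a song; that is exactly why the slides mangle them.

```python
import math
import string

# Added example (not from the slides): estimate how much work an attacker
# faces when guessing each kind of password discussed above.

PUNCT = set(string.punctuation + " ")   # 32 symbols + space = 33 characters


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers the password.

    Assumption: a brute-force attacker tries every combination drawn from
    the character classes the password uses (lower, upper, digits, symbols).
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in PUNCT for c in password):
        size += len(PUNCT)
    return size


def brute_force_bits(password: str) -> float:
    """Bits of work for an exhaustive search over length x character set.

    This overstates the strength of anything taken verbatim from a song,
    film or book: those phrases are in cracking wordlists already.
    """
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(n_words: int, list_size: int = 7776) -> float:
    """Bits of work if the attacker knows the password is n_words random
    words from a list of list_size entries (7776 is the Diceware list)."""
    return n_words * math.log2(list_size)


def average_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password at a given guessing rate.
    1e10/s is a constructed figure for an offline attack on a fast hash."""
    return (2.0 ** bits) / 2 / guesses_per_second


def compare(candidates):
    """Map each candidate password to its brute-force work factor in bits."""
    return {pw: brute_force_bits(pw) for pw in candidates}


if __name__ == "__main__":
    examples = ["qX8#hp02", "The hills are alive!", "Brown T3L3phone nickel s@ndwich"]
    for pw, bits in compare(examples).items():
        years = average_crack_seconds(bits) / (3600 * 24 * 365)
        print(f"{pw!r:36} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
    # Four words chosen truly at random from a 7776-word list, with no
    # "funking up" at all, are already worth about 52 bits: comparable to
    # eight random printable characters, and far easier to remember.
    print(f"4 random Diceware words: {wordlist_bits(4):.1f} bits")
```

The eight-character "qX8#hp02" draws on all four classes (95 symbols) and still lands near 52 bits; the 20-character phrase, using only letters, space and one symbol, is far beyond that. Doubling the length adds far more than adding a character class does, and the four-random-words strategy gets a known work factor without the spelling tricks.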
  • Security Basics 2: Anti-malware. Many companies sell excellent anti-virus solutions: McAfee, Trend Micro, Symantec. But there are also free anti-virus programs that do everything the famous solutions do: offer real-time virus protection, scan for viruses, and automatically download the latest anti-virus signatures for maximum protection.
  • Anti-malware Options: For Windows, consider AVG Anti-Virus, Avast, and Microsoft's Security Essentials. Malwarebytes too. For Apple computers, the time is coming to seriously consider protection. Avast, Clam, and Sophos all offer free programs worth considering. Mac Flashback?
  • Security Basics 3: Use a Better Browser
    • Avoid Internet Explorer if at all possible
    • Use Google's Chrome
    • Mozilla's Firefox is pretty good too
    • Keep your browser up-to-date
  • Security Basics 4: Update Devices
    Operating Systems:
    • Turn on Microsoft's Windows Update
    • Respond to Apple's alerts
    Application Software (new tools can help):
    • Secunia's Small Business Software Inspector
    • Qualys' BrowserCheck
    • Filehippo's Update Checker
    • Metaquark's AppFresh (not free)
  • Security Basics 5: Backup that data. Data is generally considered an organization's first or second most valuable asset, right behind its people. Someone in your organization needs to know how to verify your backups and recover that data.
    Backup in the 1980s-2000 = tape or cassette
    Backup in 2000-2010 = disk (SAN, NAS, etc.)
    Backup in today's world:
    A. cloud, or cloud and on-site: CrashPlan, IDrive, MozyPro, et al.
    B. cloud and on-site virtualization: Datto SIRIS, Veeam, Unitrends backup/BC
  • Security Basics 6: Firewall. A firewall is like a moat around a castle: it's a perimeter defense designed to control incoming and outgoing network traffic.
  • On Firewalls: Firewalls range from a simple gadget that keeps bad data packets out to sophisticated multi-function gateways ("second-generation firewalls"). Firewalls can be purchased appliances or software running on computers. pfSense (FreeBSD-based) and Smoothwall Express (Linux-based) are free, open-source firewall distributions you can install on an old PC; ModSecurity, often listed alongside them, is an open-source web application firewall module for web servers rather than a network firewall.
  • 6 Security Basics
    1. Strong passwords, well managed (vault)
    2. Anti-malware to fight off viruses, worms, and trojans
    3. A better browser to make surfing safer
    4. Fully-patched and maintained computers
    5. A backup solution that protects your data
    6. A firewall to keep your network safe
    So we're safe and secure, at peace with the world.
  • If only that were true. Sadly, it's no longer so in today's world. Audience Participation Time!! Can anyone think of an easy way of getting around your firewall?
  • How to Circumvent these Defenses
    • Dropbox (iCloud, SkyDrive, et al.)
    • USB devices
    • Rogue wireless access points
    • Smartphones
    • Social Engineering
    All of these can be very useful … or very dangerous
  • Dropbox and its cloud cousins offer a direct route from workstation (or other device) to the cloud, circumventing your firewall and any other network monitoring: "data exfiltration". Conversely, an easy and unmonitored way to introduce viruses, trojans and worms into your environment. No "audit trail".
  • USB Devices (Thumb Drives et al.): portable storage devices that connect to a computer via its USB port. Great for sharing documents, photos, etc. But those same characteristics, ease of use and portability, explain why they've become one of the most popular and effective ways for hackers to infect computers. Consider Stuxnet.
  • Rogue Access Points: A rogue access point is one of two things:
    • a wireless access point that a staff person might set up on an organization's network without authorization (malicious or not), or
    • one set up so a hacker can conduct a "man-in-the-middle" attack.
  • Smartphones: Wonderful devices that can be used to send/receive email, to manage your time, to find your location, to play Angry Birds. But also: for data exfiltration, as a rogue access point, to scan your network for vulnerabilities, as a source of malware.
  • Social Engineering: The Easiest Way In of All. Social engineering is the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence game, it is typically deception for the purpose of information gathering, financial fraud, or computer system access.
  • Social Engineering: Social engineers often rely on the natural trusting nature and helpfulness of people as well as on their weaknesses. They might, for example, call an authorized employee with some kind of urgent problem that requires immediate network access.
  • Phishing is a special form of social engineering: using email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a credit card company or financial institution that requests account information, often suggesting that there is a problem with your account.
  • Phishing: The next slide is an image of a real phishing attack. The email appears to be from the American Express Company, but look carefully at it.
  • Phishing [image of the message]
  • Phishing: Did you notice that the email address was strange? "americanexpress@...": the domain it used was "email2.americanexpress.com", which is not the same thing as "americanexpress.com". (A subdomain like that is under the real domain owner's control and may be legitimate, and a From address is easily forged in any case, so treat the sender as a hint rather than proof either way.) What about the embedded links? They look OK . . . Take another look at the message…
  • Phishing [image of the message]
  • Phishing: This is a classic phishing attack. At first glance, the message looks fine. It even uses real logos. But beware of links in email. Instead of clicking on them, rest your mouse (but don't click) on the link to see if the address matches the link that was typed in the message. And just where does http://bit.ly/ZgyvOM take you?
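The checks the slides walk through by eye (sender domain versus the claimed organization, shortened links, and link text that names one host while the href points at another) can be automated. The Python below is an added example, not material from the presentation: the message is constructed to resemble the one described (the bit.ly path is a placeholder), the shortener list is illustrative, and registrable() uses a crude last-two-labels rule that does not know public suffixes such as co.uk.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example: automate the checks the slides above do by eye.
# Assumptions: the sample message is constructed; the shortener list is
# illustrative; registrable() is a crude "last two labels" rule.

SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}


def registrable(host: str) -> str:
    """Crude registrable domain: the last two DNS labels of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_in_text(text: str):
    """If the visible link text looks like a URL or hostname, return its host."""
    t = text.strip().lower()
    for prefix in ("https://", "http://"):
        if t.startswith(prefix):
            t = t[len(prefix):]
    host = t.split("/")[0]
    if "." in host and " " not in host and "@" not in host:
        return host
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message: str, claimed_domain: str):
    """Return (code, detail) findings for a message that claims to come
    from claimed_domain, e.g. 'americanexpress.com'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender domain. From: is trivially forged, so a matching domain
    #    proves nothing; a mismatch is just one more warning sign.
    sender = msg["From"]
    from_domain = sender.addresses[0].domain if sender and sender.addresses else ""
    if registrable(from_domain) != claimed_domain:
        findings.append(("from-mismatch", from_domain))

    # 2. Where each link really goes, versus what it shows the reader.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(("shortener", href))      # destination hidden
        elif registrable(host) != claimed_domain:
            findings.append(("off-domain", host))     # leads somewhere else
        shown = domain_in_text(text)
        if shown and registrable(shown) != registrable(host):
            findings.append(("text-host-mismatch", f"{text} -> {host}"))
    return findings


# Constructed sample modelled on the message the slides describe
# (the bit.ly path is a placeholder, not the one shown in the deck).
SAMPLE_MESSAGE = """From: American Express <americanexpress@email2.americanexpress.com>
To: staff@example.org
Subject: Important information regarding your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected a problem with your account. Please review it here:</p>
<p><a href="http://bit.ly/abc123">www.americanexpress.com/account</a></p>
<p>Thank you, <a href="https://www.americanexpress.com/">American Express</a></p>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_MESSAGE, "americanexpress.com"):
        print(f"{code:20} {detail}")
```

Run against the sample, the sender check passes (email2.americanexpress.com is under americanexpress.com, which is why it alone is not a red flag), while the first link is reported twice: once because it is a shortener and once because its visible text names americanexpress.com but the href goes to bit.ly. That second finding is the hover test from the slide, done by a script.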
  • So there you go: even with the 6 security basics in place, there are many serious risks to consider in today's world. It's all about learning to live with risk. And not all risks are created equal:
  • Risk is the likelihood that something bad will happen that causes harm to an asset (or the loss of the asset). A vulnerability is a weakness that could be used to cause harm to an informational asset. A threat is anything that has the potential to cause harm.
    Risk (due to a threat) = Threat × Vulnerability (www.sans.org)
  • Responding to a Particular Risk: Make Risk a Conscious Decision
    Mitigation = fix the vulnerability or provide some type of control measure to reduce the likelihood or impact associated with the flaw/vulnerability.
    Transference = allow another party to accept the risk on your behalf (rare in IT; think of insurance).
    Acceptance = simply allow the system to operate with a known risk.
    Avoidance = remove the vulnerable aspect of the system or even the system itself.
  • Easy Risks to Mitigate:
    • Create an inventory of devices so you can tell what belongs and what's rogue
    • Create an inventory of software
    • Password protect all your devices and change all default passwords (firewalls, routers, servers, laptops, workstations, printers)
    • Make sure anti-malware is working
    • Make sure your wireless is locked down
    • Test your backups (make sure you can restore)
    • Limit people's access to what they need
    • Train your staff about risk
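As an added example of the first item above (editorial code, not from the deck), the Python below diffs a device inventory against the neighbour table a Linux host reports with `ip neigh show`; both inputs are constructed for the example. It only sees the local subnet and hosts that have talked recently, and a MAC address can be spoofed, so a clean run means "nothing obviously rogue", not proof.

```python
import csv
import io
import re

# Added example (not from the slides): compare what is actually on the wire
# with the device inventory. Both inputs below are constructed. The
# neighbour table is in the format of `ip neigh show` on Linux; on Windows
# you would parse `arp -a` instead and adjust the regex.

NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)

INVENTORY_CSV = """mac,owner,description
00:11:22:33:44:01,IT,Firewall (old PC with a second NIC)
00:11:22:33:44:02,Finance,Accounting workstation
00:11:22:33:44:03,Office,Network printer
00:11:22:33:44:04,IT,Wireless access point
"""

NEIGH_TABLE = """192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:02 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:03 REACHABLE
192.168.1.77 dev eth0 lladdr a4:c3:f0:12:34:56 REACHABLE
192.168.1.90 dev eth0 FAILED
"""


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so CSV and OS output compare equal."""
    return mac.strip().lower().replace("-", ":")


def load_inventory(text: str) -> dict:
    """Map normalized MAC -> inventory row."""
    return {normalize_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}


def parse_neighbours(text: str):
    """Yield (ip, mac) for entries that resolved to a hardware address."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield m.group("ip"), normalize_mac(m.group("mac"))


def audit(inventory_text: str, neigh_text: str):
    """Return (unknown, missing): devices seen but not inventoried, and
    inventoried devices not currently seen (switched off, or gone)."""
    inventory = load_inventory(inventory_text)
    seen = dict(parse_neighbours(neigh_text))          # ip -> mac
    unknown = [(ip, mac) for ip, mac in seen.items() if mac not in inventory]
    missing = [mac for mac in inventory if mac not in seen.values()]
    return unknown, missing


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    unknown, missing = audit(INVENTORY_CSV, NEIGH_TABLE)
    for ip, mac in unknown:
        print(f"UNKNOWN device {mac} at {ip}: not in inventory, investigate")
    for mac in missing:
        print(f"not seen: {mac} ({inventory[mac]['description']})")
```

On the sample data the host at 192.168.1.77 is flagged as unknown and the access point is reported as not seen; the second list is as useful as the first, since an inventoried device that never appears may have been removed or replaced without anyone updating the list.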
  • Easy Risks to Transfer:
    • Some backup solutions (most cloud solutions)
    • Some wireless setups (e.g., Meraki)
    • Certain business systems (Office 365)
    • Outsource your website hosting
  • Easy Risks to Accept: For business reasons, keeping an old system on-line (e.g., Windows Server 2003 running a phone system)
  • Easy Risks to Avoid:
    • Consider banning the use of USB devices (or squirt glue into the actual port)
    • Choose not to have a wireless network
    • Don't allow BYOD (Bring Your Own Device)
    • Limit administrative privileges on devices
  • 4 Last Suggestions for Mitigating Risk. 1. If you accept Smartphones:
    • No jailbreaking. Software should only be installed from the official app store, marketplace, etc.
    • Vet your app sources, especially Android users
    • Screen-lock password. Should kick in automatically after around 5 minutes of inactivity.
    • Password protect your SIM card so that if it's lost, people can't use it.
    • Disable Bluetooth if you don't use it.
  • 2. Use Admin Privileges Carefully. There are several kinds of user accounts for most systems: Guest (disable), User, Administrator
  • Only computer administrators should use administrative accounts . . . and use them only when administering computers. On my personal computer:
    Administrator – disabled (too easy to guess)
    Guest – disabled
    RDHadmin – my own administrative account
    Roger – my non-administrative account
  • 3. Implement Security Policies, and then enforce them: Computer Acceptable Use Policy; BYOD Policy; Password Policy; Laptop Usage Policy; Remote Access Policy; Guest Access Policy; Encryption Policy; Social Network Policy (Facebook, et al.)
  • 4. Educate Your Staff. Don't assume people know what to do. Create a Security-Aware environment: official "Security Awareness Training"; create a library of articles on security issues; brown-bag lunch-and-learn; share videos (see Sophos)
  • Any Questions or Comments? 2012 MAP TechWorks, a program of MAP for Nonprofits
  • Thank you! Roger Hagedorn, CISSP, Technology Consultant at MAP. rhagedorn@mapfornonprofits.org, www.cultivatingsecurity.com
  • Resources
    • SonicWALL Phishing IQ Test: http://www.sonicwall.com/furl/phishing/
    • SANS NewsBites, a semiweekly summary of the most important news articles on computer security during the past week: http://www.sans.org/newsletters/newsbites/
    • @Risk summarizes the 3-8 vulnerabilities that matter most, tells what they do and how to protect yourself from them: http://www.sans.org/newsletters/risk/
    • Brian Krebs on Security is a daily blog on computer security and cybercrime: http://krebsonsecurity.com/
    • Sophos' "1-minute security tips for the workplace": http://www.youtube.com/playlist?list=PLD88EACF404839195
  • Resources
    • InfoWorld review of 7 password managers: http://www.infoworld.com/d/security/review-7-password-managers-windows-mac-os-x-ios-and-android-189597
    • 26 Online Backup Services Reviewed (April 2013): http://pcsupport.about.com/od/maintenance/tp/online_backup_services.htm
    • Man in the Middle Attack Explained: http://en.wikipedia.org/wiki/Man-in-the-middle_attack
    • The SANS Institute's 20 Critical Controls: http://www.sans.org/critical-security-controls/
    • The SANS Security Policy Project: http://www.sans.org/security-resources/policies/
  • Free Tools
    • Secunia Small Business identifies vulnerabilities in non-Microsoft (third-party) programs: http://secunia.com/products/smb/smallbusiness/
    • Qualys BrowserCheck will perform a security analysis of your browser and its plugins to identify any security issues: https://browsercheck.qualys.com/
    • FileHippo.com Update Checker scans your computer for installed software (please note that not all programs are supported): http://filehippo.com/updatechecker/