Community IT Webinar - IT Security for Nonprofits
•Download as PPTX, PDF•
1 like•815 views
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Community IT Webinar - IT Security for Nonprofits
Similar to Community IT Webinar - IT Security for Nonprofits (20)
More from Community IT Innovators
More from Community IT Innovators (20)
Recently uploaded
Recently uploaded (20)
Community IT Webinar - IT Security for Nonprofits
- 1. Community IT Innovators Webinar Series IT Security New and Emerging Best Practices Presenters: Steve Longenecker Matthew Eshleman #ITSecurity October 23, 2014
- 2. Webinar Tips • Ask questions Post questions via chat • Interact Respond to polls during webinar • Focus Avoid multitasking. You may just miss the best part of the presentation • Webinar PowerPoint & Recording PowerPoint and recording links will be shared after the webinar
- 3. About Community IT Community IT Innovators partners with nonprofits to help them solve their strategic & day-to-day IT challenges. Strategic Proactive approach so you can make IT decisions that support your mission and grow with you Collaborative Team of over 30 staff who empower you to make informed IT choices Invested We are committed to supporting your mission, and take care of your IT network as if it were our own Nonprofit focus Worked with over 900 nonprofits since 1993
- 4. Presenters Steve Longenecker, Project Manager slongenecker@communityit.com @CommunityIT Matt Eshleman, Chief Technology Officer meshleman@communityit.com @meshleman
- 5. Agenda • The Big Picture • Security Culture • Security Best Practices • Questions
- 6. The Big Picture Source: From geograph.org.uk, Author: Tom Munro http://commons.wikimedia.org/wiki/File:View_across_the_Valley_of_the_Stones_-_geograph.org.uk_-_435889.jpg
- 8. What are your organization’s CIA requirements? It varies, and depends on the information... PDF of signed Annual Performance Review • Confidentiality: Limit to HR and Supervisor (this may be a regulatory issue) • Integrity: Data should not change and must have utmost confidence file is not altered. • Availability: Needed only upon request, within 2-3 days. Your Accounting System • Confidentiality: Limit to Finance Department and President • Integrity: Data constantly updated. Need ability to roll back last thirty days’ activity. Must have record of who changed what. • Availability: Up to 8 hours of downtime is acceptable.
- 9. CIA Worksheet Security Objective LOW MODERATE HIGH Confidentiality Disclosure of information could be expected to have a limited adverse effect Disclosure of information could be expected to have a serious adverse effect Disclosure of information could be expected to have a severe or catastrophic effect Integrity Modification or Destruction of data could be expected to have a limited adverse effect Modification or Destruction of data could be expected to have a serious adverse effect Modification or Destruction of data could be expected to have a severe adverse effect Availability The disruption of access to or use of information could be expected to have a limited adverse effect The disruption of access to or use of information could be expected to have a serious adverse effect The disruption of access to or use of information could be expected to have a severe adverse effect
- 10. Assessing Risk • NSA reads your email. • You are the victim of hacker attack targeted at your organization specifically. • You are the victim of general hacker attack, probably a script downloaded from the Internet. • Data compromise due to known vulnerabilities in your IT infrastructure’s software/firmware. • Data compromise due to action of disgruntled employee or former employee. • Loss of data due to run-of-the-mill hardware failure. • Data compromise due to end user carelessness.
- 11. http://www.strozfriedberg.com/wp-content/uploads/2014/01/Stroz-Friedberg_On-the- Pulse_Information-Security-in-American-Business.pdf The Stroz Friedberg report describes an online survey of 764 information workers in the United States working for companies with more than 20 people, conducted by KRC Research in the fall of 2013.
- 12. Find the balance between CIA requirements and accessibility/cost. Artist: Winslow Homer, Title: The See-Saw, Current location: Arkell Museum, Source/Photographer: The Athenaeum http://commons.wikimedia.org/wiki/File:Winslow_Homer_-_The_See-Saw_(1873).jpg
- 13. Security Culture Source: New York City Department of Transportation, Author: Nicholas Whitaker Photography https://www.flickr.com/photos/nycstreets/9970004423/
- 14. Policies for End Users • Appropriate Use Policy and Controls • Password Policy • BYOD and BYOA Policies
- 15. Policies for the IT Department • Patching Policy. • Data Retention Policies • Identity and Access management.
- 16. Who “owns” security • Office Manager? • HR person? • CIO? • CFO? • CRO?
- 17. Security Best Practices Source: by Iphone4 , Author Dicti0nary0 http://commons.wikimedia.org/wiki/File:Authentication_devices.jpg
- 18. Foundational Practices Passwords Backups Patching Antivirus
- 19. Our Experience • Most common cause of data loss – Hardware failure • Second most common cause of data loss – Viruses • Recovery from “unmanaged backup” - measured in multiple days
- 20. Evolving Org Trends • Cloud based services • Elimination of workplace borders • Bring Your Own Device • Bring Your Own App
- 21. Emerging Best Practices • Single Sign On • 2FA • Mobile Device Management • Application Approval • Encryption • Adaptive Defense
- 22. Practical Next Steps • Have a data inventory: Know what data you have, where it is and how its protected • Make sure you have good passwords (and don’t use the same ones) • Start planning for 2FA
- 23. Questions? Author: DuMont Television/Rosen Studios, New York-photographer, Uploaded by We hope at en.wikipedia http://commons.wikimedia.org/wiki/File:20_questions_1954.JPG
- 24. Upcoming Webinar Thursday November 20 4:00 – 5:00 PM EST The Future of Nonprofit CRM: Takeaways from BBCon and Dreamforce David Deal and Kyle Haines
- 25. After the webinar • Connect with us • Provide feedback Short survey after you exit the webinar. Be sure to include any questions that were not answered. • Missed anything? Link to slides & recording will be emailed to you.
Editor's Notes
- Matt’s
- Matt’s
- Matt, then Steve
- Matt
- Matt – current events (heartbleed, shellshock, cryptolocker, sandworm,Target, HomeDepot) Steve’s slide – Looking for images for this PPT on the Wikipedia Commons page. I was having trouble finding a good image to sum up IT Security issues. My searches were turning up lots of pictures of security guards or of firewalls. So then I searched on “The Big Picture” and found this lovely image of a view, with a gate in front of it. It’s a great “Big Picture” image about security because of its focus on the gate. This is a common mistake made when people think about IT security (or home security for that matter), they focus on the main way in. A hole in the fence may be just off frame.
- Steve’s There are three things that we want when we say we want information to be secure… confidentiality, integrity and availability. These are not in conflict with each other, it’s not a balance, so that’s not the idea of the diagram. More that there are three components to saying some information is “secure” Confidentiality Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems. If an unauthorized person gains access to the information, a breach in confidentiality has occurred. Integrity In information security, data integrity is trusting the accuracy and consistency of your data. Are modifications to data accurate? Who made the modifications? If a mistake is made, can you roll back? If data is modified in an unauthorized manner, will you detect it? Very simple example of Information integrity gone awry is copying and pasting a column from one spreadsheet to another and getting off one cell so the data is matched to the wrong row. Or, errors in a data export from one system to another. More nefarious example is a virus altering records. Availability For any information system to serve its purpose, the information must be available when it is needed. So here were talking about redundant servers and the like.
- Steve’s – so let’s talk about the CIA framework with two examples. And I admit I’m an IT guy, not a finance or HR expert, so my apologies if I’ve misunderstood how these systems work.
- Matt: the CIA triad comes from the NIST standard 199 http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf For each piece of data ask the questions in the column as No Impact, Minimal Impact, Limited Impact or Severe Impact. Example http://www.bloginfosec.com/2012/07/26/the-cia-triad-theory-and-practice/2/ Medical Records Phone Book Twitter
- Steve’s: Ask audience rhetorical questions: which risks are most likely, which are most easily addressed, which have greatest cost, which are most often overlooked. Most of Community IT’s clients are not TARGETS of malicious hackers, at least not personally directed targets. They might have something useful, like a fast Internet connection, that a hacker would be happy to generically exploit. But IT vandalism is not usually directed at nonprofits. Anecdotally, lots of security people would say the generic exploit is very common. We FREQUENTLY see security logs on Internet accessible servers that show probing by bots. These bots aren’t sophisticated so a decent password policy will generally thwart them, but you wouldn’t want to expose server with no password at all. It WOULD be compromised. Finally, probably at the end of the day, user carelessness is probably the largest source of risk that’s out there.
- Matt’s slide. www.strozfriedberg.com/wp-content/uploads/2014/01/Stroz-Friedberg_On-the-Pulse_Information-Security-in-American-Business.pdf
- Steve’s slide – This is the last of the “Big Picture” slides and we just want to point out that there is a compromise between very rigorous CIA requirements and accessibility/costs. High availability systems cost more money than systems that have less guaranteed uptime because you need to pay for redundant servers, switches, etc. Confidentiality can be improved by restricting access to only local users, but then your remote users may be less efficient in their work.
- Steve’s slide: Security Culture: Lots of people with guns at airports, cameras on buildings, Safety Culture: training & education, keeping your data safe Prior data loss impacts the organization culture
- Matt’s slide Appropriate Use: What are users allowed to do on your network and/or with company issued equipment? How that usage is monitored? PW Policy: Frequency, Complexity, Sharing, Storage – can mention the fact that password complexity is over-rated in some ways. Bring Your Own Device: something we are still hashing out Bring Your Own Apps:
- Matt’s slide: These are polices which can be mostly transparent to the end user. Here again, the greater the complexity of your network, the more scrutiny is required. Patching: Scheduling, Staffing (who does the work) Data: Retention, Backup, User Access (both inside and outside your network) Identity and Access management - Who creates accounts and sets passwords? Auditing folder permissions, who closes accounts? What happens to a users data when he or she leaves the organization
- Matt’s slide Chief Security Officer is likely too much, but who on leadership advocates for IT Security? Every client we have has a different person in charge of IT, but the most successful ones have this role delegated or assigned. One person makes the calls, one person serves as the point of contact for IT support. Security and IT concerns can often be neglected when it’s a secondary role or an unofficial one because items in your job description tend to trump side roles. If no one takes point or can implement these changes, or there is no one in charge of following up after changes are made, then you are no more secure then when you started. Why it Matters: More efficient and secure way to make sure that polices and practices are put in place. Like any business endeavor, IT security requires leadership and direction. In this presentation we raise a lot of questions. The first question should be: who should have these answers?
- Matt
- SANS Password Policy Doc https://www.sans.org/security-resources/policies/general/pdf/password-protection-policy IBM attack vectors http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03045usen/WGL03045USEN.PDF
- Steve – Related to CIA The biggest impact to data security is data availability
- Matt: This is talking about how the IT Infrastructure in the NP community is changing
- Matt FireEye security webinar https://www.brighttalk.com/webcast/7451/115295
- Matt
- Matt
- Matt
- Matt Maintain your firewall - backup, firmware, remove old Firewalls can also do perimeter filtering for viruses, credit card numbers, etc. Policies must be established. What sites and services are blocked or allowed through? Who is allowed to make changes?
- Steve
- Steve
- Steve
- Matt
- Matt
- Matt Connections between systems can compromise the “two” factors. User has cached credentials pw database on their phone (and SMS comes to their phone).
- Matt Before slide is over, mention that that’s not all of the technology tools. Wireless security, limiting physical access, SSL encryption on network traffic.
- Note that this is the third Thursday, not the fourth. Our thought was to do a debrief of what we learned both @ bbcon and df. We think that there is no more clarity around a ‘recommended’ direction for nonprofits with respect to CRM and came away from df wondering what in the world the SFDC foundation is thinking. We’d obviously need to modulate that message, but we think that we’re uniquely positioned to be able to offer perspective on the announced direction of both companies while overlaying that with some inside baseball talk…."