Community IT Webinar - IT Security for Nonprofits
1. Community IT Innovators Webinar Series
IT Security New and
Emerging Best Practices
Presenters:
Steve Longenecker
Matthew Eshleman
#ITSecurity
October 23, 2014
2. Webinar Tips
• Ask questions
Post questions via chat
• Interact
Respond to polls during webinar
• Focus
Avoid multitasking. You may just miss
the best part of the presentation
• Webinar PowerPoint & Recording
PowerPoint and recording links will be
shared after the webinar
3. About Community IT
Community IT Innovators partners with nonprofits to help them solve their
strategic & day-to-day IT challenges.
Strategic
Proactive approach so you can make IT decisions that support your
mission and grow with you
Collaborative
Team of over 30 staff who empower you to make informed IT choices
Invested
We are committed to supporting your mission, and take care of your IT
network as if it were our own
Nonprofit focus
Worked with over 900 nonprofits since 1993
4. Presenters
Steve Longenecker, Project Manager
slongenecker@communityit.com
@CommunityIT
Matt Eshleman, Chief Technology Officer
meshleman@communityit.com
@meshleman
5. Agenda
• The Big Picture
• Security Culture
• Security Best Practices
• Questions
6. The Big Picture
Source: From geograph.org.uk, Author: Tom Munro
http://commons.wikimedia.org/wiki/File:View_across_the_Valley_of_the_Stones_-_geograph.org.uk_-_435889.jpg
7.
8. What are your organization’s
CIA requirements?
It varies, and depends on the information...
PDF of signed Annual Performance Review
• Confidentiality: Limit to HR and Supervisor (this may be a regulatory
issue)
• Integrity: Data should not change and must have utmost confidence file is
not altered.
• Availability: Needed only upon request, within 2-3 days.
Your Accounting System
• Confidentiality: Limit to Finance Department and President
• Integrity: Data constantly updated. Need ability to roll back last thirty days’
activity. Must have record of who changed what.
• Availability: Up to 8 hours of downtime is acceptable.
9. CIA Worksheet
Security Objective | LOW | MODERATE | HIGH
Confidentiality | Disclosure of information could be expected to have a limited adverse effect | Disclosure of information could be expected to have a serious adverse effect | Disclosure of information could be expected to have a severe or catastrophic effect
Integrity | Modification or destruction of data could be expected to have a limited adverse effect | Modification or destruction of data could be expected to have a serious adverse effect | Modification or destruction of data could be expected to have a severe adverse effect
Availability | The disruption of access to or use of information could be expected to have a limited adverse effect | The disruption of access to or use of information could be expected to have a serious adverse effect | The disruption of access to or use of information could be expected to have a severe adverse effect
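Worked example, added here and not part of the webinar deck: the worksheet above applied the FIPS 199 way, rating each of the two information types from the previous slide per objective and then rolling several types up into one system category by the high-water mark. The LOW/MODERATE/HIGH values assigned to the Performance Review and Accounting System are this example's own reading of the slide, not numbers the presenters gave; the "phone book" type with a not-applicable confidentiality rating is constructed to show the FIPS 199 rule that a system-level objective can never be N/A.

```python
# Added example: FIPS 199 security categorization of the slide's two
# information types (impact levels below are assumptions, not the deck's).
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, Optional


class Impact(IntEnum):
    """Potential impact levels from the CIA worksheet."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """Ratings for one information type. FIPS 199 lets confidentiality be
    'not applicable' (None) for public information; integrity and
    availability always receive a level."""
    name: str
    confidentiality: Optional[Impact]
    integrity: Impact
    availability: Impact

    def high_water_mark(self) -> Impact:
        # Overall rating of one type: the highest of its objectives.
        levels = [self.integrity, self.availability]
        if self.confidentiality is not None:
            levels.append(self.confidentiality)
        return max(levels)


def system_category(types: Iterable[SecurityCategory]) -> Dict[str, Impact]:
    """Roll several information types up into a system category:
    per objective take the maximum across types (FIPS 199 section 3).
    At system level no objective may be N/A, so confidentiality is at
    least LOW even when every type rated it N/A."""
    types = list(types)
    if not types:
        raise ValueError("a system must process at least one information type")
    conf = max((t.confidentiality for t in types
                if t.confidentiality is not None), default=Impact.LOW)
    integ = max(t.integrity for t in types)
    avail = max(t.availability for t in types)
    return {"confidentiality": conf, "integrity": integ,
            "availability": avail, "overall": max(conf, integ, avail)}


# Assumed ratings, derived from the slide's wording (not the presenters' values).
PERFORMANCE_REVIEW = SecurityCategory(
    "Signed Annual Performance Review (PDF)",
    confidentiality=Impact.MODERATE,  # HR and supervisor only; regulatory issue
    integrity=Impact.HIGH,            # must be certain the file is unaltered
    availability=Impact.LOW)          # needed on request, within 2-3 days
ACCOUNTING = SecurityCategory(
    "Accounting System",
    confidentiality=Impact.MODERATE,  # Finance Department and President only
    integrity=Impact.HIGH,            # 30-day rollback, record of who changed what
    availability=Impact.MODERATE)     # up to 8 hours of downtime acceptable
PHONE_BOOK = SecurityCategory("Public phone book", None, Impact.LOW, Impact.LOW)
```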
10. Assessing Risk
• NSA reads your email.
• You are the victim of hacker attack targeted at
your organization specifically.
• You are the victim of general hacker attack,
probably a script downloaded from the Internet.
• Data compromise due to known vulnerabilities in
your IT infrastructure’s software/firmware.
• Data compromise due to action of disgruntled
employee or former employee.
• Loss of data due to run-of-the-mill hardware
failure.
• Data compromise due to end user carelessness.
12. Find the balance between CIA requirements
and accessibility/cost.
Artist: Winslow Homer, Title: The See-Saw, Current location: Arkell Museum, Source/Photographer: The Athenaeum
http://commons.wikimedia.org/wiki/File:Winslow_Homer_-_The_See-Saw_(1873).jpg
13. Security Culture
Source: New York City Department of Transportation, Author: Nicholas Whitaker Photography
https://www.flickr.com/photos/nycstreets/9970004423/
14. Policies for End Users
• Appropriate Use Policy and Controls
• Password Policy
• BYOD and BYOA Policies
15. Policies for the IT Department
• Patching Policy.
• Data Retention Policies
• Identity and Access management.
19. Our Experience
• Most common cause of data loss – Hardware
failure
• Second most common cause of data loss – Viruses
• Recovery from “unmanaged backup” - measured
in multiple days
20. Evolving Org Trends
• Cloud based services
• Elimination of workplace borders
• Bring Your Own Device
• Bring Your Own App
21. Emerging Best Practices
• Single Sign On
• 2FA
• Mobile Device Management
• Application Approval
• Encryption
• Adaptive Defense
22. Practical Next Steps
• Have a data inventory: Know what data you
have, where it is and how it's protected
• Make sure you have good passwords (and
don’t use the same ones)
• Start planning for 2FA
23. Questions?
Author: DuMont Television/Rosen Studios, New York-photographer, Uploaded by We hope at en.wikipedia
http://commons.wikimedia.org/wiki/File:20_questions_1954.JPG
24. Upcoming Webinar
Thursday November 20
4:00 – 5:00 PM EST
The Future of Nonprofit CRM:
Takeaways from BBCon and Dreamforce
David Deal and Kyle Haines
25. After the webinar
• Connect with us
• Provide feedback
Short survey after you exit the webinar. Be
sure to include any questions that were not
answered.
• Missed anything?
Link to slides & recording will be emailed to
you.
Editor's Notes
Matt’s
Matt’s
Matt, then Steve
Matt
Matt – current events (heartbleed, shellshock, cryptolocker, sandworm, Target, HomeDepot)
Steve’s slide –
Looking for images for this PPT on the Wikipedia Commons page. I was having trouble finding a good image to sum up IT Security issues. My searches were turning up lots of pictures of security guards or of firewalls. So then I searched on “The Big Picture” and found this lovely image of a view, with a gate in front of it.
It’s a great “Big Picture” image about security because of its focus on the gate. This is a common mistake made when people think about IT security (or home security for that matter): they focus on the main way in. A hole in the fence may be just off frame.
Steve’s
There are three things that we want when we say we want information to be secure… confidentiality, integrity and availability. These are not in conflict with each other; it’s not a balance, so that’s not the idea of the diagram. Rather, there are three components to saying some information is “secure”.
Confidentiality
Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems. If an unauthorized person gains access to the information, a breach in confidentiality has occurred.
Integrity
In information security, data integrity is trusting the accuracy and consistency of your data. Are modifications to data accurate? Who made the modifications? If a mistake is made, can you roll back? If data is modified in an unauthorized manner, will you detect it?
A very simple example of information integrity gone awry is copying and pasting a column from one spreadsheet to another and getting off by one cell, so the data is matched to the wrong row. Or errors in a data export from one system to another. A more nefarious example is a virus altering records.
Availability
For any information system to serve its purpose, the information must be available when it is needed. So here we’re talking about redundant servers and the like.
Steve’s – so let’s talk about the CIA framework with two examples. And I admit I’m an IT guy, not a finance or HR expert, so my apologies if I’ve misunderstood how these systems work.
Matt: the CIA triad comes from the NIST standard 199 http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
For each piece of data ask the questions in the column as No Impact, Minimal Impact, Limited Impact or Severe Impact.
Example http://www.bloginfosec.com/2012/07/26/the-cia-triad-theory-and-practice/2/
Medical Records
Phone Book
Twitter
Steve’s:
Ask audience rhetorical questions: which risks are most likely, which are most easily addressed, which have greatest cost, which are most often overlooked.
Most of Community IT’s clients are not TARGETS of malicious hackers, at least not personally directed targets. They might have something useful, like a fast Internet connection, that a hacker would be happy to generically exploit. But IT vandalism is not usually directed at nonprofits.
Anecdotally, lots of security people would say the generic exploit is very common. We FREQUENTLY see security logs on Internet accessible servers that show probing by bots. These bots aren’t sophisticated so a decent password policy will generally thwart them, but you wouldn’t want to expose a server with no password at all. It WOULD be compromised.
Finally, at the end of the day, user carelessness is probably the largest source of risk that’s out there.
Steve’s slide –
This is the last of the “Big Picture” slides and we just want to point out that there is a compromise between very rigorous CIA requirements and accessibility/costs. High availability systems cost more money than systems that have less guaranteed uptime because you need to pay for redundant servers, switches, etc. Confidentiality can be improved by restricting access to only local users, but then your remote users may be less efficient in their work.
Steve’s slide:
Security Culture: Lots of people with guns at airports, cameras on buildings,
Safety Culture: training & education, keeping your data safe
Prior data loss impacts the organization culture
Matt’s slide
Appropriate Use: What are users allowed to do on your network and/or with company issued equipment?
How is that usage monitored?
PW Policy: Frequency, Complexity, Sharing, Storage – can mention the fact that password complexity is over-rated in some ways.
Bring Your Own Device: something we are still hashing out
Bring Your Own Apps:
Matt’s slide:
These are policies which can be mostly transparent to the end user. Here again, the greater the complexity of your network, the more scrutiny is required.
Patching: Scheduling, Staffing (who does the work)
Data: Retention, Backup, User Access (both inside and outside your network)
Identity and Access management - Who creates accounts and sets passwords? Auditing folder permissions. Who closes accounts? What happens to a user’s data when he or she leaves the organization?
Matt’s slide
Chief Security Officer is likely too much, but who on leadership advocates for IT Security?
Every client we have has a different person in charge of IT, but the most successful ones have this role delegated or assigned. One person makes the calls, one person serves as the point of contact for IT support.
Security and IT concerns can often be neglected when it’s a secondary role or an unofficial one because items in your job description tend to trump side roles.
If no one takes point or can implement these changes, or there is no one in charge of following up after changes are made, then you are no more secure then when you started.
Why it Matters: A more efficient and secure way to make sure that policies and practices are put in place. Like any business endeavor, IT security requires leadership and direction. In this presentation we raise a lot of questions. The first question should be: who should have these answers?
Matt
SANS Password Policy Doc https://www.sans.org/security-resources/policies/general/pdf/password-protection-policy
IBM attack vectors http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03045usen/WGL03045USEN.PDF
Steve –
Related to CIA
The biggest impact to data security is data availability
Matt: This is talking about how the IT Infrastructure in the NP community is changing
Matt
FireEye security webinar https://www.brighttalk.com/webcast/7451/115295
Matt
Matt
Matt
Matt
Maintain your firewall - backup, firmware, remove old
Firewalls can also do perimeter filtering for viruses, credit card numbers, etc.
Policies must be established. What sites and services are blocked or allowed through? Who is allowed to make changes?
Steve
Steve
Steve
Matt
Matt
Matt
Connections between systems can compromise the “two” factors.
User has cached credentials pw database on their phone (and SMS comes to their phone).
Matt
Before slide is over, mention that that’s not all of the technology tools.
Wireless security, limiting physical access, SSL encryption on network traffic.
Note that this is the third Thursday, not the fourth.
Our thought was to do a debrief of what we learned both @ bbcon and df. We think that there is no more clarity around a ‘recommended’ direction for nonprofits with respect to CRM and came away from df wondering what in the world the SFDC foundation is thinking. We’d obviously need to modulate that message, but we think that we’re uniquely positioned to be able to offer perspective on the announced direction of both companies while overlaying that with some inside baseball talk…