This document summarizes a cybersecurity training webinar for nonprofits. The webinar covered the current cybersecurity landscape including persistent brute force attacks and sophisticated spearphishing targeting organizations. It discussed new security tools available and common contemporary attack examples like phishing, malware, and social engineering. The presentation emphasized the importance of the human firewall through cybersecurity awareness training and individual steps like enabling multi-factor authentication and using a password manager. It provided resources for moving forward with both individual cybersecurity practices and formalizing organizational controls.
5. CYBERSECURITY LANDSCAPE
Persistent and ongoing brute force attacks on identities
Sophisticated spearphishing
Organizations targeted because of the work they do
Attacks targeting vendors
6. CYBERSECURITY LANDSCAPE
New security tools available to combat new threat types.
Organizations starting to ask where to start in improving their cybersecurity.
68% of Nonprofits don’t have an Incident Response Plan
Breach response for a small to medium business is $149,000
7. HOW MUCH IS BUSINESS DATA WORTH TO BAD ACTORS?
CREDIT CARD INFO: $2-$5 (per record)
CUSTOMER PII: $20-$450 (per record)
EMPLOYEE PII: $20-$450 (per record)
PROPRIETARY INFO: Competitive Value
SALES/FINANCIAL INFO: Competitive Value
MEDICAL RECORDS: $20-$50 (per record)
43% OF ALL BREACHES INVOLVED SMB VICTIMS
6 BILLION DIGITAL RECORDS EXPOSED IN 2018
Per the Verizon Data Breach Investigation Report
Estimated data values from Sociable
20. Malware keeps increasing
- Malware is defined as malicious software
- PUA or potentially unwanted applications also fall in this category
- Provides adversaries a foothold into your systems
22. Cryptojacking
• Malicious JavaScript that mines cryptocurrencies
• Uses your computer’s power for adversaries’ benefit
• Think SETI, but for nefarious purposes
23. Social Engineering
1. Trick you into making payments
2. Trick you into entering credentials
3. Trick you into calling for “support”
30. Human Firewall - Devices
Patch and Update
• OS
• Firmware
• All devices
• Monthly
Enable and use Antivirus
• Only 50% effective (but 50% is better than 0%!)
31. Human Firewall - Identity
Protect your Identity
• Pick a good password
• Use a password manager
• Enable MFA
Know your Data
• Audit access to your Cloud Systems
34. Putting it into Action
Inventory systems
• Desktop
• Email
• Cloud Services
• Photos
Backup
• 2 locations
• You have control
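A backup only counts as a second location if the copy actually matches the original. The following is an added example, not material from the webinar or from Community IT, that inventories a folder by SHA-256 and checks each backup copy file by file, reporting files that are missing or stale in that copy. The folder names, file contents and the `min_locations` threshold are all constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Map each file's POSIX-style path relative to root to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source, backups):
    """Compare the source inventory against every backup location.

    Returns {backup_dir_name: {"missing": [...], "mismatched": [...]}}
    so a stale or incomplete copy is visible instead of silently trusted.
    """
    expected = inventory(source)
    report = {}
    for b in backups:
        b = Path(b)
        missing, mismatched = [], []
        for rel, digest in expected.items():
            target = b / rel
            if not target.is_file():
                missing.append(rel)
            elif sha256_file(target) != digest:
                mismatched.append(rel)
        report[b.name] = {"missing": missing, "mismatched": mismatched}
    return report


def backup_is_good(report, min_locations=2):
    """True only when at least min_locations copies are complete and identical."""
    good = [k for k, v in report.items() if not v["missing"] and not v["mismatched"]]
    return len(good) >= min_locations


def demo():
    """Constructed scenario: one faithful USB copy and one broken cloud-sync copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "documents"
        (src / "grants").mkdir(parents=True)
        (src / "budget.txt").write_text("FY2020 budget\n")
        (src / "grants" / "application.txt").write_text("grant application\n")

        usb = tmp / "usb_drive"
        shutil.copytree(src, usb)  # complete, identical copy

        cloud = tmp / "cloud_sync"
        shutil.copytree(src, cloud)
        (cloud / "budget.txt").write_text("FY2019 budget\n")  # stale version
        (cloud / "grants" / "application.txt").unlink()  # never synced

        report = verify_backup(src, [usb, cloud])
        return report, backup_is_good(report)


if __name__ == "__main__":
    report, ok = demo()
    for name, problems in report.items():
        print(name, problems)
    print("two good locations:", ok)
```

Run on a real folder by calling `verify_backup("/path/to/documents", ["/media/usb/documents", "/path/to/cloud/documents"])`; schedule it alongside the backup job so a broken copy is noticed before it is needed.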
35. Putting it into Action
Update your systems
• Operating System (Windows, Mac, iOS, Android)
• BIOS and Firmware Updates Quarterly
• Reboot weekly
36. Putting it into Action
Get a password manager
• LastPass
• 1Password
Pick a strong password
• Passphrase
• One for your computer, one for the password manager
• Here are some guides
• https://communityit.com/how-to-create-an-excellent-password/
• https://haveibeenpwned.com/Passwords
• Enable MFA
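The haveibeenpwned.com/Passwords guide above lets you check whether a candidate password has already appeared in a known breach without sending the password itself. This added example, not code from the webinar, shows how that check works: only the first five characters of the password's SHA-1 hash leave your machine, and the match against the returned list of hash suffixes happens locally. The `SAMPLE_RANGES` response is constructed so the script runs offline (only one suffix in it is real, the one completing the SHA-1 of "password"; the counts and other suffixes are made up), and `fetch_range_live` is an assumed helper that queries the real endpoint when network access is available.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password):
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines of a range response into {suffix: count}.

    Tolerates CRLF endings and blank lines. Zero-count entries are padding
    (returned when the Add-Padding header is sent) and are dropped.
    """
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password, fetch_range):
    """Times the password appears in the breach corpus, 0 if never.

    fetch_range(prefix) must return the raw text of the range response for
    that 5-character prefix; the full hash is never transmitted.
    """
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Assumed helper: query the real service over HTTPS (needs network access)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "nonprofit-password-check-example",
                 "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range response so the example runs offline.
# Only the third suffix is real (it completes the SHA-1 of "password");
# every count and the other suffixes are made up for illustration.
SAMPLE_RANGES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:0\r\n"
    ),
}


def fetch_range_sample(prefix):
    """Offline fetcher returning the constructed response (empty for other prefixes)."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        n = pwned_count(candidate, fetch_range_sample)
        status = f"seen {n} times, do not use" if n else "not in sample data"
        print(f"{candidate!r}: {status}")
```

To check a real password, call `pwned_count(candidate, fetch_range_live)`; a non-zero result means the password is in a public breach list and should be replaced, regardless of how long or complex it looks.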
39. AntiVirus
• An important layer of protection
• Traditional AV may miss 50% of attacks
• New technologies and approaches are available (EDR), but come at a premium
This Photo by Unknown Author is licensed under CC BY-SA-NC
40. Security Check Up
Audit access to applications
• Facebook - https://www.facebook.com/help/799880743466869
• Google - https://myaccount.google.com/intro/security-checkup?hl=en-US
• LinkedIn - https://www.linkedin.com/psettings/
41. Cybersecurity Awareness
SMB Nonprofits (1-249 employees)
• Phase 1 (Initial baseline results) – 39.4%
• Phase 2 (90 days after initial training) – 14.9%
• Phase 3 (1 year into training program) – 4.8%
43. Moving Forward - Individual
Steps you can take
• Inventory and backup your data
• Update your computer (OS and Firmware)
• Make sure AV is installed
• Select a good password
• Use a password manager
• Turn on MFA
• Review system access and remove extra/unnecessary applications
• Schedule time for security
44. Moving Forward - Organization
Steps you can take
• Start with a policy
• Formalize your cybersecurity controls
• Implement Regular User engagement
• Baseline phishing test
• Initial training
• Quarterly phishing tests
• Quarterly focused training
• Regular reporting
• Incorporate feedback
45. Cybersecurity Awareness Training
Training must have Executive Buy-in
Needs to align with Organizational Culture
Training should be frequent in timing
Incorporate testing and feedback
Build a culture of learning
Don’t punish mistakes
48. Building a Better Nonprofit Software Selection Process
An "ask the experts" panel webinar with Peter Mirus, Kyle Haines, and David Deal from Build Consulting
November 18th from 3-4pm EST
49. Resources
• Community IT Webinar – https://www.communityit.com
• Stop Think Connect – https://www.stopthinkconnect.org
• TechSoup Covid Response bundle - https://techsoup.course.tc/catalog/track/coronavirus-mitigation-track
• KnowBe4 Free Resources - https://www.knowbe4.com/free-it-security-tools
• Microsoft Free Cybersecurity Training - https://security.microsoft.com/attackSimulatorTrainings
Editor's Notes
Iconography from CrowdStrike – Chollima (DPRK), Bear (Russia), Panda (China)
This is an example of malvertising, specifically the CryptoWall malware, which was delivered through an exploited Flash plugin. This is an article from http://news.softpedia.com/news/CryptoWall-2-0-Delivered-Through-Malvertising-On-Yahoo-and-Other-Large-Sites-462970.shtml
This Photo by Unknown Author is licensed under CC BY-NC-SA
This Photo by Unknown Author is licensed under CC BY
Deep dive https://communityit.com/cybersecurity-readiness-for-nonprofits-playbook/
“How do I compare with other organizations who look like me?” To provide a nuanced and accurate answer, the 2020 Phishing By Industry Benchmarking Study analyzed a data set of over 4 million users across 17,000 organizations with over 9.5 million simulated phishing security tests across 19 different industries.