Even Non-Profits are Targeted
To an attacker, data is data. It is a commodity to look for, breach a target for, steal, and sell. The focus and the process itself are not that complicated. The target data is the same for a for-profit and a non-profit. The difference to the attacker is that the non-profit may not have the ability to put full defense in depth in place to secure its enterprise.
A specific, troubling issue affecting non-profits has been social engineering and phishing attacks. This can take the form of the “CEO” emailing the accounting department for employee tax information to be emailed to him. This example of spear phishing is not unusual. One method attackers use to increase the potential success of their attack is pretexting. This involves completing a large amount of research on the target. An issue here is that non-profits, in order to show they are good stewards of the donations, publicize their work on as many sites and in as many areas as possible. This publication of their work is needed, but it also provides a large amount of data for the attackers. From this and from other areas of the non-profit's website, the attackers can assemble a backstory to steal from the non-profit. This could consist of the “CEO” requesting confidential information to be forwarded as a PDF, wiring money for an accounts payable invoice immediately, and other attacks.
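The “CEO” request described above leaves a few signals a mail filter can check before the message reaches accounting: a display name that matches an executive but an address that does not, an external sender domain, a Reply-To that redirects the answer, and a request for tax data or a payment. The following triage check is an added example for this article, not code from the author; the organisation domain, the executive list, and both messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data for this example (not from the article).
INTERNAL_DOMAINS = {"example-charity.org"}
EXECUTIVES = {"jane doe": "jane.doe@example-charity.org"}  # display name -> real address
# Request types the article describes: employee tax data and wire transfers.
SENSITIVE_REQUEST = re.compile(r"\b(w-?2s?|tax (information|forms?)|wire|payroll)\b", re.I)

def triage_message(raw: str) -> list[tuple[str, str]]:
    """Return (category, reason) findings for one RFC 822 message (plain text only)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # Display-name impersonation: the name is an executive's but the address is not.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(("identity", "display name matches an executive but the address does not"))
    if domain and domain not in INTERNAL_DOMAINS:
        findings.append(("domain", f"sender domain {domain} is external"))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        findings.append(("identity", "Reply-To routes replies to a different address"))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if SENSITIVE_REQUEST.search(text):
        findings.append(("request", "asks for sensitive data or a payment"))
    return findings

def is_suspected_bec(raw: str) -> bool:
    # Flag only when an identity mismatch coincides with a sensitive request.
    categories = {category for category, _ in triage_message(raw)}
    return "identity" in categories and "request" in categories

# Constructed sample messages.
PHISH = """From: Jane Doe <jane.doe@mail-example.com>
Reply-To: jane.doe.ceo@mail-example.com
To: accounting@example-charity.org
Subject: Employee W-2 forms needed today

Please send me the W-2 forms for all staff as a PDF immediately.
"""
LEGIT = """From: Jane Doe <jane.doe@example-charity.org>
To: accounting@example-charity.org
Subject: Board meeting agenda

Attached is the agenda for Thursday's meeting.
"""
```

Flagged messages should be held for an out-of-band confirmation with the named executive rather than rejected outright, since a legitimate executive will occasionally write from a personal address.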
The attacker may also leave a road apple, a USB drive, on the ground in the parking lot. The natural tendency is for an employee to pick this up and plug it into the system at their desk. The drive may carry malware, so that once it is plugged in, the malware is on the system.
These are only two of the attacks facing non-profits at this time. Due to a lack of training and focus, these attacks have been successful. Although the non-profit’s mission is to spend the donations on its charitable causes, there still need to be safeguards in place for the data and the enterprise; otherwise a portion of those donations may need to be spent in areas other than those expected and budgeted for.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.