Non-Profits: Methods to Better Their Defensive Posture
Attackers have not been overly picky as to the selection of targets. The focus continues to be the money and data, specifically sensitive data and intellectual property, which would then be sold on the dark web. This set of vulnerabilities leading to issues is due to several reasons including, but not limited to the lack of adequate security. This lack of security is not due to the non-profit intentionally not wanting a secure system. This is more a function of budgetary constraints, staff, issues, lack of security tools, and other aspects of their operations.
This creates an interesting dilemma. The non-profit can’t have an insecure environment, but don’t have the necessary resources available and necessary to fulfill this endeavor. This places the non-profit in dire straits. The management would not be a proper steward of the funds if a compromise were to occur and their funds and/or sensitive data exfiltrated. Worse yet, if the non-profit had to pay a third party to provide a decrypt key so the users could use the system or pay a forensic analyst to remediate the issue, as they are not inexpensive.
The threats to not only non-profits, but all businesses and consumers, abound from several sources from around the globe. With the mass number of people and bots all focused on compromising your system, defending the enterprise appears to be very difficult at best.
As prolonged as defending the perimeter and system is, there are actions to take to further this goal. The users may need updated training as to the acceptable password format. Not every password is acceptable. As examples, 123456, 3456789, the user’s birth month and date or year, or the user’s mother name would not be acceptable. Any data or information that is readily trackable and available on social media should not be used. This is by far too easy for an attacker to secure. The password should be at least eight characters, with upper- and lower-case letters, numbers, and special characters. The parameters for the password may also be configured for this in the case of non-compliance. A poorly configured password is an easy attack point.
Two factor authentication is a useful tool in combatting third party’s unauthorized access. This works as a secondary method to ensure the person attempting to log in truly is the authorized person and not an unauthorized third party. The user is verified with an external source, generally a code sent to the user’s phone or a push.
The entity should use up-to-date software. If the non-profit is using software that is end of life (EOL), the software manufacturer is not, as a rule of thumb, continuing to spend much time and effort with ensuring the software does not have vulnerabilities or patching new vulnerabilities as they arise and are found. For instance, Windows XP has been EOL. The regular patches being pushed from Microsoft are not directed at Windows XP. The attackers look for outdated systems, as they likewise know there are vulnerabilities with these. By the non-profit not having relatively current software in use, the non-profit is leaving the door cracked for the attackers to look in and enter the system.
With budgetary constraints as they are, open source software may be used to fill a gap in function while not incurring operation (OpEx) or capital (CapEx) expenditures. Although serving a function, this application may be problematic. The open source software is there to be used without charge. The service may also charge for the upgraded, non-baseline version with a greater range of functionality. The issue regarding this not having a dedicated staff in place for updates, patches, functions the customers want in the future, etc. This also provides, unfortunately for outdated, insecure software. This encompasses a substantial portion, but not all, of the open source software packages. In the alternative software from manufacturers should be used if possible.
Internal risk is a viable risk vector and attack point. The employees have their innate ability to be the non-profit’s best friend and worst enemy. The employees may exfiltrate data and intellectual property via third party email, USB drives, and other methods. The unintentional effect may also be the user not being very wary of phishing attacks and becoming a primary victim, while the non-profit is the secondary victim of the attack. The attackers with the well-crafted email may be enticing the staff to bring ransomware to be placed onto your system.
Non-profits have many difficulties and obstacles to overcome with their operations to provide a secure system. The C0level need to ensure the cash flow is relatively constant or available in a variety of economic circumstances. Assuredly this has not been an easy task, especially during the economic issues of 2008. The non-profit must maintain its relevancy in a s sea of the other non-profits with like and different mission statements.
Coupled with these issues is the maintenance of enterprise security. The issues with implementing a robust, solid cyber security defensive posture range from the implementation to employees and procedures. Although this is a rather large project, this may be completed with a bit more effort and creativity, but clearly possible.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.