Cybersecurity and Non-profits
Non-profits, as indicated by their name, are not designed to profit from their activities. They provide services, goods (e.g. clothing or food), and other items to those who can’t afford them. By design, there is not the profit motive in work with these organizations.
When you are planning an attack, one of the first areas you can look at are the crown jewels, or what the attack is focused on. The attackers may also have the mission of simply being malicious. However, with how the attacks have been operationalized, generally, there is something (e.g. money or data) the attackers want.
Target
A recent breach has been no exception to this. The Jewish Federation of Greater Washington was recently targeted and breached. This organization is a non-profit located in Maryland. The not-for-profit has 52 employees.
Attack
There are cybersecurity dangers regardless of where you are working. To resolve these, the user needs awareness as a general baseline of what to and not to do. Their systems, if not using the business’ equipment, have to be up-to-date. Having outdated, unpatched apps and programs creates an opportunity for attackers and allows for an easier attack. This is analogous to leaving the front door shut, but unlocked.
In this learning experience, a staff member, working from home on their system, was successfully attacked. The compromise led to the attacker stealing $7.5M. The attack and theft were possible due to one person’s oversight and the organization not maintaining a proper level of cybersecurity for the staff.
The attack was not known to the organization until August 4th. This was detected by a security contractor and not the organization. The red flag in this instance was an anomalous amount of activity with a staff member’s email account.
Post-Attack
After this was detected, the FBI was contacted. As the investigation continues, there is no comment as to who may have accomplished this. While this is an issue, the CEO, Gil Preuss, did announce the compromise from a virtual conference call with the employees.
The organization also investigated the breach. The data indicated the attacker had access long before the issue was detected by the cybersecurity contractor. The time period for the unauthorized access was estimated to have started early in the summer. The investigation continues on the systems and servers as these are being analyzed for other cybersecurity issues. Wisely, the organization is no longer allowing the staff to use personal computers for the workplace. The issues abound with allowing this at any time, and especially now with the pandemic forcing most people to work from home. The organization appears to be reviewing what other controls to put in place to mitigate the potential for this to occur again.
Discussion
In our current situation working from home, for the most part, is not an option. This has taken the form of necessity. The users may feel a little more at ease working from home, and let their guard down. They may also not have the same level of defensive measures in place. For the measures in place, the apps and programs may not be patched or up-to-date. All of these create the potential vulnerability the attackers look for. Unfortunately, all it takes is one person in the right department or with access to other systems, and there’s a breach.
Cybersecurity does not take a break from the office. This is a 24 hour a day, everyday task. The users still have to be vigilant. There is no vacation or sick day for cybersecurity.
On the last point, please push for more training for the users. They do not need to be cybersecurity experts. They do however need to be aware of what to look for, and what not to click on. A stranger is not going to send you a link for their cousin’s hilarious birthday party or a picture of their kitten that you have to open to see the details in the kitten’s fur.
From the finance administrative side, there should have been controls or alarms in place to monitor any large transfers at once or in a short period of time. This may have also limited the depth of the attack.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.