Common Sense Security

In 1965, Gordon Moore observed that the number of transistors on a chip was doubling roughly every year, a rate he revised to every two years in 1975, and "Moore's law" quickly became popular shorthand for relentless technological change. Today, the biggest advancements in technology have less to do with processors and everything to do with the internet, which is now accessible from cars, TV sets, and many of our children's toys. This has provided some amazing utility to our lives: our phones can tell us how to get home from anywhere, we can watch the news on a wristwatch, and we can see who's ringing our doorbell while vacationing in the Bahamas. The downside is that just about anything that can be plugged in or charged can now be hacked, and best practices in information security are evolving rapidly as the definition of technology keeps expanding.

The basic premise that technology security was founded on was that you could put appropriate locks on your systems and only authorized users would have the keys. This assumed that all of your data lived on your computer, or on a server in the same building your computer sat in. In a world without the internet or the cloud it was a solid approach, but in a world where those servers can be reached from outside the locked doors, or where our data no longer sits on our servers at all, it's not valid. And in a world where our PCs live in our backpacks, our pockets, or on our wrists, it's completely invalid. We still need to physically protect our servers and systems, but protecting our data is a completely different challenge.

Attackers either want something you have or want to use what you have to attack others. Common examples include:

♦ Fraudulent financial requests

♦ Encrypting your systems for ransom

♦ Using your servers to host spam and phishing sites

♦ Theft of sensitive constituent data

Additionally, protecting data is a regulatory requirement. HIPAA, PCI DSS, GDPR: new acronyms arrive every year for rules that hold organizations accountable for breaches of customer and donor data. If you want to purchase cyber-insurance (which you should), insurers increasingly require you to attest to specific controls before they will write a policy, such as multi-factor authentication, tested backups, endpoint protection, and timely patching; these map closely to the NIST (National Institute of Standards and Technology) Cybersecurity Framework.

We’ll go over a lot of the security tools that you can implement, but it’s important to understand that tools are the backup lines of defense; security awareness and informed behavior are the front lines. The best tools still rely on the user to exercise judgment, and the most effective attacks play on a user’s ignorance or trust. A common “spear phishing” attack is one where the attacker gathers some useful public information, such as the name, email address, and email signature of your organization’s CEO, and puts it all together in a spoofed email to the CFO or Controller instructing them to wire money to an account. The message typically comes from a free webmail address or a lookalike domain with the CEO’s name as the display name, and it stresses urgency and secrecy. If you are the CFO and you don’t know that this type of thing happens or how to recognize a spoofed email, you might fall for it. The simplest defense is a standing rule that any payment instruction received by email is confirmed out of band, by phone to a number you already have, before a cent moves.
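The header checks a mail gateway or a suspicious finance officer can run on a message like the one described above, as an added example (not code from the original article). The organization domain, the executive list, and both sample messages are constructed for illustration; a real deployment would feed the analyzer messages from the mail system.

```python
"""Header checks for the executive-impersonation ("CEO fraud") email
described above. Added example, not code from the original article.
The organization domain, executive list and both sample messages are
constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example-nonprofit.org"                          # assumed
EXECUTIVES = {"jane doe": "jane.doe@example-nonprofit.org"}   # assumed: display name -> real mailbox
PAYMENT_WORDS = ("wire", "transfer", "invoice", "gift card", "account number")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(candidate: str, ours: str) -> bool:
    """True if candidate is within one edit of ours after folding common homoglyphs."""
    def fold(s: str) -> str:
        return s.lower().replace("rn", "m").replace("0", "o").replace("1", "l").replace("vv", "w")
    a, b = fold(candidate), fold(ours)
    prev = list(range(len(b) + 1))            # single-row Levenshtein distance
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1] <= 1


def analyze(raw: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation (empty list = no findings)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    expected = EXECUTIVES.get(name.strip().lower())

    if expected and addr.lower() != expected:                 # executive's name, wrong mailbox
        reasons.append(f"display name '{name}' but From address is {addr}")
    if from_dom and from_dom != OUR_DOMAIN and lookalike(from_dom, OUR_DOMAIN):
        reasons.append(f"lookalike sender domain {from_dom}")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_dom:          # replies silently go elsewhere
        reasons.append(f"Reply-To {reply_to} does not match From domain")
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if from_dom == OUR_DOMAIN and return_path and domain_of(return_path) != OUR_DOMAIN:
        reasons.append(f"internal From but external Return-Path {return_path}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if reasons and any(w in text for w in PAYMENT_WORDS):     # money request on top of header anomalies
        reasons.append("body requests a payment")
    return reasons


# Constructed sample messages (not real mail).
SPOOFED_MESSAGE = """\
From: Jane Doe <jane.doe@examp1e-nonprofit.org>
Reply-To: Jane Doe <jdoe.ceo@gmail.com>
To: cfo@example-nonprofit.org
Subject: Urgent wire transfer

Please wire $45,000 to the account below today. I am in meetings all day, so just reply here.
"""

LEGITIMATE_MESSAGE = """\
From: Jane Doe <jane.doe@example-nonprofit.org>
To: cfo@example-nonprofit.org
Subject: Board meeting agenda

Attached is the agenda for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, "->", analyze(raw) or "no findings")
```

The spoofed sample trips four checks (executive display name on a foreign mailbox, a digit-for-letter lookalike domain, a Reply-To pointing at webmail, and payment language in the body); the legitimate one trips none. None of these checks replaces the out-of-band phone call, but they are cheap to run on every inbound message and catch the bulk of unsophisticated attempts.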

In 2017, news poured in about a massive security breach at Equifax, one of the three agencies that maintain credit ratings for all Americans. Roughly 147 million people had sensitive information taken: names, Social Security numbers, birth dates, addresses, and in some cases driver’s license and credit card numbers. Equifax was breached because they were running a web application framework (Apache Struts) with a critical security flaw. That flaw had been disclosed and fixed by the vendor two months before the breach, but Equifax hadn’t applied the patch. Subsequently, it was discovered that an Equifax employee portal in Argentina was secured with the username “admin” and the password “admin”, the kind of default credentials that ship with software and new devices. The full severity of Equifax’s negligence in protecting our most sensitive financial data will never be revealed. Was our data properly encrypted on their servers? Was access to credit data limited to those who needed it? Were they doing any testing to see if the data was vulnerable? These are all things that any company subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS) must do, and they’re among the basic safeguards that anyone storing sensitive data on their servers should have in place.

Since security standards are always evolving as threats evolve, an article written three months ago with the same title as this one might well be out of date. NIST rewrote the rules on passwords in 2017 (Special Publication 800-63B). Gone is the requirement that passwords contain mixed-case letters, numbers, and special characters. Gone too is the recommendation that they be changed on a schedule; the new guidance is to require a change only when there is evidence the password has been compromised. The new standards promote long passwords, ideally “passphrases” rather than single words, because a 30-character sentence, even one as plain as “My automobile is a Chevy Impala”, is far harder to crack than “sHaKespearE17$”, which is just a dictionary word with the predictable substitutions every cracking tool tries first. Passwords on post-it notes taped to a monitor are deadly, as is reusing the same password with a different digit (e.g. “Suzie123” one month and “Suzie124” the next). And, worst of all, using the same password for your work, Facebook, and online banking. These are all bad habits that were propagated by the requirement that passwords be hard to remember and changed frequently, and NIST now recognizes that the workarounds effectively defeated the purpose of the old rules.

So how should you defend against these threats today? Here are seven areas where you can focus.

♦ Security Awareness: Education, Testing, and Policy

♦ The Old Guard: Firewalls and Security Software

♦ Multi-Factor Authentication

♦ Data Encryption

♦ Passwords: Secure Policies and Management Tools

♦ Information Security Policies

♦ Safety in the Cloud

Security Awareness: Education, Testing, and Policy

The most common way that computers get breached or infected is by fooling users into installing malware or giving up their credentials, commonly called “phishing”. Your biggest risk lies in your staff’s behavior upon receiving questionable emails and visiting malicious websites. A class of software has arisen to help with this. Security-awareness platforms like KnowBe4, Proofpoint, and Cofense offer online training and user testing in integrated packages, allowing you not only to assign learning modules and track who has completed them, but also to send your own simulated phishing emails that, instead of infecting users, educate them when they’re clicked on. Knowing where your risk lies is the first step in reducing it.

The Old Guard: Firewalls and Security Software

You might still have data on servers in your offices, and you definitely have computers and devices that need protection, so the need for firewalls and anti-virus (today, “endpoint protection”) software isn’t removed. You should encrypt your hard drives; BitLocker comes with the Pro and Enterprise editions of Windows, and FileVault with macOS, so a lost laptop is an inconvenience rather than a breach. But what is critical is that you keep all of your operating systems, servers, and major hardware and software systems up to date with the latest security patches. Just a few years ago, the best practice was to “wait and see” on updates, in case they might introduce new issues. That is no longer the case: the frequency with which new strains of ransomware and other threats arise demands that you keep your systems fully patched, and a short test on a few machines before broad rollout is all the caution you can afford. Systems management applications, like Microsoft Configuration Manager (formerly System Center Configuration Manager, SCCM) or Intune, can automate this.

Even if you are fully in the cloud, you still need a directory service (Active Directory, Microsoft Entra ID, or Google Workspace, for example) that authenticates your users, enforces security policies such as MFA and device requirements, and pushes system and software updates. During the pandemic, many nonprofits ditched their physical networks and simply had their users log into each cloud app directly with separate accounts. Without a central directory, there’s little way to track who is actually using those cloud applications; you can’t set up single sign-on; you can’t revoke everything at once when someone leaves; and your users are not secure.

Multi-Factor Authentication

When all is said and done, even a good passphrase can be stolen (by phishing, malware, or a breach at some other site where it was reused), so it’s now standard security to require a second proof of identity when accessing sensitive data. Multi-factor authentication (“MFA”, of which two-factor authentication, or 2FA, is the common case) is an additional safeguard that has you confirm your identity using, in most cases, your mobile phone. With MFA, the website checks that it’s you logging in, not some stranger on the other side of the world who has your password. Common MFA, supported by most popular websites like Google and Facebook, works with an authenticator app that generates a six-digit code every 30 seconds from a secret shared at enrollment. Codes sent by SMS are better than nothing but can be intercepted or redirected by SIM swapping, and any code a user can type can be phished by a fake login page that relays it; hardware security keys and passkeys (FIDO2/WebAuthn) are bound to the real site and are the strongest option for administrators and finance staff. For computers that you use often, you can usually mark them as “trusted devices” and reduce the prompts to every few weeks or monthly.

Data Encryption

The Federal Government mandates that all government websites be served over HTTPS, that is, protected by TLS (Transport Layer Security, the successor to SSL) encryption. You should be doing this as well. With certificates available free from Let’s Encrypt, or multi-site (wildcard) certificates from commercial authorities for well under $200 a year, there’s no reason not to. Redirect all plain HTTP traffic to HTTPS, and once that works, send the HSTS header so browsers refuse to connect to your site insecurely at all.

If you accept credit cards on your website, the best idea is to outsource the actual transaction to a third party like PayPal, Stripe, or Network for Good, so that card numbers never touch your systems. If you do collect credit card data yourself, the transaction must be sent over TLS, you should not store card numbers on your network, and you may never store the card security code (CVV) at all. Delete the card number once the transaction has completed.

Encrypting email has traditionally been so complex that nobody did it: the recipient won’t read a message if they have to fiddle with encryption keys. That’s changing with the advent of rights-management-style services that keep the message on the provider’s encrypted servers and handle recipient verification with a one-time passcode or a sign-in. Microsoft includes this (Microsoft Purview Message Encryption, formerly Office 365 Message Encryption) in its business and enterprise Microsoft 365 subscriptions.

Passwords: Secure Policies and Management Tools

As mentioned above, passphrases should replace passwords, and mandatory change intervals can be lengthened or removed. We all have dozens, if not hundreds of passwords these days, so software that remembers them for you is a must. That can be Single Sign-On (SSO) installed for your organization, or a password management application. They work differently: a password manager stores a unique, complex password for each site in an encrypted vault and fills it in when you load a login page, so you never have to memorize it or look it up; SSO goes a step further and lets an application trust your login at a central identity provider (via standards such as SAML or OpenID Connect), so there is no application-specific password to steal at all.

An additional NIST recommendation is that new passwords be checked against a list of commonly used and previously breached passwords, and such checks are now built into mainstream authentication systems. Microsoft Entra ID (formerly Azure Active Directory), for example, rejects passwords on its global banned-password list by default, and the free Have I Been Pwned “Pwned Passwords” service lets any application check a candidate password against hundreds of millions of breached ones without ever sending the password itself.
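A password acceptance check in the spirit of the NIST guidance described in this section and in the passwords discussion earlier, as an added example (not code from the original article). It enforces length rather than composition rules, rejects the username and repetitive strings, and does the breached-password lookup the way the Have I Been Pwned "range" API works: only the first five hex characters of the SHA-1 hash leave the client, and the match is made locally. The breach data, the common-password list and the `range_lookup` stand-in are constructed so the example runs offline; a real deployment would replace `range_lookup` with an HTTPS call to the real endpoint.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B, with the
breached-password lookup done the way Have I Been Pwned's "range" API works
(k-anonymity: only the first five hex characters of the SHA-1 hash leave the
client). Added example, not code from the original article. The breach data,
common-password list and range_lookup stand-in are constructed so the
example runs offline.
"""
import hashlib

MIN_LENGTH = 8     # 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64    # 800-63B: verifiers should accept at least 64

COMMON = {"password", "qwerty", "letmein", "welcome1", "iloveyou"}   # constructed stand-in for a dictionary


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed "leaked" dataset: password -> number of breach records it appeared in.
_LEAKED = {"Password123": 123456, "sHaKespearE17$": 3, "Suzie123": 40}
_RANGE_STORE: dict = {}                       # 5-char prefix -> {35-char suffix: count}
for _pw, _count in _LEAKED.items():
    _h = sha1_hex(_pw)
    _RANGE_STORE.setdefault(_h[:5], {})[_h[5:]] = _count


def range_lookup(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns the same text format the real service does: one 'SUFFIX:COUNT' per line."""
    return "\n".join(f"{s}:{c}" for s, c in _RANGE_STORE.get(prefix, {}).items())


def breach_count(password: str, lookup=range_lookup) -> int:
    """k-anonymity lookup: send only the 5-char prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password: str, username: str = "") -> list:
    """Return rejection reasons; an empty list means the password is acceptable.
    Deliberately absent: composition rules (upper/lower/digit/symbol) and expiry."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() in COMMON:
        reasons.append("on the common-password list")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    if len(set(password)) <= 2:
        reasons.append("repetitive characters")
    count = breach_count(password)
    if count:
        reasons.append(f"found in {count} breach records")
    return reasons


if __name__ == "__main__":
    for pw in ("sHaKespearE17$", "My automobile is a Chevy Impala", "Suzie123", "aaaaaaaaaa"):
        print(repr(pw), "->", check_password(pw, username="suzie") or "accepted")
```

Run as written, the "complex" password from the article is rejected because it appears in the (constructed) breach data, while the plain-English passphrase is accepted. Against the real service the only change is the transport: the prefix goes out over HTTPS, the response is a few hundred suffix lines, and the password itself is never transmitted or logged anywhere.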

Password Managers

Popular password managers include Dashlane, Bitwarden, and LogMeOnce (not to be confused with BitLocker, which is Microsoft’s disk encryption). There are personal and enterprise versions available. In addition to storing all of your passwords securely, they can generate strong random passwords for you, and the best ones will alert you if you have weak or duplicate passwords, or a password that has appeared in a known breach.

Single Sign-On

Popular Single Sign-On providers include OneLogin, Okta, and Microsoft Entra ID (formerly Azure AD). The latter is available as part of Microsoft 365’s paid plans, such as the E3 or Business Premium offerings. OneLogin and Okta have nonprofit pricing options as well. Single Sign-On needs to be set up by your IT staff or Managed Services Provider.

Information Security Policies

Key to successfully protecting a network is having clear information management policies and following them. These policies should be understandable for the staff that need to comply with them, written in plain English, and regularly reviewed and modified as conditions change. Some policies will be detailed, some very simple. For example:

♦ A policy regarding guest accounts will establish what type of work warrants creating accounts for vendors and consultants; what type of access is appropriate; and how long the accounts will remain in effect, ideally with an expiration date set when the account is created. The famous Target breach in 2013 began with credentials stolen from a heating and air-conditioning vendor, whose access reached far further into Target’s network than its work required.

♦ A mobile/Bring Your Own Device policy will address what happens to company data on mobile devices should they be lost or stolen, or should the employee leave the organization.

♦ An Incident Response policy will outline what should happen, in what order, and who is responsible, should a breach occur.

Safety in the Cloud

Established cloud services from major providers such as Google, Microsoft, Salesforce, Adobe, etc., are as safe as or safer than your own networks. Either can be hacked, but Microsoft has far more certified cybersecurity staff than your average nonprofit. Keep in mind that the provider secures the platform, while the configuration of your tenant, your accounts, and your sharing settings remain your responsibility, and that is where most cloud breaches actually happen. Some contracting terms should be required, such as the ability to obtain full, usable exports of your data and a promise that you’ll retain access should the provider go under or be sold. Since most providers store your data on multiple, geographically diverse servers, it is well protected against hardware failure, but that replication is not a backup against deletion or ransomware, and restoring from it in an emergency may be difficult, so cloud-to-cloud backup vendors should be considered for critical data. And while your data might be relatively safe from hackers or disasters, if you store data that you would not be willing to provide in response to a subpoena, you should consider keeping it on your own servers. Cloud providers might feel obligated to comply in cases where you would not.

Outsource for Safety

Finally, every organization should have a relationship, if not a contract, with a Managed Services Provider (MSP). MSPs act as outsourced IT departments, managing servers and cloud applications, providing help desk, and completing technology projects for you. Techcafeteria would not advise you to outsource your IT strategy to the same firm that maintains your infrastructure. MSPs are generally not as dialed into your mission and strategic plan, and this can create a conflict of interest, where the MSP is recommending strategies that sell their services. But outsourcing the tech maintenance is, in these times, a no-brainer. To have 24/7 support and steady technical resources for (roughly) the cost of one FTE beats having two or three people on staff who lack that collective knowledge and coverage. And the MSPs tend to be gurus when it comes to implementing the security measures described above.

In Summary

Consider that many of these security requirements also make life on the Internet easier. Single Sign-On solutions secure your applications from hackers while making it unnecessary for users to enter a password for every application. The cloud makes working from anywhere easy. If you have a long way to go to meet the standards listed here, make a game plan and roll out what you can, starting with clear policies and security training. But don’t let your nonprofit get caught with its virtual pants down. Do what is prudent to protect your clients, your staff, and your organization.