Cultivating security in the small nonprofit
Transcript of Cultivating security in the small nonprofit
![Page 1: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/1.jpg)
Cultivating Security
It’s almost like cultivating your garden
© MAP for Nonprofits - 2013
![Page 2: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/2.jpg)
Cultivating Security in the Small Nonprofit:
Steps to help you decrease risk
Roger Hagedorn, CISSP Technology Consultant @ MAP for Nonprofits
![Page 3: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/3.jpg)
MAP’s Services Overview
• Legal Counsel and Hotline
• Board Leadership Development
• Accounting and Finance Services
• Technology Services
• Marketing Planning
• Strategic Planning
• Leadership Development
• Project ReDesign
• Fundraising Planning
© MAP for Nonprofits - 2011
![Page 4: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/4.jpg)
Agenda:
• 6 Security Basics
• Tips and Techniques for Today’s Changing Environment
• Questions
Please feel free to ask questions at any time. This session is for you.
Stop me if I use a term or acronym you’re not familiar with
![Page 5: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/5.jpg)
Preface:
As an IT professional, I work to make technology assist you with your mission and strategic plans; I want it to help you be innovative and successful. I want your organization to thrive.
![Page 6: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/6.jpg)
Preface:
But today I’ll talk about “due diligence”: things that folks should be doing in order to keep you, your computers, your data, and your organization’s reputation safe.
![Page 7: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/7.jpg)
“It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”
—Warren Buffett
![Page 8: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/8.jpg)
Conflicting Goals
• What most end-users want:
– Simplicity/Ease of use
– Accessibility
– Support
• What most Information Security people want:
– Control
– Compliance
– Security
• The trick is to strike the balance that’s appropriate for your environment
![Page 9: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/9.jpg)
Conflicting Goals
• Large organizations and corporations, where striking that balance can be relatively simple:
– Team of technicians
– Serious investment in security systems (e.g., IPS/IDS)
– Internal technical controls (Active Directory)
• What most small organizations have:
– “Accidental Techie”
– Dedication
– Good will
![Page 10: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/10.jpg)
Illusions and Misconceptions
• “Our organization will never be a target of hackers.”
– We do good work
– We’re too small to be noticed
– We have nothing of value
• What small organizations may not realize:
– Hackers use automated tools (search on “automated hacking tools” but don’t visit the sites)
– All organizations have things of value:
• Computing power (botnets)
• Email contacts (other potential victims)
• Personal information (identity theft)
![Page 11: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/11.jpg)
State of the World
What this means is that even though you’re from a small organization, it’s essential to recognize the importance of information security. It concerns all of us.
That means everybody needs to get on board. And the message that security is important has to come from the top and reach all levels of the organization.
Now let’s get on with it . . .
![Page 12: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/12.jpg)
Six Security Basics
What most organizations already have in place
![Page 13: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/13.jpg)
Security Basics 1: Passwords
Let’s start with everyone’s favorite subject:
Passwords!
But really, it’s our first line of defense in so many situations.
So let’s discuss . . .
![Page 14: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/14.jpg)
Best Practices: Your password should not contain personal information such as your:
• real name
• e-mail address
• street address
• pet’s name
• birth date
• phone number
• social security number
Likewise, it shouldn’t be a fact associated with your spouse/partner, children, etc.
![Page 15: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/15.jpg)
Why not?
Because this kind of information is easy to find . . .
![Page 16: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/16.jpg)
More things about passwords you already know:
• Your passwords must not be any single word in any language.
• Passwords should contain at least three distinct character classes: uppercase, lowercase, number, non-alphabetic (@#$%, etc.).
• Never use the password you’ve picked for your email account at any online site.
![Page 17: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/17.jpg)
More things about passwords you already know:
• Use different ones for different situations. Avoid using the same password at multiple Web sites.
• It’s generally safe to re-use the same password at sites that do not store sensitive information about you (e.g., a news Web site)
![Page 18: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/18.jpg)
Just a couple more things about passwords you already know:
• Never give out passwords over the phone or in email.
• Consider changing your most critical passwords on a regular basis (e.g., once a year).
![Page 19: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/19.jpg)
Enough about “Password Don’ts”
What to do?
Did you know that when it comes to passwords, length is more important than just about anything?
For example, which of these is harder to crack:
• The hills are alive!
• qX8#hp02
![Page 20: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/20.jpg)
Password Strategy No. 1
Now ask yourself “Which is easier to remember?” and you’ll realize the power of using a passphrase instead of a password. You still have to include numbers and a mix of upper- and lower-case characters, but it’s very easy to remember:
• Tul1ps R pretty
• Pl@nt bulbs B4 Spring!
• I8lunch2day
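The two claims on these slides (length beats complexity, and a passphrase can still satisfy the character-class rules) can be checked with a short script. This is an added example, not part of the original presentation: the word list is a constructed stand-in for a real dictionary, the personal facts are made up, and the bit estimate assumes a brute-force attacker who knows which character classes are in use and nothing more.

```python
import math
import string

# Constructed stand-in for a real word list (assumption: a deployment would
# load a full dictionary; this handful only makes the check observable).
DICTIONARY = {"password", "hills", "alive", "tulips", "sunshine", "elephant"}

# The four classes the deck names: uppercase, lowercase, number, non-alphabetic.
# Space counts as non-alphabetic so that passphrases get credit for it.
CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},
}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def search_space_bits(password):
    """Brute-force effort estimate in bits: length * log2(alphabet size), where
    the alphabet is the union of the classes the password uses. Each extra
    character multiplies the search space; a new class only widens the base,
    which is why length matters more than anything."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password, personal_facts=()):
    """Apply the deck's rules; return a list of violations (empty = passes).

    personal_facts: strings or numbers such as real name, pet's name, birth
    year, phone number. Any fact of three or more characters found inside the
    password (case-insensitively) is a violation."""
    problems = []
    lowered = password.lower()
    for fact in personal_facts:
        fact = str(fact).lower()
        if len(fact) >= 3 and fact in lowered:
            problems.append(f"contains personal information: {fact!r}")
    if lowered in DICTIONARY:
        problems.append("is a single dictionary word")
    if len(classes_used(password)) < 3:
        problems.append("fewer than three character classes")
    return problems


def stronger(a, b):
    """Return whichever of two candidates has the larger search space."""
    return a if search_space_bits(a) >= search_space_bits(b) else b


if __name__ == "__main__":
    # Constructed personal facts for the demonstration.
    facts = ["Fluffy", 2010]
    for candidate in ("The hills are alive!", "qX8#hp02", "Tul1ps R pretty",
                      "hills", "Fluffy2010!"):
        print(f"{candidate!r:24} {search_space_bits(candidate):6.1f} bits  "
              f"classes={sorted(classes_used(candidate))}  "
              f"problems={check_password(candidate, facts)}")
```

Run as-is it prints the comparison from the slide: the 20-character passphrase scores well over twice the bits of the 8-character random string, even though the random string uses all four character classes. The personal-information check is deliberately a substring match, because the point of the slide is that a fact embedded anywhere in the password is a fact an attacker can look up.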
![Page 21: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/21.jpg)
Password Strategy No. 1
Passphrases can be very impressive but still simple to remember:
1. “Iw20yatSPttbtpthbgiaoosbtagtras.”
2. “HwmyrsmtBeyuclhm?”
Group Exercise: Create your own phrase!
For example, “My sister Peg is 24 years old” can become “MsPi24yo.”
![Page 22: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/22.jpg)
Password Strategy No. 2
Consider using a collection of random words:
1. “Brown T3L3phone nickel s@ndwich”
Group Exercise: Think of four words (but not “elephant”)
![Page 23: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/23.jpg)
Password Strategy No. 3
Consider using a prefix or a suffix:
1. “R3@dy4” + [Gmail, shopping, surf!]
• R3@dy4yahoo!
• R3@dy4Craig
• R3@dy4cloudstorage
2. [onlinenews] + “N3wssite”
• NytimesN3wssite
• startribuneN3wssite
• huffingtonpostN3wssite
![Page 24: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/24.jpg)
Password Strategy No. 4
Consider using a password vault that stores all your passwords in an encrypted format and allows you to use just one master password to access all of them. Most will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on a smartphone or USB thumb drive.
• KeePass Password Safe
• LastPass
• 1Password
• RoboForm
• Keeper
![Page 25: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/25.jpg)
Security Basics 2: Anti-malware
Many companies sell excellent anti-virus solutions:
• McAfee, TRENDnet, Symantec
But there are also free anti-virus programs that do everything the famous solutions do: offer real-time virus protection, scan for viruses, and automatically download the latest anti-virus signatures for maximum protection.
![Page 26: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/26.jpg)
Anti-malware Options
For Windows, consider AVG Anti-Virus, Avast, and Microsoft’s Security Essentials. Malwarebytes too.
For Apple computers, the time is coming to seriously consider protection. Avast, Clam, and Sophos all offer free programs worth considering.
Mac Flashback?
![Page 27: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/27.jpg)
Security Basics 3: Use a Better Browser
• Avoid Internet Explorer if at all possible
• Use Google’s Chrome
• Mozilla’s Firefox is pretty good too
• Keep your browser up-to-date
![Page 28: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/28.jpg)
Security Basics 4: Update Devices
Operating Systems:
• Turn on Microsoft’s Windows Update
• Respond to Apple’s alerts
Application Software – new tools can help:
• Secunia’s Small Business Software Inspector
• Qualys’ BrowserCheck
• Filehippo’s Update Checker
• Metaquark’s AppFresh (not free)
![Page 29: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/29.jpg)
Security Basics 5: Backup that data
Data is generally considered an organization’s first or second most valuable asset -- right behind its people. Someone in your organization needs to know how to verify your backups and recover that data.
Backup in the 1980s-2000 = tape or cassette
Backup in 2000-2010 = disk (SAN, NAS, etc.)
Backup in today’s world:
A. cloud, or cloud and on-site:
• CrashPlan, IDrive, MozyPro, et al.
B. cloud and on-site virtualization:
• Datto SIRIS, Veeam, Unitrends backup/BC
![Page 30: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/30.jpg)
Security Basics 6: Firewall
A firewall is like a moat around a castle:
It’s a perimeter defense designed to control incoming and outgoing network traffic.
![Page 31: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/31.jpg)
On Firewalls
Firewalls range from a simple gadget that keeps bad data packets out to sophisticated multi-function gateways (“second-generation firewalls”).
Firewalls can be purchased appliances or software running on computers.
pfSense, ModSecurity, and Smoothwall are free, open source customized Linux distributions.
![Page 32: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/32.jpg)
6 Security Basics
1. Strong passwords, well managed (vault)
2. Anti-malware to fight off viruses, worms, and trojans
3. A better browser to make surfing safer
4. Fully-patched and maintained computers
5. A backup solution that protects your data
6. A firewall to keep your network safe
So we’re safe and secure, at peace with the world.
![Page 33: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/33.jpg)
![Page 34: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/34.jpg)
If only that were true.
Sadly, it’s no longer so in today’s world.
Audience Participation Time!!
Can anyone think of an easy way of getting around your firewall?
![Page 35: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/35.jpg)
How to Circumvent these Defenses
• Dropbox (iCloud, SkyDrive, et al)
• USB devices
• Rogue wireless access points
• Smartphones
• Social Engineering
All of these can be very useful … or very dangerous
![Page 36: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/36.jpg)
Dropbox and its cloud cousins
Offer a direct route from workstation (or other device) to the cloud, circumventing your firewall and any other network monitoring.
“Data exfiltration”
Conversely, an easy and unmonitored way to introduce viruses, trojans and worms into your environment.
No “audit trail”
![Page 37: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/37.jpg)
USB Devices—Thumb Drives et al.
Portable storage devices that connect to a computer via its USB port. Great for sharing documents, photos, etc.
But those same characteristics—ease of use and portability—explain why they’ve become one of the most popular and effective ways for hackers to infect computers.
Consider Stuxnet
![Page 38: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/38.jpg)
Rogue Access Points
A rogue access point is one of two things:
• a wireless access point that a staff person might set up on an organization’s network without authorization (malicious or not), or
• one set up so a hacker can conduct a “man-in-the-middle” attack.
![Page 39: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/39.jpg)
Smartphones
Wonderful devices that can be used:
• To send/receive email
• To manage your time
• To find your location
• To play Angry Birds
But also:
• For data exfiltration
• As a rogue access point
• To scan your network for vulnerabilities
• As a source of malware
![Page 40: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/40.jpg)
Social Engineering
The Easiest Way In of All
Social engineering is the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence game, it is typically deception for the purpose of information gathering, financial fraud, or computer system access.
![Page 41: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/41.jpg)
Social Engineering
Social engineers often rely on the natural trusting nature and helpfulness of people as well as on their weaknesses. They might, for example, call an authorized employee with some kind of urgent problem that requires immediate network access.
![Page 42: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/42.jpg)
Phishing
Phishing is a special form of social engineering: the use of email or malicious websites to solicit personal information by posing as a trustworthy organization.
For example, an attacker may send email seemingly from a credit card company or financial institution that requests account information, often suggesting that there is a problem with your account.
![Page 43: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/43.jpg)
Phishing
The next slide is an image of a real phishing attack. The email appears to be from the American Express Company, but look carefully at it.
![Page 44: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/44.jpg)
Phishing
![Page 45: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/45.jpg)
Phishing
Did you notice that the email address was strange? “americanexpress@...”: the domain it used was “email2.americanexpress.com,” which is not the same thing as “americanexpress.com.”
What about the embedded links? They look OK . . . Take another look at the message . . .
![Page 46: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/46.jpg)
Phishing
![Page 47: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/47.jpg)
Phishing
This is a classic phishing attack. At first glance, the message looks fine. It even uses real logos. But beware of links in email. Instead of clicking on them, rest your mouse (but don’t click) on the link to see if the address matches the link that was typed in the message.
And just where does http://bit.ly/ZgyvOM take you?
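The two tells the slides point out (a sender domain that is not quite the real one, and a link whose visible text does not match where it actually goes) can be checked mechanically before anyone hovers over anything. The script below is an added example, not part of the presentation; the email it parses is constructed for the demonstration, the shortener list is illustrative, and the bit.ly path is a placeholder rather than the one in the real message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative list (assumption): shorteners hide the true destination of a link.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}

# Constructed message modelled on the slide's description: brand name in the
# From header, a subdomain instead of the real domain, and a link whose text
# shows the real site while the href goes through a shortener.
SAMPLE_EMAIL = """\
From: American Express <americanexpress@email2.americanexpress.com>
To: treasurer@example-nonprofit.org
Subject: Action required on your account
Content-Type: text/html

<html><body>
<p>Please <a href="http://bit.ly/EXAMPLE-SHORTLINK">https://www.americanexpress.com/account</a> to review your account.</p>
<p><a href="https://www.americanexpress.com/help">Help Center</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lowercase host of a URL, or of a bare 'www.example.com/path' string."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(candidate).hostname or "").lower()


def looks_like_url(text):
    return bool(re.match(r"^(https?://|www\.)\S+$", text))


def inspect_message(raw_message, expected_domain):
    """Return a list of findings; an empty list means nothing stood out."""
    msg = message_from_string(raw_message)
    findings = []

    # Tell 1: the address after the @ is compared with the domain you expect,
    # exactly, so 'email2.americanexpress.com' is reported as different.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain != expected_domain.lower():
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")

    # Tell 2: what the link says versus where the href actually points.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        href_host = host_of(href)
        if href_host in URL_SHORTENERS:
            findings.append(f"shortened link hides its destination: {href}")
        if looks_like_url(text) and host_of(text) != href_host:
            findings.append(f"link text {text!r} actually points at {href_host!r}")
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_EMAIL, "americanexpress.com"):
        print("-", finding)
```

The sender-domain check is deliberately strict: plenty of legitimate bulk mail does come from subdomains, so treat that finding the way the slide does, as a reason to look harder rather than proof on its own. The link check is the stronger signal, because there is no honest reason for visible text naming one site to carry an href to another.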
![Page 48: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/48.jpg)
So there you go: even with the 6 security basics in place, there are many serious risks to consider in today’s world.
It’s all about learning to live with risk.
And not all risks are created equal:
![Page 49: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/49.jpg)
Risk is the likelihood that something bad will happen that causes harm to an asset (or the loss of the asset).
A vulnerability is a weakness that could be used to cause harm to an informational asset.
A threat is anything that has the potential to cause harm.
Risk (due to a threat) = Threat × Vulnerability
www.sans.org
![Page 50: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/50.jpg)
Responding to a Particular Risk: Make Risk a Conscious Decision
Mitigation = fix the vulnerability or provide some type of control measure to reduce the likelihood or impact associated with the flaw/vulnerability.
Transference = allow another party to accept the risk on your behalf (rare in IT; think of insurance)
Acceptance = simply allow the system to operate with a known risk.
Avoidance = remove the vulnerable aspect of the system or even the system itself.
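The formula on the previous slide and the four responses on this one fit together as a small risk register: score each risk, rank it, record the decision, and flag anything that has no decision at all, since that is risk being run by accident rather than consciously. This is an added example, not from the slides; the register entries reuse the deck's own examples, and the 1-to-5 scales and scores are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

RESPONSES = ("mitigate", "transfer", "accept", "avoid")


@dataclass
class Risk:
    asset: str
    threat: int                       # 1 (rare) .. 5 (expected): likelihood the threat acts
    vulnerability: int                # 1 (hardened) .. 5 (wide open): how exposed the asset is
    response: Optional[str] = None    # one of RESPONSES once a conscious decision is made
    residual_vulnerability: Optional[int] = None   # vulnerability after mitigation/transfer
    note: str = ""

    def score(self):
        """Risk = Threat x Vulnerability, the formula the deck cites."""
        return self.threat * self.vulnerability

    def residual_score(self):
        """Score after the chosen response: avoid removes the exposed piece,
        mitigate/transfer lower the vulnerability, accept leaves it as is.
        No decision recorded means the full inherent risk is still being run."""
        if self.response == "avoid":
            return 0
        if self.response in ("mitigate", "transfer") and self.residual_vulnerability is not None:
            return self.threat * self.residual_vulnerability
        return self.score()


def undecided(register):
    """Assets with no recorded response, in register order."""
    return [r.asset for r in register if r.response not in RESPONSES]


def ranked(register):
    """Highest inherent score first, so limited time goes where it matters."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def total_residual(register):
    return sum(r.residual_score() for r in register)


# Constructed register built from the deck's own examples; numbers are illustrative.
REGISTER = [
    Risk("Default password on the office router", 5, 5, "mitigate", 1,
         "changed; stored in the password vault"),
    Risk("USB ports on shared workstations", 4, 4, "avoid",
         note="USB storage banned by policy"),
    Risk("Windows Server 2003 running the phone system", 3, 5, "accept",
         note="kept on-line for business reasons"),
    Risk("Backups on a single on-site drive", 3, 4, "transfer", 1,
         "moved to a cloud backup service"),
    Risk("Staff clicking links in phishing email", 5, 3),   # no decision recorded yet
]


if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{r.score():3} -> {r.residual_score():3}  {r.response or 'UNDECIDED':9}  {r.asset}")
    print("undecided:", undecided(REGISTER))
    print("total residual:", total_residual(REGISTER))
```

The useful output is not the arithmetic but the two lists it produces: the ranking tells an accidental techie what to look at first, and the undecided list is the concrete form of "make risk a conscious decision". Note that acceptance still counts at full score; the register records that the organization chose to carry it, which is the point of the slide.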
![Page 51: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/51.jpg)
Easy Risks to Mitigate:
• Create an inventory of devices so you can tell what belongs and what’s rogue
• Create an inventory of software
• Password protect all your devices and change all default passwords (firewalls, routers, servers, laptops, workstations, printers)
• Make sure anti-malware is working
• Make sure your wireless is locked down
• Test your backups (make sure you can restore)
• Limit people’s access to what they need
• Train your staff about risk
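The first item on this slide only pays off if the inventory is compared against what is actually on the network, which is also how a rogue access point or an unknown smartphone from the earlier slides shows up. The script below is an added example, not from the presentation: the inventory and the ARP-style listing are both constructed, and the listing format (one device per line, IP address then MAC address) is an assumption about what your router or `arp` output looks like.

```python
import re

# Constructed: the organization's authorized-device inventory, keyed by MAC address.
INVENTORY = {
    "00:11:22:33:44:01": {"name": "office-router", "owner": "IT"},
    "00:11:22:33:44:02": {"name": "file-server", "owner": "IT"},
    "00:11:22:33:44:03": {"name": "laptop-finance", "owner": "Finance"},
    "00:11:22:33:44:04": {"name": "printer-lobby", "owner": "Office"},
}

# Constructed: lines in the shape of an ARP or DHCP listing, 'ip mac [rest]'.
# Note the mixed MAC notations; real tools are not consistent about this.
OBSERVED = """\
Address         HWaddress           Type
192.168.1.1     00-11-22-33-44-01   dynamic
192.168.1.10    00:11:22:33:44:02   dynamic
192.168.1.23    00:11:22:33:44:03   dynamic
192.168.1.77    AA:BB:CC:DD:EE:FF   dynamic
192.168.1.255   ff-ff-ff-ff-ff-ff   static
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def normalize_mac(mac):
    """Accept aa:bb:.., AA-BB-.., aabb.ccdd.eeff; return lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_observed(text):
    """Return {mac: ip} from listing lines, skipping headers and the broadcast entry."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            mac = normalize_mac(parts[1])
        except ValueError:
            continue          # header line or something that is not a MAC
        if mac == BROADCAST:
            continue
        seen[mac] = parts[0]
    return seen


def reconcile(inventory, observed):
    """Split observed devices into known and rogue; list inventory devices not seen.

    'rogue' is what the slide is after: hardware on the network that nobody
    recorded. 'missing' is the quieter signal that the inventory is stale."""
    known = {mac: ip for mac, ip in observed.items() if mac in inventory}
    rogue = {mac: ip for mac, ip in observed.items() if mac not in inventory}
    missing = [mac for mac in inventory if mac not in observed]
    return {"known": known, "rogue": rogue, "missing": missing}


if __name__ == "__main__":
    result = reconcile(INVENTORY, parse_observed(OBSERVED))
    for mac, ip in result["rogue"].items():
        print(f"ROGUE    {ip:15} {mac}")
    for mac in result["missing"]:
        print(f"MISSING  {'':15} {mac}  ({INVENTORY[mac]['name']})")
    print(f"{len(result['known'])} known device(s) seen")
```

A MAC address is trivially changed, so a clean result proves only that nothing unexpected is announcing itself; the value is in the routine. Run the comparison on a schedule and the first unexplained entry is the rogue access point or the unknown phone, found before it is a problem rather than after.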
![Page 52: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/52.jpg)
Easy Risks to Transfer:
• Some backup solutions (most cloud solutions)
• Some wireless setups (e.g., Meraki)
• Certain business systems (Office 365)
• Outsource your website hosting
![Page 53: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/53.jpg)
Easy Risks to Accept:
• For business reasons, keeping an old system on-line (e.g., Windows Server 2003 running a phone system)
![Page 54: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/54.jpg)
Easy Risks to Avoid:
• Consider banning the use of USB devices (or squirt glue into the actual port)
• Choose not to have a wireless network
• Don’t allow BYOD (Bring Your Own Device)
• Limit administrative privileges on devices
![Page 55: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/55.jpg)
4 Last Suggestions for Mitigating Risk
1. If you accept Smartphones:
• No jailbreaking. Software should only be installed from the official app store, marketplace, etc.
• Vet your app sources, especially Android users
• Screen-lock password. Should kick in automatically after around 5 minutes of inactivity.
• Password protect your SIM card so that if it’s lost, people can’t use it.
• Disable Bluetooth if you don’t use it.
![Page 56: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/56.jpg)
4 Last Suggestions for Mitigating Risk
2. Use Admin Privileges Carefully
There are several kinds of user accounts for most systems:
• Guest (disable)
• User
• Administrator
![Page 57: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/57.jpg)
4 Last Suggestions for Mitigating Risk
Only computer administrators should use administrative accounts . . . and use them only when administering computers.
On my personal computer:
Administrator – disabled (too easy to guess)
Guest – disabled
RDHadmin – my own administrative account
Roger – my non-administrative account
![Page 58: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/58.jpg)
4 Last Suggestions for Mitigating Risk
3. Implement Security Policies, and then enforce them
• Computer Acceptable Use Policy
• BYOD Policy
• Password Policy
• Laptop Usage Policy
• Remote Access Policy
• Guest Access Policy
• Encryption Policy
• Social Network Policy (Facebook, et al)
![Page 59: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/59.jpg)
4 Last Suggestions for Mitigating Risk
4. Educate Your Staff
Don’t assume people know what to do
Create a Security-Aware environment:
• Official “Security Awareness Training”
• Create a library of articles on security issues
• Brown-bag lunch-and-learn
• Share videos (see Sophos)
![Page 60: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/60.jpg)
Any Questions or Comments?
2012 MAP TechWorks, a program of MAP for Nonprofits
![Page 61: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/61.jpg)
Thank you!
Roger Hagedorn, CISSP, Technology Consultant at MAP
www.cultivatingsecurity.com
![Page 62: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/62.jpg)
Resources
• SonicWALL Phishing IQ Test: http://www.sonicwall.com/furl/phishing/
• SANS NewsBites, a semiweekly summary of the most important news articles on computer security during the past week: http://www.sans.org/newsletters/newsbites/
• @Risk summarizes the 3-8 vulnerabilities that matter most, tells what they do and how to protect yourself from them: http://www.sans.org/newsletters/risk/
• Brian Krebs on Security is a daily blog on computer security and cybercrime: http://krebsonsecurity.com/
• Sophos’ “1-minute security tips for the workplace”: http://www.youtube.com/playlist?list=PLD88EACF404839195
![Page 63: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/63.jpg)
Resources
• CNET article on password vaults: http://www.infoworld.com/d/security/review-7-password-managers-windows-mac-os-x-ios-and-android-189597
• 26 Online Backup Services Reviewed (April 2013): http://pcsupport.about.com/od/maintenance/tp/online_backup_services.htm
• Man in the Middle Attack Explained: http://en.wikipedia.org/wiki/Man-in-the-middle_attack
• The SANS Institute’s 20 Critical Controls: http://www.sans.org/critical-security-controls/
• The SANS Security Policy Project: http://www.sans.org/security-resources/policies/
![Page 64: Cultivating security in the small nonprofit](https://reader038.fdocuments.us/reader038/viewer/2022110307/55577c78d8b42ad4278b4775/html5/thumbnails/64.jpg)
Free Tools
• Secunia Small Business identifies vulnerabilities in non-Microsoft (third-party) programs: http://secunia.com/products/smb/smallbusiness/
• Qualys BrowserCheck will perform a security analysis of your browser and its plugins to identify any security issues: https://browsercheck.qualys.com/
• FileHippo.com Update Checker scans your computer for installed software (please note that not all programs are supported): http://filehippo.com/updatechecker/