Page 63 - Cyber Defense eMagazine - October 2017

Defensive Measures for Non-Profits

               by Charles Parker, II; Cybersecurity Lab Engineer


               Attackers have not been overly picky in selecting their targets. The focus continues
               to be money and data, specifically sensitive data and intellectual property, which
               can then be sold on the dark web. The vulnerabilities that lead to these incidents exist
               for several reasons, including, but not limited to, a lack of adequate security. That lack
               is not because the non-profit does not want a secure system. It is more a function of
               budgetary constraints, staffing issues, a lack of security tools, and other aspects of
               their operations.


               This creates an interesting dilemma. The non-profit cannot operate an insecure
               environment, yet it does not have the resources needed to secure it. This places the
               non-profit in dire straits. Management would not be a proper steward of the funds if a
               compromise occurred and the organization's funds and/or sensitive data were
               exfiltrated. Worse yet, the non-profit might have to pay a third party for a decryption
               key so users could use the system again, or pay a forensic analyst to remediate the
               issue, and neither is inexpensive.

               Threats

               The threats to not only non-profits but all businesses and consumers come from
               many sources around the globe. With the mass of people and bots focused on
               compromising your systems, defending the enterprise appears to be very difficult at
               best.

               Prolonged as defending the perimeter and systems is, there are actions to take to
               further this goal. Users may need updated training on what an acceptable password
               looks like. Not every password is acceptable. As examples, 123456, 3456789, the user's
               birth month and day or year, or the user's mother's name would not be acceptable. Any
               data or information that is readily trackable and available on social media should not
               be used; it is far too easy for an attacker to obtain. The password should be at least
               eight characters, with upper- and lower-case letters, numbers, and special characters.
               The system's password parameters should also be configured to enforce these rules, so
               that a non-compliant password is rejected rather than left to the user's discretion.
               Screening candidates against a list of known-breached passwords catches many bad
               choices that composition rules alone miss. A poorly chosen password is an easy attack
               point.
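The rules above can be enforced in code rather than left to training alone. The following is an added example, not code from the article or any product it mentions: a policy check that applies the length and character-class rules, a deny-list of well-known passwords, and a check against profile data an attacker could harvest from social media (names, birth-date fragments). The `profile` dictionary keys and the tiny deny-list are constructed for illustration; a real deployment would load a breach-derived password list.

```python
"""Password-policy check implementing the rules described above (added example)."""
from datetime import date

MIN_LENGTH = 8

# Constructed, deliberately tiny deny-list of well-known passwords; a real
# deployment would load a breach-derived list with millions of entries.
COMMON_PASSWORDS = {"123456", "3456789", "12345678", "password", "qwerty", "letmein"}


def missing_character_classes(pw):
    """Names of the required character classes that pw does not contain."""
    present = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }
    return [name for name, ok in present.items() if not ok]


def profile_terms(profile):
    """Strings an attacker could harvest from social media: names and
    birth-date fragments. `profile` is a hypothetical dict with optional keys
    first_name, last_name, mother_name and birthdate (ISO 'YYYY-MM-DD')."""
    terms = set()
    for key in ("first_name", "last_name", "mother_name"):
        value = profile.get(key, "")
        if len(value) >= 3:          # skip fragments too short to be meaningful
            terms.add(value.lower())
    if profile.get("birthdate"):
        dob = date.fromisoformat(profile["birthdate"])
        terms.update({
            str(dob.year),                    # e.g. 1985
            f"{dob.month:02d}{dob.day:02d}",  # e.g. 0314 (MMDD)
            f"{dob.day:02d}{dob.month:02d}",  # e.g. 1403 (DDMM)
        })
    return terms


def check_password(pw, profile=None):
    """Return the list of policy violations; an empty list means acceptable."""
    profile = profile or {}
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    gaps = missing_character_classes(pw)
    if gaps:
        problems.append("missing " + ", ".join(gaps))
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    lowered = pw.lower()
    hits = sorted(term for term in profile_terms(profile) if term in lowered)
    if hits:
        problems.append("contains profile-derived term(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed sample profile and candidate passwords.
    profile = {"last_name": "Smith", "birthdate": "1985-03-14"}
    for candidate in ("123456", "Smith1985!x", "Tr0ub4dor&3"):
        verdict = check_password(candidate, profile) or ["acceptable"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The profile check is what turns the article's "nothing from social media" advice into something the system can enforce: `Smith1985!x` satisfies every composition rule yet is rejected because it embeds the user's surname and birth year.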

               Two-factor authentication is a useful tool in combating unauthorized access by third
               parties. It works as a second check that the person attempting to log in truly is the
               authorized person and not an unauthorized third party. The user is verified through an
               external channel, generally a code sent to or generated on the user's phone, or a push
               notification the user must approve. Codes delivered by SMS are weaker than app-generated
               codes or hardware tokens, since a phone number can be hijacked, but any second factor
               is a large improvement over a password alone.
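The article does not say how the phone-side code is produced; the app-generated variant is the time-based one-time password (TOTP, RFC 6238), which this added example implements on the verifying side. It is not code from the article or any product it mentions. The secret is the RFC 6238 test secret, the clock values are the RFC's published test times, and the `TotpVerifier` class is an assumed design that adds the two checks a practitioner wants beyond the bare algorithm: a small tolerance window for clock drift, and rejection of a code that has already been accepted once.

```python
"""Server-side verification of a time-based one-time code (TOTP, RFC 6238). Added example."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """Code the user's authenticator app shows at unix time `at` (default: now)."""
    now = int(time.time() if at is None else at)
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Holds per-user state so an accepted code cannot be replayed (assumed design)."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window          # tolerate +/- this many steps of clock drift
        self.last_accepted = -1       # highest time step already consumed

    def verify(self, code, at=None):
        now = int(time.time() if at is None else at)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate_step = current + delta
            if candidate_step <= self.last_accepted:
                continue               # replay: this step was already used
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, candidate_step), code):
                self.last_accepted = candidate_step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII); an authenticator app would be enrolled
    # with its base32 form via a provisioning URI or QR code.
    secret = b"12345678901234567890"
    print("enrol with:", base64.b32encode(secret).decode())
    print("code at t=59:", totp(secret, at=59))   # RFC 6238 vector: 287082
    v = TotpVerifier(secret)
    print("first use accepted:", v.verify("287082", at=59))
    print("replay rejected:", not v.verify("287082", at=59))
```

The `last_accepted` state must be persisted per user in a real system; without it, an attacker who shoulder-surfs or intercepts a code can reuse it for the remainder of the 30-second step plus the drift window.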


               The entity should use up-to-date software. If the non-profit is using software that is end
               of life (EOL), the software manufacturer is not, as a rule of thumb, continuing to spend