Page 64 - Cyber Defense eMagazine - October 2017
much time and effort with ensuring the software does not have vulnerabilities or
patching new vulnerabilities as they arise and are found. For instance, Windows XP has
reached end of life (EOL). The regular patches being pushed from Microsoft are not
directed at Windows XP. Attackers look for outdated systems, as they likewise know
these have vulnerabilities. By not keeping relatively current software in use, the
non-profit is leaving the door cracked for the attackers to look in and enter the
system.
With budgetary constraints as they are, open source software may be used to fill a gap
in function while not incurring operating (OpEx) or capital (CapEx) expenditures.
Although it serves a function, this software may be problematic. The open source
software is there to be used without charge. The service may also charge for the
upgraded, non-baseline version with a greater range of functionality. The issue
is that there may be no dedicated staff in place for updates, patches, functions the
customers want in the future, etc. This, unfortunately, makes for outdated,
insecure software. This applies to a substantial portion, but not all, of the open
source software packages. As an alternative, software from manufacturers should be
used if possible.
Internal risk is a viable risk vector and attack point. Employees have the innate
ability to be the non-profit’s best friend and worst enemy. Employees may exfiltrate
data and intellectual property via third-party email, USB drives, and other methods. The
harm may also be unintentional: a user who is not very wary of phishing attacks may
become the primary victim, while the non-profit is the secondary victim of the attack.
Attackers with a well-crafted email may entice staff into bringing ransomware
onto your system.
Closing…
Non-profits have many difficulties and obstacles to overcome in their operations to
provide a secure system. The C-level needs to ensure the cash flow is relatively
constant or available in a variety of economic circumstances. Assuredly this has not
been an easy task, especially during the economic issues of 2008. The non-profit must
maintain its relevancy in a sea of other non-profits with like and different mission
statements.
Coupled with these issues is the maintenance of enterprise security. The issues with
implementing a robust, solid cyber security defensive posture range from the
implementation to employees and procedures. Although this is a rather large project,
it may be completed with a bit more effort and creativity, and is clearly possible.
Copyright © Cyber Defense Magazine, All rights reserved worldwide.