As we all, hopefully, know, “data protection” is a key challenge and a serious issue for all associations. In order to provide the required and expected levels of data protection we first need to have good security.
I’m not going to write about the ramifications or requirements of any EU directives, but I’d like to talk about the steps we can take to improve security most effectively and reduce the risks we are exposed to. We can work towards a more secure environment by taking some simple steps and applying some common sense.
For security to be achieved it needs to be built into the thinking and practice at every stage of information technology planning and deployment: right from the start of the software development process to the final stages of sharing information on any public platform. Any service an association provides to the public on any internet-connected system is a potential break in the security chain.
You may think your data is dull and boring, but history has shown that almost any data you hold is of interest to someone. If they can access your data, they’ll use it to exploit anyone and everyone they can. To provide good security you need to know your boundaries. You need to understand what defines the line between the private data you do not want to share and the public data you want to share with the world. You need to consider the layers of security: it is clear that some things need to be kept more secret than others.
Well-configured firewalls can be used to reduce your exposure to the world and define a boundary between your private secrets and your public information. The best way to start is to block everything! Only allow traffic that is essential for your system to operate, and only unblock a port if there is a real business need, the repercussions are fully understood and the risk is accepted, because every open port is a risk. Layer the protection, taking account of the network as a whole, the servers that sit on that network and then the local workstations that individuals use. Never rely on default settings: delve in, understand the terminology, and check and double-check to make sure you are protected.
To be safe we should encourage a security oriented mindset in our staff and in our members. There is no point in having the best locks in the world if you habitually leave the doors open!
Often security is breached by use of social engineering (SE). Social engineering is one of the easiest, cheapest tools in the hackers’ arsenal!
A telephone call to the helpdesk: “I’ve locked myself out of my email, please reset my password.” “Please read the attached document.” “Click this link to unlock your account”… How easily we fall for these tricks, over and over again.
Phishing, in all its forms, is a type of social engineering designed to extract information from you. We all need to be aware that we should not blindly trust what we find on the internet and in emails. Trust your instincts. Does it smell right? Would this organisation behave in this way?
A good rule of thumb is never to open a .ZIP or .EXE file, and always look at the actual email address a message has come from: often it says one thing but comes from a domain in China, Russia or somewhere else. Even the most high-tech security companies have been breached in this way.
HBGary, who provided security technology and whose client list included information assurance companies, computer emergency response teams and computer forensic investigators, was famously hacked using an SQL injection attack and a small SE trick.
In the HBGary attack a small web server was compromised by exploiting an SQL injection vulnerability (getting the database to execute commands smuggled in through a URL) in the content management system (CMS). This hack exposed the usernames and the passwords of the site administrators. The passwords were stored as one-way hashes rather than in plain text, but the hackers made use of special tools and “rainbow tables” (precomputed hash-to-password lookups) to work out the plaintext passwords. Not only did the hackers now know the admin password for the web server, but the same username and password combination was used on other servers, allowing deeper penetration. Once the hackers had got this far in they were able to use internal email to social engineer a system administrator into setting the password for a root administrator account to "changeme123". It took the hackers only a few minutes to compromise the entire network. Within hours all HBGary’s emails and confidential data had been published on the internet. Needless to say, HBGary are no more.
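The rainbow-table step above only works because the stored hashes were fast and unsalted: the same password always produces the same hash, so one precomputed table serves every site that stores passwords that way. The following example, added here and not part of the original article, contrasts a constructed legacy table of unsalted MD5 hashes (which a weak-password audit against a short common-password list can resolve by lookup) with per-user salted PBKDF2 hashes from Python’s standard library, where no precomputed table applies and verification still works. The usernames, password list and hash formats are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny common-password list. Real precomputed tables run
# to billions of entries, but the principle demonstrated is identical.
COMMON_PASSWORDS = ["password", "changeme123", "letmein", "admin", "Summer2015"]


def unsalted_md5(password):
    """Legacy storage scheme: one fast hash, no salt. Every site using it stores
    the same hash for the same password, so a single precomputed table applies."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_table(candidates):
    """Build the hash -> plaintext table once; it is reusable against any unsalted store."""
    return {unsalted_md5(p): p for p in candidates}


def audit_unsalted(stored_hashes, table):
    """Defender's check: which accounts hold a hash that appears in the table?
    Returns {username: plaintext} for the accounts that are exposed."""
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def pbkdf2_hash(password, salt=None, iterations=200_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A random per-user salt makes
    every precomputed table useless; the iteration count makes each guess slow."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password, stored):
    """Check a login attempt against a stored pbkdf2 string (constant-time compare)."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    table = precomputed_table(COMMON_PASSWORDS)
    # Constructed legacy admin table: "changeme123" stored as an unsalted MD5.
    legacy = {"admin": unsalted_md5("changeme123"), "editor": unsalted_md5("Xk9#vL2q!pR7")}
    exposed = audit_unsalted(legacy, table)          # only 'admin' is resolvable by lookup
    # Same password stored properly: two users choosing it get different salts,
    # so the stored strings differ and nothing precomputed can match either.
    a, b = pbkdf2_hash("changeme123"), pbkdf2_hash("changeme123")
    return exposed, a != b, pbkdf2_verify("changeme123", a) and not pbkdf2_verify("changeme124", a)
```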
Just from this one attack we can learn a lot.
Can your Websites be breached?
Even a small CMS (content management system – a content database) that is not even connected to your main IT system can provide hackers with a backdoor.
Have you subjected your websites and CMSs to penetration testing?
Websites need to be tested again and again, because new vulnerabilities appear over time. In much the same way as a website may be scanned for PCI compliance testing, your sites need to be evaluated for any weaknesses. There are free tools online that can help you with this.
Are you checking for leaks?
Sometimes systems we consider private may be exposing your data. I recently came across a tech company that makes use of an online tracking system. While the developers were communicating with clients, the threads were visible on the internet. The technical details that were being disclosed would be a gift horse to any malicious hacker.
One advantage of using products like ASI’s iMIS 20 engagement management system is it has security developed into it. The software has been validated as compliant for new deployments with the Payment Application Data Security Standard (PA-DSS) version 2.0 by the PCI Security Standards Council. (Most UK software for Associations has not been validated). Websites built using iMIS’s RiSE web engagement platform, and correctly configured, will pass PCI compliance.
Backing up your data. Important data should be backed up to secure storage. We at Ifinity always strongly advise also using off-site back-ups. In the event of a catastrophic event taking out your systems you’ll have a better chance of recovery if you have an off-site back up of your important data.
Just last week the electrical supply for a Google data centre in Belgium was struck 4 times by lightning. Fortunately only a small amount of data was destroyed.
We need to consider how this data is stored, and how we can restore it. Off-site data is usually encrypted with strong algorithms. Without the encryption key it is impossible to restore this backup.
One day I had a call from a client. Their server had a disk issue. It shouldn’t have been a big problem, as they were using RAID 5 on their server. They hired an inexperienced technician, and he thought it’d be helpful to take each of the disks out. He put the disks back in the wrong positions; this, of course, broke the RAID and rendered it useless. No problem, they thought, as they had an off-site backup. To get to the backup data they needed the encryption key. A key that only they had a copy of, the same key they were advised to keep safe in case of emergency. Where was the key? Stored on the server’s drive, the same drive rendered useless by a techie. All their data was gone!
Protection where it’s needed. Security is only as good as its weakest spot. What good is powerful encryption if we leave the keys lying around? A key point in security is passwords. How we use and store passwords is of utmost importance. Weak, shared, common passwords may make life easier, but they will eventually lead to your systems being hacked.
Does your organisation have a password policy? It’s often normal for employees to share passwords and accounts. It makes life easier, at least until such a time as it leads to a breach. I strongly believe that each user should have their own account and that sharing accounts is to be discouraged. If we are sharing user accounts then we lose any chance of attribution should a breach occur – and it’s not because we want to blame people, but we need to learn and understand how a breach was possible to prevent further intrusion. Personally and organisationally we need to promote good password use.
I prefer to use passphrases; for example, “NeverGoingToGiveYouUp” is much stronger than “2cOjSoSN3” and also much easier to remember.
- Don’t reuse your passwords: you can use variations for each website, for example “NeverGoingToGiveGoogleUp”.
- Never disclose your password.
- Never email a password, or any sensitive information for that matter.
- Use 2-step authentication where possible.
Personally I need to manage and maintain 100s of passwords. I use encryption tools to keep my passwords safe.
Remember, longer passwords are far stronger and would take far longer to crack: millions of years instead of a few hours! Be aware that while many sites will accept very long passwords, some sites, like Hotmail and Live, have a maximum password length of 16 characters.
Be very cautious about using unknown networks, and especially unknown Wi-Fi systems. While BYOD usage is becoming ever more popular, we are creating an ever-expanding security problem. If a staff member uses their phone or device to connect to your email system via an insecure “free” Wi-Fi network, they may unwittingly expose their credentials to a hacker.
Make sure every time you log in to a website that it is using HTTPS, and has a current certificate that you trust.
I have anti-virus, therefore I am safe. Not so. Do not rely on anti-virus. Most anti-virus is less than 50% effective at identifying current threats. Really, read that again: most anti-virus is less than 50% effective at identifying current threats! Even the best anti-virus is less than 65% effective.
I’m not saying uninstall your antivirus – I’m saying do not rely on anti-virus to keep you secure!
Update, update, update! By applying regular updates to your software you will help reduce the vulnerabilities and render most viruses useless. A small, easy step, but a highly effective one. Hackers rely on you not taking steps to ensure your systems are kept up to date. Once a vulnerability has been made public, an army of hackers will be developing scripts to infiltrate any systems that are not patched.
Most viruses can be avoided by common sense: avoid dodgy websites, phishing attacks, poisoned links and all those fake “update your Flash plugin” prompts; don’t use or share untrusted USB sticks; and, of course, watch out for those pesky phishing emails.
Make sure you go beyond your standard anti-virus software by using tools such as Malwarebytes to check your PC once in a while.
Make sure you are aware of current threats and vulnerabilities. Keep an eye on industry publications and websites dedicated to IT security.
Plan ahead. Recently a number of high-profile cases have come to light where organisations have been held to ransom: “Pay us 50 Bitcoins or we’ll shut down your website”. Unfortunately these types of attack are becoming more frequent. It is relatively easy for criminals to launch a DDoS attack on your infrastructure. It is advisable to have a plan for how you will deal with such an event. Work with your ISPs to plan how you can mitigate such attacks.
Reduce your exposure. The case of Ashley Madison has exposed some organisations to attack. Staff had used their “work” email address when signing up, and now that information is being used for blackmail. Make it a policy not to use work emails for personal activities!
Contact Tony: [email protected]
About iFINITY plc:
iFINITY plc have been working with leading not-for-profit organisations in the UK, Europe and worldwide since 1993 and were formerly an independent IT company within the HW Fisher & Company group. The company is an aISP for the #1 association engagement management solution, iMIS 20, and has been an award-winning partner of ASI since 1994. We specialise in helping associations with complex, performance-improving computer systems based around a single database, and we have a particular focus on association joining and renewal processes and on building fully integrated workflow tools. Our tools for iMIS are used by large associations, non-profits and governments worldwide.
iFINITY plc is a MemberWise Recognised Supplier.