GiveCamp is a weekend-long event that occurs in cities across the United States and beyond. Its purpose is to pair local nonprofit organizations with technology talent in those areas. Projects often involve, but are not limited to, tasks such as updating or revamping nonprofits' websites to improve functionality and make them a better fit for their missions. Over the past six years, Cleveland GiveCamp has shifted its focus toward being more cognizant of the need for information security, with a growing awareness that nonprofits face some unique challenges. Let's take a look at some things nonprofits can do to decrease their threat surface and keep the bad guys out.
Nonprofits face security-related challenges
The culture surrounding nonprofits is focused on gaining attention, enlisting support for a cause, and ultimately making the world a better place. It can be difficult for those working in this environment to imagine the mindset of the bad guys, who are out to leverage organizations for their own gains. There's also the fact that the nonprofits wouldn't typically view themselves as having anything worth stealing -- particularly when it comes to intangibles like data.
The reality is that cybercriminals are looking for "easy" vulnerabilities, which are often prevalent in nonprofits. Weak points such as being understaffed and lacking the capability to maintain security best practices make these systems easy to hack.
It's also good to keep in mind that what happens online doesn't always stay online. Vulnerabilities can (and have) put the physical security of people going about their normal lives in jeopardy. The thought that simply being connected to a nonprofit could put individuals at risk isn't a pleasant one to consider. No one likes to dwell on such things; however, nonprofits that want to be responsible and compassionate toward their members need to consider them.
What can be done to better manage risk?
There are quite a few recommended actions to take in order to minimize risk and make your nonprofit less of a target. Even if your organization isn't able to implement all of these suggestions, doing something is better than doing nothing.
1.) Conduct threat modeling
The previously mentioned challenges show the importance of threat modeling, and of modeling conducted in a manner that fits your unique environment. A volunteer group that reads to the blind, for instance, would not necessarily face the same adversaries as a group focused on teaching English to new immigrants in the inner city (both hypothetical examples).
2.) Examine web applications
Next steps would include an examination of all web applications utilized by your nonprofit. Best practice is to research each included element from a security standpoint. For example, if starting with WordPress, what security issues have been found with it? All plug-ins should get the same scrutiny: you should be looking for known vulnerabilities, as well as the track record and history of maintenance. Let's say you have an amazing open-source widget whose code hasn't been given any love for two years. This untouched bit of code is most likely weak and has vulnerabilities.
Running tests against web apps helps ensure nothing gets overlooked. Hidden default settings can easily betray the goodwill a nonprofit has worked hard to build. Tests may reveal issues to address, such as a server setting that developers don't have the access to modify because of the chosen platform, or an inadvertently viewable text file with sensitive information. Being aware of potential security issues gives your nonprofit the opportunity to discuss them with the provider, decide the level of risk, and choose what course to take.
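The plug-in review described above can be scripted. This is an added example, not GiveCamp's or WordPress's own tooling: it parses the standard header lines a WordPress plug-in ships in its readme.txt ("Tested up to", "Stable tag") and combines them with a last-updated date you would read from the plug-in's listing, flagging plug-ins that are stale or untested against the site's WordPress version. The plug-in names, versions and dates are constructed sample data.

```python
"""Audit WordPress plug-ins for staleness and untested compatibility (added example)."""
import re
from datetime import date

# Constructed sample: the readme.txt header each plug-in ships, plus the
# 'Last updated' date you would read from its wordpress.org listing.
SAMPLE_PLUGINS = {
    "donation-widget": ("""=== Donation Widget ===
Requires at least: 4.7
Tested up to: 4.9
Stable tag: 1.0.2
""", date(2017, 3, 10)),
    "event-calendar": ("""=== Event Calendar ===
Requires at least: 5.8
Tested up to: 6.4
Stable tag: 3.2.0
""", date(2024, 1, 5)),
}

# One 'Key: value' header per line; the '=== Name ===' title line has no colon and is skipped.
HEADER_RE = re.compile(r"^([A-Za-z ]+):\s*(.+?)\s*$", re.MULTILINE)


def parse_readme_headers(readme):
    """Return the readme.txt header block as a lower-cased key -> value dict."""
    return {m.group(1).strip().lower(): m.group(2) for m in HEADER_RE.finditer(readme)}


def version_tuple(v):
    """Compare WordPress versions on major.minor only ('6.4.2' -> (6, 4))."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:2])


def audit_plugin(slug, readme, last_updated, site_wp_version, today, max_age_days=730):
    """Flag a plug-in that has gone untouched for ~2 years or is untested on the running core."""
    headers = parse_readme_headers(readme)
    findings = []
    age = (today - last_updated).days
    if age > max_age_days:
        findings.append(f"not updated in {age // 365} years")
    tested = headers.get("tested up to")
    if tested is None:
        findings.append("no 'Tested up to' header")
    elif version_tuple(tested) < version_tuple(site_wp_version):
        findings.append(f"only tested up to WordPress {tested}, site runs {site_wp_version}")
    return {"slug": slug, "version": headers.get("stable tag", "?"), "findings": findings}


def audit_site(plugins, site_wp_version, today):
    """Run the audit over every installed plug-in; an empty findings list means no concern found."""
    return [audit_plugin(s, r, d, site_wp_version, today) for s, (r, d) in plugins.items()]
```

A plug-in that passes this check can still carry a known vulnerability, so the output is a prioritized list for the manual vulnerability research the text calls for, not a clean bill of health.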
3.) Ensure strong password creation
Any platform that does not allow developers to support users in setting up strong passwords, and to ensure that those passwords are handled securely, is not an appropriate choice. Sessions, as good as they may be, really need to have an end. Any other element that accepts input or any type of file also needs to be hardened against malicious code.
If your website has a section to log in or sign up for something, you need to make sure that it is not an easily accessed source of information. Exposed email addresses and other details set the hackers up with avenues for things like phishing, among other tactics.
4.) Check third-party elements
Every third-party component, such as those for data storage and payment processing, should be examined in terms of how it handles users' PII and any information submitted through forms. Make sure to look into data storage practices: Do they retain it? Is users' data encrypted at rest? For instance, is there a compelling need for women connected to a battered women's shelter to have any of their data held by a third party, unencrypted?
PCI compliance is only a beginning. There can be other indicators regarding corporate attitude. Is the organization's marketing page up-to-date? If their last reference was back in 2014, does this mean they're just unmotivated to make updates? A business lacking the ambition to make their front-facing information current is unlikely to be keeping up with their behind-the-scenes security issues.
Organizations should also keep in mind that promises made in the Terms of Service, or elsewhere regarding whether data will be shared, are always subject to change. Given these uncertainties, it should go without saying that the nonprofit should establish at the start what information is necessary to do their work (liability becomes a big issue in this area). Overall risk assessment should go beyond technical security controls and take in the big picture.
5.) Maintain consistent transport protocols
Transport protocols need to be secure and consistent. Best practice is to encrypt all traffic to a website using TLS. With free Let's Encrypt certificates, this shouldn't be an exceptional burden. Any content management system that makes it one, or charges a lot of money to do it, should ring some warning bells.
A check should also be made for comments in the code that could reveal information useful to an attacker. For the same reason, a web-facing app shouldn't return errors containing information that a normal user would never find helpful.
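The login and sign-up leak described in step 3 and the over-informative error messages described just above share one fix: respond the same way no matter which internal condition failed. This is an added example, not code from the original post; the user store, email addresses and password are constructed, and the leaky handler is shown only so the difference from the hardened one is visible.

```python
"""Uniform login/sign-up responses and generic error messages (added example)."""
import hashlib
import hmac
import os
import secrets

def _hash(password, salt):
    """PBKDF2 so the stored value is a slow salted hash, not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed user store: email -> (salt, hash). Stands in for the real database.
_SALT = os.urandom(16)
USERS = {"volunteer@example.org": (_SALT, _hash("correct horse battery", _SALT))}
# Dummy record so an unknown email still costs one PBKDF2 computation (same response time).
_DUMMY = (b"\x00" * 16, b"\x00" * 32)

GENERIC_FAIL = "Invalid email or password."
GENERIC_SIGNUP = "If that address is not already registered, a confirmation email has been sent."

def login_leaky(email, password):
    """'Before' version: two different messages let anyone confirm which emails have accounts."""
    if email not in USERS:
        return {"ok": False, "error": "No account for that email."}
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return {"ok": False, "error": "Wrong password."}
    return {"ok": True}

def login_hardened(email, password):
    """Same check, but an unknown email and a wrong password produce an identical response."""
    salt, stored = USERS.get(email, _DUMMY)
    valid = hmac.compare_digest(_hash(password, salt), stored) and email in USERS
    return {"ok": True} if valid else {"ok": False, "error": GENERIC_FAIL}

def signup_hardened(email):
    """Sign-up answers the same whether or not the address is already registered."""
    already_registered = email in USERS  # decides which email to send, never what to show
    return {"ok": True, "message": GENERIC_SIGNUP, "_send_reminder_instead": already_registered}

def safe_error(exc):
    """Keep the exception detail in the server log; the user sees only a reference id."""
    ref = secrets.token_hex(4)
    log_line = f"{ref} {type(exc).__name__}: {exc}"  # destined for the server log, not the page
    return {"ok": False, "error": f"Something went wrong. Reference {ref}."}, log_line
```

The `_send_reminder_instead` flag is internal bookkeeping for the mail step and would be stripped before the response is serialized; it is left visible here so the test can confirm the outward message does not change.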
6.) Engage penetration testing
Time waits for no one, not even code. Maintenance is another issue that needs to be planned for. Cleveland GiveCamp held training sessions over the weekend on how to use WordPress and on basic security hygiene. Developers and nonprofits also had the chance to experiment in a lab environment set up with pen testing tools, in order to better understand how easily an aging vulnerability can be exploited.
Of course, web applications are not the only way for someone with malicious intent to create chaos. A grant was received that enabled one of the organizations to have a more extensive pen test done, and the hope is to expand this next year. If a nonprofit's web app has been hardened against every possible misuse, but the devices on its network have weak security, it is a bit like wearing a raincoat that consists only of gloves.
Get proactive with a strategic, systematic approach to security
All of this can seem like a lot for a nonprofit to handle on top of all of the other work that they do. However, best security practices really need to become as standard as making sure all windows and doors are closed and locked at night. With a thoughtful and systematic approach to security, plus a bit of help from technical people like us, nonprofits at Cleveland GiveCamp can make it a little harder for the hackers to get in and a lot better for furthering their mission.