Best Practices 101
As is the case in many security arenas, Jewish organizations are at higher risk. All Jewish organizations should therefore work to ensure that they are following “best practices” in order to protect their websites and their reputations:
The Australian Cyber Security Centre (ACSC) has published guidance to organizations on risks posed by malicious email. Systems infected through targeted email phishing campaigns act as an entry point for attackers to spread throughout an organization’s entire enterprise, steal sensitive business or personal information, or disrupt business operations.
US-CERT encourages users and administrators to review the ACSC publication on Malicious Email Mitigation Strategies and US-CERT Alert TA15-213A for additional information.
- Institutions should always make the effort to have their Website hosted with a professional web hosting company and avoid having the Website reside on an Institution’s or member’s home or business computer.
- Institutions should meet or conference with their web hosting service and ask about: active back-up of their website; what security measures the hosting company uses to prevent Denial of Service (DoS) attacks and unauthorized website access; and whether their disaster recovery procedures include someone available 24/7 as a contact for emergencies.
- Choose a web host that regularly updates its technologies. Some of them provide content management systems, so they would most likely keep them up to date as well. Web hosts’ logs are very important. Having access to your web host’s access/error logs will help in troubleshooting problems as they arise.
- As with institutional email addresses, an effort should be made to limit and control the number of people with website administrator or webmaster permissions. There should also be a policy for password assignments and a schedule for changing passwords.
- How to Evaluate Cloud Security. From TechSoup.org. Cloud security continues to be one of the greatest concerns of anyone considering putting any type of data into the cloud or a mobile app. If your data includes donor, constituent, health care-related, or financial data, then cloud security jumps to the number one criterion on most organizations’ vendor selection list, or at least it should. Continued increases in the incidence and sophistication of cyber attacks should have any reasonable person cautiously paranoid about who could get access to data in the cloud.
- It is in the best interest of any computer owner to be aware of who has access to their computer, the permissions granted to each account, who has system administrator authorization and who assigns passwords.
- It is now considered a good practice to segregate general office and bookkeeping/member information to the greatest degree possible.
- If a computer system is connected to the Internet, an institution should consider using a primary carrier (Comcast, TimeWarner, Verizon, etc.) for Internet service.
- Companies that resell other companies’ services should be avoided where possible.
- It is always prudent to have active and up-to-date firewall, anti-virus and threat detection software.
- Although not all Websites or personal use of an Institution’s computers pose a problem, a basic “no personal use” policy is reasonable.
- As a general rule users should be discouraged from connecting personal devices, such as phones, iPods, tablet computers and flash drives to institutional computer systems.
- Downloading of any material from the Internet should be closely supervised to avoid viruses and potential copyright infringement.
If you leave a copy of your house keys under the mat, you’re inviting trouble. The same is true if you use simple, easy-to-guess passwords. Here are some resources on passwords:
- New York Times (November 19, 2014). The Secret Life of Passwords. We despise them – yet we imbue them with our hopes and dreams, our dearest memories, our deepest meanings. They unlock much more than our accounts.
- Just how strong are your passwords? Here are some tips for creating uncrackable passwords. From TechSoup.org
- Computer system intrusion can happen in a variety of ways: access in an unauthorized manner, access by an unauthorized user, internally by a member of the Institution, or externally by the public.
- Advanced software can alert a system administrator if unauthorized access has been attempted. Older systems may require a regular manual review of computer logs to detect unwanted access.
- Computer logs and advanced software, if properly configured, can indicate which computer files, if any, have been accessed. A policy should be established to inform members/staff if files containing personal or sensitive information have been exposed. It is likely best to err on the side of caution in such situations.
- Unauthorized computer access is potentially a criminal act. System intrusions rarely happen by accident and, as such, it is best to assume the person violating the system is seeking something. As with Website hacking, those perpetrating a system breach likely know they are breaking the law and may have motivation to justify that risk.
- As soon as a system intrusion is detected the system administrator must be contacted immediately. Thereafter, contact with law enforcement and FBI (http://www.ic3.gov/default.aspx) computer crime specialists is a possible next step.
- Due to the recent emergence and proliferation of smart mobile communication devices and mobile computing, there is at this time very little anti-virus or anti-malware protection for mobile computing devices. Mobile devices should only be granted access to institutional systems under the supervision of an experienced service provider, who clearly understands the security needs of a Jewish institution.
- Website hacking can take a number of different forms and can happen for a variety of reasons. For this document we are defining hacking as: activity in the secure section of a Website that is not the result of action by an authorized individual. How the hacking occurs is secondary; here we are discussing what to do afterward.
- We suggest contacting the hosting company for the Website as soon as the incident is discovered. The hosting company will need to preserve a copy of the hacked page(s) and copies of all relevant server logs. The hacked page(s) need to be removed as soon as possible in case malware is involved and also to limit the hacker’s usual main objective – to gloat.
- Report the event to the police and the FBI (http://www.ic3.gov/default.aspx) promptly. Provide them with a copy of the material left by the hacker, especially if it involves threats or hateful language.
- Restore the Website from a back-up copy, but only after the hosting company or ISP acknowledges that the issues relating to the hack have been addressed.
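The manual log review described above, for systems without alerting software, as an added example that is not part of the original page: it reads constructed web-application log lines, counts failed logins per source address, and reports which sensitive files were read and by whom, so staff can be informed if member or donor data was exposed. The log format, the authorized administrator accounts, the sensitive paths and the failure threshold are all assumptions for this example.

```python
import re
from collections import Counter, defaultdict

# Log format, field names, authorized accounts and thresholds are assumptions.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"result=(?P<result>\S+)(?: file=(?P<file>\S+))?$"
)
AUTHORIZED_ADMINS = {"webmaster", "office-admin"}  # accounts meant to hold admin rights
SENSITIVE_PREFIXES = ("/admin/", "/members/")     # admin area and member/donor data
FAILED_LOGIN_THRESHOLD = 3  # failures from one address that merit a closer look

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-03-01T08:00:01 203.0.113.5 user=webmaster action=login result=ok
2024-03-01T08:05:12 198.51.100.7 user=admin action=login result=fail
2024-03-01T08:05:15 198.51.100.7 user=admin action=login result=fail
2024-03-01T08:05:19 198.51.100.7 user=root action=login result=fail
2024-03-01T08:05:23 198.51.100.7 user=webmaster action=login result=fail
2024-03-01T09:10:00 192.0.2.44 user=guest action=login result=ok
2024-03-01T09:11:30 192.0.2.44 user=guest action=read result=ok file=/members/donors.csv
2024-03-01T10:00:00 203.0.113.5 user=webmaster action=read result=ok file=/admin/config.php
this line is not in the expected format
"""


def review_log(text):
    """Return what a manual reviewer needs: addresses hammering the login page,
    every file read per account, and sensitive files read by non-admin accounts."""
    failed_logins = Counter()
    files_by_user = defaultdict(list)
    exposed = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # malformed line; a real review would count these as well
        rec = match.groupdict()
        if rec["action"] == "login" and rec["result"] == "fail":
            failed_logins[rec["ip"]] += 1
        elif rec["file"]:
            files_by_user[rec["user"]].append(rec["file"])
            sensitive = rec["file"].startswith(SENSITIVE_PREFIXES)
            if sensitive and rec["user"] not in AUTHORIZED_ADMINS:
                exposed.append((rec["user"], rec["ip"], rec["file"]))
    return {
        "brute_force": {ip: n for ip, n in failed_logins.items() if n >= FAILED_LOGIN_THRESHOLD},
        "exposed_files": exposed,
        "files_by_user": dict(files_by_user),
    }
```

Running `review_log(SAMPLE_LOG)` flags the address with four failed logins and the guest account that read the donor list, while the webmaster’s read of the admin area is recorded but not flagged.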
Distributed Denial of Service Attack (aka DoS Attack)
- DoS attacks are the simplest and most common form of cyber-attack. A DoS attack is a coordinated effort by a group of computers to request access to a Website. This creates a situation where no one can access the Website, or its contents are delivered very slowly. In many cases a Website hosting company will shut down a Website temporarily rather than create a problem for its other customers. If a Website is a potential target of attacks, the Website hosting company should be made aware of the situation and can offer solutions.
Four products in the National Cyber Awareness System offer a variety of information for users with varied technical expertise. Those with more technical interest can read the Current Activity, Alerts or Bulletins. Users looking for more general-interest pieces can read the Tips.
- Current Activity. Provides up-to-date information about high-impact types of security activity affecting the community at large.
- Alerts. Provide timely information about current security issues, vulnerabilities, and exploits.
- Bulletins. Provide weekly summaries of new vulnerabilities. Patch information is provided when available.
- Tips. Provide advice about common security issues for the general public.
- Publications. User-friendly documents to help with everything from setting up your first computer to understanding the nuances of emerging threats.
A subscription to any or all of the National Cyber Awareness System products ensures that you have access to timely information about security topics and threats. To learn more or to subscribe, visit the subscription system. You can also visit our Mailing Lists and Feeds page to learn more about how to subscribe or use our syndicated feeds.
Department of Homeland Security – DHS Cybersecurity Resources.
- Cybersecurity Overview. Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyberspace.
- Combat Cyber Crime. As Americans become more reliant on modern technology, we also become more vulnerable to cyber attacks such as Corporate Security Breaches, Spear Phishing, and Social Media Fraud.
- Secure Cyber Networks. DHS is responsible for overseeing the protection of the “.gov” domain and for providing assistance and expertise to private sector owners and operators of cyber networks.
- Cyber Safety. Every time we connect to the Internet, we make decisions that affect our cybersecurity.
- How to Secure Your Web Browser. Learn to configure your web browser for safer Internet surfing.
- Cybersecurity and Privacy. Learn how DHS privacy staff integrates privacy protections into our cybersecurity operations.
- Cyber Research & Development. DHS continues to research and develop new innovative solutions to complex cybersecurity problems.
Tech Soup is a respected and valuable technology resource for nonprofits (If you don’t know about their deeply-discounted software, you should). They recently published an excellent disaster planning guide: The Resilient Organization. Find their links to the new guide and related webinars below.
Disaster preparedness isn’t just about being ready for a fire or earthquake; it’s a nimble, flexible approach to your organization’s day-to-day programs and operations. A natural disaster may never hit your office, but by adopting certain technologies and strategies, you can deepen your nonprofit’s impact and make you work faster and more efficiently. The resources in this toolkit will not only prepare you for a crisis, but also deepen the impact of your nonprofit or charity in times of health.
The Resilient Organization is a holistic guide to disaster planning and recovery. This book is intended both for organizations striving to be better prepared for an emergency and for organizations striving to rebuild and maintain operations after a disaster. Download The Resilient Organization and browse other disaster planning and recovery resources below.
- Disaster Planning: What You Need to Protect Your Tech
- Disaster Planning: Backup, Backup, Backup!
- After the Crash: Minimize your Downtime
- Backup and Disaster Recovery in the Cloud
- NIST Computer Security Division, Small Business Information Security: The Fundamentals. Since most nonprofit requirements are similar to small businesses, this publication is a good starting point.
- TechSoup Global. 12 Tips to Being Safer Online. This Safer Internet Guide is designed for nonprofits, charities, and NGOs that rely on the goodwill of their donors, constituents, and community for support, so it is very important that they protect their data and infrastructure. This guide is intended to help you keep it safe.