With the amount of stuff published in the public domain one could be forgiven for thinking that society had given up the notion of ‘private’. Share and share alike seems to be the norm, to the extent that it has become tricky to determine just what is to be kept private. And that which is to be kept private of course seems to have become the target for hackers in a never-ending quest which one might suppose is to make all data public domain. I suppose it’s a point of view.
In the interim before we reach this dystopia it may be worth giving a thought to what information assets your charity would like to keep private. And before anyone says “charities don’t have any private data” you might want to gather your chief execs, your trustees, your staff, and your supporters around the table and apply the ‘what if we left this on a train’ test to a few select items of information. Full rules of the game are available from a colleague in the CSF. But don’t tell anyone.
Back in the day it was the practice of system administrators to grant every new user account supervisor rights. That way they could guarantee that it wasn’t the network or these new-fangled file permissions that was causing the software application to fail. The diligent administrators would carefully allocate time to go back and work with the developers to remove layers of access from said user accounts until the application would work without the user being burdened with an account that could wreak as much havoc across the network as an untrained sysadmin.
Those days, or to be more accurate, that attitude, is still apparent in many organisations. Giving ‘admin rights’ to a user is a practice that is still prevalent, mainly one suspects because it makes the job of the IT department (or IT guy) that much easier – in the short term. And surprisingly there is still software around that won’t run unless operating under a privileged account.
This is the simple stuff. If you want to complete the audit you should check how much server software runs in the admin account, or worse still in the named account of your sysadmin. Let’s hope they don’t leave. Let that practice of escalated privilege become common knowledge and you’ve made it one step easier for unwelcome guests, or disgruntled employees, to run riot with your systems, your files and your data. Lock it, or lose it.
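One way to run the audit the column describes, as an added example rather than anything from the original piece: the service rows and staff roster below are constructed, and every account and service name is a placeholder.

```python
"""Audit which account each piece of server software runs under.

Added example, not part of the original column. SAMPLE_ROWS is
constructed and stands in for the output of
`Get-CimInstance Win32_Service | Select-Object Name, StartName`
(Windows) or `ps -eo user,comm` (Linux) gathered into one table.
"""
from dataclasses import dataclass

# Built-in accounts with full control of the host (compared after
# stripping any DOMAIN\ prefix; "system" covers NT AUTHORITY\SYSTEM).
PRIVILEGED_ACCOUNTS = {"root", "administrator", "localsystem", "system"}

@dataclass(frozen=True)
class Finding:
    service: str
    account: str
    reason: str

def normalise(account: str) -> str:
    """Drop a DOMAIN\\ or host\\ prefix and lower-case for comparison."""
    return account.rsplit("\\", 1)[-1].strip().lower()

def audit_services(rows, staff_accounts):
    """Flag services running as a built-in admin or as a named person
    (the 'let's hope they don't leave' case); dedicated low-privilege
    service accounts pass."""
    staff = {normalise(a) for a in staff_accounts}
    findings = []
    for service, account in rows:
        acct = normalise(account)
        if acct in PRIVILEGED_ACCOUNTS:
            findings.append(Finding(service, account, "built-in admin account"))
        elif acct in staff:
            findings.append(Finding(service, account, "named staff member's account"))
    return findings

# Constructed sample data; account and service names are placeholders.
SAMPLE_ROWS = [
    ("DonationsWeb", "CHARITY\\svc_donations"),  # dedicated service account
    ("NightlyBackup", "CHARITY\\jsmith"),        # the sysadmin's own login
    ("FinanceDB", "LocalSystem"),                # built-in admin
    ("mailrelay", "root"),                       # built-in admin
    ("nginx", "www-data"),                       # low-privilege account
]
STAFF_ACCOUNTS = ["CHARITY\\jsmith", "CHARITY\\achen"]

if __name__ == "__main__":
    for f in audit_services(SAMPLE_ROWS, STAFF_ACCOUNTS):
        print(f"{f.service:14} {f.account:24} {f.reason}")
```

Feed it the real service list and the real staff roster and the findings are the items to fix first: move them onto dedicated service accounts with only the rights they need.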
What’s the easiest way to get someone’s password? Hack their PC? Exfiltrate the user database?
Nope, much easier. Just ask them.
No matter how many times tech support staff are told never to ask for a user’s password, it still happens. It’s like no-one can help themselves and the ability to masquerade as an unsuspecting user is the divine right of service desk analysts everywhere. It’s not that it’s a cardinal sin (although certainly very bad practice and an indication of lazy processes), nope, it’s more that it opens the door to what becomes ‘acceptable’.
So when Mr Bad Guy phones one of your users it’s a cast iron certainty that he’ll say he’s from your IT department before proceeding to ask for their password – and probably for their mother’s maiden name, their bank card number, their PIN code, and the name of their favourite song to boot. You’d sort of hope that your users will be so well aware of your infosec policies that they’ll smell a rat and put the phone down. But remember it’s your credibility that’s being degraded, and your users that are being exploited. Just say no.
It takes about six days for folks to realise the enormity of the problem. So imagine a disaster, say, like the tsunami in 2004, or perhaps Hurricane Katrina. For many charities engaged in humanitarian work the need to mobilise, and mobilise quickly, in the face of such enormous natural disasters requires funds. And the human need to support such work results in the generous and unconditional gifting of those funds. So back to the six days. That tends to be the time period after which folks want to respond, usually with monetary help. Your charity probably knows this and will gear up to expect this, but the bad guys know it too and you should also be prepared to expect a higher than usual proportion of phishing and scam emails being pumped through the internet. Even perhaps spoof websites mimicking the online donations page of a real charity. You may not see these undercover attempts to milk human kindness but you should be aware of the problem and consider how you might monitor the unscrupulous use of the good name of your organisation.
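A starting point for the monitoring the paragraph asks for, added here and not from the original column: a small checker that flags domains resembling the charity's own. LEGIT_DOMAIN is a placeholder and the OBSERVED list is constructed; the heuristics (other TLD, digit homoglyphs, padded names, two-edit typos) are assumptions about what a lookalike tends to look like, so its output is a list to review, not a verdict.

```python
"""Spot domains that look like the charity's, for manual review.
Added example, not from the original column: LEGIT_DOMAIN is a
placeholder and OBSERVED is constructed in place of a real
certificate-transparency or new-registration feed."""
LEGIT_DOMAIN = "examplecharity.org"

# Digits commonly swapped for letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, legit=LEGIT_DOMAIN):
    """Return why `domain` resembles `legit`, or None if it does not."""
    domain = domain.lower()
    if domain == legit or domain.endswith("." + legit):
        return None  # our own domain or one of its subdomains
    brand = legit.split(".")[0]
    labels = domain.translate(HOMOGLYPHS).split(".")[:-1]  # drop the TLD
    if brand in labels:
        return "our name on another TLD or with digit homoglyphs"
    if any(brand in lab for lab in labels):
        return "our name padded with extra words"
    if min((levenshtein(lab, brand) for lab in labels), default=99) <= 2:
        return "within two edits of our name"
    return None

def review(observed, legit=LEGIT_DOMAIN):
    """Map each suspicious domain to the reason it was flagged."""
    return {d: r for d in observed if (r := classify(d, legit))}

# Constructed feed of newly seen domains.
OBSERVED = [
    "examplecharity.org", "donate.examplecharity.org",   # ours
    "examplecharity.com", "examp1echarity.org",           # TLD swap, digit 1 for l
    "examplecharity-tsunami-appeal.org",                  # name plus appeal words
    "exanplecharity.org", "anotherorg.org",               # typo, unrelated
]

if __name__ == "__main__":
    for domain, reason in review(OBSERVED).items():
        print(f"{domain:36} {reason}")
```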
Back in the bad old days the infosec pro would be facing adversaries who would attempt to disrupt and destroy our systems and our data by writing malicious code in the shape of viruses and worms. There’s a distinct difference between the two that’s worth understanding if only because one of them needs the complicit assistance of our other arch-enemy, the user. It might be fair to say that double-clicking an attachment in an email needs to be classified as the eighth deadly sin. It’s been popular to assume that viruses are dead, and that the majority of damage to data occurs from deliberate hacks. So antivirus software likewise is seen to be in decline. But spare a moment’s thought for the re-invention of the virus. Some folks have seen viruses capable of cryptographically denying access to all the files on a disk and demanding a fee to unlock said files. This ‘ransomware’ may be enough to make you think twice about canning your antivirus subscription, or redoubling your infosec awareness campaign. Viruses, like their biological counterpart, need human interaction to spread. So whatever you do, don’t click that attach… K)*Y&^G++.