Getting Started

Securing your organization starts with you.

1. Get organized → be aware of what you have
2. Get safe → take steps to fix any gaps

Get Organized

to arrange one's things or one's affairs so they can be dealt with effectively ~Merriam-Webster.com

Understand your resources

Quantify exactly what your organization uses.

• How many servers / services host your data?  Which ones are in the cloud?
• How many devices does your org own?
• How many personal devices do you / your peers use?

Know your peers and the org

Quantify exactly who your organization is, and any people or services you work with.

• How many people (employees, contractors, volunteers, etc) can access your sites and services?
• What level of access to these people have?  Do you have formal employment contracts in place with everyone?
• Do you have contact info for all software and services you use?  What other vendors or contractors do you work with?
• Have you planned for someone going rogue?  Can any one person / action take down your entire company?

Know your data

Building on Module 3: Data Security & Privacy - we need to quantify exactly what your organization has.  

Especially if you are holding Personally Identifiable Information, or other sensitive data, you'll want to quantify exactly where this data lives and who can access it.

• Do you store PII? Payment Card Info?
• What country / countries is your data stored in?
• Do you have backups of this data? How frequently do they occur?  Who can access these?

Document everything

Document, document, document.  Everything you record from the questions you asked yourself above needs to be recorded, and needs to be kept fresh. 

• Write down all responses and track it in a central location
• Have monthly / quarterly / annual reminders to update these information sources
• Keep separate passwords for everything (remember Module 2: Passwords, Credentials, Keys?).
• Use a password safe to keep accurate records of changes and maintain control over your access.

Get Safe

1:  a precautionary measure, stipulation, or device
2:  a technical contrivance to prevent accident
~Merriam-Webster.com

Using the information from Get Organized, you'll undoubtedly have many gaps to fill.  Be proactive in tackling these issues to save heartache later on.  Ask yourself a few questions to get started.

Email clients and services

Email is one of the original and most pervasive methods of communications.  As such, it provides attackers one of the most reliable ways into your company. 

• Do you run your own email server? Why are you still running your own email server?!
• Does your mail provider provide attachment scanning?  Can you block certain attachment types?
• Does your mail provider filter out spam and other malicious things?
• How many mailing lists and addresses do you have?  Why are there so many? What are they for?
• Can your org be "spoofed"? Can send email on behalf of you or your company?
• Is your email server "open"? Can other organizations send their mail through your server?

Web servers and hosting services

Everything is now on the web.  It is your organization's lifeblood, but of course attackers will use that against you too.  They even use it themselves for their own tools!

• What sites do you have and where?
  • Who has access to make domain name changes? Billing and other admin functions?
  • What type of data is your site hosting or collecting?
  • Do you have a staging environment?
• How is this site maintained?
  • Who has access to your web server or blog admin panels? Can you access this from anywhere?
  • If you use a framework (Wordpress, Magenta, etc), when was it last updated?
  • Do you have any analytics or logs?  Backups?

Content, collaboration and other online services 

Find out more about your company's various online services.  From Gmail and Outlook.com, to GoDaddy to Wix, to Bitbucket and Github, and everything in between... nearly everything can and will be used against you.

• Have an evaluation plan to compare things
  • What's free versus enterprise / business class counterparts?  Do they have a NFP / NGO license?
  • Leverage your networks for reviews and experiences
  • Do you have data sovereignty? Can you download / delete your data from this service?
• What security features can you use?
  • Two Factor Authentication (2FA), IP Access Lists, download / export restrictions?
  • Privilege levels? Authentication options?
  • Restrict sharing for outside users?  Other restrictions...?
• Enable Notifications
  • Get SMS alerts for new registrations and account configuration changes
  • Get email or other confirmation for logins from strange locations
  • Label, mark, and/or save these to an archive folder (even if you can't / won't read them)

Securing your org 

Whether it's to help build that beautiful website, convert that database into simple spreadsheets, or whatever the task - you're going to need some help along the way.  

And even if you can do it all... eventually you'll need that help anyhow in order to scale your organization.

• Have you controlled access to your various tools and services?
  • Use differentiated access. Different employees should get access most appropriate to their job function.
  • Avoid shared accounts.  If you have to use them, put them in a shared password safe.
  • Avoid sharing major secrets or personal issues in company chats and other semi-public forums.  Especially not passwords and other keys.
• How does your org work online?
  • Google yourself; Google your company. See what you come back with.  Is it what you expected?
  • Have social media / employee conduct policy or discussions. Control access tightly to your social media accounts.
  • Have an on-boarding and off-boarding process.  Make sure accounts can be closed or access revoked if someone leaves.
  • Be careful deleting things and the perception it raises. Nearly everything is permanent on the Internet.
  • Be honest whenever you can. Whether it's with staff, supporters, customers etc. honesty will usually fair best.
• Do you have pervasive security awareness, supportive culture, and stakeholder buy-in?

For Example

Let's imagine...

Attacker Compromise

Below you can see an attacker targeting our organization.

1. The attacker runs a bit of code against our blog's contact form function
2. The code lets the attacker do several things:
   1. retrieve data from the blog's database
   2. upload, download or modify any file they wish
3. The attacker uses both information and access from the blog to target employees
4. They send a targeted email or spear-phish to a single employee with an infected file
5. This file is specially crafted to look like a normal payroll update
   1. It is based on information the attacker uncovered
   2. The file also can be uploaded back to the blog or another site to make it even more believable

Employee gets compromised

Next, you'll see the employee fall victim to the attack

1. Our employee receives the email, which appears to be a link to a paystub and a request to update their info
2. The link downloads what looks like a spreadsheet.
3. The file opens using Excel, but it also contains some extra code which requests permission to run
4. The code runs and opens a simple program like Calculator to demonstrate that the attacker has executed a program on your computer
5. Here, we're doing something innocuous such as opening the Calculator app on your computer, but a more skilled attacker or tool will be stealthier and do much more.