There was a little chaos, a lot of learning, and much success.
3.) Ensure strong password creation
Any platform that does not allow developers to help users set up strong passwords, and to ensure those passwords are handled securely, is not an appropriate choice. Sessions, as convenient as they may be, really need to have an end. Any other element that accepts input, or any type of file, also needs to be hardened against malicious code.
If your website has a section to log in or sign up for something, you need to make sure that it is not an easily accessed source of information. Exposed email addresses and other details give hackers ready avenues for things like phishing, among other tactics.
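The two points above (strong passwords handled securely, sessions that end, and a login that does not reveal which accounts exist) can be seen together in a small example. This is added illustration, not code from Cleveland GiveCamp or from any platform named on the page; the user store, the common-password list and the 15-minute idle timeout are constructed assumptions, and the password hash uses Python's standard-library scrypt.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-in for a real breached/common-password list (assumption)
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12
SESSION_LIFETIME = 15 * 60  # idle seconds before a session ends (assumed policy)


def password_problems(password, username):
    """Return the reasons a proposed password is rejected; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password, salt=None):
    """Derive a slow, salted hash with scrypt. Only the salt and digest are stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


# Constructed in-memory user store: username -> (salt, digest)
USERS = {}
# Dummy credentials used for unknown users, so a login attempt costs the same
# whether or not the account exists
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(16))


def register(username, password):
    """Create an account only if the password passes the policy checks."""
    problems = password_problems(password, username)
    if problems:
        return False, problems
    USERS[username] = hash_password(password)
    return True, []


SESSIONS = {}  # session token -> (username, last_seen)


def login(username, password, now=None):
    """Verify credentials and return a session token, or None.

    An unknown user and a wrong password produce the identical result, and the
    hash is computed in both cases, so the response does not reveal which
    usernames exist.
    """
    now = time.time() if now is None else now
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    _, candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    if not ok:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, now)
    return token


def session_user(token, now=None):
    """Return the user behind a live session; sessions idle too long are removed."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, last_seen = entry
    if now - last_seen > SESSION_LIFETIME:
        del SESSIONS[token]
        return None
    SESSIONS[token] = (username, now)
    return username
```

The `now` parameter exists only so that expiry can be exercised without waiting; a real application would use the clock. Rate limiting of login attempts is a separate control and is not shown here.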
4.) Check third-party elements
Every third-party component, such as those for data storage and payment processes, should be looked at in terms of how it handles users’ PII and any form-filled information given. Make sure to look into data storage practices: Do they retain it? Is users’ data encrypted at rest? For instance, is there a compelling need for women connected to a battered women’s shelter to have any of their data held by a third party and unencrypted?
PCI compliance is only a beginning. There can be other indicators regarding corporate attitude. Is the organization’s marketing page up-to-date? If their last reference was back in 2014, does this mean they’re just unmotivated to make updates? A business lacking the ambition to make their front-facing information current is unlikely to be keeping up with their behind-the-scenes security issues.
Organizations should also keep in mind that promises made in the Terms of Service, or elsewhere regarding whether data will be shared, are always subject to change. Given these uncertainties, it should go without saying that the nonprofit should establish at the start what information is necessary to do their work (liability becomes a big issue in this area). Overall risk assessment should go beyond technical security controls and take in the big picture.
5.) Maintain consistent transport protocols
Transport protocols need to be secure and consistent. Best practice is to encrypt all traffic to a website using TLS. With free Let’s Encrypt certificates, this shouldn’t be an exceptional burden. Any content management system that makes it one, or charges a lot of money to do it, should ring some warning bells.
Code comments should also be checked for information that could be useful to an attacker. For the same reason, a web-facing app shouldn’t return error messages containing details that a normal user would never find helpful.
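As an added example of the two points in this section, not code from Cleveland GiveCamp or any CMS it mentions, the function below sits in front of an application's request handlers: it sends plain HTTP to HTTPS, marks secure responses with HSTS, and replaces any unhandled exception with a generic message that carries only a reference id while the full details go to the server log. The request and handler shapes, the host name and the failing handler are constructed for illustration.

```python
import logging
import secrets
import traceback

log = logging.getLogger("webapp")

# One year, including subdomains, is a common HSTS policy (assumed here)
HSTS = "max-age=31536000; includeSubDomains"


def dispatch(method, scheme, host, path, handler):
    """Front-door handling for one request; returns (status, headers, body).

    Requests over plain HTTP are redirected to the HTTPS equivalent. On HTTPS,
    the handler runs; an unhandled exception becomes a generic 500 whose body
    contains nothing but a reference id, and the stack trace is logged server-side.
    """
    if scheme != "https":
        # 308 preserves the method, unlike 301/302 which may turn POST into GET
        return 308, {"Location": "https://%s%s" % (host, path)}, ""

    headers = {
        "Strict-Transport-Security": HSTS,
        "Content-Type": "text/plain",
        "X-Content-Type-Options": "nosniff",
    }
    try:
        status, body = handler(method, path)
    except Exception:
        # The user gets an id to quote to support; the operator gets the details
        incident_id = secrets.token_hex(8)
        log.error("incident %s on %s %s\n%s", incident_id, method, path,
                  traceback.format_exc())
        status = 500
        body = "Something went wrong. Reference: %s" % incident_id
    return status, headers, body


def donor_lookup(method, path):
    """Constructed handler that fails with an internal detail in the message,
    the kind of text that must never reach the browser."""
    if path.startswith("/donor/"):
        raise RuntimeError("connection to db-internal.example.local refused")
    return 200, "ok"
```

Returning the id in the body, and nothing else, is the point: the person who saw the error can still be helped, but the internal host name, query text or stack trace stays in the log.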
6.) Engage penetration testing
Time waits for no one, not even code. Maintenance is another issue that needs to be planned for. Cleveland GiveCamp had training sessions on how to use WordPress and on basic security hygiene over the weekend. Developers and nonprofits also had the chance to experiment in a lab environment set up with pen testing tools, in order to better understand how easily an aging vulnerability can be exploited.
Of course, web applications are not the only way for someone with malicious intent to create chaos. A grant was received that enabled one of the organizations to have a more extensive pen test done, and the hope is to expand this for next year. If a nonprofit’s web app has been hardened against any possible misuse, but the devices on its network have weak security, it is a bit like wearing a raincoat that consists only of gloves.
Get proactive with a strategic, systematic approach to security
All of this can seem like a lot for a nonprofit to handle on top of all of the other work that they do. However, best security practices really need to become as standard as making sure all windows and doors are closed and locked at night. With a thoughtful and systematic approach to security, plus a bit of help from technical people like us, nonprofits at Cleveland GiveCamp can make it a little harder for the hackers to get in and a lot better for furthering their mission.