Who's Knocking at My Firewall Door? Simple Security for the Nonprofit IT Professional
Bruce M. Wolfe, Marin Institute
Security is always changing and evolving. It morphs this way and transmogrifies that way and reveals new cracks in the systems we use each and every day -- from our cellphones to ATMs to voting machines -- providing fertile ground for those with malicious intentions to infiltrate our data and productivity.
How is a CIO or IT manager with limited experience in a low-budget nonprofit to keep up without breaking the bank?
First off, for 2010, there are some security questions you should ask yourself as trends emerge:
- Are robots attacking my servers? (Ro)bots (or spiders) are scripts or applications that search out information on the web. Search engines constantly scour the web for information using this method -- but bots are also used by those nasty folks on the web that like to steal your information or trash your website. They are the basis for most cyber-crime, as they knock on your firewall door or seek your passwords to break into your "secure" portals and websites without any user interaction.
- Where did my month's bandwidth allowance go? Malicious hacking of websites using SQL injections, open ports, poor permissions, etc., leads to malware installation. They get to use your server to meet their profitable needs.
- Is it the wave or my surfboard that is muy mal? Malvertising and toxic web search results will be on the rise. Newbie staffers may keep your day humming and your work queue crashing. Other platforms like Java and Flash could end up being (once again?) the culprits. Maybe it is time to invest in another operating system and migrate now to save your hair and fingernails.
- Am I buying/using the right software? Careful about buying cheap software from unknown sources. They may be infected. Remember the malware scare surrounding free downloads a decade ago? Well, it's back.
- Are my staff members sharing too much information online? Social networking sites are the next and prime targets for cyber do-no-gooders. We recently saw this in the Google/China case where Chinese crackers (bad hackers) broke into activist Gmail accounts.
- Am I hiring the right people? There are reports all over the web that long-term plans for inside jobs may be on the rise. (See http://arunaurl.com/3cd2.) Check your new IT staff or contractors out very well. Getting referrals from known friends and colleagues may be the way to go even if it costs you a few bucks more. For more info, web search for: hacking "inside job". (As of late, the China/Google scandal commandeers at least the first three search pages. Click ahead for more variety.)
- How smart are my phones? Smart for you but dumb enough for the malicious hacker to inject all kinds of bad stuff into. While Windows-based phones are the most vulnerable, the other operating systems may be "light" enough to be affected eventually. It will be interesting to see how Apple's iPhone and Google's Android evolve.
- What's floating in the clouds? A network cloud is just a collection of servers living out on the Internet providing various services -- much like how websites are served from a web server, but in a much larger, scalable fashion. Software as a Service (SaaS) refers to online applications that frequently live on cloud servers; think of your webmail account. The jury is still out on where and what it's evolving into, but be assured: if you're passing vital information constantly over the web to who-knows-where to be processed heavily on the cloud, someone will try to figure out how to 'wiretap' your line.
- Should I click that "OK" button? According to Wikipedia, clickjacking is "a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous Web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function." 'Nuff said.
So, there's plenty to educate yourself on -- but it could take some semesters in studying to get comfortable with them all. Hooking up with a cohort or a group of like-minded folks is a great way not only to learn but to build, gain, and exchange trust with your peers. I have 3 or more people (and discussion boards) I can contact at any time of the day (really!) when trouble arises to get an instant answer. Plus, there is always the trusty search engine.
For many of these issues, good spam/virus filtering is essential. At my organization, we use Zimbra.com's Collaboration Suite Network Edition, which has a good configuration of SpamAssassin. I also use http://Death2Spam.net as an incoming mail filter proxy. In addition, ZCS has a robust access control list (ACL) management system to customize which staff members get access to what on a very granular level. It's fairly reasonable for a nonprofit and works quite well.
But there is an even more basic, fundamental problem that information technology has only recently begun to tackle: passwords. This is the most vulnerable access point for the majority of illicit log-in instances.
Think about it:
You train your staff. You set them up with profiles and temporary passwords already randomly hardened with a combination of numbers, capital letters, and punctuation symbols. After logging in for the first time, they are instructed to change their temporary password.
But, as you make your rounds to check in on how they are doing, you observe a few logging in with their dog's name, the name of the org, the current year and make of their car, or even their birthday -- which can now be seen by millions on Facebook, MySpace, Friendster, Tribe, Twitter, and who knows what other social networking profiles out there!
You might consider moving to OpenID. Many web-based applications and SaaS products are beginning to adopt http://OpenID.net standards. This means your staff have to remember only one cryptic, difficult password to log into many online websites. In fact, the password doesn't even get stored on the website, and there is no way to trace it back. (Yes, if there is keylogger malware that made it into a computer, you could be tracked that way, but this is a viable alternative.)
In addition, if you are a little more concerned, keyed password certificates on a thumb drive could work, too.
If you set up enough monitoring and preventive measures, even if you get a lot of port-knockers, any apparent breach will become very noticeable, thus reducing your time in research (and in psychological therapy due to lack of sleep and excessive anxiety and delusional paranoia) as the culprit pops up on your screen or in an email notification.
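A small script is often all the "monitoring" a one-person IT shop needs to make the port-knockers pop up in that notification. The following is an added example, not code from the article or from any product it mentions: it reads syslog lines in the style of a Linux iptables/UFW "BLOCK" entry, groups blocked packets by source address, and flags any source that either hammers the firewall repeatedly or walks across several ports. The log lines are constructed samples using documentation IP ranges, and the thresholds (`min_hits`, `min_ports`) are assumed defaults to tune for your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a UFW/iptables syslog BLOCK entry;
# not real logs from any organisation. The last line is an unrelated sshd
# entry to show that non-firewall lines are ignored.
SAMPLE_LOG = """\
Jan 12 03:14:01 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=22
Jan 12 03:14:02 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=23
Jan 12 03:14:02 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51236 DPT=80
Jan 12 03:14:03 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51237 DPT=443
Jan 12 03:14:03 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51238 DPT=3306
Jan 12 03:14:04 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51239 DPT=8080
Jan 12 03:20:11 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22
Jan 12 03:20:12 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=22
Jan 12 03:21:09 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=5353
Jan 12 03:22:40 gw sshd[2211]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
"""

# Pull source address, protocol and destination port out of a BLOCK line
LINE_RE = re.compile(
    r"\[UFW BLOCK\].*?SRC=(?P<src>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")


def parse_blocked(lines):
    """Yield (src, proto, dport) for every firewall BLOCK line; skip the rest."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dpt"))


def summarize_knockers(lines, min_hits=5, min_ports=3):
    """Group blocked packets by source. A source is flagged as a port-knocker
    when it reaches min_hits blocked packets OR touches min_ports distinct
    destination ports. Returns {src: {"hits", "ports", "flagged"}}."""
    hits = defaultdict(int)
    ports = defaultdict(set)
    for src, _proto, dport in parse_blocked(lines):
        hits[src] += 1
        ports[src].add(dport)
    summary = {}
    for src in hits:
        flagged = hits[src] >= min_hits or len(ports[src]) >= min_ports
        summary[src] = {"hits": hits[src], "ports": sorted(ports[src]), "flagged": flagged}
    return summary


def build_alert(summary):
    """Format the flagged sources as plain text ready to drop into an email;
    returns an empty string when there is nothing worth waking you up for."""
    flagged = {s: d for s, d in summary.items() if d["flagged"]}
    if not flagged:
        return ""
    out = ["Firewall: sources with suspicious blocked traffic"]
    for src, d in sorted(flagged.items(), key=lambda kv: -kv[1]["hits"]):
        out.append(f"  {src}: {d['hits']} blocked packets, ports "
                   + ", ".join(map(str, d["ports"])))
    return "\n".join(out)


if __name__ == "__main__":
    print(build_alert(summarize_knockers(SAMPLE_LOG.splitlines())) or "nothing to report")
```

Point `summarize_knockers` at the real file (for example by iterating over `/var/log/ufw.log` or whatever your firewall writes) from a cron job, and mail the result of `build_alert` only when it is non-empty; the single blocked multicast packet and the two-try SSH source in the sample stay below the thresholds, while the one address that walked six ports is the one that lands in your inbox.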
There is no real protection anywhere in life. But you can take precautions: educate yourself and use the powerful tools developed by other trustworthy people that have direct meaning and service to your needs.
Live long and prosper.
~ Spock
Bruce M. Wolfe has a master's degree in Social Work with an emphasis on Social Development and is the Chief Information & Technology Officer for http://MarinInstitute.org, an alcohol industry watchdog, and president of vCampaign, Inc., developers of low-budget modern campaign websites. He is a 35+ year practitioner of a variety of martial arts, most of which has been in the Chinese internal school.