The reach and convenience offered by the Internet have opened more doors for charities and non-profit organisations seeking funds to support their causes. Many charities, for example, take credit cards online to accept donations. However, this ability has also made them a target for cyber attacks.
While charities exist to help the disadvantaged, they require the same security controls as large, for-profit enterprises when it comes to safeguarding funds and donor information. TechSoup Global, for example, provides a good lesson in non-profit security. It offers non-governmental, non-profit and community-based organisations as well as libraries the professional hardware, software, and services they need for their IT functions. To fund this effort, TechSoup Global takes donations from large companies and individuals mainly through Web applications. These donations are often processed through credit cards, which require it to be Payment Card Industry (PCI) compliant.
While TechSoup Global's IT infrastructure resembles that of most organisations, its available security resources are far thinner. Further, its security strategy over-emphasised traditional perimeter and desktop defences, leaving its applications, and the valuable data they handle, vulnerable.
In addition to complying with PCI, vendors donating products to TechSoup Global, such as Microsoft, Adobe and Intuit, also mandated data protection policies and standards. Richard Collins, senior director of information systems security at TechSoup Global, explained the challenge: "We have a responsibility to protect the data for our vendors, partners, clients and employees, as well as the system. It becomes an ecosystem that goes beyond your organisation, and it is really important to make sure the downstream components are protected and are compliant as well. I think the bigger vendors are really realising that and taking that responsibility seriously now."
Recently, TechSoup Global experienced an attempted breach of its applications aimed at stealing data. Although the attempt was not successful, the main website was down for two days while the organisation located the vulnerability and fixed it.
What can non-profits learn from this experience?
Lesson 1: Protect at the application layer
Charities have to overcome a widespread misconception that network security is sufficient. Many feel that because they have network firewalls, intrusion prevention systems (IPS), anti-virus and/or virtual private networks, these should suffice. This strategy leaves a gaping hole.
Why? None of these technologies can adequately defend against attacks on websites and Web applications, such as SQL injection, cross-site scripting and session hijacking. Perimeter technologies operate at the network layer, not the application layer: they can examine packet and HTTP headers, but they do not parse the HTML, form fields or URL parameters of a request. A request carrying injected SQL or script is therefore indistinguishable, at that layer, from a legitimate one, so these technologies cannot detect the injection of malicious input to steal information. As Collins explained: "You definitely have to secure it at multiple levels, because once the attackers get through that network layer, there is really nothing to stop them. And so you really have to think of it as an ecosystem and really protect all the layers in the architecture stack."
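To make the application-layer point concrete, here is an added example (not code from the article or from TechSoup Global) of a donor lookup in a hypothetical charity Web application, written first with string concatenation and then with a parameterised query. Both versions receive exactly the same well-formed HTTP request; the difference in outcome is only visible inside the application. Table and donor data are constructed for the example.

```python
import sqlite3

# Constructed sample donor table for a hypothetical charity Web application.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE donors (email TEXT, name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO donors VALUES (?, ?, ?)", [
        ("alice@example.org", "Alice", "4242"),
        ("bob@example.org", "Bob", "1111"),
    ])
    return conn

def lookup_donor_vulnerable(conn, email):
    # The submitted value is spliced into the SQL text, so it becomes part of
    # the query grammar rather than data; a crafted value changes the WHERE clause.
    sql = "SELECT name, card_last4 FROM donors WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_donor_safe(conn, email):
    # Parameterised query: the driver binds the value as data, so whatever the
    # field contains, it can only ever be compared against the email column.
    sql = "SELECT name, card_last4 FROM donors WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def demo():
    conn = setup_db()
    normal = "alice@example.org"
    # A value a donor form might receive. At the network layer this is just an
    # ordinary POST body string; only the application can tell the two apart.
    crafted = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_donor_vulnerable(conn, normal),
        "vuln_crafted": lookup_donor_vulnerable(conn, crafted),   # leaks every row
        "safe_normal": lookup_donor_safe(conn, normal),
        "safe_crafted": lookup_donor_safe(conn, crafted),         # matches nothing
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The firewall and IPS in the text see an identical, valid HTTP request in both runs; the control that actually closes the hole is the parameterised query inside the application.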