Our resident cyber security guru Paul Rubens has put together this educational resource for charities looking to test their cyber security systems.
Cyber criminals are known to target charities because they are seen as easy targets, so effective cyber security systems are essential to reduce the risk of falling victim to an attack. But this raises an awkward question for charities: how do you know whether your cyber security setup is actually effective?
The answer is simple: test it. The most effective way to do that is to use the same techniques cyber criminals use to break into a network, and see whether you succeed. If you do, a cyber criminal will too, and that means your security measures are not good enough.
1.) Test your desktop security software
Desktop security software, often still called anti-virus software although it now does far more than scan for viruses, is a key line of defence against malicious software and cyber criminal attacks. Cyber criminals use malicious software to steal logins and passwords that give them access to charity bank accounts and to databases holding supporter details, including card payment information, or to encrypt computer systems and then demand a ransom payment to decrypt them. Desktop security software also plays a key role in detecting when users visit fraudulent phishing sites or open emails containing links to them.
So it is very important to test your desktop security software to check that it is actually working (and has not been disabled or uninstalled, whether by mistake or by other malicious software). An easy way to do this is with the Anti-Malware Testing Standards Organization (AMTSO) Security Features Check (SFC) tools, which safely simulate the kinds of threat the software should catch, such as downloading a harmless test file or visiting a known test phishing page, and let you see whether it reacts.
Click on the links below to verify if your desktop security software:
2.) Carry out a port scan before a cyber criminal does
The first step in many cyber attacks is a procedure known as a port scan. This probes your charity's internet connection - and the firewall behind it, which is designed to keep cyber criminals out - to discover which network ports accept connections from the outside. Every open port corresponds to a service (a web server, a mail server, a remote-access service and so on) that anyone on the internet can reach, and any service a criminal can reach is something they can try to break into.
Some ports are meant to be open, for example to allow email, web traffic or a staff VPN into your network. But ports that have been left open inadvertently, often exposing a service nobody realised was reachable from the internet, are a needless risk.
An easy way to find out whether any ports have been left open unnecessarily is to use a service such as ShieldsUp, run by Gibson Research Corporation. It carries out a port scan from the internet: it probes your firewall and reports which ports, if any, are open.
Visit ShieldsUp using a web browser, review the security notices on the site and then click Proceed. Then click "Common Ports" for a quick scan of commonly used ports, or "All Service Ports" for a more comprehensive scan. Note that ShieldsUp scans the public address your browser connects from, so run it from the office connection with any VPN switched off; it sees only what is exposed to the internet, not what is open inside your network.
Some ports are likely to be open on purpose, but once you have the results of a port scan you can check online or consult an IT expert to see whether any are open unnecessarily. Your charity's firewall can then be reconfigured to close any unneeded ports, and it is worth repeating the scan afterwards to confirm that they really are closed.
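To show what a port scan actually does and how the results are turned into findings, here is a small example added for this article (it is not code from ShieldsUp or any other product). It performs the simplest kind of scan, a TCP connect scan, against a host and then reports any open port that is not on an allow-list of services you intend to expose. Because a real scan of someone else's systems needs their permission, the demo function opens a throwaway listening socket on 127.0.0.1 to stand in for a service somebody left exposed; the port number it picks and the allow-list are constructed for the example.

```python
"""TCP connect scan plus an "is this port meant to be open?" check.

Added example for this article, not part of ShieldsUp or any other tool.
Only ever scan addresses you own or have written permission to test.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def is_open(host, port, timeout=0.5):
    """True if a TCP handshake to host:port completes, i.e. the port is open.

    connect_ex returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise,
    so a closed port never raises; a filtered port simply times out.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host, ports, workers=50):
    """TCP connect scan: return the sorted list of open ports among `ports`."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, is_open(host, p)), ports))
    return sorted(p for p, open_ in results if open_)


def unexpected_ports(open_ports, allowed):
    """Open ports that are not on the allow-list: each one is a finding to review."""
    return sorted(set(open_ports) - set(allowed))


def start_listener(host="127.0.0.1"):
    """Open a throwaway listening socket so the scan has something real to find.

    This stands in for a service left exposed by mistake (constructed for the
    example). Port 0 asks the OS for any free port; the bound port is returned.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo(allowed=()):
    """Scan a window of ports around a local test listener and return the findings."""
    srv, port = start_listener()
    try:
        window = range(max(1, port - 5), port + 6)
        open_ports = scan("127.0.0.1", window)
        return {
            "listener": port,
            "open": open_ports,
            "unexpected": unexpected_ports(open_ports, allowed),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    result = demo()
    print("listener on port", result["listener"])
    print("open ports:", result["open"])
    print("open but not on the allow-list:", result["unexpected"])
```

Against a real internet-facing address the interesting output is the `unexpected` list: anything in it is either a service you forgot about or a firewall rule that needs tightening. A connect scan only covers TCP; UDP services (DNS, VPN endpoints) need a separate probe, which is one reason a dedicated scanner such as Nmap is preferable for anything beyond a quick check.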
3.) Do network reconnaissance
If a cyber criminal manages to get into your network, the first thing they are likely to do is carry out network reconnaissance. This means trying to establish what computer systems are on your network, what operating systems they are running, which services they expose and what their network addresses are. This allows them to work out which systems to target to find databases and other troves of valuable digital information.
A useful tool for carrying out reconnaissance of your own network is Zenmap, the graphical front end to the Nmap network scanner. It is fairly easy to use, and it lists every machine it finds along with its open ports and, where it can tell, the operating system it is running. Results can be saved in Nmap's XML format for later comparison.
At a very basic level, Zenmap could help you find computers on your network that you may not be aware of – for example a laptop owned by a staff member – that are running Windows 7. Since Windows 7 no longer receives security updates from Microsoft, such a machine represents a security risk that a cyber criminal who came across it on your network could exploit. Comparing each scan against your list of known, managed devices turns this into a routine check for anything unexpected.
Read the Zenmap User's Guide and carry out a scan of your own network. Only ever scan networks you own or have written permission to test.
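Zenmap saves its results as Nmap XML (the same output `nmap -oX` produces). The example below, added for this article and not part of Nmap or Zenmap, parses such a file, lists every live host with its best OS guess and open TCP ports, and flags the two things the section above says to chase up: hosts that are not in the asset inventory, and hosts whose fingerprint matches an operating system that no longer receives security updates. The XML, the address range, the inventory set and the end-of-life markers are all constructed for the example.

```python
"""Triage an Nmap/Zenmap XML scan against an asset inventory.

Added example for this article; not part of Nmap or Zenmap.
SAMPLE_XML is a constructed scan of a made-up 192.168.10.0/24 network.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -sS -O -oX scan.xml 192.168.10.0/24">
  <host><status state="up"/>
    <address addr="192.168.10.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:01" addrtype="mac" vendor="ExampleRouter"/>
    <hostnames><hostname name="gateway.charity.lan" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports>
    <os><osmatch name="Linux 5.4 - 5.10" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.168.10.20" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver.charity.lan" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <os><osmatch name="Microsoft Windows Server 2019" accuracy="93"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.168.10.57" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:57" addrtype="mac"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7 SP1" accuracy="97"/></os>
  </host>
  <host><status state="down"/><address addr="192.168.10.99" addrtype="ipv4"/></host>
</nmaprun>
"""

# Devices IT knows about and manages (constructed). A live host missing from
# this set is the "laptop nobody told us about" case.
INVENTORY = {"192.168.10.1", "192.168.10.20"}

# Substrings of Nmap OS matches that mean the platform is out of support.
# Windows 7 left support in January 2020 (paid extended updates ended January 2023).
END_OF_LIFE_MARKERS = ("Windows 7", "Windows XP", "Windows Server 2008")


def parse_hosts(xml_text):
    """Return one dict per host that Nmap reported as up."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        ipv4 = h.find("address[@addrtype='ipv4']")
        mac = h.find("address[@addrtype='mac']")
        name = h.find("hostnames/hostname")
        # Nmap may list several OS matches; keep the one it is most confident in.
        best = max(h.iter("osmatch"), key=lambda m: int(m.get("accuracy", 0)), default=None)
        hosts.append({
            "ip": ipv4.get("addr") if ipv4 is not None else None,
            "mac": mac.get("addr") if mac is not None else None,
            "name": name.get("name") if name is not None else None,
            "os": best.get("name") if best is not None else "unknown",
            "open_tcp": sorted(
                int(p.get("portid")) for p in h.iter("port")
                if p.get("protocol") == "tcp" and p.find("state").get("state") == "open"
            ),
        })
    return hosts


def triage(hosts, inventory, eol_markers=END_OF_LIFE_MARKERS):
    """Return (ip, [reasons]) for every live host that needs a follow-up."""
    findings = []
    for host in hosts:
        reasons = []
        if host["ip"] not in inventory:
            reasons.append("not in asset inventory")
        if any(marker in host["os"] for marker in eol_markers):
            reasons.append("end-of-life OS: " + host["os"])
        if reasons:
            findings.append((host["ip"], reasons))
    return findings


if __name__ == "__main__":
    for ip, reasons in triage(parse_hosts(SAMPLE_XML), INVENTORY):
        print(ip, "->", "; ".join(reasons))
```

In the constructed scan the router and file server are known and supported, so the only finding is 192.168.10.57: an unlisted machine with file sharing and Remote Desktop open, fingerprinted as Windows 7. Nmap's OS detection is a best guess, so treat the "end-of-life" flag as a prompt to log in and confirm, not as proof.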
4.) Scan for vulnerabilities
One of the most common reasons a charity falls victim to a cyber attack is that it is running software with a known vulnerability that cyber criminals can easily exploit. Software updates usually fix known vulnerabilities, so the window of exposure runs from the moment a vulnerability becomes public until the moment the update is installed, and criminals actively scan for newly disclosed flaws. That is why it is essential to install updates for all your software as promptly as possible.
An easy way to find out whether your charity has overlooked any security fixes is to run a vulnerability scanner. This type of tool searches your network for computers running software with known vulnerabilities, including missing patches and insecure configurations, and alerts you to any it finds. Give the scanner credentials to log in to the machines where you can: an authenticated scan sees installed software versions directly and finds far more than one that only probes from the network.
Good commercial vulnerability scanners include Tenable Nessus, Qualys Vulnerability Management and Rapid7 InsightVM. Scans should be carried out regularly, and especially whenever new software is installed or significant changes are made to your IT infrastructure; findings should be tracked until the fix is confirmed by a rescan.
Try out Tenable Nessus free for 7 days by registering for a trial licence (Nessus Essentials, which is free for up to 16 IP addresses, may be enough for a small charity).
5.) Detect unauthorized Wi-Fi access points
All it takes is one staff member plugging a Wi-Fi access point into your network – perhaps so that they can connect their smartphone to the internet – and your charity's cyber security is seriously undermined. That is because such a "rogue access point" lets cyber criminals on to your internal network from the car park or the street, without having to find a way in through your firewall, and it is typically set up with a weak or no password.
The usual tool for detecting rogue access points is a Wi-Fi stumbler (also called a Wi-Fi scanner). It listens on the airwaves and reports every access point it hears, including ones configured to hide their network name, along with each one's hardware address (BSSID), channel, signal strength and security type. Bear in mind that it will also hear your neighbours' networks: what makes an access point "rogue" is that it is plugged into your network, which a stumbler cannot see, so an unknown device needs to be traced to a switch port or DHCP lease to confirm it.
Install a stumbler such as NetSpot, Wi-Fi Scanner or inSSIDer on a laptop and walk around your offices to see whether it detects access points you did not install; a strong signal suggests the device is inside your building. Compare what it finds against your list of authorised access points, and pay particular attention to any unknown device broadcasting your own network name, which may be an impostor set up to capture staff credentials. It is also sensible to ensure that all staff are aware of the security risks that installing their own Wi-Fi access point could pose.
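Most stumblers can export what they hear as a CSV listing of network name, BSSID, channel, signal and security. The example below, added for this article and not part of NetSpot, inSSIDer or any other product, shows how to turn such an export into a short list of things worth walking over to with a laptop: an unknown radio broadcasting your own network name, a hidden network that is loud enough to be inside the building, any other unknown but strong access point, and an authorised access point left open or on WEP. The CSV, the authorised BSSID list, the network names and the signal threshold are all constructed for the example; whether a flagged device is actually on your wired network still has to be confirmed at the switch.

```python
"""Triage a Wi-Fi survey export against the list of authorised access points.

Added example for this article; not part of any stumbler product.
SURVEY_CSV is a constructed export, not a real survey.
"""
import csv
import io

SURVEY_CSV = """ssid,bssid,channel,signal_dbm,security
CharityWiFi,AA:BB:CC:00:01:01,6,-45,WPA2
CharityWiFi,AA:BB:CC:00:01:02,11,-52,WPA2
CharityWiFi,DE:AD:BE:EF:00:01,6,-38,Open
,DE:AD:BE:EF:00:02,1,-41,WPA2
Cafe_Guest,12:34:56:78:9A:BC,11,-78,Open
TP-LINK_5F2A,50:C7:BF:00:5F:2A,9,-40,WPA2
"""

# Radios IT actually installed, by BSSID (constructed). The network name alone
# is not enough: anyone can broadcast "CharityWiFi".
AUTHORISED_BSSIDS = {"AA:BB:CC:00:01:01", "AA:BB:CC:00:01:02"}
CORPORATE_SSIDS = {"CharityWiFi"}

# Signal stronger than this (closer to 0) usually means the radio is inside
# the building rather than next door. Tune it to your premises.
STRONG_SIGNAL_DBM = -60


def parse_survey(csv_text):
    """Parse a stumbler CSV export into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "ssid": r["ssid"],
            "bssid": r["bssid"].upper(),
            "channel": int(r["channel"]),
            "signal_dbm": int(r["signal_dbm"]),
            "security": r["security"],
        })
    return rows


def triage(rows, authorised, corporate_ssids, strong=STRONG_SIGNAL_DBM):
    """Return (bssid, reason) for every access point that needs a closer look."""
    findings = []
    for r in rows:
        if r["bssid"] in authorised:
            # Our own radio: only worth flagging if its configuration is weak.
            if r["security"] in ("Open", "WEP"):
                findings.append((r["bssid"], "authorised AP with weak security: " + r["security"]))
            continue
        if r["ssid"] in corporate_ssids:
            # Our network name from a radio we did not install: an impostor ("evil twin").
            findings.append((r["bssid"], "unknown AP impersonating " + r["ssid"]))
        elif r["ssid"] == "" and r["signal_dbm"] > strong:
            # Hidden network names do not stop a stumbler seeing the radio.
            findings.append((r["bssid"], "hidden SSID with strong signal"))
        elif r["signal_dbm"] > strong:
            findings.append((r["bssid"], "unknown AP with strong signal (" + r["ssid"] + ")"))
        # Weak, unknown, named networks are most likely neighbours and are left out.
    return findings


if __name__ == "__main__":
    for bssid, reason in triage(parse_survey(SURVEY_CSV), AUTHORISED_BSSIDS, CORPORATE_SSIDS):
        print(bssid, "->", reason)
```

With the constructed survey, the two authorised radios are passed over, the café's weak open network is ignored as a neighbour, and three devices are flagged: an open impostor of CharityWiFi, a loud hidden network, and a consumer router with its factory network name. The last two are the classic "staff member plugged in a home access point" pattern; the first is the more dangerous case of someone deliberately harvesting staff Wi-Fi credentials.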
6.) Carry out penetration tests
Perhaps the very best way to test your cyber security systems is to carry out a penetration test: a "friendly" attack on your own network to see whether the defences can be breached, and whether your security systems detect and prevent the attempt.
Professional penetration testers carry out the most effective tests, but they tend to be expensive. Another option for charities is to carry out regular automated penetration tests using tools such as Rapid7 Metasploit or Immunity CANVAS. Whoever does the testing, agree the scope in writing beforehand and test only systems you own; exploitation can crash a live service, so schedule it outside working hours or run it against a copy of the system.
These tools scan a network for vulnerabilities, match them against known "exploits" (the tricks criminals use to take advantage of a flaw) and attempt to break into systems where possible, then generate a report. The degree of automation varies: the free Metasploit Framework is driven from a console, while the commercial Metasploit Pro adds the automated scanning, exploitation and reporting described here.
This report allows you to see which of your computer systems have vulnerabilities. More importantly, it also shows which ones can actually be exploited, and which may be safe from those attacks despite their vulnerabilities because your other security controls protect them effectively. This allows you to prioritise which vulnerabilities to fix first.
It is worth remembering that an automated penetration test, while convenient and low cost, is not as effective as a skilled human penetration tester, who can chain together weaknesses and spot logic flaws that no tool will find.
Try Metasploit free
7.) Run a bug bounty program
As an alternative to hiring penetration testers, you could also consider getting a company to manage a "bug bounty" programme on your behalf. Specialist platforms such as Bugcrowd and HackerOne recruit security researchers, ranging from professionals to students, to attempt to find flaws in your systems and evade your security controls; for a private programme, the platform can restrict participation to researchers it has vetted.
The way a bug bounty programme works is that you specify the systems in scope and a bounty scale or prize fund, and anyone discovering a security flaw reports it to the company managing the programme. Once that company's security experts have verified the flaw, it awards a bounty to the finder and provides the details to you so that you can get it fixed. A programme only pays off if you have the capacity to fix what is reported, so it complements, rather than replaces, patching and regular testing.
Talk to a bug bounty company about the feasibility of running a bug bounty program for your computer setup.