Baird Straughan, March 2021

At WaterGrass we aspire NOT to work in data security.  Our client organizations are relatively small, unlikely to attract persistent hackers.  For financial transactions, we use the secure connections of much bigger players – Salesforce, Click and Pledge, iATS.  We advise clients to keep credit card numbers and other sensitive information to a minimum.  It’s been thirteen years now, and so far, so good.

But our luck can’t hold.  Last year revealed the Solar Winds hack, an infection of software that’s used to build other software.  Its scope is so broad that six months later we still don’t know the extent of it.  Solar Winds was soon eclipsed by the recent Microsoft Exchange attack.  (If you use Microsoft Outlook, you probably use Exchange.)  The attack is believed to have originated from a Chinese government-related actor seeking pharmaceutical and government secrets, but the code was later leaked.  As I write this, cyber-criminals of all sizes are on a spree and it’s estimated that hundreds of thousands of computer servers have been infected.

My anxiety has me spending way too much time reading reports about security breaches.  So you don’t have to go down the same rabbit-hole, here’s the gist.

The majority of hacks: …

… are just opportunistic applications of already-known bugs to infect computers which haven’t been updated or protected.  There are plenty of those devices lying around, and hackers have automated bots that send emails and test websites in order to find any system with a hole in it.  (For instance, since this article went up, this website has been tested every night by a bot which tries the username “admin” and then 20 different passwords.  If the actors behind the bot test enough websites, they’ll surely get into some where the owners never bothered to change the username and have a common password.)

Ransomware is targeted largely at older infrastructure.

So far, the databases most likely to suffer ransomware attacks are older legacy systems that run from on-premises servers at organizations like hospitals, corporations or government entities with valuable data or financial assets, or that perform a critical service.  It’s notoriously hard to keep these systems up to date – sometimes they use legacy hardware that can’t be replaced and operating systems that can’t be updated.  So far, I haven’t read of an online database like Salesforce allowing a ransomware attack.  (Update as of 8 May 2021: Ransomware attacks are very rapidly moving “downstream,” in some cases attacking even single individuals with threats to share embarrassing data stolen from health provider databases.  However, I still haven’t heard of intrusions into Salesforce.)

Some of your personal information has probably been hacked and published.

Check out the site Have I Been Pwned to find out whether any of your email addresses has been shared along with other personal information on the web.  Most hacks of financial accounts (read “bank accounts”) occur because hackers get a huge list of email/password combinations and try them on the online portals for  banks and financial institutions.  If hackers have your Yahoo password, and you use the same password for your bank account, your savings are in danger.  If you use that password on your work accounts, your organization is in danger.  (You can sign up to be alerted when your email is listed on a hacker website, so that you can immediately change passwords.)

You, human, are the weakest link.

Compared to machines, you are forgetful and flighty.  User error contributes to almost all hacks.  By far the most common errors are outdated operating systems, simple passwords, and clicking on a link in a phishing email.  The SolarWinds exploit arose after someone hacked and published an admin password (“SolarWinds123”) which had not been deactivated.  The DNCC emails were hacked in 2016 because Russian intelligence got a DNCC staffer to click on a link in a decoy email that had been written to look genuine.  As hacks evolve, more and more effort goes into “social engineering,” meaning the practice of customizing malicious emails to look believable and entice human users into a fatal click.  It will be very hard not to make a mistake.

Unencrypted text messages (SMS) to mobile devices are surprisingly unsafe.  

They can easily be captured by listening devices or even forwarded to other phone numbers without your knowledge.  It’s amazing that banks still use them to send confirmation codes.

We can’t stay ahead of the bad guys. 

An increasing number of hacking tools come from nations (like Russia or China or sometimes even our own NSA) or groups that work for hire.  These entities devote huge resources to finding “zero-day exploits,” which means that they actually invent previously unknown entry-points that even the manufacturer of the software itself doesn’t know.   For the SolarWinds intrusion, Microsoft estimates that at least a thousand programmers worked together on the malicious code.  There’s no practical defense against these zero-day exploits until they’re publicly discovered and a patch is developed.

So what can be done?  Luckily for most nonprofits, your system doesn’t need to be impregnable so long as your data isn’t sensitive.  It just has to be harder to hack than the data in it is perceived to be worth.

Take these steps:

Keep your hardware and software up to date.

If your Windows machine can’t run the latest version of Windows, or your Mac the latest version of iOS, then you’ll miss the updates.   Machines connected to the internet (ie virtually all of them) are exposed to malware.  The operating system’s owner (ie Apple, Microsoft, Google) has to update them quickly whenever new malware appears.  Using a machine running Windows7 or OS6 and connecting to the internet is like entering a coronavirus ward without vaccination or a mask.  You should probably throw those old machines away – sigh.

Which means …

Install the $*@&% updates, religiously and promptly.  No excuses.  (Require this in your employee manual.)

Keep your data non-toxic.  

If you would not store a piece of information in an unlocked file cabinet, don’t save it in the database.   If you really must record credit card transactions, store at most the final 4 digits and the expiration date.

Create a unique new password for every online account. 

The biggest problem with passwords is that people use them on multiple accounts.  When one account is hacked, thieves try that password on other accounts.  So use a password safe like Bitwarden, a free product that allows you to easily invent and retrieve unique, secure passwords.  (At WaterGrass we use KeePass, an open-source version.)

Accept the PITA of Multi-Factor Authentication.  

MFA requires you to both enter a password and then (usually) to type in a code sent to your phone or (better) to insert a unique physical “key” into one of the computer ports.  Google employees have used physical keys for years, and report that none have fallen victim to a phishing attack – an amazing record, given Google’s size and value.  It’s not that no Google employee ever shared login information by mistake.  It’s that even after they did, hackers couldn’t get into the system without the physical key.

Get a Virtual Private Network.

Especially if you share sensitive information over the internet.  They’re not expensive and they protect your communications even if you use public wifi at the airport or train station.  (Which you shouldn’t.  Use your phone as a hotspot instead.  Sigh.)

Make this Mandatory but as Easy as Possible for Your Employees.

In your employee manual, require employees to:

  1. Install software upgrades as soon as they are available.
  2. Use a different password for every account.

Then provide them with a password safe program and instruction in how to use it.

Rely on Big Players.

For data security, rely on the big players like Apple, Salesforce or Oracle.  So far, online databases have a better record than those with their servers on-premises, because they can centralize the security functions and enforce security rules.  Salesforce, one of the biggest providers of database services to nonprofits, will soon require users to move to Multi Factor Authentication.  The WaterGrass database is built on Salesforce, so all of our clients will be making that change too.  And we’ll be changing with them.

Ah, the world we live in.