In case you haven’t heard, the security picture for nonprofits has changed. The technological race between attackers and defenders has shifted enough that new defenses are necessary, and nonprofits and foundations are increasingly the targets of advanced persistent threats.
For high-end security professionals and analysts this is not news. For some foundations and nonprofits, however, all this can come as a shock. I witnessed this at last week’s annual meeting of the Technology Assessment Group, the premier group for IT managers at foundations. Two presentations, one by the Ford Foundation describing how it responded to being thoroughly hacked, and one by a respected group of longtime TAG members outlined the situation.
Also last week, a major report about targeted digital threats against civil society appeared. The report made it clear that civil liberties groups and other NGOs are being attacked by state-level organizations, as are their funders. Together, last week’s revelations should help bring into the security movement organizations that may have been too complacent. We are well past the point of being able to depend on firewalls and signature-based anti-malware scans. Here are some details:
Nonprofits as Targets
Cybercrime has been around for a while, and intrusions into endpoints (individual clients, servers and mobile devices) for financial gain are common. It’s easy for a nonprofit to think that it is a low-priority target, because it doesn’t store huge numbers of credit cards or other assets that can be converted to cash. FireEye, a cyber security vendor, has found otherwise. Last April, it reported that “it appears there are more than 15 distinct advanced threat groups active in NGO networks.” It gave as examples donor information exposed at a Maine nonprofit, possible identity theft at Towards Employment, and a data breach at a Maryland nonprofit serving the disabled.
FireEye explained cyber threat groups’ interest in nonprofits this way: “Hamstrung by limited budgets to establish strong network defenses and few personnel that understand how and why these threats are materializing, NGOs make a relatively easy target. Even if they aren’t profitable, NGOs use credit cards for donations, transact with cash, store personally identifiable information (PII) and, in some cases, even house intellectual property. Many NGOs also work on political issues—an inviting target for opponents who want to monitor their communications and activities. Weak defenses and a target-rich environment make NGOs an enticing victim to maliciously motivated threat actors.”
In a more extensive report released last week, the University of Toronto’s Citizen Lab published a four-year study of cyber attacks on civil society organizations that resulted in the following major findings:
- In the digital realm, CSOs face the same threats as the private sector and government, while equipped with far fewer resources to secure themselves.
- Counterintuitively, technical sophistication of malware used in these attacks is low, but the level of social engineering employed is high.
- Digital attacks against CSOs are persistent, adapting to targets in order to maintain access over time and across platforms.
- Targeted digital threats undermine CSOs’ core communications and missions in a significant way, sometimes as a nuisance or resource drain, more seriously as a major risk to individual safety.
- Targeted digital threats extend the “reach” of the state (or other threat actors) beyond borders and into “safe havens.”
The report particularly addressed the funders of CSOs, saying, “Funders are uniquely positioned within the civil society landscape to contend with targeted digital threats. Both funders themselves, as well as the grantees they support, are at risk for politically-motivated digital compromise. Funders thus have at least two core responsibilities related to targeted digital threats:
- To help their grantees implement better security.
- To secure themselves (thereby also preventing collateral compromise).
This dual responsibility presents a number of challenges and opportunities to grantmakers, who are, we suspect, still engaged in an internal learning process about their own digital security.”
This learning process was evident in the Ford Foundation’s presentation at TAG. The Foundation has come a long way in ridding itself of malware and establishing procedures to limit its exposure going forward. It is taking them time, however. It was a year or so between the time in 2012 when the Foundation learned it had been compromised and the time in 2013 when it finally completely eliminated the damage to its systems. A wide range of preventative measures are still ongoing.
Thus, as Mark Bogliano put it during his TAG presentation, “They’re not just after money. They’re after information.” And the evidence is clear that they are using advanced persistent threats to acquire it.
Industry analysts have recently summarized the consequences of new tactics being employed by cyber threat groups and cyber criminals. Gartner pointed out three in May:
- Effectively dealing with advanced threats that bypass traditional signature-based approaches will require monitoring, detection and response capabilities at endpoints.
- Existing security tools do not have sufficient security monitoring, detection and response capabilities; they are primarily designed for “set and forget” or alert-driven usage.
- Existing EPPs (endpoint protection platforms) are too narrowly focused on prevention, resulting in long dwell times, increased damage and delayed incident response times when breaches inevitably occur.
A Forrester report in June had similar conclusions: “Signature-based AV engines can no longer keep up with the explosion of malware variants. Collective industry statistics point to an increasingly virulent and fast-changing malware landscape, with some reports claiming the annual creation of new malware variants to number in the hundreds of millions. With virus technologies increasing in sophistication and this uncontrolled rate of malware production, it has become impossible for blacklist signature-based engines to keep up.”
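To make the Forrester point concrete, here is an added example (not from the original post, and not a description of any vendor’s product) that contrasts the two approaches the analysts are talking about. A blacklist of file hashes catches only the exact sample it was built from; appending a single byte produces a "new variant" it misses. A behavioral rule that looks at what the endpoint actually does (an Office application spawning PowerShell with an encoded command) fires on both. The sample bytes, process events, and rule names are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List

# Constructed stand-ins for a malicious binary: the sample a vendor has already
# seen, and a trivially repacked variant (one appended byte) it has not.
KNOWN_SAMPLE = b"MZ\x90\x00constructed-dropper-v1"
VARIANT_SAMPLE = KNOWN_SAMPLE + b"\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical signature blacklist, built only from the sample already seen.
SIGNATURE_BLACKLIST = {sha256_hex(KNOWN_SAMPLE)}


def signature_verdict(sample: bytes) -> bool:
    """Signature-based check: exact hash match against the blacklist."""
    return sha256_hex(sample) in SIGNATURE_BLACKLIST


@dataclass
class ProcessEvent:
    """One process-creation record as an endpoint sensor might report it (constructed)."""
    host: str
    parent_image: str
    image: str
    cmdline: str
    file_hash: str


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def behavior_verdict(events: List[ProcessEvent]) -> List[str]:
    """Behavioral check: return the names of rules that fire on the event stream.

    Neither rule cares about the file hash, so a repacked variant that behaves
    the same way is still caught.
    """
    hits = []
    for e in events:
        parent, image, cmd = e.parent_image.lower(), e.image.lower(), e.cmdline.lower()
        if parent in OFFICE_APPS and image in SHELLS:
            hits.append("office-spawns-shell")
        if image == "powershell.exe" and ("-enc " in cmd or "-encodedcommand " in cmd):
            hits.append("encoded-powershell")
    return hits


def constructed_events(sample: bytes) -> List[ProcessEvent]:
    """Constructed telemetry: a macro-enabled document launching an encoded PowerShell stage."""
    return [
        ProcessEvent("ws-finance-07", "explorer.exe", "winword.exe",
                     "winword.exe grant_report.docm", "n/a"),
        ProcessEvent("ws-finance-07", "winword.exe", "powershell.exe",
                     "powershell.exe -nop -w hidden -enc SQBFAFgA", sha256_hex(sample)),
    ]


def triage(sample: bytes) -> dict:
    """Run both checks on one sample and its (constructed) endpoint activity."""
    return {
        "signature_hit": signature_verdict(sample),
        "behavior_hits": behavior_verdict(constructed_events(sample)),
    }


if __name__ == "__main__":
    for name, sample in (("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE)):
        print(name, triage(sample))
```

The signature check says "clean" for the variant even though it differs from the known sample by one byte; the behavioral rules fire on both because the activity on the endpoint is identical. That is the gap the Gartner and Forrester points describe: prevention keyed on what a file looks like has to be backed by monitoring of what it does, which is also the data an incident responder needs when the prevention layer is bypassed.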
What Is to Be Done?
In his TAG presentation, Ford Foundation Chief Technology Officer Dave Roth described the Foundation’s broad five-pronged response:
- Educate Users to Be “Human Firewalls”
- Employ “Best Practice” Security Policies
- Deploy New Technology to Bolster Defenses
- Remove the Malware
- Remain Vigilant to the Continuing Threat
Ongoing efforts also include improving managed security service delivery, deploying file encryption, evaluating additional forensic tools, and extending two-factor authentication beyond IT.
Clearly, there is much to be learned, even to understand what others are doing. But, at least at TAG, it appears our community is waking up.