Non-profits, as their name indicates, are not designed to profit from their activities. They provide services, goods (e.g. clothing or food), and other items to those who can't afford them. By design, there is no profit motive in working with these organizations. When an attack is planned, one of the first areas an attacker looks at is the crown jewels, i.e. what the attack is focused on. Attackers may also simply have the mission of being malicious. However, given how attacks have been operationalized, there is generally something (e.g. money or data) the attackers want.
Target
A recent breach has been no exception. The Jewish Federation of Greater Washington was recently targeted and breached. This organization is a non-profit located in Maryland with 52 employees.
Attack
There are cybersecurity dangers regardless of where you are working. To address these, users need awareness, as a general baseline, of what to do and what not to do. Their systems, if they are not the business' equipment, have to be kept up to date. Outdated, unpatched apps and programs create an opportunity for attackers and make an attack easier. This is analogous to leaving the front door shut, but unlocked.
In this learning experience, a staff member working from home on their own system was successfully attacked. The compromise led to the attacker stealing $7.5M. The attack and theft were possible due to one person's oversight and the organization not maintaining a proper level of cybersecurity for its staff.
The attack was not known to the organization until August 4th. It was detected by a security contractor, not by the organization. The red flag in this instance was an anomalous amount of activity on a staff member's email account.
Post-Attack
After this was detected, the FBI was contacted. As the investigation continues, there is no comment as to who may have carried this out. While this is an issue, the CEO, Gil Preuss, did announce the compromise on a virtual conference call with the employees.
The organization also investigated the breach. The data indicated the attacker had access long before the issue was detected by the cybersecurity contractor; the unauthorized access was estimated to have started early in the summer. The investigation continues as the systems and servers are analyzed for other cybersecurity issues. Wisely, the organization is no longer allowing staff to use personal computers for work. The issues with allowing this abound at any time, and especially now with the pandemic forcing most people to work from home. The organization appears to be reviewing what other controls to put in place to mitigate the potential for this to occur again.
Discussion
In our current situation, working from home is, for the most part, not an option but a necessity. Users may feel a little more at ease working from home and let their guard down. They may also not have the same level of defensive measures in place, and for the measures that are in place, the apps and programs may not be patched or up to date. All of these create the potential vulnerability attackers look for. Unfortunately, all it takes is one person in the right department, or with access to other systems, and there's a breach.
Cybersecurity does not take a break from the office. This is a 24-hour-a-day, every-day task. Users still have to be vigilant. There is no vacation or sick day for cybersecurity.
On the last point, please push for more training for users. They do not need to be cybersecurity experts. They do, however, need to be aware of what to look for and what not to click on. A stranger is not going to send you a link to their cousin's hilarious birthday party or a picture of their kitten that you have to open to see the details in the kitten's fur.
From the finance and administrative side, there should have been controls or alarms in place to monitor large transfers, whether made at once or spread over a short period of time. This may also have limited the depth of the attack.
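As an added illustration of the transfer controls suggested above (this is example code, not part of the original post or anything the organization runs), the following Python sketch flags a single large transfer, a cumulative total over a rolling window, and a first payment to a destination not seen before. The ledger entries and the thresholds are constructed, hypothetical values, not figures from the breach.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample ledger of outgoing wire transfers (not real data).
SAMPLE_TRANSFERS = [
    {"id": "T1", "when": "2020-06-02T10:15:00", "amount": 12_000,  "dest": "ACME-PAYROLL"},
    {"id": "T2", "when": "2020-06-09T09:40:00", "amount": 480_000, "dest": "NEW-VENDOR-1"},
    {"id": "T3", "when": "2020-06-10T14:05:00", "amount": 240_000, "dest": "NEW-VENDOR-1"},
    {"id": "T4", "when": "2020-06-11T08:30:00", "amount": 300_000, "dest": "NEW-VENDOR-1"},
    {"id": "T5", "when": "2020-07-20T11:00:00", "amount": 9_500,   "dest": "ACME-PAYROLL"},
]


def flag_transfers(transfers, single_limit=250_000, window=timedelta(hours=72),
                   window_limit=500_000, known_destinations=frozenset()):
    """Return (transfer id, rule) alerts for transfers that breach the limits.

    Rules (hypothetical thresholds; tune them to the organization's normal volume):
      single-limit : one transfer at or above single_limit
      window-limit : cumulative amount inside a rolling window at or above window_limit
      new-dest     : first outgoing transfer to a destination not in known_destinations
    """
    alerts = []
    recent = deque()        # (timestamp, amount) pairs still inside the window
    running = 0             # sum of the amounts currently in `recent`
    seen = set(known_destinations)
    for t in sorted(transfers, key=lambda x: x["when"]):   # ISO timestamps sort as text
        ts = datetime.fromisoformat(t["when"])
        # Age out entries older than the window before adding this transfer.
        while recent and ts - recent[0][0] > window:
            running -= recent.popleft()[1]
        recent.append((ts, t["amount"]))
        running += t["amount"]
        if t["amount"] >= single_limit:
            alerts.append((t["id"], "single-limit"))
        if running >= window_limit:
            alerts.append((t["id"], "window-limit"))
        if t["dest"] not in seen:
            alerts.append((t["id"], "new-dest"))
            seen.add(t["dest"])
    return alerts


if __name__ == "__main__":
    for transfer_id, rule in flag_transfers(SAMPLE_TRANSFERS, known_destinations={"ACME-PAYROLL"}):
        print(f"ALERT {rule}: transfer {transfer_id}")
```

The window rule is what catches T3, whose 240,000 on its own sits under the single-transfer limit but pushes the 72-hour total past 500,000.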