“Who's knocking at my firewall door?”
And, other sundry things to know for the non-profit hands-on CIO
Security is like play putty these days; everything is malleable and ever changing. How is a CIO
or IT manager with limited experience in a low-budget nonprofit to keep up without breaking the
bank?
First off, for 2010, there are some security items you should be aware of as trends emerge.

•Robots.txt...Ever see that file on your webserver? (Ro)bots (or spiders) are scripts or applications that
search out information on the web. Search engines constantly scour the web for information using this
method. The robots.txt file can be a powerful tool to tell the search bots not to read/index your
webpages, though only well-behaved bots honor it. Bots are also used by those nasty folks on the web
who like to steal your information or trash your website. They are the basis for most cybercrime, as
they knock on your servers' door constantly without any user interaction. Bots are the ones that
constantly knock on our firewall door or seek our passwords to break into our “secure” portals and
websites.
•Where did my month's bandwidth allowance go? Malicious hacking of websites using SQL
injection, open ports, poor permissions, etc., leads to malware installation. The attackers then get to
use your server to meet their profitable needs.
•Is my hardware secure? Well, really, the question is more about whether the operating system is
secure. While Microsoft Windows still carries its woes with attacks, Macintosh, as a viable commercial
product and now with Leopard on a near open source platform, proves it can possibly stay ahead of the
malware infiltrators. Time will tell. But, you don't have to be brave anymore to play around with other
operating systems. Try a flavor of Linux like Ubuntu or Linux Mint, or one of the 20+ other distributions
out there. Even Google's Chrome OS is a prime choice, slated to be the next netbook OS of choice.
•Software piracy. Be careful about buying cheap software from unknown sources; it may be infected.
Remember the malware scare about free downloads a decade ago? Well, it's back.
•Social networking sites, yes, are the next and prime targets for cyber do-no-gooders. We recently saw
this in the Google/China case, where Chinese crackers (bad hackers) broke into activist Gmail accounts.
Bad China country, bad.
•Is it the wave or my surfboard that is muy mal? Malvertising and toxic web search results will be
on the rise. Those poor newbie Luddites will have your day humming and your work queue crashing.
Other platforms like Java and Flash could end up being the (once again?) culprits. Maybe it is time to
invest in another operating system and migrate now to save your hair and fingernails.
•Smartphones. Smart for you but dumb enough for the malicious hacker to inject all kinds of nice stuff
in there. While Windows is still the most vulnerable, the other operating systems may be “light” enough
to also be affected eventually. It will be interesting to see how Apple's iPhone and Google's Android
evolve.
•Hands-on hacking. There are reports all over the web that long-term plans for inside jobs may be on
the rise (see http://arunaurl.com/3cd2). Check your new IT staff or contractors out very well. Getting
referrals from known friends and colleagues may be the way to go, even if it costs you a few bucks
more. For more info, web search for: hacking “inside job”
(As of late, the China/Google scandal commandeers at least the first three search pages. Click ahead for
more variety.)
•Cloud computing. A network cloud is just a collection of servers living out on the Internet providing
various services, much like how websites are served from a webserver but in a much larger, scalable
fashion. Software as a Service (SaaS) products are online applications that frequently live on cloud
servers, much like how you access your webmail account. The jury is still out on where and what it's
evolving into, but be assured that if you're constantly passing vital information over the web to who
knows where to be processed heavily on the cloud, someone will figure out how to 'wiretap' your line.
•Clickjacking or User Interface (UI) Redressing. According to Wikipedia: “a malicious technique of
tricking Web users into revealing confidential information or taking control of their computer while
clicking on seemingly innocuous Web pages. A vulnerability across a variety of browsers and
platforms, a clickjacking takes the form of embedded code or script that can execute without the user's
knowledge, such as clicking on a button that appears to perform another function.” Get it?!
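Clickjacking works by framing your page inside an attacker's page, so the server-side defense is to tell browsers who may frame it. The Python below is an added example, not from the article or from Wikipedia: it evaluates a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers and reports which sample pages are left frameable. The sample responses and the partner origin are constructed for the example.

```python
"""Classify HTTP responses by their anti-clickjacking (anti-framing) posture.

Added example: the sample responses below are constructed, not taken from
any real site.
"""

def framing_policy(headers):
    """Classify one response's anti-framing posture.

    headers: mapping of response header name -> value (names are matched
    case-insensitively). Returns one of:
      'denied'       nobody may frame the page
      'same-origin'  only pages from the same origin may frame it
      'allow-list'   an explicit list of origins may frame it
      'unprotected'  no framing restriction at all
    A CSP frame-ancestors directive takes precedence over X-Frame-Options
    in browsers that support it, so it is checked first.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            # An empty source list means the same as 'none' per the CSP spec.
            if not sources or sources == ["none"]:
                return "denied"
            if sources == ["self"]:
                return "same-origin"
            return "allow-list"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    if xfo.startswith("ALLOW-FROM"):
        return "allow-list"
    return "unprotected"


def audit_framing(responses):
    """Return (policy per page, sorted list of pages with no protection)."""
    policies = {path: framing_policy(hdrs) for path, hdrs in responses.items()}
    unprotected = sorted(path for path, pol in policies.items() if pol == "unprotected")
    return policies, unprotected


# Constructed sample responses for a handful of pages on one hypothetical site.
SAMPLE_RESPONSES = {
    "/login":  {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "/donate": {"Content-Type": "text/html",
                "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "/portal": {"Content-Type": "text/html", "x-frame-options": "sameorigin"},
    "/widget": {"Content-Type": "text/html",
                "Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "/about":  {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    policies, unprotected = audit_framing(SAMPLE_RESPONSES)
    for path, policy in sorted(policies.items()):
        print(f"{path:10} {policy}")
    print("frameable by anyone:", unprotected)
```

Run it as-is and it reports `/about` as the one page with no framing protection; point `SAMPLE_RESPONSES` at headers captured from your own server to audit a real site.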

For many of these issues, good spam/virus filtering is essential. At my organization, we use
http://Zimbra.com's Collaboration Suite Network Edition, which has a good configuration of
SpamAssassin designed for it. But, I also use http://Death2Spam.net as an incoming mail filter proxy.
In addition, ZCS has a robust access control list (ACL) management system to customize which staff
get access to what on a very granular level. It's fairly reasonable for a non-profit and works quite well.

These and others are plenty to watch out for and educate yourself on, but could take some semesters of
study to get comfortable with. I am a trained social worker and life coach besides being a self-taught
computerist since 1976 on my Commodore Vic20. The promise of learning a trade yourself is true and
can be realized if you are dedicated to it. Hooking up with a cohort or a group of like-minded folks who
have each other's interests and backs to support is a great way not only to learn but to build, gain and
exchange trust with your peers. I have 3 or more people (and discussion boards) I can contact at any
time of the day (really!) when trouble arises to get an instant answer. Plus, there is always the trusty
search engine.

But, there is an even more basic, fundamental problem that information technology has only recently
begun to tackle: passwords. This has got to be the most vulnerable access point for the majority of
login instances ever. Think about it.

You just finished six months of review and sandbox testing with a new open-source collaborative
communications system for your office staff. A central oasis of tools, functions and widgets that will
boost productivity for the organization. It comes with speedy server software, a powerful spam/virus
blocker, ample security, ACLs of such granularity they will prevent a flea from accessing any feature,
and so on. You also invested in two rack-mounted dual quad-core “pizza boxes” with 16GB of RAM to
boot, and a new router. You're cranked up and ready to go!

You give your staff the pre-training, the pre-launch training and the on-launch training.

You set them up with their profiles and temporary passwords that are already randomly hardened with a
combination of numbers, capital letters and punctuation symbols. After logging in for the first time they
are instructed to change their temporary password.

But, as you make your rounds to check in on how they are doing, you observe a few logging in with
their dog's name, the name of the org, the current year and make of their car, or even their birthday,
which is now seen by the millions on Facebook, MySpace, Friendster, Tribe, Twitter and who knows
what other social networking profiles out there!
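The weak choices just described (pet name, organization, current year, car, birthday) are exactly what a password policy check should catch before the change is accepted. The Python below is an added example, not code from the article: a policy check that rejects short passwords, too few character classes, and any term pulled from a staff profile or the organization's name, beside a generator for the randomly hardened temporary passwords the scenario mentions. The staff profile, the organization name “Helping Hands” and the thresholds are constructed for the example.

```python
"""Password policy check plus a hardened temporary-password generator.

Added example. The profile, organization name and thresholds are
constructed assumptions, not values from the article.
"""
import re
import secrets
import string

MIN_LENGTH = 12   # assumed policy threshold
MIN_CLASSES = 3   # out of: lowercase, uppercase, digit, punctuation
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def guessable_terms(profile, org_name, year):
    """Words (3+ letters) and 4-digit numbers an attacker could read off a public profile."""
    terms = set()
    for value in list(profile.values()) + [org_name, str(year)]:
        for token in re.findall(r"[A-Za-z]{3,}|\d{4}", str(value)):
            terms.add(token.lower())
    return terms


def password_problems(password, profile, org_name, year):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    for term in sorted(guessable_terms(profile, org_name, year)):
        if term in lowered:
            problems.append(f"contains guessable term '{term}'")
    return problems


def temporary_password(profile, org_name, year, length=16):
    """Draw a random password (CSPRNG) and retry until it passes the policy above."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_problems(candidate, profile, org_name, year):
            return candidate


# Constructed sample profile; in practice this comes from the staff record.
STAFF_PROFILE = {"dog": "Rover", "car": "Toyota Prius", "birthday": "1975-03-14"}
ORG_NAME = "Helping Hands"   # hypothetical nonprofit
YEAR = 2010

if __name__ == "__main__":
    samples = ["Rover2010!", "HelpingHands14", "Toyota-Prius-1975",
               temporary_password(STAFF_PROFILE, ORG_NAME, YEAR)]
    for pw in samples:
        print(pw, "->", password_problems(pw, STAFF_PROFILE, ORG_NAME, YEAR) or "OK")
```

The profile-derived term list is the part that matters most here: length and character-class rules alone would pass `Toyota-Prius-1975`, which anyone reading the owner's social profile could guess.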
I have little hair left on my head, but that is hereditary; for you it could be diagnosed as latent onset
of Trichotillomania. I get my calm from 30 years of T'ai Chi practice. But, I digress.
There is an answer that could hold you over for the time being. Many web-based applications and
SaaS products are beginning to adopt http://OpenID.net standards. This means one cryptic, difficult
password for your staff to remember to log into many online websites. In fact, the password doesn't
even get stored on the website (it stays with your OpenID provider), and there is no way to trace it
back. Yes, if keylogger malware has made it onto a computer you could be tracked that way, but this is
a viable alternative.

In addition, if you are a little more concerned (sorry cynics, this is way short of paranoia), keyed
password certificates on a thumb drive could work, too.

Security is always changing and evolving. It morphs this way and transmogrifies that way and reveals
new cracks in the systems we use each and every day, from our cellphones to ATMs to voting machines,
providing fertile ground for those with malicious intentions to infiltrate our data and productivity every
day, if not every second. It is not only a full-time job but also a thought process gnawing at us with
anxiety over whether we are going to be the next victim of tampering.

If you set up enough monitoring and preventive measures, even if you get a lot of port-knockers, any
apparent breach will become very, very noticeable, thus reducing your time in research, as the culprit
pops up on your screen or in an email notification, and in psychological therapy due to lack of sleep,
excessive anxiety and delusional paranoia.
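The robots.txt bullet earlier notes that search bots honor the file while the hostile ones knock anyway, and the paragraph above wants that knocking to pop up on your screen or in a notification. The Python below is an added example serving both points, not code from the article: it reads the Disallow prefixes from a robots.txt, parses combined-format web server access log lines, and flags clients that fetch disallowed paths or rack up distinct 404s (path probing). The robots.txt, the log lines, the addresses (documentation ranges) and the 404 threshold are all constructed assumptions.

```python
"""Flag log clients that ignore robots.txt or probe for non-existent paths.

Added example. ROBOTS_TXT and ACCESS_LOG are constructed samples in
Apache/nginx combined log format; the threshold is an assumption.
"""
import re
from collections import defaultdict

ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
"""

ACCESS_LOG = """\
203.0.113.7 - - [12/Jan/2010:03:14:07 -0800] "GET /robots.txt HTTP/1.1" 200 61 "-" "Googlebot/2.1"
203.0.113.7 - - [12/Jan/2010:03:14:09 -0800] "GET /about.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
198.51.100.23 - - [12/Jan/2010:03:15:01 -0800] "GET /robots.txt HTTP/1.1" 200 61 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Jan/2010:03:15:02 -0800] "GET /admin/login.php HTTP/1.1" 404 208 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Jan/2010:03:15:02 -0800] "GET /backup/site.zip HTTP/1.1" 404 208 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Jan/2010:03:15:03 -0800] "GET /phpmyadmin/ HTTP/1.1" 404 208 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Jan/2010:03:15:03 -0800] "GET /cgi-bin/test.cgi HTTP/1.1" 404 208 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Jan/2010:08:02:11 -0800] "GET /donate.html HTTP/1.1" 200 7410 "http://example.org/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def disallowed_prefixes(robots_txt, agent="*"):
    """Collect the Disallow path prefixes from the robots.txt group for `agent`."""
    prefixes, in_group = [], False
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_group = (value == agent)
        elif key == "disallow" and in_group and value:
            prefixes.append(value)
    return prefixes


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_clients(robots_txt, log_text, not_found_threshold=3):
    """Map client IP -> list of reasons it looks like a scanner rather than a visitor."""
    prefixes = disallowed_prefixes(robots_txt)
    hits = defaultdict(lambda: {"disallowed": set(), "not_found": set()})
    for rec in parse_log(log_text):
        entry = hits[rec["ip"]]
        if any(rec["path"].startswith(p) for p in prefixes):
            entry["disallowed"].add(rec["path"])
        if rec["status"] == "404":
            entry["not_found"].add(rec["path"])
    report = {}
    for ip, entry in hits.items():
        reasons = []
        if entry["disallowed"]:
            reasons.append(f"fetched {len(entry['disallowed'])} robots.txt-disallowed path(s)")
        if len(entry["not_found"]) >= not_found_threshold:
            reasons.append(f"{len(entry['not_found'])} distinct 404s (path probing)")
        if reasons:
            report[ip] = reasons
    return report


if __name__ == "__main__":
    for ip, reasons in suspicious_clients(ROBOTS_TXT, ACCESS_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed log only 198.51.100.23 is reported: it read robots.txt and then went straight for the disallowed directories, and every one of its requests was a 404. The well-behaved crawler and the ordinary visitor stay quiet, which is what makes the report worth wiring into a nightly email rather than a fire hose.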

There is no real protection anywhere in life. But, what you can do is practice prevention, like learning
a self-defense martial art, by educating yourself enough and using powerful tools developed by
trustworthy others that have direct meaning and service to your needs.

Live long and prosper.
                ~ Spock

Bruce M. Wolfe has a master's degree in Social Work with an emphasis on Social Development and is
the Chief Information & Technology Officer for http://MarinInstitute.org, an alcohol industry
watchdog, and president of vCampaign, Inc., developers of low-budget modern campaign websites. He
is a 35+ year practitioner of a variety of martial arts, most of which has been in the Chinese internal
school.

More Related Content

What's hot

An Introduction To IT Security And Privacy for Librarians and Libraries
An Introduction To IT Security And Privacy for Librarians and LibrariesAn Introduction To IT Security And Privacy for Librarians and Libraries
An Introduction To IT Security And Privacy for Librarians and LibrariesBlake Carver
 
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemsHacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemskhalavak
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII studentsAkiumi Hasegawa
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS  USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS  USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Password hacking
Password hackingPassword hacking
Password hackingAbhay pal
 
4 threatsandvulnerabilities
4 threatsandvulnerabilities4 threatsandvulnerabilities
4 threatsandvulnerabilitiesricharddxd
 
Giarritano concept paper 4
Giarritano concept paper 4Giarritano concept paper 4
Giarritano concept paper 4leahg118
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)Avansa Mid- en Zuidwest
 
Protect Yourself From Internet Pests
Protect Yourself From Internet PestsProtect Yourself From Internet Pests
Protect Yourself From Internet Pestspeterhitch
 
FNC Corporate Protect Workshop
FNC Corporate Protect WorkshopFNC Corporate Protect Workshop
FNC Corporate Protect Workshopforensicsnation
 
03.fnc corporate protect workshop new
03.fnc corporate protect workshop new03.fnc corporate protect workshop new
03.fnc corporate protect workshop newforensicsnation
 

What's hot (20)

La pecera 3
La pecera 3La pecera 3
La pecera 3
 
Hamza
HamzaHamza
Hamza
 
Emp tech las-week-2
Emp tech las-week-2Emp tech las-week-2
Emp tech las-week-2
 
Hacking 09 2010
Hacking 09 2010Hacking 09 2010
Hacking 09 2010
 
Information security
Information securityInformation security
Information security
 
La Pecera 4
La Pecera 4La Pecera 4
La Pecera 4
 
Computer Basics in the Work Place
Computer Basics in the Work PlaceComputer Basics in the Work Place
Computer Basics in the Work Place
 
I.T Security Threats
I.T Security ThreatsI.T Security Threats
I.T Security Threats
 
An Introduction To IT Security And Privacy for Librarians and Libraries
An Introduction To IT Security And Privacy for Librarians and LibrariesAn Introduction To IT Security And Privacy for Librarians and Libraries
An Introduction To IT Security And Privacy for Librarians and Libraries
 
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemsHacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS  USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS  USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
 
Password hacking
Password hackingPassword hacking
Password hacking
 
4 threatsandvulnerabilities
4 threatsandvulnerabilities4 threatsandvulnerabilities
4 threatsandvulnerabilities
 
Giarritano concept paper 4
Giarritano concept paper 4Giarritano concept paper 4
Giarritano concept paper 4
 
eForensics_17_2013_KMOKER
eForensics_17_2013_KMOKEReForensics_17_2013_KMOKER
eForensics_17_2013_KMOKER
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
 
Protect Yourself From Internet Pests
Protect Yourself From Internet PestsProtect Yourself From Internet Pests
Protect Yourself From Internet Pests
 
FNC Corporate Protect Workshop
FNC Corporate Protect WorkshopFNC Corporate Protect Workshop
FNC Corporate Protect Workshop
 
03.fnc corporate protect workshop new
03.fnc corporate protect workshop new03.fnc corporate protect workshop new
03.fnc corporate protect workshop new
 

Viewers also liked

Johnlocke 130212070222-phpapp02
Johnlocke 130212070222-phpapp02Johnlocke 130212070222-phpapp02
Johnlocke 130212070222-phpapp02lesperlesnegres
 
για τη γιορτή της μητέρας
για τη γιορτή της μητέραςγια τη γιορτή της μητέρας
για τη γιορτή της μητέραςguestae8b37d
 
Kant, el filòsof de la raó
Kant, el filòsof de la raóKant, el filòsof de la raó
Kant, el filòsof de la raólesperlesnegres
 
Assessing Skills: Aspire champ magazine Issue 12 March 2016
Assessing Skills: Aspire champ magazine Issue 12 March 2016Assessing Skills: Aspire champ magazine Issue 12 March 2016
Assessing Skills: Aspire champ magazine Issue 12 March 2016Luke Gallagher
 
Understanding SaaS Concepts
Understanding SaaS ConceptsUnderstanding SaaS Concepts
Understanding SaaS Conceptsguest0e7119
 
O βρασμένος βάτραχος
O βρασμένος βάτραχοςO βρασμένος βάτραχος
O βρασμένος βάτραχοςguestae8b37d
 
Indefinite pronouns Indefinite Compounds Every Some Any
Indefinite pronouns Indefinite Compounds Every Some AnyIndefinite pronouns Indefinite Compounds Every Some Any
Indefinite pronouns Indefinite Compounds Every Some AnyEmerson Macedo
 
Concepcions filosòfiques sobre l’ésser humà´
Concepcions filosòfiques sobre l’ésser humà´Concepcions filosòfiques sobre l’ésser humà´
Concepcions filosòfiques sobre l’ésser humà´lesperlesnegres
 

Viewers also liked (17)

Modal Verbs
Modal VerbsModal Verbs
Modal Verbs
 
Johnlocke 130212070222-phpapp02
Johnlocke 130212070222-phpapp02Johnlocke 130212070222-phpapp02
Johnlocke 130212070222-phpapp02
 
Fibras alimentares e saúde
Fibras alimentares e saúdeFibras alimentares e saúde
Fibras alimentares e saúde
 
για τη γιορτή της μητέρας
για τη γιορτή της μητέραςγια τη γιορτή της μητέρας
για τη γιορτή της μητέρας
 
Kant, el filòsof de la raó
Kant, el filòsof de la raóKant, el filòsof de la raó
Kant, el filòsof de la raó
 
Assessing Skills: Aspire champ magazine Issue 12 March 2016
Assessing Skills: Aspire champ magazine Issue 12 March 2016Assessing Skills: Aspire champ magazine Issue 12 March 2016
Assessing Skills: Aspire champ magazine Issue 12 March 2016
 
Understanding SaaS Concepts
Understanding SaaS ConceptsUnderstanding SaaS Concepts
Understanding SaaS Concepts
 
Adjectives
AdjectivesAdjectives
Adjectives
 
Fibras alimentares e saúde
Fibras alimentares e saúdeFibras alimentares e saúde
Fibras alimentares e saúde
 
6 felicitat i justicia
6 felicitat i justicia6 felicitat i justicia
6 felicitat i justicia
 
σρίκη!!!
σρίκη!!!σρίκη!!!
σρίκη!!!
 
O βρασμένος βάτραχος
O βρασμένος βάτραχοςO βρασμένος βάτραχος
O βρασμένος βάτραχος
 
Unitat 2 (2)
Unitat 2 (2)Unitat 2 (2)
Unitat 2 (2)
 
Indefinite pronouns Indefinite Compounds Every Some Any
Indefinite pronouns Indefinite Compounds Every Some AnyIndefinite pronouns Indefinite Compounds Every Some Any
Indefinite pronouns Indefinite Compounds Every Some Any
 
Announcements
AnnouncementsAnnouncements
Announcements
 
False Cognates
False CognatesFalse Cognates
False Cognates
 
Concepcions filosòfiques sobre l’ésser humà´
Concepcions filosòfiques sobre l’ésser humà´Concepcions filosòfiques sobre l’ésser humà´
Concepcions filosòfiques sobre l’ésser humà´
 

Similar to Who's that knocking on my firewall door?

Sophos Threatsaurus: The A-Z of Computer and Data Security Threats
Sophos Threatsaurus: The A-Z of Computer and Data Security ThreatsSophos Threatsaurus: The A-Z of Computer and Data Security Threats
Sophos Threatsaurus: The A-Z of Computer and Data Security ThreatsConnecting Up
 
How to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistHow to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistPixel Crayons
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfxererenhosdominaram
 
Five habits that might be a cyber security risk
Five habits that might be a cyber security riskFive habits that might be a cyber security risk
Five habits that might be a cyber security riskK. A. M Lutfullah
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for ActivistsGreg Stromire
 
Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Joseph White MPA CPM
 
Computer And Internet Security
Computer And Internet SecurityComputer And Internet Security
Computer And Internet SecurityAshley Zimmerman
 
Computer And Internet Security
Computer And Internet SecurityComputer And Internet Security
Computer And Internet SecurityJFashant
 
Network Threats
Network ThreatsNetwork Threats
Network ThreatsDan Oblak
 
Malware and malicious programs
Malware and malicious programsMalware and malicious programs
Malware and malicious programsAmmar Hasayen
 
Webinar Security: Apps of Steel transcription
Webinar Security:  Apps of Steel transcriptionWebinar Security:  Apps of Steel transcription
Webinar Security: Apps of Steel transcriptionService2Media
 
Prevent Strikes On Industrial And Civil Items Using Access Control
Prevent Strikes On Industrial And Civil Items Using Access ControlPrevent Strikes On Industrial And Civil Items Using Access Control
Prevent Strikes On Industrial And Civil Items Using Access Controlmorticelocksnational21
 
Computer Security for Lawyers
Computer Security for LawyersComputer Security for Lawyers
Computer Security for LawyersMark Lanterman
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hackingparag101
 
computer and society impact of Computer in society
computer and society  impact of Computer in society computer and society  impact of Computer in society
computer and society impact of Computer in society Sumama Shakir
 

Similar to Who's that knocking on my firewall door? (16)

Sophos Threatsaurus: The A-Z of Computer and Data Security Threats
Sophos Threatsaurus: The A-Z of Computer and Data Security ThreatsSophos Threatsaurus: The A-Z of Computer and Data Security Threats
Sophos Threatsaurus: The A-Z of Computer and Data Security Threats
 
How to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistHow to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security Checklist
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
 
Pentest trends 2017
Pentest trends 2017Pentest trends 2017
Pentest trends 2017
 
Five habits that might be a cyber security risk
Five habits that might be a cyber security riskFive habits that might be a cyber security risk
Five habits that might be a cyber security risk
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for Activists
 
Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014
 
Computer And Internet Security
Computer And Internet SecurityComputer And Internet Security
Computer And Internet Security
 
Computer And Internet Security
Computer And Internet SecurityComputer And Internet Security
Computer And Internet Security
 
Network Threats
Network ThreatsNetwork Threats
Network Threats
 
Malware and malicious programs
Malware and malicious programsMalware and malicious programs
Malware and malicious programs
 
Webinar Security: Apps of Steel transcription
Webinar Security:  Apps of Steel transcriptionWebinar Security:  Apps of Steel transcription
Webinar Security: Apps of Steel transcription
 
Prevent Strikes On Industrial And Civil Items Using Access Control
Prevent Strikes On Industrial And Civil Items Using Access ControlPrevent Strikes On Industrial And Civil Items Using Access Control
Prevent Strikes On Industrial And Civil Items Using Access Control
 
Computer Security for Lawyers
Computer Security for LawyersComputer Security for Lawyers
Computer Security for Lawyers
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hacking
 
computer and society impact of Computer in society
computer and society  impact of Computer in society computer and society  impact of Computer in society
computer and society impact of Computer in society
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
Who's that knocking on my firewall door?

“Who's knocking at my firewall door?”

And, other sundry things to know for the non-profit hands-on CIO

Security is like play putty these days; everything is malleable and ever changing. How is a CIO or IT manager with limited experience in a low-budget nonprofit to keep up without breaking the bank?

First off, for 2010, there are some security items you should be aware of as trends emerge.

• Robots.txt... Ever see that file on your webserver? (Ro)bots (or spiders) are scripts or applications that search out information on the web. Search engines constantly scour the web for information using this method. The robots.txt file can be a powerful tool to exclude the search bots from reading/indexing your webpages. But bots are also used by those nasty folks on the web who like to steal your information or trash your website. They are the basis for most cybercrime, since they knock on your servers' door constantly without any user interaction. Bots are among those that constantly knock on our firewall door or seek our passwords to break into our “secure” portals and websites.

• Where did my month's bandwidth allowance go? Malicious hacking of websites using SQL injection, open ports, poor permissions, etc., leads to malware installation. The attackers get to use your server to meet their profitable needs.

• Is my hardware secure? Well, really, the question is more about whether the operating system is secure. While Microsoft Windows still carries its woes on attacks, Macintosh, as a viable commercial product and now with Leopard on a near open source platform, proves it can possibly stay ahead of the malware infiltrators. Time will tell. But you don't have to be brave anymore to play around with other operating systems. Try a flavor of Linux like Ubuntu or Linux Mint or the 20+ other distributions out there. Even Google's Chrome OS is a prime choice slated to be the next netbook OS of choice.

• Software piracy.
Careful about buying cheap software from unknown sources. It may be infected. Remember the malware scare about free downloads a decade ago? Well, it's back.

• Social networking sites, yes, are the next and prime targets for cyber do-no-gooders. We recently saw this in the Google/China case where Chinese crackers (bad hackers) broke into activist Gmail accounts. Bad China country, bad.

• Is it the wave or my surfboard that is muy mal? Malvertising and toxic web search results will be on the rise. Those poor newbie Luddites will have your day humming and your work queue crashing. Other platforms like Java and Flash could end up being the (once again?) culprits. Maybe it is time to invest in another operating system and migrate now to save your hair and fingernails.

• Smartphones. Smart for you but dumb enough for the malicious hacker to inject all kinds of nice stuff in there. While Windows still is the most vulnerable, the other operating systems may be “light” enough to also be affected eventually. It will be interesting to see how Apple's iPhone and Google's Android will evolve.

• Hands-on hacking. There are reports all over the web that long-term plans for inside jobs may be on the rise (see http://arunaurl.com/3cd2). Check your new IT staff or contractors out very well. Getting referrals from known friends and colleagues may be the way to go even if it costs you a few bucks more. For more info, web search for: hacking “inside job” (As of late, the China/Google scandal commandeers at least the first three search pages. Click ahead for more variety.)

• Cloud computing. A network cloud is just a collection of servers living out on the Internet providing various services, much like how websites are served from a webserver but in a much larger, scalable
fashion. Software as a Service (SaaS) products are online applications that frequently live on cloud servers, much like how you access your webmail account. The jury is still out on where and what it's evolving into, but be assured that if you're passing vital information constantly over the web to who knows where to be processed heavily on the cloud, someone will figure out how to 'wiretap' your line.

• Clickjacking or User Interface (UI) Redressing. According to Wikipedia: “a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous Web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.” Get it?!

For many of these issues, good spam/virus filtering is essential. At my organization, we use http://Zimbra.com's Collaboration Suite Network Edition, which has a good configuration of SpamAssassin designed for it. But I also use http://Death2Spam.net as an incoming mail filter proxy. In addition, ZCS has a robust access control list (ACL) management system to customize which staff gets access to what on a very granular level. It's fairly reasonable for a non-profit and works quite well.

These and others are plenty to watch out for and educate yourself on, but could take some semesters of studying to get comfortable with. I am a trained social worker and life coach besides being a self-taught computerist since 1976 on my Commodore Vic20. The promise of learning a trade yourself is true and can be realized if you are dedicated to it. Hooking up with a cohort or a group of like-minded folks that has each other's interests and backs to support is a great way not only to learn but to build, gain and exchange trust with your peers.
I have 3 or more people (and discussion boards) I can contact at any time of the day (really!) when trouble arises to get an instant answer. Plus, there is always the trusty search engine.

But there is an even more basic, fundamental problem that only recently has information technology begun to tackle: passwords. This has got to be the most vulnerable access point for the majority of login instances ever. Think about it. You just finished six months of review and sandbox testing with a new open-source collaborative communications system for your office staff. A central oasis of tools, functions and widgets that will boost productivity for the organization. It comes with speedy server software, a powerful spam/virus blocker, ample security, ACLs in such granularity it will prevent a flea from accessing any feature, and so on. You also invested in two rack-mounted dual quad-core powerhouse “pizza boxes” with 16 GB of RAM to boot, and a new router. You're cranked up and ready to go! You give your staff the pre-training, the pre-launch training and the on-launch training. You set them up with their profiles and temporary passwords that are already randomly hardened with a combination of numbers, capital letters and punctuation symbols. After logging in for the first time they are instructed to change their temporary password. But as you make your rounds to check in on how they are doing, you see a few logging in with their dog's name, the name of the org, the current year and make of their car, or even their birthday, which is now seen by the millions on Facebook, MySpace, Friendster, Tribe, Twitter and who knows what other social networking profiles out there! I have little hair left on my head, but that is hereditary; for you it could be diagnosed as latent onset of trichotillomania. I get my calm from 30 years of T'ai Chi practice. But, I digress.
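The failure described above (staff replacing a hardened temporary password with a dog's name, the org name, the current year, a car make or a birthday) as an added example that is not part of the original slides: a checker that expands the facts a staff member has already published on social networking profiles into the terms a guesser would try first, and rejects any password that contains them. The profile fields, the org name and the sample passwords are constructed for illustration.

```python
"""Reject passwords built from facts a guesser can read off a public profile.
Added example; the profile fields and sample values below are constructed."""
import re
from datetime import date

# Constructed profile of the kind a social-network page exposes.
SAMPLE_PROFILE = {
    "org": "Example Nonprofit",
    "pet": "Rover",
    "car": "Subaru",
    "birthday": date(1971, 3, 14),
}

def guessable_terms(profile, today):
    """Expand profile facts into the strings a guesser would try first:
    name words, common birthday spellings, and the current/previous year."""
    terms = set()
    for key in ("org", "pet", "car"):
        for word in re.findall(r"[A-Za-z]+", profile.get(key, "")):
            terms.add(word.lower())
    bday = profile.get("birthday")
    if bday:
        terms.update(bday.strftime(f) for f in ("%m%d%Y", "%m%d%y", "%Y%m%d"))
        terms.add(str(bday.year))
    terms.update({str(today.year), str(today.year - 1)})
    return terms

def check_password(password, profile, today=None, min_len=12):
    """Return the list of reasons a password is weak; an empty list passes."""
    today = today or date.today()
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        reasons.append("fewer than three character classes")
    lowered = password.lower()
    for term in sorted(guessable_terms(profile, today)):
        # Short fragments (e.g. a two-letter word) would match everything.
        if len(term) >= 3 and term in lowered:
            reasons.append(f"contains guessable term '{term}'")
    return reasons

if __name__ == "__main__":
    for pw in ("Rover2010!", "subaru2009", "Tq7#mVp2!xLr"):
        print(pw, "->", check_password(pw, SAMPLE_PROFILE) or "ok")
```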
There is an answer that could hold you over for the time being. Many web-based applications and SaaS products are beginning to adopt http://OpenID.net standards. This means one cryptic, difficult password for your staff to remember to log into many online websites. In fact, the password doesn't even get stored on the website and there is no way to trace it back. Yes, if there is keylogger malware that made it into a computer you could be tracked that way, but this is a viable alternative. In addition, if you are a little more concerned (sorry cynics, this is way short of paranoia), keyed password certificates on a thumb drive could work, too.

Security is always changing and evolving. It morphs this way and transmogrifies that way and reveals new cracks in the systems we use each and every day, from our cellphones to ATMs to voting machines, providing fertile ground for those with malicious intentions to infiltrate our data and productivity every day, if not every second. It is not only a full-time job but also a thought process gnawing at us with anxiety over whether we are going to be the next victim of tampering. If you set up enough monitoring and preventive measures, even if you get a lot of port-knockers, any apparent breach will become very, very noticeable, thus reducing your time in research as the culprit pops up on your screen or in an email notification, and in psychological therapy due to lack of sleep, excessive anxiety and delusional paranoia. There is no real protection anywhere in life. But what you can do is prevent, much like learning a self-defense martial art, by educating yourself enough and using powerful tools developed by trustworthy others that have direct meaning and service to your needs.

Live long and prosper. ~ Spock

Bruce M.
Wolfe has a master's degree in Social Work with an emphasis on Social Development and is the Chief Information & Technology Officer for http://MarinInstitute.org, an alcohol industry watchdog, and president of vCampaign, Inc., developers of low-budget modern campaign websites. He is a 35+ year practitioner of a variety of martial arts, most of which has been in the Chinese internal school.
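The monitoring point made above (set things up so the port-knockers show up on your screen or in an email notification) as an added example that is not part of the original slides: a short script that summarizes firewall DROP log lines by source address and labels the ones worth a notification. It assumes iptables-style kernel log lines carrying SRC=, PROTO= and DPT= fields; the sample lines and their documentation-range addresses are constructed.

```python
"""Answer 'who is knocking at my firewall door?' from DROP log lines.
Added example; assumes iptables-style fields, sample lines are constructed."""
import re
from collections import defaultdict

# Constructed sample: one source walks several ports, one hammers SSH,
# one sends a single stray packet.
SAMPLE_LOG = """\
Jan 15 03:12:07 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Jan 15 03:12:07 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Jan 15 03:12:08 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=445
Jan 15 03:12:09 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=3389
Jan 15 03:13:01 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22
Jan 15 03:13:02 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22
Jan 15 03:13:03 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=22
Jan 15 03:14:30 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.42 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
"""

FIELDS = re.compile(r"SRC=(?P<src>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

def parse_drops(log_text):
    """Yield (src, proto, dport) for every line that carries the three fields."""
    for line in log_text.splitlines():
        m = FIELDS.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dpt"))

def summarize_knockers(log_text, min_hits=3, min_ports=4):
    """Group drops by source. 'scan' = many distinct ports, 'hammer' = repeated
    hits (typically one port), 'noise' = too few to care about."""
    hits, ports = defaultdict(int), defaultdict(set)
    for src, _proto, dport in parse_drops(log_text):
        hits[src] += 1
        ports[src].add(dport)
    report = {}
    for src in hits:
        if len(ports[src]) >= min_ports:
            label = "scan"
        elif hits[src] >= min_hits:
            label = "hammer"
        else:
            label = "noise"
        report[src] = {"hits": hits[src], "ports": sorted(ports[src]), "label": label}
    return report

def alerts(log_text):
    """Sources worth an email notification, busiest first."""
    report = summarize_knockers(log_text)
    return sorted((s for s, r in report.items() if r["label"] != "noise"),
                  key=lambda s: -report[s]["hits"])

if __name__ == "__main__":
    for src in alerts(SAMPLE_LOG):
        print(src, summarize_knockers(SAMPLE_LOG)[src])
```

Feed it the output of your firewall's logging target (for iptables, the kernel log lines in syslog) and wire the alerts() result to whatever sends your notification email.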