What can you do on a limited budget?
When you are a non-profit with a very limited budget that depends on fundraising and providing client services, IT and IT security are the last things to get looked at. I have approval to present this as a case study; it is one of the best examples I can put forward of the limitations you run into when you have a $0 budget but a volunteer with some free hours to see what is possible.
Please keep in mind, all software, hardware (donated or repurposed), and time are at a $0 cost for this initiative.
Overall, my biggest concern at any given moment for a small entity is ransomware. Knowing how limited their budget was and how much impact ransomware has on an organization, especially a small one, my first task is always getting everything up to a reasonably secure baseline.
First steps to ensure this baseline: anti-virus and patches
Most of the machines in the organization are running the default Microsoft-provided Windows Defender. Although I could have chosen to download one of the free anti-virus products offered by other vendors, I wanted to make sure there was minimal impact and that resources were not chewed up.
After a little further research, a product called Immunet by Talos was showing up repeatedly in my searches for a low-impact secondary AV utility. Using cloud resources and a community, it provides a great second real-time view of virus and malware detection. The biggest note: it isn’t comprehensive either. Like all signature-based AV platforms, it only catches what it knows about, and in this specific instance it missed one that was found by another anti-malware software. The other caveat for the free solutions: no central management. Although central management would be nice, I would think AV companies tailor that to generate revenue.
Another big miss without centrally managed information is updates. I know Microsoft has the set-it-and-forget-it type of deal, and to centrally manage updates would be a significant cost. This is where some automation and some manual process is up to the organization. Working within requirements, updates are manually installed for now, as without an on-site IT person a botched update would have a significant impact.
Running updates for all installed software to meet the current levels took some time. There were the easy ones, like Adobe, Java, and Microsoft. It was the business-specific applications that were more of an issue. It took some time, research, and ensuring products had updated licenses, but ultimately it got done, and the organization is more secure for it.
A smaller issue, but one that can still be detrimental and a pathway for attackers, was the wireless router used as a gateway. Currently there is no budget to replace it with a more business-centric appliance, so it’ll have to do. It did require a firmware update and a change to the default password. Thankfully no one owned it before I got a chance to update.
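With no central management, a per-machine report is one way to keep track of the baseline between visits. The script below is an added example, not part of the original write-up; it assumes PowerShell 3.0 or later run from an elevated prompt, and the report folder and age thresholds are placeholder values to adjust.

```powershell
# Added example: baseline report for one unmanaged Windows machine.
# Assumptions: $ReportDir and both thresholds are placeholders chosen for illustration.
param(
    [string]$ReportDir = "$env:TEMP\baseline-reports",
    [int]$MaxSignatureAgeDays = 3,
    [int]$MaxPatchAgeDays = 45
)
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Windows Defender state; the cmdlet is missing on older Windows, so test for it first
$mp = $null
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
}

# Most recent installed Windows hotfix; InstalledOn is empty on some entries
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge = if ($lastFix) { ((Get-Date) - $lastFix.InstalledOn).Days } else { $null }

# BitLocker state of the system drive; the cmdlet is absent on Home editions
$bl = $null
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
}

# Anything that cannot be confirmed is flagged rather than assumed healthy
$flags = @()
if (-not $mp -or -not $mp.RealTimeProtectionEnabled) { $flags += 'Defender real-time off or unknown' }
if ($mp -and $mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) { $flags += 'AV signatures stale' }
if ($null -eq $patchAge -or $patchAge -gt $MaxPatchAgeDays) { $flags += 'No recent Windows update' }
if (-not $bl -or "$($bl.ProtectionStatus)" -ne 'On') { $flags += 'BitLocker not confirmed on' }

$report = [pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    Collected        = (Get-Date).ToString('s')
    DefenderRealTime = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'unknown' }
    SignatureAgeDays = if ($mp) { $mp.AntivirusSignatureAge } else { 'unknown' }
    LastHotFix       = if ($lastFix) { $lastFix.HotFixID } else { 'none found' }
    PatchAgeDays     = $patchAge
    BitLocker        = if ($bl) { "$($bl.ProtectionStatus)" } else { 'unknown' }
    Flags            = $flags -join '; '
}

# One CSV per machine, so the files can be combined into a single sheet later
$report | Export-Csv -Path (Join-Path $ReportDir "$env:COMPUTERNAME.csv") -NoTypeInformation
$report | Format-List
```

It only covers Windows updates and Defender; third-party and business-specific applications still need the manual check described above.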
There is still a lot of work to do, but so far the cost has been absolutely $0. I have broken down the costs:
Immunet – free cloud AV – http://www.immunet.com
- Not centrally managed
- Used to supplement any existing AV
Sophos Home https://home.sophos.com/en-us.aspx
- Centrally managed option
- Installed as another option for a manual scan for PUPs and other unwanted programs
- Windows updates
- Java security update – Free (remove if possible)
- Adobe Reader, Flash updates – Free (remove/disable if possible)
Security Assessment – Free
- Fortinet has a free security assessment solution for partners (hardware is provisioned temporarily)
- firmware upgrades – Free
- Change default password – Free
- Explicitly deny access from the internet – Free
- Create allow rule for needed services – Free
- Create Deny all below – Free
- Turn off any unneeded internal services (IPv6, Telnet, SNMP) – Free
- OpenDNS – Free – http://www.opendns.com
- EMET for Windows 7 – Free – https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit
- ransomfree – Free – https://ransomfree.cybereason.com/
- BitLocker Hard drive encryption – Free
- Install AdBlocker – Free
- Automated updates for software – Heimdal Thor free https://heimdalsecurity.com/en/products/thor-free
- Scanning for vulnerabilities with:
  - OpenVAS – http://www.openvas.org/
  - Qualys community edition https://www.qualys.com/community-edition/
- QRadar Community Edition https://developer.ibm.com/qradar/ce/
- AlienVault OSSIM https://www.alienvault.com/products/ossim
- Security Onion
- Directory as a Service
  - JumpCloud https://jumpcloud.com/signup/?free
- Help Desk/IT Management
  - Spiceworks https://community.spiceworks.com/tools
Turn off unneeded services (Telnet, SNMP, Appletalk, IPX/SPX, Internet Print) – Free
- Security awareness material – Free
  - PhishMe CBT Free https://cofense.com/cbfree/
- Phishing Tools
  - How to use VirusTotal to scan links and files http://www.virustotal.com – Free
- Phishing Awareness
  - PhishMe community edition https://cofense.com/free/
  - GoPhish https://getgophish.com/
Documentation of environment
I am looking to provision some extra hardware for some of the other utilities mentioned, but obviously cost is a limitation. I will update with some of those stats as well.
Additional note: This document is based on a non-profit with <25 users and a community/town supported budget. I wrote this article primarily to raise awareness of how many non-profits are at risk due to lack of funding. The hardest part is that all it takes is one breach and the community they serve will be at a greater risk. Since information security, along with community, is a passion for me, I took on this challenge.
I have added some updates to the various categories, based on feedback as well. Removed Nexpose, as there is no more link to a community edition.
To order cheaper licensing for non-profits, TechSoup has discounted licensing.