In our previous post we looked closely at computer fraud. We gained a better understanding of what a fraud perpetrator may look like as well as identified how no business or nonprofit organization is immune to the potential for fraud. Today we are going to take it to the next level by looking at computer attacks and social engineering and ways nonprofit organizations can maintain a computer virus-free environment.
Every computer connected to the internet, which is basically every computer, is at risk of computer attacks. Hackers, foreign governments, terrorist groups, disaffected employees, industrial spies, and competitors are attacking computers in search of data or seeking to harm the system. This means that preventing computer attacks is a full time job. Attacks can take on a number of different forms. Let’s take a look at a few of them.
Hacking involves the use of a computer to gain unauthorized access to data in a system. Generally hackers will break into systems through known flaws or weaknesses within an application or program. Some hackers are looking to steal data such as trade secrets, customer lists, credit card numbers, etc. Others are motivated by the challenge of breaking into a system. Either way a breach of this type can be destructive and set your organization back for hours, days, or even months.
Denial of Service In computing, (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
Zero- day attack, vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Buffer overflow, or bufferoverrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. This is a special case of the violation of memory safety
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
Man-in-the-middle attack (often abbreviated to MITM, MitM, MIM or MiM attack or MITMA) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
Dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary.
Another vulnerability to companies is called Social Engineering. Social engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter.
In order to avoid or minimize social engineering, consider establishing the following policies and procedures.
- Be aware of people entering a restricted building. If your organization has key card access restrictions, be sure that others are not gaining access by following you in.
- Avoid logging in for someone else on any computer. This is particularly important if you have administrator rights.
- Do not give away sensitive information via phone or e-mail.
- Do not share passwords or user IDs
- Be aware! Exercise caution if anyone you do not know is attempting to gain information or access through you.
In light of the above, you can infer that there are numerous ways in which computer systems are vulnerable to attack, thus making them susceptible to fraud. Becoming aware of the potential risks is one of the best ways to ward off attack. Continue to educate yourself and your staff, create a culture of integrity, and implement efficient internal controls to keep your nonprofit organization safe.