Ask HN: Security assessment for small non-profit
Hey all,
I work with a small non-profit (~10 people) and we'd like an assessment done on our online presence (Wordpress, Roundcube email, Google Docs, Mailchimp, Twitter, Facebook) to ensure that it cannot be hijacked or destroyed.
While, I have a programming background, I'd like a professional's take on how vulnerable we are to, for instance, ransomware or hijacking.
Are there any companies that specialize in security assessments of small organizations?
Alternatively, know of any good pen-testing checklists that cover 80% of what a professional would test?
5 comments
[ 5.1 ms ] story [ 21.9 ms ] threadOur organization had a large and strong online presence. Because of this and my technical background, I really wanted to get a security audit done. We looked around quite a bit and found that auditors fell into two camps. There were those who simply cost too much for our organization to possibly afford, and there were those who simply couldn't demonstrate competence.
In the end, we decided on kind of a hybrid strategy. To start, we decided that all of our applications were 100% vulnerable to a motivated attacker. From there, we developed a strategy to mitigate the possible damage. For example, we took frequent backups and practiced to make sure we could fully restore from backups. And, we monitored the hell out of our stack in hopes of (hopefully) knowing quickly whether we had been compromised. The "hopefully" was actually an important part of our strategy - we assumed we were 100% vulnerable which meant that everything that was connected could also be compromised.
Then, we wrote some solid policy. In retrospect, writing the policy was about half cover our ass and half useful security. Our policy covered things like password reuse, frequency/responsibility for backups/automatic updates/etc, and the like.
To summarize, at the time (this was 2007 ~ 2010 so the market may have changed), we couldn't find a company to do a security audit within our budget. Rather than settle on an organization we had little confidence in, we developed a hybrid approach where we decided we were 100% vulnerable and enacted procedures to mitigate the possible damage.
Edit - Fixed a sentence that made no sense.
Side Bonus of Book: made me much more organized as a person in my life in general
https://www.amazon.com/Defensive-Security-Handbook-Practices...
NOTE: This book / the principles applies whether you manage your own infrastructure or just run off of web apps.