
Ask HN: Security assessment for small non-profit - ogennadi
Hey all,

I work with a small non-profit (~10 people) and we'd like an assessment done on our online presence (Wordpress, Roundcube email, Google Docs, Mailchimp, Twitter, Facebook) to ensure that it cannot be hijacked or destroyed.

While I have a programming background, I'd like a professional's take on how vulnerable we are to, for instance, ransomware or hijacking.

Are there any companies that specialize in security assessments of small organizations?

Alternatively, know of any good pen-testing checklists that cover 80% of what a professional would test?
======
hluska
I'm not going to entirely answer your question; rather, I'll tell you about
how we dealt with this issue in a non-profit that I co-founded.

Our organization had a large and strong online presence. Because of this and
my technical background, I really wanted to get a security audit done. We
looked around quite a bit and found that auditors fell into two camps. There
were those who simply cost too much for our organization to possibly afford,
and there were those who simply couldn't demonstrate competence.

In the end, we decided on kind of a hybrid strategy. To start, we decided that
all of our applications were 100% vulnerable to a motivated attacker. From
there, we developed a strategy to mitigate the possible damage. For example,
we took frequent backups and practiced to make sure we could fully restore
from backups. And, we monitored the hell out of our stack in hopes of
(hopefully) knowing quickly whether we had been compromised. The "hopefully"
was actually an important part of our strategy - we assumed we were 100%
vulnerable which meant that everything that was connected could also be
compromised.

Then, we wrote some solid policy. In retrospect, writing the policy was about
half cover our ass and half useful security. Our policy covered things like
password reuse, frequency/responsibility for backups/automatic updates/etc,
and the like.

To summarize, at the time (this was 2007 ~ 2010 so the market may have
changed), we couldn't find a company to do a security audit within our budget.
Rather than settle on an organization we had little confidence in, we
developed a hybrid approach where we decided we were 100% vulnerable and
enacted procedures to mitigate the possible damage.

Edit - Fixed a sentence that made no sense.
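
The "assume we are 100% vulnerable" approach above comes down to three habits: take backups, prove they actually restore, and watch the live tree so a compromise is noticed quickly. The bash script below is an added example, not code from the thread or from any of the posters, showing one way to wire those three habits together for a WordPress-style document root: it writes a SHA-256 manifest alongside each tarball, unpacks the tarball into a scratch directory and checks every file against the manifest (the restore drill), and re-uses the same manifest as a file-integrity check that reports modified, missing and new files. It assumes bash with GNU coreutils (sha256sum, mktemp, sort) and tar; all paths and the sample site are hypothetical and constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): backup + restore drill + integrity check
# for a small web root. Assumes bash, GNU coreutils and tar. Limitation: file
# paths containing whitespace are not handled (the manifest is parsed by field).
set -euo pipefail

# make_backup SRC_DIR OUT_DIR -> prints the absolute archive path.
# The manifest (same basename, .sha256) is written before archiving so it
# describes exactly what went into the tarball. Keep OUT_DIR outside SRC_DIR,
# and copy it off the web host afterwards; a backup on the box is part of the box.
make_backup() {
    local src="$1" out stamp
    out=$(mkdir -p "$2" && cd "$2" && pwd)
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$out/site-$stamp.sha256"
    tar -C "$src" -czf "$out/site-$stamp.tar.gz" .
    echo "$out/site-$stamp.tar.gz"
}

# restore_drill ARCHIVE -> 0 if the archive unpacks into a scratch directory and
# every file in the manifest is present with the recorded hash, else 1.
# Run this for every backup you intend to rely on, not just once.
restore_drill() {
    local archive="$1" manifest="${1%.tar.gz}.sha256" scratch rc=0
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$archive"
    ( cd "$scratch" && sha256sum --quiet -c "$manifest" ) || rc=1
    rm -rf "$scratch"
    return $rc
}

# check_integrity SRC_DIR MANIFEST -> prints "MODIFIED|MISSING|NEW <path>" lines
# for every difference between the live tree and the manifest; returns 1 if any.
# A new .php file under wp-content, or a changed theme file you did not touch,
# is exactly the kind of signal the monitoring was meant to surface.
check_integrity() {
    local src="$1" manifest="$2" current findings
    current=$(cd "$src" && find . -type f -exec sha256sum {} + | sort -k2)
    # Pass 1 reads the manifest (NR==FNR; manifest must be non-empty),
    # pass 2 reads the live listing from stdin and joins on path.
    findings=$(awk '
        NR == FNR        { saved[$2] = $1; next }
        NF < 2           { next }
        !($2 in saved)   { print "NEW " $2; next }
        saved[$2] != $1  { print "MODIFIED " $2 }
                         { seen[$2] = 1 }
        END { for (p in saved) if (!(p in seen)) print "MISSING " p }
    ' "$manifest" - <<<"$current" | sort)
    [ -z "$findings" ] || { printf '%s\n' "$findings"; return 1; }
}

# demo: a constructed sample site (no real data) run through all three steps.
# Prints the integrity findings after a simulated compromise.
demo() {
    local tmp site backups archive manifest findings
    tmp=$(mktemp -d); site="$tmp/site"; backups="$tmp/backups"
    mkdir -p "$site/wp-content"
    printf "define('DB_PASSWORD', 'constructed-sample');\n" > "$site/wp-config.php"
    printf '<?php // theme entry point (constructed)\n' > "$site/wp-content/index.php"
    archive=$(make_backup "$site" "$backups")
    manifest="${archive%.tar.gz}.sha256"
    restore_drill "$archive" || { echo "restore drill FAILED"; rm -rf "$tmp"; return 1; }
    # Simulate what an intruder leaves behind: an edited theme file, an
    # unexpected new file in wp-content, and a deleted config.
    printf '/* unexpected change */\n' >> "$site/wp-content/index.php"
    printf '<?php /* dropped file */\n' > "$site/wp-content/uploads.php"
    rm "$site/wp-config.php"
    findings=$(check_integrity "$site" "$manifest") || true
    rm -rf "$tmp"
    printf '%s\n' "$findings"
}
```

In use, `make_backup` and `restore_drill` run from cron on the backup schedule the policy names, and `check_integrity` runs against the last good manifest every few minutes with its output mailed or pushed to whoever is on call. The manifest should be refreshed only after a deliberate change (a WordPress or plugin update), otherwise the attacker's files become the new baseline.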

~~~
ogennadi
Thanks for this response. It seems like writing the policy might capture most
of the value of an audit since it'll make all staff members aware of the risks
we face.

~~~
Bucephalus355
Check out the “Defensive Security Handbook” from O’Reilly. It has some
technical stuff, but it’s a lot more about policy and documentation.

Side Bonus of Book: made me much more organized as a person in my life in
general

[https://www.amazon.com/Defensive-Security-Handbook-Practices...](https://www.amazon.com/Defensive-Security-Handbook-Practices-Infrastructure/dp/1491960388)

NOTE: This book / its principles apply whether you manage your own
infrastructure or just run off of web apps.

~~~
hluska
Great suggestion - that is a great read and I used it quite extensively the
last time I wrote a security policy.

