Nonprofits Lack Website Maintenance

Do you work for a nonprofit organization, or do you run one yourself? When was the last time your organization's website was updated with the latest security patches? Does anyone know? 

My Investigation

Unfortunately, nonprofit websites have become pretty notorious for lacking in the security they need. I've come across a lot (a LOT) of insecure nonprofit websites, some of which were last updated years ago. These websites could be missing 30+ security patches that have come out since they were last updated! For one nonprofit website in particular, I did my own investigation into what tool and version they were using and what critical security patches have been released since they last updated their website (they're not protected against these possibilities):

1. Unauthorized (Arbitrary) Code Execution

This is an attacker's ability to execute whatever command they choose on a target machine or in a target process (Wikipedia).

Basically, if this happens, a hacker can change anything on your website. For example, they could take it over and place ads all over it, or they could automatically redirect the website's users to inappropriate material somewhere else, like pornography. They could even clone a portal, capture the user's login information, and instantly get all of the data that user is responsible for.

2. Information Disclosure

Information disclosure is when an application reveals too much sensitive information, such as mechanical details of the environment, web application, or user-specific data (Infosec Institute).

For example, a hacker can use information disclosure to gain admin privileges, giving them control to change anything on the website. In some cases, a hacker only needs to send the right request to gain access to a list of users, like on an eCommerce website.

3. Protection Against Brute Force CSRF

Cross-site request forgery (CSRF) is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts (Wikipedia).

With this, hackers can inject malicious code into the website that can be activated anytime. For example, they could leave it in a comment, and once the comment is viewed, the code causes malware to automatically be downloaded.

4. Security Enhancements for Cross-Site Scripting

Cross-site scripting enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls (Wikipedia).

This type of attack is similar to the CSRF listed above. Malicious code is injected into a website or sent in an email, and it can be used for a variety of operations, like forcing a user to automatically download malware or stealing a user's identity and gaining access to all their information.
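Points 3 and 4 both come down to a website accepting input from one visitor and showing it to others, for example in a comment form. The following is an added example, not code from the original post or from any CMS, of the two defenses a maintained site applies to such a form: a session-bound anti-CSRF token checked on every submission, and HTML escaping of the comment text before it is rendered. The function names, the server secret, and the sample comment are all constructed for this illustration.

```python
"""Defensive handling of a website comment form: anti-CSRF token check
plus HTML escaping of untrusted comment text before it is rendered.

Added example; not code from the original post or from any CMS. The
function and variable names are illustrative assumptions."""
import hashlib
import hmac
import html
import secrets

# Server-side secret used to derive per-session CSRF tokens (constructed
# for this example; a real deployment loads it from configuration).
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def make_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the visitor's session.

    The form embeds this token in a hidden field. A request forged from
    another site cannot read the victim's token, so it cannot supply it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_is_valid(session_id: str, submitted_token: str) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    expected = make_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted_token)


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable rendering: the comment is inserted into the page as-is,
    so a comment containing <script> runs in every reader's browser."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Hardened rendering: HTML metacharacters are escaped, so the browser
    displays the comment as text instead of executing it."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def handle_comment_post(session_id: str, form: dict) -> dict:
    """Process a submitted comment form.

    Rejects the request when the CSRF token is missing or wrong; otherwise
    returns the escaped HTML that would be shown to other visitors."""
    token = form.get("csrf_token", "")
    if not csrf_token_is_valid(session_id, token):
        return {"accepted": False, "reason": "bad csrf token", "html": ""}
    comment = form.get("comment", "")
    return {"accepted": True, "reason": "", "html": render_comment_safe(comment)}


# Constructed sample: a comment carrying a script tag.
SAMPLE_COMMENT = '<script>alert("xss")</script>Nice site!'

if __name__ == "__main__":
    sid = secrets.token_hex(8)
    good = handle_comment_post(sid, {"csrf_token": make_csrf_token(sid),
                                     "comment": SAMPLE_COMMENT})
    bad = handle_comment_post(sid, {"csrf_token": "forged",
                                    "comment": SAMPLE_COMMENT})
    print("unsafe:", render_comment_unsafe(SAMPLE_COMMENT))
    print("safe:  ", good["html"])
    print("forged request accepted?", bad["accepted"])
```

The token is an HMAC over the session id, so it is different for every visitor and cannot be guessed by a page on another site; `hmac.compare_digest` avoids timing differences when checking it. Escaping happens at render time rather than at save time, so the stored comment stays intact and every output path gets the same protection.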

The version information for this nonprofit's website was very easy to find, and it can be inspected using any browser. Luckily, the site doesn't list the plugins/modules it uses; that information could be far more vulnerable than the core code of the website.
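The version a CMS advertises in its own page source is the same thing you can check on your own site as part of a maintenance routine. The following is an added example, not code from the original post, that reads the generator meta tag out of a page and compares it with the version your maintenance records say you should be running. The HTML and the version numbers are constructed sample values; the expected version is a parameter you supply.

```python
"""Maintenance inventory check: read the CMS version a site advertises in
its HTML and compare it with the version you expect to be running.

Added example, not code from the original post. SAMPLE_HTML and the
version strings are constructed; the function names are assumptions."""
import re
from typing import Optional, Tuple

# Constructed sample page head, in the form many CMS themes emit it.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<meta name="generator" content="WordPress 4.7.2" />
<title>Example Nonprofit</title>
</head><body></body></html>"""

META_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")


def advertised_generator(page_html: str) -> Optional[str]:
    """Return the generator meta content (e.g. 'WordPress 4.7.2') or None.

    Attributes are parsed individually so name/content order does not matter."""
    for tag in META_RE.findall(page_html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() == "generator":
            return attrs.get("content", "").strip() or None
    return None


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted numeric version from text as a comparable tuple.

    Numeric tuples compare correctly where strings would not
    (4.7.10 is newer than 4.7.2)."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def version_status(page_html: str, expected_latest: str) -> dict:
    """Classify the advertised version against the version you should be on.

    'unknown' means no generator tag was found. Hiding the tag is common
    and harmless, but then the version must be tracked from the admin side."""
    gen = advertised_generator(page_html)
    found = parse_version(gen) if gen else None
    latest = parse_version(expected_latest)
    if found is None or latest is None:
        return {"advertised": gen, "status": "unknown"}
    status = "outdated" if found < latest else "current"
    return {"advertised": gen, "status": status,
            "found": ".".join(map(str, found)), "latest": expected_latest}


if __name__ == "__main__":
    # Constructed comparison value; use your own maintenance records here.
    print(version_status(SAMPLE_HTML, "4.9.1"))
```

Run this against the HTML of each site you maintain and keep the result with your maintenance log; an "outdated" result is the signal that a patch cycle has been missed, and an "unknown" result means the version has to be confirmed from the CMS dashboard instead.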

Having a Plan

We're all busy, right? But it's crucial to put together a security maintenance plan for your website, especially if it uses a content management system (CMS) like WordPress, Drupal, or Joomla. Security updates need to be applied regularly, just like your computer's updates do. How long would you put off applying updates to your computer? Or, if you're using Windows, how long would Microsoft let you put off applying the latest updates before they apply them automatically for you?

We've discussed the importance of website security and maintenance in recent posts (Website Maintenance Tasks and Critical Website Security Challenges), but we're constantly finding websites that don't keep their security up to date, and we especially see this in nonprofit websites. Remember last year, when all of those IoT (Internet of Things) devices, like remote cameras, home routers, and even large networks were exploited by a botnet called Mirai? In a Mirai attack last November, there were 500,000 compromised devices that were used to take the internet down on the East Coast.

WordPress in particular is the open source CMS that's most used, and most neglected, by nonprofits. A website is one of the easiest and most affordable ways to make your message available to the public. But, if its security is neglected, it can also be the easiest way for your organization's image to be ruined or its integrity challenged.

What would happen if someone came to your nonprofit's website and saw a pirate flag announcing that your website was hacked by 'ABC hacker group'? Or, what if your website was hacked, and it sent users to inappropriate locations or pornography?

What if your website forced your users to automatically download ransomware or malware? How much would that hurt your organization's brand?

A breach could cause your nonprofit website to be blacklisted from search engines, and this situation takes anywhere from days to months to recover from. If your website was blocked, how much would your donation revenue be dampened? And, what would occur due to the drop in funding? Would staff members need to be let go or have their hours shortened? Would it create even more work for employees due to lack of funding?

If a breach occurs, your website may easily be destroyed by the hacker, also compromising your organization's image. What would your next step be? An unplanned website rebuild could cost thousands of dollars. With a proper maintenance plan, you would spend 5-10% of what a new website's cost would be. Why not be proactive rather than reactive?