Don’t Invite Strangers Into Your Home: How to Protect Your Think Tank’s Information Technology
These days think tanks are especially attractive targets for hacking, phishing, and other assorted cyber vandalism. Even foreign governments, according to the House Intelligence Committee, are busy trying to pry secrets out of think tanks through cyber espionage.
I was talking the other day to a friend about the types of security we use to help protect The Heritage Foundation’s Information Technology (IT) network and ensure that its digital infrastructure remains secure. IT has become the underlying cornerstone for many of our daily workplace activities, such as messaging, idea formulation, internal and external communication, and information sharing. It is critical to keep that infrastructure secure, reliable, and available.
I rattled off a host of techniques that we use, many of them with abbreviations like SSL, Secure VPN, IPSEC, VDI Infrastructure, PKI, IDS, and IPS. When I received a blank stare of incomprehension I came up with an analogy that helped my friend understand that IT security isn’t just for the IT staff to worry about. He is part of the equation, too. I told him:
There was a rich man who lived in a bad neighborhood. The man had valuables that other people wanted to get their hands on. He took steps to secure his home. He put bars on the windows, installed multiple locks on the doors, and had a company come out to install an expensive security system with sensors and cameras that would alert him if anyone tried to get into his house. Everything was automated and he didn’t really have to worry about the system protecting him. It just worked and he felt very secure. One day the man had to go away on a business trip and decided he did not want to leave his house unguarded, so he invited a friend to come and stay there while he was away. He explained that the house was secure with the best technology money could buy and the bars on the windows and doors were made from the strongest steel. The house sitter felt very secure. Later that evening the doorbell rang. The friend answered the door and found a well-dressed man carrying a suitcase on the doorstep. The man explained that he was a friend of the homeowner who had some business papers to drop off. The house sitter let the man in. They chatted for a while and the man handed him some papers for the homeowner. He then asked if he could use the bathroom, and he walked through the house to use it. The next day the owner returned home and discovered some of his most valuable possessions were missing. The owner asked the house sitter how the loss might have happened. The house sitter said it must have been the visitor who dropped off some business papers. The owner was not pleased. He had spent a lot of money on a security system only to have it rendered pointless by his friend’s gullibility.
No matter how much time, effort, and money you invest in a system to keep the bad guys out, it won’t work if you open the front door and let the bad guys come right in.
Your IT security system is like the door locks, the bars on the windows, and the house alarm system. Firewalls, the IDS, the IPS, the antivirus infrastructure, and the rest of the technical back end are put in place by IT staff to keep a network secure. Your employees are like the house sitter—dedicated workers researching, downloading, and e-mailing to get their jobs done. And rogue states, mafia rings, kids writing scripts to damage networks for fun, spammers, intellectual property thieves, and data thieves are like the well-dressed visitor who gains entry via a ruse.
Criminals don’t usually walk around wearing a mask and carrying a bag that says “Loot” on the side of it. The same is true of cyber criminals. There are a number of simple steps that you and your staff can take to protect your network and data. Unfortunately, it takes only a little bit of carelessness to make yourself a victim of “social engineering” techniques that trick people into giving out sensitive data to people who seem trustworthy but really are not. “Social engineering” is very hard to thwart, which is why it is the number one way that networks are compromised.
Clicking a link in an e-mail from an unknown sender, visiting a website that looks legitimate, and browsing the web with no real goal are prime ways to be hacked. Ninety percent of the time these vulnerabilities can be combated by taking the following precautions:
• Be suspicious of unsolicited phone calls, visits, or e-mail messages from people asking about employees or other internal information. If someone you do not know claims to be from a legitimate organization, verify his or her identity directly with the company before giving out any information.
• Do not provide personal information or information about your organization, including structure or networks, unless you are certain the person is authorized to have the information.
• Do not send personal or financial information via e-mail and do not respond to e-mail solicitations for this information. And do not follow links that may be in such e-mail solicitations.
• Do not enter sensitive information onto a website without checking the website’s security.
• Pay close attention to website addresses (URLs). Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
• Be extra vigilant during events such as natural disasters (e.g., Hurricane Sandy, Indonesian tsunami); during epidemics and health scares (e.g., an influenza epidemic); during peak shopping seasons (e.g., Cyber Monday, Christmas, Valentine’s Day); and during major elections. Attackers often take advantage of those occasions to steal information.
My friend didn’t need to be educated in the technical aspects of network security to help keep his information safe. He just needed to know to be careful and aware of what the risks were and of social engineering tactics used to gain access to important information. Education and awareness are the keys to keeping us all safe and secure.
Mr. Harris is Director of Information Systems at The Heritage Foundation.
