How To Keep Your Organization Safe

What would happen if your organization were to suffer a security breach?

As an administrator you have a responsibility to protect the data of your players and their parents. It’s time to get serious and vigilantly take matters into your own hands when it comes to preparing yourself for potential issues.

Privacy Policy

You need a Privacy Policy in place for your organization. Whether required by your state or not, documenting and publishing your Privacy Policy online is an essential step in preparing your organization for an emergency. Your policy should be easily accessible on your website and able to be viewed any time user data is being collected.

If your organization utilizes any third-party services, those outside sources should also have an available Privacy Policy listed on their site to outline how your shared member data will be used.

When crafting a policy you should always include:

  • Description of Collected Information: Write out in full what information you will be collecting from your members.
  • Data Storage: List the location of where the data will be stored.
  • Data Usage: How is your organization planning on using the information that you’ve just collected?
  • Contact Information: Provide your users with a way to ask your organization questions.

In-Office Security

Never share your password. Each individual administrator with access to your organization’s data should have their own login. Organizations need to reserve the ability to remove users from the system in the event that they are no longer working for the company. Separate logins also act as a way to pinpoint which user’s account accessed breached information if a leak is detected.

Do not physically write down credit card numbers when taking payments. Type secure information directly into the system – even if taken over the phone. Once that information is written down on a piece of paper there is no definitive way to know where it will eventually end up.

If you are exporting information to shared desktop computers, make sure you are deleting the files appropriately. When taking information out of the system, make sure it isn’t being saved to a temporary file. Taking that information out of the secure environment exposes it to viruses, remote access, or other users of the computer.

Background Checks

Background Checks work to limit the liability that you could potentially face as an organization. Sometimes just announcing that you will be performing background checks will deter individuals from volunteering to work within your organization.

Chargebacks

A chargeback occurs when somebody attempts to obtain a refund through their credit card company. These scenarios are rare, but your organization can prevent them altogether by being as descriptive as possible when stating your refund policies. Listing out your policies ahead of time in great detail will only lessen the chance that a future chargeback will be validated.

Amongst Users

Review passwords every six months. In situations where data is constantly changing, as with registration systems, reviewing your password every few months can prevent people from hacking into your account. When new information is constantly being added to the system, an attacker who has gained access may repeatedly try to return. By changing your password every few months you can lock them out of the system.

Make sure you’re accessing information on the most secure channel possible. Access the site using a secure URL, do regular virus/spyware scans, and make sure you’re wiping the data from your hard drive whenever throwing away or donating an old computer.

For more suggestions about how to keep your organization safe, watch this special security edition of Maximize Demosphere.

Demosphere Safe From POODLE Vulnerability

The latest in a recent string of web vulnerabilities was revealed earlier this week and Demosphere is safe!

Called POODLE, it allows data to be compromised when a connection uses SSLv3, an older version of the SSL protocol.

Demosphere’s servers do not allow connections via this protocol. For end users, this issue only impacts people using older browsers like Internet Explorer version 6 and certain versions of Windows XP.

If affected, users should upgrade their operating systems and browsers to be able to connect to Demosphere’s secure registration systems.

Demosphere continues to stay up-to-date on all possible vulnerabilities to maintain secure systems.

Demosphere Safe From ‘Shell Shock’ Exploit

Late last week, news broke about a new security vulnerability online. Some were calling it more severe than the Heartbleed bug from earlier this year.

Thankfully, Demosphere’s systems were never at risk from this bug. Very few of our servers are accessible to the general public – and those few that are do not run the specific scripts that allow external forces to exploit the bug.

That said, all of our servers were updated to correct the underlying issue. To be clear, no customers were ever at risk.

Demosphere continues to stay up-to-date on all possible vulnerabilities to maintain secure systems.
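Two checks an administrator can run on their own servers for the bash bug described above, added here as an example and not part of the original post or of Demosphere's systems: a local test of whether the installed bash is patched (a patched bash ignores the trailing command when importing a function definition from the environment), and a grep over web server access log lines for the header pattern used against CGI scripts. The access log lines, IP addresses and paths below are constructed for this example.

```shell
#!/bin/sh
# Added example (not Demosphere's code): two defender-side checks for "Shell Shock".

# 1. Is the local bash patched?  A patched bash refuses to run the command that
#    follows an imported function definition; an unpatched one executes it.
#    This only exercises bash on the host where it is run.
bash_shellshock_status() {
  if ! command -v bash >/dev/null 2>&1; then
    echo no-bash            # nothing to test on this host
    return 0
  fi
  out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
  case "$out" in
    *VULNERABLE*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# 2. Attempts against CGI scripts carry the function-definition prefix verbatim in
#    a request header such as User-Agent, which most web servers log.
#    These log lines are constructed for the example (documentation-range IPs).
SAMPLE_ACCESS_LOG='203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/true"
198.51.100.4 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/login HTTP/1.1" 200 512 "-" "() { ignored;}; /bin/true"'

# Count the log lines whose headers carry the Shellshock function prefix "() {".
shellshock_log_hit_count() {
  printf '%s\n' "$SAMPLE_ACCESS_LOG" | grep -c -E '\(\) *\{'
}

# Print the matching lines so the source addresses can be reviewed.
shellshock_log_hits() {
  printf '%s\n' "$SAMPLE_ACCESS_LOG" | grep -E '\(\) *\{'
}

# Usage:
echo "local bash: $(bash_shellshock_status)"
echo "suspicious requests in sample log: $(shellshock_log_hit_count)"
shellshock_log_hits
```

On a current system the first check prints `patched`; the constructed log yields two matching lines, both from the same address. For a real access log, replace the embedded sample with `cat /var/log/apache2/access.log` or the equivalent for your server.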

Security Issue: Demosphere’s Response to OpenSSL “Heartbleed” Vulnerability

The Development team at Demosphere has been working diligently to correct any exposure that our systems may have had to the OpenSSL “Heartbleed” vulnerability. We want to share our progress as well as steps that you can take to protect yourself going forward.

Please NOTE: Due to corrective measures, we experienced some earlier issues with the Online Registration and Team Application pages, both public and administrative. All has been resolved. Please see our Twitter page for updates (@diisupport).

OpenSSL Vulnerability: “Heartbleed Bug”

You may already be aware of this widespread vulnerability, but if not, the “Heartbleed Bug” (CVE-2014-0160) is a vulnerability in the extremely popular OpenSSL crypto library, allowing nefariously-minded people to view snippets of the memory content of servers. Most of the Internet uses this library to communicate, privately, with itself. So, if communication that was intended to be private/secure is no longer that way, it’s a really big deal.

Our Development team has no evidence that this vulnerability has been used against any of our servers. However, such an attack would also be very difficult to detect. Therefore, we are taking actions to patch any potential vulnerability that may exist.

What could have been vulnerable?

  • Our firewall is the first line of defense in a highly secure, PCI-compliant network infrastructure. It uses a secure operating system that is NOT among those being categorized as vulnerable to Heartbleed.
  • However, we are taking an extremely conservative view of our exposure, so we must treat our public-facing Demosphere web applications delivered over SSL as potentially vulnerable, including our load balancer infrastructure, which is all behind the firewall. Those applications are:
      • Online Registration (OLR)
      • RosterPro Registration
      • Team Applications

What’s been done?

Here is a list of the steps we are taking to correct the potential vulnerability.

  • Deployed updated versions of OpenSSL to load balancers and any affected server environments.
  • Replaced vulnerable versions of OpenSSL that Demosphere processes were using, and restarted those Demosphere processes.
  • We are working to cycle in new SSL certificates for all systems and to expire/reject the old ones.
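Two checks that correspond to the first two steps above, added here as an example and not Demosphere's own tooling: a test of whether an `openssl version` string falls in the range affected by CVE-2014-0160, and a scan of /proc for processes that still have a deleted (pre-upgrade) libssl or libcrypto mapped and therefore need a restart before they stop running the old code. The version strings in the usage section are assumed sample inputs; the /proc scan is Linux-specific and prints nothing elsewhere.

```shell
#!/bin/sh
# Added example (not Demosphere's code): post-upgrade checks for Heartbleed.

# CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1); 1.0.1g fixed it.
# Distributions often backport the fix without changing the upstream version string,
# so a hit here means "check the package changelog", not proof of exposure.
heartbleed_version_vulnerable() {
  # $1 is the output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  case "$ver" in
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;   # in the vulnerable range
    *) return 1 ;;
  esac
}

# After the library package is replaced on disk, a running process keeps the old
# copy mapped; Linux marks such mappings "(deleted)".  Each line printed is a
# process that must be restarted to pick up the patched library.
stale_openssl_processes() {
  for maps in /proc/[0-9]*/maps; do
    [ -r "$maps" ] || continue
    pid=${maps#/proc/}
    pid=${pid%/maps}
    if grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps" >/dev/null 2>&1; then
      printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    fi
  done
  return 0
}

# Usage on the host being checked (the two sample strings are assumed inputs):
for sample in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014"; do
  if heartbleed_version_vulnerable "$sample"; then
    echo "$sample: version in the vulnerable range, verify the package changelog"
  else
    echo "$sample: version outside the vulnerable range"
  fi
done
if command -v openssl >/dev/null 2>&1; then
  if heartbleed_version_vulnerable "$(openssl version)"; then
    echo "installed openssl is in the vulnerable range"
  else
    echo "installed openssl is outside the vulnerable range"
  fi
fi
echo "processes still mapping a deleted libssl/libcrypto (restart these):"
stale_openssl_processes
```

The second check is the one that is easy to forget: a package upgrade alone does not unload the vulnerable code from long-running daemons, which is why the second step above restarts the affected processes. Certificate rotation (the third step) is not covered here, since a cert issued before the fix was deployed has to be judged by its issue date against your own patch timeline.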

What should you do?

We are encouraging all our users to act with caution. This isn’t to cause alarm, but we want people to know the facts. This is what you can do:

  • Log in to OLR (if applicable) and update your password
  • Log in to RosterPro (if applicable) and update your password
  • Log in to WebWriter/ClubSite (if you use the Team Applications element) and update your password

Please note: It’s not mandatory that passwords be changed and there is no indication that the “Heartbleed” exploit was utilized against our systems, but changing passwords is encouraged. Plus, it is a good practice anyway. Do not use passwords from any other websites, email, or social media platforms that could themselves already be compromised. Always use a new password you have never used before.

Questions?

If you have additional questions or concerns about this event, please reach out to us. You can contact us via Twitter (@diisupport) or via email, at: support @ blog.demosphere.com.
We will keep you up-to-date on any changes or new developments. Please follow us on Twitter and keep an eye on our blog for additional information.