You might be thinking to yourself, "Why do we need to talk about security? Isn't open source software at odds with security because of its open nature?" The truth is, open source software tends to be the most secure software out there. For instance, there are studies that show that Microsoft's IIS web server is compromised up to 400% more than the open source Apache web server, despite the fact that Apache is used on around 70% of web sites, and IIS only around 20%.

More important than secure open source software, however, is your computer and your data. We'll look into a few aspects of security, including password strength, password management, viruses & other malware, office security, vendor independence, and on- and off-site backups.

Password Strength

The geek world has been quite focused on password strength since the well-known geek comic XKCD published a strip about the illusion of password strength:

[ Image: "Password Strength", from XKCD (http://xkcd.com/936/) ]

The main reason this caused quite a stir was that it challenged the idea that using punctuation and numbers makes a password more secure. It shows that password length and the variety of characters matter more.

So how secure are your passwords? Yes, passwords with an S. You do have multiple passwords, don't you? Using a single password for everything is generally not a good idea, because if someone gets that password, they have access to everything of yours.

An easy way to find out how secure your password is, is to type it into this site: howsecureismypassword.net. Don't worry, I already checked for you, the site does not grab your password. It simply calculates, in JavaScript running in your browser, how long it would take to crack your password.

Now that you know how long it will take to crack your passwords, you need to figure out exactly how secure that makes your passwords. A good reference point is the password, or more accurately, passphrase which is used as an example in the XKCD comic. That passphrase would take 2 nonillion years to crack. That's 2 x 10^30 years!

So, are your passwords secure enough? If you're not happy, there is a site you can use to generate new passphrases. passphra.se generates random passphrases like the one used in the XKCD comic. I recommend playing with it until you find a phrase you like.
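As an added example (not from the original post), here is a small Python script that does what a crack-time calculator does and generates a passphrase the way passphra.se does. It uses the figures from the XKCD comic (11 bits per word from a 2048-word list, 1000 guesses per second, about 28 bits for the "Tr0ub4dor&3" pattern); the word list is a constructed stand-in.

```python
import math
import secrets

# Constructed stand-in for a word list; passphra.se-style generators draw from
# a few thousand words (the XKCD comic assumes 2048, i.e. 11 bits per word).
WORDLIST = ["correct", "horse", "battery", "staple", "lamp", "river",
            "orange", "pencil", "window", "cloud", "stone", "bridge"]

def passphrase_bits(num_words, wordlist_size):
    """Entropy of num_words words chosen uniformly at random from wordlist_size words."""
    return num_words * math.log2(wordlist_size)

def charset_bits(password):
    """Entropy a naive crack-time calculator assumes: every character brute-forced
    from the character classes present. Real attackers try dictionary words and
    common substitutions first, so this overstates 'Tr0ub4dor&3'-style passwords."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(size)

def crack_years(bits, guesses_per_second):
    """Worst-case years to exhaust a space of 2**bits guesses; the average is half that."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def generate_passphrase(num_words=4, wordlist=WORDLIST):
    """Pick words with the OS CSPRNG (secrets), as a passphrase generator should;
    the strength comes from the random choice, not from the words being obscure."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))

if __name__ == "__main__":
    rate = 1000  # guesses/second, the rate the XKCD comic assumes
    naive = charset_bits("Tr0ub4dor&3")
    # The charset model credits Tr0ub4dor&3 with ~72 bits; XKCD's structural
    # estimate is ~28 bits (about 3 days at this rate). That gap is the illusion.
    print("Tr0ub4dor&3, charset model: %.0f bits, %.0f years" % (naive, crack_years(naive, rate)))
    print("Tr0ub4dor&3, 28-bit estimate: %.1f days" % (crack_years(28, rate) * 365))
    b = passphrase_bits(4, 2048)
    print("4 random words from 2048: %.0f bits, %.0f years" % (b, crack_years(b, rate)))
    print("Example passphrase:", generate_passphrase())
```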

Password Managers

One of the more popular tools these days is the password manager. These are great because you can store all your different passwords in one place. A lot of password managers can integrate with your web browser, or at least provide copy-and-paste to other applications.

There are two potential problems with password managers though. Firstly, a password manager is what is called a single point of failure. If you can't unlock the password manager, due to a forgotten or lost master key, you cannot retrieve your list of passwords.

Secondly, if you use a password manager that does not give you the source code, you are at the mercy of the people who wrote it. If they decide they are discontinuing it, or worse, that you now need to pay for it, you cannot do anything to retrieve your passwords.

I always recommend using open source security software for exactly this reason. Should anything happen to the software, you are still able to retrieve your data, because the programming code to read and write the data is always available.

Viruses & Other Malware

When security is mentioned, most people instantly think of viruses and other malware. Folks running Linux or other open source operating systems typically wave this off, as these systems are pretty much impenetrable to this stuff.

However, the key thing to remember about viruses is that virus infection is 90% social engineering. In other words, most virus infections happen because the user triggers the infection mechanism themselves.

So, while using a more secure operating system helps to stop virus infection, the real problem is the user, especially the type that blindly trusts every e-mail that enters their inbox.

If you're finding that you're having to clean up the church computer regularly, it may be time to educate your pastor and/or church office staff. It might also prove to be good motivation to move to a more secure operating system.

Office Security

One of the biggest aspects of security that I think a lot of churches overlook is their office security. If your office is compromised, brilliant passwords will not necessarily keep intruders from accessing your data (especially if computers are left switched on and logged in), or stealing your entire computer.

In my experience, keys are often handed out fairly generously, and then it becomes difficult to trace all the keys to the office.

The natural outcome of this is to change the locks on all the doors. This is an expensive and cumbersome exercise, as you need to remember who had keys, and you need to re-issue them with new keys, restarting the cycle.

There are two things you can do to avoid this situation. Firstly, don't hand out so many sets of keys. Secondly, keep track of who has which keys, either in a book or on the computer.

If your church office has an alarm system, change the alarm code every 3-6 months. If there are places where padlocks can be used, use padlocks with a configurable unlock code.

Vendor Independence

An aspect of security that I hinted at before is not letting any external parties have control over your data. This is commonly called vendor independence.

One of the easiest ways to do this is to ensure that all your data is stored using open standards. Open standards are typically formed when a group of companies works together to create files and formats which all their products can read and write. This means that you are not locked in to using a particular program when you use an open standard file format.

An example of this is Microsoft Word's .DOC format. These days a number of other programs can read those files, thanks to open source programmers, but when Word initially came out, it was the only program that could read and write those files.

Even today, LibreOffice and other programs still do not display those files entirely correctly.

Just imagine for a moment, what would happen if LibreOffice could not read Word documents, Microsoft disappeared, and you could not buy Office any more. Suddenly, you have hundreds of documents that you cannot open.

Now, the Word document example is not a great one because there are many other programs that can read Word documents, but think about your other applications... password manager, church membership database, e-mail client, etc. Can you read your data in other programs? If you can't, it may be a good idea to investigate other possible options.

On-Site & Off-Site Backups

Last, but by no means least, what backups do you have?

You don't have backups?

As a church, backups are essential. You should at least set up on-site backups and investigate off-site backups.

On-site backups are where you have some sort of external media that you write your backups to. These days external hard drives are relatively cheap (you can get a 2 terabyte drive for a reasonable price), and setting up a backup procedure is fairly simple.

If you have a central Linux server, you can simply plug the external drive into the server, and get the server to pull the data from various computers on the network and back it all up to the drive.
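As an added example, not from the original post, here is a Python script a Linux server could run nightly from cron to pull documents from the office computers over SSH onto the external drive, refusing to run if the drive is not actually mounted. It goes a step beyond the text by keeping one dated snapshot per day using rsync's --link-dest, so unchanged files are hard-linked rather than copied again. The hostnames, paths, mount point and the dedicated "backup" SSH user are constructed assumptions.

```python
import datetime
import os
import re
import subprocess

# Constructed example settings: the server pulls each workstation's documents over
# SSH (as a dedicated "backup" user with read access) onto the drive at BACKUP_ROOT.
BACKUP_ROOT = "/mnt/backup"          # assumed mount point of the external drive
SOURCES = {                          # constructed hostnames and paths
    "office-pc": "/home/office/Documents/",
    "pastor-laptop": "/home/pastor/Documents/",
}
SNAPSHOT_NAME = re.compile(r"\d{4}-\d{2}-\d{2}")  # one directory per day

def is_mounted(path):
    """True only if the drive is really mounted there; otherwise rsync would quietly
    fill the server's own disk and you would have no separate copy at all."""
    return os.path.ismount(path)

def latest_snapshot(root, exclude):
    """Most recent dated snapshot other than today's, or None on the first run.
    The regex skips things like lost+found that also live on the drive."""
    days = sorted(d for d in os.listdir(root)
                  if SNAPSHOT_NAME.fullmatch(d) and d != exclude)
    return os.path.join(root, days[-1]) if days else None

def rsync_command(host, src, dest, previous=None):
    """Pull src from host into dest. --link-dest hard-links files unchanged since the
    previous snapshot, so every day is a complete tree but only changes use space."""
    cmd = ["rsync", "-a", "--delete", "-e", "ssh"]
    if previous:
        cmd.append("--link-dest=" + previous)
    return cmd + ["backup@%s:%s" % (host, src), dest]

def run_backup(root=BACKUP_ROOT, sources=SOURCES, day=None):
    if not is_mounted(root):
        raise SystemExit("%s is not mounted; plug in the backup drive first" % root)
    day = day or datetime.date.today().isoformat()
    today = os.path.join(root, day)
    previous = latest_snapshot(root, day)
    for host, src in sources.items():
        dest = os.path.join(today, host) + "/"
        os.makedirs(dest, exist_ok=True)
        link = os.path.join(previous, host) if previous else None
        subprocess.run(rsync_command(host, src, dest, link), check=True)

if __name__ == "__main__":
    run_backup()
```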

Off-site backups are always a good idea. If your computers are stolen or destroyed, your on-site backups will likely suffer the same fate.

There are a number of off-site backup solutions. You could have your own system, where you write your backups to a portable drive which is then taken to a secure location elsewhere. Alternatively, you could back everything up to Amazon's S3 service (a great and yet still relatively cheap option). There are also various online services that you can use, which offer various types of backups and various options for each package they sell.

At the end of the day, whatever route you choose to take, you should not underestimate the importance of backups.

