Security practices cross-share

From DevSummit
  • have clarity about where you meet and communicate--with full transparency about the security tradeoffs of different channels
  • meet people where they're at--harm reduction approach, don't make the perfect the enemy of the good, lean into imperfection while also being transparent about the risks that remain +1+1 +1 +1
  • "do just enough" approach to EVERYTHING +1
  • doubling down on phishing awareness and related trainings because of the rise in scamming and phishing, especially COVID-related
  • it's been ongoing for years, but have been moving away from desktops and toward laptops, more portable models+1
  • when pandemic struck suddenly swamped setting up tablets & laptops
  • very few, but powerful tools: WhatsApp (or Signal); Zoom;
  • remote access to most devices to offer support when needed
  • E: testing things remotely on multiple devices before giving them to clients to use; rewriting instructions to be as clear as possible over several iterations, with feedback; trying not to heighten security without giving the users some extra ability/benefit ++1
  • h: having a good set of screenshots -- it's a challenge to zoom zoom! I need strategies for helping people with phone and printer issues. held a workshop on password management that was popular but not sure about tracking success.+1

E: it feels like all I have are worst practices given the current mess; so hard to get people to think about security when they are all overwhelmed with things that seem more urgent than security and so intertwined with proprietary systems. HELP! +1 +1+1+1 Especially difficult for malware analysis of mobile phones

  • M: trying to connect with people on a platform they are already familiar/comfortable with first +1+1+1
  • C: Everyone has different plugins/configurations/operating systems on their local devices or browsers, and it makes debugging and remote triage extremely time consuming and difficult+1
  • Raised money to give each activist a new phone when let out of jail. Getting those devices configured securely has been hard. (so glad to see this as a strategy!!)
  • trying to find ways to get people to remotely share access to devices they think are infected has proven difficult. Zoom and screensharing helps a little but there is no good way to remotely inspect someone's phone for malware.
  • as an IT in nonprofit space, I push a flat-fee maintenance model, so as to try and ensure better security, rather than an a la carte model; it shifts the incentives. You're paying me anyway, might as well let me do all that is needed, rather than hourly rate.+1 such a good practice and so much better for the client!

Information Ecology has a checklist about basic security practices/improvement that has now been updated for extended WFH: https://ecl.gy/orgsec-assess

Framing support and advice from a perspective of consent, and care

BTW, on our previous discussion: I find pointing to articles, mailing lists, etc. on the bad consequences of not keeping information secure can help convince people. Info about bad financial or legal consequences, so it's not just you telling them to do something. Bad mission consequences too - organization getting very bad press because they were compromised.

  1. Best practices to strengthen your and your colleagues' knowledge and skills
  • monitoring news/industry sources for reporting about how the landscape is changing (big for me recently has been https://www.upturn.org/reports/2020/mass-extraction/) (+1 as shitty as the infosec industry is it's good to keep up with what's going on, new knowledge, and best practices; watching conference talks and making contacts with the good people in the industry is super helpful and important.) +1
  • DOCUMENTATION! Document your processes, document your knowledge, document, document, document! +1 +1 (and peer review of documentation so things can be vetted and become common resources where appropriate +1)
  • Budget for people on your team to buy books and take courses
  • remember to appreciate the work of others, reinforce all efforts to increase knowledge and skills
  • be aware of reality -- gaining knowledge through online courses is about 15% effective
  • encourage hands-on and 1-on-1 learning +1 +1+1+1
  • not having a formal education, 1-on-1 and hands on is how I've learned everything, it's sooooo important and so powerful!!

I end up searching online, setting things up for myself, testing a while, then sending it out to the client. StackExchange, etc.

When people ask me questions, I tend to share my thoughts and logic as a way to model how I'd like them to think through similar questions, but also for transparency (I don't have all the answers and don't pretend to) +1(nice!)+1

  • do your research on the person/client's situation to more holistically understand the situation/threat model/context they may be in
  • welcome newer colleagues to collaborate on/shadow security assessment processes and reports

also being aware of who is & isn't willing to learn, and adjusting expectations accordingly; some people wanna have NOTHING to do with tech, data, or anything+1(often because of fear)+1

  • network of trusted help desks helping activists and human rights defenders, to get support on specific issues (e.g. forensics, malware analysis of devices) https://www.civicert.org/
  • Talk through scenarios with colleagues/share stories of hard decision points/tradeoffs
  • Dedicated reflection and feedback time
  • if designing a threat mitigation (or security design): try to find the part of the problem that is hardest to solve, that stumps me. Focus most effort on that. Come up with 2 or 3 possible solutions to how I think I might solve the problem. Shop them around to people who are smarter than me. Write down what I learn and share it with my coworkers. Refine solutions. Repeat.+1

I have dreams about funded apprenticeships so people can get paid a living wage for being trained up and onboarded into this kind of work