SAFETAG

8 Tips for Facilitating a Remote Training of SAFETAG Auditors

Fri, 04 Dec 2020 09:00:00 +0000

Over the last few months and as a direct result of the COVID-19 pandemic, the world has had to shift to a fully-remote workflow. Organizational security audits and trainings for new SAFETAG auditors are no exception. Thankfully, a few Internews partners have already implemented remote trainings, and have shared some lessons learned and resources.

Lessons learned from implementing a fully virtual Training of SAFETAG Auditors:

Provide multiple methods of engagement for participants. In addition to live sessions for the training, assign homework, related podcasts, or asynchronous work that can be completed by participants on their own time. This helps keep participants engaged and allows for more flexibility in their schedules.
Keep the live sessions short (2-3 hours), and spread them over the course of a few weeks. Keeping live sessions short, in combination with multiple methods of engagement, will allow participants to maintain engagement without losing focus. Shorter sessions also make it easier for individuals to participate fully as they are able to balance their time and focus on other competing tasks or priorities for the remainder of the day.
Introduce participants to the platform you will be using for the training. Prior to the training (or as one of the first training sessions), show participants how you will be using the platform, and allow time for them to become more familiar with using it.
Choose a platform that allows participants to access materials and sessions all in one place. For example, one partner used Google Classroom for a 10-day training.This platform allowed participants to see the curricula, complete the homework assignments, listen to podcasts, and join the live sessions all in one place. This makes the experience more organized and it is easier for participants to follow.
When possible, record live sessions and allow participants to access. You will likely have some participants with poor internet connection which may prevent them from being able to join the live sessions. By giving participants access to recorded sessions, they will be able to catch up on any missed sessions and continue to participate in the training without falling behind.
Allow participants to access training materials and resources even after the training ends. Participants have noted that it is useful to be able to continue accessing materials for reference after the training. It is also helpful to be able to reach out to trainers with questions or for any clarifications.
Create a group chat for quick updates and outreach during the training. Creating a group chat (on Signal or some other tool of your choosing) enables coordination between trainers and participants, and provides a space where trainers can reach everyone quickly with any announcements, questions, or changes.
Reminding participants to read through materials, ask questions, and attempt the assignments is key. Not all participants will complete the assignments and attend every session. Remote trainings will often mean that participants are working from their homes, with additional distractions and competing priorities. Reminders can go a long way to increase participation.

How to implement a remote SAFETAG audit: A step by step guide.

Fri, 04 Dec 2020 09:00:00 +0000

Since the pandemic, the information security community has been experimenting with how to make security auditing and risk assessments safer, adapting them to be remote where possible. This is the third blog post in a series exploring how we can improve the remote SAFETAG auditing experience, capturing guidance that will be useful for other security practitioners using the SAFETAG framework.

Our Goals Don’t Change Simply Because We’re Remote

Whether you’re using the SAFETAG framework or a standard like NIST or ISO 27001/2, the key to a good information security assessment starts with understanding what the organization values most. This is the reason we have security in the first place. If we do not understand what the organization is trying to protect, we will not be able to recommend appropriate and effective mitigations or controls to improve their security.

The challenge we often face as practitioners is eliciting this information from the organization quickly and accurately. Simply asking an organization what they value often does not result in the most accurate of information. It is the auditor’s job to read between the lines, ask the right questions, infer, and follow-up to develop a list of “assets”, or things the organization is trying to protect.

Not surprisingly, this is foundational to the approach of the remote risk assessment using the SAFETAG framework. It is important to remember the approach to SAFETAG can be broken down into three important bodies of work, referred to as the TRI Approach:

Technical
Research
Interpersonal

In the remote auditing context, it can be tempting to reduce the amount of time dedicated to the Interpersonal type of work such as the interactive threat or process mapping exercises. However, practitioners should resist avoiding the interactive modules, as oftentimes these are the most fruitful and illuminating. Instead, pivoting and reimagining modules is better than eliminating them altogether.

Minimum Viable Audit vs Remote Audit

One of the biggest challenges we’ve faced as we’ve had to transition and adapt our audits to be more remote-friendly is that we didn’t want to lose the fiercely pragmatic and capacity-driven nature of the SAFETAG audit.

So how does the Minimum Viable Audit come into play?

Through our remote auditing experience, we’ve tried to keep as much of the Minimum Viable Audit components as possible to ensure we’re holistically assessing the organization. In a remote setting, there are often more constraints due to the realities and contexts you’re working in, but there are still core components of SAFETAG that should be attempted across the three areas: Technical, Research, and Interpersonal.

In some instances, the team had to reimagine a module based on the function rather than the form. For example, the Process Mapping exercise was difficult for us to conduct remotely, and we pivoted instead to one-on-one interviews to get the same information.

Implementing Your Remote Audit

Unlike face-to-face audits where in-person time with the organization can be used as a great way to divide up the stages of the process, in remote assessments, the timeline can feel more lengthy and less clear. This includes the end of the audit, which can feel blurry and less definitive since the activities can follow a completely different timeline compared to more “traditional” engagements. In this context, planning becomes key, so we can have a complete picture of all the activities that will be conducted and their status, given many of them will seem to have less defined boundaries.

Another consideration is that people frequently shift their attention to different kinds of tasks with different people in the remote work dynamic. In this context, it’s harder to have staff engaged in the same way you would have previously when in a room together focused on an activity, like a risk matrix construction or a data mapping exercise. Because of this, it is important to aim for concrete interactions and reduce unnecessary synchronous group activities.

One way to address this is to very clearly communicate and classify the activities by the involvement of the organization and its staff, including the specific amount of time required. By communicating this to the organization, you will come to a better shared understanding of which activities can be done independently and which will need organization participation. Examples might include deploying a capacity assessment survey that can be completed asynchronously instead of individual one-on-one interviews with the entire staff. The survey would still take some amount of staff time, but likely less than the interview.

With all of this in mind, a general workflow to implement a remote audit could look something like the following, but should ultimately be built upon the realities and constraints with which you’re dealing.

Prepare and plan: Determine and communicate the activities that will be done without staff members participating such as open source intelligence (OSINT) gathering, Reconnaissance, Web Application Testing, as well as others which will require the attention of people in the organization. In our experience, remote audits have spanned across a much longer time frame. It is important to immediately start logistics coordination on all exercises you want to do synchronously with the organization. You should also aim to integrate into the initial activities any possible information gathering about the organization’s threat model and data interactions usually obtained in physical activities.
Start your asynchronous activities: Starting these asynchronous activities while coordinating larger or one-on-one meetings can help get the audit process moving forward. Some examples of these activities are:
- OSINT
- Reconnaissance
- Website Assessment
- Policy Reviews
- Capacity Assessment Surveys
Set up common synchronous activities: As mentioned throughout the article, we cannot overemphasize being organized when doing everything in a remote setting. There are more logistics, more technological difficulties, and overall more challenges with building trust when interacting with staff through a screen. Some examples of synchronous activities you may prioritize to complete during your audit include:
From Process Mapping to Interviews

When conducting more and more remote SAFETAG audits it became painstakingly apparent that one-on-one interviews would be increasingly important and necessary to capture much of the information from modules previously completed in-person. The team transitioned things like Process Mapping to a one-on-one exercise with as many of the organization’s staff from different departments as possible. While individual interviews may be more time consuming, they also have their benefits. You can build trust quickly while capturing very honest feedback and information to support the organization in their security improvements.

Running Remote Virtual Group Exercises

Virtual facilitation is tough and will have a learning curve. However, through our experience, exercises like data mapping or threat mapping have been successful with the right tool and right preparation. Reduce the technology burden where possible. Use technologies the organization may already be familiar with and only introduce new tools if needed. A few we’ve used in our experience are Jamboards and Google Sheets (depending on the organization and constraints at hand).
Synthesize: With remote audits, where the outcomes are obtained from perhaps a greater mix of activities, it can be challenging to distill into actionable results. However, the same as an on-site audit, one of the primary goals of a remote audit is to have a good and as complete as possible understanding of the organization’s security weaknesses and strengths. We also want to ensure we capture feasible and relevant recommendations. It is important to take the time to review all your notes and artifacts from exercises (especially from the one-on-one interviews, if applicable) and transform them into a holistic and complete picture of the organization to better connect their needs to recommendations.
Presentation and debrief: The virtual debrief and report presentation of findings does not change significantly, since often these are delivered after the in-person audit. However, like any remote presentation or meeting, it can be easier if you have a visual to review with the organization such as top strengths and recommended improvements.

Remember, the flow presented above is something that has worked for us. There are of course more ways to implement a remote audit, but we tried to come up with a list of learnings based on our experience thus far. You can find more of our lessons learned here.

We understand remote adaptations to the SAFETAG framework can be challenging in a variety of ways for a variety of reasons. However, SAFETAG audits are still possible with a little adaptation and planning. Get creative and think outside the box when it comes to building a fuller and more complete picture of the organization so that your recommendations will address real-world challenges. And remember, if we’re able to improve our remote audit processes this only helps us reach more organizations in need of security audits, making them more accessible to groups who need them.

15 Tips for Conducting Remote SAFETAG Audits

Thu, 05 Nov 2020 09:00:00 +0000

The COVID-19 pandemic has led to a dramatic increase in the need for remote audits and other virtual digital security interventions. Auditors are having to adapt their approaches and respond to new security threats and landscapes. In coordination with auditors across the globe, Internews has developed a Remote Audit Playlist, a collection of SAFETAG activities that can be performed remotely under varying conditions from low bandwidth to distributed team scenarios. While remote audits are new for some practitioners, others have been implementing them for years. Below are some of the lessons Internews and our partners have learned while conducting remote SAFETAG audits.

Building trust is critical, but comes less naturally during remote audits. Accept that you will need to address this ‘confidence gap’. Establish trust relationships with senior people or ‘champions’ of the audit in the organization and allow them to introduce you to other participants and interviewees. Use video during online calls (if possible) to make up for the loss of in-person body language. During group calls schedule strategic breaks in the programming or meeting for ice breakers. Sharing your own style and personal way of reporting with participants is also important. This helps to establish a better connection and mutual level of trust. Frequent check-ins can also help you gauge how participants are feeling at any given moment.
Get organized with your remote tooling and processes. Start with clear communication and planning with the organization. Ensure they understand what to expect and when. Practice your remote facilitation with the tools and activities you plan to run in your audit. Templatize your data assessment exercise, your semi-structured interviews, your risk mapping activities. Whatever you can do to make things easier to repeat is great to have in your toolbox for next time and helps with keeping things organized.
Allow extra time for the full engagement. While you may be able to carry out all interviews, group discussions, and technical investigations over the course of a few days when engaging in-person, expect remote engagements to take longer. Most people have a limit to the amount of time they can commit to online calls and may already be overwhelmed with them. Leave sufficient breathing room in your audit schedule.
Share a pre-audit survey with staff members. An online survey sent to all staff members can help you, as an auditor, find out which members of the organization are most interested in knowing about the security gaps and mitigation strategies. It can also help you identify different user experiences, levels of security practice, and levels of awareness within the organization. Send reminders and enlist the help of senior management or leadership to encourage respondents to complete the survey. Know that not all staff will respond but seek to obtain a key sample of staff such as IT personnel, a mix of technical and non-technical staff, management, and staff in high-risk programmatic positions. Getting a variety of user views and experiences is important.
When sharing an online form or survey related to baseline best practices, closed-ended questions work best. This will keep the survey short and more people are likely to respond. Save the open-ended questions for the interview.
Resist the urge to only do the technical pentesting exercises. SAFETAG is made up of a variety of different components, of which only some are technical. The Interpersonal methods are very important to help build your understanding of what the organization values and how they protect them.
Interweave group, one-on-one, and technical activities. Plan an audit strategy which combines key moments of group engagement (for instance an audit kick-off call, risk assessments, team/department meetings, and presentation of preliminary findings) with one-on-one interviews, and technical assessment activities (such as vulnerability assessment, open source intelligence, and network scanning). Remember that the audit process is iterative - as you discover new information from group calls, you will uncover new assets to scan, and add questions to discuss with individual team members.
Schedule interviews with key staff members to follow-up on survey responses and ask clarifying questions. It is best to limit these interviews to one hour, as anything longer than this can feel overwhelming and can be difficult to schedule. Agree on the logistics in advance (i.e. the platform you will use to connect, etc.).
Familiarize yourself with the technology that the organization uses prior to the remote audit. If you are not yet familiar with the platforms or tools that they use, do some research prior to the audit so that learning about the technology does not take up your limited interview time. Also spend time using the SAFETAG reconnaissance activities to form an independent understanding of their digital footprint and technology used.
It can be helpful to share the interview questions and/or checklists prior to the interview. This can help staff members understand what to expect and prepare for the interview. Since time is limited, this can help eliminate the need for staff to spend interview time finding answers to your questions.
Have a script and an agenda ready to go prior to the meeting. In person, it is easier to go with the flow and dive into topics as they come up, but unstructured conversations online are much more difficult to navigate. It is helpful to have a plan and a structure to follow during the remote assessment.
Prepare for internet connectivity issues. At times there will be challenges with internet connectivity from both the interviewee and the auditor. In order to set yourself up for a successful remote audit interview and user device assessment, consider the internet connection available before proceeding with the task. Also, have a clear plan of action established in case you are disconnected. For example, specify what communication channel you will follow-up on.
Give staff members an indication of what to expect. Before remote interactions, let them know you will be looking into their device and browser. This will give participants the opportunity to close out of any windows they do not want to share. Also be sure to flag any tools you may be using during the interview (such as TeamViewer). Explain what the tool is capable of and provide instructions for installation before the interview and deinstallation once the interview is complete.
Different organizations will have different challenges. Online assessments are easier for smaller organizations. Simpler infrastructures have fewer potential issues and are typically easier to manage. For organizations that are already accustomed to a remote-work culture, online assessments come more naturally. For larger organizations with customized systems, remote audits can be more complicated, and in some cases impossible.
Make it fun! Use interactive approaches to engage participants especially in group calls. Consider using shared pads, polls, quizzes, whiteboards, and other visual simultaneous collaboration tools.

Responding to COVID-19: A Transition to Remote SAFETAG Audits

Wed, 28 Oct 2020 09:00:00 +0000

For the past several years, the SAFETAG community has explored what remote support could be provided to organizations in situations where the auditor cannot travel to the organization or meet with staff in-person. There are also organizations which have distributed teams operating fully remotely or from multiple physical locations, making it difficult or impossible to conduct in-person audits. Though these conversations around remote audits began years ago, the recent COVID-19 pandemic has reignited discussions and led to a dramatic increase in the need for remote audits and other virtual digital security interventions. Civil society organizations around the world have been forced to migrate to a fully-remote workflow. This transition, in addition to creating new security challenges, has also required auditors to adapt the way in which they are providing support.

Internews, in coordination Digital Security Lab Ukraine, Defend Defenders, and Conexo, along with other partners around the globe, has developed a remote audit playlist, or collection of activities that can be performed remotely under varying conditions from low-bandwidth to distributed team scenarios. Some activities (such as reconnaissance) were already remote-friendly and do not require the auditor to be in-person. Other activities (such as device assessments) have been adapted to fit the remote context.

While the remote audit playlist includes a multitude of activities that can be done remotely, it is important to consider SAFETAG’s Minimal Viable Audit, designed as the starting point for an assessment to be considered viable under the SAFETAG framework.

Initial groundbreaking work to build a remote-friendly SAFETAG audit approach was first developed by the SAFETAG community during a 2017 content sprint. In 2020, however, remote-first audits have gone from being the exception to the rule, to driving the creation and refinement of approaches by Internews staff and partners in recent months.

This blog highlights some considerations auditors should keep in mind when organizing and facilitating a remote audit. We’ve also highlighted below where to find existing content for your next virtual audit.

General considerations when conducting a remote audit

Prepare for the audit to take more time than normal. When conducting remote audits, there are various factors to take into consideration in addition to those you would need to consider during in-person audits. A remote audit for example, almost certainly will require additional time due to scheduling, coordination, and remote logistics management. Be prepared for additional mishaps and factor in slow internet connections in any remote engagement.

Prepare to be flexible. Given we’re in the time of COVID, it is also wise to prepare to be flexible. Scheduling a team for a group exercise was difficult before the pandemic. Now it’s even more challenging with alternate schedules and balancing life both in and outside of work. Think about smaller meetings and be intentional with who you invite. Don’t require the entire organization if you don’t really need every single person at the organization.

Build trust as best you can. This is an important factor to consider during remote audits, as your opportunity to ensure staff feel comfortable with you the auditor will be dependent on how you present yourself to them in a virtual setting. Remote meetings, particularly with individuals you are meeting for the first time, may require more effort to begin building that trust relationship with the individuals. Whereas in-person meetings allow for human connection and understanding through body language, remote meetings make nonverbal interactions more difficult. As such, it is helpful to use video meetings whenever possible.

There is no perfect virtual replacement for in-person activities. Auditors conducting a remote assessment must also accept this reality and be sure to communicate the limitations to the organization you are working with. Remote audits have additional constraints and we must live within this reality for the moment or circumstance. A remote audit may require a combination of tactics and ultimately some compromises. When meeting in-person with an organization, it is easier to gain buy-in and encourage participation. If individuals are working remotely, it may be more difficult to maintain engagement. Replacing a two-hour in-person meeting to map behaviors and workflows with a 50-question survey requesting the same information will likely not yield the same results.

Be prepared to not have all the information. Sometimes the very nature of the remote audit where you can’t check the office’s network or don’t have access to all the staff you need during the assessment process can leave you with information gaps that can be difficult to fill. Be creative in finding ways to connect the dots and look for the information as best you can.

Consider the size and structure of the organization. A smaller organization, or one that is already remote, is easier to assess since staff members typically have a better internet connection and are more comfortable with virtual meetings. Large organizations who are used to working together in an office setting may have more challenges with remote working and may make it more difficult to assess virtually.

While remote audits require additional considerations and are not a perfect replacement for in-person audits, they can be done effectively. In upcoming posts we will provide a step-by-step guide for conducting remote assessments, as well as an introduction to the new SAFETAG web interface, which will allow users to customize a playlist based on the specific needs of the organization being audited.

SAFETAG Community Feedback

Thu, 24 Sep 2020 09:00:00 +0000

This is a cross-posted blog from Internews’ USABLE.tools project which is advancing usable organizational security tools, including SAFETAG. Read more about this effort on the Global Technology Blog

Over the last few months, we have been working with Tafka, a Mexico-based design firm, to develop a new visual identity for the SAFETAG framework. As part of these efforts, we hosted 3 community feedback calls to gather feedback. Additionally, we shared an open survey for those who were unable to join the calls. In total, we received feedback from over 25 SAFETAG users around the globe.

We have highlighted some of the feedback we received below.

SAFETAG could be described as:

“Complex, yet comprehensive”
“Your really smart friend that you like a lot, but gives very detailed answers to very simple questions”
“Flexible and adaptive”

What makes SAFETAG and its community unique?

We take the time to get to know, listen, and engage with the organization before starting hands-on work during the audit
We are driven by the opportunity to support organizations advocating for civil and human rights, allowing them to do their work more safely and effectively
We strive to provide holistic support to organizations, taking into consideration digital, physical, and psycho-social components of their security
We enable organizations to make informed decisions regarding their digital security, and contribute to building a more resilient and sustainable foundation

SAFETAG users believe the framework’s visual identity should be:

Building blocks, or individual pieces that come together to form something larger and more comprehensive
Colorful and approachable
Casual, yet professional

What challenges do users face when navigating the framework?

It is big. As a new auditor, it is difficult to understand the “big picture”
The document is overwhelming, and it is hard to decide which parts are relevant
No clear hierarchy or organization
The information architecture is not intuitive, and it is difficult to search for content that will be relevant for a specific organization, community, or context

What changes or features would make it easier to navigate?

The ability to hide activities so that you can see a smaller version of the framework
Less words, more visuals. A clear naming structure and hierarchy
A search feature, and a way to select specific activities that are relevant for a particular scenario
Using metadata (such as size of organization, theme of activity, etc.) to sort the activities
Videos, tutorials, and lessons learned for activities
Having a clear “table of contents” so it is easy to locate a specific section or activity

What challenges do users face when contributing new content to the framework?

Many users do not feel comfortable contributing content through GitHub
Others reported that contributing content currently takes too long; there are limited options for smaller, less time-consuming contributions
The process of contributing content is difficult

Thank you to all who joined the feedback calls or responded to the survey! The insights you shared have directly informed the design and development of the new visual identity and web interface. We hope that the new visual assets and interface will make SAFETAG easier to use and more accessible for both new and experienced auditors. We are in the final stages of work and look forward to sharing the final products soon. Stay tuned for updates!

Rights Con 2020: What happens between SAFETAG-based audits in NGOs? Long term tech support

Fri, 18 Sep 2020 09:00:00 +0000

RightsCon, the world’s leading event on human rights in the digital age, was held online this year during the month of July 2020. Digital Security Lab Ukraine, Media Diversity Institute Armenia, and Internews led a session entitled “What happens between SAFETAG-based audits and NGOs? Long-term tech support.” This session explored how audit findings and risk reduction plans can be converted into post-audit change; how long-term support and engagement with organizations can significantly boost both accuracy of security modeling and adoption of the best and context-relevant security practices; and the successes and failures they have experienced in practicing long-term organizational security. Lessons and best practices shared during the session can be found below.

The panel was comprised of the following individuals:

Maksym Lunochkin, Security Auditor and Tech Support Specialist for Digital Security Lab Ukraine
Anton Koushnir, Security Auditor and Trainer, Digital Security Lab Ukraine
Vadym Gudyma, Security Auditor and Trainer, Digital Security Lab Ukraine
Iryna Chulivska, Executive Director, Digital Security Lab Ukraine
Mykola Kostynyan, Community Engagement Manager, Internews
Artur Papyan, Director, Media Diversity Institute Armenia

What is SAFETAG?

SAFETAG is a professional audit framework that adapts traditional penetration testing and risk assessment methodologies to be relevant to smaller non-profit organizations based or operating in the developing world. SAFETAG audits serve small scale civil society organizations and independent media houses who have digital security concerns by working with them to identify the risks they face and providing capacity-aware, pragmatic next steps to address them.

How can your team prepare to provide long-term support?

All trainers and auditors have their own opinions on best practices, but it is critical to maintain humility and work with the organization to make sure that as an auditor, you are meeting them where they are and giving them what will be most useful for them - not what is most comfortable for you.

One way to prepare your team to provide support is to build a high-level checklist to think through prior to engagements. This checklist can include questions to consider prior to an audit, such as:

How many people will provide support?
Who will coordinate the team and serve as the main point of contact for the organization?
How will the team securely communicate with each other?
Which organizations are we willing to support? Which are we not?
How much time are we willing to dedicate to support?
How will we measure the success of our support?
How and what will we document?
How can we as a team create interchangeable roles and back each other up?

What approaches should we consider when implementing long-term support?

It is important to emphasize that organizations MUST own their own approach to risk and safety. As an auditor, you cannot push an organization to do one thing or another. You must explain, teach, support, and guide. Help implement as needed. If the organization cannot adopt and implement their own choices, their safety will not improve. If you are conducting an audit or monitoring incidents of digital security attacks, which are common against journalists and human rights defenders, your job is not only to respond to the attack - it is also to make sure the organization understands what has happened and what risks they are facing.

It is also important to avoid fear mongering. Too many digital security experts approach organizations by lecturing them on the risks they are facing and try to scare or pressure them into taking security measures. That is a really bad approach. Those facing risk are the best suited to understand it, navigate it, and mitigate it. You cannot force safety. You need to listen, provide guidance, and work with them to develop a plan and approach that makes sense for them. Threat models vary, and one is not like the other. Digital security is not a one size fits all approach, and one organization’s approach to safety will not be the same as the other. When providing support, your job is to make sure that both you and the organization have the information and support needed to make informed choices.

Can we provide support remotely?

Oftentimes, organizations’ websites are poorly maintained and no one within an organization takes on the role of maintaining security updates and recommendations. Through a project in Eastern Europe, Internews helps support the web development and digital security needs of media outlets and CSOs across the region. A particular dynamic of supporting websites is that, if an organization gives you login credentials, you can provide remote support. This is different from providing infrastructural support to the organization, which may require physical access to servers, machines, etc. However, providing remote support also means that you must establish clear ethical lines - with credentials and remote access, you need to be very clear with the organization on roles and rules throughout the process.

How has Digital Security Lab Ukraine contextualized SAFETAG to the needs of their specific region?

SAFETAG is an incredibly flexible framework and the similar technical infrastructure in many media outlets and CSOs means that some approaches to infrastructure can be streamlined. Additionally, DSLU pays a lot of attention to social media accounts and messaging apps, and often teaches on topics such as phishing because that is where they see a lot of risk being generated. They also focus on secure passwords, two-factor authentication (2fa), and developing best practices for how accounts are used. Additionally, DSLU hosts parties at their office to build community and will often join events where organizations who may need help will gather.

What does long-term support look like in practice?

When talking about long term support - it’s not three months; it’s not six months; it’s not even a year. Long-term support requires years of commitment to support in auditing, providing guidance, and helping with necessary fixes. DSLU points out that while this requires an additional level of support and funding, it is important and effective when supporting organizations after an audit.

The panelists shared the following tips for providing long-term support to organizations after they have received a SAFETAG security audit:

Consistent follow-up is key. Periodically ask how things are going in the organizations you support.
Build internal processes within your team in order to improve your own capacity to provide support.
Maintain flexibility. In the long-term, organizations and people in them may change. Be flexible and willing to support them through those changes.
Make the process of getting, receiving, and finding help as simple and easy as possible for the organization.
From the beginning of the process, explain your role clearly and let the organization know what support you can offer now and in the long-term.

From Usability to Threat Modeling

Tue, 11 Aug 2020 09:00:00 +0000

Across our portfolio of technology, training, and advocacy to support a free and open Internet that protects and advances human rights, we are assembling a wide array of foundational resources (all released under Creative Commons licenses!).

Threat Modeling in Internet Freedom Projects

It's important to underline that this is not a new concept -- certainly there are many security tools which already carefully consider threat models during development; there is much written on using use cases and "misuse cases" to expose the security and usability requirements for tools -- this paper provides a good overview, and EFF's Security Education Companion coverage of Threat Models introduces the concept for use in training.

These include user personas with community-built lists of needs, and information about the threats or adversaries they face. This collection of different resources is not coincidental – it builds a space in the middle to create detailed threat models around specific tools and practices and paves the way to more expansive and cohesive long term digital safety strategies for resilient communities.

What we have

At-Risk User Personas	Contextual Digital Risk Assessments
Our USABLE.tools project has a user persona library with 30+ user personas from around the world, representing LGBTQI activists, persons with disabilities, human rights defenders in closed states, and many more. These are not simply idealized stereotypes, however - they are created by the at-risk users themselves to provide authentic insight into the lived experiences, needs, and threats of these communities without putting any specific members of their community at risk. These personas provide critical insights into the needs and threats real people face in challenging environments. Tools for these communities need to be resilient against a wide variety of technical, physical, and legal attacks while also being easy to use, with little or no training.	Risk Assessments are a core of Internews' internal risk management process, and we also strongly encourage auditors using the SAFETAG framework to leverage a similar approach to research the technical and social context that they are working in when assessing an organization's security. The framework provides a guide to research the technical capacity of potential threat actors, including both historical attack data and any indicators of changes to their capacity. Auditors are encouraged to also look at focal areas and trends.

At-Risk User Personas

Contextual Digital Risk Assessments

Our USABLE.tools project has a user persona library with 30+ user personas from around the world, representing LGBTQI activists, persons with disabilities, human rights defenders in closed states, and many more. These are not simply idealized stereotypes, however - they are created by the at-risk users themselves to provide authentic insight into the lived experiences, needs, and threats of these communities without putting any specific members of their community at risk. These personas provide critical insights into the needs and threats real people face in challenging environments. Tools for these communities need to be resilient against a wide variety of technical, physical, and legal attacks while also being easy to use, with little or no training.

Risk Assessments are a core of Internews' internal risk management process, and we also strongly encourage auditors using the SAFETAG framework to leverage a similar approach to research the technical and social context that they are working in when assessing an organization's security. The framework provides a guide to research the technical capacity of potential threat actors, including both historical attack data and any indicators of changes to their capacity. Auditors are encouraged to also look at focal areas and trends.

What we’re building

Under the next phase of USABLE’s work, we will be building two new resources - “personas” which represent the needs of organizations and communities and “personas” which capture the capabilities and motivations of realistic but generalized adversaries.

Organizational Archetypes	Adversary Personas
Organizational Archetypes capture the complex needs of organizations and communities, spanning from grassroots communities all the way up to donors in the space facing state-level adversaries. What are the more complex needs and different threats faced when collaborating? Secure messaging, calls, and document collaboration are all significantly more complex when you have multiple people or organizations involved, and tools which are relatively easy to swap in and out at a personal level become incredibly more complex if an entire organization depends upon them as a core part of their workflow.	Adversary Personas will contain realistic details of generalized adversaries’ capacities and what issues these actors are willing to expend resources and build capacity to undermine. Organizations will be able to use these resources to anticipate potential threats and malicious actions and proactively develop practices and responses to realistic situations. This will enable developers, trainers, policymakers, funders, and others to contextualize their work against a wider variety of threat actors without having to rely on any one specific nation-state as a "bogeyman." I specifically hope this enables richer conversation around actual threats while removing cultural stereotypes and prejudices.

Organizational Archetypes

Adversary Personas

Organizational Archetypes capture the complex needs of organizations and communities, spanning from grassroots communities all the way up to donors in the space facing state-level adversaries. What are the more complex needs and different threats faced when collaborating? Secure messaging, calls, and document collaboration are all significantly more complex when you have multiple people or organizations involved, and tools which are relatively easy to swap in and out at a personal level become incredibly more complex if an entire organization depends upon them as a core part of their workflow.

Adversary Personas will contain realistic details of generalized adversaries’ capacities and what issues these actors are willing to expend resources and build capacity to undermine. Organizations will be able to use these resources to anticipate potential threats and malicious actions and proactively develop practices and responses to realistic situations. This will enable developers, trainers, policymakers, funders, and others to contextualize their work against a wider variety of threat actors without having to rely on any one specific nation-state as a "bogeyman." I specifically hope this enables richer conversation around actual threats while removing cultural stereotypes and prejudices.

From Resources to Practice

These are collectively designed to enable unbiased discussions and strategy development around the serious challenges and threats users, organizations, and entire communities face, the tools we use to help, and tools, practices, or policies we wish we had.

Responses focused on threats, not just threat actors Threat actors change and evolve, and often have more capacity than is publicly confirmed (but perhaps less than is presumed through rumor). By extracting and de-personalizing aspects of this, we can have clearer discussions. Further, specifying current existing actors, especially in open source tools, can overly complicate the public profile of the tool as well as those using it. If a tool is clearly built to combat a specific actor, then users of that tool can be seen as inherently being aligned against that actor. This has resulted already in excessive targeting and jailing of activists based on their tool choice.
Identification of common, cross-regional threats What attacks, specific techniques, and even malicious tools are being used and re-used globally? Are there patterns we can detect and build proactive defenses against?
Gap identification What gaps remain when we look at this data mapped out? Is anyone working to address them? What solutions (tools, training, policy changes) could be used? How do we sustainably build these resources?
More dynamic responses, more resilient communities By tackling the inputs into this process separately, we can update our models more agilely and plan against a wider variety of attacks to build tools and guidance that are more resilient to more types of threat actors as well as changes in any specific actor.
Future-looking strategies With these fictional personas and archetypes, we do not have to be as limited to current actors and their capacities. We can (within reason) consider possible future threats that activists may face by remixing and extrapolating from current threats. Anticipating these risks will allow us to build tools to mitigate sooner, rather than later. Dystopian cyberpunk scenarios welcome!
These resources can be used to develop tabletop scenarios to explore current and emerging threats and build creative responses to them. These scenarios are useful in advanced trainings, tool development, and strategy building exercises. Fictional but realistic adversaries and personas can get into detail around specific threats and mitigations without being as personal, risking bias, and helping reduce potential of trauma involved in these discussions.

We are just getting started and would love to hear from you on what data you hope to find in these resources, how you would use and adapt them, and more! You can reach us at connect@usable.tools.

Introducing ADOPTABLE

Mon, 06 Jul 2020 09:00:00 +0000

Equipping at-risk organizations with localized expertise, resources, and tools to mitigate digital attacks

Human rights organizations around the globe continue to face ongoing and increasing digital security threats from state and non-state actors. ADOPTABLE (Adaptable Digital and Organizational Protections by Transforming and Building Long-term Ecosystems) is an Internews project designed to help these at-risk organizations access relevant resources (human, financial, and technical tools) that will allow them to continue to operate safely. Without access to local organizational security experts, usable security and privacy tools, buy-in from decision-makers, and support from funders to adopt stronger safety practices, the organizations and their beneficiaries remain at risk, as does their crucial work.

The project consists of four core components:

Expanding the capacity of regional and local partners to address organizational security risks

Internews will support experienced partners in Latin America, Sub-Saharan Africa, and Eastern Europe to become regionally recognized centers of expertise on organizational security and build out local and regional ecosystems of organizational security auditors. Partners will conduct Trainings of Auditors (ToA’s) to train and/or upskill local security auditors in their regions on the SAFETAG framework. These newly trained auditors will work with experienced auditors to gain first-hand experience in conducting audits, while also collecting feedback on organizational security tools being used by at-risk organizations. To improve the scalability of this localization of expertise, Internews is also working to improve the SAFETAG onboarding and training process and make the framework more accessible by developing a new interface. More on that process here.

Improving the adoption of organizational security practices within at-risk organizations

Internews will fund at least 5 audits or engagements in each of the three target regions. At-risk organizations will undergo a full security audit and receive a detailed Risk Reduction Plan (RRP), which outlines tangible steps they can take to mitigate their risks. Even after a security audit, Internews has found that many organizations lack the resources needed to implement the recommendations provided by an expert. Without the ability to implement these changes, organizations are no more secure than they were before an audit. Internews will ensure that these organizations are able to implement the recommended changes by providing direct financial support after the audits. A variety of mitigation efforts may be eligible for support, including trainings for organization staff, facilitation of a security service by a third party, or the purchase of software and hardware.

Developing and enhancing feedback collection mechanisms to ensure at-risk users have a voice in the design and development of open source privacy and security tools

As part of the USABLE approach, Internews created feedback loops between at-risk users, digital security trainers, and open source tool developers. Internews will continue to collect feedback from at-risk individual users, while also expanding to capture organization-wide feedback on security and privacy tools. Most notably, the USABLE approach will be integrated into the SAFETAG framework, allowing SAFETAG auditors to identify gaps and usability issues with privacy tools being used at the organizational level. Through virtual Cross-Regional Convenings, Internews will work with partners to update the activities in the UX Feedback Collection Guidebook, develop organizational archetypes to further build out our library of user personas, and map the current landscape of open source tools being used by at-risk communities around the globe. Following the virtual convenings, Internews will launch a pool of funding for trainers and auditors to integrate feedback collection activities into their digital security trainings or organizational audits. The high-quality feedback collected during these engagements will be shared with developers through their preferred channels. Key communities will convene once more at the end of the project for the third UXForum to continue devising ways to scale and sustain feedback loops.

Enhancing the usability and accessibility of open source privacy and security tools

Internews will launch the third round of the UX Fund. This funding pool will provide support to privacy and security tool teams, enabling them to work with UX and accessibility experts to implement human-centered, usability-focused tool improvements. These changes will ultimately strengthen the tools, making them more secure for the at-risk individuals and organizations who need them the most.

Ultimately, we believe that with more localized tools and stronger local support, at-risk organizations will be better equipped to withstand the digital attacks and surveillance they currently face.

IFF Organizational Security Village Day 5

Fri, 12 Jun 2020 09:00:00 +0000

Internews is hosting the virtual Internet Freedom Festival (IFF) Organizational Security Village throughout this week (June 8-12)! The event is bringing together security auditors, digital security trainers, and other experts and practitioners for a five-day program of over 20 community-led sessions exploring five major themes in organizational security.

Sessions on Day 5 focused on funding OrgSec work and Monitoring & Evaluation.

Highlights from Day 5 of the OrgSec village included:

A discussion around how small, local digital support initiatives can fund digital security assistance for nonprofits through strategic networking.
A brainstorm around ways to better support digital security programs through informing and coordinating with donors.
An open dialogue on evaluating audit success from an auditor’s perspective.
A presentation of frameworks to measure the impact of organizational security work.

Key takeaways from the discussions included:

Securing funding is a challenge for OrgSec practitioners. Organizations need to better incorporate digital and organizational security into their budgets and marketing and communications plans. More broadly, there is a need for coordination within the local and international OrgSec community to promote knowledge sharing and establish partnerships in order to educate and coordinate with donors more effectively. Donors also need to adopt digital security practices that allow them to engage with organizations and support their work safely.
Community members debated the value of establishing certifications or skills qualifications for work in the space in order to reduce the reliance on trust networks. This could reduce barriers to funding and opportunities for work for new practitioners who may be less known to both funders and at-risk organizations seeking support. However, establishing community-wide agreed upon standards and mitigating the substantial additional barriers to entry (e.g. cost, training opportunities and locations, personal and unfunded time) caused by any such certification system pose a formidable challenge.
Measuring the impact of OrgSec programs is important in order to evaluate and improve approaches and communicate success to donors. While it is easy to focus on measuring purely digital risk, is it important to bear in mind that effective OrgSec should take a holistic approach also incorporating psychosocial support and physical aspects.
Whether to evaluate OrgSec interventions using shared community standards or by measuring change within an organization and against its own threat model continued to inspire debate among community members. The Engine Room shared a Monitoring and Evaluation Framework for Organisational Security - which takes the latter approach - for practitioners to adapt for their own M&E practices.

Thank you for participating in OrgSec this week! If you’d like to continue the conversation head to https://orgsec.community/display/OS. We will be posting shared notes from the event on the wiki next week!

IFF Organizational Security Village Day 4

Fri, 12 Jun 2020 09:00:00 +0000

Sessions on Day 4 focused on responding to advanced threats.

Highlights from Day 4 of the OrgSec village included:

A conversation on community insights to improve automated threat modeling, gathering inputs from a diverse range of individuals and groups regarding the threats they face.
A session demonstrating how to build a threat lab with your bare hands … and a laptop.
An overview of digital threat information sharing for human rights.

Key takeaways from the discussions included:

Threat detection isn’t only about fancy technology! A lot of endpoint detection is process and practice-oriented. Impressing the importance of antivirus and software updates, teaching partners what abnormal activity looks like, or making sure they know the process for calling first responders takes training, process development, and awareness raising.
Trust is a key component of threat information sharing. Knowing who and where to share information about threats requires personal connections and existing trust relationships, which can feel like a barrier to entering the space. But community networks like the Computer Incident Response Center for Civil Society (CiviCERT) and information sharing standards such as the Traffic Light Protocol (TLP) can lower barriers and facilitate sharing through established community standards.
Getting started in threat analysis requires trust, skills, and time. Though you will eventually need computers powerful enough to run virtual machines, more advanced skills, and connections to other researchers and communities like CiviCERT, don’t be intimidated by the technical jargon! All it takes to get started is a willingness to learn.
Human rights advocates are facing attacks such as phishing and publication of their identifying details by government or state-sponsored adversaries that are based on online open source intelligence (OSINT) gathering. When threat modeling, it is important to identify the types of public data that makes you vulnerable and that adversaries may try to exploit.

Join us for the last day!

Join us for the final sessions this Friday, with a focus on on assessing impact and funding organizational security!