Digital Security Assessment for Human Rights Organizations: A guide for facilitators

From Gender and Tech Resources

Revision as of 01:08, 6 September 2017 by Anamhoo (Talk | contribs) (How to use this guide)

01 ManualSD TR.png

Introduction

24 ManualSD TR.png

Advances in Information and Communications Technologies (ICT) have played a critical role in expanding the potential of human rights organizations to make a difference by enabling wider reach, scaling-up and increasing efficiency in essential activities including internal and external communication, remote collaboration, data collection and analysis, and documentation. Simultaneously, the integration of digital technologies into their day to to day work has exposed activists to new risks evidenced by reports of widespread intrusions on privacy from the hacking of emails and Facebook accounts to the infecting of computers with government-purchased spyware and the monitoring of telephone communication. These new risks are also present in the physical robbery of computers, as well as the loss or theft of cellphones containing both personal and professional data. Unwanted access to confidential information can expose activists to a range of threats including blackmail, public humiliation, obstruction of campaign strategies and day-to-day operations through physical, economic or technical interventions, and attacks on their physical security and that of their families and allies in the field.

Our increasing awareness of the surveillance capacities of the state, criminal or terrorist organizations and even private individuals can frighten us to the point of self-censorship. At some point, most of us end up making a choice, whether consciously or unconsciously, between two extremes: Either resign to using technology in spite of the risks because it is indispensable for the work we want to do, or stop using ICTs all together because it is not worth the risk.

At Técnicas Rudas, we favor an alternative approach, one that responds to the power of technology not with resignation but with self-determination. While technology alone is neither the cause of nor the solution to the challenged faced by human rights activists, a conscientious use of ICTs can scale up our actions, allow us to avoid or mitigate risks, and help us take care of one another. This requires analyzing how we use technology, identifying our vulnerabilities and finding tools that work for us. Consolidating this knowledge builds internal capacity to incorporate digital security within a holistic security strategy.

Unfortunately, due to lack of time, resources and information, civil society organizations and activists rarely embark on a deliberate process for developing a digital security strategy beyond receiving input from technical experts to resolve immediate issues or learning about best practices and new tools. As a result, agreements to use certain tools or abide by certain protocols are abandoned over time.

For a digital security process to be effectively appropriated by an organization, it is essential that the voices of experts form part of an exercise in the collective construction of knowledge within the organization. The first step in this process is the participatory diagnostic. In this guide, Técnicas Rudas proposes a complete methodology for implementing a participatory digital security diagnostic with human rights organizations.

How to use this guide

02 ManualSD TR.png

This guide is directed primarily at the digital security training community, but may also prove useful for an organization that chooses to initiate a digital security process on its own. The activities and structure proposed herein can and should be adapted to the specific circumstances and needs of the organization. The guide can also be a useful reference for facilitators throughout the implementation of the diagnostic. The methodology can also be applied to individual assessments with minimal adjustments.

Methodological Foundations

The building blocks of the methodology for the participatory diagnostic are a technopolitical analytical framework, transhackfeminism and popular education.

Why "technopolitical"?

A dichotomous reading of the role of ICTs in society is problematic in part due to the unhelpful, reductionist responses that it engenders. For example, in the debate on individual privacy, silo mentality prompts declarations such as "I have nothing to hide", which does not consider the consequences of mass surveillance on a societal level. On the technical front, solutions are often reactive, responding to micro-threats as they occur by applying "patches" or "bugfixes".

03 ManualSD TR.png

A technopolitical approach moves us toward a more holistic perspective on ICTs by directing our attention to underlying political-economic realities. A technopolitical perspective takes into account the political and economic interests behind the creation, dissemination and use of technology together with existing power relations. Therefore, it can be applied to assess how our use of technology affects our security and our impact on society. This manual primarily applies the technopolitical approach to security assessment, however it also incorporates criteria related to social impact in its guidance on how to develop recommendations.

One example of applying a technopolitcal perspective to security analysis highlights the existence of a pervasive economic interest in obtaining personal data of consumers through their use of digital media (for example, see the research of Coding Rights).

Integrating a technopolitical perspective pushes us to consider the broader global and regional geopolitical context in making digital security decisions, such as the ample evidence of government-driven surveillance and espionage taking place on a global scale. In Latin America, leaks from the company Hacking Team's email account exposed that governments in the region have invested enormous resources to purchase surveillance hardware and software. As this manual goes to print, Mexico reacts to revelations of the systematic use of government-purchased spyware against human rights activists and journalists.

Other examples of and practical resources on technopolitics: Everything you read by the Electronic Frontier Foundation; Tactical Tech's Politics of Data project; a Human Rights Watch series on “Digital Disruption of Human Rights”; research projects by the Engine Room; the Data&Society Institute's program on Data, Human Rights & Human Security.

Understanding the political and economic interests at play is especially relevant in corrupt or repressive regimes, where social activists are often prime targets of digital surveillance, all the while relying on ICTs as indispensable tools in their strategies for change. A technopolitical approach can help to develop contextualized responses to the security challenges posed by ICTs to activists and their causes.

Transhackfeminism

04 ManualSD TR.png

Among the many types of feminism, our method for co-constructing a digital security risk assessment draws primarily from the three guiding principles of transhackfeminism:

a) Trans: a prefix that refers to transformation, transgression, transience, fluid boundaries. 
b) Hack: in its origins, refers to repetitive mechanical work. It's that persistent drop of water on the same spot that pierces through to the other side, or Marie Curie processing a ton of Pitchblende to obtain just one gram of the material that led her to discover the radio.
c) Feminism: a critical perspective of the dominant social system that values capital over life, perpetuates the labour of women as solely biological, and relies on the oppression, discrimination and exploitation of women across history and cultures to sustain itself. From Latin America, community-based ecofeminism is also intrinsically linked to land rights and decolonization. 

Transhackfeminism makes it possible to identify asymmetries in access to knowledge and strategies. It puts community at the center and challenges existing power structures by expanding knowledge.

Popular Education

05 ManualSD TR.png

Popular education starts with the recognition that education is a political act. This political act can be repressive if it establishes hierarchical power relations, or emancipatory if it breaks them. In line with popular education, we are proponents of the emancipatory role of education. Our methodology for the facilitation of the participatory diagnostic is guided by the following three axioms:

1) theory and practice are dialectically related

2) consciousness - as its etymology indicates - comes from knowledge learned in the company of others

3) The world not a static reality, but a reality in process (Paulo Freire) [1]


Preparation

06 ManualSD TR.png

Though the bulk of the diagnostic is carried out in situ with the organization, adequate preparation is critical for effective facilitation. Being prepared means 1) coming in with a prior understanding of the technopolitical context, 2) providing the organization with a clear explanation of the how the diagnostic will be carried out, its purpose, and the scope of participation required from its members, and 3) making sure to bring all necessary supplies/equipment. In this section we provide specific recommendations for undertaking these preparations. This is not a strict checklist; some of the preparations outlined below might need more emphasis than others. The key is to be creative and adapt to the requirements of your particular situation.

Research

26 ManualSD TR.png

a) Get to know the organization.

Most likely, you already know something about the organization before deciding to work with them. However, it's important to expand that knowledge as much as possible for two objectives: 1) to evaluate risk for the facilitation team, and 2) to ensure that the assessment process itself is appropriate for the context and culture of the organization.

Take care not to be invasive or alarmist in the preparatory research, which could trigger distrust and/or defensiveness from the organization. Background research should be limited to publicly available information. Should you consider it helpful, during the in situ participatory diagnostic, you can illustrate how it is possible to connect the dots between different types of public information in order to deduce certain non-public information, or how certain actors may have greater access to private information, such as providers of email and social media platforms.

When collecting "public information" for this initial review, consider anything that can be found in media outlets, press releases, political statements, posts on social media, as well as information about the server, legal representative and technical team associated with the domain, any sub-domains and official web address (which can be relatively easily found using websites such as https://whois.net/default.aspx), and if possible, the company that provides the organization's email services.

Using this information, try to answer questions such as: What issues do they work on? Which actors might be interested in obstructing their work or might be affected by the results of their work? How much public presence do the members of the organization have? Which other organizations, networks or social movements could they be associated with? In which country is their web server located? What personally identifiable information (PII)[2] could be found on the members of the organization? Is it possible to determine the exact location of the organization's office? Is it possible to obtain the office's telephone number and personal telephone numbers of staff? Has the organization publicly reported prior security incidents?

b) Analysis of the regional, national and local technopolitical context

In this step, we determine the positions of government, at both the local and national levels, with respect to the issues that the organization works on. It's important to search for indications that government has purchased equipment or has connections with companies that sell surveillance or spy technology/services,[3] as well as to determine if there have been documented acts of repression or surveillance. It can also be helpful to look deeper into the profiles of relevant government officials.

It is also important to ascertain the extent to which applicable legal frameworks permit surveillance and identify which bodies are authorized to exercise surveillance. If no reports of surveillance are found, it may be necessary to submit freedom of information requests if this mechanism exists in the country where the organization operates.

c) Get up-to-date on programs and tools

This step involves polishing your knowledge on the state of surveillance/spy technology, such as false cellphone towers (IMSI catchers), signal blockers and spyware. It's also helpful to evaluate the accessibility of these technologies based on how much they cost, how they work and what knowledge or technical abilities are required to be able to obtain and operate them.

It is also indispensable to be familiar with the business models, privacy policies, and transparency reports of the major companies that provide common ICT services, as well as the security features and any reported security flaws in connection with their products. Consider:

  • email
  • instant-messaging apps
  • file sharing, calendars, real-time shared document editing and other cloud services
  • video conferencing
  • online tech support programs
  • social media platforms
  • operating systems
  • mobile telecommunications

Useful Materials

For the participatory diagnostic: kraft paper (a less expensive and more environmentally friendly alternative to flipchart), crayons, markers, whiteboard markers, paper for drawing, colored thread, color-coding labels (green, yellow, red), tape, scissors.

08 ManualSD TR.png

For the computer diagnostics: At least two completely clean pin drives; live versions of antivirus software (e.g. ESET SysRescue and Avira) and a live version of the GNU-Linux operating system.


Planning and communicating the agenda

Excluding the time required for preparations and drafting the final report, the diagnostic will require approximately 10 hours of work in situ. However, the facilitators should be prepared to dedicate additional time between sessions.

Depending on how the organization is structured, it is crucial that at least one member from each area participate in the diagnostic. This requirement should be extremely clear in the communications with the organization leading up to the diagnostic, as they are likely to only invite technical staff and/or directors. The purpose of requiring at least one person from each area is to obtain the most accurate and complete portrayal of how the organization works.

We recommended the following distribution of activities over the course of 1-2 consecutive days:

Day One

Morning session (approximately 4 hours): Collective risk analysis, guided by two facilitators with the participation of the organization's staff. Simultaneously, the third facilitator runs the computer diagnostics and assesses the facilities (estimate from 20 minutes to a couple of hours per computer; see detailed instructions below).

Afternoon session (Facilitation team only, approximately 4 hours): Facilitators meet to transcribe and review findings and to draft the preliminary report.

Day Two

Morning session (approximately 2 hours): The complete facilitation team presents the preliminary report to the organization and receives feedback.

09 ManualSD TR.png

It is very important that the facilitators communicate the precise agenda to the organization as clearly and explicitly as possible. This communication should include the schedule and the amount of time required from the organization's members for the collective risk analysis, as well as the hardware diagnostics and the presentation of the preliminary report.

Note: It is possible to condense the entire participatory diagnostic to one day if the facilitators prepare a much more limited version of the preliminary report in the space of one-two hours and present it to the organization at the conclusion of the first day, for a total of 8 hours from start to finish. Alternatively, the diagnostic may require two full consecutive days if you only have two facilitators because you will have to run the computer diagnostics in the afternoon of Day 1 and/or morning of Day 2.

Planning your trip

10 ManualSD TR.png

In planning your trip consider the following factors: budget, security assessment for the facilitators, adequate rest, and conditions that permit you to work late into the night (just in case).

While it may go without saying, it is important to confirm all logistical details ahead of time. For example, the exact address of and route to the organization, means and duration of local transportation, and name and phone number of primary contact person at the organization. In addition, coordinate ahead of time with the organization to ensure that you have access to the office for the length of time required to carry out the evaluation of the computers and the facilities.


Collective care

12 ManualSD TR.png

A positive work environment maximizes the focus and energy levels of both the participants and the facilitators. Here are some collective-care measures that facilitators can take before and during the diagnostic:

1. Coordinate with the organization to provide coffee, water, and healthy snacks throughout the collective work sessions.11 ManualSD TR.png

2. Be prepared to take breaks or introduce an energizing activity when they seem necessary, even if they are not scheduled in the agenda. Be aware of the mood and energy levels of the participants as well as of your co-facilitators.

Facilitators

In our experience the ideal team is made up of three people for every 8-12 participants. Between them, they should cover the following abilities:

  • Systems Administration
  • Analysis of ICTs, and digital security tools
  • Pedagogical techniques
  • Research on technopolitical topics
  • Sensitivity in situations of high emotional stress

You may not be able to put together the ideal team, in which case, try to familiarize yourself with these topics using external resources. Also, aim to not exceed a participant-facilitator ratio of 10:1.

If the team is comprised of biological men and biological women,[4] it is important to be aware that organizations (society in general) tend to give more weight to male voices than to female voices on questions related to technology. Other power asymmetries may also be intrinsic to the composition of the facilitation team. It's important to be aware of the social privileges that may be conferred to different team members and to use this awareness to discourage hierarchical dynamics in the interactions between and among facilitators and participants.


Implementation

13 ManualSD TR.png

The first day of the in situ stage of the assessment is comprised of two activities: collective risk analysis with the members of the organization, simultaneously with the hardware diagnostics and evaluation of the facilities.

Collective risk analysis

07 ManualSD TR.png

Arrive a few minutes ahead of time to set up the work space. Before the beginning of the session:

  • Arrange the tables and chairs in a semicircle or U
  • Distribute crayons, markers and paper on the table
  • Place three long columns of kraft paper on a wall visible to all participants
  • On a separate but also visible spot on the wall, hang another piece of kraft paper which you will use to note terms for a glossary
  • Obtain the WIFI password in case you need to/are able to research doubts online during the session


1. Presentation (Estimated duration: 10 min)

Begin the session by presenting the members of the facilitation team and reiterating the purpose of the diagnostic and the agenda. It is important to communicate that the diagnostic is not a performance evaluation of the staff or the organization as a whole. Instead, it aims to produce a highly tailored digital security strategy via a careful process of ascertaining the specific digital security needs of the organization. It is also important to underline that the facilitation team's role is just that - to facilitate - while the content of the assessment can only be supplied from the active participation of the members of the organization.

To create a constructive environment for conversation, debate and self-expression, it's helpful to agree on some basic guidelines for participation, such as but not limited to:

 1. Listen actively and with an open mind to the contributions of others
 2. Avoid monopolizing the conversation and interrupting others
 3. Be courageous, share your experience and perspective

2. Activity: Around-the-clock (Estimated duration: 45 min)

Objective: Identify the ways that participants use technology (devices, programs and applications) in a typical day.

Description: Ask the participants to use the crayons, pencils, markers and paper that you've distributed to illustrate how they use ICTs throughout a typical day. Each participant works on their own drawing for up to 15 minutes. The drawing should include use of digital technology for both personal and professional reasons. Participants who are more comfortable writing than drawing are welcome to do so.

Tip 1: While the participants are working on their drawings, write "Uses of technology" at the top of the first column of kraft paper and divide the column into four roughly equal sections that you label: Cell phone/tablet; Computer; Computer+Cell/tablet; Other devices. This will help organize the notes you take when the participants present their drawings.

After 15 minutes, the facilitators invite the participants to present their drawings to the group. As they present their drawings, one of the facilitators captures what is said in the "Uses of technology" column of the kraft paper while the other facilitator engages partipants. Encourage participants to narrate their day of technology by formulating statements that specify the device, application and purpose of each interaction with technology. For example:

- "I use the alarm on my cellphone to wake up in the morning" - "I use my computer to listen to music with Spotify" - "I use an app on my cellphone that counts steps" - "I use Whatsapp to share audio files with my colleagues" - "I use Dropbox from my computer to backup my documents"

Tip 2: It is not necessary that each and every participant present their drawing. In the interest of time, after a few people have presented, encourage the remaining participants to share uses of technology that have not yet been presented.

Tip 3: If as a facilitator you intuit that some programs are used both on cell phones and computers, ask the participants to clarify this point and capture the statement in the appropriate section of the "Uses of technology" kraft paper.

Result: At the conclusion of this exercise, you will have a list of the typical ways that the members of the organization use technology.

3. Activity: What information is produced? (Estimated duration: 45 min)

Objective: Determine what information is produced as a consequence of each use of technology.

Description: Write "Information" at the top of the second column of kraft paper. For each use of technology listed in the first column of kraft paper (the result of Activity 1), ask the participants what information is produced as a result of that use of technology. Encourage discussion and debate because in the course of this activity it is important to be as detailed and exhaustive as possibe. As a consensus is reached, capture the answer in the second column of kraft paper.

Tip 1: Though it may it seem obvious, it is important to provide a clear definition of the word "information". For example, in the case of a photograph, the information is not "the photo", which only refers to the jpg or png file, but the content of the image, such as what is happening, the identities of the people in the picture, their location and the time and date of the event, etc. In the case of an app for taxis, the information produced would be origins and destinations of travel, frequency of certain routes and methods of payment.

Tip 2: When presenting this exercise, introduce the concept of "metadata" and add it to the glossary.

Result: At the conclusion of this exercise, you will have a list of the information that is produced by the organization and its members from their use of technology.

4. Activity: Actor Brainstorm (Approximate duration: 1 hour)

Objective: Make an extensive list of actors that may have a personal, political or economic interest in the information that the organization produces.

Description: Ask participants to brainstorm a list of actors that could be interested in accessing the information listed in the result of Activity 3. The first part of the exercise is a brainstorm, not a debate, so capture all of the actors mentioned and let participants know that there will be an opportunity to debate and narrow down the list in subsequent steps.

After completing the list of actors, connect each actor (from column 3) with the information they would be interested in (from column 2) extending a piece of thread from the actor toward the corresponding information. Throughout the exercise, when you consider it pertinent, contribute information about the technopolitical context that the members of the organization may not be taking into account.

Before concluding the exercise, look back at the actor list. If there are any actors that have no connection to column 2, cross them off the list.

Tip 1: Assign a distinct color of thread to each actor or use any other mechanism that you see fit, e.g. simply drawing an arrow from the actor to the information.

Tip 2: If the participants are having a hard time coming up with ideas, suggest that they consider a range of types of actors, including international, national, local, political, religious groups, media, and even private individuals with personal interests or vendetta against the organization or its members.

Result: At the conclusion of the exercise, you will have a list of actors interested in the information produced by the organization (column 3 of the kraft paper).

5. Activity: Actor brainstorm continued- Narrowing down (Estimated duration: 1 hour)

Objective: Determine which actors, in addition to having interest in the information produced from the organization, also possess the capacities and resources necessary to obtain that information without the organization's consent.

Description: Start from the top of the actors list as it appears at the conclusion of Activity 4. For each actor, discuss whether it has the resources (political, economic, legal, social, technical) and/or is reported to have carried out surveillance or espionage in the past.

Facilitators should provide information about the legal framework and precedents of surveillance in the organization's local and national context to point out which actors are legally authorized to carry out surveillance, as well as those actors which, despite not being authorized, enjoy other forms of power that enable them to exercise surveillance.

In addition, the facilitators should contribute information throughout the exercise about the different mechanisms whereby an actor could obtain an organization's information, such as by trespassing offices and stealing computers, setting up fake cell phone antennas, and infecting phones and computers with spyware.

When the participants determine that an actor in the list does NOT have resources that would enable them to obtain the information of interest, cross the actor off the list.

Tip 1: Keep in mind that all new technical terms should be listed in the glossary, and encourage participants to write them down as well.

Tip 2: During this exercise, it would be extremely useful to have on hand a table, chart, or infographic that clearly illustrates the legal, technical, and economic prerequisites for obtaining and using different surveillance tools, as well as the specific types of ICTs that these distinct surveillance tools are capable of attacking.

Result: At the conclusion of this exercise, you will have narrowed down a list of actors who have a) an interest in obtaining the organization's information and b) the capacity to obtain it.

6. Activity: Traffic lights (Estimated duration: 1 hour)

Objective: Determine which of the organization's information is sensitive.

Description: Refer back to column 2, "Information". For each piece of information that is linked to an actor in the final actors list (the result of activity 5), ask participants the following series of questions: What would the actor do with this information? How dangerous would that be for the organization? Consider campaigns, safety of allies, safety of victims that they accompany, safety of the organization's staff, the organization's reputation, financial security, etc. If the participants deem that the consequences would be close to catastrophic, place a red dot next to the piece of information. If the consequences would have a high cost that could eventually be overcome, place a yellow dot. And if the consequences are undesirable but minor, place a green dot.

Insist that participants justify their choice before selecting the color of the traffic light. For instance, by describing a hypothetical but realistic situation or a real-life example that illustrates the possible consequence. Finally, push the participants to imagine the ultimate impact of this consequence on the organization and its ability to pursue its mission. Pushing the participants to provide solid explanations for their perception of risk stimulates discussion and debate and thus helps to ensure that the final results of the diagnostic are both grounded and consensual.

Result: At the conclusion of the exercise, you will have a list of information that the organization has determined needs to be protected from surveillance, i.e. all of the information in column 2 that has a red or yellow dot. For the remainder of the diagnostic, we call the information in this list "high risk information".

7. Activity: Doors and Locks (Estimated time: 20 min)

16 ManualSD TR.png

Objective: Identify mechanisms that could help protect the organization's sensitive information.

Description: Use the metaphor of "doors" to explain that information can be accessed through one or more entry points, i.e. the devices or programs used to create/store/transport data. In the same way that a door can be locked, information can be protected by adding layers of security ("locks") to the tools we use.

Refer back column 1 of the kraft paper "Uses of technology" to extrapolate the access points to the high risk information. Then ask the participants which measures have been taken (if any) to safeguard it or limit access by third parties, e.g. encryption, strong passwords, hidden location, temporality or self-destruct mechanisms, and backups.

Capture the responses in the following table using check-marks and x's, emoticons, or whatever symbols you choose:

Tip: In some contexts it may appear that participants do not have enough technical knowledge to have placed adequate "locks" on all their "doors". However, be wary of making false assumptions. Often, organizations put in place digital security mechanisms intuitively, and as facilitators, you should recognize that and bring these advances to their attention.

Result: At the conclusion of this activity, you will have a list of the organization's uses of technology that require the incorporation of better digital security practices and tools.

8. Closing (Approximate duration: 20 min)

To conclude the collective risk analysis, ask the participants if there is any information that they would like to add, e.g. previous security incidents.

If you perceive discomfort or anxiety in the group upon concluding the risk analysis, try to reassure them that they are on the right track and that the diagnostic was an important first step in a dynamic and continuous process that will ultimately strengthen the organization.

Before parting ways, make sure to briefly explain to the group that the next stage of the diagnostic consists in the revision of the staff's computers and the facilities. Make clear that this review is not a forensic analysis, that no programs will be installed on the computers, and that no technical issues will be fixed. Rather, this part of the assessment will offer a bird's eye view of the type of information that is stored, programs that have been installed, and the state of antivirus protections.

Upon closing the session, remind participants that you will be presenting the assessment's preliminary findings the following day. Reiterate that their participation is crucial as it will be the only opportunity for you to receive their feedback before drafting the final report and recommendations.

22 ManualSD TR.png

The collective risk analysis is now complete. Your final step is to transcribe the results into the preliminary report template (Annex I).

Tip: Take one or two 5-15 minute breaks throughout the collective risk analysis session, plus 1 hour for lunch.

Computer diagnostics and evaluation of facilities

17 ManualSD TR.png

Another aspect of digital security is the environment in which devices are being used. Therefore it is important to undertake a systematic evaluation of some of the specific aspects of the facilities and local ICT infrastructure, including:

a) How easy/difficult it is to access the office from the outside? Verify the quantity, location and security of doors and windows. Estimate the proximity and ease of access from neighboring buildings.

b) Does the office have a doorman/security guard? Does he/she adhere to a protocol for allowing outsiders to enter the building?

c) Are there alarms and security cameras? Are the cameras in good working condition? Do they record? Does the organization have and adhere to protocols to review the recordings? Does the alarm have a backup battery in case electricity is cut off?

d) If there are restricted rooms with locks or locked filing cabinets, who has access, and to which restricted spaces?

e) Does the office have a space to receive visitors separate from the staff's offices? How easy would it be for visitors to move around the office undetected?

f) Evaluate the reliability of the building's construction, especially if there is humidity. Review the conditions of the electrical outlets and connections. Also check if too many devices are plugged into the same connection and if the organization is using breakers.

As part of this general review, consider the following checklist:

 - Determine if the staff's computers are connected to the internet via WIFI or Ethernet 
 - Evaluate the network configuration, the strength of the WIFI password, encryption type, and if they have VPN or VLAN configured 
 - Determine if the modem's original configuration has been changed 
 - Identify the organization's internet service provider 

Depending on the organization's perceived level of risk and its interest in undergoing a more thorough analysis, as well as the technical capacities of the facilitation team, you can opt to map out the entire network, which would permit you to identify all computers, operating systems, users and mobile devices that are connected to the network.

Tip 1: In reviewing the computers, remember that you are not conducting a forensic analysis. The depth and scope of the computer diagnostics depends on your team's level of technical expertise, how much time is available, and the organization's disposition.

Tip 2: Make scripts to automate the computer diagnostics and share them with the community on GitHub.

Tip 3: If you suspect the presence of malware and would like to investigate further, instead of working directly on the computer in question, make a copy of the system and work from there in order to avoid compromising potential legal proceedings. Be aware that this is a separate endeavor not covered in this guide, but you can start off using a live GNU_Linux operating system (the command dd could be a good option).

We recommend running the computer diagnostic on at least 10 different computers, ensuring that you review at least one computer from each area. In this way, even without assessing every computer, you will have a representative sample.

The main points covered in the computer diagnostics are:

 - vulnerabilities due to the absence of an antivirus program, inactive firewall, and lack of security updates
 - installation of programs that contain vulnerabilities such as malware, adware and other malicious software
 - the exposure of sensitive data due to browsing the internet

If evaluating computers that use Windows, this investigation can be conducted from the cmd terminal by inputting the following commands: systeminfo, tasklist and wmic. Afterwards, open the Event Viewer and save the logs for the following "events": security, hardware, application, setup, and system.

In OS X, you can access the "Console" from the Utilities folder to review the system logs. In GNU-Linux, there is a wide variety of commands to generate lists of programs and view logs.

On all operating systems, perform the following steps:

1. Check the status of firewall on all operating systems 2. Check the status of antivirus protections on the computers, including if an antivirus software is installed, if the database is up-to-date, and logs 3. If a computer does not have an antivirus installed or if it is inactive, consider running an antivirus diagnostic using one of the live versions that you brought with you 4. Check which search engines are used, if search history and passwords are saved, and which plugins are installed

Reviewing findings

18 ManualSD TR.png

At this time, you will have a large amount of information to review and process.

With respect to the files you saved during the computer diagnostics, review the programs installed. If any standout as uncommon, conduct additional research to determine if they may be a potential threat.

In reviewing the computers' logs, focus on detecting stark inconsistencies between what is reported in the logs and what you know to be the practices of the organization. For example, if the office is only open to staff in the mornings, then it should raise a red flag if the logs report a computer being turned on at night. Another red flag would be a recurring connection to a suspicious IP address when the computer would not normally be in use.To wrap up the first day of work, the facilitation team should meet to debrief and prepare for the following day. You should share your impressions of the day's activities including what went well and what could have gone better. Discuss scenarios for Day 2 with a view to making the most of the remaining time.

Tip: Prior to implementing the diagnostic, facilitators should familiarize themselves with common processes that are executed in the main operating systems and how those appear in event logs. With this knowledge under your belt, you will be able to more readily detect unusual processes when they are reported in logs. Remember that the goal is not so much to search for specific errors, but to discover patterns and anomalies.

Preparing the preliminary report

With the initial findings from the collective risk analysis, the computer diagnostics and the evaluation of the facilities, systematize the results in a preliminary report (you will find a template in Appendix I).

The preliminary report should clearly explain how the specific ways that the organization uses ICTs create particular vulnerabilities. It is important to provide solid arguments and evidence when claiming that using a certain ICT tool for a certain purpose creates risk. Recommendations that derive from clear, convincing, evidence-based arguments will be more readily understood and accepted by the organization. To this end, it is also helpful to relate the conclusions and recommendations to the local and national technopolitical context in the report.

Your recommendations should be grounded in reality. It's useless to propose purchasing new computers or setting up a local server if the organization does not have the economic resources or physical space to implement the recommendation. However, it is possible to include these more costly solutions in a section on long-term recommendations. In the meantime, more grounded short and medium-term recommendations are a sufficient first step in the implementation of a digital security process.

The recommendations can also raise digital technology options that take into account questions such as environmental sustainability and human rights impacts associated with certain tools and companies, as well as values around privacy and open data. At Técnicas Rudas, we encourage organizations to avoid products with built-in obsolescence and to opt for and free software.

Tip: Be honest and rigorous. Do not overstate the existence of a threat simply due to your intuition or bias. Every conclusion that makes it into the report should be backed by evidence.


Presenting the preliminary report

20 ManualSD TR.png

The estimated time for presenting the preliminary report is two hours. It begins with the facilitators explaining that the report is only preliminary. The purpose of the session is to share and review initial findings and recommendations with the organization in order that their feedback be incorporated into the final report. This is an opportunity to make changes in case something has been misunderstood or left out of the analysis. By the end of the discussion, the goal is to have adopted preliminary recommendations via consensus.

Distribute a copy of the preliminary report to each participant asking them to read and take notes at their own pace. Afterwards, go over the report out loud from beginning to end, encouraging participants to interject when they have feedback.

When presenting the recommendations, it should be very clear exactly what it is that you are proposing, why you are proposing it, and the time/resources required for implementation.

When all the feedback has been given and a consensus has been reached on the content of the preliminary report, the session is essentially adjourned. However, if any time remains, we highly recommend asking the participants to give you feedback on the methodology and facilitation style, as well as their overall sense of the utility of the diagnostic.

Before leaving, advise the participants to destroy the kraft paper that was used, along with the paper versions of the preliminary report (unless they prefer to preserve them in a secure location).

The facilitators must take care to securely transport any files from the computer diagnostics that require further analysis or incorporation into the final report. Securely delete these files once they are no longer needed.

Putting together the final report

19 ManualSD TR.png

The final report should incorporate all of the changes adopted during the feedback session with the organization. It is also an opportunity to include more explanatory detail about the vulnerabilities that you highlight. Completing the final report will inevitably require additional research in order to fill information gaps that were unresolved during the collective risk analysis, as well as to ensure that the report's determinations of risk are based on the most up-to-date information about the tools that were evaluated. This research can help maximize the relevance of the recommendations and the clarity of the justifications.

21 ManualSD TR.png

The last step in the diagnostic is to deliver the final report to the organization. Make sure to send the report using a secure medium as it contains highly sensitive information about the security vulnerabilities of the organization. This is also an opportunity to set a precedent for the handling and transportation of sensitive files.

Additional resources

Staying informed about the new challenges and opportunities in the realm of digital security can be difficult. Technology is constantly changing and one of the most effective ways we have to stay up-to-date is to share new information and tools with one another. In that spirit, there are numerous online resources that can help. Here are just a few:

In Spanish:


Acknowledgments

25 ManualSD TR.png

Técnicas Rudas is immeasurably grateful to Ercilia Sahores (Verbamate) for dedicating more than one sleepless night to helping translate the original Spanish text of this manual into English. We would also like to thank Sophie Elizabeth Lally and Philippa Mary Williams for their meticulous revisions and invaluable contributions in revising and adapting the content of the English-language manual.

Credits

This guide was written by Técnicas Rudas with the support of the Institute for War and Peace Reporting .

Design: María Silva and Yutsil Mangas

Appendix I: Report Template

Digital Security Risk Assesment Report Template

References

  1. Greater detail on popular education is beyond the scope of this manual, however there is an extensive body of literature on the subject. We recommend starting with [Paolo Freire] (https://es.wikipedia.org/wiki/Paulo_Freire).
  2. PII: Personally identifiable information refers to all that information about an individual administered by a third party through which it could be possible to determine their identity and other data related to their identity. See https://en.wikipedia.org/wiki/Personally_identifiable_information.
  3. A potentially helpful resource for answering this question is ShareLab's (metadata investigation of spy company Hacking Team's email communications).
  4. Biological as opposed to self-designated gender identities are relevant because they determine how others perceive us, which in turn can establish hierarchies in the group dynamic.