
Cyber security in a trump era [1/15/2017]


Cyber security principles and tactics for political nonprofits

Published in: Technology

  1. Cyber Security In a Trump Era
     Ann Lewis, MoveOn.org, @ann_lewis, ann.lewis@moveon.org
     Matt Mitchell, Color Of Change, @geminiimatt

  2. Wake up call
     Nov 9 was a rude awakening for all of us. We spent the weekend after the election fighting DDoS attacks and hacking attempts, and receiving wave after wave of hateful and prejudiced spam and threats. We realized we are entering a world where we’ll be playing more defense, and that we need to take a much more careful look at security: our policies, our tools, and how we protect our staff and members.

  3. How Safe Are We?
     Things we discovered when we started digging into our policies and tools:
     ● Staff regularly shared passwords in chat, email, even Google Docs. One of these Google Docs was inadvertently made public!
     ● Many of our social media accounts hadn’t had their passwords changed in years.
     ● We had 20K Google Docs shared by default with everyone in the org. This meant an archive of data and strategic information would be available to any attacker who compromised anyone’s account.

  4. What are our biggest risks?
     Every organization will have different key risks, and different strategic information and assets that are most important to protect. But we all have one thing in common: all of our staff are vulnerable to social engineering:
     ● Phishing emails that trick you into clicking on malicious links that steal credentials
     ● Emails that contain attachments that infect staff computers with malware
     Social engineering is a very common attack vector: we are all vulnerable.

  5. Adopting a security mindset
     The first step in improving the overall security of your organization is to communicate to staff that everyone needs to adopt a security mindset. There are many ways to do this. One strategy that worked for MoveOn: we hired a security firm to run a phishing exercise on staff, and then announced the results of the test in a staff meeting.
     ● 15 (!) staff were caught in the phishing test
     ● Staff now realize that the way they think about security affects not just individuals but the entire organization, and that they are accountable for doing their part to keep the organization safe.

  6. Improving the Security of Email
     ● Enable 2-factor authentication on organizational email (https://twofactorauth.org)
     ● Even better: enforce 2-factor authentication for everyone!
     ● Password-protect any mobile devices that have access to org email
     ● Ensure the email accounts listed as backup emails for organizational email accounts also have 2-factor authentication enabled
     ● If your email provider offers backup “security questions” to grant staff access to email when they forget their passwords, ensure that the answers are not the true answers to those questions and are stored in a password manager.
     ● Questions?

  7. Be aware of who / what you trust with your email
     Do you trust tech companies more than you trust your partner? If not, don’t grant them full access to your email! This is like handing over your email account to another person: they can see all the emails you send and receive.

  8. Strong Passwords
     ● Different accounts have different password requirements, but as a general rule, the longer the password, the harder it is for attackers to guess
     ● Never reuse passwords across accounts
     ● Use only organizationally approved tools for sharing passwords.
       ○ Use a password manager to store and generate passwords (recommended password managers are 1Password, LastPass, Dashlane, KeePassX, or padlock.io)
       ○ Never share passwords in email or chat.
       ○ Never save passwords in the browser
     ● Regularly rotate passwords
     ● Top passwords for 2016 list (avoid these!): http://www.darkreading.com/endpoint/authentication/123456-leads-the-worst-passwords-of-2016/d/d-id/1327952
     ● EFF’s guide on creating strong passwords: https://ssd.eff.org/en/module/creating-strong-passwords
     ● Check whether your email address appears in a known breach: https://haveibeenpwned.com/

  9. Improving the Security of Social Media
     ● Enable two-factor authentication (sometimes called login enforcement) on all organizational social media accounts
     ● Enable two-factor authentication on all personal social media accounts (https://twofactorauth.org)
     ● Audit the email accounts associated with social media accounts: is this an individual email or a group?
     ● If it’s a group:
       ○ ensure the owner of the account understands that everyone subscribed to this group has the power to change the password and take control of the social media account
       ○ use a Google Voice number that is linked to a shared Google account set up for this purpose
     ● If the social media service offers backup “security questions” to grant staff access to the account when they forget their passwords, ensure that the answers are not the true answers to those questions and are stored in a password manager (e.g. the answer to “What is your favorite color?” would be “New York”).
     ● Questions?

  10. Laptops and Mobile Phones
     ● Encrypt staff laptop hard drives: if a laptop is stolen, thieves can’t get access to the data stored on it.
     ● Encrypt staff mobile phone storage
     ● Make sure all staff devices are password protected
     ● Staff must keep laptops and phones current with software updates: these updates include critical security fixes
     ● Bonus: install software on laptops that allows them to be remotely wiped in the event of loss or theft
     ● Bonus: install software on phones that allows them to be remotely wiped in the event of loss or theft
     ● Questions?

  11. Secure Communication Tools
     ● Assume that all staff communication can be made public, unless staff are using secure communication tools
     ● Know the difference between encrypted and unencrypted email and chat
     ● All cell phone conversations should be considered public.
     ● All phone calls can be "spoofed" (caller ID can be made to display any number, including those of your contacts)
     ● All SMS messages should be considered public
     ● All SMS messages can be "spoofed" (made to look like they came from anyone, including your contacts)
     ● Organizations can evaluate the types of communication staff engage in, determine their risk model, and choose communication tools accordingly
     ● Questions?

  12. Retention Policies
     Hackers can’t steal, and the government can’t subpoena, information you don’t store:
     ● Email retention policies: how long to keep historical email
     ● Document retention policies: how long to keep documents and how long their sharing permissions stay in place
     ● Chat retention policies: how long to keep group and individual chat
     ● Data retention policies: what data to include in databases, spreadsheets, and records, and how long to keep them

  13. Staff Training
     ● Cyber security training is critical for staff
     ● Example training programs used by MoveOn:
       ○ Group conversations on cyber security in team meetings
       ○ Weekly “security bulletins” with action items sent to staff
       ○ Team leads track, and are accountable for, their reports’ completion of security training
       ○ Regular “phishing exercises” keep staff alert to potential threats
     ● SANS: Securing The Human cyber security training series
     ● Nonprofit organizations like Access Now, Electronic Frontier Foundation (EFF), Tactical Technology, and Freedom of the Press Foundation offer free, high-quality, regularly updated information.
     ● Once training is concluded, schedule regular "fire drills" where teams practice what they learned

  14. QUESTIONS?
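Slide 3 describes 20K documents shared by default with everyone in the org, plus a password document that ended up public. The script below is an added example, not part of the deck or MoveOn's own tooling: an offline audit over a constructed inventory whose records follow the shape of Google Drive API file objects (a `permissions` list whose `type` is `user`, `group`, `domain` or `anyone`), flagging documents exposed org-wide or publicly and documents whose titles suggest they hold credentials.

```python
"""Flag over-shared or credential-looking documents in a Drive inventory.
Added example (not from the deck). Records follow the shape of Google Drive
API file objects with their permissions list; the inventory is constructed."""

# Permission types that reach beyond named people: "domain" = everyone in
# the org (the deck's 20K-docs problem); "anyone" = public / anyone with link.
EXPOSURE_RANK = {"public": 0, "org-wide": 1, "ok": 2}
SENSITIVE_WORDS = ("password", "passwd", "credential", "login", "api key")

def classify_exposure(permissions):
    """Widest audience a permissions list grants access to."""
    types = {p.get("type") for p in permissions}
    if "anyone" in types:
        return "public"
    if "domain" in types:
        return "org-wide"
    return "ok"

def looks_sensitive(name):
    """True if the title suggests the document holds credentials."""
    return any(w in name.lower() for w in SENSITIVE_WORDS)

def audit(inventory):
    """Return (file_id, name, exposure, sensitive) for every file that is
    over-shared or looks sensitive, worst exposure first."""
    findings = []
    for f in inventory:
        exposure = classify_exposure(f.get("permissions", []))
        sensitive = looks_sensitive(f["name"])
        if exposure != "ok" or sensitive:
            findings.append((f["id"], f["name"], exposure, sensitive))
    return sorted(findings, key=lambda x: (EXPOSURE_RANK[x[2]], not x[3]))

SAMPLE_INVENTORY = [  # constructed sample data, not a real export
    {"id": "doc-1", "name": "Team passwords (old)",
     "permissions": [{"type": "anyone", "role": "reader"}]},
    {"id": "doc-2", "name": "Q1 field strategy",
     "permissions": [{"type": "domain", "role": "writer"}]},
    {"id": "doc-3", "name": "Vendor login details",
     "permissions": [{"type": "user", "role": "owner"}]},
    {"id": "doc-4", "name": "Meeting notes",
     "permissions": [{"type": "user", "role": "owner"},
                     {"type": "user", "role": "writer"}]},
]

if __name__ == "__main__":
    for file_id, name, exposure, sensitive in audit(SAMPLE_INVENTORY):
        print(f"{exposure:8} sensitive={sensitive!s:5} {file_id}  {name}")
```

Against a real export, feed the audit the file list returned with the `permissions` field populated and review the "public" rows first.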

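Slide 8 says that, as a general rule, a longer password is harder to guess. The following is an added example, not from the deck: it computes guessing entropy for a few password shapes (showing why 16 lowercase letters beat 8 characters from the full keyboard), generates a password-manager-style random password with the standard `secrets` module, and applies a minimal policy check against a constructed stand-in for the "worst passwords of 2016" list the slide links to. The 1e11 guesses per second figure is an assumed offline cracking rate.

```python
"""Why length beats complexity, and a generator to match.
Added example, not from the slide deck. DENY_LIST is a constructed stand-in
for the published "worst passwords" list, not the list itself."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars
WORDLIST_SIZE = 7776  # size of a standard diceware list (6^5 words)
DENY_LIST = {"123456", "password", "qwerty", "letmein"}  # constructed sample

def entropy_bits(length, pool_size):
    """Bits of guessing work for a uniformly random secret of `length`
    symbols drawn from `pool_size` possibilities."""
    return length * math.log2(pool_size)

def years_to_exhaust(bits, guesses_per_second=1e11):
    """Worst-case time to try every candidate at an assumed offline rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def generate_password(length=20):
    """Password-manager style: uniformly random over the 94 printable chars."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def check_policy(password):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if password.lower() in DENY_LIST:
        problems.append("on the common-passwords list")
    if len(password) < 16:
        problems.append("shorter than 16 characters")
    return problems

if __name__ == "__main__":
    for label, length, pool in [("8 chars, full keyboard", 8, 94),
                                ("16 lowercase letters", 16, 26),
                                ("5 diceware words", 5, WORDLIST_SIZE),
                                ("20 chars, full keyboard", 20, 94)]:
        bits = entropy_bits(length, pool)
        print(f"{label:24} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
    print("generated:", generate_password())
```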