This document discusses improving cyber security practices for organizations. It finds that many organizations have lax security practices, like regularly sharing passwords and not changing them for years. The biggest risks are social engineering attacks that trick users. The document recommends adopting a security mindset through staff training. It provides tips for improving security of email, social media, laptops and phones. This includes enabling two-factor authentication, using password managers, encrypting devices, and implementing data retention policies. Regular security updates and training help staff maintain safe practices.

1. Cyber Security In a Trump Era
Ann Lewis, MoveOn.org @ann_lewis ann.lewis@moveon.org
Matt Mitchell, Color Of Change @geminiimatt

2. Wake up call
Nov 9 was a rude awakening for all of us. The weekend after the election we
spent fighting DDoS attacks, hacking attempts, and received wave after wave of
hateful and prejudiced spam and threats.
We realized we are entering a world where we’ll be playing more defense, and
that we need to take a much more careful look at security: our policies, our tools,
how we protect our staff and members

3. How Safe Are We?
Things we discovered when we started digging into our policies and tools:
● Staff regularly shared passwords in chat, email, even google docs. One of
these google docs was inadvertently made public!
● Many of our social media accounts hadn’t had passwords changed in years
● We had 20K google docs by default shared with everyone in the org. This
meant an archive of data and strategic information would be made available
to any hacker who hacked anyone’s account

4. What are our biggest risks?
Every organization will have different key risks, and different strategic information
and assets that are most important to protect.
But we all have one thing in common: all of our staff are vulnerable to social
engineering:
● Phishing emails that trick you into clicking on malicious links that steal
credentials
● Emails that contain attachments that infect staff computers with malware
Social engineering is a very common attack vector: we are all vulnerable.

5. Adopting a security mindset
The first step in improving the overall security of your organization is to
communicate to staff that everyone needs to adopt a security mindset.
There are many ways to do this. One strategy that worked for MoveOn: we hired a
security firm to run a phishing exercise on staff, and then announced the results of
the test in a staff meeting.
● 15 (!) staff were caught in the phishing test
● Staff now realize the way they think about security now affects not just
individuals but also the entire organization, and staff are accountable for
doing their part to keep the organization safe.

6. Improving the Security of Email
● Enable 2-factor authentication on organizational email (
https://twofactorauth.org )
● Even better: 2-factor authentication enforcement!
● Password-protect any mobile devices that have access to org email
● Ensure the email accounts listed as the backup emails for organizational
email accounts also have 2-factor authentication enabled
● If your email provider offers backup “security questions” to grant staff access
to email when they forget their passwords, ensure that the answers to these
security questions don't match the questions and are stored in a password
manager.
● Questions?

7. Be aware of who / what you trust with your email
Do you trust tech companies more than you
trust your partner? If not, don’t grant them full
access to your email! This is like handing over
your email account to another person- they can
see all the emails you send and receive.

8. Strong Passwords
● Different accounts have different password requirements, but as a general rule the longer the
password the harder it is for hackers to guess
● Never reuse passwords across accounts
● Use only organizationally approved tools for sharing passwords.
○ Use a password manager to store & generate passwords (recommended password managers
are 1password, lastpass, dashlane, keypassx, or padlock.io)
○ Never share passwords in email or chat.
○ Never save passwords in the browser
● Regularly rotate passwords
● Top passwords for 2016 list (avoid these!):
http://www.darkreading.com/endpoint/authentication/123456-leads-the-worst-passwords-of-
2016/d/d-id/1327952
● EFF’s guide on creating strong passwords: https://ssd.eff.org/en/module/creating-strong-passwords
● Check if your email has been compromised on: https://haveibeenpwned.com/

9. Improving the Security of Social Media
● Enable two factor authorization (sometimes called login enforcement) on all organizational social
media accounts
● Enable two factor authorization on all personal social media accounts. ( https://twofactorauth.org )
● Audit the email accounts associated with social media accounts: is this an individual email or a
group?
● If it’s a group:
○ ensure the owner of the account understands that everyone subscribed to this group has the
power to change the password and take control of the social media account
○ use a google voice number that is linked to a shared google account set up for this purpose
● If the social media service offers backup “security questions” to grant staff access to email when
they forget their passwords, ensure that the answers to these security questions don't match the
questions and are stored in a password manager. (e.g the answer to what is your favorite color?
would be New York.)
● Questions?

10. Laptops and Mobile Phones
● Encrypt staff laptop hard drives: if a laptop is stolen, thieves can’t get access
to the data stored on the hard drive.
● Encrypt staff mobile phone hard drives
● Make sure all staff devices are password protected
● Staff must keep laptops and phones current with software updates: these
updates include critical security fixes
● Bonus: install software on laptops that allows for hard drives to be remotely
wiped in the event of loss or theft
● Bonus: install software on phones that allows for hard drives to be remotely
wiped in the event of loss or theft
● Questions?

11. Secure Communication Tools
● Assume that all staff communication can be made public, unless staff are
using secure communication tools
● Know the difference between encrypted vs unencrypted email, chat
● All cell phone conversations should be considered public.
● All phone calls can be "spoofed" (caller id can be made to display any number
including those of your contacts)"
● All SMS messages should be considered public
● All SMS messages can be "spoofed" ( made to look like they came from
anyone including your contacts )"
● Organizations can evaluate the types of communication staff engage in,
determine their risk model, and choose communication tools accordingly
● Questions?

12. Retention Policies
Hackers can’t steal and the government can’t subpoena information you don’t
store:
● Email retention policies: how long to keep historical email
● Document retention policies: how long to store or retain sharing permissions
● Chat retention policies: how long to keep group and individual chat
● Data retention policies: what data to include in, and how long to keep
databases, spreadsheets, and records

13. Staff Training
● Cyber security training is critical for staff
● Example training programs used by MoveOn:
○ Group conversations on cyber security in team meetings
○ Weekly “security bulletins” with action items sent to staff
○ Team leads track and are accountable for reports completing security training
○ Regular “phishing exercises” keep staff alert to potential threats
● SANS: Securing The Human cyber security training series
● Nonprofit organizations like Access Now, Electronic Frontier Foundation
(EFF), Tactical Technology, Freedom of The Press Foundation, offer updated
free high quality information.
● Once training is concluded schedule regular "fire drills" where teams practice
what they learned

14. QUESTIONS?