📖
📖
📖
📖
Citizen Clinic
Search…
Welcome to ​the Citizen Clinic Cybersecurity Education Center
Case Studies
Clinic Curriculum
Syllabus
Lesson Modules
Condensed Bibliography
Low-Resource Organizations
Introduction
Section 1: Why do Low-Risk Organizations Need Cybersecurity?
Section 2: Common Cybersecurity Controls
Section 3: Additional Cybersecurity Best Practices
Appendices
Clinic Infrastructure
Virtual Private Network (VPN)
Creating Virtual Identities
Security Evaluation Framework for OSINT Tools
Powered By GitBook
Condensed Bibliography

Introduction to Public Interest Cybersecurity

Sean Brooks, Center for Long-Term Cybersecurity. “Defending Politically Vulnerable Organizations Online” [https://cltc.berkeley.edu/wp-content/uploads/2018/07/CLTC_Defending_PVOs.pdf]
Citizen Lab’s Security Planner. [https://securityplanner.org/]
Sandro Contenta, Toronto Star. “How these Toronto sleuths are exposing the world’s digital spies while risking their own lives” [https://www.thestar.com/news/canada/2019/12/13/from-a-tower-in-toronto-they-watch-the-watchers-how-citizen-lab-sleuths-are-exposing-the-worlds-digital-spies-while-risking-their-own-lives.html]
Havron et al. "Clinical computer security for victims of intimate partner violence." In Proceedings of the 28th USENIX Security Symposium (pp. 105-122).[https://www.nixdell.com/papers/2019-usenix_clinical_security_FULL.pdf]
Deji Olukotun, Access Now. “Spyware in Mexico: an interview with Luis Fernando García of R3D Mexico” [https://www.accessnow.org/spyware-mexico-interview-luis-fernando-garcia-r3d-mexico/]

Ethics and the Citizen Clinic Code of Conduct

Citizen Clinic. "Student Code of Conduct" [https://www.citizenclinic.io/Clinic_Curriculum/Modules/Ethics/Student_Code_of_Conduct/]
Shannon Vallor, The Markkula Center for Applied Ethics. “An Introduction to Cybersecurity Ethics” [https://www.scu.edu/media/ethics-center/technology-ethics/IntroToCybersecurityEthics.pdf]

Old School INFOSEC: Basic Controls

Le Blond et al. “A look at targeted attacks through the lense of an NGO” [www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-blond.pdf]
Sean Brooks, CLTC, TechSoup Webinar. “Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making Practical Improvements.”: [https://cltc.berkeley.edu/2019/02/25/cltc-and-citizen-clinic-present-cybersecurity-in-low-risk-organizations-webinar/]
Citizen Lab’s Security Planner. [https://securityplanner.org/]
Electronic Frontier Foundation’s Surveillance Self-Defense guide. [https://ssd.eff.org/]
Alex Gaynor. “What happens when you type google.com into your browser's address box and press enter?" [https://github.com/alex/what-happens-when]

Digital Surveillance of Politically Vulnerable Organizations: The Threat Landscape

Stephen Arnold. “Telestrategies - An Interview with Dr. Jerry Lucas” [http://www.arnoldit.com/search-wizards-speak/telestrategies-2.html]
John Scott-Railton et al, Citizen Lab. “Bittersweet: Supporters of Mexico’s soda tax targeted with NSO exploit links” [https://citizenlab.ca/2017/02/bittersweet-nso-mexico-spyware/]

Problem Diagnosis and Reframing

Arthur Turner. “Consulting Is More Than Giving Advice” [https://hbr.org/1982/09/consulting-is-more-than-giving-advice]
Thomas Wedell-Wedellsborg. “Are You Solving the Right Problems?” [https://hbr.org/2017/01/are-you-solving-the-right-problems]

Threat Modeling & Bounding Risk Assessments

Electronic Frontier Foundation, “Surveillance Self-Defense: Your Security Plan” [https://ssd.eff.org/en/playlist/activist-or-protester#your-security-plan]
NIST SP 800-37 “Risk Management Framework for Information Systems and Organizations.” Chapter 2 only. [https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-draft-ipd.pdf or Shutdown Mirror]
NIST SP 800-39 “Managing Information Security Risk.” Chapter 2 only. [https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf or Shutdown Mirror]
NISTIR 8062 “An Introduction to Privacy Engineering and Risk Management in Federal Systems.” [https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf or Shutdown Mirror]

Contextual & Capacity Research

SAFETAG, Internews. "SAFETAG Guide" Skim to Section 2.2, then read Section 2.2 and Section 2.3. [https://safetag.org/guide/]
Read and Explore Examples About PESTLE. (use an ad-blocker!) [https://pestleanalysis.com/what-is-pestle-analysis/]
Jorge Luis Sierra. “Digital and Mobile Security for Mexican Journalists and Bloggers” [https://freedomhouse.org/sites/default/files/Digital%20and%20Mobile%20Security%20for%20Mexican%20Journalists%20and%20Bloggers.pdf]

Information Gathering

Ruba Abu-Salma et al. “Obstacles to the Adoption of Secure Communication Tools” [https://ieeexplore.ieee.org/abstract/document/7958575/]
Jeanette Blomberg et al. "An Ethnographic Approach to Design" [https://www.researchgate.net/publication/262363851_An_Ethnographic_Approach_to_Design]
Jenna Burrell. "The Field Site as a Network: A Strategy for Locating Ethnographic Research" [https://doi.org/10.1177/1525822X08329699]
Collaboration on International ICT Policy in East and Southern Africa. “Safeguarding Civil Society: Assessing Internet Freedom and the Digital Resilience of Civil Society in East Africa” - Read each chapter, but for one country only. [https://cipesa.org/?wpfb_dl=237]
Lofland and Lofland. Read Chapter 5 (66-98) "Logging Data" in "Analyzing social settings: A guide to qualitative observation and analysis" [https://searchworks.stanford.edu/view/10531063]

Open Source Research Methods, Safety, and Tools

Ian Barwise. “Open-Source Intelligence (OSINT) Reconnaissance” [https://medium.com/@z3roTrust/open-source-intelligence-osint-reconnaissance-75edd7f7dada]
Conor Fortune, Amnesty International. “Digitally dissecting atrocities – Amnesty International’s open source investigations.” [https://www.amnesty.org/en/latest/news/2018/09/digitally-dissecting-atrocities-amnesty-internationals-open-source-investigations/]
OSINT Framework [https://osintframework.com/]
OSINT.link [https://osint.link]
Travis Lishok, Protective Intelligence. “Part I: An Introduction To OSINT Research For Protective Intelligence Professionals” [https://www.protectiveintelligence.com/blog/osint-intro-for-protective-intelligence-pt1]
Travis Lishok, Protective Intelligence. “Part 2: An Introduction To OSINT Research For Protective Intelligence Professionals” [https://www.protectiveintelligence.com/blog/osint-intro-for-protective-intelligence-pt2]
SECALERTS - Automated Security Audit [https://secalerts.co/security-audit]

Security Law and Policy Factors

James C. Scott. “Seeing Like a State” - Chapter 9 [https://libcom.org/files/Seeing%20Like%20a%20State%20-%20James%20C.%20Scott.pdf]
Kim Fong et al. “A CRIMSon Tide of Data: An Assessment of Potential Privacy Problems of the Consolidate Records Information Management System” [http://people.ischool.berkeley.edu/~strush/CRIMS_FongRowlandTrush_Feb2018.pdf]

Adversary Persona Development

Julian Cohen. “Playbook Based Testing.” [https://medium.com/@HockeyInJune/playbook-based-testing-5df4b656113a]
Bill Marczak and John Scott-Railton, Citizen Lab. “Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents” [https://citizenlab.ca/2016/05/stealth-falcon/]
Nick Merrill, Daylight Security Research Lab. "Adversary Personas" [https://daylight.berkeley.edu/adversary-personas/]

Threat Scenario Development

Mitre’s ATT&CK Wiki. [https://attack.mitre.org/]
Mitre’s PRE-ATT&CK Techniques. [https://attack.mitre.org/techniques/pre/]
Mitre’s Common Vulnerabilities and Exposures search.[https://cve.mitre.org/cve/]

Changing Security Behaviors

The Engine Room. “Ties That Bind: Organisational Security for Civil Society” [https://www.theengineroom.org/civil-society-digital-security-new-research/]
Adrienne Porter Felt et al. “Improving SSL Warnings: Comprehension and Adherence” [https://dl.acm.org/citation.cfm?id=2702442]
Francesca Musiani and Ksenia Ermoshina. “What is a Good Secure Messaging Tool? The EFF Secure Messaging Scorecard and the Shaping of Digital (Usable) Security” [https://www.westminsterpapers.org/articles/10.16997/wpcc.265/]

Social Engineering and Phishing

Citizen Clinic. "Phishing Simulation Policy" [https://www.citizenclinic.io/Clinic_Infrastructure/Phishing_Simulation/]
Masashi Crete-Nishihata et al, Citizen Lab. "Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community" [https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/]]
Micah Lee, The Intercept. “It’s Impossible To Prove Your Laptop Hasn’t Been Hacked. I Spent Two Years Finding Out.” [https://theintercept.com/2018/04/28/computer-malware-tampering/]
Rachel Tobac. Social Proof Security. “How I would Hack You: Social Engineering Step-by-Step” [https://www.youtube.com/watch?v=L5J2PgGOLtE]

Designing Security Training

Electronic Frontier Foundation. “Am I the Right Person?” [https://sec.eff.org/articles/right-person-to-train]
Electronic Frontier Foundation. “How to Teach Adults” [https://sec.eff.org/articles/how-to-teach-adults]
Browse the rest of EFF’s Security Education Companion. [https://sec.eff.org/]
Rachel Weidinger et al. “How To Give A Digital Security Training” [https://medium.com/@geminiimatt/how-to-give-a-digital-security-training-4c83af667d40]
Rachel Weidinger et al. “Digital Security Training Resources for Security Trainers, Fall 2019 Edition” [https://medium.com/cryptofriends/digital-security-training-resources-for-security-trainers-spring-2017-edition-e95d9e50065e]

Psychosocial Resilience

Rated R for Resilience resource site. [https://sites.google.com/view/ratedr/basics]
Angela Chen. The Verge. “Moderating content doesn’t have to be so traumatic” [https://www.theverge.com/2019/2/27/18243359/content-moderation-mental-health-ptsd-psychology-science-facebook]
Sam Dubberley and Michele Grant. First Draft. “Journalism and Vicarious Trauma” [https://firstdraftnews.org/wp-content/uploads/2017/04/vicarioustrauma.pdf]
Sarah Jeong, Charlie Warzel, Brianna Wu, Joan Donovan. New York Times. “Everything is GamerGate” [https://www.nytimes.com/interactive/2019/08/15/opinion/gamergate-twitter.html] - Read all of the four essays.

Harmful Information (Misinformation and Harassment)

Tahmina Ansari, First Draft. “This Muslim journalist embraced social media until it ‘ruined’ his life” [https://firstdraftnews.org/this-muslim-journalist-embraced-social-media-until-it-ruined-his-life/]
Nicholas Monaco and Carly Nyst. Institute For The Future. “State-Sponsored Trolling: How Governments Are Deploying Disinformation as Part of Broader Digital Harassment Campaigns”. Read pages 3 to 21 & 45 to 51. [http://www.iftf.org/statesponsoredtrolling]
Sarah Oh and Travis L. Adkins. InterAction. “Disinformation Toolkit.” [https://staging.interaction.org/documents/disinformation-toolkit/]
Cindy Otis. USA Today. “Americans could be a bigger fake news threat than Russians in the 2020 presidential campaign” [https://www.usatoday.com/story/opinion/2019/07/19/disinformation-attacks-americans-threaten-2020-election-column/1756092001/]
Reply All podcast. “#112 The Prophet” Listen to or read transcript. [https://www.gimletmedia.com/reply-all/112-the-prophet]Introduction to Public Interest Cybersecurity
Sean Brooks, Center for Long-Term Cybersecurity. “Defending Politically Vulnerable Organizations Online” [https://cltc.berkeley.edu/wp-content/uploads/2018/07/CLTC_Defending_PVOs.pdf]
Citizen Lab’s Security Planner. [https://securityplanner.org/]
Sandro Contenta, Toronto Star. “How these Toronto sleuths are exposing the world’s digital spies while risking their own lives” [https://www.thestar.com/news/canada/2019/12/13/from-a-tower-in-toronto-they-watch-the-watchers-how-citizen-lab-sleuths-are-exposing-the-worlds-digital-spies-while-risking-their-own-lives.html]
Havron et al. "Clinical computer security for victims of intimate partner violence." In Proceedings of the 28th USENIX Security Symposium (pp. 105-122).[https://www.nixdell.com/papers/2019-usenix_clinical_security_FULL.pdf]
Deji Olukotun, Access Now. “Spyware in Mexico: an interview with Luis Fernando García of R3D Mexico” [https://www.accessnow.org/spyware-mexico-interview-luis-fernando-garcia-r3d-mexico/]

Ethics and the Citizen Clinic Code of Conduct

Citizen Clinic. "Student Code of Conduct" [https://www.citizenclinic.io/Clinic_Curriculum/Modules/Ethics/Student_Code_of_Conduct/]
Shannon Vallor, The Markkula Center for Applied Ethics. “An Introduction to Cybersecurity Ethics” [https://www.scu.edu/media/ethics-center/technology-ethics/IntroToCybersecurityEthics.pdf]

Old School INFOSEC: Basic Controls

Le Blond et al. “A look at targeted attacks through the lense of an NGO” [www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-blond.pdf]
Sean Brooks, CLTC, TechSoup Webinar. “Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making Practical Improvements.”: [https://cltc.berkeley.edu/2019/02/25/cltc-and-citizen-clinic-present-cybersecurity-in-low-risk-organizations-webinar/]
Citizen Lab’s Security Planner. [https://securityplanner.org/]
Electronic Frontier Foundation’s Surveillance Self-Defense guide. [https://ssd.eff.org/]
Alex Gaynor. “What happens when you type google.com into your browser's address box and press enter?" [https://github.com/alex/what-happens-when]

Digital Surveillance of Politically Vulnerable Organizations: The Threat Landscape

Stephen Arnold. “Telestrategies - An Interview with Dr. Jerry Lucas” [http://www.arnoldit.com/search-wizards-speak/telestrategies-2.html]
John Scott-Railton et al, Citizen Lab. “Bittersweet: Supporters of Mexico’s soda tax targeted with NSO exploit links” [https://citizenlab.ca/2017/02/bittersweet-nso-mexico-spyware/]

Problem Diagnosis and Reframing

Arthur Turner. “Consulting Is More Than Giving Advice” [https://hbr.org/1982/09/consulting-is-more-than-giving-advice]
Thomas Wedell-Wedellsborg. “Are You Solving the Right Problems?” [https://hbr.org/2017/01/are-you-solving-the-right-problems]

Threat Modeling & Bounding Risk Assessments

Electronic Frontier Foundation, “Surveillance Self-Defense: Your Security Plan” [https://ssd.eff.org/en/playlist/activist-or-protester#your-security-plan]
NIST SP 800-37 “Risk Management Framework for Information Systems and Organizations.” Chapter 2 only. [https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-draft-ipd.pdf or Shutdown Mirror]
NIST SP 800-39 “Managing Information Security Risk.” Chapter 2 only. [https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf or Shutdown Mirror]
NISTIR 8062 “An Introduction to Privacy Engineering and Risk Management in Federal Systems.” [https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf or Shutdown Mirror]

Contextual & Capacity Research

SAFETAG, Internews. "SAFETAG Guide" Skim to Section 2.2, then read Section 2.2 and Section 2.3. [https://safetag.org/guide/]
Read and Explore Examples About PESTLE. (use an ad-blocker!) [https://pestleanalysis.com/what-is-pestle-analysis/]
Jorge Luis Sierra. “Digital and Mobile Security for Mexican Journalists and Bloggers” [https://freedomhouse.org/sites/default/files/Digital%20and%20Mobile%20Security%20for%20Mexican%20Journalists%20and%20Bloggers.pdf]

Information Gathering

Ruba Abu-Salma et al. “Obstacles to the Adoption of Secure Communication Tools” [https://ieeexplore.ieee.org/abstract/document/7958575/]
Jeanette Blomberg et al. "An Ethnographic Approach to Design" [https://www.researchgate.net/publication/262363851_An_Ethnographic_Approach_to_Design]
Jenna Burrell. "The Field Site as a Network: A Strategy for Locating Ethnographic Research" [https://doi.org/10.1177/1525822X08329699]
Collaboration on International ICT Policy in East and Southern Africa. “Safeguarding Civil Society: Assessing Internet Freedom and the Digital Resilience of Civil Society in East Africa” - Read each chapter, but for one country only. [https://cipesa.org/?wpfb_dl=237]
Lofland and Lofland. Read Chapter 5 (66-98) "Logging Data" in "Analyzing social settings: A guide to qualitative observation and analysis" [https://searchworks.stanford.edu/view/10531063]

Open Source Research Methods, Safety, and Tools

Ian Barwise. “Open-Source Intelligence (OSINT) Reconnaissance” [https://medium.com/@z3roTrust/open-source-intelligence-osint-reconnaissance-75edd7f7dada]
Conor Fortune, Amnesty International. “Digitally dissecting atrocities – Amnesty International’s open source investigations.” [https://www.amnesty.org/en/latest/news/2018/09/digitally-dissecting-atrocities-amnesty-internationals-open-source-investigations/]
OSINT Framework [https://osintframework.com/]
OSINT.link [https://osint.link]
Travis Lishok, Protective Intelligence. “Part I: An Introduction To OSINT Research For Protective Intelligence Professionals” [https://www.protectiveintelligence.com/blog/osint-intro-for-protective-intelligence-pt1]
Travis Lishok, Protective Intelligence. “Part 2: An Introduction To OSINT Research For Protective Intelligence Professionals” [https://www.protectiveintelligence.com/blog/osint-intro-for-protective-intelligence-pt2]
SECALERTS - Automated Security Audit [https://secalerts.co/security-audit]

Security Law and Policy Factors

James C. Scott. “Seeing Like a State” - Chapter 9 [https://libcom.org/files/Seeing%20Like%20a%20State%20-%20James%20C.%20Scott.pdf]
Kim Fong et al. “A CRIMSon Tide of Data: An Assessment of Potential Privacy Problems of the Consolidate Records Information Management System” [http://people.ischool.berkeley.edu/~strush/CRIMS_FongRowlandTrush_Feb2018.pdf]

Adversary Persona Development

Julian Cohen. “Playbook Based Testing.” [https://medium.com/@HockeyInJune/playbook-based-testing-5df4b656113a]
Bill Marczak and John Scott-Railton, Citizen Lab. “Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents” [https://citizenlab.ca/2016/05/stealth-falcon/]
Nick Merrill, Daylight Security Research Lab. "Adversary Personas" [https://daylight.berkeley.edu/adversary-personas/]

Threat Scenario Development

Mitre’s ATT&CK Wiki. [https://attack.mitre.org/]
Mitre’s PRE-ATT&CK Techniques. [https://attack.mitre.org/techniques/pre/]
Mitre’s Common Vulnerabilities and Exposures search.[https://cve.mitre.org/cve/]

Changing Security Behaviors

The Engine Room. “Ties That Bind: Organisational Security for Civil Society” [https://www.theengineroom.org/civil-society-digital-security-new-research/]
Adrienne Porter Felt et al. “Improving SSL Warnings: Comprehension and Adherence” [https://dl.acm.org/citation.cfm?id=2702442]
Francesca Musiani and Ksenia Ermoshina. “What is a Good Secure Messaging Tool? The EFF Secure Messaging Scorecard and the Shaping of Digital (Usable) Security” [https://www.westminsterpapers.org/articles/10.16997/wpcc.265/]

Social Engineering and Phishing

Citizen Clinic. "Phishing Simulation Policy" [https://www.citizenclinic.io/Clinic_Infrastructure/Phishing_Simulation/]
Masashi Crete-Nishihata et al, Citizen Lab. "Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community" [https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/]]
Micah Lee, The Intercept. “It’s Impossible To Prove Your Laptop Hasn’t Been Hacked. I Spent Two Years Finding Out.” [https://theintercept.com/2018/04/28/computer-malware-tampering/]
Rachel Tobac. Social Proof Security. “How I would Hack You: Social Engineering Step-by-Step” [https://www.youtube.com/watch?v=L5J2PgGOLtE]

Designing Security Training

Electronic Frontier Foundation. “Am I the Right Person?” [https://sec.eff.org/articles/right-person-to-train]
Electronic Frontier Foundation. “How to Teach Adults” [https://sec.eff.org/articles/how-to-teach-adults]
Browse the rest of EFF’s Security Education Companion. [https://sec.eff.org/]
Rachel Weidinger et al. “How To Give A Digital Security Training” [https://medium.com/@geminiimatt/how-to-give-a-digital-security-training-4c83af667d40]
Rachel Weidinger et al. “Digital Security Training Resources for Security Trainers, Fall 2019 Edition” [https://medium.com/cryptofriends/digital-security-training-resources-for-security-trainers-spring-2017-edition-e95d9e50065e]

Psychosocial Resilience

Rated R for Resilience resource site. [https://sites.google.com/view/ratedr/basics]
Angela Chen. The Verge. “Moderating content doesn’t have to be so traumatic” [https://www.theverge.com/2019/2/27/18243359/content-moderation-mental-health-ptsd-psychology-science-facebook]
Sam Dubberley and Michele Grant. First Draft. “Journalism and Vicarious Trauma” [https://firstdraftnews.org/wp-content/uploads/2017/04/vicarioustrauma.pdf]
Sarah Jeong, Charlie Warzel, Brianna Wu, Joan Donovan. New York Times. “Everything is GamerGate” [https://www.nytimes.com/interactive/2019/08/15/opinion/gamergate-twitter.html] - Read all of the four essays.

Harmful Information (Misinformation and Harassment)

Tahmina Ansari, First Draft. “This Muslim journalist embraced social media until it ‘ruined’ his life” [https://firstdraftnews.org/this-muslim-journalist-embraced-social-media-until-it-ruined-his-life/]
Nicholas Monaco and Carly Nyst. Institute For The Future. “State-Sponsored Trolling: How Governments Are Deploying Disinformation as Part of Broader Digital Harassment Campaigns”. Read pages 3 to 21 & 45 to 51. [http://www.iftf.org/statesponsoredtrolling]
Sarah Oh and Travis L. Adkins. InterAction. “Disinformation Toolkit.” [https://staging.interaction.org/documents/disinformation-toolkit/]
Cindy Otis. USA Today. “Americans could be a bigger fake news threat than Russians in the 2020 presidential campaign” [https://www.usatoday.com/story/opinion/2019/07/19/disinformation-attacks-americans-threaten-2020-election-column/1756092001/]
Reply All podcast. “#112 The Prophet” Listen to or read transcript. [https://www.gimletmedia.com/reply-all/112-the-prophet]
Previous
Mitigation Framework
Next - Low-Resource Organizations
Introduction
Last modified 5mo ago
Copy link
Outline