đź“–
đź“–
đź“–
đź“–
Citizen Clinic
Search…
Welcome to ​the Citizen Clinic Cybersecurity Education Center
Case Studies
Clinic Curriculum
Syllabus
Lesson Modules
Introduction to Public Interest Cybersecurity
Ethics and the Citizen Clinic Code of Conduct
Old School INFOSEC: Basic Controls
Digital Surveillance of Politically Vulnerable Organizations: The Threat Landscape
Problem Diagnosis and Reframing
Threat Modeling & Bounding Risk Assessments
Contextual & Capacity Research
Information Gathering
Open Source Research Methods, Safety, and Tools
Adversary Persona Development
Threat Scenario Development
Changing Security Behaviors
Social Engineering and Phishing
Designing Security Training
Psychosocial Resilience
Harmful Information (Misinformation and Harassment)
Condensed Bibliography
Low-Resource Organizations
Introduction
Section 1: Why do Low-Risk Organizations Need Cybersecurity?
Section 2: Common Cybersecurity Controls
Section 3: Additional Cybersecurity Best Practices
Appendices
Clinic Infrastructure
Virtual Private Network (VPN)
Creating Virtual Identities
Security Evaluation Framework for OSINT Tools
Powered By GitBook
Old School INFOSEC: Basic Controls

Module 3, Old School INFOSEC: Basic Controls, provides an introduction to tools and other controls for students and their partner organizations to use in mitigating risks to their digital safety. This module helps bolster the capacity for individuals and organizations to compare security policy by prescription versus critical evaluation.

  • Introduce students to common security controls
  • Identify methods to deploy organizational policy
  • Identify friction / obstacles to setting up security controls

  • See readings for Old School INFOSEC: Basic Controls

This activity is to identify as many security-related activities, ideas, questions and potential misconceptions. Have students brainstorm individually or as a team answers to these questions. We suggest writing answers on sticky-notes or on a whiteboard and group the answer in similar clusters as they are shared.
  • What is the one thing that everyone should do to protect themselves or their systems?
  • What is one thing that everyone should avoid doing?
  • What is one thing that you want to learn about cybersecurity?
Other options:
  • What things do we do to protect digitally ourselves?
  • What things have we heard about that protect our systems?
  • What are security or other digital things that we’ve been confused about?

  • What things are missing from the resulting groups of suggested actions and ideas?
  • Why do you think these clusters formed?
  • How did we learn how to “be secure”?

  • Why even “low risk” organizations need cybersecurity
    • Confidentiality, Integrity, Availability
  • Strong Authentication
    • Multi-factor Authentication
    • Strong Passwords and Password Managers
    • Account Monitoring
  • Automatic Updates and Software Licenses
  • The Cloud
    • HTTPS
    • Data Security
    • Encryption
    • Access Management
  • Friction of getting existing staff on board with the new security protocols
    • “This is the way we’ve always done things”: the story of the five gorillas
    • Leadership buy-in vs ground floor buy-in
  • Friction of getting new staff on board with existing security
    • The dreaded “New Employee Handbook”
    • Non-profit pressure to hit the ground running

[30 mins in-class, continue as homework] Have students set up their personal devices or assigned devices according to a default, prescribed organizational “secure” configuration or policy that you create.
  • The purpose of this activity is to setup the basic security to conduct clinic work. Second, students will empathize with an onboarding process that they may propose for their future client organizations. Finally, they may gain further appreciation of the operational burdens of working in a “high security” environment.
  • When possible, check on student learning by having them perform a task that demonstrates that they have completed the proper setup. For instance, students can send you an encrypted message or a secure note via a password manager. Alternatively, use admin tools from managed service providers to report whether students have enrolled in 2FA or changed passwords.
  • Use the Baseline Organizational Security Guide to help you create this policy in advance of your course creation. Elements to consider:
    • How might students use their personal devices or clinic-assigned devices? What device policies are required? Automatic updates?
    • Will you use virtual machines? If a student’s device does not meet your minimum system requirements, how will you provide a device?
    • How might students connect to the Internet? Will they use virtual private networks?
    • How will students use email and collaborate via shared folders?
    • How might students communicate via mobile devices, with you, their client organization, and each other?
    • Consider having the students...
      • Setup a password manager
      • Create strong, unique passwords for their Clinic accounts
      • Setup multi-factor authentication
      • Setup a VPN client
      • Install specific browsers & plugins
      • Install an SSH client
      • Setup an E2E encrypted messenger
  • During the class activity, we’ve found it useful to have students with similar devices but different levels of technical expertise to work together. We lead the students through steps in the setup process and discuss any tricky or confusing steps in this process.

Discuss the advantages and disadvantages of prescribed security policy. Receiving instructions on how to set-up accounts without a full understanding of what each control protects may not always be a bad thing. When and why may dictating initial setup procedures be useful, especially in a non-profit organization? How might this “onboarding” process be improved?

Complete communications setup.
Complete the communications setup (see Deepening activity) according to your Clinic protocol. Encourage students to help one another to complete or to use office hours.
Optional reflection assignment.
  • Being a security practitioner requires you to be intimately familiar with the steps someone could take to protect themselves: one must understand the burden on the user, learn how to communicate those steps effectively, and, most importantly, define the “protection” offered by implementing certain controls (eg. “Security keys can help which persons to protect what information from which threats in which contexts?”). At this early stage in the course, we don’t expect you to already know every reason why the clinic’s information system is setup in the above manner, but you should be asking yourself why you took certain steps and, perhaps, questioning why or how certain decisions were made.
  • Write a reflection on the above communications setup process. 1. What parts of the process were difficult to complete? What factors contributed to those challenges? How would you improve the process if you were guiding someone else to complete these tasks? 2. Which parts of the process were easy for you to complete? What factors contributed to you having a relatively easier time with parts of this process? 3. Consider your new system setup (equipment, service providers, identifiers) we’ve provided in terms of security or privacy for you and a potential client. What are the advantages of this setup? What are its disadvantages? How might we overcome those disadvantages during this course?
Previous
Citizen Clinic Student Code of Conduct
Next
Digital Surveillance of Politically Vulnerable Organizations: The Threat Landscape
Last modified 7mo ago
Copy link
On this page