Old School INFOSEC: Basic Controls
** Summary **
Module 3, Old School INFOSEC: Basic Controls, provides an introduction to tools and other controls for students and their partner organizations to use in mitigating risks to their digital safety. This module helps bolster the capacity for individuals and organizations to compare security policy by prescription versus critical evaluation.
** Learning Objectives **
Introduce students to common security controls
Identify methods to deploy organizational policy
Identify friction / obstacles to setting up security controls
** Pre-Readings **
See readings for Old School INFOSEC: Basic Controls
** Resources **
** Activity **
This activity is to identify as many security-related activities, ideas, questions and potential misconceptions. Have students brainstorm individually or as a team answers to these questions. We suggest writing answers on sticky-notes or on a whiteboard and group the answer in similar clusters as they are shared.
What is the one thing that everyone should do to protect themselves or their systems?
What is one thing that everyone should avoid doing?
What is one thing that you want to learn about cybersecurity?
Other options:
What things do we do to protect digitally ourselves?
What things have we heard about that protect our systems?
What are security or other digital things that we’ve been confused about?
** Discussion **
What things are missing from the resulting groups of suggested actions and ideas?
Why do you think these clusters formed?
How did we learn how to “be secure”?
** Input **
Why even “low risk” organizations need cybersecurity
Confidentiality, Integrity, Availability
Strong Authentication
Multi-factor Authentication
Strong Passwords and Password Managers
Account Monitoring
Automatic Updates and Software Licenses
The Cloud
HTTPS
Data Security
Encryption
Access Management
Friction of getting existing staff on board with the new security protocols
“This is the way we’ve always done things”: the story of the five gorillas
Leadership buy-in vs ground floor buy-in
Friction of getting new staff on board with existing security
The dreaded “New Employee Handbook”
Non-profit pressure to hit the ground running
** Deepening **
[30 mins in-class, continue as homework] Have students set up their personal devices or assigned devices according to a default, prescribed organizational “secure” configuration or policy that you create.
The purpose of this activity is to setup the basic security to conduct clinic work. Second, students will empathize with an onboarding process that they may propose for their future client organizations. Finally, they may gain further appreciation of the operational burdens of working in a “high security” environment.
When possible, check on student learning by having them perform a task that demonstrates that they have completed the proper setup. For instance, students can send you an encrypted message or a secure note via a password manager. Alternatively, use admin tools from managed service providers to report whether students have enrolled in 2FA or changed passwords.
Use the Baseline Organizational Security Guide to help you create this policy in advance of your course creation. Elements to consider:
How might students use their personal devices or clinic-assigned devices? What device policies are required? Automatic updates?
Will you use virtual machines? If a student’s device does not meet your minimum system requirements, how will you provide a device?
How might students connect to the Internet? Will they use virtual private networks?
How will students use email and collaborate via shared folders?
How might students communicate via mobile devices, with you, their client organization, and each other?
Consider having the students...
Setup a password manager
Create strong, unique passwords for their Clinic accounts
Setup multi-factor authentication
Setup a VPN client
Install specific browsers & plugins
Install an SSH client
Setup an E2E encrypted messenger
During the class activity, we’ve found it useful to have students with similar devices but different levels of technical expertise to work together. We lead the students through steps in the setup process and discuss any tricky or confusing steps in this process.
** Synthesis **
Discuss the advantages and disadvantages of prescribed security policy. Receiving instructions on how to set-up accounts without a full understanding of what each control protects may not always be a bad thing. When and why may dictating initial setup procedures be useful, especially in a non-profit organization? How might this “onboarding” process be improved?
** Assignments **
Complete communications setup.
Complete the communications setup (see Deepening activity) according to your Clinic protocol. Encourage students to help one another to complete or to use office hours.
Optional reflection assignment.
Being a security practitioner requires you to be intimately familiar with the steps someone could take to protect themselves: one must understand the burden on the user, learn how to communicate those steps effectively, and, most importantly, define the “protection” offered by implementing certain controls (eg. “Security keys can help which persons to protect what information from which threats in which contexts?”). At this early stage in the course, we don’t expect you to already know every reason why the clinic’s information system is setup in the above manner, but you should be asking yourself why you took certain steps and, perhaps, questioning why or how certain decisions were made.
Write a reflection on the above communications setup process. 1. What parts of the process were difficult to complete? What factors contributed to those challenges? How would you improve the process if you were guiding someone else to complete these tasks? 2. Which parts of the process were easy for you to complete? What factors contributed to you having a relatively easier time with parts of this process? 3. Consider your new system setup (equipment, service providers, identifiers) we’ve provided in terms of security or privacy for you and a potential client. What are the advantages of this setup? What are its disadvantages? How might we overcome those disadvantages during this course?
Last updated