Module 3, Old School INFOSEC: Basic Controls, provides an introduction to tools and other controls for students and their partner organizations to use in mitigating risks to their digital safety. This module helps bolster the capacity for individuals and organizations to compare security policy by prescription versus critical evaluation.
- Introduce students to common security controls
- Identify methods to deploy organizational policy
- Identify friction / obstacles to setting up security controls
- See Course Readings for Old School INFOSEC: Basic Controls
- This activity is to identify as many security-related activities, ideas, questions and potential misconceptions. Have students brainstorm individually or as a team answers to these questions. We suggest writing answers on sticky-notes or on a whiteboard and group the answer in similar clusters as they are shared.
- What is the one thing that everyone should do to protect themselves or their systems?
- What is one thing that everyone should avoid doing?
- What is one thing that you want to learn about cybersecurity?
- What things do we do to protect digitally ourselves?
- What things have we heard about that protect our systems?
- What are security or other digital things that we’ve been confused about?
- What things are missing from the resulting groups of suggested actions and ideas?
- Why do you think these clusters formed?
- How did we learn how to “be secure”?
- Why even “low risk” organizations need cybersecurity
- Confidentiality, Integrity, Availability
- Strong Authentication
- Multi-factor Authentication
- Strong Passwords and Password Managers
- Account Monitoring
- Automatic Updates and Software Licenses
- The Cloud
- Data Security
- Access Management
- Friction of getting existing staff on board with the new security protocols
- “This is the way we’ve always done things”: the story of the five gorillas
- Leadership buy-in vs ground floor buy-in
- Friction of getting new staff on board with existing security
- The dreaded “New Employee Handbook”
- Non-profit pressure to hit the ground running
[30 mins in-class, continue as homework] Have students set up their personal devices or assigned devices according to a default, prescribed organizational “secure” configuration or policy that you create.
- The purpose of this activity is to setup the basic security to conduct clinic work. Second, students will empathize with an onboarding process that they may propose for their future client organizations. Finally, they may gain further appreciation of the operational burdens of working in a “high security” environment.
- When possible, check on student learning by having them perform a task that demonstrates that they have completed the proper setup. For instance, students can send you an encrypted message or a secure note via a password manager. Alternatively, use admin tools from managed service providers to report whether students have enrolled in 2FA or changed passwords.
- Use the Baseline Organizational Security Guide to help you create this policy in advance of your course creation. Elements to consider:
- How might students use their personal devices or clinic-assigned devices? What device policies are required? Automatic updates?
- Will you use virtual machines? If a student’s device does not meet your minimum system requirements, how will you provide a device?
- How might students connect to the Internet? Will they use virtual private networks?
- How will students use email and collaborate via shared folders?
- How might students communicate via mobile devices, with you, their client organization, and each other?
- Consider having the students…
- Setup a password manager
- Create strong, unique passwords for their Clinic accounts
- Setup multi-factor authentication
- Setup a VPN client Install specific browsers & plugins
- Install an SSH client
- Setup an E2E encrypted messenger
- During the class activity, we’ve found it useful to have students with similar devices but different levels of technical expertise to work together. We lead the students through steps in the setup process and discuss any tricky or confusing steps in this process.
Discuss the advantages and disadvantages of prescribed security policy. Receiving instructions on how to set-up accounts without a full understanding of what each control protects may not always be a bad thing. When and why may dictating initial setup procedures be useful, especially in a non-profit organization? How might this “onboarding” process be improved?
- Being a security practitioner requires you to be intimately familiar with the steps someone could take to protect themselves: one must understand the burden on the user, learn how to communicate those steps effectively, and, most importantly, define the “protection” offered by implementing certain controls (eg. “Security keys can help which persons to protect what information from which threats in which contexts?”). At this early stage in the course, we don’t expect you to already know every reason why the clinic’s information system is setup in the above manner, but you should be asking yourself why you took certain steps and, perhaps, questioning why or how certain decisions were made.
- Write a reflection on the above communications setup process.
- What parts of the process were difficult to complete? What factors contributed to those challenges? How would you improve the process if you were guiding someone else to complete these tasks?
- Which parts of the process were easy for you to complete? What factors contributed to you having a relatively easier time with parts of this process?
- Consider your new system setup (equipment, service providers, identifiers) we’ve provided in terms of security or privacy for you and a potential client. What are the advantages of this setup? What are its disadvantages? How might we overcome those disadvantages during this course?