2015-05digital security risk-rpt.pdf
TRANSCRIPT
-
Digital Risk Assessment Basics
Daniel Clunaigh
-
Risk Assessment?
Humans are natural security analysts. We carry out risk assessment all the time
Nobody is entirely without security measures. Everyone has some instinctive knowledge of this.
Risk assessment helps us to be more organised about it, identify gaps and take more adequate measures.
It's a process, rather than an activity, to weave into your strategic planning.
It's hard to be objective: our perception can be challenged by stress, fear, tiredness, trauma, and lack of information.
-
Digital Risk Assessment?
What? Integral part of overall risk assessment. Identifying potential threats to our sensitive digital data in a given context.
Why? To identify the most appropriate means of protecting our data in a given context.
How? Regularly updated research, monitoring and analysis, documentation according to your own preference. Key tool: Information Map
When? Ideally, constantly. At least calmly before new activities. Challenges: No evolutionary instinct for digital threats.
Perception is challenged!
-
Definition of Terms
Threat: a potentially harmful occurrence
Risk: A calculation of the probablility and potential impact of a given threat
Capacities and vulnerabilities: our characteristics resources etc which increase or reduce risk
-
Key tool: Information Map
A first step in taking more control of your information is to understand what it is, where it is, how it moves, and who can access it.
Establish & maintain a register of potential threats to your information
Establish best ways to protect your information Update regularly
-
Steps of Risk Assessment Situational analysis: Political, Economic, Social, Technological, Legal,
Environmental Identifying your vision and activities Actor mapping: Allies, adversaries, neutral parties Information mapping: What information, where stored, and how used? Security indicators: Precedents & incidents which indicate a change in
the security situation Identifying threats: Potentially harmful occurrences Analysing threats: probability and impact Our existing practices, capacities vs. gaps and vulnerabilities Identifying strategies, tools & tactics
-
Overview of steps
What information I have, and how sensitive? Technological trends in socio-political context? Actors: Who can access data? Incidents: What are the indicators/precedents? So, what are the threats? (Their probability and
impact) Take measures for protecting data: reduce
vulnerabilities, build capacities = reduce risk
-
Information Map 1: Information At Rest
Information which is stored on hard drives, USB keys, DVDs, servers, mobile phones What information? How sensitive is it? Where is it stored? Who can access it and how? (incl. Potential
adversaries) Policy: How to protect it? (e.g. Hygiene, password,
backup, periodic deletion, encryption...)
-
Information Map 2: Information in Motion
Information which 'travels' through digital channels like the Internet or Mobile Network (web browsing, emails, chats, phone calls, text messages, metadata...) What information? How sensitive is it? How does it travel (physical and geographical)? Who can access it and how? Policy: How to protect it? (VPNs, TOR, end-to-end
encryption...)
-
Essential Knowledge & Resources
How digital data is stored How data is transferred online How mobile phones store & communicate data Metadata essentials Who are your service providers? What is their relationship to your allies, sources, potential
adversaries? Sources of info on data industry & surveillance: Citizen
Lab, Privacy International, Tactical Tech, others.
-
Sharing Indicators and Incidents
Communities and support organisations can be a great source of information
Security indicators: anything out of the ordinary that may have an effect on my security
Sharing helps to identify patterns Analysing together helps to tune perception & make
decisions Get to know your devices: establish a base-line and
check regularly for anything unusual.
-
You, your communities, your sources
Threats are often shared between human rights defenders and the communities they work with
Similarly threats are often shared between journalists and their sources
You may create and exchange sensitive data together
You may be linked by meta-data (communication) They may have threats that you don't: be prepared to
go beyond your context, into theirs.
-
Useful ResourcesRisk Analysis (generally) Front Line Defenders, Workbook on Security for Human Rights Defenders
https://www.frontlinedefenders.org/files/workbook_eng.pdf Protection International, New Protection Manual for Human Rights Defenders
http://protectioninternational.org/publication/new-protection-manual-for-human-rights-defenders-3rd-edition/
Digital Security Risk Assessment (overview) Security in a Box Community Focus https://securityinabox.org/en/lgbti-africa/security-risk
Sources of Information Security in a Box: https://securityinabox.org Trackography: https://trackography.org Me and My Shadow: https://myshadow.org Citizen Lab: https://citizenlab.org Privacy International: https://privacyinternational.org
Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13