HOW TO USE THIS CURRICULUM

So, now that we know how big the problem is let’s start with a definition: What the heck is digital security anyway?

Digital security is a set of defensive practices and awarenesses that ensures that all your devices, data, communications, and identity markers are protected to minimize surveillance by entities or individuals that may directly or indirectly wish you harm.

By the day, the number of devices and contexts where surveillance is possible only increases. Every laptop, mobile phone, smart television, car on-board computer, or home device has the potential for data leakage and personalized surveillance.

AN ECOSYSTEM OF DIGITAL SECURITY

Digital security is part of a large ecosystem of thinking in regards to your safety. In this ecosystem each part works with the others to secure the whole. That is why we break down our modules into easily accessible part of this ecosystem.

The digital security ecosystem includes how you secure your devices and data, the way you access your network, and the means by which you protect your identity and communications. Each part of this ecosystem can be protected or it can be compromised. Our goal is to give you the tools to better understand this ecosystem and show you ways to use more disciplined practices that will help build your digital resilience.

While we are focusing only on digital communications, we encourage everyone to also think about physical and emotional threats, it's important to consider everything and to—always plan accordingly.

It's OK if this confusing! The more you start thinking about it on your own and with trusted friends the easier it will become. Promise! So let's begin.

TIP: Individuals that love their communities practice good digital security

IT’S ALL ABOUT HARM REDUCTION RIGHT NOW

In our journey toward better digital security one of the hardest lessons to accept is that there is no silver bullet of digital security. Internet security solutions, programs, and services available on the Internet can change their security settings and privacy policies without notice, possibly putting users at risk. New security updates, as well as viruses and malware, are launched every day. This means that what was secure yesterday may be vulnerable to attack today.

There is no alternative to staying aware, informed, and engaged and most importantly fighting back as a community. You are only as safe as the discipline of your digital network.

We also know that maintaining a secure environment can be hard work. At best, you have to change passwords, habits, and perhaps the software you use on your main computer or device. At worst, you have to constantly think about whether you are leaking confidential information or using unsafe practices.

Even when you know the problems, some solutions may be out of your hands. Other people may require you to continue unsafe digital security practices even after you explain the dangers. For instance, work colleagues might want you to continue to open email attachments from them, even though you know your attackers could impersonate them and send you malware. Or, you may be concerned that your main computer has already been compromised.

And you know what? All of that is ok. In order to become a digitally resilient community together we have to be patient, firm, and aware that digital security is a journey not a destination. This is why we use the harm reduction framework.

We will make mistakes, and we will also be getting stronger together. We want to be a learning community that has patience and compassion for each other during this difficult time. So ask questions, ask them frequently, and know the work you begin today will only grow if you stay committed to digital resilience tomorrow.

SIGNS OF SECURITY COMPROMISE

Many people feel safe when, in fact, they already have a compromised digital ecosystems. Do you know what the signs of compromise could be? Here is a list of some examples:

  • Passwords that change mysteriously.
  • Private messages that appear to have been read by someone else.
  • Websites that have become inaccessible from certain countries.
  • New pop-ups constantly launch from your browser.
  • Instances when your web browser redirects or crashes.
  • A rapid reduction of battery life, despite little-to-no use
  • Instances when your cursor unexpectedly moves without your direction.
  • Links from people you don’t know via Facebook, Twitter, WhatsApp, or e-mail.

If you have any of these symptoms don't panic. The best approach is to take your device to a trusted IT professional and have them take a look. Even if you don't have a security compromise these symptoms can also sometimes point to other serious problems on your machines. The point is to be aware and be proactive about problems so when a real threat arises you are ready.

HOW TO MAKE A RISK ASSESSMENT

Risk assessment is a skill that we use in many aspects of our lives. It is what we use when we think about what side of the street to walk on at night, whether we lock our doors in our houses and the numerous other calculations we make to balance risk with the effort it takes to protect ourselves from a threat.

Digital security is no different. By thinking through and mapping out the risks we face, we can make better decisions about how to stay safe and protect ourselves and networks. When you take the time to create a risk assessment model for yourself or your organization/network you can:

  • Identify your risks—specifically, the people or institutions that may pose a threat—and understand the various ways they could potentially target you.
  • Understand your current or future vulnerabilities so you can account for them.
  • Brainstorm how the vulnerabilities of the network(s) or organizations you are part of can affect you. For example, if you don’t know the technical practices of an organization or network, you may want to rethink the sensitive information you share, it may not be adequately protected.

While you are the best person to understand your own risk, make sure to research or talk to people who have a better understanding of your adversaries’ capabilities. This is especially true about digital surveillance strategies and laws that may change quickly from one day to the next.

It is important to note that in managing risks to improve security there are always trade-offs. It’s impossible to being 100% secure and digital security tools alone will not make you more secure. Ultimately, you will need to think deeply about your behaviors and practices.

Ask yourself a few questions:

What do you want to protect? Start your risk assessment with asking yourself what do you have that requires protection? Some examples of items that need protection include: personal information, sensitive communications, statistical reports, incriminating evidence, photographs, film, documentation of a movement, or written and oral histories of our communities.

Who do you want to protect it from? Thinking about adversaries can be difficult. Many people feel an inherent aversion to thinking about the people that might intend to do violence towards you and your organization. When doing this excercise know that it is okay to have a litle anxiety. It is unpleasant to think about violence period. Have compassion for yourself and know that with risk assessment you are planning for worst and this strategy will help you outhink your opponents. So take a deep breath and dig into identifying all of the opponents who might be interested in targeting what you need to keep safe. This can include police officers, intelligence agents, right-wing adversaries, movement infiltrators, and even abusive family members.

How likely is it that you will need to protect your assets? This question is all about you thinking realistically to parse between what is your anxiety around being attacked and what is the likelihood of an attack. Oftentimes when you start this part of the risk assessment people often find that there fears start to lessen because what they had imagined as a threat is not as stark and in fact only a narrow set of attacks need to be strategized around. Other times people may find they lack the experience to make this part of the assessment in which case doing this assessment with an expert can be incredibly useful so that you or your organization can move forward. In either case this is a critical part of the assessment and it will require you to make an honest and informed calculation between what level of protection does your information needd as well as how often are you exposed to a threat.

How bad are the consequences if you fail? This is where the risk assessment is asking you to really commit to thinking through the worse case scenarios of a compromise. Ask yourself what can happen if the information you care about “leaks”? Could you lose the information completely? What does this mean for you as an individual, an organization, and even your larger community?

How much trouble are you willing to go through in order to prevent those negative consequences? Having gone through thinking about the worse, you can know adequately understand how much of an investment you are willing to avoid the worst case scenarios. For example, are you willing to tighten the security on your devices, learn more about digital security principles and use best practices? Would you be willing to commit to training, new devices, and even if necessary moving if require. The severity of the threat will determine your response but it always important in your risk asssement to give yourself options of responses.

Let’s do a risk assessment for one of the following scenarios. Before you begin, here are some quick definitions:

  • Threat: An entity that can cause harm.
  • Adversary: The opposition that poses this threat.
  • Asset: Something of value that requires protecting.
  • Risk: The likelihood of a threat to a vulnerable asset.

Consider who may present themselves as potential adversaries:

  • A roommate.
  • A troll with a grudge.
  • An employer.
  • The police through an untargeted arrest at a protest.
  • The NSA targeting you.

Different adversaries have different capacities and therefore require different strategies for mitigating threats. For example, your employer may not break into your home, but they can monitor you at work. Your roommate may not set up a fake cell tower but could have direct physical access to your phone. A police arrest at a protest (generally) won’t lead to a warrant for your email, but the police could get it directly from your phone on site.

RISK ASSESSMENT MODEL

Read the chart below to get an idea of how to think through your threat model. Some skills you may not understand quite yet. But return to this table as a model after you have gone through our training or read this curriculum handbook. You will find your understanding will change as you gain digital surveillance literacy. Some visit this page often for review or better yet make your own!

THREATS RISKS POSSIBLE ADVERSERIES CURRENT CAPACITIES CAPACITIES REQUIRED
Example 1: Someone is accessing my email. • I've already shared my password.

• My password is weak and the same across multiple accounts.

• I have a habit of leaving my laptop unattended. 
• Roomates

• "Friends"

• Infiltrators 

• I will change my passwords so they are strong.

• I will no longer share my passwords with anyone.

• I won’t keep my passwords in online documents or emails. 

• I need to install a password manager so I can use strong and diverse passwords for different accounts.

• I need to set up two-factor 
Example 2: My mobile phone is confiscated at a protest. • I have a weak password on my phone lock or use fingerprint login.

• I have sensitive contacts on my phone under their real names.

• I use apps like Gmail, through which anyone who has physical access to my phone can read my email without a password.
• The police.

• Private security guards.

• Department of Homeland Security Officials.

• I can change my password so it’s stronger.

• I can remove the fingerprint login so I’m not compelled to use it unwillingly.

• I can use pseudonyms for sensitive contacts.

• I can leave my phone at home.

• I can delete non-essential apps.

• I need to encrypt my phone.
Example 3: Someone hacking my computer. • I don’t know the various ways they can hack into my computer, and I have sensitive information stored on it. • List anyone who would want to hack into your computer:
• I can keep my operating system and software up to date, and encrypt the hard drive.

• I can store sensitive files on a passwordprotected USB drive.

• I need to research the various ways in which someone can hack into my computer.


NOTE:

If you're working with an organization, https://safetag.org has both an action guide and a curricula on risk modeling. If you want to think more about your organization’s security culture, in addition to digital security, Ruckus has a great manual which you can find here.