The SAFETAG Curriculum has also been updated to better match the changes to the SAFETAG methodology over the past 2 years and introduce some of the clarifying context (such as the TRI approach) to selecting activities.
Based on their work training auditors in Colombia, Fundación Karisma developed a custom curriculum (in Spanish) that adapts the SAFETAG methodology to reflect the needs and context of Colombian civil society organizations. It is included as part of the 0.7.0 release and available directly from Karisma: Currículo para auditores de seguridad digital.
SAFETAG Fellows and partners gathered for a 3-day workshop in September 2018 to expand the guidance that the SAFETAG framework has for auditors to assist organizations facing emerging challenges and new technology such as increased reliance on cloud services, the Internet of Things, and more.
In addition; AccessNow developed two new activities from their work with vulnerable populations which help capture the personal aspects of organizational security.
Thanks to all the contributions and support from the fellows in creating this!
This updated content is available in the repository and as pre-compiled PDFs in the 0.7 release
New Method and Activities for reviewing organizational policies
While implicit across multiple parts of SAFETAG, this new method formalizes a review process for reviewing both formal and informal policies and practices of organizations; leveraging inputs from the Capacity Assessment methodology and adding two specific exercises, one for working with organizations with formal policies and one for identifying informal agreements and practices.
New and Updated Activities
“Night in the Life”
This activity has the auditor discuss with the staff about their practices, personal devices, software and other security capabilities that they use outside of work. This is used to develop a report component exposing how practices outside of their work can affect their personal security and that of the organization.
Doxing (also “doxxing”, or “d0xing”, a word derived from “documents”, or “docs”) consists in tracing and gathering information about someone using sources that are freely available on the internet (called OSINT, or Open Source INTelligence).
Doxing is premised on the idea that “The more you know about your target, the easier it will be to find their flaws”. A malicious actor may use this method to identify valuable information about their target. Once they have found sensitive information, they may publish this information for defamation, blackmail the target person, or use it for other goals.
This activity aims to help participants identify any unwanted personal information that may be publicly available online, and to make them aware of the risk of doxing and how to prevent it.
Cloud Provider Assessment
It is increasingly difficult to run complex organizations without some reliance on cloud-based service providers such as email hosting, web hosting, or document management/backup. Organizations (and as assisted by the auditor) should review their options in the selection of cloud providers, and in parallel consider ways to apply practices and policies to their use to meet organizational security requirements.
This activity helps auditors both enumerate the cloud providers the organization works with (formally/officially and as shadow IT infrastructure), map out what data and metadata is shared where, what access and technical controls are available, and assess risks.
Updates to Network Scanning: Assessing IoT devices
We have significantly updated and streamlined the network scanning activity to include overall guidelines for identifying and assessing IoT devices on office networks. In addition, it’s worth highlighting an entire activity devoted to working with VOIP systems.
Work still in draft
We also began a section called “Fear Mapping” to help identify, quantify, and manage fears. See issue #397 for the status and next steps.
We are happy to announce that SAFETAG’s methods are now available in Russian, Arabic, and Spanish (updated)!
Please give a huge thanks to Localization Lab and their network of expert volunteers.
Also note that we are very close to connecting the SAFETAG repository directly with the Transifex platform to streamline the translation process moving forward. SAFETAG welcomes new content in any language. If you want to create new content in our current non-English languages or add content in a new language, please contact [email protected] or submit an issue so we can help get it set up.
Said this, some of the kind of reports I’ve seen in my evaluations and from others work are:
1: The magic recipe oriented report
Simple, short and sometimes effective, usually this kind of reports have a short list of actions the organization needs to do to improve their security, sometimes this list is divided in immediate, short, medium and large term. the actions can be as short or detailed as we want them to be.
If the organization gave you only a few days to assess them they will have 5 minutes to read this list
If the organization talks the same language as us at the end of the assessment this kind of report will speed up the implementation
Is fast to built so we can help the organization to implement security measures right away
Recommendations not linked to the threat model so the organization isn’t aware of the importance of the recommendations and the order
Does not build the organization’s own agency in understanding or mitigating their risks
Could be confusing if the actions are not clear for the reader
Communicating technical things can be challenging and can cause the organization to dismiss recommendations just for not understanding them
Generally are bad for giving them to third parties giving the lack of detail
It’s difficult for the organization to reproduce the results
2: The asset oriented report
The organization generally knows what assets they have, so it’s interesting to talk in a language they can understand easily
Easy in terms of communication
Given the risk of each asset they can assess what kind of recommendations they want to apply first, owning better the security process
Is easier to share part of the report with external consultants that usually work with specific types of assets
The report is easy to collaborate on when there is more than one person running the assessment.
Depending on the structure and detail level could be difficult for the organization to reproduce the results
Depending on the structure and detail level could be challenging communicating technical things causing the organization to dismiss recommendations just for not understanding them
Could be difficult to organize when similar assets have different threat models
Could be difficult to link the specific assessment activities with the assets
Could be difficult to organize visually assets vs. risk associated vs. implementation terms
3: The activity oriented report
Another way we can order the information of the assessment is in function of the specific activities we run during the assessment. This usually leads to specify well which tools or indicators were used, making it a nice input for IT staff and consultants linked with the organization.
Allows us to build the report faster because we can feed this kind of report as a log during the process
Could be intuitive for technical audiences. Useful when the organization have IT staff and they are the most involved part during the assessment. With this format is easier for them to reproduce the results
If we want to do more activities during the process is more intuitive to add the new information to the report
The report is easy to feed by more than one people running the assessment.
Generally not the most intuitive format for the organizations given that they could not be familiar with our activities/tools
Depending on the structure and detail level could be challenging communicating technical things causing the organization to dismiss recommendations just for not understanding them
Could be difficult to organize visually activities vs. assets vs. risk associated vs. implementation terms
It doesn’t work as well for assessments that go beyond the more specific technical aspects – it is hard to bring in higher level (policy, practice) problems which do not cleanly “fit” in any one activity.
4: The super comprehensive (and sometimes dangerously long) risk oriented report
This approach without doubt is the more complete on this article, it aims to catalogue and develop 4 types of information:
Threats: coming principally from the threat modelling activity
Vulnerabilities: discovered during the execution of the assessment activities
Recommendations: developed to respond to the vulnerabilities discovered
Implementation plan: ordering the recommendations in a way that makes sense for the organization
We can have better results with this approach when we can link the vulnerabilities with the associated threats and with the correspondent recommendations, so if we are reading a recommendation we can know what vulnerabilities and threats it tries to address. Giving the reader the most important answers she/he needs.
Given the complexity of this approach is crucial to select a structure and format that makes easy to the reader reach the information he/she wants to get without distracting with noise, this could be particularly challenging when using formats like PDFs or odt/docx.
Usually everything you want to know about the assessment is on the report, facilitating the understanding of the organization especially when in the future it will be more difficult to contact us
Guarantees that the assessors are linking suggestions to identified threats and organizational priorities
It links directly the group exercise made during the assessment with the recommendations, making it easier for the organization to understand the pertinence of them
Follows an ordered process, leading an open door to automation (spoiler: working on that :wink: )
It helps the organization to keep an eye on the evolution of their threat model while implementing the recommendations, making the organization an active part in the process of follow-up and opens a door to do a better Monitoring and Evaluation of the security implementation process
Could be overwhelming to write and overwhelming to read if the format is not clear and ordered
Takes a long time to build (Careful with the need of the organization to start working fast on security measures)
Could take long time to read (Again careful with formats, if someone needs/wants to read just 5% of the report help her/him to reach quickly and effectively to that 5%)
This format requires running the threat modelling activities from SAFETAG (Which in my opinion should be the norm, but it could affect your freedom selecting the activities)
5: The awesome format that you use and we don’t know… yet
Understanding that there is no silver bullet for reporting security assessments for NGOs and independent media outlets, we can open the discussion about many other ways to present the information we gather during our assessments. If you know and/or use another approach and want to share it with this community, don’t doubt to
With all of this options and the potential combinations and variations of them, it’s virtually impossible to not have one kind of report that adapts well to our needs in each case. In our case, we usually aim for the long report in point 4 given that the information gathered for it allows us to rewrite the report to be more like the simpler versions described above. The more experience you have as an auditor, the faster you will become at identifying what type of report the organization will be able to understand the best, even if you yourself are still conceptualizing and seeking out the answers as if you were building the most comprehensive report. For instance: if the organization explicitly wants something short, they are in a bad moment in terms of security and they need to implement fast, we want to give a detailed report for IT/Management and another shorter for the Directors or for some external technical service provider; we already have everything we need. Once again, is up to you (mostly) what kind of report do you want to build and what kind of report the organization you attend needs, just remember that our ultimate goal is that they understand how secure they are and implement measures to improve their security and do a better job
*This article was written by Carlos Guerra with the input and help of Mario Felaco; of Con-nexo. *
We run organizational security training sessions, long term support and security assessments for NGOs (Non-Government Organizations) and independent media outlets at risk in Latin America. We base a lot of of our work on the SAFETAG framework and we like to promote it to new people that want to help organizations improve their security.
As previously said in the SAFETAG Stories: If you fail – TRI, TRI Again, there isn’t one unique approach on security assessments for organizations and independent media outlets; their unique structures and dynamics make it difficult to assume there is a single way to evaluate security or even a single way they can respond to our recommendations. After a few years doing SAFETAG-based assessments and security interventions, I’ve come across different ways that I and others end up building assessment reports. They can be widely different, without meaning that one report style is wrong or right. It is just a matter of knowing when is more convenient to use one approach or another. Some of the factors that can affect what kind of information and how much of it the organization could digest are:
This is the third in a series of blog posts sharing some stories gleaned from audits over the years (often combined from multiple experiences and with all identifying information removed). The goal is to share experiences and approaches to help new auditors get into the mindset of SAFETAG
SAFETAG Stories: The DDoS Outreach Strategy The SAFETAG framework emphasizes the importance of putting the organization first, and helping them prioritize their own risks. This often feels at odds with more traditional, prescriptive approaches to security audits.
SAFETAG itself began as a way to adapt professional “penetration testing” to the NGO world. To say that we learned a lot along the way would be a colossal understatement. Penetration tests are fantastic for, well, organizations with an IT team and a large budget. If your organization’s focus is to support independent media, support vulnerable populations, or advance other social good outcomes, your budget is (sadly) more limited, and your IT support is stretched to capacity in just keeping systems functional and staff supported through some of the most amazingly creative tricks possible.
To balance the real threats organizations face with the constraints of time, staff and budget they are under, SAFETAG focuses on empowering organizations to explore their own tolerance for risk, where they face risk, and how they might mitigate or reduce it in a way that respects their mission and capacity.
A simple example would be an organization which depends on individual donations through its website. The reputation of the organization, the safety and reliability of its donation system, and the protection of the identities and credit card or banking information of its donors is paramount to that organization’s ongoing success. They may have many odd, not-perfect systems, but if they have an outdated website with well-known vulnerabilities and no clear website management plan, finding an affordable solution may be the first priority.
My favorite actual example from an audit was working with a media and transparency organization. Among many challenges they faced, one stood out as unusually simple to fix – their website got reliably DDoSed and taken down every time they released a new, impactful report. We immediately suggested the free DDoS protection Deflect.ca provides for media and human rights tools. The organization politely declined, and explained that every time they got DDoS’ed, they would go onto various social media platforms to complain about that, which ended up driving more interest in their reports. Intentionally allowing one’s site to get attacked like that may sound crazy on the surface, but for this organization at the time it was part of their outreach strategy, and it worked.
The magic of SAFETAG is not technical magic, hacker tools that would be at home in Mr. Robot, Black Mirror, or the Matrix, and it’s not expensive tools. The magic of SAFETAG is listening to the organization you’re working with, understanding the context they operate in, and helping to make sure their practices match the threats they face.
This work is scary, difficult, impossible, unending, and more – but at the same time, it is also challenging in the best way. Actually listening to an organization and providing pragmatic, achievable next steps for improved organizational security is the most challenging - and rewarding - part of being an auditor.
It’s easy to simply state that they need professional IT and security support. It’s easy to mandate that they never again open an attachment. It’s unrealistic for this to happen. We do not operate in an ideal, unconstrained world. Budgets are not infinite – if they even exist. Threats are real and have very real impacts where the above example of losing online donations pale in comparison to some of the alternatives, yet there are real limits to what can be done. A five-person journalism outfit is not going to hire a 100k USD infosec expert and an IT team to manage their online presence – and they cannot simply stop opening sketchy attachments people email them promising juicy scoops.
But. But maybe that outdated website could be protected behind a service like Cloudflare (or better, Deflect), and maybe they can transition their email to Google, and use Google Drive to open attachments first. It may not be a techno-utopia, (and these are not universal recommendations! Your mileage may vary!) but the impact on their security, in a way that respects their needs and their capacity - is worth it. Imperfect but positive first steps can lead to a better culture of security within the organization, and grow their capacity to move to more advanced solutions while keeping them safer in the meantime.
This is the second in a series of blog posts sharing some stories gleaned from audits over the years (often combined from multiple experiences and with all identifying information removed). The goal is to share experiences and approaches to help new auditors get into the mindset of SAFETAG
In the previous SAFETAG Story, we explained the “TRI” approach in choosing activities which take different approaches (Technical, Research, Interpersonal) in order to TRI-angulate (!!!) the reality of what is going on at an organization. That variety is critical, but sometimes not enough.
Even within one category, sometimes one approach just doesn’t work with the organization. The activity may be geared towards a small group, but the organization is large. It may expect people to be in one room, but the organization is distributed across locations and even time zones. Sometimes, it may just not work for reasons that are not clear.
The Forgotten incident
At one audit, the audit team had gone through the normal motions of process mapping, talking about potential adversaries, ranking what risks and their impacts were not acceptable, as well as research around digital challenges faced in their country and around their issue area. After almost a week, we had simply not found any specific concerns beyond the normal outdated computers and network glitches, and were looking forward to a simple and straightforward audit findings and recommendations reporting process. SAFETAG recommends having some form of “debrief” at the end of every audit, to respect concerns and provide one last point of contact and reassurance to staff. During this, someone casually mentioned a theft from a few years back, where only the hard drives of the computers were stolen.
That… is an odd and very specific thing to steal. We had to have additional conversations to re-scope and re-prioritize some of the recommendations we had planned on providing, as well as re-think what threats this organization was actually facing.
This is a great example of a situation where multiple activities theoretically should have caught this – from initial interviews with management and technical staff, to idle chatter during “Day in the Life” style direct engagement with staff members, or any of the group activities such as process mapping, data mapping, or in particular some of the risk rating exercises where the organization discusses previous incidents. An important lesson here is that while it can sometimes feel like you are repeating work or returning to questions you think you have the answers to, it can be the only way you uncover critical information.
This is the first in a series of blog posts sharing some stories gleaned from audits over the years (often combined from multiple experiences and with all identifying information removed). The goal is to share experiences and approaches to help new auditors get into the mindset of SAFETAG
One of the most common questions we get about the SAFETAG framework is whether one has to do everything in it for it to “count” as an assessment based on SAFETAG. The answer is absolutely not.
In describing SAFETAG, I often poke fun at the inevitable result of traditional “penetration tests” against an organization. These tests try every handle, press every button, and push on every closed door of an organization’s digital (and often physical) security to map out every possible vulnerability, resulting in incredibly detailed and overwhelming reports. For many organizations, this report may not even include a clear way to prioritize how to tackle it beyond a gazillion “high” priority issues and countless “medium” and below things to also ponder.
The secret follow-up punchline however, is that SAFETAG itself is, well, an overwhelming, detailed, 300+ page behemoth itself, and will continue to grow.
Choose your own SAFETAG Adventure: Try out the “TRI” model
We are working to make working with SAFETAG feel as flexible as it was built to be. It has always been a modular, “choose-your-own-adventure” style approach to working closely with organizations to assess the risks they face, and the best path for addressing their top priorities. One important way we are doing this is by adding metadata into each activity to help auditors build a comprehensive audit plan (follow the metadata branch at https://github.com/SAFETAG/SAFETAG/tree/metadata and the issue at https://github.com/SAFETAG/SAFETAG/issues/334! Initially, we are focusing on the time each activity takes, specific skills it requires, and what “type” of activity it is.
In SAFETAG, the various activities we suggest to learn about an organization tend to fall in three broad approaches: Technical, Research, and Interpersonal. It is tempting to focus on the style of approach you as the auditor are most comfortable with - people with backgrounds in digital security training tend towards the interpersonal, people with pentesting backgrounds the technical. However, by using a combination of these, you get a clearer understanding of not only the organization’s setup and infrastructure, but how decisions are made, how policies are enforced (or not), and where there are opportunities for organizational change.
The Dropbox Effect
An illustrative story from my own auditing experience is what I call the “dropbox effect”. This story, with small changes, has come out of … many audits I’ve been a part of. It starts during the initial scoping and interviewing stage (Interpersonal!), where management and/or any technical staff will say something to the effect that the organization has made a decision to not use dropbox (or google drive, etc.), so no one is using it. Digging through provided policy documents (Research!), there may even be a section on correct storage and backup / filesharing for the organization which specifically bans dropbox. Once you start scanning networks (Technical!) and talking 1:1 with end users (Interpersonal again!) as you sit with them and look at their desktop systems (Technical again!) – a different picture emerges. Dropbox is everywhere.
So, research and initial interpersonal approaches lead you to expect that staff members are not using dropbox. Additional activities (in this case, mostly technical) reveal the exact opposite. The combination of this work will reveal the why. Perhaps the communications lead needs to regularly send very large files to a print shop, and dropbox works where email doesn’t and SBs are unsafe. Perhaps people are using it to sync family or pet photos from their home account to have as a screensaver. Perhaps some people simply never uninstalled it after the policy change, but aren’t actively using it. Any or all of these can provide a hint towards what a recommendation to resolve this difference between the organization’s policies and its actual practices. Based on the specific risks and priorities of the organization, it may be relaxing the “dropbox ban” and improving information controls and entry/exit policies instead, or actually enforcing it but finding workable, policy-compliant solutions for these specific cases.
Does the TRI concept make sense? Sound even more confusing? Let us know on the issue queue or at [email protected]
SAFETAG Fellows and partners gathered for a 3-day workshop to expand the guidance that the SAFETAG framework has for auditors to respond to advanced threats - organizations receiving phishing emails or with active malware in their systems. This will all be included in a release going live later today. Thanks to all the contributions and support from the fellows in creating this!
Responding to Advanced Threats Method
In advance of the workshop, Dlshad Othman put together a new SAFETAG method for advanced threat response paired with an analysis activity. At the workshop, we expanded this into a full-on triage approach for responding to attacks, paired with “hooks” across the framework to better identify signs of active attacks. This collection of changes makes heavy use of the activity “variant” approach to combine very similar or parallel approaches in one single activity.
The majority of the work can be found in the new “Responding to Advanced Threats” method and its related activities, detailed below.
It is important to underline that this is focused on identifying malicious activity and doing the minimal possible analysis to responsibly triage it. Deeper analysis of the specifics may happen during the report-writing phase, but it is important to not be easily derailed from completing the SAFETAG audit process. This drives home the importance of having an agreed-upon incident response plan with the organization to determine how they would prefer to respond if something that is potentially serious occurs.
New and Updated Activities
Identifying and Analyzing Suspicious Activities
Malware is a common tactic to target organizations, Malwares like RAT (Remote Access Trojan) can provide an attacker with a back-door access to a targeted machine which enables the attacker to steal information, record audio and video and run commands on the infected machine. This component provides an overview for analyzing different types of suspicious emails, files, active processes, and network traffic.
This component briefs the tools and procedures required to acquire the image (live or dead, depending on the situation) and securely handle data from a device (laptop, desktop, HDD, memory stick, USB stick, etc.) that is needed to later perform a malware analysis or forensic evidence process.
This component describes how to perform an analysis on captured evidence (e.g. hard drive image or memory dump) without altering the evidence. Any alteration, or even an environment or situation that creates the possibility of alteration, could lead to rejection of the evidence in a court of law or to malware analysis failures.
In most cases, reach out for help, there are multiple organizations which coordinate and can support malware analysis targeting NGOs. The Digital First Aid Kit has a list of organizations and in most cases secure contact details to seek support in doing advanced analysis. The Rapid Response Network, a project of CiviCERT is a consortia of these organizations who may be able to help. Citizen Lab is also well known for their analysis and research.
Technical Context Research
An important cornerstone in working with high-risk organizations is having an expansive understanding of their potential adversaries and their capabilities. This has long been guidance in SAFETAG, and at the workshop we pushed out a more structured approach to tackle this research based on Internews’ internal digital country risk assessment methodology.
Changes to Incident Response
Since its inception, SAFETAG has had a section instructing auditors to create an agreed-upon incident response plan with the organization. During the Advanced Threats workshop, we expanded on this in parallel with the overall “triage” approach.
Changes to the Interview activity and creation of a High-Risk Interview activity
For the pre-audit interview process, we have improved the formatting of the overall section and added more questions to help identify potential attacks, and added a specific “Guiding Questions for High-Risk Organisations” to dive deeper where the auditor and/or organization already suspects they are under active attack. This additional interview activity is to identify if there are any indicators that the organization may have already been attacked and/or compromised, or if someone they know has faced advanced threats. It should help identify what threats / threat actors they are dealing with, and their intent. This will help the auditor prioritize work with the organisation during the audit and follow up and understand whether the auditor has the expertise to address or understand the threat or if outside expertise is needed.
Changes to Network Scanning and Traffic Analysis
We have added some guidance to help auditors judge whether open ports and network traffic is out of the ordinary for office environments. Naturally, every office set up is different, and this will rely on the auditor conducting on-site research and analysis. These changes are in the Network Scanning and Traffic Analysis activities.
Thanks to some feedback, we’ve updated the contribution guide at CONTRIBUTING.md with clearer, step-by-step guides, a reminder to post an issue to the issue queue first, and - most usefully - templates to use to get started crafting new SAFETAG methods and activities. Those can be found in the templates folder.
Internews is launching a funding pool to diversify and scale SAFETAG across the broader human rights and digital security community. Internews is seeking to fund 10-12 individuals or teams embedded in organizations to customize SAFETAG to meet their needs, conduct SAFETAG-based assessments integrating these customizations, and share these approaches back with the SAFETAG community. Grant amounts are expected to vary based on local costs and scope, but the average grant is expected to be $25,000 USD and approximately 4 months in duration.
Winning applications must support at least two SAFETAG-based assessments of at-risk organizations working with vulnerable or marginalized communities. These assessments should be in parallel with the creation and documentation of customized approaches – new activities which work better for the applicant’s region/community/specific threats and/or a “playlist” of existing (and custom-created or modified) SAFETAG activities which best work for this community. Grantees will be expected to responsibly share the non-identifying context research (e.g. high-level country risk assessments) within the SAFETAG community and to coordinate on peer-training events to share their approach. Following each assessment, the grantee will help the recipient organization develop risk mitigation plans to address weaknesses, and either provide direct support through existing organizational programming or connect the organization to external services, goods, or funding support as needed to address their security vulnerabilities.
Throughout this entire process, the grantee will have ongoing access and mentoring from Internews’ SAFETAG team and access to the combination of skills and implementation expertise of the entire fellowship pool. Internews will work to “match-make” grantees working on similar or related challenges for peer-training opportunities.
Preference will be towards individuals embedded in organizations working in the human rights and digital security space. Individuals may also apply, but the funding mechanism may be different. Winning applications will demonstrate continued post-funding usage of and contribution to SAFETAG as a community project.
Applications are due November 17 and will be evaluated by Internews’ SAFETAG team, the SAFETAG Community Advisory Board, and in consultation with SAFETAG funders according to the criteria (and regulations) in the submission form. If funds permit a second round will be opened in 2018.
Please submit your applications via this Google Form
If you would prefer to submit this information via PGP, please send to [email protected] and [email protected], encrypting to these keys: http://pgp.mit.edu/pks/lookup?op=vindex&search=0xB46A01C3270C17F1 and http://pgp.mit.edu/pks/lookup?op=get&search=0x6316FC03DF318F76 .
Seamus Tuohy of Prudent Innovation has completed an in-depth decision tree program for auditors/assessors to answer questions and builds a detailed, plain language agreement for you to use in your engagements. It’s built in Python on Debian/Ubuntu, and available in the SAFETAG community github.
It allows auditors to provide custom fee schedules and has specific call-outs for parts of the agreement which are the most critical to have local legal advice on. Given that SAFETAG auditors operate in legal jurisdictions all over the world and in a variety of languages, the template text will focused on clarity and conciseness instead of legalese. By clearly articulating the scope and intent of the each component lawyers in different regions will be able to evaluate and update the language to support their legal code. The repository comes with an example plain language template. It includes a “base” outline template and a fine-grained template file that extends this base. By editing the base template a assessor can add/remove large sections of the agreement without searching through the fine-grained template for the text they wish to remove, which also customizes the interactive agreement process, enabling auditors to quickly re-generate new agreements with small modifications.
The project’s README file includes both an installation guide as well as usage and advance customization documentation.
Please test it out and send in feedback via the issue queue, as this will be replacing the existing “draft engagement agreement” currently in SAFETAG.
As more and more contributors are helping build SAFETAG, we realized that the existing guidance on the structure had fallen out of line with the current setup, and how the SAFETAG content is getting mapped into the Content as Code framework.
We have now updated and combined our disparate documentation on the structure of SAFETAG in light of recent feedback and (in the ongoing effort to polish the repository) have uploaded it as a CONTRIBUTING.md file
Finally, there’s an updated release (ironically not including the above documents yet) which rolls up the changes from the recent write-sprint.
An ongoing interest in the SAFETAG community has been how to use the SAFETAG framework in situations where the auditor cannot travel to the organization at all, or cannot travel to remote or multiple office locations – what can be done remotely, what can be done with help, and what gaps remain that must be accommodated? Thanks to coordination and co-funding with multiple organizations, a SAFETAG peer-training and content sprint answered these questions with new approaches and adaptations to support a variety of remote-only SAFETAG assessment work.
Content created from this training and content sprint is included with summaries below and has been compiled into an updated SAFETAG release. The content sprint approach taken with this event took advantage of the existing expertise and experience of the attendees to co-create new approaches as a peer training approach. This has the exciting add-on benefit of supporting community-sourced contributions on the SAFETAG github repository, which can be seen via the github commit and pull history
Operational Security (expanded from Physical Security)
The thought process for dealing with “remote” audits - as well as the multiple scenarios they would be most likely - also led to improved clarity on the future of the “Physical Security” module for SAFETAG. It has been transformed into an “Operational Security” section to also include activities to determine staff traveling, working remotely or from home, and the security impacts of multiple offices, especially in situations where the auditor can only assess a subset of an organization’s offices.
The organizational security methodology is focused on how to mitigate against threats that occur because of the arrangement of digital assets in the physical world – how secure are the devices at an organization’s office, where and how staff travel with organizational devices, and whether staff work outside of the office (e.g. in remote offices, at their homes, while traveling, or at cafes). Further, is organizational information accessed from personal devices, and how are those devices secured?
This also enabled the movement of some odd pieces of the framework inside of this, such as hands off discovery of wifi networks and device beacons/probes (https://github.com/SAFETAG/SAFETAG/pull/289) – transforming an awkward “module” into an activity underneath this module that fits more naturally.
Office Mapping (New)
This activity seeks to identify potential physical vulnerabilities to an organization’s information security practices by documenting the current physical layout of the office and the locations of key assets, as well as potential “external” risks such as nearby/shared office spaces. This can be done in person independently or alongside the “Guided Tour” activity, and can also be done in advance of an assessment or remotely by a willing staff member who knows where these assets are located (often a technical or administrative staff person). This can also be conducted in a multi-office or home-office environment where the auditor is unable to visit every location.
Guided Tour (Adapted to include remote support)
During this component an auditor tours the audit location(s) and flags potential risks related to physical access at that location. This can be done remotely via secure videoconference over a smartphone or tablet that can moved around the office easily. Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.
Scavenger Hunt (New)
This activity assists in identifying potential physical security concerns at an organization, particularly when an auditor cannot travel to the office location or cannot visit every office location. The scavenger hunt approach is focused on involving the organization staff members into mapping out potential threats based on the abstraction and the gamification of the physical security mapping process. See the “Risk Hunting” exercise in SaferJourno, page 19, for additional ideas and guidance on conducting this activity.
Remote Local Network Scanning and Device Assessment (Adapted)
This allows the auditor to work remotely to identify the devices on a host’s network, the services that are being used by those devices, and any protections in place, as well as to assess the security of the individual devices on the network.
Remote Facilitation (New)
Suggested approaches and methods to use if in-person facilitation for activities such as process mapping and data assessment is not possible. This may not provide as deep results as in-person facilitation, but should provide adequate level of expansion and verification needed.
We are exploring how to better present the SAFETAG content and enable auditors to explore, build and share audit plans, and contribute back to SAFETAG.
Please fill out this survey and inform the next steps of converting the content of SAFETAG into a more interactive and usable structure:
Based on the work from Berlin and revisions and feedback since, we have an updated and streamlined SAFETAG community governance document!
You can find it, alongside the Code of Conduct in the Code of Conduct file in the github repository, which contains the mission, community standards, and community governance structure.
This makes the code of conduct to better more specific, revised the community standards to reflect that the SAFETAG community is living within the orgsec.community world, and simplified the Advisory Board language to get things rolling sooner. As this becomes a self-sustained consortia, we can expand and codify additional items as necessary.
SAFETAG continues to expand its adoption among groups doing organizational security work. Towards this, we joined with a group of 15 practitioners recently in Prague who are working on all aspects of organizational security, from the audit/assessment piece through to implementation and follow-up support. We all shared experiences, resources and approaches to address our collective challenges by coalescing our understanding of what organizational security is, and how we can grow and hone our practice.
We were all very encouraged and buoyed by the depth and breadth of the collective knowledge to be tapped, and resolved to use this as a launching pad towards a larger knowledge space and a community of practice.
If you are attending the Internet Freedom Festival, we invite you to join the discussion, hear our outline of how to grow as an independent, open, and collaborative community; and if you are interested, to join efforts.
There is an initial session Thursday March 3 Noon-1 focused on building a more collaborative assessment framework based out of SAFETAG, followed up by an all-morning session scheduled for Friday 10–1, March 4. We want to hear from you about the challenges you face implementing organizational security support and your solutions; about your own organizational security systems and practices; and how you could benefit and contribute as an active member of this growing community.
This comment has been adapted from a cross-organizational posting which has included the below people and organizations:
- Ali G. Ravi, Confabium - post
- Alix Dunn, the engine room - post
- CC, EngageMedia - post
- Friedhelm Weinberg, HURIDOCS - post
- Jon Camfield, SAFETAG/Internews - post
- Karel Novotný, APC - post
- Kody Leonard, The ISC Project - post
- Kristin Antin, the engine room - post
- Maya Richman, the engine room - post
- Michael Carbone, Access Now - post
- Natasha Msonza, Digital Society of Zimbabwe
- Niels ten Oever, Article 19
- Pablo Zavala, Front Line Defenders
- Peter Steudtner, HIVOS-DIF / pantraining
- Wojtek Bogusz, Front Line Defenders
I’d be willing to wager that you, like me, have been offered “credit monitoring services” more than once in the past few years, because a place you’ve done business with or a past employer was hacked, potentially putting your personal data out on the market.
Corporations and governments, while they are struggling to keep up with hacks, do have resources and teams devoted to the battle. But smaller, much more vulnerable victims of attacks deserve our attention too.
Non-profit organizations around the world are also targeted by cybercrime, and don’t have the benefit of expensive services or personnel monitoring or protecting their systems.
And it’s not as if these small organizations don’t have valuable information — from pre-published research to healthcare data, records of environmental transgressions to election monitoring procedures — development and civil society work around the world collects reams of information that, in the wrong hands, can put an organization or its beneficiaries at risk. Even a lost smartphone or laptop will contain contracts, financial data, and private conversations embedded in the constant steam of emails.
Organizational security can feel like an impossible task, and many security audits or “penetration tests” are expensive and can be too aggressive for most small organizations. Vulnerabilities exist but fixing them are not necessarily high-priority for the organization.
Over the past two years, Internews has developed SAFETAG™ (Security Auditing Framework and Evaluation Template for Advocacy Groups) to address this challenge.
What is SAFETAG?
SAFETAG provides a framework that a digital security expert can use to help organizations identify and prioritize the risks they face and suggest a tightly-focused path to mitigating them. This path to increased safety is designed to be responsive to the actual capacity of an organization. This last element is critical. We have learned that even the best-laid plans will go to waste if the organization is not capable of implementation.
Audits based on the SAFETAG methodology start by working with the organization to explore the information and processes that they consider the most valuable.
For a media or journalism organization, for example, there might be calls and emails between a writer and confidential sources, which then turn into a working draft that is emailed between the author and editors before being sent to a webmaster to be added to the website. Are the phone calls sensitive? Should they be made over an encrypted connection? Where are the emails being stored? Work laptops? Personal smartphones? Email servers hosted by the organization?
The answers to each of these questions help the auditor and the organization think about where vulnerabilities that actually matter to the organization might be hiding. The process mixes interviews, exercises and technical verification and scanning, including documenting what the organization thinks it does versus what it actually does. The goal is to make all the organization’s processes and practices — not just the official ones — safe.
At the end of the day, SAFETAG is like the stone soup parable — the deepest impact comes from the organization taking the time to reflect on the threats they realistically face, the danger this puts them in, and their capacity to reduce these risks over time. The auditor is a catalyst with the resources to make it happen.
Another way that SAFETAG differs from more traditional security audits is that the entire framework is open source and licensed for reuse and re-mixing. Even the trademark on the name “SAFETAG” is meant to encourage organizations to adapt and build on SAFETAG — it requires auditors to avoid calling their work a “SAFETAG audit” but instead use phrases more like “based on SAFETAG.”
SAFETAG continues to evolve — as of today, Internews has trained 13 digital security auditors around the world and performed audits and risk assessments based upon the SAFETAG methodology for 20 at-risk organizations. More exciting than that, however, is organic uptake of the SAFETAG methodology. Other organizations are conducting their own versions of audits based upon SAFETAG.
The entire methodology is open and available on github, with active conversations around the future of the framework visible in the issues queue. “Compiled” versions of SAFETAG are available at https://www.SAFETAG.org .
The future of SAFETAG is to drive — and be driven by — this cross-organizational adoption. Working with this community, Internews is creating a set of practices and a common language that make up the SAFETAG “core activities,” along with with a “plug-in” type approach for advanced SAFETAG topics that auditors can provide to help organizations work through not only digital security risks, but also financial, reputational, or even legal risks.
Interested? We’d love to see you over in our issue queue!
(Image credit: Padlock: Plovdiv, Bulgaria – Rachel Titiriga/CC-BY)