This is the third in a series of blog posts sharing stories gleaned from audits over the years (often combined from multiple experiences, and with all identifying information removed). The goal is to share experiences and approaches that help new auditors get into the SAFETAG mindset.
SAFETAG Stories: The DDoS Outreach Strategy

The SAFETAG framework emphasizes putting the organization first and helping it prioritize its own risks. This often feels at odds with more traditional, prescriptive approaches to security audits.
SAFETAG itself began as a way to adapt professional "penetration testing" to the NGO world. To say that we learned a lot along the way would be a colossal understatement. Penetration tests are fantastic for, well, organizations with an IT team and a large budget. If your organization's focus is to support independent media, support vulnerable populations, or advance other social good outcomes, your budget is (sadly) far more limited, and your IT support is stretched to capacity just keeping systems functional and staff supported, often through remarkably creative workarounds.
To balance the real threats organizations face with the constraints of time, staff and budget they are under, SAFETAG focuses on empowering organizations to explore their own tolerance for risk, where they face risk, and how they might mitigate or reduce it in a way that respects their mission and capacity.
A simple example would be an organization that depends on individual donations through its website. The organization's reputation, the safety and reliability of its donation system, and the protection of its donors' identities and credit card or banking details are paramount to its ongoing success. It may run many odd, imperfect systems, but if it has an outdated website with well-known vulnerabilities and no clear website management plan, finding an affordable fix for that is the first priority.
My favorite actual example from an audit was working with a media and transparency organization. Among the many challenges they faced, one stood out as unusually simple to fix -- their website got reliably DDoSed and taken down every time they released a new, impactful report. We immediately suggested the free DDoS protection that Deflect.ca provides to independent media and human rights organizations. The organization politely declined, and explained that every time they got DDoSed, they went onto various social media platforms to complain about it, which ended up driving more interest in their reports. Intentionally allowing one's site to be attacked like that may sound crazy on the surface, but for this organization at the time it was part of their outreach strategy, and it worked. The organization had weighed the downtime against the attention it bought and made its own call; that call, not our textbook fix, was the right answer for them.
The magic of SAFETAG is not technical magic: not hacker tools that would be at home in Mr. Robot, Black Mirror, or The Matrix, and not expensive products. The magic of SAFETAG is listening to the organization you're working with, understanding the context it operates in, and helping make sure its practices match the threats it actually faces.
This work is scary, difficult, impossible, unending, and more -- but at the same time, it is also challenging in the best way. Actually listening to an organization and providing pragmatic, achievable next steps for improved organizational security is the most challenging -- and rewarding -- part of being an auditor.
It's easy to simply state that they need professional IT and security support. It's easy to mandate that they never again open an attachment. Neither is realistic. We do not operate in an ideal, unconstrained world. Budgets are not infinite -- if they even exist. Threats are real and have very real impacts; the example above of losing online donations pales in comparison to some of the alternatives. Yet there are real limits to what can be done. A five-person journalism outfit is not going to hire a 100k USD infosec expert and an IT team to manage its online presence -- and it cannot simply stop opening the sketchy attachments people email it promising juicy scoops.
But. But maybe that outdated website could be put behind a service like Cloudflare (or better, Deflect), and maybe they can move their email to Google and open attachments in Google Drive first, rather than on their own machines. It may not be a techno-utopia (and these are not universal recommendations! Your mileage may vary!), but the improvement to their security, achieved in a way that respects their needs and their capacity, is worth it. Imperfect but positive first steps can lead to a better culture of security within the organization, and grow its capacity to move to more advanced solutions while keeping it safer in the meantime.