Seems like a good general list for small businesses when there are no other security requirements to follow (PII, HIPAA, etc). If you aren't tech savvy enough to handle these rules, then at least bring someone to set these kinds of things up for you and your employees to follow. Either pay them to write up guides on how to handle it yourself in the future or have then come in every so often to check up on things.
This checklist is pretty disappointing. It's a lot of pretty empty platitudes, with no actionable info on what to actually do. Telling politicians to install updates and enable OS security features (which ones! what OS! is XP still ok if they just install all the patches?) and revoke API keys (what's an API? from what?) isn't comprehensive advice.
Contrast with https://techsolidarity.org/resources/congressional_howto.htm... which is a checklist by the person behind The Great Slate, a tech-backed grassroots Democratic funding push who has actually worked with politicians. It tells you what phone to buy, what links to click to enable more security for GMail, what app to install to have secure communications. Most politicans are about as savvy as your grandmother.
Do you know his rationale for some of the blanket statements like "always use an iPhone, never an Android device" and "never use Safari on your laptop, but it's ok to do so on your phone?" Presumably sophisticated opponents are targeting iPhones and mobile Safari as much as Android and desktop Safari
Sophisticated attackers target everything. Desktop Safari is a much softer target than Mobile Safari, and, while flagship Android devices can be made asymptotically as secure as iPhones, the median Android phone held by a campaign staffer is much less secure than the median iPhone, which is something you quickly discover when you see the menagerie of devices campaign staffers use.
The two biggest threats campaigns face are phishing and attachments. There are two good ways we know of to break attachment attacks: view attachments in cloud viewers, like Google's PDF viewer, or view them on mobile devices, where they can't trivially be clicked into monstrously insecure desktop productivity applications. Of the two approaches, the latter --- sticking to mobile devices --- is the one that can be deployed with the least amount of end-user training.
> Under no circumstances use the Tor browser (it's okay to use Tor, but do it with Chrome, and seek additional training on how to set it up).
I'm not sure I get the rational behind this one? Is it just because they are already using Chrome, so it's better to reduce the attack avenues?
Also, it seems to me if you need to use Tor, it's probably not a good idea to do so on your regular Windows desktop. Wouldn't Tails be better advice while also being more foolproof for less tech savy people?
Tor Browser might be the least safe browser on the entire Internet: it's a very specific, always-behind version of Firefox (itself not the most hardened browser) selected preferentially by sensitive targets, who have opted in to being collapsed down to a single program for exploits to target.
It remains the case that nobody has done this better than Tech Solidarity. Of course, they have the benefit of actually having done this with a bunch of campaigns, an opportunity they got by also raising money for congressional campaigns during the last cycle.
* This is way too long and full of technical jargon. Even relatively major campaigns still aren't staffed with technical experts. Very few do their own application development. The person managing IT probably has 30 other jobs.
* This "checklist" has no coherent notion of the actual threat model campaigns face. It's just a laundry list of security advice of the sort a bank would provide to a downstream business partner.
* It's extremely casual about the two biggest threats campaigns face --- phishing and attachments. Campaigns need clear, actionable advice for dealing with these, and "be careful about links" absolutely doesn't cut it --- your mental model of phishing should be that it always works, and the attack needs to be broken directly (security key authentication has the virtue of actually doing this; "two factor authentication" does not).
* It contains silly advice, like "modern anti-malware" and "install a WAF".
This list would be unimpressive and ineffective even in trying to secure a small business that actually had an IT team. I don't think it will be helpful at all to campaigns.
That's not why TS makes this recommendation. Rather: campaigns are almost universally dependent on GSuite anyways, Google has a fantastic security team and while Dropbox's has gotten better in the last few years it's still not Google, it's much easier to accidentally copy sensitive stuff into a Dropbox folder than a GDrive folder, Google Drive works especially well with Google's cloud document viewers, which is important for other reasons, and you might as well just have one cloud dependency, not several.
Also, if you use GSuite, you can notify Google that you are running for elected office and they will do extra monitoring of your GSuite account and notify you if people try to hack it.
There's still a non-zero risk of Google arbitrarily locking the account, leaving you without access to your documents, spreadsheets and presentations in Google Docs.
To make this an interesting comment you have to address the trade off between using PCs and Office software and whatever Larry sets up to store and share files and Google's stuff, and then make a convincing argument that Larry is better than Google.
Any conservative Republicans running in 2020 would have to be morons to trust their entire communications infrastructure to a company who openly opposes their policies.
(Cue jokes about how the 2nd half of that last sentence is redundant...)
I disagree, you still have to make a convincing argument that Google is more likely to risk ruining a whole bunch of their business than Larry is likely to screw up.
Campaigns should be finding ways to work with professionals from the cybersecurity sector, not looking for ways to bolster defenses on their own. The adversaries these groups face far exceed the norm when it comes to industry standards––your security admin from off the street is going to be no match for a well-determined government. You need seasoned professionals who have background across active incident response, defensive efforts, intelligence and general best practices to even stand a chance.
People who match the description above don't need to be found as much as they need a point-of-contact to campaign staff. Many of us are more than willing to dedicate the time and resources needed to advise those who wish to take security seriously, free of charge. The issue lies in the shared opaqueness of the two parties that must come together; neither know quite who to contact and both are unsure how to engage. We should not let a lack of understanding get in the way of protecting our (anyones really) election process.
That's a great way for campaigns to get lots of WAFs, intrusion detection systems, endpoint agents, and vulnerability scans. But what campaigns need is actionable advice that breaks phishing and attachment attacks. For that: they should use iPhones and, when they use their desktop computers, Yubikeys. You don't need professionals from the cybersecurity sector to make that happen (although I am one of those); you just need someone to buy a bunch of Yubikeys and spend 15 minutes with the campaign showing how to use them and telling them to be afraid of their desktop computers.
I agree with your general sentiment, but if it were that easy, we wouldn't even be having the discussion. Nation states going after a campaign are likely to succeed, it's limiting the exposure if they do. To your point, there are a number of no-brainer processes or technologies to make those compromises difficult or severely limit the damage and many do not require much to put in place. You do need someone on-staff though constantly monitoring and enforcing best practices.
Campaigns :clap-emoji: never :clap-emoji: have :clap-emoji: this :clap-emoji: person :clap-emoji: on :clap-emoji: staff.
You really have to get a sense for how ragtag a political campaign is. Startups --- themselves pretty ragtag --- are raising funds and building for an imagined future in which they're big. They might engage professional IT and security (though many don't). Campaigns aren't like that; every single one of them will be "out of business" within a year and a half. They have minimal infrastructure and a mostly volunteer staff, and there are many hundreds of them every cycle.
At best, you might suggest that the upstream service providers for campaigns, like NGP VAN, should get better at security. The DNC, for instance, has an experienced CSO. But that CSO can't do all that much for individual campaigns.
> you just need someone to buy a bunch of Yubikeys
This is so wrong it's hilarious. I've been doing computers for forever, and "security keys" are STILL a universally lousy user experience.
What happens when you lose one? How do I install multiple keys? How does their manager revoke their keys when they leave the company? And where is the server that controls all this, and how do you administer that? I could go on ...
If you have any pointers to tutorials how to do this, I'M ALL EARS. Seriously.
The purpose of a U2F key is to break phishing. You want users to use them as much as possible (on computers), but you do not depend on them being the only second factor.
So you can buy and enroll 2 keys, or just do what Google forces you to do: enroll an additional second factor, like a code generator.
I do not understand your revocation argument at all. When you let a staffer go, you lock their account. You do not care about their keys.
I'm generally a fan of Zeltser's materials for many things, but I have to echo the comments from other users here: This seems lacking. In addition to the TechSolidarity resource, the Cybersecurity Campaign PlayBook from Harvard Kennedy School's Belfer Center is pretty good:
33 comments
[ 3.3 ms ] story [ 83.5 ms ] threadContrast with https://techsolidarity.org/resources/congressional_howto.htm... which is a checklist by the person behind The Great Slate, a tech-backed grassroots Democratic funding push who has actually worked with politicians. It tells you what phone to buy, what links to click to enable more security for GMail, what app to install to have secure communications. Most politicans are about as savvy as your grandmother.
The two biggest threats campaigns face are phishing and attachments. There are two good ways we know of to break attachment attacks: view attachments in cloud viewers, like Google's PDF viewer, or view them on mobile devices, where they can't trivially be clicked into monstrously insecure desktop productivity applications. Of the two approaches, the latter --- sticking to mobile devices --- is the one that can be deployed with the least amount of end-user training.
I'm not sure I get the rational behind this one? Is it just because they are already using Chrome, so it's better to reduce the attack avenues?
Also, it seems to me if you need to use Tor, it's probably not a good idea to do so on your regular Windows desktop. Wouldn't Tails be better advice while also being more foolproof for less tech savy people?
https://techsolidarity.org/resources/congressional_howto.htm...
In comparison:
* This is way too long and full of technical jargon. Even relatively major campaigns still aren't staffed with technical experts. Very few do their own application development. The person managing IT probably has 30 other jobs.
* This "checklist" has no coherent notion of the actual threat model campaigns face. It's just a laundry list of security advice of the sort a bank would provide to a downstream business partner.
* It's extremely casual about the two biggest threats campaigns face --- phishing and attachments. Campaigns need clear, actionable advice for dealing with these, and "be careful about links" absolutely doesn't cut it --- your mental model of phishing should be that it always works, and the attack needs to be broken directly (security key authentication has the virtue of actually doing this; "two factor authentication" does not).
* It contains silly advice, like "modern anti-malware" and "install a WAF".
This list would be unimpressive and ineffective even in trying to secure a small business that actually had an IT team. I don't think it will be helpful at all to campaigns.
However, given events like this: https://thehill.com/policy/technology/406437-google-execs-la...
Any conservative Republicans running in 2020 would have to be morons to trust their entire communications infrastructure to a company who openly opposes their policies.
(Cue jokes about how the 2nd half of that last sentence is redundant...)
People who match the description above don't need to be found as much as they need a point-of-contact to campaign staff. Many of us are more than willing to dedicate the time and resources needed to advise those who wish to take security seriously, free of charge. The issue lies in the shared opaqueness of the two parties that must come together; neither know quite who to contact and both are unsure how to engage. We should not let a lack of understanding get in the way of protecting our (anyones really) election process.
You really have to get a sense for how ragtag a political campaign is. Startups --- themselves pretty ragtag --- are raising funds and building for an imagined future in which they're big. They might engage professional IT and security (though many don't). Campaigns aren't like that; every single one of them will be "out of business" within a year and a half. They have minimal infrastructure and a mostly volunteer staff, and there are many hundreds of them every cycle.
At best, you might suggest that the upstream service providers for campaigns, like NGP VAN, should get better at security. The DNC, for instance, has an experienced CSO. But that CSO can't do all that much for individual campaigns.
This is so wrong it's hilarious. I've been doing computers for forever, and "security keys" are STILL a universally lousy user experience.
What happens when you lose one? How do I install multiple keys? How does their manager revoke their keys when they leave the company? And where is the server that controls all this, and how do you administer that? I could go on ...
If you have any pointers to tutorials how to do this, I'M ALL EARS. Seriously.
So you can buy and enroll 2 keys, or just do what Google forces you to do: enroll an additional second factor, like a code generator.
I do not understand your revocation argument at all. When you let a staffer go, you lock their account. You do not care about their keys.
https://www.belfercenter.org/CyberPlaybook