TCU Wiki - User contributions [en]

Protection tips for immigrants

2025-04-01T12:35:45Z

Kristin1: Created page with "New York The Legal Aid Society’s Immigration Law Unit has a proven track record of providing comprehensive, high-quality immigration assistance to low-income New Yorkers. In these uncertain times, they have compiled a [https://legalaidnyc.org/news/critical-resources-immigrant-communities/ series of resources] to help navigate the new administration."

New York

The Legal Aid Society’s Immigration Law Unit has a proven track record of providing comprehensive, high-quality immigration assistance to low-income New Yorkers. In these uncertain times, they have compiled a [https://legalaidnyc.org/news/critical-resources-immigrant-communities/ series of resources] to help navigate the new administration.

Security resources organized by topic

2025-02-22T21:59:37Z

Kristin1: /* Security planning on specific topics */ adding a page on protecting immigrants

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Digital security assessment tools ===
[https://digiresilience.org/solutions/wellness-check/ '''Digital Wellness Check'''] by the Center for Digital Resilience - The Wellness Check Report Generator is a tool to help the community create beautiful risk assessments. You can download the tool directly from [https://gitlab.com/digiresilience/digital-wellness/wellness-check-report-generator Gitlab].

The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
* [[Guidance for purchasing devices with strong security features]]
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
* [[Use a Faraday cage to block electromagnetic transmissions from a device]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]
* [[General tips for office security]]
* [[Protection tips for immigrants]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections related to security ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

[https://totem-project.org/ '''Totem project'''] - Developed in collaboration by Greenhost and Free Press Unlimited, Totem is a '''free''' '''online learning platform''' that offers educational courses about digital security and privacy, and related tools and tactics for journalists, activists and human rights defenders in a safe, online classroom environment.

[https://advocacyassembly.org/en/courses?category=1 '''Advocacy Assembly''' online courses related to digital security] - Advocacy Assembly is a '''free e-learning platform''' featuring dozens of courses for human rights activists, campaigners and journalists.

[https://www.saferedge.com/learning '''Safer Edge''' online courses] (not free) - Safer Edge works with security, safeguarding and risk advisory professionals with a wide range of expertise, skills and experience. Team and consultants have experience working internationally in the humanitarian and development contexts in a range of risk contexts. In-house team speaks English, French, Spanish, Portuguese, Arabic and Russian.

[https://academy.amnesty.org/ '''Amnesty International's Human Rights Academy'''] is a free online learning platform that allows participants to embark on a self-paced learning journey to understand the principles of human rights and how to use them as a tool for positive change. We believe that knowledge of rights is essential for claiming them, defending them, and promoting them and hope that our courses will inspire you to take action.

[https://www.protectioninternational.org/tools/protection-manuals/ '''Protection International's Protection Manuals'''] for Human Rights Defenders - These manuals were developed to provide human rights defenders with additional knowledge and tools to improve their understanding of security and protection.

[https://www.frontlinedefenders.org/en/digital-protection-resources '''Front Line Defenders Digital Protection Resources'''] - Front Line Defenders Digital Protection programme responds to the digital security environment facing HRDs and develops tools, guides and reosources to complement its training and consultation programming.

[https://ssd.eff.org/ '''Surveillance Self-Defense'''] toolkit by Electronic Frontier Foundation - "We’re the Electronic Frontier Foundation, an independent non-profit working to protect online privacy for over thirty years. This is Surveillance Self-Defense: our expert guide to protecting you and your friends from online spying."

[https://securityinabox.org/en/ '''Security in a Box'''] primarily aims to help a global community of human rights defenders whose work puts them at risk. It has been recognized worldwide as a foundational resource for helping people at risk protect their digital security and privacy.

'''[https://www.frontlinedefenders.org/en/resource-publication/workbook-security-practical-steps-human-rights-defenders-risk Front Line Defenders Workbook on Security]''' has been inspired by the hundreds of HRDs from over 50 countries who have attended Front Line Defenders workshops on security and protection. The Workbook takes you through the steps to producing a security plan – for yourself and for your organisation (for those HRDs who are working in organisations). It follows a systematic approach for assessing your security situation and developing risk and vulnerability reduction strategies and tactics. Manual available in French, Spanish, Russian, Arabic, Turkish, Portuguese, Urdu, Somali, Dari, and Chinese.

Use a secure messaging app

2025-01-15T19:56:22Z

Kristin1: /* Recommendation: Use Signal */ updates on signal features

== Tool Recommendation: Signal ==
If you are trying to decide between using Signal, WhatsApp or Telegram, most sources would say that Signal has a better reputation for security then the others. Here are a few reasons to choose Signal (source: [https://www.pcmag.com/picks/best-secure-messaging-apps The Best Secure Messaging Apps for 2024] PC Mag)

# All of your messages are secured with E2EE and Signal is a nonprofit, so there's no reason to harvest any user data.
# The underlying technology of Signal is so successful it has been implemented by Google and Meta.

=== Reasons to avoid using WhatsApp ===
* '''Requires phone number''' and contacts list to function (However, there are [https://www.wikihow.com/Use-WhatsApp-Without-a-Phone-Number ways around] using your actual phone number)
* '''Backups (especially iCloud) may be vulnerable to surveillance''' (Source: [https://freedom.press/digisec/blog/icloud-security/#:~:text=If%20not%20encrypted%2C%20law%20enforcement,case%20showing%20subpoenaed%20WhatsApp%20messages. Freedom of the Press Foundation])
* '''Privacy of content sent via WhatsApp is questionable''', and there are reasons to not trust Meta and their contractors with your content (Source: [https://www.theregister.com/2021/09/07/whatsapp_privacy_propublica/ The Register])
* '''Hackers can break WhatsApp''' by tricking users into giving away verification codes, using spyware, sending malware as attachments, or even cloning your phone or WhatsApp account. (Source: [https://www.bitdefender.com/blog/hotforsecurity/how-scammers-gain-access-and-hack-your-whatsapp-account-and-what-you-can-do-to-protect-yourself/ BitDefender blog])
* '''Unofficial versions of WhatsApp are almost indistinguishable from the real version of WhatsApp'''. Unofficial versions of WhatsApp are insecure and compromise the privacy and security of communication. Having one person using an unofficial version of WhatsApp within a group makes all group communications vulnerable. [https://faq.whatsapp.com/1293093778117781 Here's how to know if you are using the official WhatsApp program].

== Tip: Configure your privacy settings ==
Here are features to make your phone number more private on Signal (source: [https://support.signal.org/hc/en-us/articles/6712070553754-Phone-Number-Privacy-and-Usernames Signal Support]):

# As a new default, your phone number will no longer be visible to everyone in Signal. You can [https://support.signal.org/hc/articles/6712070553754#see_me opt to display your phone number]. However, people who have your number saved in their phone’s contacts will still see your phone number, regardless of your settings, since they already know it.
# Limit [https://support.signal.org/hc/articles/6712070553754#find_me who can connect with you] on Signal via your phone number.
# Create a [https://support.signal.org/hc/articles/6712070553754#username username] to share instead of or in addition to using your phone number to connect on Signal.

=== More on Signal usernames ===
Usernames in Signal do not function like usernames on social media platforms. Signal usernames are not logins or handles that you’ll be known by on the app – they’re simply a quick way to connect without sharing a phone number. Your profile name remains whatever you set it to. Your username is not displayed on your Profile Details page, and people you message can’t see or find your username without your sharing it. Put another way, someone will need to know your exact unique username in order to start a chat with you on Signal. And Signal does not provide a searchable directory of usernames.

Usernames in Signal are designed to be easily changeable. For example, you can make a username to connect with people at a conference or to plan a group trip. Then, when it’s over, change it if you want to. Just click on your username from your Profile Details page to make the changes you want. When you change your username, your Signal contacts are not notified because your username is not visible to the people you are chatting with 1-1 or in groups.

== Tip: Use automatic disappearing messages on Signal ==
Disappearing messages (also known as Vanish mode) is a feature that makes your messages disappear once a recipient reads them or after a certain period of time. It’s a great tool for privacy protection and chat hygiene. It's an excellent feature to use if there's a risk that your phone will be viewed by someone who may be against your human rights work.

=== Disappearing messages in Signal ===
Use [https://support.signal.org/hc/en-us/articles/360007320771-Set-and-manage-disappearing-messages disappearing messages (in Signal)] to keep your message history tidy. The message will disappear from your devices after the timer has elapsed. This is not for situations where your contact is your adversary — after all, if someone who receives a disappearing message really wants a record of it, they can always use another camera to take a photo of the screen before the message disappears.

* Disappearing messages can be managed by anyone in the chat.
* The setting applies to any new messaging after the timer has been set or modified.
* Changes to the timer will sync with your linked devices.

=== Disappearing messages in WhatsApp ===
[https://faq.whatsapp.com/673193694148537 Disappearing messages] is an optional feature you can turn on for more privacy. You can set messages to disappear 24 hours, 7 days, or 90 days after they're sent unless that message is kept. The duration you choose only affects new messages in the chat, not messages you've already sent or received.

=== Disappearing messages in Messenger (Facebook) ===
[https://nordvpn.com/blog/vanish-mode/#:~:text=Vanish%20mode%20on%20Messenger%20automatically,what%20Facebook%20knows%20about%20you. Vanish mode on Messenger] automatically clears messages after the recipient has viewed them and closed the chat. This advanced feature offers Messenger users more private communication and media sharing and limits what Facebook knows about you.

== Online courses ==
Totem course on '''Secure messaging apps''' (available in [https://learn.totem-project.org/courses/course-v1:Totem+TP_SM_001+course/about EN], [https://learn.totem-project.org/courses/course-v1:Totem+TP_SM_FR+cours/about FR], [https://learn.totem-project.org/courses/course-v1:Totem+TP_SM_ES+001/about ES], [https://learn.totem-project.org/courses/course-v1:Totem+TP_SM_RU+001/about RU])

You should walk away from this course knowing<blockquote>
* What secure messaging actually is
* How to choose which secure messaging app is the best for you
* How to activate security measures, including:

* End-to-end encryption
* Disappearing messages
</blockquote>

== Articles ==
[https://www.securemessagingapps.com/ Secure Messaging Apps Comparison]

[https://www.pcmag.com/picks/best-secure-messaging-apps The Best Secure Messaging Apps for 2024] (PC Mag)

General tips for office security

2025-01-02T20:22:04Z

Kristin1: Created page with " == Check list: Office Security == ''(Source: Appendix 5 of the [https://www.frontlinedefenders.org/en/resource-publication/workbook-security-practical-steps-human-rights-defenders-risk Workbook on Security by Front Line Defenders])'' This check list is not intended to be a blueprint for security. Your own context is the key determining factor. Consider the risks and threats you face, and any vulnerabilities you have in order to supplement and personalise this list. 1...."

== Check list: Office Security ==
''(Source: Appendix 5 of the [https://www.frontlinedefenders.org/en/resource-publication/workbook-security-practical-steps-human-rights-defenders-risk Workbook on Security by Front Line Defenders])''

This check list is not intended to be a blueprint for security. Your own context is the key determining factor. Consider the risks and threats you face, and any vulnerabilities you have in order to supplement and personalise this list.

1. Emergency Contacts

* Is there a handy and up to date list with telephone numbers and addresses of other local NGOs, emergency hospitals, police, fire brigade and ambulance?

2. Technical and physical boundaries (external, internal and interior)

* Check condition and working order of external gates / fences, doors to the building, windows, walls and roof
* Check condition and working order of external lighting, alarms, cameras or video entrance phones
* Check key procedures, including that keys are kept securely and code-labelled, assignment of responsibility for controlling keys and copies, and that keys and copies are in good working order. Make sure locks are changed when keys are lost or stolen, and that such incidents are logged
* Do you have a special ‘safe’ room?
* Can the sign with your office name on it be taken down in times of increased threat to reduce your vulnerability to attack?

3. Office personnel

* Do you recruit only trustworthy people, including guards, and take up their references?
* Are all personnel trained in the relevant security plans?
* Do you have a plan in case the office is raided by the authorities, or other groups?
* Do you operate a ‘need-to-know’ policy about the most sensitive work?
* Do you maintain good dialogue with all staff, especially if you know they have financial problems or are under other pressures? (Disgruntled staff can make dangerous enemies.)
* When someone leaves the organisation, do you change security measures, passwords, keys as appropriate?

4. Visitor Admission procedures and ‘filters’

* Are admission procedures in operation for all types of visitors? Are all staff familiar with them?
* Do ask those staff members who usually carry out admission procedures if the procedures are working properly and what improvements are needed
* Do staff know what to do if an unexpected parcel arrives? (eg isolate it, do not open, call authorities)
* Do you note the names of visitors (including those attending meetings at your office)? If yes, is this information sensitive and how do you protect it? (for example by codes or encrypted files)

5. Information security (see also Appendix 14, Computer and Phone Security)

* Do you carry out regular back-ups and keep the back-ups in a safe place outside of the office?
* Do staff know not to leave any sensitive information on their desks?
* Do you have a secure system for recording confidential information, eg about clients or witnesses?
* Do you give your (physical and electronic) sensitive files secure names so they are not immediately identifiable?

6. Security in case of accidents

* Check the condition of fire extinguishers, gas valves/pipes and water taps, electricity plugs and cables and elecricity generators (where applicable)

7. Responsibility and training

* Has responsibility for office security been assigned? Is it effective?
* Is there an office security training programme? Does it cover all the areas

Security resources organized by topic

2025-01-02T20:16:47Z

Kristin1: /* Security planning on specific topics */

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Digital security assessment tools ===
[https://digiresilience.org/solutions/wellness-check/ '''Digital Wellness Check'''] by the Center for Digital Resilience - The Wellness Check Report Generator is a tool to help the community create beautiful risk assessments. You can download the tool directly from [https://gitlab.com/digiresilience/digital-wellness/wellness-check-report-generator Gitlab].

The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
* [[Guidance for purchasing devices with strong security features]]
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
* [[Use a Faraday cage to block electromagnetic transmissions from a device]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]
* [[General tips for office security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections related to security ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

[https://totem-project.org/ '''Totem project'''] - Developed in collaboration by Greenhost and Free Press Unlimited, Totem is a '''free''' '''online learning platform''' that offers educational courses about digital security and privacy, and related tools and tactics for journalists, activists and human rights defenders in a safe, online classroom environment.

[https://advocacyassembly.org/en/courses?category=1 '''Advocacy Assembly''' online courses related to digital security] - Advocacy Assembly is a '''free e-learning platform''' featuring dozens of courses for human rights activists, campaigners and journalists.

[https://www.saferedge.com/learning '''Safer Edge''' online courses] (not free) - Safer Edge works with security, safeguarding and risk advisory professionals with a wide range of expertise, skills and experience. Team and consultants have experience working internationally in the humanitarian and development contexts in a range of risk contexts. In-house team speaks English, French, Spanish, Portuguese, Arabic and Russian.

[https://academy.amnesty.org/ '''Amnesty International's Human Rights Academy'''] is a free online learning platform that allows participants to embark on a self-paced learning journey to understand the principles of human rights and how to use them as a tool for positive change. We believe that knowledge of rights is essential for claiming them, defending them, and promoting them and hope that our courses will inspire you to take action.

[https://www.protectioninternational.org/tools/protection-manuals/ '''Protection International's Protection Manuals'''] for Human Rights Defenders - These manuals were developed to provide human rights defenders with additional knowledge and tools to improve their understanding of security and protection.

[https://www.frontlinedefenders.org/en/digital-protection-resources '''Front Line Defenders Digital Protection Resources'''] - Front Line Defenders Digital Protection programme responds to the digital security environment facing HRDs and develops tools, guides and reosources to complement its training and consultation programming.

[https://ssd.eff.org/ '''Surveillance Self-Defense'''] toolkit by Electronic Frontier Foundation - "We’re the Electronic Frontier Foundation, an independent non-profit working to protect online privacy for over thirty years. This is Surveillance Self-Defense: our expert guide to protecting you and your friends from online spying."

[https://securityinabox.org/en/ '''Security in a Box'''] primarily aims to help a global community of human rights defenders whose work puts them at risk. It has been recognized worldwide as a foundational resource for helping people at risk protect their digital security and privacy.

'''[https://www.frontlinedefenders.org/en/resource-publication/workbook-security-practical-steps-human-rights-defenders-risk Front Line Defenders Workbook on Security]''' has been inspired by the hundreds of HRDs from over 50 countries who have attended Front Line Defenders workshops on security and protection. The Workbook takes you through the steps to producing a security plan – for yourself and for your organisation (for those HRDs who are working in organisations). It follows a systematic approach for assessing your security situation and developing risk and vulnerability reduction strategies and tactics. Manual available in French, Spanish, Russian, Arabic, Turkish, Portuguese, Urdu, Somali, Dari, and Chinese.

Research on transnational repression

2024-12-31T19:02:07Z

Kristin1:

== Introduction ==
What is transnational repression? It is governments reaching across borders to silence dissent among diasporas and exiles, including through assassinations, illegal deportations, abductions, digital threats, Interpol abuse, and family intimidation.

It is a daily assault on civilians everywhere — including in democracies like the United States, United Kingdom, Canada, Germany, Australia, and South Africa.

Source: https://freedomhouse.org/report/transnational-repression

== Videos ==
* [https://www.youtube.com/watch?v=FkPCec7jG5I Digital Transnational Repression Explained], by Citizen Lab
* [https://www.youtube.com/watch?v=8YcHajYQLSw Digital Transnational Repression Explained: Activists], by Citizen Lab
* [https://www.youtube.com/watch?v=N72UV-aD9r4 Gender-based Digital Transnational Repression Explained], by Citizen Lab
* [https://www.youtube.com/watch?v=3D4EjMq5FK4 Responding to Transnational Repression] - recorded panel discussion from Dec 2021
* [https://www.orionpolicy.org/orionforum/111/transnational-repression-the-long-arm-of-authoritarianism Transnational Repression: The Long Arm of Authoritarianism] (parts 1 and 2) - recorded panel discussion from Sept/Oct 2022.
* [https://www.youtube.com/watch?v=86Q_9IUosCE&t=71s Defending Democracy in Exile: Policy Responses to Transnational Repression] by Freedom House

== Reports ==

=== Research Database on Transnational Repression (TNR) ===
https://tnr-research.uwazi.io/en/

This collection of research reports can help human rights defenders better understand:

* Which TNR threats are likely or possible based on the existing evidence, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

This database was developed and curated by the Center for Victims of Torture. To contribute to this research, email research@freedomhouse.org

Reports in this database include:

* Defending Democracy in Exile: Policy Responses to Transnational Repression, report by Freedom House
* Silencing Across Borders: Transnational Repression and Digital Threats Against Exiled Activists, report by Marcus Michaelsen
* Psychological and Emotional War: Digital Transnational Repression in Canada, report by Citizen Lab
* Going after the family: Transnational repression and the proxy punishment of Middle Eastern diasporas, article co-authored with Dana M. Moss & Gillian Kennedy.

== Books ==

'''The Arab Spring Abroad: Diaspora Activism against Authoritarian Regimes''', book by Dana Moss. You can download this book for free here: https://www.cambridge.org/core/books/arab-spring-abroad/D7EC15ED46D37A2DB8CDDB83F06CC591#overview

== TNR threat categories ==

* Unlawful deportation, extradition, rendition, Interpol abuse, legal cases
** Examples: trial in absentia, initiate a criminal case in order to carry out deportation or extradition
*Physical intimidation, assault, etc
* Coercion by proxy / Threats against in-country relatives
** Examples: Opponent may harass, threaten, prosecute, and imprison family or colleagues
*Account and device hacking
** Examples: Opponents hack social media or email accounts
* Monitoring and surveillance
** Examples: Tracking and identifying HRDs, monitor family members’ conversations so they can access communications, infiltration of network through informants, surveil/monitor communication to ascertain location and activities
* Slander, harassment, disinformation campaigns
** Examples: Smear campaigns, hate speech and harassment in social media

== TNR mitigation techniques ==
{| class="wikitable"
|+
!Threat category
!Mitigation techniques
!Resources and research
|-
|Unlawful deportation, extradition, rendition, Interpol abuse, legal cases
|
|
|-
|Physical intimidation, assault, etc
|Personal safety awareness (see Umbrella app)
|
|-
|Coercion by proxy / Threats against in-country relatives
|
|[https://tnr-research.uwazi.io/en/entity/s0hrhs72n7n Going after the family: Transnational repression and the proxy punishment of Middle Eastern diasporas] (Moss, Michaelsen, Kennedy (2022))
|-
|Account and device hacking
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
|
|-
|Monitoring and surveillance
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]

* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|
|-
|Slander, harassment, disinformation campaigns
|[[How to deal with online harassment and threats]]
|
|}

Security resources organized by topic

2024-12-27T20:25:24Z

Kristin1: /* Risk mitigation */ added digital security assessment tools

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Digital security assessment tools ===
[https://digiresilience.org/solutions/wellness-check/ '''Digital Wellness Check'''] by the Center for Digital Resilience - The Wellness Check Report Generator is a tool to help the community create beautiful risk assessments. You can download the tool directly from [https://gitlab.com/digiresilience/digital-wellness/wellness-check-report-generator Gitlab].

The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
* [[Guidance for purchasing devices with strong security features]]
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
* [[Use a Faraday cage to block electromagnetic transmissions from a device]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections related to security ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

[https://totem-project.org/ '''Totem project'''] - Developed in collaboration by Greenhost and Free Press Unlimited, Totem is a '''free''' '''online learning platform''' that offers educational courses about digital security and privacy, and related tools and tactics for journalists, activists and human rights defenders in a safe, online classroom environment.

[https://advocacyassembly.org/en/courses?category=1 '''Advocacy Assembly''' online courses related to digital security] - Advocacy Assembly is a '''free e-learning platform''' featuring dozens of courses for human rights activists, campaigners and journalists.

[https://www.saferedge.com/learning '''Safer Edge''' online courses] (not free) - Safer Edge works with security, safeguarding and risk advisory professionals with a wide range of expertise, skills and experience. Team and consultants have experience working internationally in the humanitarian and development contexts in a range of risk contexts. In-house team speaks English, French, Spanish, Portuguese, Arabic and Russian.

[https://academy.amnesty.org/ '''Amnesty International's Human Rights Academy'''] is a free online learning platform that allows participants to embark on a self-paced learning journey to understand the principles of human rights and how to use them as a tool for positive change. We believe that knowledge of rights is essential for claiming them, defending them, and promoting them and hope that our courses will inspire you to take action.

[https://www.protectioninternational.org/tools/protection-manuals/ '''Protection International's Protection Manuals'''] for Human Rights Defenders - These manuals were developed to provide human rights defenders with additional knowledge and tools to improve their understanding of security and protection.

[https://www.frontlinedefenders.org/en/digital-protection-resources '''Front Line Defenders Digital Protection Resources'''] - Front Line Defenders Digital Protection programme responds to the digital security environment facing HRDs and develops tools, guides and reosources to complement its training and consultation programming.

[https://ssd.eff.org/ '''Surveillance Self-Defense'''] toolkit by Electronic Frontier Foundation - "We’re the Electronic Frontier Foundation, an independent non-profit working to protect online privacy for over thirty years. This is Surveillance Self-Defense: our expert guide to protecting you and your friends from online spying."

[https://securityinabox.org/en/ '''Security in a Box'''] primarily aims to help a global community of human rights defenders whose work puts them at risk. It has been recognized worldwide as a foundational resource for helping people at risk protect their digital security and privacy.

'''[https://www.frontlinedefenders.org/en/resource-publication/workbook-security-practical-steps-human-rights-defenders-risk Front Line Defenders Workbook on Security]''' has been inspired by the hundreds of HRDs from over 50 countries who have attended Front Line Defenders workshops on security and protection. The Workbook takes you through the steps to producing a security plan – for yourself and for your organisation (for those HRDs who are working in organisations). It follows a systematic approach for assessing your security situation and developing risk and vulnerability reduction strategies and tactics. Manual available in French, Spanish, Russian, Arabic, Turkish, Portuguese, Urdu, Somali, Dari, and Chinese.

Use a Faraday cage to block electromagnetic transmissions from a device

2024-12-19T17:51:05Z

Kristin1: Created page with "A '''Faraday cage''' or '''Faraday shield''' is an enclosure used to block some electromagnetic fields. A Faraday shield may be formed by a continuous covering of conductive material, or in the case of a Faraday cage, by a mesh of such materials. (Source: Wikipedia) Faraday bags are portable containers fabricated with metallic materials that are used to contain devices in order to protect them from electromagnetic transmissions for a wide rang..."

A '''Faraday cage''' or '''Faraday shield''' is an enclosure used to block some electromagnetic fields. A Faraday shield may be formed by a continuous covering of conductive material, or in the case of a Faraday cage, by a mesh of such materials. (Source: [[wikipedia:Faraday_cage|Wikipedia]])

Faraday bags are portable containers fabricated with metallic materials that are used to contain devices in order to protect them from electromagnetic transmissions for a wide range of applications, from enhancing digital privacy of cell telephones to protecting credit cards from RFID skimming. (Source: [[wikipedia:Faraday_cage|Wikipedia]])

There are many products out there that claim to be a Faraday cage/bag, so it's important to verify that the product adheres to the [https://standards.ieee.org/ieee/299/3090/ IEEE Standard Method for Measuring the Effectiveness of Electromagnetic Shielding Enclosures]. Make sure that the product is certified to shielding effectiveness standards '''MIL STD 188-125''' and '''IEEE 299-2006'''.

Security resources organized by topic

2024-12-19T17:45:46Z

Kristin1: /* Mitigation techniques for common threats to information */

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
* [[Guidance for purchasing devices with strong security features]]
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
* [[Use a Faraday cage to block electromagnetic transmissions from a device]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections related to security ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

[https://totem-project.org/ '''Totem project'''] - Developed in collaboration by Greenhost and Free Press Unlimited, Totem is a '''free''' '''online learning platform''' that offers educational courses about digital security and privacy, and related tools and tactics for journalists, activists and human rights defenders in a safe, online classroom environment.

[https://advocacyassembly.org/en/courses?category=1 '''Advocacy Assembly''' online courses related to digital security] - Advocacy Assembly is a '''free e-learning platform''' featuring dozens of courses for human rights activists, campaigners and journalists.

[https://www.saferedge.com/learning '''Safer Edge''' online courses] (not free) - Safer Edge works with security, safeguarding and risk advisory professionals with a wide range of expertise, skills and experience. Team and consultants have experience working internationally in the humanitarian and development contexts in a range of risk contexts. In-house team speaks English, French, Spanish, Portuguese, Arabic and Russian.

[https://academy.amnesty.org/ '''Amnesty International's Human Rights Academy'''] is a free online learning platform that allows participants to embark on a self-paced learning journey to understand the principles of human rights and how to use them as a tool for positive change. We believe that knowledge of rights is essential for claiming them, defending them, and promoting them and hope that our courses will inspire you to take action.

[https://www.protectioninternational.org/tools/protection-manuals/ '''Protection International's Protection Manuals'''] for Human Rights Defenders - These manuals were developed to provide human rights defenders with additional knowledge and tools to improve their understanding of security and protection.

[https://www.frontlinedefenders.org/en/digital-protection-resources '''Front Line Defenders Digital Protection Resources'''] - Front Line Defenders Digital Protection programme responds to the digital security environment facing HRDs and develops tools, guides and reosources to complement its training and consultation programming.

[https://ssd.eff.org/ '''Surveillance Self-Defense'''] toolkit by Electronic Frontier Foundation - "We’re the Electronic Frontier Foundation, an independent non-profit working to protect online privacy for over thirty years. This is Surveillance Self-Defense: our expert guide to protecting you and your friends from online spying."

[https://securityinabox.org/en/ '''Security in a Box'''] primarily aims to help a global community of human rights defenders whose work puts them at risk. It has been recognized worldwide as a foundational resource for helping people at risk protect their digital security and privacy.

'''[https://www.frontlinedefenders.org/en/resource-publication/workbook-security-practical-steps-human-rights-defenders-risk Front Line Defenders Workbook on Security]''' has been inspired by the hundreds of HRDs from over 50 countries who have attended Front Line Defenders workshops on security and protection. The Workbook takes you through the steps to producing a security plan – for yourself and for your organisation (for those HRDs who are working in organisations). It follows a systematic approach for assessing your security situation and developing risk and vulnerability reduction strategies and tactics. Manual available in French, Spanish, Russian, Arabic, Turkish, Portuguese, Urdu, Somali, Dari, and Chinese.

Guidance for purchasing devices with strong security features

2024-12-19T16:39:33Z

Kristin1: /* Phones */

Thinking of purchasing a new device and want some guidance on what to look for? Here is some advice, collected from a number of practitioners. (Last updated Dec 2024)

== Phones ==
When it comes to phones, it's best to get a modern phone with advanced protections on the account enabled. Most likely, this means flagship phones from '''Apple''' and '''Google'''. Both companies provide security patches and software updates for their devices for around seven years. (see [https://endoflife.date/iphone Apple iPhone end of life dates], and [https://support.google.com/nexus/answer/4457705?hl=en Google Pixel end of life dates])

Phone recommendations (based on internet search in Dec 2024):

* '''Apple iPhone''': The iPhone series, particularly the Pro Max models, are consistently considered one of the most secure smartphones due to Apple's strong security practices and updates.
* '''Google Pixel''': Google Pixel phones are another top choice with excellent security features thanks to Google's commitment to security updates and the Titan M security chip.
* '''Purism Librem 5''': This phone is specifically designed for maximum privacy with hardware kill switches to physically disconnect components like the microphone and cellular network, making it ideal for users prioritizing extreme security.

There are some helpful articles on [https://www.techradar.com/best/secure-smartphones TechRadar] and [https://cybermagazine.com/articles/top-10-phones-for-cybersecurity Cyber Magazine] on this topic.

== Laptops ==
Laptop recommendations (based on [https://www.inacom-sby.com/most-secure-business-laptops/ internet search] in Dec 2024):

* '''Apple MacBook Pro''' (2023) and '''MacBook Air with an M1 chip''' are good options for human rights defenders because it has many built-in security features (full disk encryption, protection from malware, etc). (Mac operating system)
* '''Lenovo IdeaPad Flex 5i Chromebook Plus''' is an affordable option that is secure and easy to use. (Chrome operating system)
* '''Lenovo ThinkPad''' X1 Carbon (11th Gen) is reliable and secure. (Windows operating system)
* For users of Linux operating systems, '''Purism Librem 14''' is highly recommended. (Linux operating system)

Guidance for purchasing devices with strong security features

2024-12-19T16:35:20Z

Kristin1: Created page with "Thinking of purchasing a new device and want some guidance on what to look for? Here is some advice, collected from a number of practitioners. (Last updated Dec 2024) == Phones == When it comes to phones, it's best to get a modern phone with advanced protections on the account enabled. Most likely, this means flagship phones from Apple and Google. Apple is good about providing support with security patches and software updates [https://endoflife.date/iphone for about..."

Thinking of purchasing a new device and want some guidance on what to look for? Here is some advice, collected from a number of practitioners. (Last updated Dec 2024)

== Phones ==
When it comes to phones, it's best to get a modern phone with advanced protections on the account enabled. Most likely, this means flagship phones from Apple and Google.

Apple is good about providing support with security patches and software updates [https://endoflife.date/iphone for about seven years] after the device is purchased.

Google Pixel phones are also supported for [https://support.google.com/nexus/answer/4457705?hl=en about seven years].

Phone recommendations (based on internet search in Dec 2024):

* '''Apple iPhone''': The iPhone series, particularly the Pro Max models, are consistently considered one of the most secure smartphones due to Apple's strong security practices and updates.
* '''Google Pixel''': Google Pixel phones are another top choice with excellent security features thanks to Google's commitment to security updates and the Titan M security chip.
* '''Purism Librem 5''': This phone is specifically designed for maximum privacy with hardware kill switches to physically disconnect components like the microphone and cellular network, making it ideal for users prioritizing extreme security.

There are some helpful articles on [https://www.techradar.com/best/secure-smartphones TechRadar] and [https://cybermagazine.com/articles/top-10-phones-for-cybersecurity Cyber Magazine] on this topic.

== Laptops ==
Laptop recommendations (based on [https://www.inacom-sby.com/most-secure-business-laptops/ internet search] in Dec 2024):

* '''Apple MacBook Pro''' (2023) and '''MacBook Air with an M1 chip''' are good options for human rights defenders because it has many built-in security features (full disk encryption, protection from malware, etc). (Mac operating system)
* '''Lenovo IdeaPad Flex 5i Chromebook Plus''' is an affordable option that is secure and easy to use. (Chrome operating system)
* '''Lenovo ThinkPad''' X1 Carbon (11th Gen) is reliable and secure. (Windows operating system)
* For users of Linux operating systems, '''Purism Librem 14''' is highly recommended. (Linux operating system)

Security resources organized by topic

2024-12-19T16:23:52Z

Kristin1: /* Mitigation techniques for common threats to information */

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
* [[Guidance for purchasing devices with strong security features]]
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections related to security ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

[https://totem-project.org/ '''Totem project'''] - Developed in collaboration by Greenhost and Free Press Unlimited, Totem is a '''free''' '''online learning platform''' that offers educational courses about digital security and privacy, and related tools and tactics for journalists, activists and human rights defenders in a safe, online classroom environment.

[https://advocacyassembly.org/en/courses?category=1 '''Advocacy Assembly''' online courses related to digital security] - Advocacy Assembly is a '''free e-learning platform''' featuring dozens of courses for human rights activists, campaigners and journalists.

[https://www.saferedge.com/learning '''Safer Edge''' online courses] (not free) - Safer Edge works with security, safeguarding and risk advisory professionals with a wide range of expertise, skills and experience. Team and consultants have experience working internationally in the humanitarian and development contexts in a range of risk contexts. In-house team speaks English, French, Spanish, Portuguese, Arabic and Russian.

[https://academy.amnesty.org/ '''Amnesty International's Human Rights Academy'''] is a free online learning platform that allows participants to embark on a self-paced learning journey to understand the principles of human rights and how to use them as a tool for positive change. We believe that knowledge of rights is essential for claiming them, defending them, and promoting them and hope that our courses will inspire you to take action.

[https://www.protectioninternational.org/tools/protection-manuals/ '''Protection International's Protection Manuals'''] for Human Rights Defenders - These manuals were developed to provide human rights defenders with additional knowledge and tools to improve their understanding of security and protection.

[https://www.frontlinedefenders.org/en/digital-protection-resources '''Front Line Defenders Digital Protection Resources'''] - Front Line Defenders Digital Protection programme responds to the digital security environment facing HRDs and develops tools, guides and reosources to complement its training and consultation programming.

[https://ssd.eff.org/ '''Surveillance Self-Defense'''] toolkit by Electronic Frontier Foundation - "We’re the Electronic Frontier Foundation, an independent non-profit working to protect online privacy for over thirty years. This is Surveillance Self-Defense: our expert guide to protecting you and your friends from online spying."

[https://securityinabox.org/en/ '''Security in a Box'''] primarily aims to help a global community of human rights defenders whose work puts them at risk. It has been recognized worldwide as a foundational resource for helping people at risk protect their digital security and privacy.

'''[https://www.frontlinedefenders.org/en/resource-publication/workbook-security-practical-steps-human-rights-defenders-risk Front Line Defenders Workbook on Security]''' has been inspired by the hundreds of HRDs from over 50 countries who have attended Front Line Defenders workshops on security and protection. The Workbook takes you through the steps to producing a security plan – for yourself and for your organisation (for those HRDs who are working in organisations). It follows a systematic approach for assessing your security situation and developing risk and vulnerability reduction strategies and tactics. Manual available in French, Spanish, Russian, Arabic, Turkish, Portuguese, Urdu, Somali, Dari, and Chinese.

Use a secure messaging app

2024-12-18T19:09:03Z

Kristin1: /* Reasons to avoid using WhatsApp */

== Recommendation: Use Signal ==
If you are trying to decide between using Signal, WhatsApp or Telegram, most sources would say that Signal has a better reputation for security then the others. Here are a few reasons to choose Signal (source: [https://www.pcmag.com/picks/best-secure-messaging-apps The Best Secure Messaging Apps for 2024] PC Mag)

# All of your messages are secured with E2EE and Signal is a nonprofit, so there's no reason to harvest any user data.
# The underlying technology of Signal is so successful it has been implemented by Google and Meta.

== Reasons to avoid using WhatsApp ==

* '''Requires phone number''' and contacts list to function (However, there are [https://www.wikihow.com/Use-WhatsApp-Without-a-Phone-Number ways around] using your actual phone number)
* '''Backups (especially iCloud) may be vulnerable to surveillance''' (Source: [https://freedom.press/digisec/blog/icloud-security/#:~:text=If%20not%20encrypted%2C%20law%20enforcement,case%20showing%20subpoenaed%20WhatsApp%20messages. Freedom of the Press Foundation])
* '''Privacy of content sent via WhatsApp is questionable''', and there are reasons to not trust Meta and their contractors with your content (Source: [https://www.theregister.com/2021/09/07/whatsapp_privacy_propublica/ The Register])
* '''Hackers can break WhatsApp''' by tricking users into giving away verification codes, using spyware, sending malware as attachments, or even cloning your phone or WhatsApp account. (Source: [https://www.bitdefender.com/blog/hotforsecurity/how-scammers-gain-access-and-hack-your-whatsapp-account-and-what-you-can-do-to-protect-yourself/ BitDefender blog])
* '''Unofficial versions of WhatsApp are almost indistinguishable from the real version of WhatsApp'''. Unofficial versions of WhatsApp are insecure and compromise the privacy and security of communication. Having one person using an unofficial version of WhatsApp within a group makes all group communications vulnerable. [https://faq.whatsapp.com/1293093778117781 Here's how to know if you are using the official WhatsApp program].

== Tip: use automatic disappearing messages ==
Disappearing messages (also known as Vanish mode) is a feature that makes your messages disappear once a recipient reads them or after a certain period of time. It’s a great tool for privacy protection and chat hygiene. It's an excellent feature to use if there's a risk that your phone will be viewed by someone who may be against your human rights work.

=== Disappearing messages in Signal ===
Use [https://support.signal.org/hc/en-us/articles/360007320771-Set-and-manage-disappearing-messages disappearing messages (in Signal)] to keep your message history tidy. The message will disappear from your devices after the timer has elapsed. This is not for situations where your contact is your adversary — after all, if someone who receives a disappearing message really wants a record of it, they can always use another camera to take a photo of the screen before the message disappears.

* Disappearing messages can be managed by anyone in the chat.
* The setting applies to any new messaging after the timer has been set or modified.
* Changes to the timer will sync with your linked devices.

=== Disappearing messages in WhatsApp ===
[https://faq.whatsapp.com/673193694148537 Disappearing messages] is an optional feature you can turn on for more privacy. You can set messages to disappear 24 hours, 7 days, or 90 days after they're sent unless that message is kept. The duration you choose only affects new messages in the chat, not messages you've already sent or received.

=== Disappearing messages in Messenger (Facebook) ===
[https://nordvpn.com/blog/vanish-mode/#:~:text=Vanish%20mode%20on%20Messenger%20automatically,what%20Facebook%20knows%20about%20you. Vanish mode on Messenger] automatically clears messages after the recipient has viewed them and closed the chat. This advanced feature offers Messenger users more private communication and media sharing and limits what Facebook knows about you.

== Online courses ==
Totem course on '''Secure messaging apps''' (available in [https://learn.totem-project.org/courses/course-v1:Totem+TP_SM_001+course/about EN], [https://learn.totem-project.org/courses/course-v1:Totem+TP_SM_FR+cours/about FR], [https://learn.totem-project.org/courses/course-v1:Totem+TP_SM_ES+001/about ES], [https://learn.totem-project.org/courses/course-v1:Totem+TP_SM_RU+001/about RU])

You should walk away from this course knowing<blockquote>
* What secure messaging actually is
* How to choose which secure messaging app is the best for you
* How to activate security measures, including:

* End-to-end encryption
* Disappearing messages
</blockquote>

== Articles ==
[https://www.securemessagingapps.com/ Secure Messaging Apps Comparison]

[https://www.pcmag.com/picks/best-secure-messaging-apps The Best Secure Messaging Apps for 2024] (PC Mag)

Secure your devices

2024-12-18T16:39:38Z

Kristin1: /* Keep your device or operating system up-to-date with software updates */

== Secure your device's operating system ==

=== Avoid pirated copies of operating systems ===
It is very important that you use a ''licensed'' operating system, such as Linux, Windows or Mac. A "pirated copy" of an operating system refers to a version of the OS that is illegally obtained. These pirated copies do not have a valid license and do not receive critical updates, therefore, it exposes users to security risks and potential legal issues.

=== Keep your devices or operating system up-to-date with software updates ===
Keep your licensed operating systems (and devices) up-to-date with software updates. Updates will often fix security problems in older code that attacks can exploit. Note that some older phones and operating systems may no longer be supported, even for security updates. In particular, Microsoft has made it clear that versions of Windows Vista, XP, and below will not receive fixes for even severe security problems. This means that if you use these, you cannot expect them to be secure from attackers. The same is true for OS X before 10.11 or El Capitan. (Source: [https://ssd.eff.org/module/choosing-your-tools Electronic Frontier SSD])

=== Free, open source operating systems ===
If you cannot afford to purchase a licensed Windows or Mac operating system, you can use a free and open source operating system, such as:

'''[https://www.linuxmint.com/ Linux Mint]''' is an operating system for desktop and laptop computers. It is designed to work 'out of the box' and comes fully equipped with the apps most people need. Linux Mint works on most computers. It can also be run from a live USB stick to make sure everything works fine without having to install anything.

[https://tails.net/ '''Tails'''] is a portable operating system that protects against surveillance and censorship. To use Tails, shut down the computer and start on your Tails USB stick instead of starting on Windows, macOS, or Linux. You can temporarily turn your own computer into a secure machine. You can also '''.''' You can also stay safe while using the computer of somebody else'''.''' Tails is a 1.4 GB download and takes ½ hour to install. Tails can be installed on any USB stick of 8 GB minimum. Tails works on most computers less than 10 years old. You can start again on the other operating system after you s t down Tails. You don't have to worry about the computer having viruses because Tails runs independently from the other operating system and never uses the hard disk. But, Tails cannot always protect you if you install it from a computer with viruses or if you use it on a computer with malicious hardware, like keyloggers.

== Use antivirus or anti-malware ==

=== Good practices ===
1. Know how to check if your antivirus or anti-malware app is working and updating itself.

2. Perform periodic manual scans.

3. Choose and run only one anti-malware app; if you run more than one on a device, they may interfere with each other.

[https://freedom.press/training/blog/what-about-antivirus/ What about antivirus?] Article by David Huerta (2020) of the Freedom of the Press Foundation Here's a good article
Excerpt: "Antivirus software is one of the oldest offerings available from the now billion-dollar cybersecurity industry. But what does antivirus software do to help protect our devices, what does it not do, and do we really need it?"

=== Antivirus software options ===

==== Windows ====
On Windows 10, Security in a Box recommends to turn on Windows's own anti-malware protection [https://securityplanner.consumerreports.org/tool/turn-on-windows-defender-antivirus Windows Defender]

==== Linux ====
On Linux you can manually scan your device for malware with [https://www.clamav.net/ ClamAV]. But be aware it is only a scanner, and will not monitor your system to protect you from infection. You can use it to determine whether or not a file or directory contains known malware — and it can be run from a USB memory stick in case you do not have permission to install software on the suspect computer. You may also consider using paid antivirus (e.g. ESET NOD32)

==== Windows, Linux, Mac, iOS, Android ====
Software available on multiple operating systems that offer free versions:
* [https://www.bitdefender.com BitDefender] (Android, iOS, Mac, Windows) - Warning: This can be a heavy program for many computers.
* [https://www.malwarebytes.com/ Malwarebytes] (Android, iOS, Mac, Windows). Malwarebytes full version is free for 2 week, but you can manually scan your device without time limits.
* [https://www.avast.com/ Avast antivirus] (Android, iOS, Mac, Windows)

Not recommended:
* [https://www.avg.com/ AVG antivirus] (Android, iOS, Mac, Windows)
* [https://www.avira.com/en/free-antivirus Avira antivirus] (Android, iOS, Mac, Windows)

From the community: AVG, Avira were found to be running mining operations on consumers PC and they don't offer proper protection.

Note that all antivirus and anti-malware apps collect information on how the protected devices are being used. Some of this information may be shared with companies which own them. There have been cases where this information was sold to third parties.

== Full disk encryption ==

=== For computers ===
'''Apple''' provides a built-in, full-disk encryption feature on macOS called [[wikipedia:FileVault|FileVault]]. Guide: How to encrypt your [https://ssd.eff.org/module/how-encrypt-your-iphone iPhone] (available in 10+ languages)

'''Linux''' distributions usually offer full-disk encryption when you first set up your system.

'''Windows Vista or later''' includes a full-disk encryption feature called [https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/ BitLocker]. Guide: How to encrypt your [https://ssd.eff.org/module/how-encrypt-your-windows-device Windows device] (available in 10+ languages)

=== For smartphones and tablets ===
'''Apple''' devices such as the iPhone and iPad describe it as “Data Protection” and turn it on if you set a passcode.

'''Android''' offers full-disk encryption when you first set up your device on newer devices, or anytime afterwards under its “Security” settings for all devices.

=== Disk encryption vulnerabilities ===
There are some risks related to disk encryption that you need to consider before moving forward, and find ways to mitigate these risks:
# Data is exposed as soon as it leaves the protected disk
# Data is exposed in the clear if a user session is hijacked
# Data is exposed if device credentials are compromised
# All data is protected by a single key, which means that if you lose that one key, you lose access to the device

== Disable features that create vulnerabilities (Lockdown Mode) ==
'''iPhone and Mac devices offers [https://support.apple.com/en-us/HT212650 Lockdown Mode]''' - "When Lockdown Mode is enabled, your device won’t function like it typically does. To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all. Lockdown Mode is available in iOS 16, iPadOS 16, and macOS Ventura."

Lockdown Mode covers a lot of different scenarios and reduce attack surface for attacks: remove JIT from browser, disable a lot of webkit features, block calls from unknown contacts in iMessage, remove many file types in messages etc. You can read a [https://blacktop.github.io/presentations/0x41con_2023/HTML/index.html#0 2023 analysis presentation by Blacktop].

'''Android also offers a version of [https://www.zdnet.com/article/how-to-use-the-android-lockdown-mode-and-why-you-should/ Lockdown Mode]''' - "When lockdown mode is enabled, fingerprint sensors, facial recognition, and voice recognition do not function. Once you've activated lockdown mode, the only way to gain access to your device is either via PIN, password, or pattern. One thing you must know about lockdown mode is that it's a one-time thing. In other words, once you've enabled it, it will immediately be disabled upon successful login. That means you have to re-enable lockdown mode every time you want to use it."

== Separate your phone number from your device ==
[https://theintercept.com/2017/09/28/signal-tutorial-second-phone-number/ How to use signal without giving out your phone number] (article) - A step-by-step guide to protecting your private phone number while enjoying the security of encrypted texting app Signal.
----
''Last updated June 18, 2024''

Source for this content: [https://securityinabox.org/en/phones-and-computers/malware/#use-antivirus-or-anti-malware Security in a Box]'' , [https://ssd.eff.org/ Electronic Frontier SSD], and discussions with human rights security practitioners.''

Research on transnational repression

2024-12-17T20:45:27Z

Kristin1: /* TNR mitigation techniques */

== Videos ==
* [https://www.youtube.com/watch?v=FkPCec7jG5I Digital Transnational Repression Explained], by Citizen Lab
* [https://www.youtube.com/watch?v=8YcHajYQLSw Digital Transnational Repression Explained: Activists], by Citizen Lab
* [https://www.youtube.com/watch?v=N72UV-aD9r4 Gender-based Digital Transnational Repression Explained], by Citizen Lab
* [https://www.youtube.com/watch?v=3D4EjMq5FK4 Responding to Transnational Repression] - recorded panel discussion from Dec 2021
* [https://www.orionpolicy.org/orionforum/111/transnational-repression-the-long-arm-of-authoritarianism Transnational Repression: The Long Arm of Authoritarianism] (parts 1 and 2) - recorded panel discussion from Sept/Oct 2022.
* [https://www.youtube.com/watch?v=86Q_9IUosCE&t=71s Defending Democracy in Exile: Policy Responses to Transnational Repression] by Freedom House

== Reports ==

=== Research Database on Transnational Repression (TNR) ===
https://tnr-research.uwazi.io/en/

This collection of research reports can help human rights defenders better understand:

* Which TNR threats are likely or possible based on the existing evidence, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

This database was developed and curated by the Center for Victims of Torture. To contribute to this research, email research@freedomhouse.org

Reports in this database include:

* Defending Democracy in Exile: Policy Responses to Transnational Repression, report by Freedom House
* Silencing Across Borders: Transnational Repression and Digital Threats Against Exiled Activists, report by Marcus Michaelsen
* Psychological and Emotional War: Digital Transnational Repression in Canada, report by Citizen Lab
* Going after the family: Transnational repression and the proxy punishment of Middle Eastern diasporas, article co-authored with Dana M. Moss & Gillian Kennedy.

== Books ==

'''The Arab Spring Abroad: Diaspora Activism against Authoritarian Regimes''', book by Dana Moss. You can download this book for free here: https://www.cambridge.org/core/books/arab-spring-abroad/D7EC15ED46D37A2DB8CDDB83F06CC591#overview

== TNR threat categories ==

* Unlawful deportation, extradition, rendition, Interpol abuse, legal cases
** Examples: trial in absentia, initiate a criminal case in order to carry out deportation or extradition
*Physical intimidation, assault, etc
* Coercion by proxy / Threats against in-country relatives
** Examples: Opponent may harass, threaten, prosecute, and imprison family or colleagues
*Account and device hacking
** Examples: Opponents hack social media or email accounts
* Monitoring and surveillance
** Examples: Tracking and identifying HRDs, monitor family members’ conversations so they can access communications, infiltration of network through informants, surveil/monitor communication to ascertain location and activities
* Slander, harassment, disinformation campaigns
** Examples: Smear campaigns, hate speech and harassment in social media

== TNR mitigation techniques ==
{| class="wikitable"
|+
!Threat category
!Mitigation techniques
!Resources and research
|-
|Unlawful deportation, extradition, rendition, Interpol abuse, legal cases
|
|
|-
|Physical intimidation, assault, etc
|Personal safety awareness (see Umbrella app)
|
|-
|Coercion by proxy / Threats against in-country relatives
|
|[https://tnr-research.uwazi.io/en/entity/s0hrhs72n7n Going after the family: Transnational repression and the proxy punishment of Middle Eastern diasporas] (Moss, Michaelsen, Kennedy (2022))
|-
|Account and device hacking
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
|
|-
|Monitoring and surveillance
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]

* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|
|-
|Slander, harassment, disinformation campaigns
|[[How to deal with online harassment and threats]]
|
|}

Research on transnational repression

2024-12-17T20:43:13Z

Kristin1: /* TNR mitigation techniques */

== Videos ==
* [https://www.youtube.com/watch?v=FkPCec7jG5I Digital Transnational Repression Explained], by Citizen Lab
* [https://www.youtube.com/watch?v=8YcHajYQLSw Digital Transnational Repression Explained: Activists], by Citizen Lab
* [https://www.youtube.com/watch?v=N72UV-aD9r4 Gender-based Digital Transnational Repression Explained], by Citizen Lab
* [https://www.youtube.com/watch?v=3D4EjMq5FK4 Responding to Transnational Repression] - recorded panel discussion from Dec 2021
* [https://www.orionpolicy.org/orionforum/111/transnational-repression-the-long-arm-of-authoritarianism Transnational Repression: The Long Arm of Authoritarianism] (parts 1 and 2) - recorded panel discussion from Sept/Oct 2022.
* [https://www.youtube.com/watch?v=86Q_9IUosCE&t=71s Defending Democracy in Exile: Policy Responses to Transnational Repression] by Freedom House

== Reports ==

=== Research Database on Transnational Repression (TNR) ===
https://tnr-research.uwazi.io/en/

This collection of research reports can help human rights defenders better understand:

* Which TNR threats are likely or possible based on the existing evidence, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

This database was developed and curated by the Center for Victims of Torture. To contribute to this research, email research@freedomhouse.org

Reports in this database include:

* Defending Democracy in Exile: Policy Responses to Transnational Repression, report by Freedom House
* Silencing Across Borders: Transnational Repression and Digital Threats Against Exiled Activists, report by Marcus Michaelsen
* Psychological and Emotional War: Digital Transnational Repression in Canada, report by Citizen Lab
* Going after the family: Transnational repression and the proxy punishment of Middle Eastern diasporas, article co-authored with Dana M. Moss & Gillian Kennedy.

== Books ==

'''The Arab Spring Abroad: Diaspora Activism against Authoritarian Regimes''', book by Dana Moss. You can download this book for free here: https://www.cambridge.org/core/books/arab-spring-abroad/D7EC15ED46D37A2DB8CDDB83F06CC591#overview

== TNR threat categories ==

* Unlawful deportation, extradition, rendition, Interpol abuse, legal cases
** Examples: trial in absentia, initiate a criminal case in order to carry out deportation or extradition
*Physical intimidation, assault, etc
* Coercion by proxy / Threats against in-country relatives
** Examples: Opponent may harass, threaten, prosecute, and imprison family or colleagues
*Account and device hacking
** Examples: Opponents hack social media or email accounts
* Monitoring and surveillance
** Examples: Tracking and identifying HRDs, monitor family members’ conversations so they can access communications, infiltration of network through informants, surveil/monitor communication to ascertain location and activities
* Slander, harassment, disinformation campaigns
** Examples: Smear campaigns, hate speech and harassment in social media

== TNR mitigation techniques ==
{| class="wikitable"
|+
!Threat category
!Mitigation techniques
!Resources and research
|-
|Unlawful deportation, extradition, rendition, Interpol abuse, legal cases
|
|
|-
|Physical intimidation, assault, etc
|
|
|-
|Coercion by proxy / Threats against in-country relatives
|
|[https://tnr-research.uwazi.io/en/entity/s0hrhs72n7n Going after the family: Transnational repression and the proxy punishment of Middle Eastern diasporas] (Moss, Michaelsen, Kennedy (2022))
|-
|Account and device hacking
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
|
|-
|Monitoring and surveillance
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]

* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|
|-
|Slander, harassment, disinformation campaigns
|
|
|}

Research on transnational repression

2024-12-17T20:41:49Z

Kristin1: /* TNR threat categories */

== Videos ==
* [https://www.youtube.com/watch?v=FkPCec7jG5I Digital Transnational Repression Explained], by Citizen Lab
* [https://www.youtube.com/watch?v=8YcHajYQLSw Digital Transnational Repression Explained: Activists], by Citizen Lab
* [https://www.youtube.com/watch?v=N72UV-aD9r4 Gender-based Digital Transnational Repression Explained], by Citizen Lab
* [https://www.youtube.com/watch?v=3D4EjMq5FK4 Responding to Transnational Repression] - recorded panel discussion from Dec 2021
* [https://www.orionpolicy.org/orionforum/111/transnational-repression-the-long-arm-of-authoritarianism Transnational Repression: The Long Arm of Authoritarianism] (parts 1 and 2) - recorded panel discussion from Sept/Oct 2022.
* [https://www.youtube.com/watch?v=86Q_9IUosCE&t=71s Defending Democracy in Exile: Policy Responses to Transnational Repression] by Freedom House

== Reports ==

=== Research Database on Transnational Repression (TNR) ===
https://tnr-research.uwazi.io/en/

This collection of research reports can help human rights defenders better understand:

* Which TNR threats are likely or possible based on the existing evidence, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

This database was developed and curated by the Center for Victims of Torture. To contribute to this research, email research@freedomhouse.org

Reports in this database include:

* Defending Democracy in Exile: Policy Responses to Transnational Repression, report by Freedom House
* Silencing Across Borders: Transnational Repression and Digital Threats Against Exiled Activists, report by Marcus Michaelsen
* Psychological and Emotional War: Digital Transnational Repression in Canada, report by Citizen Lab
* Going after the family: Transnational repression and the proxy punishment of Middle Eastern diasporas, article co-authored with Dana M. Moss & Gillian Kennedy.

== Books ==

'''The Arab Spring Abroad: Diaspora Activism against Authoritarian Regimes''', book by Dana Moss. You can download this book for free here: https://www.cambridge.org/core/books/arab-spring-abroad/D7EC15ED46D37A2DB8CDDB83F06CC591#overview

== TNR threat categories ==

* Unlawful deportation, extradition, rendition, Interpol abuse, legal cases
** Examples: trial in absentia, initiate a criminal case in order to carry out deportation or extradition
*Physical intimidation, assault, etc
* Coercion by proxy / Threats against in-country relatives
** Examples: Opponent may harass, threaten, prosecute, and imprison family or colleagues
*Account and device hacking
** Examples: Opponents hack social media or email accounts
* Monitoring and surveillance
** Examples: Tracking and identifying HRDs, monitor family members’ conversations so they can access communications, infiltration of network through informants, surveil/monitor communication to ascertain location and activities
* Slander, harassment, disinformation campaigns
** Examples: Smear campaigns, hate speech and harassment in social media

== TNR mitigation techniques ==
{| class="wikitable"
|+
!Threat category
!Mitigation techniques
!Resources and research
|-
|Unlawful deportation, extradition, rendition, Interpol abuse, legal cases
|
|
|-
|Physical intimidation, assault, etc
|
|
|-
|Coercion by proxy / Threats against in-country relatives
|
|[https://tnr-research.uwazi.io/en/entity/s0hrhs72n7n Going after the family: Transnational repression and the proxy punishment of Middle Eastern diasporas] (Moss, Michaelsen, Kennedy (2022))
|-
|Account and device hacking
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|
|-
|Monitoring and surveillance
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]

* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|
|-
|Slander, harassment, disinformation campaigns
|
|
|}

Research on transnational repression

2024-12-17T20:34:50Z

Kristin1: /* TNR threat categories */

Research on transnational repression

2024-12-16T17:31:12Z

Kristin1: /* TNR threat categories */ added physical intimidation

Resources for At-Risk Digital Rights Defenders

2024-12-16T13:52:15Z

Kristin1: /* Relocation and resettlement support specifically for HRDs at risk */ added mccain institute

''Team CommUNITY attempts to recommend evergreen resources, due to changing and variable funding landscapes, resources may appear out of date.''

== Well-being and Resilience ==

=== '''Programs that provide mental health services''' ===
'''ipso-care''': empathy international (Global) - [https://ipso-care.com/home.html ipso-care] offers personal, strictly confidential client-orientated tele-video sessions through the client portal. (Global)

'''Open Briefing''' (Global) - [https://www.openbriefing.org/support/referral/ Open Briefing] operates a rapid response mechanism to provide fully-funded holistic security mentoring and remote accompaniment to human rights defenders and other civic society actors at risk of physical, digital, or psychological harm. (Global)

Other:
* [https://vita-activa.org/ Vita Activa] is a helpline that provides online support and strategic solutions for women and LGBTIQ+ journalists, activists and gender, land and labor rights, and freedom of expression defenders. If you are experiencing stress, trauma, crisis, burnout and/or if you are facing gender based violence, contact them: apoyo@vita-activa.org (ESP) | support@vita-activa.org (ENG) | +52155-8171-1117 (Signal, Whatsapp, Telegram) (Focus is on Latin America)
* [https://irct.org/our-members/ Global list of torture treatment centers] from the International Rehabilitation Council for Torture Victims (IRCT) (Global)
* [https://www.hrresilience.org/programs.html List of mental health programs and centers] curated by The Human Rights Resilience Project
* [https://nqttcn.com/en/community-resources/ The National Queer and Trans Therapists of Color Network (NQTTCN) community resources] (United States resources)

=== '''Resources, research and guides''' ===
Self-guided, '''free online courses and guides''' designed for HRDs and journalists, available in various languages:
[[File:Tree in Turku, Finland by Miikka A..png|thumb|Miikka A.]]
* [https://learn.totem-project.org/courses/course-v1:IWPR+IWPR_AH_EN+001/about Taking care of your mental health] - In this course by Totem Project, you will learn different techniques to manage stress and thus acquire tools with which to regulate emotions and perform better in your work and personal life. These techniques will help you to attain a better quality of life and better understand the importance of mental hygiene.
* [https://www.frontlinedefenders.org/en/resources-wellbeing-stress-management Resources for Wellbeing & Stress Management] by Front Line Defenders
* [https://learn.totem-project.org/courses/course-v1:IWPR+IWPR_PAP_EN+001/about Psychological First Aid] - Take this course if you want to learn how to help those who need psychological support and to know what tools you should use to safeguard your own mental health in situations so requiring.
* [https://learn.totem-project.org/courses/course-v1:IWPR+IWPR_PPC_EN+001/about Psychological preparation before and after a reporting assignment] by Totem Project - This course will help you systematize and become aware of the steps, strategies and tools needed for safe news reporting from a psycho-emotional perspective and, in turn, help you emotionally detach yourself from the event.
* An online collection of [https://proqol.org/self-care-tools-1 self-care protocols] by the Center for Victims of Torture.
* Facilitated online course titled [https://thekairosproject.org/virtual-programme-series/building-resilience/ Being well; building resilience] hosted by the Kairos Project.
* [https://coping-with-prison.org/ Coping with Prison] - A collection of resources for HRDs who are preparing to go to prison, and for their families, lawyers and supporters.
* [https://integratedsecuritymanual.org/what-is-integrated-security The Integrated Security Manual] is a collection of group activities for facilitators interested in opening up a space to talk about the connection between human rights work, well-being and security.
* [https://sur.conectas.org/en/self-care-as-a-political-strategy/ Self-Care as a Political Strategy] (article) - Adopting a self-care approach not only ensures the sustainability of social movements, but also constitutes an ethical-political viewpoint that looks at the practices and relations established at work at the personal and collective level. This article also discusses the experience of Casa La Serena, a place of rest and healing for women human rights defenders.
* [https://www.iwmf.org/mental-health-guide/ Mental Health Guide for Journalists Facing Online Violence] by the International Women’s Media Foundation provides:
** Downloadable exercises to help manage the mental health toll of online abuse
** Information to understand the psychological reasons why abusers attack online
** Self-assessments to address how online violence affects one’s well being
** Resources and organizations that can support journalists when facing online violence

==== Research articles and reports: ====

* [https://hrlr.law.columbia.edu/hrlr-online/trauma-depression-and-burnout-in-the-human-rights-field-identifying-barriers-and-pathways-to-resilient-advocacy/ Trauma, Depression, and Burnout in the Human Rights Field: Identifying Barriers and Pathways to Resilient Advocacy] (2018)
* [https://www.hrresilience.org/uploads/1/1/6/2/116243539/190820_executive_summary_from_a_culture_of_unwellness_bluebooked.pdf From a “Culture of Unwellness” to Sustainable Advocacy: Organizational Responses to Mental Health Risks in the Human Rights Field] (2019) - This study examines how organizations may respond to HRDs mental health. It also addresses some steps that organizations can take to improve the well-being of human rights advocates.
* [https://static1.squarespace.com/static/5f5274d8c4e54f6ba3b7f7d4/t/60e5c4718b8e5a01c01653b9/1625670778427/Community+Report+2020_Building+Stronger+Communities_FINAL.pdf Community Health Report 2020: The case for mental health support for digital rights defenders by Team CommUNITY]
* [https://static1.squarespace.com/static/5f5274d8c4e54f6ba3b7f7d4/t/628bcd743e43ad3d0070bd09/1653329271383/Pathways+to+Organizational+Recovery-CHR-23May22-Final.pdf Pathways to Organizational Recovery] (2022) by Team CommUNITY

=== '''Well-being and resilience grants for HRDs''' ===
[https://www.csolifeline.org/resiliency-grants '''Lifeline rapid response resiliency grants'''] provide support to at-risk CSOs to proactively avoid or mitigate the threats they face and help them continue to work in high-risk environments. These grants are highly flexible and support a range of activities including digital or physical security training; technical training on how to respond to restrictive CSO legislation; building peer-to-peer support networks, or establishing temporary collaborative space to help CSOs return to work.

=== '''Temporary relocation programs for study, rest and respite''' ===
[[File:Matese Fields.png|thumb|Matese Fields]]
[https://sheltercity.org/about-us/ '''Shelter City'''] is a global movement of cities, organizations and people who stand side by side with human rights defenders at risk. We offer them a safe and inspiring space where they re-energize, receive tailormade support and engage with allies to reinforce their local actions for change.

[https://icorn.org/what-icorn '''The International Cities of Refuge Network (ICORN)'''] is an independent organization of cities and regions offering shelter to writers and artists at risk, advancing freedom of expression, defending democratic values and promoting international solidarity. ICORN Member Cities offer long-term, but temporary, shelter to those put at risk as a direct consequence of their creative activities.

[https://www.ifa.de/en/funding/elisabeth-selbert-initiative/ '''The Elisabeth-Selbert-Initiative'''] provides threatened human rights defenders with a safe place to recuperate, cope with trauma, and when possible, to network and further develop their professional skills.

[https://www.york.ac.uk/cahr/human-rights-defenders/protective-fellowship/ '''Protective Fellowship Scheme for Human Rights Defenders at Risk'''] at the Centre for Applied Human Rights at the University of York (United Kingdom) - Human rights defenders are invited to come to York for periods ranging from three to six months. During this time, they benefit both from time away from a difficult environment, and from educational resources designed to increase their effectiveness and their ability to influence policy and practice when they return home.

[https://www.scholarsatrisk.org/get-help/ '''Scholars at Risk'''] works with its global network of higher education institutions around the world to arrange short-term, temporary research and teaching positions for threatened scholars. They also provide advisory, referral, and career support services for scholars.

[https://www.frontlinedefenders.org/en/programme/rest-respite '''Front Line Defenders Rest & Respite Programme'''] enables human rights defenders to take some time out and to recharge their batteries in a safe environment while at the same time enhancing their skills so that they can work more effectively when they return home. Rest & Respite opportunities are offered on an invitation-only basis.

[https://www.initiativemarianne.fr/en/a-propos/ '''The Marianne Initiative has a Solidarity Fund for Innovative Projects'''] (for HRDs in France), and selects fellows who will benefit from personalized support within a place of exchange and training, open to all those involved in the cause of human rights.

== Security and Protection ==

=== '''Resources: guides, online courses, helplines, communities of practice''' ===
[https://www.accessnow.org/help/ '''Access Now’s Digital Security Helpline'''] works with individuals and organizations around the world to keep them safe online. If you’re at risk, we can help you improve your digital security practices to keep out of harm’s way. If you’re already under attack, we provide rapid-response emergency assistance. 24/7 services are available with support in nine languages: English, Spanish, French, German, Portuguese, Russian, Tagalog, Arabic, and Italian. They respond to all requests within two hours.
[[File:Lucas Faragosa.png|thumb|Lucas Faragosa]]
[https://ssd.eff.org/ '''Surveillance Self-Defense: Tips, Tools and How-tos for Safer Online Communications'''] - This is an online resource from the Electronic Frontier Foundation that provides up-to-date guidance on basic digital security techniques, tools and further learning. It's very helpful! Resources are available in: EN, ES, AR, FA, FR, RU, Bur, Vie, and many more

[https://learn.totem-project.org/courses '''Totem Project'''] is a collection of online courses designed by human rights and journalist organizations from around the world. It is maintained and hosted by Greenhost and Free Press Unlimited. I have personally worked with them on a course related to human rights documentation. Many of their courses are related to digital security and privacy. This is a great way to learn about good security practices, and understanding why certain techniques are recommended. Courses are available in: EN, ES, AR, FA, FR, RU

[https://holistic-security.org/ '''Holistic Security'''] is a strategy manual to help human rights defenders maintain their well-being in action. The holistic approach integrates self-care, well-being, digital security, and information security into traditional security management practices.

[https://cpj.org/emergency-response/resource-center/ '''Committee to Protect Journalists''']’ resource center shares critical resources to help journalists prepare for an assignment or respond to an emergency.

[https://digitalfirstaid.org/en/index.html '''Digital First Aid Kit'''] is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies.

[https://freedom.press/training/ '''Freedom of the Press Foundation Guides and Training'''] on digital security

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] - a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

[https://www.alunapsicosocial.org/single-post/risk-assessment-in-human-rights-defense-methodological-guide-from-the-psychosocial-approach '''Risk Assessment in Human Rights Defense Methodological Guide from the Psychosocial Approach'''], by Aluna - This guide’s content is based on international methodologies from organizations such as Protection International and Front Line Defenders, among others. Accordingly, we have incorporated some of these tools, complementing them with the accompaniment model proposed by Aluna and adapting them to the specificities of the contexts and the political subjects whom we accompany. Available in [https://www.alunapsicosocial.org/single-post/risk-assessment-in-human-rights-defense-methodological-guide-from-the-psychosocial-approach EN], [https://www.alunapsicosocial.org/single-post/valoraci%C3%B3n-del-riesgo-en-la-defensa-de-ddhh-gu%C3%ADa-metodol%C3%B3gica-desde-elenfoque-psicosocial ES]

=== '''Regional protection networks for digital rights defenders''' ===

==== Africa ====

* [https://defenddefenders.org/ DefendDefenders] promotes, protects, & strengthens the work of human rights defenders in the East & Horn of Africa sub-region.
* [https://westafricadefenders.org/ West African Human Rights Defenders Network] (Réseau Ouest Africain des Défenseurs des Droits Humains)
* [https://southerndefenders.africa/ Southern Defenders] - Southern Africa Human Rights Defenders Network
* [https://digitalsociety.africa/ Digital Society of Africa (DSA)] works to strengthen the resilience and ability of frontline activists; human rights defenders and other at-risk groups in the region to independently recognize and respond to digital threats and attacks. They seek to achieve this using the holistic security approach; through a range of activities including: organisational security audits; risk assessment; trainings, sustainable security accompaniment; security policy formulation and tech support.

==== Asia ====

* [https://docs.google.com/spreadsheets/d/1J2Nj2HFpLIp6t2U1Jy1iOdz7ZIv9XAO5lFMeG_Y0Wzo/htmlview?hl=en# List of protection and support funding for HRDs] (Myanmar)
* [https://ocf.tw/en/p/cscs/ Civil Society Cyber Shield, Open Culture Foundation] (Taiwan)

==== MENA/SWANA ====

* [https://whrdmena.org/ Regional Coalition for Women Human Rights Defenders in MENA]
* [https://www.gc4hr.org/get-help/ Gulf Centre for Human Rights Emergency Resources Hub] - an independent NGO that provides protection for human rights defenders, including journalists and Internet activists, and enhances their effectiveness online and offline in the Gulf and neighboring countries.
* [https://smex.org/helpdesk/ SMEX Digital Safety Helpdesk] (MENA and digital protection-focused)

==== Latin America and the Caribbean ====

* [https://im-defensoras.org/es/ The Mesoamerican Women Human Rights Defenders Initiative (IM-Defensoras)] is a local to regional alliance of diverse women human rights defenders (WHRDs), organizations and networks.
* [https://pbi-mexico.org/ Peace Brigades International] - Mexico
* [https://socialtic.org/ SocialTic] is a Mexican non-profit organization dedicated to research, training, and promoting digital technology or information with social purposes.

==== Europe ====

* [https://www.holistic-protection.eu/ Holistic Protection Collective] - an independent collective of security practitioners that aims to improve the security of Rights-based organizations, initiatives, foundations and activist collectives.

==== Global ====

* [https://www.frontlinedefenders.org/ Front Line Defenders Emergency Contact]
* [https://www.protectioninternational.org/ Protection International]
* [http://freepressunlimited.org/en/projects/reporters-respond-emergency-and-legal-support Reporters Respond: emergency support by Free Press Unlimited]
* [https://www.ifj.org/safety-fund The IFJ Safety Fund]
* [https://www.peacebrigades.org/ Peace Brigades International]

=== '''Legal support''' ===
[https://www.amerainternational.org/pro-bono-directory/ '''Amera International Pro Bono Directory'''] - list of organizations and individuals that provide free legal assistance and support refugees (and asylum seekers) in the listed countries.
[[File:Asia Pacific Refugee Rights Network.png|right|frameless|163x163px]]
[https://aprrn.org/ '''Asia Pacific Refugee Rights Network'''] works to advance the rights and inclusion of refugees and other people in need of protection in the Asia Pacific region—including refugees, asylum seekers, torture survivors and complainants, trafficked persons, IDPs, stateless persons, migrants in vulnerable situations, and returnees—so they may have equal and adequate access to assistance and protection, and to timely durable solutions.

[https://elsc.support/ '''European Legal Support Center (ELSC)'''] (Europe and UK) an independent organization that provides free legal advice and assistance to associations, human rights NGOs, groups and individuals advocating for Palestinian rights in mainland Europe and the United Kingdom.

[https://systemicjustice.ngo/ '''System Justice'''] (Europe) - an independent NGO that focuses on community-driven litigation for racial, social, and economic justice across Europe
[[File:FDPN.png|right|frameless]]
[https://fdpn.org.au/ '''Forcibly Displaced People Network (FDPN)'''] (Australia) is the first registered LGBTIQ+ refugee-led organization in Australia. We work to support LGBTIQ+ people seeking asylum, refugees and migrants from non-Western countries to be safe in Australia.

[https://circlegreen.org.au/humanitarian/ '''Circle Green'''] (Australia) helps people new to Australia who need professional legal migration advice and are disadvantaged in accessing legal services.

=== '''Emergency grants''' ===
[[File:Lifeline.png|right|frameless|270x270px]]
[https://www.csolifeline.org/emergency-assistance '''Lifeline'''] (an initiative by Freedom House and Front Line Defenders) provides small, short-term emergency grants to CSOs threatened because of their human rights work. Lifeline grants can address security, medical expenses, legal representation, prison visits, trial monitoring, temporary relocation, equipment replacement, and other urgently needed expenses.
[[File:Front Line Defenders Protection.png|right|frameless|273x273px]]
[https://www.frontlinedefenders.org/en/programme/protection-grants '''Front Line Defenders Protection Grants'''] can pay for provisions (grants are for amounts up to a maximum of €7,500) to improve the security and protection of human rights defenders and their organizations including, but not limited to:

* improving physical security of an organization or individual, digital security and communication security;
* supporting legal fees for HRDs who are being judicially harassed;
* paying for medical fees for HRDs who have been attacked or who have suffered a medical condition as a result of their peaceful human rights activities;
* providing family assistance for imprisoned HRDs or family members who are at risk because of a HRD's activities.
[[File:Urgent Action Fund.png|right|frameless|295x295px]]
[[File:Protect Defenders EU.png|right|frameless]]
[https://urgentactionfund.org/apply-for-a-grant/criteriado-i-fit/ '''Urgent Action Fund’s Rapid Response Grants'''] resource the resilience of human rights and gender justice movements by supporting the security and advocacy interventions of activists when a swift response is needed. Specifically, Rapid Response Grants offer quick, flexible funding to respond to security threats or unexpected advocacy opportunities experienced by women, transgender, or gender non-conforming, activists and human rights defenders.

[https://www.civicus.org/index.php/what-we-do/defend/crisis-response-fund '''CIVICUS Crisis Response Fund'''] welcomes applications from formal or informal civil society actors & consortia, including social movements. Grants must be for a 3-6 month period. Amount: US$10,000 - US$20,000 for Advocacy Grants or Resiliency Grants.

[https://wphfund.org/whrds/ '''The Women’s Peace and Humanitarian Fund'''] provides rapid, flexible funding and direct logistical support to women HRDs from/working in crisis and conflict-affected areas, working at community, national, regional or international levels. For individuals they have an Advocacy Support Stream and a Safety Net Stream.

[https://www.mccaininstitute.org/programs/democracy-programs/human-rights-defenders-program/ '''McCain Institute's Human Rights Defender Program'''] (under the Democracy Program) provides temporary, transitional support to activists who are forced to work underground or flee their countries so they can continue to fight in the human rights arena.

[https://www.dignitylgbti.org/ '''The Dignity for All: LGBTQI+ Assistance Program'''] is a consortium of six leading human rights and LGBTQI+ organizations that provides emergency assistance, advocacy funding, and security support to human rights defenders and civil society organizations under threat or attack due to their work for LGBTQI+ rights.

[https://protectdefenders.eu/protecting-defenders/ '''ProtectDefenders.eu'''] provides a range of services to human rights defenders at risk, including an emergency helpline (run by Front Line Defenders), emergency grants, and temporary relocation.

=== '''Relocation and resettlement support specifically for HRDs at risk''' ===
'''[https://www.mccaininstitute.org/programs/democracy-programs/human-rights-defenders-program/ Human Rights Defenders Program, McCain Institute]''' - Through the Human Rights Defenders program, the McCain Institute provides funding, logistical assistance and referrals to human rights defenders in distress, helping them to:

* Settle into a safe environment
* Receive training involving extra security precautions, networking, and career development if unable to return home any time soon
* Find sustainable employment as a means to continue their human rights work throughout the time they are unable to return to their home countries

[https://www.frontlinedefenders.org/en/canada-program '''Canada Global Refugee Stream for Human Rights Defenders'''] - The Canadian government has established a dedicated refugee stream for human rights defenders for resettlement to Canada.

[https://www.rainbowrailroad.org/request-help '''Rainbow Railroad'''] is a global not-for-profit organization that helps at-risk LGBTQI+ people get to safety worldwide.

[https://cpj.org/emergency-response/post-incident-assistance/#emergency-relocation '''Journalists in Distress Network'''] resources for journalists who have received serious threats or are in distress in relation to their work, and may need emergency relocation

== Strategic Advocacy ==
[[File:Iris Wang.png|thumb|414x414px|Iris Wang]]
[https://newtactics.org/toolkit/strategy-toolkit New Tactics in Human Rights Strategy Toolkit] - activities and resources for developing an advocacy strategy. available in EN and AR

[https://www.csolifeline.org/advocacy-toolkit Advocacy in Restricted Spaces: A Toolkit for Civil Society Organizations] is a practical resource that emphasizes that advocacy is possible even in restrictive contexts. The toolkit places the planning process within the context of risk assessment and mitigation, which is essential in these environments. Available in AR, FR, ES, RU, VI, FA, EN

[https://toolkit.video4change.org/ Video for Change Impact Toolkit] by Engage Media - This toolkit will show you how to design and strategize for impact in your progressive social change initiatives. It is designed for documentary or journalist video-makers, established Video for Change organizations, and nonprofit organizations that are using or thinking about using video to engage their communities.

== Localization ==
[[File:Localization Lab.png|right|frameless]]
[https://www.localizationlab.org/ Localization Lab] - a community of '''7000+''' contributors working on making FLOSS technology and internet freedom resources accessible in '''200+''' languages including Azerbaijani, Basque, Shona, Chinese and Arabic, through collaboration with developers, organizations, end users, and communities in need.
[[File:Engage Media.png|right|frameless]]
[https://engagemedia.org/ Engage Media] - a nonprofit that promotes digital rights, open and secure technology, and social issue documentary. Combining video, technology, knowledge, and networks, they support Asia-Pacific and global changemakers advocating for human rights. Engage Media has been working on regional localization efforts for Thai, Burmese, Indonesian, Khmer and Filipino.

Research on transnational repression

2024-12-12T16:18:17Z

Kristin1: added database, added threat categories

Research on transnational repression

2024-12-06T18:31:10Z

Kristin1:

'''Explanatory videos:'''

* [https://www.youtube.com/watch?v=FkPCec7jG5I Digital Transnational Repression Explained], by Citizen Lab
* [https://www.youtube.com/watch?v=8YcHajYQLSw Digital Transnational Repression Explained: Activists], by Citizen Lab
* [https://www.youtube.com/watch?v=N72UV-aD9r4 Gender-based Digital Transnational Repression Explained], by Citizen Lab

'''Defending Democracy in Exile: Policy Responses to Transnational Repression''', report by Freedom House

Freedom House is engaged in a multiyear study of transnational repression. Its latest report, Defending Democracy in Exile, published in June 2022, examines what is being done to protect exiles and diaspora members who are being intimidated and attacked by the governments from which they fled. The report assesses the responses mounted by host governments, international organizations, and technology companies. It builds on the findings of Out of Sight, Not Out of Reach: The Global Scale and Scope of Transnational Repression—the first global study of this dangerous practice, which Freedom House released in February 2021.

* https://www.youtube.com/watch?v=86Q_9IUosCE&t=71s [video]
* https://freedomhouse.org/report/transnational-repression [overview and report]

'''Silencing Across Borders: Transnational Repression and Digital Threats Against Exiled Activists''', report by Marcus Michaelsen

Marcus Michaelsen’s report examines the online efforts of authoritarian regimes to intimidate activists living abroad. Hivos is proud to have acted as a host organization for the one-year research project leading to the publication of this report. What tools actually exist in these new digital “toolkits” of transnational repression? And how successful are they in disrupting cross-border information flows? Using the online efforts of Syria and Iran as examples, Marcus Michaelsen set out to find answers.

https://hivos.org/the-silencing-effect-of-digital-transnational-repression/ [overview and report]

'''Psychological and Emotional War: Digital Transnational Repression in Canada''', report by Citizen Lab

In this report, we describe how Canadian activists and dissidents living in exile in Canada are impacted by digital transnational repression. We conclude that digital transnational repression has a serious impact on these communities, including their ability to undertake transnational advocacy work related to human rights.

https://citizenlab.ca/2022/03/psychological-emotional-war-digital-transnational-repression-canada/ [video, overview and report]

'''Responding to Transnational Repression''' [video] - recorded panel discussion from Dec 2021 https://www.youtube.com/watch?v=3D4EjMq5FK4

'''Going after the family: Transnational repression and the proxy punishment of Middle Eastern diasporas''', article co-authored with Dana M. Moss & Gillian Kennedy. Available here (https://onlinelibrary.wiley.com/doi/10.1111/glob.12372) via institutions or for purchase

'''The Arab Spring Abroad: Diaspora Activism against Authoritarian Regimes''', book by Dana Moss. You can download this book for free here: https://www.cambridge.org/core/books/arab-spring-abroad/D7EC15ED46D37A2DB8CDDB83F06CC591#overview

'''Transnational Repression: The Long Arm of Authoritarianism''' (parts 1 and 2) - recorded panel discussion from Sept/Oct 2022. Watch the videos here https://www.orionpolicy.org/orionforum/111/transnational-repression-the-long-arm-of-authoritarianism

How to mitigate your risk of being subject to Pegasus surveillance

2024-11-14T19:45:18Z

Kristin1: added lockdown mode

Over 30,000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus (source: [https://www.amnesty.org/en/latest/press-release/2021/07/the-pegasus-project/ The Pegasus Project, 2021]). While it's important to note that Pegasus is an expensive toolkit ($2.5 million for an Android zero-click infection chain with persistence), if a human rights defender is an important target for a country, it is likely just a matter of time and resources before this HRD's device gets infected.

== Mitigation techniques ==
Government-grade spyware can be more difficult to detect. However, as noted in [https://www.kaspersky.com/blog/how-to-protect-from-pegasus-spyware/43453/ a guide on Pegasus published by Kaspersky], there are some actions you can take to mitigate the risk of being subject to such surveillance, based on current research and findings:

* '''Enable Lockdown Mode''' to disable features that create vulnerabilities to spyware - see [[Secure your devices#Disable features that create vulnerabilities (Lockdown Mode)]]
* '''Reboots:''' Reboot your device daily to prevent persistence from taking hold. The majority of infections have appeared to be based on zero-day exploits with little persistence and so rebooting can hamper attackers.
* '''Disable iMessage and FaceTime (iOS):''' As features enabled by default, iMessage and FaceTime are attractive avenues for exploitation. A number of new Safari and iMessage exploits have been developed in recent years.
* '''Use an alternative browser other than Safari or default Chrome:''' Some exploits do not work well on alternatives such as Firefox Focus.
* Use a trusted, paid '''VPN service''', and install an app that warns when your device has been '''jailbroken'''. Some AV apps will perform this check.

It is also recommended that individuals who suspect a Pegasus infection make use of a secondary device, preferably running GrapheneOS, for secure communication. ([https://www.zdnet.com/article/how-to-find-and-remove-spyware-from-your-phone/ source])

If you think you may have spyware on your device, you can contact '''share@amnesty.tech''' to ask about next steps/what to do. You can also reach out to the Access Now Helpline anytime (24/7) https://www.accessnow.org/help/
== Countries known to have purchased and used ''Pegasus'' or ''Predator'' ==

=== Americas ===

* '''El Salvador''' - Pegasus found on devices of journalists ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Dominican Republic''' - Pegasus found on devices of journalists ''(Source: [https://www.amnesty.org/en/latest/news/2023/05/dominican-republic-pegasus-spyware-journalists-phone/ Amnesty International])''
* '''Mexico''' - Pegasus found on devices of political opposition, activists ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Panama''' - Pegasus found on devices of political opposition ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Trinidad Tobago''' - Evidence of the use of Predator ''(Source: [https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices Recorded Future])''
* '''United States''' - "In the United States, the FBI confirmed the purchase of a "limited license" of the spyware but said there had been "no operational use in support of any investigation," and that it used the software "for product testing and evaluation only."" ''(Source: [https://forbiddenstories.org/pegasus-project-impacts-map/ Forbidden Stories])''

=== Africa ===

* '''Angola''' - Evidence of the use of Predator ''(Source: [https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices Recorded Future])''
* '''Botswana''' - Evidence of the use of Predator ''(Source: [https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices Recorded Future])''
* '''Djibouti''' - In 2018, the U.S. Central Intelligence Agency purchased Pegasus for the Djibouti government to conduct counter-terrorism operations (despite Djibouti's poor human rights record). ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Rwanda''' - Pegasus found on devices of activists ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Togo''' - Pegasus found on devices of political opposition ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Uganda''' - Pegasus found on devices of foreign diplomats ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''

=== Middle East, North Africa and Gulf ===

* '''Bahrain''' - Pegasus found on devices of activists, bloggers ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Egypt''' - Evidence of the use of Predator ''(Source: [https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices Recorded Future])''
* '''Iraq''' - Pegasus found on devices of political opposition, journalists, activists ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Israel/Palestine''' - Pegasus found on devices of journalists, activists ''(Source: [https://www.amnesty.org/en/latest/research/2021/11/devices-of-palestinian-human-rights-defenders-hacked-with-nso-groups-pegasus-spyware-2/ Amnesty International])''
* '''Jordan''' - Pegasus found on devices of activists ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Morocco''' - Pegasus found on devices of political opposition, activists ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Oman''' - Evidence of the use of Predator ''(Source: [https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices Recorded Future])''
* '''Saudi Arabia''' - Pegasus found on devices of political opposition, activists, journalists ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]]),'' Evidence of the use of Predator ''(Source: [https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices Recorded Future])''
* '''United Arab Emirates''' - Pegasus found on devices of activists, journalists, lawyers ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''

=== Europe and Central Asia ===

* '''Armenia''' - Pegasus found on devices of political opposition ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]]),'' Evidence of the use of Predator ''(Source: [https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices Recorded Future])''
* '''Azerbaijan''' - Pegasus found on devices of journalists and activists ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Germany''' - Pegasus is in use by German Federal Criminal Police Office (BKA) ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Hungary''' - Pegasus found on devices of political opposition, journalists, lawyers ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Kazakhstan''' - Pegasus found on devices of journalists, activists ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]]),'' Evidence of the use of Predator ''(Source: [https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices Recorded Future])''
* '''Netherlands''' - Pegasus used to spy on a high profile criminal ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Poland''' - Pegasus found on devices of political opposition, journalists ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Spain''' - Pegasus found on devices of political opposition ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''

=== Asia ===

* '''India''' - Pegasus found on devices of political opposition, activists ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''
* '''Indonesia''' - Evidence of the use of Predator ''(Source: [https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices Recorded Future])''
* '''Mongolia''' - Evidence of the use of Predator ''(Source: [https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices Recorded Future])''
* '''The Philippines''' - Evidence of the use of Predator ''(Source: [https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices Recorded Future])''
* '''Thailand''' - Pegasus found on devices of political opposition, activists ''(Source: [[wikipedia:Pegasus_(spyware)|Wikipedia]])''

== Research on Pegasus ==
[https://citizenlab.ca/tag/pegasus/ Research by Citizen Lab on the use of Pegasus] to monitor human rights defenders and journalists.

[https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/ Forensic Methodology Report: How to catch NSO Group’s Pegasus] (2021), by Amnesty International. And this [https://securitylab.amnesty.org/latest/2023/10/global-predator-files-investigation-reveals-catastrophic-failure-to-regulate-surveillance-trade/ blog post] summarizing the latest investigation that the team worked on, focused on the company widely known as the ‘Intellexa Alliance’.

[https://docs.google.com/spreadsheets/d/1lUv-hoQWGZagZi-8DbX9bLiC_WUWpL-o3f7NRyZmA04/edit#gid=1547057674 Pegasus Project - Individuals listed, targeted, or compromised] - This spreadsheet tracks individuals targeted with NSO’s Pegasus. This includes individuals who are (a) on a list as a person of interest, (b) known to have been targeted, and (c) known to have been compromised.

A 10-minute [https://www.youtube.com/watch?v=8r8MkMfvaPU&t=1s video about how Pegasus Spyware works], from the 2021 Pegasus Project

Granitt tracks and updates this published list of Pegasus victims research here https://github.com/GranittHQ/data-pegasus-victims

== Research on QuaDream (iPhone spyware) ==
A new investigation reveals how QuaDream, an Israeli cyber mercenary company with close ties to Israeli intelligence agencies, used malicious calendar invites to [https://techcrunch.com/2023/04/11/quadream-spyware-hacked-iphones-calendar-invites/?guccounter=1 hack civil society] in various regions, including West Asia and North Africa. Full report by Citizen Lab can be found [https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/ here].

== Research on BouldSpy (Android spyware) ==
The Iranian government has been using the BouldSpy Android malware to spy on minority groups in the country and monitor arms, alcohol, and drugs trafficking. ''(Source: [https://www.securityweek.com/bouldspy-android-malware-used-in-iranian-government-surveillance-operations/ Security Week])''

== Research on Predator (Android spyware) ==
Predator is a commercial Android spyware, which is marketed by the Israeli company Intellexa. ''(Source: [https://thehackernews.com/2023/05/predator-android-spyware-researchers.html Hacker News])''

''New research from Recorded Future’s Insikt Group examines newly discovered infrastructure related to the operators of Predator, a mercenary mobile spyware. This infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Notably, this is the first identification of Predator customers in Botswana and the Philippines. Despite being marketed for counterterrorism and law enforcement, Predator is often used against civil society, targeting journalists, politicians, and activists, with no specific victims or targets currently identified in this latest activity.'' ''(Source: [https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices Recorded Future])''

Granitt tracks and updates this published list of Predator victims research here https://github.com/GranittHQ/data-predator-victims.

== Research on Candiru (iPhones, Androids, Macs, PCs, and cloud accounts) ==
''Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Reportedly, their spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts. As part of their investigation, Microsoft observed at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians.'' ''(Source: [https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ The Citizen Lab])''

Granitt tracks and updates this published list of Candiru victims research here https://github.com/GranittHQ/data-candiru-victims

== Research on BadBazaar (Android spyware) ==
''Security researchers have uncovered malicious apps masquerading as Signal and Telegram apps. The apps are being distributed on the Google Play Store and the Samsung Galaxy store. The fake apps, “Signal Plus Messenger” and “Flygram”, both impersonate the Signal app and the Telegram app respectively, and are both aimed at delivering the “BadBazaar” spyware, which has been attributed to a Chinese state actor. BadBazaar has been found to track and monitor victims while exfiltrating sensitive data such as call logs, messages and location information. Once a device is infected, the attacker can link and collect data from the real Signal and Telegram apps on the victim’s phone without any further action by the victim. So far, victims have been detected in Germany, Poland, The United States, Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen.''

''What Can You Do? If you have downloaded apps such as Signal Plus Messenger or Flygram either from a Telegram channel or the Google or Samsung stores, then you may have been seriously compromised. Delete the application immediately then install a good antivirus solution and perform a root scan. Notify your contacts and associates that you may have been compromised so that they can take measures to protect themselves as well. Also, pay attention to the logos and names of apps you are downloading and make sure they are not fake apps with either the name or logo (lookalike) of a popular app. Lastly, do not download or “update” apps from Telegram channels or unofficial distribution sites''

(Source: [https://mailchi.mp/c61f8d11d65e/cdr-loop-july-2023-edition-15732520?e=bf72ac7dae Center for Digital Resilience Aug 2023 newsletter])

Secure your devices

2024-11-14T19:43:26Z

Kristin1: /* Disable features that create vulnerabilities */ added link to black top presentation

== Keep your device or operating system up-to-date with software updates ==
When you buy a device or an operating system, keep it up-to-date with software updates. Updates will often fix security problems in older code that attacks can exploit. Note that some older phones and operating systems may no longer be supported, even for security updates. In particular, Microsoft has made it clear that versions of Windows Vista, XP, and below will not receive fixes for even severe security problems. This means that if you use these, you cannot expect them to be secure from attackers. The same is true for OS X before 10.11 or El Capitan. (Source: [https://ssd.eff.org/module/choosing-your-tools Electronic Frontier SSD])

=== Free, open source operating systems ===
If you cannot afford to purchase a licensed Windows or Mac operating system, you can use a free and open source operating system, such as:

'''[https://www.linuxmint.com/ Linux Mint]''' is an operating system for desktop and laptop computers. It is designed to work 'out of the box' and comes fully equipped with the apps most people need. Linux Mint works on most computers. It can also be run from a live USB stick to make sure everything works fine without having to install anything.

[https://tails.net/ '''Tails'''] is a portable operating system that protects against surveillance and censorship. To use Tails, shut down the computer and start on your Tails USB stick instead of starting on Windows, macOS, or Linux. You can temporarily turn your own computer into a secure machine. You can also '''.''' You can also stay safe while using the computer of somebody else'''.''' Tails is a 1.4 GB download and takes ½ hour to install. Tails can be installed on any USB stick of 8 GB minimum. Tails works on most computers less than 10 years old. You can start again on the other operating system after you s t down Tails. You don't have to worry about the computer having viruses because Tails runs independently from the other operating system and never uses the hard disk. But, Tails cannot always protect you if you install it from a computer with viruses or if you use it on a computer with malicious hardware, like keyloggers.

== Use antivirus or anti-malware ==

=== Advice ===
1. Know how to check if your antivirus or anti-malware app is working and updating itself.

2. Perform periodic manual scans.

3. Choose and run only one anti-malware app; if you run more than one on a device, they may interfere with each other.

[https://freedom.press/training/blog/what-about-antivirus/ What about antivirus?] Article by David Huerta (2020) of the Freedom of the Press Foundation Here's a good article
Excerpt: "Antivirus software is one of the oldest offerings available from the now billion-dollar cybersecurity industry. But what does antivirus software do to help protect our devices, what does it not do, and do we really need it?"

=== Antivirus software options ===

'''Windows'''
On Windows 10, Security in a Box recommends to turn on Windows's own anti-malware protection [https://securityplanner.consumerreports.org/tool/turn-on-windows-defender-antivirus Windows Defender]

'''Linux'''
On Linux you can manually scan your device for malware with [https://www.clamav.net/ ClamAV]. But be aware it is only a scanner, and will not monitor your system to protect you from infection. You can use it to determine whether or not a file or directory contains known malware — and it can be run from a USB memory stick in case you do not have permission to install software on the suspect computer. You may also consider using paid antivirus (e.g. ESET NOD32)

Software available on multiple operating systems that offer free versions:
* [https://www.bitdefender.com BitDefender] (Android, iOS, Mac, Windows) - Warning: This can be a heavy program for many computers.
* [https://www.malwarebytes.com/ Malwarebytes] (Android, iOS, Mac, Windows). Malwarebytes full version is free for 2 week, but you can manually scan your device without time limits.
* [https://www.avast.com/ Avast antivirus] (Android, iOS, Mac, Windows)

Not recommended:
* [https://www.avg.com/ AVG antivirus] (Android, iOS, Mac, Windows)
* [https://www.avira.com/en/free-antivirus Avira antivirus] (Android, iOS, Mac, Windows)

From the community: AVG, Avira were found to be running mining operations on consumers PC and they don't offer proper protection.

Note that all antivirus and anti-malware apps collect information on how the protected devices are being used. Some of this information may be shared with companies which own them. There have been cases where this information was sold to third parties.

== Full disk encryption ==

=== For computers ===
'''Apple''' provides a built-in, full-disk encryption feature on macOS called [[wikipedia:FileVault|FileVault]]. Guide: How to encrypt your [https://ssd.eff.org/module/how-encrypt-your-iphone iPhone] (available in 10+ languages)

'''Linux''' distributions usually offer full-disk encryption when you first set up your system.

'''Windows Vista or later''' includes a full-disk encryption feature called [https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/ BitLocker]. Guide: How to encrypt your [https://ssd.eff.org/module/how-encrypt-your-windows-device Windows device] (available in 10+ languages)

=== For smartphones and tablets ===
'''Apple''' devices such as the iPhone and iPad describe it as “Data Protection” and turn it on if you set a passcode.

'''Android''' offers full-disk encryption when you first set up your device on newer devices, or anytime afterwards under its “Security” settings for all devices.

=== Disk encryption vulnerabilities ===
There are some risks related to disk encryption that you need to consider before moving forward, and find ways to mitigate these risks:
# Data is exposed as soon as it leaves the protected disk
# Data is exposed in the clear if a user session is hijacked
# Data is exposed if device credentials are compromised
# All data is protected by a single key, which means that if you lose that one key, you lose access to the device

== Disable features that create vulnerabilities (Lockdown Mode) ==
'''iPhone and Mac devices offers [https://support.apple.com/en-us/HT212650 Lockdown Mode]''' - "When Lockdown Mode is enabled, your device won’t function like it typically does. To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all. Lockdown Mode is available in iOS 16, iPadOS 16, and macOS Ventura."

Lockdown Mode covers a lot of different scenarios and reduce attack surface for attacks: remove JIT from browser, disable a lot of webkit features, block calls from unknown contacts in iMessage, remove many file types in messages etc. You can read a [https://blacktop.github.io/presentations/0x41con_2023/HTML/index.html#0 2023 analysis presentation by Blacktop].

'''Android also offers a version of [https://www.zdnet.com/article/how-to-use-the-android-lockdown-mode-and-why-you-should/ Lockdown Mode]''' - "When lockdown mode is enabled, fingerprint sensors, facial recognition, and voice recognition do not function. Once you've activated lockdown mode, the only way to gain access to your device is either via PIN, password, or pattern. One thing you must know about lockdown mode is that it's a one-time thing. In other words, once you've enabled it, it will immediately be disabled upon successful login. That means you have to re-enable lockdown mode every time you want to use it."

== Separate your phone number from your device ==
[https://theintercept.com/2017/09/28/signal-tutorial-second-phone-number/ How to use signal without giving out your phone number] (article) - A step-by-step guide to protecting your private phone number while enjoying the security of encrypted texting app Signal.
----
''Last updated June 18, 2024''

Source for this content: [https://securityinabox.org/en/phones-and-computers/malware/#use-antivirus-or-anti-malware Security in a Box]'' , [https://ssd.eff.org/ Electronic Frontier SSD], and discussions with human rights security practitioners.''

Security resources organized by topic

2024-11-07T17:49:54Z

Kristin1: /* Resource collections related to security */ added front line workbook

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections related to security ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

[https://totem-project.org/ '''Totem project'''] - Developed in collaboration by Greenhost and Free Press Unlimited, Totem is a '''free''' '''online learning platform''' that offers educational courses about digital security and privacy, and related tools and tactics for journalists, activists and human rights defenders in a safe, online classroom environment.

[https://advocacyassembly.org/en/courses?category=1 '''Advocacy Assembly''' online courses related to digital security] - Advocacy Assembly is a '''free e-learning platform''' featuring dozens of courses for human rights activists, campaigners and journalists.

[https://www.saferedge.com/learning '''Safer Edge''' online courses] (not free) - Safer Edge works with security, safeguarding and risk advisory professionals with a wide range of expertise, skills and experience. Team and consultants have experience working internationally in the humanitarian and development contexts in a range of risk contexts. In-house team speaks English, French, Spanish, Portuguese, Arabic and Russian.

[https://academy.amnesty.org/ '''Amnesty International's Human Rights Academy'''] is a free online learning platform that allows participants to embark on a self-paced learning journey to understand the principles of human rights and how to use them as a tool for positive change. We believe that knowledge of rights is essential for claiming them, defending them, and promoting them and hope that our courses will inspire you to take action.

[https://www.protectioninternational.org/tools/protection-manuals/ '''Protection International's Protection Manuals'''] for Human Rights Defenders - These manuals were developed to provide human rights defenders with additional knowledge and tools to improve their understanding of security and protection.

[https://www.frontlinedefenders.org/en/digital-protection-resources '''Front Line Defenders Digital Protection Resources'''] - Front Line Defenders Digital Protection programme responds to the digital security environment facing HRDs and develops tools, guides and reosources to complement its training and consultation programming.

[https://ssd.eff.org/ '''Surveillance Self-Defense'''] toolkit by Electronic Frontier Foundation - "We’re the Electronic Frontier Foundation, an independent non-profit working to protect online privacy for over thirty years. This is Surveillance Self-Defense: our expert guide to protecting you and your friends from online spying."

[https://securityinabox.org/en/ '''Security in a Box'''] primarily aims to help a global community of human rights defenders whose work puts them at risk. It has been recognized worldwide as a foundational resource for helping people at risk protect their digital security and privacy.

'''[https://www.frontlinedefenders.org/en/resource-publication/workbook-security-practical-steps-human-rights-defenders-risk Front Line Defenders Workbook on Security]''' has been inspired by the hundreds of HRDs from over 50 countries who have attended Front Line Defenders workshops on security and protection. The Workbook takes you through the steps to producing a security plan – for yourself and for your organisation (for those HRDs who are working in organisations). It follows a systematic approach for assessing your security situation and developing risk and vulnerability reduction strategies and tactics. Manual available in French, Spanish, Russian, Arabic, Turkish, Portuguese, Urdu, Somali, Dari, and Chinese.

Security resources organized by topic

2024-11-07T17:46:49Z

Kristin1: /* Resource collections related to security */

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections related to security ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

[https://totem-project.org/ '''Totem project'''] - Developed in collaboration by Greenhost and Free Press Unlimited, Totem is a '''free''' '''online learning platform''' that offers educational courses about digital security and privacy, and related tools and tactics for journalists, activists and human rights defenders in a safe, online classroom environment.

[https://advocacyassembly.org/en/courses?category=1 '''Advocacy Assembly''' online courses related to digital security] - Advocacy Assembly is a '''free e-learning platform''' featuring dozens of courses for human rights activists, campaigners and journalists.

[https://www.saferedge.com/learning '''Safer Edge''' online courses] (not free) - Safer Edge works with security, safeguarding and risk advisory professionals with a wide range of expertise, skills and experience. Team and consultants have experience working internationally in the humanitarian and development contexts in a range of risk contexts. In-house team speaks English, French, Spanish, Portuguese, Arabic and Russian.

[https://academy.amnesty.org/ '''Amnesty International's Human Rights Academy'''] is a free online learning platform that allows participants to embark on a self-paced learning journey to understand the principles of human rights and how to use them as a tool for positive change. We believe that knowledge of rights is essential for claiming them, defending them, and promoting them and hope that our courses will inspire you to take action.

[https://www.protectioninternational.org/tools/protection-manuals/ '''Protection International's Protection Manuals'''] for Human Rights Defenders - These manuals were developed to provide human rights defenders with additional knowledge and tools to improve their understanding of security and protection.

[https://www.frontlinedefenders.org/en/digital-protection-resources '''Front Line Defenders Digital Protection Resources'''] - Front Line Defenders Digital Protection programme responds to the digital security environment facing HRDs and develops tools, guides and reosources to complement its training and consultation programming.

[https://ssd.eff.org/ '''Surveillance Self-Defense'''] toolkit by Electronic Frontier Foundation - "We’re the Electronic Frontier Foundation, an independent non-profit working to protect online privacy for over thirty years. This is Surveillance Self-Defense: our expert guide to protecting you and your friends from online spying."

[https://securityinabox.org/en/ '''Security in a Box'''] primarily aims to help a global community of human rights defenders whose work puts them at risk. It has been recognized worldwide as a foundational resource for helping people at risk protect their digital security and privacy.

Security resources organized by topic

2024-11-07T17:45:40Z

Kristin1: /* Resource collections related to security */

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections related to security ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

[https://totem-project.org/ '''Totem project'''] - Developed in collaboration by Greenhost and Free Press Unlimited, Totem is a '''free''' '''online learning platform''' that offers educational courses about digital security and privacy, and related tools and tactics for journalists, activists and human rights defenders in a safe, online classroom environment.

[https://advocacyassembly.org/en/courses?category=1 '''Advocacy Assembly''' online courses related to digital security] - Advocacy Assembly is a '''free e-learning platform''' featuring dozens of courses for human rights activists, campaigners and journalists.

[https://www.saferedge.com/learning '''Safer Edge''' online courses] (not free) - Safer Edge works with security, safeguarding and risk advisory professionals with a wide range of expertise, skills and experience. Team and consultants have experience working internationally in the humanitarian and development contexts in a range of risk contexts. In-house team speaks English, French, Spanish, Portuguese, Arabic and Russian.

[https://academy.amnesty.org/ '''Amnesty International's Human Rights Academy'''] is a free online learning platform that allows participants to embark on a self-paced learning journey to understand the principles of human rights and how to use them as a tool for positive change. We believe that knowledge of rights is essential for claiming them, defending them, and promoting them and hope that our courses will inspire you to take action.

[https://www.protectioninternational.org/tools/protection-manuals/ '''Protection International's Protection Manuals'''] for Human Rights Defenders - These manuals were developed to provide human rights defenders with additional knowledge and tools to improve their understanding of security and protection.

[https://www.frontlinedefenders.org/en/digital-protection-resources '''Front Line Defenders Digital Protection Resources'''] - Front Line Defenders Digital Protection programme responds to the digital security environment facing HRDs and develops tools, guides and reosources to complement its training and consultation programming.

[https://ssd.eff.org/ '''Surveillance Self-Defense'''] toolkit by Electronic Frontier Foundation - "We’re the Electronic Frontier Foundation, an independent non-profit working to protect online privacy for over thirty years. This is Surveillance Self-Defense: our expert guide to protecting you and your friends from online spying."

Security resources organized by topic

2024-11-07T17:40:29Z

Kristin1: /* Resource collections related to security */

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections related to security ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

[https://totem-project.org/ '''Totem project'''] - Developed in collaboration by Greenhost and Free Press Unlimited, Totem is a '''free''' '''online learning platform''' that offers educational courses about digital security and privacy, and related tools and tactics for journalists, activists and human rights defenders in a safe, online classroom environment.

[https://advocacyassembly.org/en/courses?category=1 '''Advocacy Assembly''' online courses related to digital security] - Advocacy Assembly is a '''free e-learning platform''' featuring dozens of courses for human rights activists, campaigners and journalists.

[https://www.saferedge.com/learning '''Safer Edge''' online courses] (not free) - Safer Edge works with security, safeguarding and risk advisory professionals with a wide range of expertise, skills and experience. Team and consultants have experience working internationally in the humanitarian and development contexts in a range of risk contexts. In-house team speaks English, French, Spanish, Portuguese, Arabic and Russian.

[https://academy.amnesty.org/ '''Amnesty International's Human Rights Academy'''] is a free online learning platform that allows participants to embark on a self-paced learning journey to understand the principles of human rights and how to use them as a tool for positive change. We believe that knowledge of rights is essential for claiming them, defending them, and promoting them and hope that our courses will inspire you to take action.

[https://www.protectioninternational.org/tools/protection-manuals/ '''Protection International's Protection Manuals'''] for Human Rights Defenders - These manuals were developed to provide human rights defenders with additional knowledge and tools to improve their understanding of security and protection.

Security resources organized by topic

2024-11-07T17:20:50Z

Kristin1: /* Resource collections related to security */ added Amnesty Academy

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections related to security ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

[https://totem-project.org/ '''Totem project'''] - Developed in collaboration by Greenhost and Free Press Unlimited, Totem is a '''free''' '''online learning platform''' that offers educational courses about digital security and privacy, and related tools and tactics for journalists, activists and human rights defenders in a safe, online classroom environment.

[https://advocacyassembly.org/en/courses?category=1 '''Advocacy Assembly''' online courses related to digital security] - Advocacy Assembly is a '''free e-learning platform''' featuring dozens of courses for human rights activists, campaigners and journalists.

[https://www.saferedge.com/learning '''Safer Edge''' online courses] (not free) - Safer Edge works with security, safeguarding and risk advisory professionals with a wide range of expertise, skills and experience. Team and consultants have experience working internationally in the humanitarian and development contexts in a range of risk contexts. In-house team speaks English, French, Spanish, Portuguese, Arabic and Russian.

[https://academy.amnesty.org/ '''Amnesty International's Human Rights Academy'''] is a free online learning platform that allows participants to embark on a self-paced learning journey to understand the principles of human rights and how to use them as a tool for positive change. We believe that knowledge of rights is essential for claiming them, defending them, and promoting them and hope that our courses will inspire you to take action.

Security resources organized by topic

2024-11-07T17:11:31Z

Kristin1: /* Resource collections */

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections related to security ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

[https://totem-project.org/ '''Totem project'''] - Developed in collaboration by Greenhost and Free Press Unlimited, Totem is a '''free''' '''online learning platform''' that offers educational courses about digital security and privacy, and related tools and tactics for journalists, activists and human rights defenders in a safe, online classroom environment.

[https://advocacyassembly.org/en/courses?category=1 '''Advocacy Assembly''' online courses related to digital security] - Advocacy Assembly is a '''free e-learning platform''' featuring dozens of courses for human rights activists, campaigners and journalists.

[https://www.saferedge.com/learning '''Safer Edge''' online courses] (not free) - Safer Edge works with security, safeguarding and risk advisory professionals with a wide range of expertise, skills and experience. Team and consultants have experience working internationally in the humanitarian and development contexts in a range of risk contexts. In-house team speaks English, French, Spanish, Portuguese, Arabic and Russian.

Security resources organized by topic

2024-11-07T17:11:11Z

Kristin1: /* Resource collections */ added online resource collections

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

[https://totem-project.org/ '''Totem project'''] - Developed in collaboration by Greenhost and Free Press Unlimited, Totem is a '''free''' '''online learning platform''' that offers educational courses about digital security and privacy, and related tools and tactics for journalists, activists and human rights defenders in a safe, online classroom environment.

[https://advocacyassembly.org/en/courses?category=1 '''Advocacy Assembly''' online courses related to digital security] - Advocacy Assembly is a '''free e-learning platform''' featuring dozens of courses for human rights activists, campaigners and journalists.

[https://www.saferedge.com/learning '''Safer Edge''' online courses] (not free) - Safer Edge works with security, safeguarding and risk advisory professionals with a wide range of expertise, skills and experience. Team and consultants have experience working internationally in the humanitarian and development contexts in a range of risk contexts. In-house team speaks English, French, Spanish, Portuguese, Arabic and Russian.

How to deal with online harassment and threats

2024-10-28T13:23:21Z

Kristin1: /* Abusers and their tactics */

''The information below is used with permission from the Totem Project's online course on [https://learn.totem-project.org/courses/course-v1:IWMF+IWMF_OH_EN+001/about Know Your Trolls], in 2023.''

==Abusers and their tactics==
<p>Watch [https://www.youtube.com/watch?v=RJR466zSUhs this video] to get an understanding of the strategies used and the reason abusers use them.</p>

===Identifying common tactics ===
<p>Targets need a common language to describe what’s happening to them, to friends, colleagues, editors, and law enforcement. You will learn more about how to define these tactics in the next exercise. You may find that abusers often use a combination of tactics to silence you online. Below are some common tactics and their definitions. </p>
[[File:Image-common-tactics.png|border]]
<h3>More on doxxing</h3>
<p>Doxxing is a tactic used by online abusers as a way to intimidate and threaten journalists. Personal details, including a home address, are posted online with a call to others to use that information to harass and cause harm.</p>
<p>This is a common tactic used by the far right as well as by members of certain interest groups, such as pro-life supporters. Having your home address circulated online by trolls means that an online attack has the possibility to turn into a physical threat as people now know where you live.</p><p>There are steps you can take to remove and limit access to your personal information on the Internet. This will help to better protect you against doxxing. Learn more about this in the Totem course on [https://learn.totem-project.org/courses/course-v1:Totem+TP_IO_EN+001/about How to protect your identity online].</p><p>You can also review these resources by [https://www.brightlin.es/ Brightlines] (shared via Creative Commons):</p>

* Tips for Managing Your Online Presence
* Doxxing Scenario Planning

== Mental health==
<p>Online harassment and abuse can take its toll on your mental health. There are steps you can take to protect yourself and reduce the impact of the abuse.</p>
<ul>
<li>Ask a colleague or friend to monitor your accounts so you do not have to be exposed to the abuse </li>
<li>Do not engage with trolls as this can make the situation worse. </li>
<li>Speak with your editor or colleagues about the abuse and make them aware of the situation.</li>
<li>Take care of yourself by looking after your body and mind.</li>
</ul>

==Ways to fight back==
<h3>Documenting attacks</h3>
<p>It can be important to document the abuse you are receiving online, especially if you feel there is a threat to your life. <strong>You should keep an evidence trail</strong> to show your colleagues, editors or the authorities. This information can also be presented to international organizations who assist journalists, and they may be able to help you with your case.</p>
*<strong>Keep a spreadsheet with details of the harassment</strong>, including date, time and type of harassment. Include the medium through which the abuse happened, for example, direct message, and also note down the platform.
*<strong>Take screenshots of the abuse</strong>. Ensure that you include, where possible, the name or handle of the abuser, the date and time, and the full content of the abuse. <strong>It’s important to capture the whole message, the date, the name, and the handle/account name when collecting evidence about your abusers.</strong> This will become important if you decide to contact the authorities or an organization that defends freedom of expression about your case.
* You may wish to <strong>ask someone to help you</strong> do this if the abuse is taking its toll on your mental health. For example, ask a colleague to monitor your social media accounts and enlist their help in taking screenshots of the abuse.
* Before you start working on a story, <strong>think about the groups of people who could attack you</strong> online as a result of publishing a story. Take steps to secure your data and your accounts: use strong and unique passwords, and protect yourself against phishing attacks.<h3 class="mb-0 h3">Blocking, muting, and reporting abuse</h3>
<p>We have looked at how to document abuse. Now let’s look at how to block, mute, and report your abuse.</p>[[File:Image-blocking-muting.png]]<p><strong>Tip:</strong> When you block someone on a social media site it could mean that the content they posted will be deleted. Make sure you have documented the abuse before blocking anyone.</p>

====Blocking and muting on specific platforms====
<p>Learn more about blocking and muting different social media sites by visiting their guides. Below is a list of the most common social media sites.</p>
<blockquote>
<ul>
<li>[https://help.twitter.com/en/using-x#blocking-and-muting Twitter’s guide to blocking and muting]</li>
<li>[https://www.facebook.com/help/1000976436606344 Facebook’s guide to blocking]</li>
<li>[https://help.instagram.com/426700567389543 Instagram’s guide to blocking] </li>
<li>[https://help.snapchat.com/hc/en-us/articles/7012410297364-How-to-Remove-a-Friend-on-Snapchat Snapchat’s guide to blocking] </li>
</ul>
</blockquote>

====Platforms and reporting harassment====
<p>Each platform has different policies around reporting online harassment that makes it challenging and frustrating for those trying to get something done about their online harassment. Know that you are not alone with this. It can help to keep a record of when you reported the harassment to the platform and what, if any, were the outcomes. You can add this to other evidence that you have collected about your harassers.</p>
<strong>Tip:</strong> Platforms administrators are only likely to take down content if it violates their community guidelines or standards. Before reporting harassment to the platform, make sure you are familiar with their guidelines and what they will and will not remove. Use the guidelines to support your case for removing the content. Below is a list of the most common social media sites:
<ul>
<li>[https://transparency.fb.com/policies/community-standards/bullying-harassment/ Facebook’s Community Standards on bullying and harassment]</li>
<li>[https://help.twitter.com/en/rules-and-policies/x-rules Twitter Rules] </li>
</ul><strong>If you are a freelance journalist or HRD</strong> working without the support of a media outlet or if you are not supported by your workplace, then you should consider reaching out to other women journalists to create a support network. You should ask them to: <blockquote>
<ul>
<li> Help report abuse on the platforms</li>
<li> Help document the abuse</li>
<li> Monitor your social media and/or email accounts</li>
<li>Make a public statement of solidarity [TIP: Focus on condemning the behavior, not the abusers]</li>
<li>Rally a supportive community</li>
<li>Provide emotional support</li>
</ul>
</blockquote>
<h2>More information and resources</h2>

<h3> Resources for putting this into practice</h3>

* [https://open.nytimes.com/how-to-dox-yourself-on-the-internet-d2892b4c5954 How to Dox yourself on the Internet] by the New York Times
* [https://cpj.org/2019/09/digital-safety-remove-personal-data-internet/ Remove Personal Data from the Internet] by the Committee to Protect Journalists (CPJ)
* [https://onlineharassmentfieldmanual.pen.org/best-practices-for-employers/ Online Harassment Field Manual: Steps for Safeguarding Employees] by PEN America
* Blocking and Muting on Different Social Media Sites:
** [https://help.twitter.com/en/using-x#blocking-and-muting Twitter’s guide to blocking and muting]
** [https://www.facebook.com/help/1000976436606344 Facebook’s guide to blocking]
** [https://help.instagram.com/426700567389543 Instagram’s guide to blocking]
** [https://help.snapchat.com/hc/en-us/articles/7012410297364-How-to-Remove-a-Friend-on-Snapchat Snapchat’s guide to blocking]
<h3>Free online learning courses</h3>
<ul>
<li>[https://advocacyassembly.org/en/courses/34/#/chapter/1/lesson/1 Recognising and Responding to Online Gender-Based Violence], a free online course by Advocacy Assembly and Association for Progressive Communications (APC)
<li>You will learn about different types of online gender-based violence, how it harms people, and how people are responding. You'll also learn effective strategies and digital safety steps.</li>
<li>[https://advocacyassembly.org/en/courses/43 Cyber harassment: Concepts and prevention] by Advocacy Assembly and Institute for War and Peace Reporting
<li>You will also learn some general digital security concepts, about metadata, and how to do safe online campaigning.</li>
<li>[https://advocacyassembly.org/en/courses/32 Staying Safe Online And Using Social Media] by Advocacy Assembly and Security First
<li>By the end of the course, you will be able to identify common causes of digital security breaches such as phishing and social engineering. Also how to implement basic precautions to protect from viruses and an stay safe online in repressive countries.</li>
<li>[https://learn.totem-project.org/courses/course-v1:Totem+TP_IO_EN+001/about How to protect your identity online] on the Totem Project
<li>By the end of this course, you will: Understand what anonymity is; Know what identifies you online; Understand why protecting your identity and that of others matters; Know what to do to protect your identity; Understand that achieving anonymity online is often very difficult.
<li>[https://learn.totem-project.org/courses/course-v1:IWMF+IWMF_OH_EN+001/about Know your trolls] on the Totem Project created by IWMF
<li>After completing this interactive course you will: Recognize types of online abusers and how they work together, Become more familiar with some of the tactics online abusers use, Be equipped with some key strategies for dealing with abuse

<h3>Video resources</h3>

<ul>
<li>[https://www.youtube.com/watch?v=_KHEkR5yb9A The Problem with “Don’t Feed the Trolls”] by Steph Guthrie, TEDxToronto </li>
<li>[https://feministfrequency.com/2015/04/28/women-in-the-world-online-harassment-panel/ Stop the Trolls: Women Fight Online Harassment Panel] by Feminist Frequency</li>
<li>[https://feministfrequency.com/video/anita-sarkeesian-speaking-at-xoxo-conference/ Anita Sarkeesian, Feminist Frequency] at XOXO Festival</li>
<li>[https://newsrooms-ontheline.ipi.media/tutorials/block-3-basic-countermeasures-for-journalist-to-cope-with-online-harassment/ Basic Countermeasures for Journalists to Cope with Online Harassment] by IPI and the Dart Centre</li><li>[https://newsrooms-ontheline.ipi.media/tutorials_category/legal-remedies-on-addressing-online-harassment/ Legal Remedies to Address Online harassment] by International Press Institute (IPI)</li>
</ul>

<h3>Read</h3>

<ul><li>[https://www.iwmf.org/wp-content/uploads/2018/09/Attacks-and-Harassment.pdf Attacks and Harassment: The impact on female journalists and their reporting] [PDF] by the International Women’s Media Foundation (IWMF)</li><li>[https://onlineharassmentfieldmanual.pen.org Online Harassment Field Manual] by Pen America</li><li>[https://www.takebackthetech.net Take Back the Tech] website</li><li>[https://rorypecktrust.org/how-we-help/freelance-resources/digital-security/social-media-trolling-and-doxxing/ Social Media: Trolling and Doxxing] by the Rory Peck Trust</li><li>[https://dartcenter.org/resources/dealing-hate-campaigns-toolkit-journalists Dealing with Hate Campaigns: Toolkit for Journalists] by the Dart Center</li><li>[https://gameshotline.org/online-free-safety-guide/ A Guide to Protecting Yourself During Online Harassment Attacks] by Feminist Frequency</li><li>[https://www.onlinesos.org/ OnlineSOS] is a non-profit organization connecting people with information and tools to take action in the face of online harassment</li><li>[https://gijn.org/resource/digital-security/ Digital Security Tips and Links to Organisations who can Assist] by the Global Investigative Journalism Network</li><li>[https://dartcenter.org/blog/2017/12/online-harassment-don%E2%80%99t-starve-trolls-control-them How to Manage Trolls and your Mental Health] by the Dart Centre</li><li>[https://onlineharassmentfieldmanual.pen.org/best-practices-for-allies-and-witnesses/ Tips for Allies and Witnesses] by PEN America</li><li>Totem course handouts:<ul>
<li>[https://learn.totem-project.org/asset-v1:IWMF+IWMF_OH_EN+001+type@asset+block@IWMF-Totem_Infographic_AbuserStrategies.pdf Infographic on abuser Strategies] [PDF]</li>
<li>[https://learn.totem-project.org/asset-v1:IWMF+IWMF_OH_EN+001+type@asset+block@IWMF-Totem_Infographic_BlockingMuting.pdf Infographic on Muting and Blocking] [PDF]</li>
<li>[https://learn.totem-project.org/asset-v1:IWMF+IWMF_OH_EN+001+type@asset+block@IWMF-Totem_Infographic_StudyAbusers.pdf Infographic on Studying abusers] [PDF]</li>
</ul></li></ul>

Building a trauma-informed organization

2024-10-07T12:26:12Z

Kristin1: /* Articles */ added new articles

== Key principles of a trauma-informed approach ==
There are six key principles of a trauma-informed approach:

# Safety
# Trustworthiness and transparency
# Peer support
# Collaboration and mutuality
# Empowerment, voice, and choice
# Cultural, historical, and gender issues

=== Safety ===
Safety considers both the physical and emotional safety of staff and individuals with which we work. Physical safety can include:

* Physical space for trainings
* Accessibility of work spaces
* Timing of workshops/training

Emotional safety requires constant feedback from staff and individuals to ensure their physical safety needs are met. For instance, supervisors conduct regular check-ins to ask about workload, mental health, needs, etc.

=== Trustworthiness and transparency ===
Trustworthiness and transparency involves providing clear information about what is being done, by whom, when, and why. This can include job descriptions, roles clarity, expectations. It also means maintaining respectful boundaries, prioritizing privacy and confidentiality. It can include:

* Providing the people we work with the reports we write that involve them
* Involving the people we work with in decision-making about the project
* Providing a clear job description and expectations to staff

=== Peer Support ===
Peer Support and mutual self-help establish safety, hope, trust. “Peers” refers to people who have shared experiences of trauma or stress. It also acknowledges that the trauma itself may be used as a galvanizing tool for action, solidarity, etc.

=== Collaboration and mutuality ===
Collaboration and mutuality levels power differences between staff and those who we work with. It demonstrates that healing can happen in relationships and in meaningful sharing of power. The organization recognizes that everyone has an important role to play. It is the attitude of doing something “with” someone, not “to” or “for”. It emphasizes autonomy and agency.

=== Empowerment, voice and choice ===
Empowerment, voice and choice requires the organization to place people above projects. The organization seeks to empower both staff and stakeholders. It allows those we work with decision-making power, a voice in our projects, the ability to say no without fear of punishment or ostracization. It also focuses on individual’s strengths over weaknesses.

=== Cultural, historical and gender issues ===
Cultural, historical and gender issues involves the organization conscientiously acknowledging the role it has played in perpetuating harm (e.g. the aid sector or “international development” and the consequences of that) as well as structural forms of racism, ableism, sexism, etc. It moves past acknowledgement into action: how can we transform the organization and those within it to ensure that we are not upholding harmful stereotypes, world systems, or oppression?

All six principles are intertwined and do not exist in a vacuum. They are interdependent.

== What is a trauma-informed organization? ==
"A trauma-informed organization is one that operates with an understanding of trauma and its negative effects on the organization’s employees and the communities it serves and works to mitigate those effects." (Source: [https://hbr.org/2022/03/we-need-trauma-informed-workplaces Harvard Business Review])

'''Trauma-informed organizations are able to:'''

* Realize the impact of trauma
* Recognize the signs and symptoms
* Respond by integrating this knowledge into policies, procedures, practices
* Resist re-traumatization

== Recognize the signs and symptoms ==

=== Physiological responses to threat ===
Humans, like all animals, have built-in responses to threats that have helped us survive as we’ve evolved as a species. When we perceive acute danger, many of these responses kick in without our being able to control them: they are hard-wired to our bodies and minds.

* '''The 'freeze response'''' is when a person becomes utterly still while remaining highly alert and poised for action. This response relies on escaping notice until the danger has passed. For example, we might cease the work that we are doing, stop communicating through our usual channels, or reduce communication with someone with whom we are in conflict. In each case, we are hoping that the unwelcome attention will pass if we become inactive.
* '''The 'flight response'''' is when a person quickly tries to get as far away from the danger as possible. We might move our operations to a safer location, abandon certain activities or modes of communication, or separate ourselves from people who might cause us harm.
* '''The 'comply response'''' involves doing what an aggressor instructs in the hope that our cooperation will result in the attack ending quickly and without injury. We might agree to suspend or abandon certain objectives or activities, or give up passwords to secure information.
* '''The 'tend response'''' happens when people try to protect other, more vulnerable people who are being victimized. Many human rights defenders are motivated to help others because of our own experiences of oppression and exploitation.
* '''The 'befriend response'''' involves trying to build some kind of relationship with the aggressor in the hope that this will limit the harm perpetrated against oneself or others. For example, by telling aggressors about our families we might try to humanize ourselves in their eyes, a strategy that is sometimes useful in reducing violence.
* '''The 'posture response'''' is an attempt to drive off the danger by pretending to have greater power than one actually does. As human rights defenders, we often threaten to expose threats of violence in order to publicly embarrass our adversaries.
* '''The 'fight response'''' is when a person attacks with the intent of driving off or destroying an aggressor. (There are many ways to fight, and we all make our own ethical choices about this.)

If we have been through dangerous, stressful or traumatic experiences, sometimes these reactions can kick in when we are stressed or frightened, even if there is no 'real' danger present. Therefore, it is a good idea to look for indicators in our behavior when we are under stress, and to work with them in order to reduce our stress.

(Source: [https://holistic-security.tacticaltech.org/ckeditor_assets/attachments/60/holisticsecurity_trainersmanual.pdf Holistic Security Training Manual], page 53)

=== Group responses to threat ===
Threats and stress affect group dynamics in a number of ways, and this varies greatly due to organizational culture and many other factors. There are some common reactions, however. Consider these potential changes to group dynamics under stress and see if they resonate.

# <u>'''Harder group boundaries'''</u> - One predictable change experienced by groups under threat is the boundaries that define the group becoming less permeable. Those within the group become more closely connected to each other, and those outside the group become more distant. It also becomes more difficult for people to join or leave the group. While such changes can be protective, there are also some potential difficulties with this. The impermeable boundaries of the group may distance the group from existing and potential allies, leaving it more isolated than it might otherwise be. These boundaries also reduce the flow of information into and out of the group. This may result in members of the group being less informed than they might otherwise have been, and having fewer opportunities to check their perception of the world with those ‘outside’ of their group. Less permeable boundaries also make it difficult to leave groups. Members who wish to leave might be branded as traitors or sell-outs in a way that is harmful to the individual and those perceived to be his or her allies. It is very helpful for groups to regularly discuss the ways in which people and information enter and leave the group, and how to manage this in a holistic way that truly promotes security.
# <u>'''Fixed patterns'''</u> - Secondly, patterns of behaviour become more fixed and harder to change. This makes it more difficult for members of the group to question (supposedly) shared beliefs, or challenge the behaviour of other members. When we lose the ability to question each others’ assumptions or point out potentially unhealthy behaviours, our ability to constructively and compassionately build group security is greatly compromised. For this reason, it is important for groups to regularly revisit and discuss their shared values in an honest way.
# <u>'''Authoritarianism'''</u> - A third predictable change relates to leadership and power dynamics within groups. When groups feel unsafe, group members tolerate greater authoritarianism from leaders or more powerful members of the group. This results in reduced levels of information exchange within the group, and fewer opportunities for group members to check their perceptions of the world with other members of their team. In extreme cases, powerful members of the group may become abusive, and the increased rigidity of the group boundaries may prevent victims of such abuse from escaping. Again, it is important for groups to talk about power dynamics and leadership styles on a regular basis, and to make sure that every person has an opportunity to contribute.

Looking into the links between decision-making processes and security, we should not underestimate the positive effects of having fair and transparent decision-making processes. If a group has shared knowledge and responsibilities, it reduces the impact when perpetrators target the leaders of a group.

(Source: [https://holistic-security.tacticaltech.org/ckeditor_assets/attachments/60/holisticsecurity_trainersmanual.pdf Holistic Security Training Manual], page 57)

== Respond by integrating knowledge into policies, procedures, practices ==

=== Crisis management ===
Being prepared to handle crisis situations is a crucial part of the organization’s commitment to protecting the physical and emotional well-being of its staff.

Conveys a strong message that staff safety is a top priority.

==== Before the crisis (preparedness) ====

# Determine what types of crisis events might be faced by an organization, and develop a list of potential risks.
# Gain an understanding of how staff respond to crisis events and what stress reactions they might have before, during, and after such events. This will help determine what strategies might be useful to individuals or groups (see the section above on [[Building a trauma-informed organization#Physiological%20responses%20to%20threat|Physiological responses to threat]])
# Create a staff support plan that can be used in the event of a crisis.
# Create a crisis response team with clearly defined roles and responsibilities. It is crucial that the crisis team understands the psychosocial and mental health effects of trauma, how to provide support, and the options available to staff requiring specialized assessment and care.
# Prepare a list of internal and external resources available to staff in the organization. Ensure that these lists are reviewed regularly and kept up to date.
# Develop communication plans that include how to inform staff members immediately about the nature of the event, how to protect themselves in case of danger, and how to keep them informed about the crisis.
# Practice responding to different crisis scenarios with all staff members.

==== During the crisis ====
'''Look'''

# Identify people who need immediate attention or support.
# Focus on safety.
# Pay attention to physical and emotional reactions.
# Be attentive to staff members who want to share their reactions.
# Assess how the crisis is impacting staff members’ decision making and abilities to fulfill their given roles and responsibilities.

'''Listen'''

# Listen with your eyes, ears and heart
# Pay attention to body language and words
# Validate staff reactions to the crisis
# Provide comfort and reassurance where possible
# Obtain multiple perspectives on the situation if possible

'''Link'''

# Remind staff members about the internal and external resources available to them if they need support
# When you suspect any staff member is having a difficult time dealing with his or her situation or having severe symptoms, recommend that they seek professional support
# Give permission for anyone who is severely impacted to step away from their responsibilities if possible and get the support/rest that they need.

==== After the crisis ====

# Debrief the event as an organization. Analyze how the incident occurred, how to prevent it from happening again, and what measures must be taken in the meantime to control the risk.
# Consult with staff members about the effectiveness of the existing plan. Update the procedures and protocols as necessary.
# Follow-up with staff about how they were impacted by the incident, and what ongoing needs them might have.
# Make adjustments to work schedules according to staff capacity and needs.

== Resources for building a trauma-informed organization ==

=== Articles ===
[https://hbr.org/2022/03/we-need-trauma-informed-workplaces We need trauma-informed workplaces] (Harvard Business Review, 2022)

For the past few years, we’ve been experiencing collective trauma. But trauma is not new in our organizations, and it’s not going away, either. Estimates are that six in 10 men and five in 10 women experience at least one trauma, and approximately 6% of the population will experience PTSD at some point in their lives. As we’ve seen the lines between work and home blur and a fundamental shift in our expectations of the places we work, organizations have struggled to provide the support and leadership that their employees and customers need. That’s why it’s so important that they take steps now to build the cultures that can see them through this crisis and the ones we’ll all inevitably face in the future. To do that, we need to build trauma-informed organizations. A trauma-informed organization is one that operates with an understanding of trauma and its negative effects on the organization’s employees and the communities it serves and works to mitigate those effects. It may not be possible to predict or avoid the next crisis our organizations will face. However, with forethought, planning, and commitment, we can be prepared to meet the next challenge — whatever it may be — and come through it stronger.

[https://pubmed.ncbi.nlm.nih.gov/18181708/ Five essential elements of immediate and mid-term mass trauma intervention: empirical evidence] (Stevan E Hobfoll, 2007)

Given the devastation caused by disasters and mass violence, it is critical that intervention policy be based on the most updated research findings. However, to date, no evidence-based consensus has been reached supporting a clear set of recommendations for intervention during the immediate and the mid-term post mass trauma phases. Because it is unlikely that there will be evidence in the near or mid-term future from clinical trials that cover the diversity of disaster and mass violence circumstances, we assembled a worldwide panel of experts on the study and treatment of those exposed to disaster and mass violence to extrapolate from related fields of research, and to gain consensus on intervention principles. We identified five empirically supported intervention principles that should be used to guide and inform intervention and prevention efforts at the early to mid-term stages. These are promoting: 1) a sense of safety, 2) calming, 3) a sense of self- and community efficacy, 4) connectedness, and 5) hope.

[https://www.ictj.org/resource-library/%E2%80%98-search-people%E2%80%99s-well-being%E2%80%99-mainstreaming-psychosocial-approach-transitional ‘The Search for People’s Well-Being’: Mainstreaming a Psychosocial Approach to Transitional Justice] (ICTJ, 2024)

The field of transitional justice is increasingly recognizing the relevance of mental health and psychosocial support (MHPSS) in contexts of massive human rights violations. Despite growing advocacy and awareness at the global policy level, however, the field lacks a systematic approach to the issue. This study contributes to the development of such an approach, one that applies a psychosocial lens to analyze contexts, assess needs, and design and implement programming that has a positive impact on the well-being of victims and communities and broader social systems.

=== Assessment resources ===

* [https://ctrinstitute.com/trauma-informed-workplace-assessment/ Trauma-Informed Workplace Assessment] by the Crisis and Trauma Resource Institute
* [https://www.hca.wa.gov/assets/program/trauma-informed-self-assessment-national-council-for-behavioral-health.pdf Organizational Self-Assessment: Adoption of trauma-informed care practice] by the National Council for Behavioral Health
* [https://nhchc.org/wp-content/uploads/2020/12/NHCHC-TIO-Assessment-Manual.pdf Trauma-Informed Organization Assessment Manual](PDF) by National Healthcare for the Homeless Council (NHCHC), 2020
* [https://traumainformedoregon.org/tic-resources/creating-cultures-trauma-informed-care-cctic-self-assessment-planning-protocol/ Creating Cultures of Trauma-Informed Care (CCTIC): A Self-Assessment and Planning Protocol] - This assessment tool provides guidelines for agencies or programs interested in facilitating trauma-informed modifications in their service systems. For use by administrators, providers, and survivor-consumers in the development, implementation, evaluation, and ongoing monitoring of trauma-informed programs. (Source: Community Connections; Washington, D.C. Roger D. Fallot, Ph.D. and Maxine Harris, Ph.D., 2009)

=== Resource hub ===
[https://safeguardingsupporthub.org/what-rsh The Safeguarding Resource and Support Hub (RSH)] is a programme that aims to support organisations in the aid sector to strengthen their safeguarding policy and practice against Sexual Exploitation, Abuse and Sexual Harassment (SEAH). RSH supports organisations working in both the humanitarian and development sectors but is driven by the needs of smaller national or local organisations in developing countries. RSH has an Online Hub website available in English, Arabic, French and Swahili and is free for anyone working in the aid sector to use.

Security resources organized by topic

2024-08-09T17:35:59Z

Kristin1: /* Mitigation techniques for common threats to information */

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa#Be aware of spear phishing attacks|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

More info:

[[Ways to securely store and share files|Secure storage for sensitive information]]

[[Protect your accounts using strong passwords, pw managers, 2fa|Secure access to sensitive information]]

[[Secure your devices]]

How to collect and store information in a secure way

2024-08-05T19:09:50Z

Kristin1: /* Tools to collect information */ added tresorit

== Principles for protecting information ==

=== Enable (and use) multi-factor authentication on any accounts ===
If you are requiring someone to create an account in order to send you information, make sure that it's possible to protect that account by using multi-factor authentication. Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherent. Without multi-factor authentication, the information is only as protected as the strength of the user's password.

Learn more about two factor authentication here: [[Protect your accounts using strong passwords, pw managers, 2fa]]

=== Use end-to-end encryption for information in motion ===
When protecting information that is "in motion" (being transferred from one person/device to another), It's a good practice to use a tool that provides end-to-end encryption. End-to-end encryption (E2EE) is a type of information transfer or messaging that keeps the information private from everyone, including the messaging service. When E2EE is used, the information being transferred only appears in decrypted form for the person sending the message and the person receiving the message. [https://holistic-security.tacticaltech.org/chapters/explore/2-6-information-in-motion.html Learn more about protecting information in motion].

=== Host sensitive information with a company you trust ===
For things that are extremely sensitive and you don't need to actually need to use it (analyze it) or share it, you can always lock it away in an encrypted folder (using [https://www.veracrypt.fr/code/VeraCrypt/ VeraCrypt]) on any server. But for information that you want to organize, understand, analyze, use and share, you will want it more accessible than having it in an encrypted folder. For these cases, you will want to [[Trusted hosting companies in the human rights community|host your information with a company that you trust]].

== Tools to collect information ==

=== Tella app ===
[https://tella-app.org/ Tella] is a free app that is available for Android devices and will be available for iOS soon. It can be used by anyone who engages in collecting information on injustices. Tella allows users to produce high-quality documentation that can be used for research, advocacy or transitional justice. Tella can be connected to KoboToolbox, Uwazi, or another database platform to store, organize and analyze the information.

=== LimeSurvey ===
[https://www.limesurvey.org/ LimeSurvey] is a simple, quick and anonymous online survey tool. It is open source, allowing people to host LimeSurvey themselves. This self-hosted version is called LimeSurvey Community Edition, and all your data is stored on your or your provider’s server (usually the one where you installed LimeSurvey). You can also work with a [[Trusted hosting companies in the human rights community|web hosting company that you trust]] to host and manage this software for you, such as Greenhost.

=== SecureDrop ===
[https://securedrop.org/ SecureDrop] is an open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources. SecureDrop is available in 22 languages.

=== Globaleaks ===
[https://www.globaleaks.org/ GlobaLeaks] is free, open-source software enabling anyone to easily set up and maintain a secure whistleblowing platform. It is possible to host this software with [https://greenhost.net/products/managed/ Greenhost].

=== OnionShare ===
🧅 [https://onionshare.org OnionShare] is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network.

=== Tresorit ===
[https://tresorit.com/ Tresorit] offers ultra-secure encryption for cloud storage, encrypted file sharing & storage, and e‑signature within your organization and with external partners. They offer a [https://tresorit.com/nonprofit 50% discount for nonprofits].

== Tools to store information ==

=== Uwazi database to store information ===
[https://uwazi.io/ Uwazi] is a web-based tool designed for managing your data in one easy-to-search place. This open-source database application allows you to capture, organise and make sense of a set of facts, observations, testimonies, research, documents and more. You can work with a [[Trusted hosting companies in the human rights community|web hosting company that you trust]] to host and manage this software for you, such as Greenhost.

=== NextCloud ===
[https://nextcloud.com/about/ Nextcloud] Hub is the industry-leading, fully open-source, on-premises content collaboration platform. Teams access, share and edit their documents, chat and participate in video calls and manage their mail and calendar and projects across mobile, desktop and web interfaces. It is hosted and managed by [[Trusted hosting companies in the human rights community|Greenhost and other web hosting companies]].

== Ways to collect and store information ==

=== Tella to collect and Uwazi to store information ===
Organisations who already use Uwazi to store their information, can connect Tella to one or more of their databases to upload data. Using Tella for the information collection enables users who work offline to collect data, add it to the submission forms, save it and upload the information when it is convenient. In addition to the protection and encryption features, working in offline mode is a huge benefit for those who collect information in risky environments and areas with limited or no connectivity. [https://huridocs.org/2022/07/the-new-tella-app-lets-uwazi-users-document-violations-safely-and-while-offline/ More information]on the HURIDOCS website.

== Other tools ==
For more tools used for documenting human rights violations, see [[Tools for securely documenting human rights violations]]

To learn more about '''how to use Google Drive safely and alternatives to Google Drive''', see [[Ways to securely store and share files]]

Français (French)

2024-07-19T14:47:51Z

Kristin1: /* Cours en ligne (gratuit) */

== Assistance urgente ==
'''Service de sécurité numérique de la Helpline''' - La liste ci-dessous répertorie les domaines les plus courants pour lesquels l’équipe de la Helpline, assistera les utilisateurs exposés aux risques. Si le besoin/l’incident ne figure pas dans la liste, nous encourageons nos bénéficiaires à vérifier auprès de nous, car nous pourrons peut-être encore vous aider. https://www.accessnow.org/helpline-services-fr/?ignorelocale

== Guides pratiques ==
* '''Autodéfense Contre La Surveillance: Astuces, outils, et Guides pratiques pour des communications en ligne plus sécurisées''' https://ssd.eff.org/fr#index - Surveillance Self-Defense (Electronic Frontier Foundation)
** Créer des mots de passe robustes https://ssd.eff.org/fr/module/cr%C3%A9er-des-mots-de-passe-robustes

* '''Manuel de Sécurité (Front Line Defenders)''' https://www.frontlinedefenders.org/fr/manuel-de-s%C3%A9curit%C3%A9 - Le Manuel de Sécurité de Front Line Defenders vous explique comment élaborer un plan de sécurité – pour vous-même et pour votre organisation (pour les DDH qui travaillent dans des organisations). Il suit une approche systématique pour évaluer votre situation de sécurité et élaborer des stratégies et des tactiques pour réduire les risques et la vulnérabilité.

* '''Le Protocole de sécurité holistique pour les défenseurs des droits de l'homme (le Protocole du Défenseur)''' nous aide à améliorer notre sécurité physique, notre sécurité numérique, ainsi que notre bien-être et notre capacité de résilience. En suivant le ptorocole, nous renforçons notre sécurité individuelle et collective et pouvons réduire le fardeau des attaques, du harcèlement et de la censure qui pèse sur nous et nos communautés. https://openbriefing.gitbook.io/defenders-protocol/v/fr/

== Cours en ligne (gratuit) ==
* '''Cours de Totem sur les mots de passe sécurisés''' - Les mots de passe sont votre première ligne de défense en ligne, il est donc très important qu'ils soient longs et uniques. Mais comment pouvez-vous gérer cela pour tous vos comptes? Le cours vous guidera dans la configuration de KeePassXC, un gestionnaire de mots de passe qui facilite et sécurise la création et le stockage des mots de passe. Vous examinerez également l'authentification à deux facteurs (2FA), pour plus de sécurité. Vous devriez terminer le cours avec une solide stratégie de gestion des mots de passe qui protège vos comptes, sans prendre trop de temps (ou de ressources intellectuelles!). https://learn.totem-project.org/courses/course-v1:Totem+TP_SP_FR_001+cours/about
* '''Protégez vos périphériques''' - Il ne fait aucun doute que nos périphériques, smartphones, ordinateurs, montres connectées, etc. sont devenus notre interface avec le monde et nos principaux souvenirs. Nous dépendons d'eux au quotidien pour toutes sortes de choses, leur confiant souvent nos secrets les plus intimes. C'est pourquoi il est important de les sécuriser et de les protéger, ainsi que les données qu'ils contiennent. https://learn.totem-project.org/courses/course-v1:Totem+TP_SD_FR+01/about
* '''Le Hameçonnage''' - Les attaques par hameçonnage, cela concerne tout le monde. Malheureusement la plupart des gens ne s'y intéressent seulement une fois qu'ils en ont été victimes. Pour se protéger de ce type d'attaque, il faut commencer par identifier le message électronique (email, message Facebook, ou autre), vecteur de l'attaque avant de cliquer sur le lien ou de télécharger la ou les pièces jointes du message. Même si vous faites attention, une attaque par hameçonnage peut quand même réussir. Ne paniquez pas. Si vous avez cliqué sur un lien de hameçonnage et si un tiers a réussi à accéder à vos données, vous pouvez quand même minimiser les conséquences pour vous, vos collègues, vos amis ou votre famille. Dans ce cours, vous allez en apprendre plus sur les attaques par hameçonnage, en quoi elles consistent, comment vous pouvez les identifier et ce que vous pouvez faire si vous vous êtes fait hameçonner. https://learn.totem-project.org/courses/course-v1:Totem+TP_PM_FR001+cours/about

* '''Qui sont vos trolls?''' Bienvenue dans ce cours en ligne sur le harcèlement en ligne développé par l'IWMF, des experts en cybersécurité, des journalistes et des spécialistes des formations en ligne au cours de workshops et de sessions de travail communes. Le but: aider les journalistes à mieux appréhender le harcèlement en ligne, qui peut se cacher derrière les «trolls», et quelles sont les stratégies pour mieux s’en prémunir. https://learn.totem-project.org/courses/course-v1:IWMF+IWMF_OH_FR+001/about
* '''Protège ta vie privée!''' Bienvenue dans ce cours sur la vie privée en ligne développé par l’IWMF, des expert.e.s en cybersécurité, des journalistes et des spécialistes des formations en ligne. L’objectif de ce cours est d’aider les journalistes à évaluer quelles informations il est raisonnable de partager en ligne et la manière dont celles-ci pourront être ensuite utilisées contre eux pour les menacer. Les journalistes ont la difficile tâche de devoir être présent.e.s en ligne tout en devant se protéger face au cyberharcèlement et aux attaques en ligne. Ce cours leur fournit des conseils pratiques sur la manière de mieux se protéger, ainsi que leur famille. https://learn.totem-project.org/courses/course-v1:IWMF+IWMF_KP_FR+001/about
* '''Applications de messagerie Sécurisées''' - Les applications de messagerie dites instantanées sont devenues un outil de communication essentiel. Nous partageons une grande quantité de messages personnels et professionnels, de photos, de vidéos et de pièces jointes par le biais des applications de messagerie, mais nous nous demandons rarement qui pourrait avoir accès à ce contenu. Dans le cadre de votre travail, vous pourriez vouloir protéger vos communications avec vos collègues, vos sources ou vos clients. Dans votre vie personnelle, vous pourriez vouloir protéger les photos et les documents que vous partagez avec votre famille et vos amis. Il existe de nombreuses applications de messagerie différentes. Comment choisir celles qui vous conviennent? En matière de protection de la vie privée et de sécurité numérique, il n'existe pas de solution unique; tout est question de contexte. https://learn.totem-project.org/courses/course-v1:Totem+TP_SM_FR+cours/about
* '''Comment fonctionne Internet''' - Est-il encore possible d'imaginer votre vie sans Internet? Depuis une dizaine d'années, Internet s'est installé au centre de nombreux aspects de nos vies: communication, travail, recherche, opérations bancaires, shopping, stockage de photos et de vidéos. L'utilisation d'Internet est devenue presque incontournable. Dans ce cours, vous découvrirez l'infrastructure d'Internet - son fonctionnement, qui en est le propriétaire et comment faire des choix éclairés en fonction de vos besoins en matière de protection de la vie privée et de sécurité. https://learn.totem-project.org/courses/course-v1:Totem+TP_IP_FR+cours/about

Tous le cours https://learn.totem-project.org/courses

Security resources organized by topic

2024-07-05T14:45:01Z

Kristin1: /* Security planning */

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read '''[[General guidance for creating security plans and agreements]]''' and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

More info:

[[Ways to securely store and share files|Secure storage for sensitive information]]

[[Protect your accounts using strong passwords, pw managers, 2fa|Secure access to sensitive information]]

[[Secure your devices]]

Security resources organized by topic

2024-06-18T18:50:02Z

Kristin1: /* Security planning */

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# '''PREPARE: Prevention of threats''' - Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). This will include:
## Identify & assess the threats and your vulnerabilities
## Develop security policies and procedures
## Implement preventive measures
## Invest in Security Awareness Programs
## Conduct Security testing
# '''RESPOND: Emergency responses''' - Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. This will include:
## Build Incident Response Plan
## Communication Strategy
## Business continuity plan
## Disaster recovery plan (Data Backups and Recovery)
## Communication and Collaboration
# '''TREAT: Well-being considerations''' - Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work. This will include:
## Analyze lessons learned
## Recovery and Remediation
## Psychological safety considerations,
## Review and update your security plans and approach
For more information, read [[Index.php?title=general guidance for creating security plans and agreements|'''General guidance for creating security plans and agreements''']] and review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

Additional resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

More info:

[[Ways to securely store and share files|Secure storage for sensitive information]]

[[Protect your accounts using strong passwords, pw managers, 2fa|Secure access to sensitive information]]

[[Secure your devices]]

General guidance for creating security plans and agreements

2024-06-18T18:47:31Z

Kristin1:

=== Components of a security plan ===
As far as individual HRDs are concerned, a simple security plan may include the following sections:

* '''Objective (or activity, region, area of work, etc)'''

* '''Threats''' - ideally you will create a security plan for each threat

* '''PREPARE: Prevention of threats'''
** Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). Examples of prevention tactics might include encrypting a database of contacts so as to reduce the likelihood that it can be accessed by adversaries, or employing a security guard at the office so as to reduce the likelihood that it is broken into.
** Many of these tactics will reflect strategies of acceptance, deterrence and protection or self-defence. As such, they may include advocacy campaigns or other forms of engagement with the public or civilian and military authorities in order to raise consciousness and acceptance of the legitimacy of our work; strengthening of ties with our allies in order to raise the potential cost of aggressions against us, and any number of tactics which build our own capacities and agility in the face of the threats to our work which we have identified.
** In this section, consider the following activities:
*** Identify & assess the threats and your vulnerabilities: This involves systematically analyzing your assets (physically, digitally) to understand potential threats and knowing your vulnerabilities that could be exploited.
*** Develop security policies and procedures: Create clear policies outlining acceptable behavior regarding physical and digital security, and incident reporting.
*** Implement preventive measures: based on identified threats, implement safeguards procedures and tools, with considering staff training programs to minimize the potential threats impact.
*** Invest in Security Awareness Programs: regularly educate your staff/colleagues on the founded security plans and measures, this empowers them to identify, respond and report effectively.
*** Conduct Security testing: regularly assess the effectiveness of security measures through penetration testing (simulated attacks) and security drills. This helps identify weaknesses and refine procedures.

** '''TOOLS''': Devices and information - Devices and information refer to which devices we will depend on in order to carry out our work, and the tactics we will employ in order to ensure that our information and communication can not be accessed by others.

* '''RESPOND: Emergency responses'''
** Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. They generally have the aim of lessening the impact of the event and reducing the likelihood of further harm in its aftermath. Examples of emergency response tactics might include bringing a First Aid kit with you when travelling, in case of minor injuries, or a mask and goggles to a protest in case tear gas is used.
** Coordinating a response to an emergency always involves coordinating actions so digital communication is increasingly important. Decide what the most secure and effective means of communicating with each actor is in different scenarios and identify a back-up means too. Be aware that for emergencies, it might be useful to have clear guidelines on: what to communicate, which channels to use, and to whom.
** In this section, consider the following activities:
*** Build Incident Response Plan: develop a clear plan outlining actions to be taken in case of a security threat. This includes identifying the designated responders, notification procedures (internal teams, authorities), and containment strategies to mitigate impact.
*** Communication Strategy: Establish a communication plan for internal and external stakeholders during a security incident. This ensures timely and accurate information is disseminated, minimizing confusion and panic.
*** Business continuity plan: A strategy to ensure critical operations continue with minimal disruption during an incident.
*** Disaster recovery plan (Data Backups and Recovery): establish a specific plan for recovering IT systems and data, maintain robust data backup and recovery procedures to ensure business continuity in case of after a disaster like a fire, flood, or cyberattack.
*** Communication and Collaboration: effective communication and collaboration across teams are crucial for successful incident response and recovery.
*** Train your people: Regularly train staff on security policies, incident reporting procedures, and their roles during a contingency.

* '''TREAT: Well-being considerations'''
** Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work
** In this section, consider the following activities:
*** Analyze lessons learned: conduct a thorough assessment to understand the cause and scope of the security incidents. This helps identify your vulnerabilities, prevent future occurrences, and establish better prevention plans.
*** Recovery and Remediation: Implement measures to restore affected systems and data. This might involve patching vulnerabilities in software, restoring lost data from backups, and implementing additional security measures to prevent similar incidents.
*** Psychological safety considerations, give priority to those affected by incident, and ensure that appropriate care is provided to them if physically or psychologically injured, and treat with causes of the incident accordingly later.
*** Review and update your security plans and approach: Following an incident, review your security posture and update policies, procedures, and preventative measures based on the lessons learned.

=== Example of a basic security plan ===
Below is an example from [https://holistic-security.tacticaltech.org/media/chapters/pdfs/original/HS_3_Strategise_Chapter_3.pdf Holistic Security Manual] (see )

* '''Objective''': Mission to collect testimonies of victims of human rights abuses in a rural area.

* '''Threats'''
** Harassment or arrest by police.
** Confiscation of computer, mobile phone.
** Loss of data as a result.
** Compromising victims’ anonymity as a result.

* '''PREPARE: Prevention of threats'''
** Alert colleagues and friendly embassies and international organisations of the mission, its duration and location.
** Share contact details of local authorities/aggressors with embassies and international organisations.
** Check-in with colleagues every 12 hours.
** Testimonies will be saved to encrypted volume immediately after writing.
** Testimonies will be sent encrypted with GPG to colleagues every evening.
** Email inbox and sent folder will be cleaned from the device after use.
** Security indicators and check-ins will be shared over an encrypted messenger.
** '''Devices and information'''
*** Mobile phone with encrypted messenger and call apps.
*** Computer with encrypted volume and encrypting emails with GPG.

* '''RESPOND: Emergency responses'''
** Prepare an alert message (code) to send in case of surveillance/ being followed.
** Prepare an alert message (code) to send in case of arrest.
** Have lawyer’s number on speed-dial
** '''Emergency plan'''
*** In case of arrest, send alert message and call lawyer.
*** On receiving alert message, colleagues will alert friendly embassies and international organisations.
*** Ask for urgent appeals to be sent by international organisations to authorities.
*** Hand over password for encrypted volume if under threat of abuse.

* '''TREAT: Well-being considerations'''
** Eating in a decent local restaurant, at least twice a day.
** Switching off mobile phone and all other devices during mealtimes.
** Calling family over a secure channel to connect every evening

=== Templates and examples ===

* '''[https://drive.google.com/file/d/1rbzwGlZg6Fg6JHIVfx8StJlAc1MRPtDq/view?usp=sharing Unified Safety & Security Operating Procedure-Plan /or Agreement (PDF)]''' (or [https://docs.google.com/document/d/14gOQWbQdJ2nd3o9XW0gzZpw7neB2qBnO/edit?usp=sharing&ouid=116599388433607757970&rtpof=true&sd=true download the .docx version] of this document) -- This document is a collection of example security plans. It includes a number of risks, adding examples of mitigation strategies, prevention advice, and emergency procedures for the reader to benefit from as reference. It’s highly important to take into account the importance of modifying these risks in relation to the context area, while assessing the risks and developing strategies and procedures in a way that suits our capabilities and the ease of implementing on the ground.

=== Further reading ===

* [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html Holistic Security Manual: Creating security plans and agreements]

* [https://holistic-security.tacticaltech.org/chapters/strategise/3-4-security-in-groups-and-organisations.html Holistic Security Manual: Security in groups and organisations]

* [https://holistic-security.tacticaltech.org/chapters/strategise/3-5-assessing-organisational-security.html Tips for overcoming resistance to security planning]

Security resources organized by topic

2024-06-18T17:54:28Z

Kristin1: /* Security planning */

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# Prepare -- What can you do now to prepare for when this threat happens?
# Respond -- How will you and your team respond when the threat occurs?
# Treat -- How will you take care of your team after the threat has happened?
Prepare:
* Identify & assess the threats and your vulnerabilities: This involves systematically analyzing your assets (physically, digitally) to understand potential threats and knowing your vulnerabilities that could be exploited.
* Develop security policies and procedures: Create clear policies outlining acceptable behavior regarding physical and digital security, and incident reporting.
* Implement preventive measures: based on identified threats, implement safeguards procedures and tools, with considering staff training programs to minimize the potential threats impact.
* Invest in Security Awareness Programs: regularly educate your staff/colleagues on the founded security plans and measures, this empowers them to identify, respond and report effectively.
* Conduct Security testing: regularly assess the effectiveness of security measures through penetration testing (simulated attacks) and security drills. This helps identify weaknesses and refine procedures.

'''Respond:'''

* '''Build Incident Response Plan:''' develop a clear plan outlining actions to be taken in case of a security threat. This includes identifying the designated responders, notification procedures (internal teams, authorities), and containment strategies to mitigate impact.
* '''Communication Strategy:''' Establish a communication plan for internal and external stakeholders during a security incident. This ensures timely and accurate information is disseminated, minimizing confusion and panic.
* '''Business continuity plan:''' A strategy to ensure critical operations continue with minimal disruption during an incident.
* '''Disaster recovery plan (Data Backups and Recovery):''' establish a specific plan for recovering IT systems and data, maintain robust data backup and recovery procedures to ensure business continuity in case of after a disaster like a fire, flood, or cyberattack.
* '''Communication and Collaboration:''' effective communication and collaboration across teams are crucial for successful incident response and recovery.
* '''Train your people:''' Regularly train staff on security policies, incident reporting procedures, and their roles during a contingency.

'''Treat:'''

* '''Analyze lessons learned:''' conduct a thorough assessment to understand the cause and scope of the security incidents. This helps identify your vulnerabilities, prevent future occurrences, and establish better prevention plans.
* '''Recovery and Remediation''': Implement measures to restore affected systems and data. This might involve patching vulnerabilities in software, restoring lost data from backups, and implementing additional security measures to prevent similar incidents.
* '''psychological safety considerations,''' give priority to those affected by incident, and ensure that appropriate care is provided to them if physically or psychologically injured, and treat with causes of the incident accordingly later.
* '''Review and update your security plans and approach:''' Following an incident, review your security posture and update policies, procedures, and preventative measures based on the lessons learned.

Review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

[[General guidance for creating security plans and agreements]]

Resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

More info:

[[Ways to securely store and share files|Secure storage for sensitive information]]

[[Protect your accounts using strong passwords, pw managers, 2fa|Secure access to sensitive information]]

[[Secure your devices]]

Secure your devices

2024-06-18T17:09:06Z

Kristin1: /* Keep your device or operating system up-to-date with software updates */

== Keep your device or operating system up-to-date with software updates ==
When you buy a device or an operating system, keep it up-to-date with software updates. Updates will often fix security problems in older code that attacks can exploit. Note that some older phones and operating systems may no longer be supported, even for security updates. In particular, Microsoft has made it clear that versions of Windows Vista, XP, and below will not receive fixes for even severe security problems. This means that if you use these, you cannot expect them to be secure from attackers. The same is true for OS X before 10.11 or El Capitan. (Source: [https://ssd.eff.org/module/choosing-your-tools Electronic Frontier SSD])

=== Free, open source operating systems ===
If you cannot afford to purchase a licensed Windows or Mac operating system, you can use a free and open source operating system, such as:

'''[https://www.linuxmint.com/ Linux Mint]''' is an operating system for desktop and laptop computers. It is designed to work 'out of the box' and comes fully equipped with the apps most people need. Linux Mint works on most computers. It can also be run from a live USB stick to make sure everything works fine without having to install anything.

[https://tails.net/ '''Tails'''] is a portable operating system that protects against surveillance and censorship. To use Tails, shut down the computer and start on your Tails USB stick instead of starting on Windows, macOS, or Linux. You can temporarily turn your own computer into a secure machine. You can also '''.''' You can also stay safe while using the computer of somebody else'''.''' Tails is a 1.4 GB download and takes ½ hour to install. Tails can be installed on any USB stick of 8 GB minimum. Tails works on most computers less than 10 years old. You can start again on the other operating system after you s t down Tails. You don't have to worry about the computer having viruses because Tails runs independently from the other operating system and never uses the hard disk. But, Tails cannot always protect you if you install it from a computer with viruses or if you use it on a computer with malicious hardware, like keyloggers.

== Use antivirus or anti-malware ==

=== Advice ===
1. Know how to check if your antivirus or anti-malware app is working and updating itself.

2. Perform periodic manual scans.

3. Choose and run only one anti-malware app; if you run more than one on a device, they may interfere with each other.

[https://freedom.press/training/blog/what-about-antivirus/ What about antivirus?] Article by David Huerta (2020) of the Freedom of the Press Foundation Here's a good article
Excerpt: "Antivirus software is one of the oldest offerings available from the now billion-dollar cybersecurity industry. But what does antivirus software do to help protect our devices, what does it not do, and do we really need it?"

=== Antivirus software options ===

'''Windows'''
On Windows 10, Security in a Box recommends to turn on Windows's own anti-malware protection [https://securityplanner.consumerreports.org/tool/turn-on-windows-defender-antivirus Windows Defender]

'''Linux'''
On Linux you can manually scan your device for malware with [https://www.clamav.net/ ClamAV]. But be aware it is only a scanner, and will not monitor your system to protect you from infection. You can use it to determine whether or not a file or directory contains known malware — and it can be run from a USB memory stick in case you do not have permission to install software on the suspect computer. You may also consider using paid antivirus (e.g. ESET NOD32)

Software available on multiple operating systems that offer free versions:
* [https://www.bitdefender.com BitDefender] (Android, iOS, Mac, Windows) - Warning: This can be a heavy program for many computers.
* [https://www.malwarebytes.com/ Malwarebytes] (Android, iOS, Mac, Windows). Malwarebytes full version is free for 2 week, but you can manually scan your device without time limits.
* [https://www.avast.com/ Avast antivirus] (Android, iOS, Mac, Windows)

Not recommended:
* [https://www.avg.com/ AVG antivirus] (Android, iOS, Mac, Windows)
* [https://www.avira.com/en/free-antivirus Avira antivirus] (Android, iOS, Mac, Windows)

From the community: AVG, Avira were found to be running mining operations on consumers PC and they don't offer proper protection.

Note that all antivirus and anti-malware apps collect information on how the protected devices are being used. Some of this information may be shared with companies which own them. There have been cases where this information was sold to third parties.

== Full disk encryption ==

=== For computers ===
'''Apple''' provides a built-in, full-disk encryption feature on macOS called [[wikipedia:FileVault|FileVault]]. Guide: How to encrypt your [https://ssd.eff.org/module/how-encrypt-your-iphone iPhone] (available in 10+ languages)

'''Linux''' distributions usually offer full-disk encryption when you first set up your system.

'''Windows Vista or later''' includes a full-disk encryption feature called [https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/ BitLocker]. Guide: How to encrypt your [https://ssd.eff.org/module/how-encrypt-your-windows-device Windows device] (available in 10+ languages)

=== For smartphones and tablets ===
'''Apple''' devices such as the iPhone and iPad describe it as “Data Protection” and turn it on if you set a passcode.

'''Android''' offers full-disk encryption when you first set up your device on newer devices, or anytime afterwards under its “Security” settings for all devices.

=== Disk encryption vulnerabilities ===
There are some risks related to disk encryption that you need to consider before moving forward, and find ways to mitigate these risks:
# Data is exposed as soon as it leaves the protected disk
# Data is exposed in the clear if a user session is hijacked
# Data is exposed if device credentials are compromised
# All data is protected by a single key, which means that if you lose that one key, you lose access to the device

== Disable features that create vulnerabilities ==
'''iPhone and Mac devices offers [https://support.apple.com/en-us/HT212650 Lockdown Mode]''' - "When Lockdown Mode is enabled, your device won’t function like it typically does. To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all. Lockdown Mode is available in iOS 16, iPadOS 16, and macOS Ventura."

'''Android also offers a version of [https://www.zdnet.com/article/how-to-use-the-android-lockdown-mode-and-why-you-should/ Lockdown Mode]''' - "When lockdown mode is enabled, fingerprint sensors, facial recognition, and voice recognition do not function. Once you've activated lockdown mode, the only way to gain access to your device is either via PIN, password, or pattern. One thing you must know about lockdown mode is that it's a one-time thing. In other words, once you've enabled it, it will immediately be disabled upon successful login. That means you have to re-enable lockdown mode every time you want to use it."

== Separate your phone number from your device ==
[https://theintercept.com/2017/09/28/signal-tutorial-second-phone-number/ How to use signal without giving out your phone number] (article) - A step-by-step guide to protecting your private phone number while enjoying the security of encrypted texting app Signal.
----
''Last updated June 18, 2024''

Source for this content: [https://securityinabox.org/en/phones-and-computers/malware/#use-antivirus-or-anti-malware Security in a Box]'' , [https://ssd.eff.org/ Electronic Frontier SSD], and discussions with human rights security practitioners.''

Secure your devices

2024-06-18T15:13:36Z

Kristin1:

== Use licensed operating systems and software ==
Some general advice is almost always true, however. When you buy a device or an operating system, keep it up-to-date with software updates. Updates will often fix security problems in older code that attacks can exploit. Note that some older phones and operating systems may no longer be supported, even for security updates. In particular, Microsoft has made it clear that versions of Windows Vista, XP, and below will not receive fixes for even severe security problems. This means that if you use these, you cannot expect them to be secure from attackers. The same is true for OS X before 10.11 or El Capitan.

== Use antivirus or anti-malware ==

=== Advice ===
1. Know how to check if your antivirus or anti-malware app is working and updating itself.

2. Perform periodic manual scans.

3. Choose and run only one anti-malware app; if you run more than one on a device, they may interfere with each other.

[https://freedom.press/training/blog/what-about-antivirus/ What about antivirus?] Article by David Huerta (2020) of the Freedom of the Press Foundation Here's a good article
Excerpt: "Antivirus software is one of the oldest offerings available from the now billion-dollar cybersecurity industry. But what does antivirus software do to help protect our devices, what does it not do, and do we really need it?"

=== Antivirus software options ===

'''Windows'''
On Windows 10, Security in a Box recommends to turn on Windows's own anti-malware protection [https://securityplanner.consumerreports.org/tool/turn-on-windows-defender-antivirus Windows Defender]

'''Linux'''
On Linux you can manually scan your device for malware with [https://www.clamav.net/ ClamAV]. But be aware it is only a scanner, and will not monitor your system to protect you from infection. You can use it to determine whether or not a file or directory contains known malware — and it can be run from a USB memory stick in case you do not have permission to install software on the suspect computer. You may also consider using paid antivirus (e.g. ESET NOD32)

Software available on multiple operating systems that offer free versions:
* [https://www.bitdefender.com BitDefender] (Android, iOS, Mac, Windows) - Warning: This can be a heavy program for many computers.
* [https://www.malwarebytes.com/ Malwarebytes] (Android, iOS, Mac, Windows). Malwarebytes full version is free for 2 week, but you can manually scan your device without time limits.
* [https://www.avast.com/ Avast antivirus] (Android, iOS, Mac, Windows)

Not recommended:
* [https://www.avg.com/ AVG antivirus] (Android, iOS, Mac, Windows)
* [https://www.avira.com/en/free-antivirus Avira antivirus] (Android, iOS, Mac, Windows)

From the community: AVG, Avira were found to be running mining operations on consumers PC and they don't offer proper protection.

Note that all antivirus and anti-malware apps collect information on how the protected devices are being used. Some of this information may be shared with companies which own them. There have been cases where this information was sold to third parties.

== Full disk encryption ==

=== For computers ===
'''Apple''' provides a built-in, full-disk encryption feature on macOS called [[wikipedia:FileVault|FileVault]]. Guide: How to encrypt your [https://ssd.eff.org/module/how-encrypt-your-iphone iPhone] (available in 10+ languages)

'''Linux''' distributions usually offer full-disk encryption when you first set up your system.

'''Windows Vista or later''' includes a full-disk encryption feature called [https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/ BitLocker]. Guide: How to encrypt your [https://ssd.eff.org/module/how-encrypt-your-windows-device Windows device] (available in 10+ languages)

=== For smartphones and tablets ===
'''Apple''' devices such as the iPhone and iPad describe it as “Data Protection” and turn it on if you set a passcode.

'''Android''' offers full-disk encryption when you first set up your device on newer devices, or anytime afterwards under its “Security” settings for all devices.

=== Disk encryption vulnerabilities ===
There are some risks related to disk encryption that you need to consider before moving forward, and find ways to mitigate these risks:
# Data is exposed as soon as it leaves the protected disk
# Data is exposed in the clear if a user session is hijacked
# Data is exposed if device credentials are compromised
# All data is protected by a single key, which means that if you lose that one key, you lose access to the device

== Disable features that create vulnerabilities ==
'''iPhone and Mac devices offers [https://support.apple.com/en-us/HT212650 Lockdown Mode]''' - "When Lockdown Mode is enabled, your device won’t function like it typically does. To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all. Lockdown Mode is available in iOS 16, iPadOS 16, and macOS Ventura."

'''Android also offers a version of [https://www.zdnet.com/article/how-to-use-the-android-lockdown-mode-and-why-you-should/ Lockdown Mode]''' - "When lockdown mode is enabled, fingerprint sensors, facial recognition, and voice recognition do not function. Once you've activated lockdown mode, the only way to gain access to your device is either via PIN, password, or pattern. One thing you must know about lockdown mode is that it's a one-time thing. In other words, once you've enabled it, it will immediately be disabled upon successful login. That means you have to re-enable lockdown mode every time you want to use it."

== Separate your phone number from your device ==
[https://theintercept.com/2017/09/28/signal-tutorial-second-phone-number/ How to use signal without giving out your phone number] (article) - A step-by-step guide to protecting your private phone number while enjoying the security of encrypted texting app Signal.
----
''Last updated June 18, 2024''

Source for this content: [https://securityinabox.org/en/phones-and-computers/malware/#use-antivirus-or-anti-malware Security in a Box]'' , [https://ssd.eff.org/ Electronic Frontier SSD], and discussions with human rights security practitioners.''

Building a trauma-informed organization

2024-06-17T12:21:51Z

Kristin1: /* Resources for building a trauma-informed organization */

== Key principles of a trauma-informed approach ==
There are six key principles of a trauma-informed approach:

# Safety
# Trustworthiness and transparency
# Peer support
# Collaboration and mutuality
# Empowerment, voice, and choice
# Cultural, historical, and gender issues

=== Safety ===
Safety considers both the physical and emotional safety of staff and individuals with which we work. Physical safety can include:

* Physical space for trainings
* Accessibility of work spaces
* Timing of workshops/training

Emotional safety requires constant feedback from staff and individuals to ensure their physical safety needs are met. For instance, supervisors conduct regular check-ins to ask about workload, mental health, needs, etc.

=== Trustworthiness and transparency ===
Trustworthiness and transparency involves providing clear information about what is being done, by whom, when, and why. This can include job descriptions, roles clarity, expectations. It also means maintaining respectful boundaries, prioritizing privacy and confidentiality. It can include:

* Providing the people we work with the reports we write that involve them
* Involving the people we work with in decision-making about the project
* Providing a clear job description and expectations to staff

=== Peer Support ===
Peer Support and mutual self-help establish safety, hope, trust. “Peers” refers to people who have shared experiences of trauma or stress. It also acknowledges that the trauma itself may be used as a galvanizing tool for action, solidarity, etc.

=== Collaboration and mutuality ===
Collaboration and mutuality levels power differences between staff and those who we work with. It demonstrates that healing can happen in relationships and in meaningful sharing of power. The organization recognizes that everyone has an important role to play. It is the attitude of doing something “with” someone, not “to” or “for”. It emphasizes autonomy and agency.

=== Empowerment, voice and choice ===
Empowerment, voice and choice requires the organization to place people above projects. The organization seeks to empower both staff and stakeholders. It allows those we work with decision-making power, a voice in our projects, the ability to say no without fear of punishment or ostracization. It also focuses on individual’s strengths over weaknesses.

=== Cultural, historical and gender issues ===
Cultural, historical and gender issues involves the organization conscientiously acknowledging the role it has played in perpetuating harm (e.g. the aid sector or “international development” and the consequences of that) as well as structural forms of racism, ableism, sexism, etc. It moves past acknowledgement into action: how can we transform the organization and those within it to ensure that we are not upholding harmful stereotypes, world systems, or oppression?

All six principles are intertwined and do not exist in a vacuum. They are interdependent.

== What is a trauma-informed organization? ==
"A trauma-informed organization is one that operates with an understanding of trauma and its negative effects on the organization’s employees and the communities it serves and works to mitigate those effects." (Source: [https://hbr.org/2022/03/we-need-trauma-informed-workplaces Harvard Business Review])

'''Trauma-informed organizations are able to:'''

* Realize the impact of trauma
* Recognize the signs and symptoms
* Respond by integrating this knowledge into policies, procedures, practices
* Resist re-traumatization

== Recognize the signs and symptoms ==

=== Physiological responses to threat ===
Humans, like all animals, have built-in responses to threats that have helped us survive as we’ve evolved as a species. When we perceive acute danger, many of these responses kick in without our being able to control them: they are hard-wired to our bodies and minds.

* '''The 'freeze response'''' is when a person becomes utterly still while remaining highly alert and poised for action. This response relies on escaping notice until the danger has passed. For example, we might cease the work that we are doing, stop communicating through our usual channels, or reduce communication with someone with whom we are in conflict. In each case, we are hoping that the unwelcome attention will pass if we become inactive.
* '''The 'flight response'''' is when a person quickly tries to get as far away from the danger as possible. We might move our operations to a safer location, abandon certain activities or modes of communication, or separate ourselves from people who might cause us harm.
* '''The 'comply response'''' involves doing what an aggressor instructs in the hope that our cooperation will result in the attack ending quickly and without injury. We might agree to suspend or abandon certain objectives or activities, or give up passwords to secure information.
* '''The 'tend response'''' happens when people try to protect other, more vulnerable people who are being victimized. Many human rights defenders are motivated to help others because of our own experiences of oppression and exploitation.
* '''The 'befriend response'''' involves trying to build some kind of relationship with the aggressor in the hope that this will limit the harm perpetrated against oneself or others. For example, by telling aggressors about our families we might try to humanize ourselves in their eyes, a strategy that is sometimes useful in reducing violence.
* '''The 'posture response'''' is an attempt to drive off the danger by pretending to have greater power than one actually does. As human rights defenders, we often threaten to expose threats of violence in order to publicly embarrass our adversaries.
* '''The 'fight response'''' is when a person attacks with the intent of driving off or destroying an aggressor. (There are many ways to fight, and we all make our own ethical choices about this.)

If we have been through dangerous, stressful or traumatic experiences, sometimes these reactions can kick in when we are stressed or frightened, even if there is no 'real' danger present. Therefore, it is a good idea to look for indicators in our behavior when we are under stress, and to work with them in order to reduce our stress.

(Source: [https://holistic-security.tacticaltech.org/ckeditor_assets/attachments/60/holisticsecurity_trainersmanual.pdf Holistic Security Training Manual], page 53)

=== Group responses to threat ===
Threats and stress affect group dynamics in a number of ways, and this varies greatly due to organizational culture and many other factors. There are some common reactions, however. Consider these potential changes to group dynamics under stress and see if they resonate.

# <u>'''Harder group boundaries'''</u> - One predictable change experienced by groups under threat is the boundaries that define the group becoming less permeable. Those within the group become more closely connected to each other, and those outside the group become more distant. It also becomes more difficult for people to join or leave the group. While such changes can be protective, there are also some potential difficulties with this. The impermeable boundaries of the group may distance the group from existing and potential allies, leaving it more isolated than it might otherwise be. These boundaries also reduce the flow of information into and out of the group. This may result in members of the group being less informed than they might otherwise have been, and having fewer opportunities to check their perception of the world with those ‘outside’ of their group. Less permeable boundaries also make it difficult to leave groups. Members who wish to leave might be branded as traitors or sell-outs in a way that is harmful to the individual and those perceived to be his or her allies. It is very helpful for groups to regularly discuss the ways in which people and information enter and leave the group, and how to manage this in a holistic way that truly promotes security.
# <u>'''Fixed patterns'''</u> - Secondly, patterns of behaviour become more fixed and harder to change. This makes it more difficult for members of the group to question (supposedly) shared beliefs, or challenge the behaviour of other members. When we lose the ability to question each others’ assumptions or point out potentially unhealthy behaviours, our ability to constructively and compassionately build group security is greatly compromised. For this reason, it is important for groups to regularly revisit and discuss their shared values in an honest way.
# <u>'''Authoritarianism'''</u> - A third predictable change relates to leadership and power dynamics within groups. When groups feel unsafe, group members tolerate greater authoritarianism from leaders or more powerful members of the group. This results in reduced levels of information exchange within the group, and fewer opportunities for group members to check their perceptions of the world with other members of their team. In extreme cases, powerful members of the group may become abusive, and the increased rigidity of the group boundaries may prevent victims of such abuse from escaping. Again, it is important for groups to talk about power dynamics and leadership styles on a regular basis, and to make sure that every person has an opportunity to contribute.

Looking into the links between decision-making processes and security, we should not underestimate the positive effects of having fair and transparent decision-making processes. If a group has shared knowledge and responsibilities, it reduces the impact when perpetrators target the leaders of a group.

(Source: [https://holistic-security.tacticaltech.org/ckeditor_assets/attachments/60/holisticsecurity_trainersmanual.pdf Holistic Security Training Manual], page 57)

== Respond by integrating knowledge into policies, procedures, practices ==

=== Crisis management ===
Being prepared to handle crisis situations is a crucial part of the organization’s commitment to protecting the physical and emotional well-being of its staff.

Conveys a strong message that staff safety is a top priority.

==== Before the crisis (preparedness) ====

# Determine what types of crisis events might be faced by an organization, and develop a list of potential risks.
# Gain an understanding of how staff respond to crisis events and what stress reactions they might have before, during, and after such events. This will help determine what strategies might be useful to individuals or groups (see the section above on [[Building a trauma-informed organization#Physiological%20responses%20to%20threat|Physiological responses to threat]])
# Create a staff support plan that can be used in the event of a crisis.
# Create a crisis response team with clearly defined roles and responsibilities. It is crucial that the crisis team understands the psychosocial and mental health effects of trauma, how to provide support, and the options available to staff requiring specialized assessment and care.
# Prepare a list of internal and external resources available to staff in the organization. Ensure that these lists are reviewed regularly and kept up to date.
# Develop communication plans that include how to inform staff members immediately about the nature of the event, how to protect themselves in case of danger, and how to keep them informed about the crisis.
# Practice responding to different crisis scenarios with all staff members.

==== During the crisis ====
'''Look'''

# Identify people who need immediate attention or support.
# Focus on safety.
# Pay attention to physical and emotional reactions.
# Be attentive to staff members who want to share their reactions.
# Assess how the crisis is impacting staff members’ decision making and abilities to fulfill their given roles and responsibilities.

'''Listen'''

# Listen with your eyes, ears and heart
# Pay attention to body language and words
# Validate staff reactions to the crisis
# Provide comfort and reassurance where possible
# Obtain multiple perspectives on the situation if possible

'''Link'''

# Remind staff members about the internal and external resources available to them if they need support
# When you suspect any staff member is having a difficult time dealing with his or her situation or having severe symptoms, recommend that they seek professional support
# Give permission for anyone who is severely impacted to step away from their responsibilities if possible and get the support/rest that they need.

==== After the crisis ====

# Debrief the event as an organization. Analyze how the incident occurred, how to prevent it from happening again, and what measures must be taken in the meantime to control the risk.
# Consult with staff members about the effectiveness of the existing plan. Update the procedures and protocols as necessary.
# Follow-up with staff about how they were impacted by the incident, and what ongoing needs them might have.
# Make adjustments to work schedules according to staff capacity and needs.

== Resources for building a trauma-informed organization ==

=== Articles ===
[https://hbr.org/2022/03/we-need-trauma-informed-workplaces We need trauma-informed workplaces] (Harvard Business Review, 2022)

For the past few years, we’ve been experiencing collective trauma. But trauma is not new in our organizations, and it’s not going away, either. Estimates are that six in 10 men and five in 10 women experience at least one trauma, and approximately 6% of the population will experience PTSD at some point in their lives. As we’ve seen the lines between work and home blur and a fundamental shift in our expectations of the places we work, organizations have struggled to provide the support and leadership that their employees and customers need. That’s why it’s so important that they take steps now to build the cultures that can see them through this crisis and the ones we’ll all inevitably face in the future. To do that, we need to build trauma-informed organizations. A trauma-informed organization is one that operates with an understanding of trauma and its negative effects on the organization’s employees and the communities it serves and works to mitigate those effects. It may not be possible to predict or avoid the next crisis our organizations will face. However, with forethought, planning, and commitment, we can be prepared to meet the next challenge — whatever it may be — and come through it stronger.

=== Assessment resources ===

* [https://ctrinstitute.com/trauma-informed-workplace-assessment/ Trauma-Informed Workplace Assessment] by the Crisis and Trauma Resource Institute
* [https://www.hca.wa.gov/assets/program/trauma-informed-self-assessment-national-council-for-behavioral-health.pdf Organizational Self-Assessment: Adoption of trauma-informed care practice] by the National Council for Behavioral Health
* [https://nhchc.org/wp-content/uploads/2020/12/NHCHC-TIO-Assessment-Manual.pdf Trauma-Informed Organization Assessment Manual](PDF) by National Healthcare for the Homeless Council (NHCHC), 2020
* [https://traumainformedoregon.org/tic-resources/creating-cultures-trauma-informed-care-cctic-self-assessment-planning-protocol/ Creating Cultures of Trauma-Informed Care (CCTIC): A Self-Assessment and Planning Protocol] - This assessment tool provides guidelines for agencies or programs interested in facilitating trauma-informed modifications in their service systems. For use by administrators, providers, and survivor-consumers in the development, implementation, evaluation, and ongoing monitoring of trauma-informed programs. (Source: Community Connections; Washington, D.C. Roger D. Fallot, Ph.D. and Maxine Harris, Ph.D., 2009)

=== Resource hub ===
[https://safeguardingsupporthub.org/what-rsh The Safeguarding Resource and Support Hub (RSH)] is a programme that aims to support organisations in the aid sector to strengthen their safeguarding policy and practice against Sexual Exploitation, Abuse and Sexual Harassment (SEAH). RSH supports organisations working in both the humanitarian and development sectors but is driven by the needs of smaller national or local organisations in developing countries. RSH has an Online Hub website available in English, Arabic, French and Swahili and is free for anyone working in the aid sector to use.

Security resources organized by topic

2024-06-14T17:56:42Z

Kristin1: /* Security planning */

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. There are three main areas to consider when developing any security plans:

# Prepare
# Respond
# TreatPrepare:

* Identify & assess the threats and your vulnerabilities: This involves systematically analyzing your assets (physically, digitally) to understand potential threats and knowing your vulnerabilities that could be exploited.
* Develop security policies and procedures: Create clear policies outlining acceptable behavior regarding physical and digital security, and incident reporting.
* Implement preventive measures: based on identified threats, implement safeguards procedures and tools, with considering staff training programs to minimize the potential threats impact.
* Invest in Security Awareness Programs: regularly educate your staff/colleagues on the founded security plans and measures, this empowers them to identify, respond and report effectively.
* Conduct Security testing: regularly assess the effectiveness of security measures through penetration testing (simulated attacks) and security drills. This helps identify weaknesses and refine procedures.

'''Respond:'''

* '''Build Incident Response Plan:''' develop a clear plan outlining actions to be taken in case of a security threat. This includes identifying the designated responders, notification procedures (internal teams, authorities), and containment strategies to mitigate impact.
* '''Communication Strategy:''' Establish a communication plan for internal and external stakeholders during a security incident. This ensures timely and accurate information is disseminated, minimizing confusion and panic.
* '''Business continuity plan:''' A strategy to ensure critical operations continue with minimal disruption during an incident.
* '''Disaster recovery plan (Data Backups and Recovery):''' establish a specific plan for recovering IT systems and data, maintain robust data backup and recovery procedures to ensure business continuity in case of after a disaster like a fire, flood, or cyberattack.
* '''Communication and Collaboration:''' effective communication and collaboration across teams are crucial for successful incident response and recovery.
* '''Train your people:''' Regularly train staff on security policies, incident reporting procedures, and their roles during a contingency.

'''Treat:'''

* '''Analyze lessons learned:''' conduct a thorough assessment to understand the cause and scope of the security incidents. This helps identify your vulnerabilities, prevent future occurrences, and establish better prevention plans.
* '''Recovery and Remediation''': Implement measures to restore affected systems and data. This might involve patching vulnerabilities in software, restoring lost data from backups, and implementing additional security measures to prevent similar incidents.
* '''psychological safety considerations,''' give priority to those affected by incident, and ensure that appropriate care is provided to them if physically or psychologically injured, and treat with causes of the incident accordingly later.
* '''Review and update your security plans and approach:''' Following an incident, review your security posture and update policies, procedures, and preventative measures based on the lessons learned.

Review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

[[General guidance for creating security plans and agreements]]

Resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

More info:

[[Ways to securely store and share files|Secure storage for sensitive information]]

[[Protect your accounts using strong passwords, pw managers, 2fa|Secure access to sensitive information]]

[[Secure your devices]]

Building a trauma-informed organization

2024-06-14T17:16:49Z

Kristin1: added trauma-informed principles

== Key principles of a trauma-informed approach ==
There are six key principles of a trauma-informed approach:

# Safety
# Trustworthiness and transparency
# Peer support
# Collaboration and mutuality
# Empowerment, voice, and choice
# Cultural, historical, and gender issues

=== Safety ===
Safety considers both the physical and emotional safety of staff and individuals with which we work. Physical safety can include:

* Physical space for trainings
* Accessibility of work spaces
* Timing of workshops/training

Emotional safety requires constant feedback from staff and individuals to ensure their physical safety needs are met. For instance, supervisors conduct regular check-ins to ask about workload, mental health, needs, etc.

=== Trustworthiness and transparency ===
Trustworthiness and transparency involves providing clear information about what is being done, by whom, when, and why. This can include job descriptions, roles clarity, expectations. It also means maintaining respectful boundaries, prioritizing privacy and confidentiality. It can include:

* Providing the people we work with the reports we write that involve them
* Involving the people we work with in decision-making about the project
* Providing a clear job description and expectations to staff

=== Peer Support ===
Peer Support and mutual self-help establish safety, hope, trust. “Peers” refers to people who have shared experiences of trauma or stress. It also acknowledges that the trauma itself may be used as a galvanizing tool for action, solidarity, etc.

=== Collaboration and mutuality ===
Collaboration and mutuality levels power differences between staff and those who we work with. It demonstrates that healing can happen in relationships and in meaningful sharing of power. The organization recognizes that everyone has an important role to play. It is the attitude of doing something “with” someone, not “to” or “for”. It emphasizes autonomy and agency.

=== Empowerment, voice and choice ===
Empowerment, voice and choice requires the organization to place people above projects. The organization seeks to empower both staff and stakeholders. It allows those we work with decision-making power, a voice in our projects, the ability to say no without fear of punishment or ostracization. It also focuses on individual’s strengths over weaknesses.

=== Cultural, historical and gender issues ===
Cultural, historical and gender issues involves the organization conscientiously acknowledging the role it has played in perpetuating harm (e.g. the aid sector or “international development” and the consequences of that) as well as structural forms of racism, ableism, sexism, etc. It moves past acknowledgement into action: how can we transform the organization and those within it to ensure that we are not upholding harmful stereotypes, world systems, or oppression?

All six principles are intertwined and do not exist in a vacuum. They are interdependent.

== What is a trauma-informed organization? ==
"A trauma-informed organization is one that operates with an understanding of trauma and its negative effects on the organization’s employees and the communities it serves and works to mitigate those effects." (Source: [https://hbr.org/2022/03/we-need-trauma-informed-workplaces Harvard Business Review])

'''Trauma-informed organizations are able to:'''

* Realize the impact of trauma
* Recognize the signs and symptoms
* Respond by integrating this knowledge into policies, procedures, practices
* Resist re-traumatization

== Recognize the signs and symptoms ==

=== Physiological responses to threat ===
Humans, like all animals, have built-in responses to threats that have helped us survive as we’ve evolved as a species. When we perceive acute danger, many of these responses kick in without our being able to control them: they are hard-wired to our bodies and minds.

* '''The 'freeze response'''' is when a person becomes utterly still while remaining highly alert and poised for action. This response relies on escaping notice until the danger has passed. For example, we might cease the work that we are doing, stop communicating through our usual channels, or reduce communication with someone with whom we are in conflict. In each case, we are hoping that the unwelcome attention will pass if we become inactive.
* '''The 'flight response'''' is when a person quickly tries to get as far away from the danger as possible. We might move our operations to a safer location, abandon certain activities or modes of communication, or separate ourselves from people who might cause us harm.
* '''The 'comply response'''' involves doing what an aggressor instructs in the hope that our cooperation will result in the attack ending quickly and without injury. We might agree to suspend or abandon certain objectives or activities, or give up passwords to secure information.
* '''The 'tend response'''' happens when people try to protect other, more vulnerable people who are being victimized. Many human rights defenders are motivated to help others because of our own experiences of oppression and exploitation.
* '''The 'befriend response'''' involves trying to build some kind of relationship with the aggressor in the hope that this will limit the harm perpetrated against oneself or others. For example, by telling aggressors about our families we might try to humanize ourselves in their eyes, a strategy that is sometimes useful in reducing violence.
* '''The 'posture response'''' is an attempt to drive off the danger by pretending to have greater power than one actually does. As human rights defenders, we often threaten to expose threats of violence in order to publicly embarrass our adversaries.
* '''The 'fight response'''' is when a person attacks with the intent of driving off or destroying an aggressor. (There are many ways to fight, and we all make our own ethical choices about this.)

If we have been through dangerous, stressful or traumatic experiences, sometimes these reactions can kick in when we are stressed or frightened, even if there is no 'real' danger present. Therefore, it is a good idea to look for indicators in our behavior when we are under stress, and to work with them in order to reduce our stress.

(Source: [https://holistic-security.tacticaltech.org/ckeditor_assets/attachments/60/holisticsecurity_trainersmanual.pdf Holistic Security Training Manual], page 53)

=== Group responses to threat ===
Threats and stress affect group dynamics in a number of ways, and this varies greatly due to organizational culture and many other factors. There are some common reactions, however. Consider these potential changes to group dynamics under stress and see if they resonate.

# <u>'''Harder group boundaries'''</u> - One predictable change experienced by groups under threat is the boundaries that define the group becoming less permeable. Those within the group become more closely connected to each other, and those outside the group become more distant. It also becomes more difficult for people to join or leave the group. While such changes can be protective, there are also some potential difficulties with this. The impermeable boundaries of the group may distance the group from existing and potential allies, leaving it more isolated than it might otherwise be. These boundaries also reduce the flow of information into and out of the group. This may result in members of the group being less informed than they might otherwise have been, and having fewer opportunities to check their perception of the world with those ‘outside’ of their group. Less permeable boundaries also make it difficult to leave groups. Members who wish to leave might be branded as traitors or sell-outs in a way that is harmful to the individual and those perceived to be his or her allies. It is very helpful for groups to regularly discuss the ways in which people and information enter and leave the group, and how to manage this in a holistic way that truly promotes security.
# <u>'''Fixed patterns'''</u> - Secondly, patterns of behaviour become more fixed and harder to change. This makes it more difficult for members of the group to question (supposedly) shared beliefs, or challenge the behaviour of other members. When we lose the ability to question each others’ assumptions or point out potentially unhealthy behaviours, our ability to constructively and compassionately build group security is greatly compromised. For this reason, it is important for groups to regularly revisit and discuss their shared values in an honest way.
# <u>'''Authoritarianism'''</u> - A third predictable change relates to leadership and power dynamics within groups. When groups feel unsafe, group members tolerate greater authoritarianism from leaders or more powerful members of the group. This results in reduced levels of information exchange within the group, and fewer opportunities for group members to check their perceptions of the world with other members of their team. In extreme cases, powerful members of the group may become abusive, and the increased rigidity of the group boundaries may prevent victims of such abuse from escaping. Again, it is important for groups to talk about power dynamics and leadership styles on a regular basis, and to make sure that every person has an opportunity to contribute.

Looking into the links between decision-making processes and security, we should not underestimate the positive effects of having fair and transparent decision-making processes. If a group has shared knowledge and responsibilities, it reduces the impact when perpetrators target the leaders of a group.

(Source: [https://holistic-security.tacticaltech.org/ckeditor_assets/attachments/60/holisticsecurity_trainersmanual.pdf Holistic Security Training Manual], page 57)

== Respond by integrating knowledge into policies, procedures, practices ==

=== Crisis management ===
Being prepared to handle crisis situations is a crucial part of the organization’s commitment to protecting the physical and emotional well-being of its staff.

Conveys a strong message that staff safety is a top priority.

==== Before the crisis (preparedness) ====

# Determine what types of crisis events might be faced by an organization, and develop a list of potential risks.
# Gain an understanding of how staff respond to crisis events and what stress reactions they might have before, during, and after such events. This will help determine what strategies might be useful to individuals or groups (see the section above on [[Building a trauma-informed organization#Physiological%20responses%20to%20threat|Physiological responses to threat]])
# Create a staff support plan that can be used in the event of a crisis.
# Create a crisis response team with clearly defined roles and responsibilities. It is crucial that the crisis team understands the psychosocial and mental health effects of trauma, how to provide support, and the options available to staff requiring specialized assessment and care.
# Prepare a list of internal and external resources available to staff in the organization. Ensure that these lists are reviewed regularly and kept up to date.
# Develop communication plans that include how to inform staff members immediately about the nature of the event, how to protect themselves in case of danger, and how to keep them informed about the crisis.
# Practice responding to different crisis scenarios with all staff members.

==== During the crisis ====
'''Look'''

# Identify people who need immediate attention or support.
# Focus on safety.
# Pay attention to physical and emotional reactions.
# Be attentive to staff members who want to share their reactions.
# Assess how the crisis is impacting staff members’ decision making and abilities to fulfill their given roles and responsibilities.

'''Listen'''

# Listen with your eyes, ears and heart
# Pay attention to body language and words
# Validate staff reactions to the crisis
# Provide comfort and reassurance where possible
# Obtain multiple perspectives on the situation if possible

'''Link'''

# Remind staff members about the internal and external resources available to them if they need support
# When you suspect any staff member is having a difficult time dealing with his or her situation or having severe symptoms, recommend that they seek professional support
# Give permission for anyone who is severely impacted to step away from their responsibilities if possible and get the support/rest that they need.

==== After the crisis ====

# Debrief the event as an organization. Analyze how the incident occurred, how to prevent it from happening again, and what measures must be taken in the meantime to control the risk.
# Consult with staff members about the effectiveness of the existing plan. Update the procedures and protocols as necessary.
# Follow-up with staff about how they were impacted by the incident, and what ongoing needs them might have.
# Make adjustments to work schedules according to staff capacity and needs.

== Resources for building a trauma-informed organization ==

=== Assessment resources ===

* [https://ctrinstitute.com/trauma-informed-workplace-assessment/ Trauma-Informed Workplace Assessment] by the Crisis and Trauma Resource Institute
* [https://www.hca.wa.gov/assets/program/trauma-informed-self-assessment-national-council-for-behavioral-health.pdf Organizational Self-Assessment: Adoption of trauma-informed care practice] by the National Council for Behavioral Health
* [https://nhchc.org/wp-content/uploads/2020/12/NHCHC-TIO-Assessment-Manual.pdf Trauma-Informed Organization Assessment Manual](PDF) by National Healthcare for the Homeless Council (NHCHC), 2020
* [https://traumainformedoregon.org/tic-resources/creating-cultures-trauma-informed-care-cctic-self-assessment-planning-protocol/ Creating Cultures of Trauma-Informed Care (CCTIC): A Self-Assessment and Planning Protocol] - This assessment tool provides guidelines for agencies or programs interested in facilitating trauma-informed modifications in their service systems. For use by administrators, providers, and survivor-consumers in the development, implementation, evaluation, and ongoing monitoring of trauma-informed programs. (Source: Community Connections; Washington, D.C. Roger D. Fallot, Ph.D. and Maxine Harris, Ph.D., 2009)

=== Resource hub ===
[https://safeguardingsupporthub.org/what-rsh The Safeguarding Resource and Support Hub (RSH)] is a programme that aims to support organisations in the aid sector to strengthen their safeguarding policy and practice against Sexual Exploitation, Abuse and Sexual Harassment (SEAH). RSH supports organisations working in both the humanitarian and development sectors but is driven by the needs of smaller national or local organisations in developing countries. RSH has an Online Hub website available in English, Arabic, French and Swahili and is free for anyone working in the aid sector to use.

Security resources organized by topic

2024-06-11T15:44:11Z

Kristin1: /* Security planning */ adding a section on building a culture of security

== Building awareness of how we respond to threat and stress ==
''Developing a useful security strategy is heavily dependent on our perception – we need to be able to identify and analyse threats in order to implement ways of avoiding or reducing them. But we all perceive the world around us differently based on our circumstances, experiences and many other factors. As a result, our perception can sometimes be hindered: threats which may be evident to some people may go unrecognised by others; similarly, we also need to be able to tell the difference between threats which are genuinely possible and those which we falsely perceive, called 'unfounded fears'. It's a good idea to become familiar with factors that condition our perceptions of threat, and consider ways that we can take these into account in our security planning.'' (Source: [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html Holistic Security Manual])

Resources:

* [https://holistic-security.tacticaltech.org/chapters/prepare/1-2-individual-responses-to-threat.html '''Exploring individual responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-4-team-and-peer-responses-to-threat.html '''Exploring group responses to threat'''] (Holistic Security Manual)
* [https://holistic-security.tacticaltech.org/chapters/prepare/1-5-communicating-about-threats-in-teams-and-organisations.html '''Communicating about security in teams and organizations'''] (Holistic Security Manual)

== Understanding our threats and context ==

=== Situation monitoring and analysis ===
Situation monitoring and analysis is the broadest kind of analysis of our context: observing the political, economic, social, technological, legal and environmental developments in society which are relevant to our work, and may impact our security situation. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-2-situation-monitoring-and-analysis.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/situational-monitoring-a-quick-pestle-analysis.html '''Pestle analysis'''] (Holistic Security Manual)

Tool: '''[https://tnr-research.uwazi.io/ Research Database on transnational repression]''' - This collection of research reports on transnational repression can help human rights defenders better understand:

* Transnational Repression (TNR) threats that are possible, to determine appropriate mitigation techniques
* Which TNR threats are unlikely, in order to alleviate fear
* What exiled HRDs can expect from a host country in terms of protection measures
* Existing campaigns to strengthen protection for exiled HRDs

=== Identifying, analyzing and prioritizing threats ===

==== Map the actors ====
''It is valuable to get a clear picture of all the actors in our environment (individuals, institutions, organizations, etc). Threats almost always come from someone or something. Knowing as much as we can about the actors in our context improves our perception of our environment and thereby, our ability to carry out activities to maintain or expand our space for work.'' (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-3-vision-strategy-and-actors.html Holistic Security Manual])

Exercise:

* [https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1.html '''Spectrum of allies'''] (Holistic Security Manual)
* [https://newtactics.org/resource/exercises-identifying-allies-opponents '''Spectrum of allies'''] (New Tactics in Human Rights project)

==== Brainstorm threats ====
This exercise is a first attempt at identifying the threats to yourself, your group or organization and your work in defense of human rights. This initial list of threats can then be refined so as to focus in more depth on the threats which are most likely or potentially most harmful. (Source: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-brainstorm.html '''Threat brainstorm'''] (Holistic Security Manual)

==== Analyzing risk, prioritizing threats ====
Threats can be viewed and categorized in light of the following: the likelihood that the threat will take place, and the impact if and when it does. Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. Categorizing threats can help to keep us from feeling overwhelmed and keep our perception of threats realistic. (Source: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html Holistic Security Manual])

Exercise: [https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html '''Threat matrix'''] (Holistic Security Manual)

Tools:

* The Ford Foundation’s [https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/ '''Cybersecurity Assessment Tool (CAT)'''] is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts. We have created this questionnaire with busy nontechnical grant makers, grantee partners, civil society organizations, and nonprofits in mind, and we hope it helps shine some light on a recommended path forward for any organization undertaking a cybersecurity journey

==== Analyze threats ====
This exercise will help you prioritize threats and divine the causes, ramifications, sources as well as the required resources, existing actions and possible next steps.

Exercise: [https://holistic-security.tacticaltech.org/exercises/explore/threat-inventory.html '''Threat inventory'''] (Holistic Security Manual)

== Risk mitigation ==
In order to build a response to the threats we face, we can consider them in terms of the factors which make us more or less susceptible to them. Read more in [https://holistic-security.tacticaltech.org/chapters/strategise/3-1-responding-to-threats.html this chapter of the Holistic Security Manual].

=== Mitigation techniques for common threats to information ===
{| class="wikitable"
|+
! Threat
!Mitigation techniques and links to guidance
|-
|Data loss
|
* [[Ways to securely store and share files|Have your information securely in the cloud or on a server]]
* Have a backup process
|-
|Compromised accounts
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
|-
|Device inspection at checkpoints
|
* [[Use a secure messaging app#Tip: use automatic disappearing messages|Use automated disappearing messages on your messaging apps]]
* [[Ways to securely store and share files|Have your sensitive information stored safely in the cloud and off of your device]]
* Hide or delete any apps that would provide access to this information (you can restore that app later)
|-
|Device confiscation or theft
|
* [[Secure your devices#Full disk encryption|Encrypt your devices]]
* And, review and adapt the same advice above for “device inspection” threat
|-
|Information handover
|
* [[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc)
|-
|Targeted malware or spyware
|
* [[Protect your accounts using strong passwords, pw managers, 2fa|Protect yourselves against (spear) phishing attacks]]
* Use a second device for sensitive activities
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]]
* [[Secure your devices|Use anti virus]]
* [[How to mitigate your risk of being subject to Pegasus surveillance]], and other spyware
|-
|Surveillance and monitoring
|
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser]]
* [[Use a secure messaging app]]
* [[How to collect and store information in a secure way]]
* [[Ways to securely store and share files|How to use Google Drive safely and alternatives to Google Drive]]
|-
|Website hacking and takeover
|
* [[Protect your website|Protect your website from DDOS attacks]]
* [[Trusted hosting companies in the human rights community|Use a host company that you trust]]
* And, review and adapt the same advice above for "compromised accounts"
|}
Other important considerations when collecting, storing, using sensitive information:
{| class="wikitable"
|+
!Consideration
!Resources
|-
|Make sure you have informed consent from the people you are collecting information
|[[Guidance on informed consent]]
|-
|
|
|-
|
|
|}
* [[Information Security for Human Rights Defenders]]

===Mitigation techniques for online harassment===
[[How to deal with online harassment and threats]]

==Security planning ==
Once we have clarity about the threats we face during our activities, we can begin to organize our security protocols into security plans or agreements. Review [https://holistic-security.tacticaltech.org/chapters/strategise/3-3-creating-security-plans-and-agreements.html this chapter of the Holistic Security Manual].

[[General guidance for creating security plans and agreements]]

Resources:

* Consumer Reports [https://securityplanner.consumerreports.org/ '''Security Planner'''] is a free, easy-to-use guide to staying safer online. It provides personalized recommendations and expert advice on topics such as keeping social media accounts from being hacked, locking down devices ranging from smartphones to home security cameras, and reducing intrusive tracking by websites.
* [https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0 '''NIST Cybersecurity Framework 2.0''']: Small Business Quick Start Guide - provides small-to-medium sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0. (by the ''National Institute of Standards and Technology)''

===Security planning on specific topics===

* [[General tips for international travel]]
* [[General tips for home security]]

== Building a culture of security within a team ==
[https://level-up.cc/ '''LevelUp'''] is a collection of resources for the global digital safety training community.

[https://wiki.orgsec.community/ '''Organisational security community wiki'''] is a resource created by and for security practitioners from all backgrounds to share useful resources and document innovative approaches to long-term security work.

==Resource collections ==
[https://digitalfirstaid.org/ '''Digital First Aid Kit'''] - The Digital First Aid Kit is a free resource to help rapid responders, digital security trainers, and tech-savvy activists to better protect themselves and the communities they support against the most common types of digital emergencies. It can also be used by activists, human rights defenders, bloggers, journalists or media activists who want to learn more about how they can protect themselves and support others. If you or someone you are assisting is experiencing a digital emergency, the Digital First Aid Kit will guide you in diagnosing the issues you are facing, and refer you to support providers for further help if needed.

[https://communitydocs.accessnow.org/ '''Access Now Help Desk documentation''']

[https://cyber-star.org/ '''CyberSTAR'''], by SecDev, makes it easier for small organizations and individuals to understand and manage digital safety by organizing it around six themes. This site presents learning resources to help you be safer online—plus teaching resources for digital safety trainers.

More info:

[[Ways to securely store and share files|Secure storage for sensitive information]]

[[Protect your accounts using strong passwords, pw managers, 2fa|Secure access to sensitive information]]

[[Secure your devices]]

Ways to securely store and share files

2024-06-10T18:20:46Z

Kristin1: /* Cryptpad Drive (alternative to Google) */

Like any group of people working on a project, human rights defenders need ways to easily share and work on digital files. Many of us use Google Drive to share and collaborate on documents with colleagues, but human rights defenders often wonder -- "Is Google Drive a secure platform to use for this?".

This page is meant to explain ways to use Google Drive and other alternatives for creating, storing, collaborating, and sharing files. To learn about additional tools to help you collect and store sensitive information securely, see this page: [[How to collect and store information in a secure way]]

== Google Drive and Google Workspace ==
If the Google company itself is not your adversary, their platform provides a lot of great free and low-cost tools for individuals and team. Google Drive includes many important security features, such as two factor authentication.

There are at least three different ways to set up the use the Google platform for file sharing and collaboration:

# Google Drive (which is mostly for individuals),
# Google Workspace for businesses
# Google for Nonprofits (which is basically Google Workspace, but free if you are an eligible <u>nonprofit</u> organization)

==== Google Drive (for individuals) ====
"Store, share, and collaborate on files and folders from your mobile device, tablet, or computer." Many of us already have personal email addresses on Google and this gives us automatic access to Google Drive for individuals. [https://www.google.com/drive/ More information on Google Drive.]

=== Google Workspace (for businesses) ===
For those organization in countries that are not eligible for Google for Nonprofits, you can consider purchasing Google Workspace for Businesses. [https://workspace.google.com/pricing.html Pricing] is around 12 USD per month per user. [https://workspace.google.com/ More information on Google Workspace].

=== Google for Nonprofits ===
Google for Nonprofits provides free tools to nonprofit organizations that allow them to work more quickly and efficiently reach a wider audience, spur more supporters to take action, and tell their story in a more compelling way. This offer is available to our community directly through Google, and it is made possible in part by TechSoup Validation Services. [https://www.techsoup.org/validation-services/?__hstc=241563805.f8b53c84c499be80aa290dd91d0bb736.1572459597322.1572459597322.1585783970635.2&__hssc=241563805.1.1585783970635&__hsfp=3015930617 Learn more] about how TechSoup works with leading companies to bring offers like this one to the nonprofit sector.

[https://support.google.com/nonprofits/answer/3215869?hl=en&ref_topic=3247288&sjid=5846275294374651668-NA Google for Nonprofits Eligibility Guidelines] (including the countries that your organization must be registered in)

=== Important considerations for making Google Drive more secure ===
For each of these Google file sharing options, you will want to make sure to:
* have all contributors use strong, unique passwords,
* have all contributors use two factor authentication, and
* create some policies around permissions and access levels to certain kinds of information, and policies around how to add and remove people from access.

== Proton (alternative to Google) ==
[https://proton.me/about Proton] was born in Switzerland in 2014 when a team of scientists who met at CERN (the European Organization for Nuclear Research) decided to build a better internet where privacy is the default.

=== Proton Drive ===
''[https://proton.me/drive Proton Drive] is an end-to-end encrypted Swiss vault for your files that protects your data. Proton Drive's strong encryption goes beyond other secure cloud solutions. End-to-end encryption ensures that no one, not even us, can access your files. Files, file names, folder names, and more, are all fully encrypted at rest and in transit to the secure cloud. Proton Drive's end-to-end encryption also works when sharing files and folders. Optional features like password protected files and expiring file sharing links enhance security even further. Best of all, there are no file size limits.''

[https://proton.me/support/drive-web-guide Proton Drive guide]

=== Proton for Business ===
[https://proton.me/business Secure business] email, calendar, VPN, and much more, built on the principle of your data, your rules. Pricing: about 11 USD per month per person.

== CryptPad (alternative to Google) ==
[https://cryptpad.org/ CryptPad] is a collaborative office suite that is end-to-end encrypted and open-source.

Flagship instance of [https://cryptpad.fr/ CryptPad], the end-to-end encrypted and open-source collaboration suite. Administered by the CryptPad development team. Encrypted data hosted in France. Free to use!

== Stackspin (alternative to Google) ==
[https://www.stackspin.net/ Stackspin], built and managed by Greenhost, is an online office suite in which you control your data. It includes everything a small organisation needs to get themselves organised. The Stackspin dashboard is a single place for installing and managing apps, adding and managing users, and customizing your Stackspin instance. The project is aimed at CSOs and individual activists that require online solutions and are weary of the corporate offering (or are keen to move away from them). They want these services hosted on a system that they can rely on, but do not need to maintain.
As of May 2023, the suite includes:

* NextCloud for file sharing
* Only Office for document collaboration
* Zulip for team chat
* Wordpress for website creation
* NextCloud for password management
* Wekan for task management

== Secure hosting companies for human rights defenders ==
See [[Trusted hosting companies in the human rights community]] >>

Ways to securely store and share files

2024-06-10T18:19:53Z

Kristin1:

Like any group of people working on a project, human rights defenders need ways to easily share and work on digital files. Many of us use Google Drive to share and collaborate on documents with colleagues, but human rights defenders often wonder -- "Is Google Drive a secure platform to use for this?".

This page is meant to explain ways to use Google Drive and other alternatives for creating, storing, collaborating, and sharing files. To learn about additional tools to help you collect and store sensitive information securely, see this page: [[How to collect and store information in a secure way]]

== Google Drive and Google Workspace ==
If the Google company itself is not your adversary, their platform provides a lot of great free and low-cost tools for individuals and team. Google Drive includes many important security features, such as two factor authentication.

There are at least three different ways to set up the use the Google platform for file sharing and collaboration:

# Google Drive (which is mostly for individuals),
# Google Workspace for businesses
# Google for Nonprofits (which is basically Google Workspace, but free if you are an eligible <u>nonprofit</u> organization)

==== Google Drive (for individuals) ====
"Store, share, and collaborate on files and folders from your mobile device, tablet, or computer." Many of us already have personal email addresses on Google and this gives us automatic access to Google Drive for individuals. [https://www.google.com/drive/ More information on Google Drive.]

=== Google Workspace (for businesses) ===
For those organization in countries that are not eligible for Google for Nonprofits, you can consider purchasing Google Workspace for Businesses. [https://workspace.google.com/pricing.html Pricing] is around 12 USD per month per user. [https://workspace.google.com/ More information on Google Workspace].

=== Google for Nonprofits ===
Google for Nonprofits provides free tools to nonprofit organizations that allow them to work more quickly and efficiently reach a wider audience, spur more supporters to take action, and tell their story in a more compelling way. This offer is available to our community directly through Google, and it is made possible in part by TechSoup Validation Services. [https://www.techsoup.org/validation-services/?__hstc=241563805.f8b53c84c499be80aa290dd91d0bb736.1572459597322.1572459597322.1585783970635.2&__hssc=241563805.1.1585783970635&__hsfp=3015930617 Learn more] about how TechSoup works with leading companies to bring offers like this one to the nonprofit sector.

[https://support.google.com/nonprofits/answer/3215869?hl=en&ref_topic=3247288&sjid=5846275294374651668-NA Google for Nonprofits Eligibility Guidelines] (including the countries that your organization must be registered in)

=== Important considerations for making Google Drive more secure ===
For each of these Google file sharing options, you will want to make sure to:
* have all contributors use strong, unique passwords,
* have all contributors use two factor authentication, and
* create some policies around permissions and access levels to certain kinds of information, and policies around how to add and remove people from access.

== Proton (alternative to Google) ==
[https://proton.me/about Proton] was born in Switzerland in 2014 when a team of scientists who met at CERN (the European Organization for Nuclear Research) decided to build a better internet where privacy is the default.

=== Proton Drive ===
''[https://proton.me/drive Proton Drive] is an end-to-end encrypted Swiss vault for your files that protects your data. Proton Drive's strong encryption goes beyond other secure cloud solutions. End-to-end encryption ensures that no one, not even us, can access your files. Files, file names, folder names, and more, are all fully encrypted at rest and in transit to the secure cloud. Proton Drive's end-to-end encryption also works when sharing files and folders. Optional features like password protected files and expiring file sharing links enhance security even further. Best of all, there are no file size limits.''

[https://proton.me/support/drive-web-guide Proton Drive guide]

=== Proton for Business ===
[https://proton.me/business Secure business] email, calendar, VPN, and much more, built on the principle of your data, your rules. Pricing: about 11 USD per month per person.

== Cryptpad Drive (alternative to Google) ==
Flagship instance of [https://cryptpad.fr/ CryptPad], the end-to-end encrypted and open-source collaboration suite. Administered by the CryptPad development team. Encrypted data hosted in France.

== Stackspin (alternative to Google) ==
[https://www.stackspin.net/ Stackspin], built and managed by Greenhost, is an online office suite in which you control your data. It includes everything a small organisation needs to get themselves organised. The Stackspin dashboard is a single place for installing and managing apps, adding and managing users, and customizing your Stackspin instance. The project is aimed at CSOs and individual activists that require online solutions and are weary of the corporate offering (or are keen to move away from them). They want these services hosted on a system that they can rely on, but do not need to maintain.
As of May 2023, the suite includes:

* NextCloud for file sharing
* Only Office for document collaboration
* Zulip for team chat
* Wordpress for website creation
* NextCloud for password management
* Wekan for task management

== Secure hosting companies for human rights defenders ==
See [[Trusted hosting companies in the human rights community]] >>

Protect your accounts using strong passwords, pw managers, 2fa

2024-06-07T14:53:03Z

Kristin1:

<h1>Passwords</h1>

<p><strong>Passwords are your first line of defense</strong> against anyone who would like to hack into these accounts. They are what keep your information safe; they enable you to keep control of your data.</p>

<p>But preventing your accounts from being hacked requires passwords that are long, strong, complex, unique and practical; and you need to have a DIFFERENT long, strong, unique and practical password for each account.</p>

<h2>Why do we need strong passwords?</h2>

<p>The internet stores a lot of data about you. Your credit card information might be tied to your Apple ID or Android Device ID, as well as to your online shopping accounts. Personal photos, including of your family, children, and friends, might be stored on Facebook, on your phone and and on the servers of your cloud storage. Your email and messaging app accounts have all your conversations with partners, friends and family, as well as work-related discussions and other information.</p>

Your passwords need to be strong enough so you can keep control of your accounts. Once an account is hacked, an attacker can:
<ul>
<li>Access all the information in that account</li>
<li>Lock you out of that account</li>
<li>Impersonate you and communicate with, or send phishing emails to, your network</li>
<li>Try to use this account to gain access to other accounts or use it to try to gain access to your financial information</li>
</ul>

A good password is the only thing keeping this information from being accessed. In short, it gives you control over your data.

<p><strong>No need to change your strong passwords once they are in place.</strong> Changing passwords regularly was a common recommendation until a couple of years ago. This is outdated now because if you follow this list of best practices, there is absolutely no need to change your passwords regularly. The reason why changing passwords is no longer recommended is the following: Researchers have found that changing passwords regularly does more harm than good as it encourages people to choose weaker passwords. Better choose a strong and unique password once, instead of regularly changing a weak one to another weak one.</p>

<h2>Resources on creating strong passwords</h2>

<p><strong>[Online course] Totem's course about secure passwords</strong> (free) - Passwords are your first line of defence online, so it’s really important that these are long and unique. But how can you manage this for all your accounts? The course will guide you through setting up KeePassXC, a password manager that makes creating and storing passwords easier and safer. You’ll also look at Two-Factor Authentication (2FA), for added security. You should end the course with a solid password-management strategy that protects your accounts, without taking up too much of your time (or brain-power!).  This course is available in: [https://learn.totem-project.org/courses/course-v1:Totem+TP_SP_001+course/course/ English], [https://learn.totem-project.org/courses/course-v1:Totem+TP_SP_ES+001/about Spanish], [https://learn.totem-project.org/courses/course-v1:Totem+TP_SP_FR_001+cours/about French], [https://learn.totem-project.org/courses/course-v1:Totem+TP_SP_AR+001/about Arabic], [https://learn.totem-project.org/courses/course-v1:Totem+TP_SP_RU+001/about Russian], [https://learn.totem-project.org/courses/course-v1:Totem+TP_SP_FA+001/about Farsi]</p>

<p><strong>[Guide] Creating strong passwords</strong>  [by Electronic Frontier Foundation] - This guide is designed for human rights defenders and is available in [https://ssd.eff.org/en/module/creating-strong-passwords English], [https://ssd.eff.org/es/module/creando-contrase%C3%B1as-seguras Spanish], [https://ssd.eff.org/fr/module/cr%C3%A9er-des-mots-de-passe-robustes French], [https://ssd.eff.org/ar/module/%D9%88%D8%B6%D8%B9-%D9%83%D9%84%D9%85%D8%A7%D8%AA-%D8%B3%D8%B1-%D9%82%D9%88%D9%8A%D8%A9 Arabic], [https://ssd.eff.org/ru/module/%D1%81%D0%BE%D0%B7%D0%B4%D0%B0%D0%BD%D0%B8%D0%B5-%D0%BD%D0%B0%D0%B4%D1%91%D0%B6%D0%BD%D1%8B%D1%85-%D0%BF%D0%B0%D1%80%D0%BE%D0%BB%D0%B5%D0%B9 Russian], and other languages. </p>

<h1>Password managers</h1>

<p> A password manager is a tool that creates and stores passwords for you, so you can use many different passwords on different sites and services without having to memorize them. You only need to remember one master password that allows you to access the encrypted password manager database of all your passwords.</p>

<p><strong>[Video] Animated Overview</strong>: [https://ssd.eff.org/en/module/animated-overview-using-password-managers-stay-safe-online Using Password Managers to Stay Safe Online] (by EFF) - available in many languages</p>

<h2>Password manager: Bitwarden</h2>

<p>[https://bitwarden.com/ Bitwarden] is a free and open-source password management service that stores sensitive information such as website credentials in an encrypted vault. The Bitwarden platform offers a variety of client applications including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. It is a popular password manager option among human rights defenders.</p>

Bitwarden resources:
<ul>
<li>[Videos] [https://vimeo.com/showcase/8692945 Getting Started with Bitwarden](English) </li>
<li>[Guide] How to use Bitwarden to manage passwords on all devices, including phones. Free, open source software.</li>
<li>[Guide] [https://bitwarden.com/help/get-started-individual-user/ Get Started with Bitwarden] (English)</li>
<li>[Slide deck] [https://docs.google.com/presentation/d/e/2PACX-1vRj4oFJeS4hW6RnS3SPctCDAPeEe2XpAq4Iolr9LME3PDG2wKx-hpCNsqhjqz01UmFpTX8IVKObdvNM/embed?start=false&loop=false&delayms=3000&slide=id.gd279e4f08d_1_1062 Bitwarden for Beginners] (English)</li>
<li>[Guide] [https://www.pantallasamigas.net/guia-configuracion-programa-gestor-contrasenas-bitwarden-ciberseguridad/ Install and Configure Bitwarden]</li>
<li>[Video] [https://vimeo.com/539797097 How to send sensitive info (files or text) securely to anyone, using Bitwarden] (English)</li>
<li>[Video] [https://vimeo.com/579574710 How to set up Bitwarden for your internet browser] (English)</li>
<li>[Guide] [https://bitwarden.com/help/getting-started-mobile/ Getting started with Bitwarden mobile] (English)</li>
</ul>

=== How can you trust Bitwarden to protect your passwords? ===
It's natural to feel a bit conflicted about putting all your important passwords in one place, online. It can feel like a vulnerable thing to do! This is a totally valid concerns and is a really good instinct. No company can ever guarantee that your information will be ''protected'' and ''accessible'' in perpetuity. That being said, there are things to keep in mind to mitigate against risks:

# According to their policies, Bitwarden cannot access your data. "[[Source: https://bitwarden.com/help/bitwarden-security-white-paper/|Zero knowledge encryption]]''':''' Bitwarden team members can not see your passwords. Your data remains encrypted end-to-end with your individual email and Master Password. We never store and cannot access your Master Password or your cryptographic keys."
# To further protect your Bitwarden account from hackers trying to break into it, you could use a Yubikey as multifactor authentication, which means that in order to access your account, the person trying to break in will also need to get your Yubikey.
# To mitigate against the risk of Bitwarden losing your information someday, or you losing access to it, you can [https://bitwarden.com/help/export-your-data/ export your data] and keep it in a safe place (such as an encrypted folder on a device or in cloud).<h2>Password manager: KeepassXC</h2>

<p>[https://keepassxc.org/ KeePassXC] is a free and open-source password manager. It started as a community fork of KeePassX. It is built using Qt5 libraries, making it a multi-platform application which can be run on Linux, Windows, and macOS.</p>

KeepassXC resources:
<ul>
<li>[Video] [https://www.youtube-nocookie.com/embed/Dm3Xeo0hIQk Manage your passwords using KeePassXC] (by Justice and Peace Netherlands, English)
</li>[Guide] How to use KeepassXC (by EFF) - available in [https://ssd.eff.org/en/module/how-use-keepassxc English], [https://ssd.eff.org/es/module/c%C3%B3mo-usar-keepassxc Spanish], [https://ssd.eff.org/fr/module/guide-pratique-utiliser-keepassxc French], [https://ssd.eff.org/ar/module/%D9%83%D9%8A%D9%81%D9%8A%D8%A9-%D8%A7%D8%B3%D8%AA%D8%AE%D8%AF%D8%A7%D9%85-%D9%83%D9%8A-%D8%A8%D8%A7%D8%B3-%D8%A7%D9%83%D8%B3 Arabic], [https://ssd.eff.org/ru/module/%D1%80%D1%83%D0%BA%D0%BE%D0%B2%D0%BE%D0%B4%D1%81%D1%82%D0%B2%D0%BE-%D0%BF%D0%BE-keepassxc Russian] and other languages.
</ul>

<h1>Two factor (or multi factor) authentication (2fa or mfa)</h1>
<p>Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherence.(Source: [https://en.wikipedia.org/wiki/Multi-factor_authentication Wikipedia])</p>

<h2>Resources on 2fa</h2>
<ul>
<li>[Video] [https://www.youtube-nocookie.com/embed/0mvCeNsTa1g What is two factor authentication?]</li>
<li>[Guide] How to enable 2fa (by EFF) - available in [https://ssd.eff.org/en/module/how-enable-two-factor-authentication English], [https://ssd.eff.org/es/module/c%C3%B3mo-habilitar-la-autenticaci%C3%B3n-de-dos-factores Spanish], [https://ssd.eff.org/fr/module/guide-pratique-activer-l%E2%80%99authentification-%C3%A0-deux-facteurs French], [https://ssd.eff.org/ar/module/%D8%AF%D9%84%D9%8A%D9%84-%D9%83%D9%8A%D9%81%D9%8A%D8%A9-%D8%AA%D9%81%D8%B9%D9%8A%D9%84-%D8%A7%D9%84%D8%AA%D9%88%D8%AB%D9%8A%D9%82-%D8%A7%D9%84%D8%AB%D9%86%D8%A7%D8%A6%D9%8A-two-factor-authentication Arabic], [https://ssd.eff.org/ar/module/%D8%AF%D9%84%D9%8A%D9%84-%D9%83%D9%8A%D9%81%D9%8A%D8%A9-%D8%AA%D9%81%D8%B9%D9%8A%D9%84-%D8%A7%D9%84%D8%AA%D9%88%D8%AB%D9%8A%D9%82-%D8%A7%D9%84%D8%AB%D9%86%D8%A7%D8%A6%D9%8A-two-factor-authentication Russian] and other languages. </li>
</ul>

<h1>Be aware of spear phishing attacks</h1>

<p>Phishing happens to everyone, but most people only become aware of it once they have become a victim of an attack. Protecting yourself from phishing attacks starts with identifying an email or message as an attack before you click on the link or download the file. But even if you are careful, a phishing attack can still sometimes be successful. Don’t panic. If you have clicked on a phishing link and given an attacker access to your data, you can still reduce the damage - to yourself as well as to your colleagues, friends, and family.</p>

<h2>Resources to avoid spear phishing attacks</h2>
<ul>
<li>[Video] [https://vimeo.com/444354623 Very brief phishing overview] by Renee McLaughlin</li>
<li>[Online course] Totem online course on Phishing Attacks - In this course you will learn about phishing attacks: what they are, what they are used for, how you can identify them, and what you can do if you have been phished. Available in [https://learn.totem-project.org/courses/course-v1:Totem+TP_PM_001+course/about English], [https://learn.totem-project.org/courses/course-v1:Totem+TP_PM_ES+001/about Spanish], [https://learn.totem-project.org/courses/course-v1:Totem+TP_PM_FR001+cours/about French], [https://learn.totem-project.org/courses/course-v1:Totem+TP_PM_RU+001/about Russian], [https://learn.totem-project.org/courses/course-v1:Totem+TP_PM_AR+001/about Arabic], and [https://learn.totem-project.org/courses/course-v1:Totem+TP_PM_FA+001/about Farsi].</li>
<li>[Guide] How to avoid a phishing attack (by EFF) - This guide will help you to identify phishing attacks when you see them and outline some practical ways to help defend against them. Available in [https://ssd.eff.org/en/module/how-avoid-phishing-attacks English], [https://ssd.eff.org/es/module/c%C3%B3mo-evitar-los-ataques-de-phishing-o-suplantaci%C3%B3n-de-identidad Spanish], [https://ssd.eff.org/fr/module/guide-pratique-%C3%A9viter-les-attaques-par-hame%C3%A7onnage French], [https://ssd.eff.org/ar/module/%D8%AF%D9%84%D9%8A%D9%84-%D9%83%D9%8A%D9%81%D9%8A%D8%A9-%D8%AA%D8%AC%D9%86%D8%A8-%D9%87%D8%AC%D9%85%D8%A7%D8%AA-%D8%A7%D9%84%D8%AA%D8%B5%D9%8A%D8%AF-phishing Arabic], [https://ssd.eff.org/ru/module/%D1%80%D1%83%D0%BA%D0%BE%D0%B2%D0%BE%D0%B4%D1%81%D1%82%D0%B2%D0%BE-%D0%BF%D0%BE-%D0%B7%D0%B0%D1%89%D0%B8%D1%82%D0%B5-%D0%BE%D1%82-%D1%84%D0%B8%D1%88%D0%B8%D0%BD%D0%B3%D0%BE%D0%B2%D1%8B%D1%85-%D0%B0%D1%82%D0%B0%D0%BA Russian], and other languages.</li>
<li>[Toolkit] [https://gcatoolkit.org/mission-based-orgs/prevent-phishing-and-malware/ GCA Cyber Toolkit] - The tools included in this toolbox aim to help prevent these types of attacks. Included are: DNS security (DNS, or Domain Name System, is the method by which you are able to navigate the internet) to help prevent you from going to infected websites; anti-virus software to help prevent viruses and other malicious software from getting into your systems; and ad blockers, together with correct filter lists, help prevent malicious activity and access to malicious websites while browsing the Internet.</li>
<li>[Training quiz] [https://phishingquiz.withgoogle.com/ Google Phishing Quiz] - Can you spot when you’re being phished? Identifying phishing can be harder than you think. Phishing is an attempt to trick you into giving up your personal information by pretending to be someone you know. Can you tell what's fake?</li>
<li>[Guide] [https://safecomputing.umich.edu/be-aware/phishing-and-suspicious-email/shortened-url-security#:~:text=There%20are%20a%20number%20of,tinyurl.com. How to reveal full URLs]</li>
</ul>

How to collect and store information in a secure way

2024-06-03T22:45:31Z

Kristin1: /* Use end-to-end encryption for information in motion */

== Principles for protecting information ==

=== Enable (and use) multi-factor authentication on any accounts ===
If you are requiring someone to create an account in order to send you information, make sure that it's possible to protect that account by using multi-factor authentication. Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherent. Without multi-factor authentication, the information is only as protected as the strength of the user's password.

Learn more about two factor authentication here: [[Protect your accounts using strong passwords, pw managers, 2fa]]

=== Use end-to-end encryption for information in motion ===
When protecting information that is "in motion" (being transferred from one person/device to another), It's a good practice to use a tool that provides end-to-end encryption. End-to-end encryption (E2EE) is a type of information transfer or messaging that keeps the information private from everyone, including the messaging service. When E2EE is used, the information being transferred only appears in decrypted form for the person sending the message and the person receiving the message. [https://holistic-security.tacticaltech.org/chapters/explore/2-6-information-in-motion.html Learn more about protecting information in motion].

=== Host sensitive information with a company you trust ===
For things that are extremely sensitive and you don't need to actually need to use it (analyze it) or share it, you can always lock it away in an encrypted folder (using [https://www.veracrypt.fr/code/VeraCrypt/ VeraCrypt]) on any server. But for information that you want to organize, understand, analyze, use and share, you will want it more accessible than having it in an encrypted folder. For these cases, you will want to [[Trusted hosting companies in the human rights community|host your information with a company that you trust]].

== Tools to collect information ==

=== Tella app ===
[https://tella-app.org/ Tella] is a free app that is available for Android devices and will be available for iOS soon. It can be used by anyone who engages in collecting information on injustices. Tella allows users to produce high-quality documentation that can be used for research, advocacy or transitional justice. Tella can be connected to KoboToolbox, Uwazi, or another database platform to store, organize and analyze the information.

=== LimeSurvey ===
[https://www.limesurvey.org/ LimeSurvey] is a simple, quick and anonymous online survey tool. It is open source, allowing people to host LimeSurvey themselves. This self-hosted version is called LimeSurvey Community Edition, and all your data is stored on your or your provider’s server (usually the one where you installed LimeSurvey). You can also work with a [[Trusted hosting companies in the human rights community|web hosting company that you trust]] to host and manage this software for you, such as Greenhost.

=== SecureDrop ===
[https://securedrop.org/ SecureDrop] is an open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources. SecureDrop is available in 22 languages.

=== Globaleaks ===
[https://www.globaleaks.org/ GlobaLeaks] is free, open-source software enabling anyone to easily set up and maintain a secure whistleblowing platform. It is possible to host this software with [https://greenhost.net/products/managed/ Greenhost].

=== OnionShare ===
🧅 [https://onionshare.org OnionShare] is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network.

== Tools to store information ==

=== Uwazi database to store information ===
[https://uwazi.io/ Uwazi] is a web-based tool designed for managing your data in one easy-to-search place. This open-source database application allows you to capture, organise and make sense of a set of facts, observations, testimonies, research, documents and more. You can work with a [[Trusted hosting companies in the human rights community|web hosting company that you trust]] to host and manage this software for you, such as Greenhost.

=== NextCloud ===
[https://nextcloud.com/about/ Nextcloud] Hub is the industry-leading, fully open-source, on-premises content collaboration platform. Teams access, share and edit their documents, chat and participate in video calls and manage their mail and calendar and projects across mobile, desktop and web interfaces. It is hosted and managed by [[Trusted hosting companies in the human rights community|Greenhost and other web hosting companies]].

== Ways to collect and store information ==

=== Tella to collect and Uwazi to store information ===
Organisations who already use Uwazi to store their information, can connect Tella to one or more of their databases to upload data. Using Tella for the information collection enables users who work offline to collect data, add it to the submission forms, save it and upload the information when it is convenient. In addition to the protection and encryption features, working in offline mode is a huge benefit for those who collect information in risky environments and areas with limited or no connectivity. [https://huridocs.org/2022/07/the-new-tella-app-lets-uwazi-users-document-violations-safely-and-while-offline/ More information]on the HURIDOCS website.

== Other tools ==
For more tools used for documenting human rights violations, see [[Tools for securely documenting human rights violations]]

To learn more about '''how to use Google Drive safely and alternatives to Google Drive''', see [[Ways to securely store and share files]]