Security Hygiene – Hosting my First CryptoParty

Turns out I am not alone in wanting to evaluate my online presence and update my security priorities. Partly to update my own security checkup, I wanted to update security know-how here.

I got involved with an awesome Chicago-based group, the Lucy Parsons Labs this year. One thing that attracted me to the group was their outreach – they not only do work on behalf of others, but they also offer security training for journalists and activists. This week I got a chance to get involved and I led my first digital security training.

Ain’t No Party Like a CryptoParty

Monday was the November CryptoParty, hosted by moi. Like past Chicago CryptoParties, the point is to get all types of people together to talk about digital privacy and what’s important to each person. Some folks wanted to create stronger passwords, others wanted to divest from Google’s tracking tentacles.

I started by doing lots of research. There are great guides to hosting CryptoParties, trainings, and resources for speakers and the general public. Once I got a grasp of what range of topics we might cover, I knew I wanted to start with a short presentation on “threat modeling” and then open it up to questions and discussions for everyone.

https://www.cryptoparty.in/

The EFF has new and awesome Surveillance Self-Defense guides and printouts, plus “playlists” for different threat models. I built my slides from there, with a quick intro to threat modeling (aka risk assessment since it sounds less militant and terrifying). I like the analogy of cold and flu season – the best thing to do is prevent getting sick and the easiest way to avoid colds is just washing your hands!

So what is security “hand washing”? My favorite part of the threat model concept is that it depends. It depends on what information you have (assets), who you’re protecting it from (adversaries), and how comfortable you are with losing data (threat). If something happens (risk), how terrible is it? It depends on who you are and what you’re doing.

Here are my slides.

Part 2 was more tips & tricks, mostly based on Martin Shelton’s post “Securing your Digital Life Like a Normal Person.” Applying the “it depends” model to the tips and tricks was a nice segue into discussions. We covered encryption, VPNs, and 2FA.

Here’s a partial list of topics, tips and tools:

Next Up

I was excited, humbled, and energized to get to participate in this CryptoParty. I was impressed by how many folks knew about the “advanced” stuff I mentioned, like VPNs and Tor Browsers. I think next time we should jump into deep-dive topics like encryption, how VPNs work, and more. I’m ready, are you in?

Sound cool? Want to get involved with another CryptoParty or digital training? Have more in-depth questions for any of us at Lucy Parsons Labs? Email us at infoATlucyparsonslabs.com


Featured in Digital Guardian: Cloud Computing Security Benefits – Infosec Pros Reveal the Top Benefits of Cloud

CLOUD COMPUTING SECURITY BENEFITS: INFOSEC PROS REVEAL THE TOP BENEFITS OF THE CLOUD

“Cloud computing has obvious cost benefits…”

Especially for startups and businesses looking to move away from owning and running data centers. Cloud providers have more capacity, speed, and locations. Shifting your information security practice to fit cloud is a process, but there are upsides. Cloud providers offer Service Level Agreements (SLAs) for their services, including: specifics on security, privacy, access to data, and data portability. Offloading IaaS-layer requirements onto a provider will ease the burden on your teams as long as the SLAs meet internal security standards.

Margaret Valtierra featured in Digital Guardian

Cloud providers can also help InfoSec teams meet compliance requirements, since most IaaS offerings meet ISO, PCI, and other well-known standards. Before cloud, we had to maintain and secure our own servers and physical security. Now, Amazon, Azure, and Google run world-class data centers for us. 70% of organizations use at least one application in the cloud. Those applications – everything from CRM to mobile apps – put critical business data beyond the reach of traditional security. Security teams can now use cloud technologies to prevent data breaches and vulnerabilities by enforcing strong virtual networks and flexible data policies for each application.

Another big benefit of the cloud is the ability to build security on top of standard offerings. A virtual private network (VPN) allows security teams to create a secure network on top of a cloud provider’s physical network. As teams install and launch applications, security teams can directly control network traffic with point-to-point connectivity. Network security settings like firewall rules, user access, and internet port filters can be sized, scaled, and tailored to each cloud application.


Read the full article here.

Margaret Valtierra is the Technical Marketing Specialist at Cohesive Networks, where she creates technical documentation, guides, and video demos. Margaret has a BSM from Tulane University and is an AWS Certified Solutions Architect and Cloud Security Alliance (CSA) CCSK.