
A Strong Foundation: Securing Accounts and Devices

Secure Devices

In addition to accounts, it is essential to keep all devices – computers, phones, USBs, external hard drives, etc. – well protected. Such protection starts with being careful about what type of devices your parliament and staff purchase and use. Any vendors or manufacturers that you select should have a demonstrated track record of adhering to global standards regarding the secure development of hardware devices (like phones and computers). Any devices you procure should be manufactured by trusted companies that do not have an incentive to hand over data and information to a potential adversary. It is important to note that the Chinese government requires Chinese companies to provide data to the central government. Therefore, despite the ubiquitous and inexpensive presence of smartphones like Huawei or ZTE, they should be avoided. Although the cost of cheap hardware can be very attractive, the potential security risks for parliaments should steer you towards other device and equipment options.

Your adversaries can compromise the security of your devices - and everything you do from those devices - by either gaining physical access or “remote” access to your device.

Device Security and Parliaments


Some of the world’s most advanced malware has been developed and deployed across the globe to target MPs, other government officials, and their staff. In India, for example, a consortium of journalists revealed that multiple MPs and government ministers were targeted by the Pegasus spyware, a type of malicious software that captured headlines in 2020. Pegasus is infamous for its ability to infect mobile devices and give the perpetrator the ability to record audio, intercept keystrokes and messages, and in effect put the victim under full surveillance, without requiring the victim’s interaction. However, the vast majority of spyware succeeds due to poor device security practices, such as an inattention to phishing or lack of enforcement of the policies mentioned throughout this section of the Handbook.

Physical device access through loss or theft

To prevent physical compromise, it is essential to keep your devices physically secure. In short, do not make it easy for an adversary to steal or even temporarily take your device from you. Keep devices locked away if left at home or in an office. Or if you think it is safer, keep them on your person. This of course means that part of device security is the physical security of your workspaces (whether in an office setting or at home). You will need to install strong locks, security cameras, or other monitoring systems. Remind staff to treat devices the same way they would treat a large stack of cash - do not leave them lying around unattended or unprotected.

What if a device is stolen?

To limit the impact if someone does manage to steal a device – or even if they just gain access to it for a short period of time – be sure to mandate the use of strong passwords or passcodes on everyone’s computers and phones. The same password tips from the Passwords section of this Handbook apply to a good password for a computer or laptop. When it comes to locking your phone, use codes that are at least six to eight digits, and avoid using “swipe patterns” to unlock the screen. For additional tips on screen locks, check out Tactical Tech’s Data Detox Kit. Using good device passwords makes it much harder for an adversary to quickly access information on your device in the case of theft or confiscation.

Be sure any devices issued by parliament are also enrolled in a mobile device or endpoint management system. While not inexpensive, these systems allow your parliament to enforce security policies across all devices, and to locate a device and wipe its potentially sensitive contents should it be stolen, lost, or confiscated. While many different solutions for mobile device management exist, a few trusted options that work across platforms (iPhones, Android, Mac, and Windows) include Hexnode, Cisco’s Meraki Systems Manager, IBM’s MDM, and the Google Workspace built-in Mobile Device Management feature. If cost is a limiting factor, at the very least encourage members and staff to use built-in "Find my Device" features on their parliamentary-issued and personal smartphones, such as iPhone’s Find My iPhone and Android’s Find My Device.

What about device encryption?

It is important to use encryption, scrambling data so that it is unreadable and unusable, on all devices, especially computers and smartphones. You should set up all devices across parliament with something called full-disk encryption if possible. Full-disk encryption means that the entirety of a device is encrypted so that an adversary, if they were to physically steal it, would be unable to extract a device’s contents without knowing the password or key you used to encrypt it.

Many modern smartphones and computers offer full-disk encryption. Apple devices like iPhones and iPads, quite conveniently, turn on full-disk encryption when you set a normal device passcode. Apple computers using macOS provide a feature called FileVault that you can turn on for full-disk encryption.

Windows computers running Pro, Enterprise, or Education licenses offer a feature called BitLocker that you can turn on for full-disk encryption. You can turn on BitLocker by following these instructions from Microsoft, although your organization’s administrator may first have to enable it. If staff only have a Home license for their Windows computers, BitLocker is not available. However, they can still turn on full-disk encryption by going to ‘Update & Security’ > ‘Device encryption’ under the Windows OS settings.

Android devices, as of version 9.0 and later, ship with file-based encryption turned on by default. Android’s file-based encryption operates differently from full-disk encryption but still provides strong security. If you are using a relatively new Android phone and have set a passcode, file-based encryption should be enabled. However, it is a good idea to check your settings just to make sure, especially if your phone is more than a couple of years old. To check, go to Settings > Security on your Android device. Within the security settings you should see a subsection for “encryption” or “encryption and credentials”, which will indicate if your phone is encrypted and, if not, allow you to turn encryption on.

For computers (whether Windows or Mac), it is particularly important to store any encryption keys (referred to as recovery keys) in a safe place. These “recovery keys” are, in most cases, essentially long passwords or passphrases. In case you forget your normal device password or something unexpected happens (such as device failure), recovery keys are the only way to recover your encrypted data and, if necessary, move it to a new device. Therefore, when turning on full-disk encryption, be sure to save these keys or passwords in a safe place, like a secured cloud account or your parliament’s password manager.
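For IT staff who need to confirm the encryption settings described above across many computers, the following added example (not part of the Handbook) classifies devices from the text printed by macOS's `fdesetup status` and Windows's `manage-bde -status`. The hostnames and sample outputs are constructed, and English-language command output is assumed.

```python
import re

# Constructed sample outputs for illustration (hostnames are hypothetical).
SAMPLES = {
    "mac-clerk-01": ("macos", "FileVault is On.\n"),
    "mac-member-07": ("macos", "FileVault is Off.\n"),
    "win-staff-12": ("windows",
        "Volume C: [OS]\n"
        "    Conversion Status:    Fully Encrypted\n"
        "    Protection Status:    Protection On\n"),
    "win-staff-19": ("windows",  # encrypted, but BitLocker suspended
        "Volume C: [OS]\n"
        "    Conversion Status:    Fully Encrypted\n"
        "    Protection Status:    Protection Off\n"),
}

def _field(text, name):
    """Return the value of a 'Name: value' line, or None if absent."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def classify(platform, output):
    """Return 'encrypted', 'at-risk' or 'unknown' for one device."""
    if platform == "macos":
        m = re.search(r"^FileVault is (On|Off)\.", output, re.MULTILINE)
        if not m:
            return "unknown"
        return "encrypted" if m.group(1) == "On" else "at-risk"
    if platform == "windows":
        conv = _field(output, "Conversion Status")
        prot = _field(output, "Protection Status")
        if conv is None or prot is None:
            return "unknown"  # truncated or non-English output: check by hand
        # "Protection Off" on a fully encrypted volume means BitLocker is
        # suspended and the key is stored unprotected, so it counts as at-risk.
        ok = conv == "Fully Encrypted" and prot == "Protection On"
        return "encrypted" if ok else "at-risk"
    return "unknown"

def audit(samples):
    """Map each hostname to its encryption state."""
    return {host: classify(p, out) for host, (p, out) in samples.items()}

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLES).items()):
        print(f"{host:15} {state}")
```

Devices reported as "unknown" should be checked by hand rather than assumed to be encrypted.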

Remote device access – also known as hacking

In addition to keeping devices physically secure, it is important to keep them free from malware. Tactical Tech’s Security-in-a-Box gives a helpful description of what malware is and why it is important to avoid, which is adapted slightly in the rest of this section.

Understanding and avoiding malware 

There are many ways to classify malware (which is a term meaning malicious software). Viruses, spyware, worms, trojans, rootkits, ransomware and cryptojackers are all types of malware. Some types of malware spread over the internet through email, text messages, malicious web pages, and other means. Some spread through devices like USB memory sticks that are used to exchange and steal data. And, while some malware requires an unsuspecting target to make a mistake, others can silently infect vulnerable systems without you doing anything wrong at all. 

In addition to general malware, which is released widely and aimed at the general public, targeted malware is typically used to interfere with or spy on a particular individual, organization, or network. Regular criminals use these techniques, but so do military and intelligence services, terrorists, online harassers, abusive spouses, and shady political actors.

Whatever it is called and however it is distributed, malware can ruin computers, steal and destroy data, disrupt parliamentary operations, invade privacy, and put users at risk. In short, malware is really dangerous. However, there are some simple steps that your parliament can take to protect itself against this common threat.

Will an anti-malware tool protect us?

Anti-malware tools are unfortunately not a complete solution. However, it is a very good idea to use some basic, free tools as a baseline. Malware changes so quickly, and new risks appear in the real world so frequently, that no such tool can be your only defense.

If you are using Windows, you should have a look at the built-in Windows Defender. Macs and Linux computers do not come with built-in anti-malware software, nor do Android and iOS devices. You can install a reputable, free-to-use tool like Bitdefender or Malwarebytes for those devices (and Windows computers as well). But do not rely on such a tool as your only line of defense, as it will certainly miss some of the most targeted, dangerous new attacks.

Additionally, be very careful to only download reputable anti-malware or anti-virus tools from legitimate sources (such as the websites linked above). Unfortunately, many fake or compromised versions of anti-malware tools exist that do much more harm than good.

To the extent that you do use Bitdefender or another anti-malware tool across your parliament, be sure not to run two of them at the same time. Many of them will identify the behavior of another anti-malware program as suspicious and stop it from running, leaving both malfunctioning. Bitdefender or other reputable anti-malware programs can be updated for free, and the built-in Windows Defender receives updates along with your computer. Ensure that your anti-malware software updates itself regularly. (Some trial versions of commercial software that ship with a computer will be disabled after the trial period expires, leaving it more dangerous than helpful.) New malware is written and distributed every day, and your computer will quickly become even more vulnerable if you do not keep up with new malware definitions and anti-malware techniques. If possible, you should configure your software to install updates automatically. If your anti-malware tool has an optional "always on" feature, you should enable it, and consider occasionally scanning all of the files on your computer.

Keep devices up-to-date

Updates are essential. Use the latest version of whatever operating system runs on a device (Windows, Mac, Android, iOS, etc.), and keep that operating system up to date. Keep other software, browsers, and any browser plugins up to date as well. Install updates as soon as they become available, ideally by turning on automatic updates. The more up to date a device’s operating system, the fewer vulnerabilities you have. Think of updates kind of like putting a band-aid on an open cut: it seals up a vulnerability and greatly reduces the chance that you will get infected. Also uninstall software that you no longer use. Outdated software often has security issues, and you may have installed a tool that is no longer being updated by the developer, leaving it more vulnerable to hackers.

Malware in the Real World: Updates are Essential


In 2017, the WannaCry ransomware attacks infected millions of devices around the world, shutting down hospitals, government entities, large and small organizations and businesses in dozens of countries. Why was the attack so effective? Because of out-of-date, “unpatched” Windows operating systems, many of which were initially pirated. Much of the damage – human and financial – could have been avoided with better automated updating practices and the use of legitimate operating systems.

Be careful about USBs

Be cautious when opening files that are sent to you as attachments, through download links, or by any other means. Also think twice before inserting removable media like USB sticks, flash memory cards, DVDs and CDs into your computer, as they can be a vector for malware. USBs that have been shared for a while are very likely to have viruses on them. For alternative options to share files securely across your parliament, take a look at the File Sharing section of the Handbook.

Be cautious as well about what other devices you connect to through Bluetooth. It is fine to sync up your phone or computer to a known and trusted Bluetooth speaker to play your favorite music, but be careful about linking to or accepting requests from any devices that you do not recognize. Only allow connections to trusted devices and remember to turn off Bluetooth when it is not in use.

Be smart while browsing

Never accept and run applications that come from websites you do not know and trust. Rather than accepting an "update" offered in a pop-up browser window, for example, check for updates on the relevant application's official website. As discussed in the Phishing section of the Handbook, it is essential to stay alert when browsing websites. Check the destination of a link (by hovering over it) before you click, and glance at the website address after you follow a link and make sure it looks appropriate before entering sensitive information like your password. Do not click through error messages or warnings, and watch for browser windows that appear automatically and read them carefully instead of just clicking Yes or OK. 

What about smartphones?

As with computers, keep your phone’s operating system and applications up to date, and turn on automatic updates. Install only from official or trusted sources like Google's Play Store and Apple's App Store (or F-droid, a free, open-source app store for Android). Apps can have malware inserted into them and still appear to work normally, so you will not always know if one is malicious. Be sure that you are downloading the legitimate version of an app as well. Especially on Android, “fake” versions of popular applications exist. So be sure an app is created by the proper company or developer, has good reviews, and has the expected number of downloads (for example, a fake version of WhatsApp might only have a few thousand downloads, but the real version has over five billion). Pay attention to the permissions that your apps request. If they seem excessive (like a calculator requiring access to your camera or Angry Birds asking for access to your location, for example), deny the request or uninstall the app. Uninstalling apps that you no longer use can also help protect your smartphone or tablet. Developers sometimes sell ownership of their apps to other people. These new owners may try to make money by adding malicious code.

Malware in the Real World: Malicious Mobile Apps


Hackers in multiple countries have been using fake applications in the Google Play store to distribute malware for years. One particular case targeted at users in Vietnam came to light in April 2020. This spying campaign used fake applications, which supposedly helped users find nearby pubs or look up information about local churches. Once installed by unwitting Android users, the malicious applications collected call logs, location data, and information about contacts and text messages. This is just one of many reasons to be careful about what apps you download to your devices.

Keeping Devices Secure

  • Train members and staff on the risks of malware and the best practices to avoid it.
    • Provide policies about connecting external devices, clicking on links, downloading files and apps, and checking software and app permissions.
  • Mandate that devices, software, and applications are kept fully updated.
    • Turn on automatic updates where possible.
  • Enroll all parliamentary devices in a mobile device or endpoint management system.
  • Ensure all devices are using licensed software.
  • Require password protection of all parliamentary devices, including personal mobile devices which are used for parliament-related communications.
  • Enable full-disk encryption on devices.
  • Frequently remind members and staff to keep their devices physically secure - and manage your office security with appropriate locks and ways to secure computers.
  • Do not share files using USBs or plug USBs into your computers.
    • Use alternative secure file sharing options instead.