Credits | Last Updated 2017-06
Identifying good practices to keep our computers safe.
This session was developed for, and should be attributed to, the Institute for War & Peace Reporting resource “Cyberwomen: Holistic Digital Security Training Curriculum for Women Human Rights Defenders” under a Creative Commons Attribution-Share Alike 4.0 International (CC BY-SA 4.0) License.
It is strongly recommended that you do a live demonstration, using a projector connected to your laptop, of any tools you choose to cover in this session, so that participants can follow along and practice on their own computers using “dummy” files created for the purposes of the session (not actually important data or files!).
Step 1 | Ask participants how much they value their computers - How useful or essential are they to their personal and work lives? How much information do they store on their computers?
Step 2 | Now ask them - How much time do they spend on maintenance of their equipment? The gap between how much people tend to value their devices and the amount of time they spend on maintenance and care is often quite wide. Explain to the group that this session will focus on basic practices for protecting devices.
Step 3 | Mention to the group that many practices related to device safety are in fact more related to physical security than digital security (this is a good way to reinforce the holistic focus of this curriculum). A good example of this is the importance of cleaning devices – to get rid of dirt or residue that might get inside – and to conduct regular physical inspections of equipment to identify any alterations or physical intrusion attempts. In that regard, you can recommend basic digital practices – like using a password to lock a device if they won’t be in its immediate vicinity while it is switched on – as well as physical protections, such as using a keyboard protector or an anti-theft cable chain to prevent unwanted access or theft.
Make sure to note here the most critical aspect of their devices’ physical safety: awareness. Being aware of where a device is at any given moment – whether on their person, in the other room, or secured in another location – is essential!
Step 4 | Ask each participant to recall the details of their workplace - Which physical risks are present? Is their computer exposed to being stolen? Are there any misplaced cables? Is it possible that their computer might be exposed to extreme heat, cold or moisture? These are other important awareness points – physical awareness isn’t just about making sure an adversary doesn’t get ahold of their device(s), but also about the potential damage that a device’s immediate environment might present.
Step 5 | Explain to participants the risks of using pirated software (high likelihood of downloading malware, can’t regularly update in the same way as with licensed software, etc.); however, licensed software is also frequently quite expensive. Here, you can share a few resources with the group that will be helpful to address this:
Osalt | http://www.osalt.com
Open a browser and navigate to Osalt – this is a website that presents free and open source alternatives to many major licensed software platforms and suites (for example, using Ubuntu instead of Windows; LibreOffice instead of Microsoft Word; Inkscape instead of Adobe Illustrator).
TechSoup | http://www.techsoupglobal.org/network
Via TechSoup, human rights activists and their organizations may be eligible to receive free, or heavily discounted, versions of commercial software: users may look for official distributors among local ICT service providers and request a non-profit or public sector license discount. A large distribution network for donated software is run by TechSoup - the link above contains a list of partners and the countries in which they operate.
Step 6 | Explain to participants the importance of keeping all their software updated - first and foremost, it protects against security vulnerabilities. All software and updates should only be downloaded from trusted sources; for example, when updating Adobe Acrobat Reader, one should only use updates downloaded directly from Adobe, not third-party websites.
Step 7 | Next, explain to participants the importance of having an antivirus program on their computers - provide some background that can help demystify some of the common myths related to antivirus, such as:
Step 8 | Share these, along with any others that participants share with you – then, discuss some basic safe practices for using antivirus software and protecting against malware (see Input session “Malware and Other Malicious Software”). Some useful ones to highlight here, in case you haven’t already covered them in the Malware & Viruses session in this module, are:
Step 9 | Ask participants - How often do they back up their files? Share examples of best practices related to data backup, such as keeping the backup in a safe place that is separate from their computer, backing up their information on a frequent, regular basis and - depending on the information that is being backed up - also encrypting the hard drive or storage media where the data will be stored.
Step 10 | Share with participants the backup format template below, and have them start filling it in individually. Explain to the group that this is a useful way of creating a personal data backup policy – they can refer to this after the training, as a useful resource for keeping track of where their data is stored and how often that data should be backed up.
Step 11 | Explain next that, although there are backup automation tools available such as Duplicati or Cobian, participants may find it easier to start doing their backups by manually dragging and dropping files to the backup storage media. This ultimately depends on the complexity or amount of data they have to manage – for the average user however, manual backups should be more than sufficient.
Step 12 | To follow up on secure data backups, briefly revisit the concept of encryption for storage media. Explain to participants what it means to encrypt their hard drives or storage media, and why doing so can be useful. VeraCrypt is a relatively popular utility for implementing file or disk encryption, and could be mentioned here as an option for participants to explore. On Linux there is the Duplicity application for performing automatic and encrypted backups.
Step 13 | Read aloud the following statement:
From a purely technical perspective, there is no such thing as a delete function on your computer.
Ask the group what they think about this – Does this statement make sense? How can it be that there is no such thing as a ‘Delete’ function? Remind the participants that they can drag a file to the Recycle Bin on their computer desktop, and then empty the bin, but all this does is clear the icon, remove the file’s name from a hidden index of everything on their computer, and then tell their operating system that the space can be used for something else.
Step 14 | Ask the group - What do you think happens to the data that is ‘deleted’? Until the operating system uses that newly free space, it will remain occupied by the contents of the deleted information, much like a filing cabinet that has had all its labels removed but still contains the original files.
Step 15 | Now explain that because of how a computer manages this storage space for data, if they have the right software and act quickly enough, they can restore information deleted by accident; likewise, there are also tools available that can be used to permanently delete files (not just remove them from the file index until the space is occupied). Take this opportunity to present Eraser and/or Bleachbit as tools that can be used to delete files and Recuva as an option to recover deleted files.
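The behaviour described in Steps 13 to 15, as an added example that is not part of the original curriculum: a toy Python model of a disk, in which the class, the file names and the file contents are all constructed for illustration. It shows that an ordinary delete leaves the data findable until the space is reused, and that a wipe overwrites the data before removing it from the index.

```python
"""Toy model of a disk: a name index plus raw blocks (constructed, not a real filesystem)."""

BLOCK = 16  # bytes per block in this toy disk


class ToyDisk:
    def __init__(self, blocks=8):
        self.raw = bytearray(BLOCK * blocks)   # the storage surface itself
        self.index = {}                        # file name -> (block number, length)
        self.free = list(range(blocks))        # blocks the OS may hand out

    def write(self, name, data):
        if len(data) > BLOCK:
            raise ValueError("toy model: one block per file")
        blk = self.free.pop(0)
        self.raw[blk * BLOCK:(blk + 1) * BLOCK] = data.ljust(BLOCK, b"\0")
        self.index[name] = (blk, len(data))

    def delete(self, name):
        """Ordinary delete: drop the index entry and mark the block reusable."""
        blk, _ = self.index.pop(name)
        self.free.insert(0, blk)               # the contents are left untouched

    def wipe(self, name):
        """Secure delete: overwrite the block first, then do the ordinary delete."""
        blk, _ = self.index[name]
        self.raw[blk * BLOCK:(blk + 1) * BLOCK] = bytes(BLOCK)
        self.delete(name)

    def scan(self, needle):
        """What a recovery tool does: ignore the index and search the raw blocks."""
        return needle in bytes(self.raw)


def demo():
    disk = ToyDisk()
    disk.write("contacts.txt", b"Ana 555-0100")
    disk.write("notes.txt", b"meeting friday")
    disk.delete("contacts.txt")
    after_delete = disk.scan(b"Ana 555-0100")       # label gone, data still there
    disk.write("photo.jpg", b"JPEGDATAJPEGDATA")    # reuses the freed block
    after_reuse = disk.scan(b"Ana 555-0100")        # replaced by the new file
    disk.wipe("notes.txt")
    after_wipe = disk.scan(b"meeting friday")       # replaced by zeros
    return after_delete, after_reuse, after_wipe


if __name__ == "__main__":
    print(demo())
```

On SSDs and USB flash drives, wear levelling can keep old copies of data in places an overwriting tool does not reach, which is one more reason to encrypt the storage media as discussed in Step 12.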