Above: Joseph Meehan (left) receives a certificate of completion for the IWP internship program from internship coordinator Adam Smith (right).
Below is a reflection by Joseph Meehan, who interned at IWP in the summer of 2018. His internship involved working with IWP's Cyber Intelligence Initiative (Ci2) and participating in a course on cyber strategy development offered by Ci2.
This past summer, I took a course on cyber strategy development with Joe Billingsley at IWP. The final project for this class was designing a cyber strategy for an organization of my choice, for which I chose my old Boy Scout troop.
To construct this strategy, I started by calling the troop committee chair to identify the current leadership and get contact info for the troop webmaster mentor, the equivalent of a CIO in a corporate hierarchy. In my conversation with the webmaster mentor, we identified what services the troop currently used and how they were managed. After establishing a list of known services, I then pursued two lines of inquiry -- first, were there any services that had been forgotten, and second, how secure are the services that are being used?
This audit process led to a few discoveries. First, antiquated social media accounts on Facebook and Twitter were identified for either recapture or deactivation and deletion. Second, niche but critical services like TroopMaster were investigated via direct calls and questioning. Somewhat to my surprise, TroopMaster's security exceeded expectations and standards, using important security practices like password salting and the extensive use of backups. Other services with sensitive data were large enough that it was difficult to get answers on details, thus relying on the basic hope that large vendors have done the risk analysis to realize the importance of securing their data. Given the numerous large data breaches, this hope is probably unfounded, but unfortunately the limitations of a small, local nonprofit mean that a full investigation of service providers simply isn't feasible.
Once the information was assembled, a strategy was devised to accommodate the competing needs. While specific, tactical suggestions were made for specific services, the primary recommendation of the strategy is the implementation of a password manager to diversify passwords and increase resiliency to brute force attacks. Password reuse was identified as the primary risk for the troop -- if one service proved to be insecure and had username/password combinations compromised, an attacker could try those combinations on other services.
With the strategy completed, identifying a time and place to present my recommendations proved to be more complicated than expected, but eventually a meeting was arranged with the relevant stakeholders in the troop leadership. The presentation was less than smooth -- each of the leaders had their own particular opinions developed by their technical backgrounds on the issue, and inter-leadership politics led to an extended argument between the viewers in the middle of the presentation. The presentation-turned-discussion eventually resolved once the dissenting leaders had been persuaded that the proposed strategy had the best solutions for the relevant issues. The primary takeaway from this is to be ready for fundamental and serious questioning of any part of a strategy and be ready to defend it -- if any piece has not been tempered by considered thought, it is a potential risk to losing any possibility of progress or development.
For a small organization, developing a "cyber strategy" may seem like overkill compared to the myriad tactical concerns that organization faces. However, as the use of technology proliferates, all organizations must confront the realities of managing their IT resources. Forgotten resources can prove to be major threat vectors, as any compromises of remaining data will go completely unnoticed. The other lesson is that if an organization heavily relies on a single, particular resource from a vendor, it is worth investigating how that data is secured -- while TroopMaster proved to be well secured, small vendors may have not yet invested in properly securing their data. For Boy Scouts, there isn't an equivalent organizing tool to TroopMaster, and the data in TroopMaster is mission critical, creating a need to follow through and audit the security. Similar mission critical but small vendors should be identified and individually examined for vulnerabilities.
In sum, developing the cyber strategy for a small organization proved to be an educational experience both on a technical and a personal level. Even for a process that had numerous advantages in the forms of available resources and technical familiarity with leadership, both coming from many of the adults working at tech companies that provide generous funding along with nonprofit work, still ran into issues with managing personalities and the regular work of a technical audit. Still, the risks of data breaches necessitate this process, even if it is difficult, and remain the primary reason organizations must establish a cyber strategy.