The Lawyers’ Committee For Human Rights (YUCOM) organized an online training, “Digital Security of Human Rights Activists”, on April 18, 2022. While cyber-attacks are on the rise, many CSOs have unprotected data and insufficient cyber security protocols, making them vulnerable to data loss. To fight this, organizations must prioritize enacting digital security best practices. The training provided human rights activists with comprehensive knowledge of digital information security concepts and an understanding of their application, as well as practical skills for dealing with threats posed to organizations and the approaches needed to mitigate such risks.
The online training was divided into four sessions dedicated to key topics related to digital security of local activists.

Surveillance architecture
Session led by: Filip Milošević
The first session was an introduction to the most important aspects of digital communication affecting the privacy and security of any internet user, but particularly socially and politically proactive citizens such as human rights activists. As an ice-breaker, participants discussed their subjective sense of their digital hygiene and briefly described their experience with privacy and security issues online. During the presentation, they learned about the most important risks regarding their work, what makes the internet an ‘invisible’ infrastructure, how their digital footprint is created, where their personal data travels and where it is retained, identified and analyzed, and who has access to it. Along the way, terms like metadata, IP address, ISPs, IXPs, artificial intelligence and algorithms were demystified. Finally, they were introduced to the architecture of digital and biometric surveillance in Serbia.
Most common technical attacks
Session led by: Bojan Perkov
This session covered the most common types of technical attacks, particularly in the context of targeting public interest actors, such as human rights defenders, civil society and journalists. The attacks covered at the training were website “flooding” (Distributed Denial of Service – DDoS), phishing as a form of social engineering, ransomware and advanced mobile device espionage with spyware such as Pegasus. The participants were given the opportunity to learn more about the most important issues when it comes to these attacks, as well as examples of mitigation and protection measures.
Practical advice and tools
Session led by: Ninoslava Bogdanović
This session covered practical digital security recommendations and measures for the civil sector, and had three sections. In the first part, the Cybersecurity Toolkit was presented as a practical tool where organizations can find solutions for their digital security dilemmas or learn more about organizational security and how to stay secure in a digital environment. The next part was about implementing recommendations from the Toolkit on an organizational level. The main preventive digital security measures were explained, along with how those measures can become part of everyday work by creating security policies. Three security policies were mentioned: 1. Password policy, 2. Policy for the use of email and accompanying accounts and 3. Security plan. The third section was about SHARE CERT and recommendations on security incidents and what organizations should do when cyber incidents occur. In this part, reactive security measures were explained, with a focus on SHARE CERT as one of the actors that could help organizations in case of emergency.

Protection measures
Session led by: Mila Bajić
This session covered digital security protection measures from a personal perspective. The participants were provided with advice on how to keep and use their passwords securely with password manager applications, such as KeePass or Bitwarden. The importance of protecting online accounts with multi-factor authentication was also explained, together with ways to set it up for various services. Lastly, the participants received additional advice on how to keep their organizational email, social media and other accounts secure.