Concilium | Concilium is a 501(c)3 faith-based organization dedicated to helping Christian international workers, humanitarians, and other Gospel workers build stewardship and resilience into Great Commission obedience. Concilium provides ministry resources in security training, open-source analysis, member care, humanitarian relief & crisis response. Concilium uses each service to equip, train, and empower Christian workers from around the world, empowering both the voice and presence of the Gospel to enter and remain in difficult-to-reach areas. Organizations can connect with the Concilium Respond team to assess their current security and risk vulnerability. Based on this assessment, Concilium teams can help meet your security needs via security trainings with the Concilium Secure team, intelligence reports from the Concilium Insight team, and member care resources and trainings with the Concilium Care team. Website: https://concilium.us/ Reliant uses Concilium to assist in our international crisis management planning and training, as well as receiving recommendations during crisis incidents. |
---|---|
Overseas Security Advisory Council (OSAC) | OSAC is a partnership between the U.S. Department of State and the private-sector security community that supports the safe operations of U.S. organizations overseas through threat alerts, analysis, and peer network groups. The OSAC Program Office is headquartered in Washington, DC and is overseen by a 34-member public-private Council. OSAC membership includes 5,400+ member organizations and 18,000+ individual members from corporate, non-profit, academic, and faith-based groups of every size, all with overseas operations and personnel who are exposed to ever-evolving security issues. The OSAC community collaborates in regional- and sector-specific committees to keep members informed, connected, and better equipped to manage complex security challenges around the world. Organizational membership in OSAC is free and is highly recommended for any organization operating abroad. Reliant can add specific field team member users to the Reliant OSAC account. The team member can register for a specific location to receive tailored email updates for that location. There is an OSAC analyst on call for each country of the world who is available to assist constituents with any security or crisis-related issues. The annual crime and safety reports released by OSAC provide an excellent baseline for evaluating the ever-changing threat landscape in your various locations. These can easily be used to brief mobilizing staff members on the conditions. Website: https://www.osac.gov/ There is also an app available for download to receive updates on your phone. |
The Smart Traveler Enrollment Program (STEP) | The State Department's Office of American Citizens Services and Crisis Management (ACS) administers the Smart Traveler Enrollment Program. The Smart Traveler Enrollment Program (STEP) is a free service that allows U.S. citizens and nationals traveling and living abroad to enroll with the nearest U.S. Embassy or Consulate. STEP is used to inform the public of conditions abroad within a specific country that may affect safety and security, to assist you in making informed decisions using travel alerts and warnings. It will also help the U.S. Embassy contact you in an emergency (whether natural disaster, civil unrest, family emergency, etc.). They will also assist in helping family and friends get in touch with you in an emergency. STEP also has country contact information such as the address of the closest U.S. consulates, the off-duty embassy call number, and the in-country emergency "911" numbers for police and medical emergencies. You can register for the STEP program through the website https://step.state.gov/step/. We highly recommend downloading the STEP app to receive alerts and be able to contact American Citizens Services (see below) as well as local emergency numbers from your phone. According to the American Consular Services, information is held in strict privacy and is not shared with local governments. |
American Citizens Services | The State Department's Office of American Citizens Services and Crisis Management (ACS) supports the work of overseas Embassies and Consulates in providing emergency services to Americans traveling or living abroad. They also assist in non-emergency matters of birth, identity, passport, citizenship, registration, judicial assistance, and estates. ACS can facilitate the transfer of funds overseas to assist U.S. citizens in need, repatriate the remains of U.S. citizens who have died overseas, assist victims of crime, and help U.S. citizens who are detained in foreign prisons. The ACS operates a 24-hour Duty Officer Program and Crisis Response Teams who work on task forces convened to deal with natural or man-made disasters. ACS can be contacted at Overseas Citizens Services: |
Internet Security | Reliant is unable to assist with personal computers, but here are some recommendations that we have for Encryption, Privacy, and Online Security. |
Encryption, Privacy, and Online Security
This is a simplified guide to encryption, security, and digital privacy. The programs and tools recommended here are tested and trusted by Reliant, but they are not the only suitable options. The goal of this write-up is to guide you towards the best level of privacy without adding unnecessary complications: to strike a balance between a solution that's "good enough" and one that is easy to use.
Online Security
HTTPS
HTTPS (HTTP Secure) is an extension of HTTP, the foundation of data communication on the Internet. A properly configured HTTPS site ensures that communication between your browser and the website is encrypted end-to-end, so that third parties on the network cannot read what you send to the website (through forms, file uploads, etc.). Always make sure to pay attention to the following:
VPN
Virtual Private Networks (VPNs) employ encryption to create a safe, encrypted connection (a tunnel) between your device and the VPN server over a less secure network, such as the Internet. For our purposes, VPNs are used to ensure our online activities cannot be snooped on by unauthorized parties on the network we are using. Without a VPN, we rely on HTTPS and other forms of encryption to hide the contents of our interactions with a website, but that doesn't hide the fact that we communicated with the website. Think of HTTPS as using a special code language to communicate with each other in public. Extending this analogy, a VPN is the equivalent of going into a private meeting room through one door while your partner enters through another door on the other side of the building: the observer knows that you entered the room, but they don't know who else has entered it. As an example, let's say you are purchasing a product from example.com for $100; here is what an eavesdropper can observe:
It's important to recognize that while a VPN hides your activity from the public network you're on (or your ISP), your VPN provider can see your activity clearly. It's very important to use a VPN from a trusted provider. The most important factors to look out for when choosing a VPN provider are:
VPN services we recommend:
Additional reviewed VPN services:
If you're curious about another VPN service, get in touch with us and we'll try to assess it.
Passwords
Your emails or encrypted files may be secure, but it doesn't matter if an attacker can get hold of your password.
The most common way an attacker gains access to an important online account (Gmail, banking, etc.) is not by defeating the security of the high-profile service, but by trying the same password that was used on a less secure service. It's important to use unique passwords for all the accounts that matter. It's vital that your passwords cannot be derived from one another: do not reuse the same password differing only by the inclusion of the service name, for example.
With more and more online services requiring account creation, and our growing dependence on online services, it can be difficult to keep track of and remember all the passwords for all the different accounts. For passwords to accounts and services aimed at ensuring privacy, remember those by heart; for everything else (Netflix, Facebook, etc.), use a password manager. A text document or a spreadsheet is not a secure way to store your passwords! Password managers come in two flavors: local storage and cloud storage. Password managers can be used for a lot more than passwords: secure notes, credit card numbers, private encryption keys, and other sensitive information can be stored safely in password management software.
Local password managers store your passwords in an encrypted file that is saved locally on your device, giving you complete control over the data.
We recommend KeePass for offline password management (https://keepass.info). It uses proven encryption technologies and has a proven track record of properly implementing them, it's open-source, and it's portable (meaning you can run it off a USB drive without installing any software on your computer).
Cloud password managers store your passwords in an encrypted file that is stored on the provider's servers.
We recommend BitWarden for cloud password management (https://bitwarden.com/).
Your password, a short memorable phrase, is all that stops unauthorized access to all your data. Be sure to choose a strong and secure password. General tips:
Birthdays, anniversary dates, and pet or loved ones' names are all terrible ideas for passwords. So are favorite quotes, famous names, or any piece of information that can be easily guessed by knowing you or talking to you. Your password should be chosen randomly; it should not reflect your thoughts or feelings.
Forget conventional wisdom and outdated practices: random letters and numbers do not make the best passwords unless they are very long, which makes them next to impossible to remember. Your passwords (unless seldom used and stored in a password manager) should be nearly impossible to guess, but very easy to remember. Consider the following two passwords: "yM&Lqg4?S" and "atone long pod wordy calve". We've been led to believe that the first one is the more secure password; in fact, the second password would fail most "password strength" tests for not containing numbers or special characters, but in reality the first password is more difficult for us to memorize and far easier for a computer to guess. Choose a password that's easy to remember and sufficiently long, and optionally introduce easy-to-remember typos or letter substitutions to make it more difficult for a computer to guess.
Techno-babel
There are two types of "guessing" attacks to break into a password-protected system, brute force and dictionary. These attacks are effectively useless against online systems, even ones that are not secured properly, since the latency alone makes them impractical. However, they are very effective against local encrypted files (like your password database, or any other file you encrypt for privacy). Let's compare the two attacks against our two passwords. Let's assume the attacker is using an array of modern processors that is capable of going through
Brute Force
This technique relies on trying every possible combination of characters until the correct one is guessed, hence the name brute force. If we consider a typical brute force algorithm that attempts to guess the password with the 26 characters of the English alphabet in both upper and lower case, 10 numerical digits, and 33 special characters easily found on a QWERTY keyboard, we find:
Dictionary Attack
A dictionary attack aims to address the slowness of a brute force attack by taking advantage of people's tendency to use simple words as their passwords; this relies on the password consisting of a word or two, or it becomes a brute force attack. The English language is rather rich; we'll consider a medium-sized "dictionary" of 450,000 words for this attack (note that the bigger the dictionary, the more likely it is to produce a successful guess, and the slower it is; the most popular password cracking dictionary at the time of this writing contains 1,493,677,782 words).
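To make the brute force versus dictionary comparison concrete, here is an added Python example (not part of the original guide) that computes the search space an attacker must cover for the two example passwords, using the guide's own figures: a 95-symbol character set (26 lowercase + 26 uppercase + 10 digits + 33 symbols) for the brute force attack and a 450,000-word dictionary for the dictionary attack. The guesses-per-second rate is an assumption made here for the time estimate, since the page does not give that figure; the contrast between the two passwords holds at any rate.

```python
import math

# Figures taken from the guide: 26 lowercase + 26 uppercase + 10 digits + 33 symbols.
CHARSET_SIZE = 26 + 26 + 10 + 33          # 95 printable characters
DICTIONARY_SIZE = 450_000                 # the guide's "medium-sized" dictionary
# ASSUMED attacker throughput in guesses per second; the page leaves this figure out.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def brute_force_keyspace(password: str, charset_size: int = CHARSET_SIZE) -> int:
    """Candidates a brute force search must cover: charset ** length."""
    return charset_size ** len(password)


def dictionary_keyspace(passphrase: str, dictionary_size: int = DICTIONARY_SIZE) -> int:
    """Candidates for a dictionary attack that tries every combination of
    dictionary words, one word per position in the passphrase."""
    return dictionary_size ** len(passphrase.split())


def strength_bits(keyspace: int) -> float:
    """Search space expressed in bits (log2), the usual way to compare passwords."""
    return math.log2(keyspace)


def average_crack_seconds(keyspace: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """On average the correct guess turns up after half the search space."""
    return keyspace / 2 / rate


def compare(password: str, passphrase: str) -> dict:
    """Search space of `password` under brute force and of `passphrase` under a
    dictionary attack. For contrast, the passphrase's brute force space over
    lowercase letters plus the space character (27 symbols) is included too,
    which is what an attacker who does not know it is made of words would face."""
    return {
        "password_brute_force": brute_force_keyspace(password),
        "passphrase_dictionary": dictionary_keyspace(passphrase),
        "passphrase_brute_force": brute_force_keyspace(passphrase, 26 + 1),
    }


if __name__ == "__main__":
    result = compare("yM&Lqg4?S", "atone long pod wordy calve")
    for label, space in result.items():
        years = average_crack_seconds(space) / (365 * 24 * 3600)
        print(f"{label:24s} {strength_bits(space):6.1f} bits  "
              f"~{years:.3g} years at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
```

Running it shows the 9-character password at roughly 59 bits of search space and the five-word passphrase at roughly 94 bits under a dictionary attack (and far more under brute force), which is the point the guide makes: length and unpredictability matter more than symbol variety.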
Two Factor Authentication
Two-factor authentication is a method of confirming a user's identity with two pieces of identification (factors), to add an extra layer of security. Your password may be very well crafted, but it's only secure as long as no one else can see it. If your password becomes known to a third party, a second factor of authentication can keep your information secure. The basic concept of most two-factor authentication systems is to use something you know (your password) as well as something you have (fingerprint, access to a cell phone, or a secure token). Even if someone gets hold of your password, they won't be able to access your files/accounts without also having access to your second authentication factor. We recommend always using two-factor authentication when available; in today's world, where attackers have more and more ways to intercept passwords, a second factor of authentication is often the only thing that stops unauthorized access. When setting up two-factor authentication, you're given the option to generate permanent recovery codes; these are to be used if you lose access to your second factor (your phone, for example). Write these codes down and store them in a secure location. If you lose access to your second factor and you don't have a recovery code, you may not be able to regain access to your accounts. For software-based token authentication, we recommend using BitWarden's built-in authenticator functionality. We also recommend LastPass Authenticator (https://lastpass.com/auth/).
Antivirus
Modern operating systems are designed with security in mind, and modern web browsers are very good at telling us when a website seems risky, but at the end of the day the computer will do what we tell it, and if we accidentally tell it to trust an infected file, antivirus can act as a last resort to stop the spread of the infection.
The key takeaway here is that we want antivirus to be the last resort, just in case, we shouldn't solely rely on it for safety and security.
Encryption
Encryption is the process of scrambling data through mathematical operations so that it is unrecognizable to anyone without the key. We'll discuss three use-cases for encryption, and the types of encryption and tools for each use-case.
Personal Encryption
For encrypting personal data for long-term storage and/or secure off-site backup, we recommend using AES. Advanced Encryption Standard (AES) is a symmetric key algorithm ratified as a standard by the National Institute of Standards and Technology of the United States; AES-256 is currently labeled as sufficient for use in the US government for the transmission of TOP SECRET information. At present, there is no known practical attack that would allow someone without knowledge of the key to read data encrypted by AES when correctly implemented. As far as we know, intelligence organizations such as the NSA are not able to break it. A symmetric block cipher uses a single encryption key both to encrypt and to decrypt data, making it useful for encrypting personal documents but unsuitable on its own for sharing sensitive information with a third party, since the key itself would have to be shared securely. AES is:
Once properly encrypted, data can safely be duplicated for off-site backup or removed from the local device. The tool we recommend for encrypting personal files is 7-Zip (https://www.7-zip.org/). 7-Zip is a free and open-source compression and packaging program with a strong implementation of AES-256 encryption. We recommend 7-Zip because it is a very popular archiving tool, and it doesn't scream "I'm encrypting files!". For a more convenient, but less obscure, experience, we recommend VeraCrypt (https://www.veracrypt.fr/en/Home.html). It allows you to mount a logical drive (think of a USB drive plugged into your computer), where everything you save to the drive is encrypted. You can then safely upload the whole volume (or "drive" file).
Techno-babel
Simplified illustration of symmetric cryptography in practice: This is a story about Alice and Bob. Alice wants to send a private message to Bob, and the only easy way they have to communicate is via postal mail. Unfortunately, Alice is pretty sure that the postman is reading the mail she sends. That makes Alice sad, so she decides to find a way to send messages to Bob without anyone else being able to read them. Alice decides to put the message inside a lockbox, then mail the box to Bob. She buys a lockbox and two identical keys to open it. But then she realizes she can't send the key to open the box to Bob via mail, as the mailman might open that package and take a copy of the key. Instead, Alice arranges to meet Bob at a nearby bar to give him one of the keys. It's inconvenient, but she only has to do it once. After Alice gets home she uses her key to lock her message into the lockbox. Then she sends the lockbox to Bob. The mailman could look at the outside, or even throw the box away so Bob doesn't get the message, but there's no way he can read the message, as he has no way of opening the lockbox. Bob can use his identical key to unlock the lockbox and read the message.
This works well, and now that Alice and Bob have identical keys, Bob can use the same method to securely reply. Meeting at a bar to exchange keys is inconvenient, though. It gets even more inconvenient when Alice and Bob are on opposite sides of an ocean.
Encryption for secure data sharing
For encrypting data for the purpose of sharing it with others, we recommend using RSA. RSA is a public-key cryptosystem, which uses an asymmetric key algorithm. The most important concept to understand about asymmetric key encryption is that it uses a public-private key pair: the public key is used to encrypt data, and the private key is used to decrypt it. This allows you to share the public key freely; a sender would use it to encrypt their data before sending it to you, and only you can decrypt the data with your private key. Conversely, when you want to send sensitive data to another person, you must use their public key to encrypt it. At present, there is no known practical attack that would allow someone without knowledge of the private key to read data encrypted by RSA when correctly implemented. As far as we know, intelligence organizations such as the NSA are not able to break it. RSA is:
When sharing sensitive information, such as passwords or private encryption keys, always ensure the data is encrypted end-to-end; that is, encrypted on the sender's local device and decrypted on the receiver's local device. Services like protonmail.com rely on public-key encryption to ensure your emails are encrypted end-to-end, but to make it easy to use, they hold on to your private key and store it on their own servers. The private key is itself encrypted on their servers and is only decrypted when you successfully log in to your account; it is then sent to your browser, where it is held in memory to decrypt the emails. In theory, ProtonMail cannot access your private key, but since we don't know how they encrypt it, we cannot know for sure that it's securely encrypted. Therefore, we rely on them not to access it or allow anyone else to access it. For most communications, ProtonMail is considered highly secure. For the ultimate security and privacy, we must manually encrypt our data.
For Windows: Creating the private-public key pair
For computers running the Windows operating system, we're going to use Gpg4Win (https://www.gpg4win.org/), a free and open-source suite of tools for email and file encryption. After installing the Gpg4Win suite, the first thing we need to do is create the key pair. It consists of a public key used to encrypt data, and a private key used to decrypt data encrypted with the public key. To create a key pair, launch Kleopatra and choose "New Key Pair" from the File menu:
Choose the "Create a personal OpenPGP key pair" option. Although it says optional for both, the program requires some text to be entered in either the Name or the Email field; feel free to enter anything in the name field if you don't wish to disclose your name. Click on the Advanced Settings button and make sure you're using RSA 4096 bits; the checkbox for "+RSA" is optional and is used for signing, so go ahead and check it.
The next step is to choose a password: create a unique and secure password for your key pair. Once your key is generated, make a backup of your key pair by clicking the appropriate button. When prompted, save the file to a secure storage location. You can now hit Finish, and you'll see your certificates listed:
From here, you can right-click on your certificate to export your private (or secret) key. Be very careful when doing so; remember that this key is used to decrypt your data, and it must be stored securely. Make sure you encrypt your exported private key with AES before storing it long-term. Now right-click on your newly created certificate and click on "Export." Choose a place to save the file, give it a name, and hit Save. This is your public key; you share this key freely, people use it to encrypt messages sent to you, and only you can decrypt those messages using your private key. Go ahead and send us your public key; we will use it to communicate sensitive information with you. This is our public key, if you wish to send us encrypted data, use this key to encrypt the data: https://reliant.org/publickey.txt (save it as a local file and import it into your Kleopatra certificate cache).
Encrypting data:
The Gpg4Win suite has added new options to your Windows context menu (when you right-click on a file). When you click on "Sign and encrypt" or "Encrypt", you're presented with Kleopatra's encryption dialog. Signing is optional; you sign with your own key pair if you chose the +RSA option. When encrypting for personal use, you can use your own key pair to encrypt, but when encrypting to send to someone, you choose the public key of the recipient, which we imported earlier. Note that we unchecked the "Encrypt for me" option since we're using the public key of the recipient. We checked the "Encrypt for others" option and chose the imported public key by searching for the name on the key ("XXXXX"). By default, the encrypted file is saved in the same directory as the original file; you can choose another location if you'd like. You can now send the encrypted file knowing that no one can read its contents except the intended recipient (the owner of the public key).
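To show the public/private key roles from the secure data sharing section in working code, here is an added textbook RSA example in Python. It is not from the guide and it is not how Gpg4Win or GnuPG implement RSA: the small primes p = 61 and q = 53 (and 47 and 59 for a second, unrelated key pair) are constructed values for illustration, the arithmetic uses Python's built-in pow(), and there is no padding, so it serves only to make the idea visible. Real tools use keys of thousands of bits with proper padding, which is why the guide says to pick RSA 4096 in Kleopatra.

```python
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Build an RSA key pair from two primes. Returns (public, private), each an
    (exponent, modulus) tuple. The demo uses constructed tiny primes; real keys
    use primes of roughly 2048 bits each."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, message: int) -> int:
    """Anyone holding the public key can encrypt (Bob's open padlock)."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)


def decrypt(private_key, ciphertext: int) -> int:
    """Only the private key holder can decrypt (the key to that padlock)."""
    d, n = private_key
    return pow(ciphertext, d, n)


def sign(private_key, data: bytes) -> int:
    """Signature = hash of the data raised to the private exponent; this is the
    role the '+RSA' signing option in Kleopatra adds. The hash is reduced mod n
    only because the demo modulus is tiny."""
    d, n = private_key
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(digest, d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone with the public key can check that the private key holder signed."""
    e, n = public_key
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(signature, e, n) == digest


def demo():
    """Bob publishes his public key; Alice encrypts with it; Bob's private key
    recovers the message and a third party's private key does not."""
    bob_public, bob_private = make_keypair(61, 53)     # constructed primes
    eve_public, eve_private = make_keypair(47, 59)     # an unrelated key pair
    message = 65
    ciphertext = encrypt(bob_public, message)
    return {
        "ciphertext": ciphertext,
        "bob_reads": decrypt(bob_private, ciphertext),
        "eve_reads": decrypt(eve_private, ciphertext),
    }


if __name__ == "__main__":
    print(demo())
```

The demo returns the classic values for these primes (public key (17, 3233), ciphertext 2790 for the message 65), and the last entry shows why exporting and guarding the private key matters: the ciphertext is useless to anyone whose private key does not match the public key it was made with.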
The Gpg4Win suite has also installed extensions that allow you to easily encrypt/decrypt emails within Outlook, if you happen to have that installed.
Techno-babel
Simplified example of asymmetric cryptography in practice: This is a story about Alice and Bob. Alice wants to send a private message to Bob, and the only easy way they have to communicate is via postal mail. Unfortunately, Alice is pretty sure that the postman is reading the mail she sends. That makes Alice sad, so she decides to find a way to send messages to Bob without anyone else being able to read them. This time, Alice and Bob don't ever need to meet. First Bob buys a padlock and matching key. Then Bob mails the (unlocked) padlock to Alice, keeping the key safe. Alice buys a simple lockbox that closes with a padlock, and puts her message in it. Then she locks it with Bob's padlock and mails it to Bob. She knows that the mailman can't read the message, as he has no way of opening the padlock. When Bob receives the lockbox he can open it with his key and read the message. This only works to send messages in one direction, but Alice could buy a blue padlock and key and mail the padlock to Bob so that he can reply. Or, instead of sending a message in the padlock-secured lockbox, Alice could send Bob one of a pair of identical keys. Then Alice and Bob can send messages back and forth in their symmetric-key lockbox, as they did in the first example.
Encryption for secure communication
You can use the previously discussed encryption methods to securely encrypt and send private information, but they may be too cumbersome if you only want to prevent eavesdropping while the data is in transit. If the information doesn't have to remain encrypted once it reaches its target, there's a far better approach: Perfect Forward Secrecy (PFS). PFS is designed for ongoing communication (like your web browser communicating with a website over a browsing session, or a messaging application). It works in a very similar way to the previously discussed encryption methods, but it differs in that it generates a unique, short-lived key pair for each subsequent message or session, thus ensuring that even in the unlikely event that an attacker can guess a key, they can only read that one message, leaving the rest of the communication session private and secure. The Signal messaging protocol employs perfect forward secrecy, and when implemented properly, it is the most secure way to privately send messages. Keep in mind that once the messages are decrypted by the messaging application, they sit on the receiver's device unencrypted. We recommend the following messaging applications for secure and private communication:
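Perfect forward secrecy as described in the secure communication section, as an added Python example that is not from the guide or the Signal project: every session runs a fresh ephemeral Diffie-Hellman exchange, both sides derive the same session key from each other's public values, and then the private values are discarded, so a key recovered later unlocks at most that one session. The group parameters (the Mersenne prime 2^127 - 1 with generator 5) are constructed for illustration and are far too small for real use; deployed protocols use standardized groups or elliptic curves such as X25519. The example goes slightly beyond the text by adding the public-value sanity check a careful implementation performs.

```python
import hashlib
import secrets

# Constructed demo group: the Mersenne prime 2^127 - 1 and generator 5.
# Real protocols use standardized finite-field groups (RFC 7919) or X25519.
P = (1 << 127) - 1
G = 5


def ephemeral_keypair():
    """A fresh, single-use private exponent x and its public value g^x mod p.
    'Ephemeral' is the whole point: nothing here is reused across sessions."""
    private = secrets.randbelow(P - 3) + 2        # uniformly in 2 .. P-2
    public = pow(G, private, P)
    return private, public


def validate_public(value: int) -> bool:
    """Reject degenerate peer values (0, 1, p-1) that would force a trivial shared
    secret; a production implementation also checks subgroup membership."""
    return 1 < value < P - 1


def shared_secret(my_private: int, their_public: int) -> int:
    """(g^y)^x = (g^x)^y mod p: both sides reach the same number without it
    ever crossing the wire."""
    if not validate_public(their_public):
        raise ValueError("invalid peer public value")
    return pow(their_public, my_private, P)


def session_key(shared: int) -> bytes:
    """Hash the raw shared secret into a fixed-size symmetric key for the session."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_session():
    """One communication session: each party derives the session key from the
    other's public value, then drops its private exponent."""
    alice_private, alice_public = ephemeral_keypair()
    bob_private, bob_public = ephemeral_keypair()
    alice_key = session_key(shared_secret(alice_private, bob_public))
    bob_key = session_key(shared_secret(bob_private, alice_public))
    del alice_private, bob_private              # nothing long-lived is left to steal
    return alice_key, bob_key


def forward_secrecy_demo(sessions: int = 3):
    """Run several sessions: each agrees internally and no two share a key, so
    compromising one session key exposes only that session's traffic."""
    keys = []
    for _ in range(sessions):
        alice_key, bob_key = run_session()
        assert alice_key == bob_key
        keys.append(alice_key)
    return keys


if __name__ == "__main__":
    for i, key in enumerate(forward_secrecy_demo(), 1):
        print(f"session {i} key: {key.hex()}")
```

Contrast this with the RSA and AES workflows earlier in the guide, where one long-lived key protects everything ever encrypted under it: here an observer who records the traffic and later obtains a session key, or even the device, still cannot reconstruct the other sessions' keys, because the private exponents that produced them no longer exist.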
Factal | Factal is a breaking news technology company that helps the world's largest organizations protect people, avoid disruptions and expedite disaster relief when global events put them at immediate risk. Factal aggregates news and other public information sources to provide real-time information on developing events and incidents. This is highly recommended for field security managers or team leaders. Website: https://www.factal.com/ There is also an app available for download to receive updates on your phone. |