HOPE 2020 (2020): "QubesOS for Organizational Security Auditing" (Download)
Thursday, July 30, 2020: 1600. Many members of the international Internet freedom community perform organizational security audits for non-profits, media organizations, and small NGOs in need. These services are by no means full-fledged penetration tests, but they effectively respond to a specific need for affordable and achievable ways to bolster a small and cash-strapped organization's security posture.
While different OrgSec auditors may have their own tooling, Harlo will introduce you to the workflow developed at Freedom of the Press Foundation, centered around the Qubes operating system. This session will cover compartmentalization, building custom environments with powerful penetration testing tools, observing network activity without contaminating your results with personal traffic, working with peripherals like external Wi-Fi cards and network taps, and even air-gapped and confidential report generation. Oh, and since we are in the midst of a global health crisis, she'll address how some of this work extends well (or not-so-well) to a strictly remote practice. Throughout the session, Harlo will demonstrate how certain modules within popular auditing frameworks, like the SAFETAG methodology, are made all the easier and effective by taking advantage of the great set of features available in a Qubes workstation.
The goal of the session is to bridge the gaps between popular auditing techniques and their actual practical implementation. This will also be a great opportunity to discuss with the HOPE community the finer philosophical goals and methodologies that have been built around OrgSec auditing at a smaller scale, while showcasing how a pretty nimble setup using this new and exciting operating system has been created.