...

Social engineering is the most common attack vector used to compromise computer systems. Social engineering relies heavily on human interaction, often tricking people into breaking normal security procedures. The following is a brief reminder of some of the methods used; it is not a complete list.

  • Phishing

  • Windows Technical Support

    • "Windows Technical Support has noticed that you have viruses or other malware on your computer..."

  • Baiting

    • Seemingly innocent (or attractive) abandoned USB, CD, and DVD media with autorun

  • Public WiFi (e.g., coffee shop, airport, library, ...)

    • Turn off sharing

    • Don't automatically connect to unknown WiFi hotspots.

    • Confirm the network name - know the name of your hotspot!

    • Turn on your local firewall.

    • As usual, never enter your name or password information:

      • when on an insecure connection (plain HTTP rather than HTTPS, i.e., not TLS/SSL encrypted), or

      • to a site that you have not verified is correct (by examining the URL, not just the look of the page)

    • More on public WiFi network safety (from LifeHacker)

...

If you haven't set up your hard drive with hardware encryption, you can use software alternatives until you get a new one. These methods incur a small performance penalty compared with hardware encryption but are relatively quick and easy to set up.

...

Consider committing your personalization files (like ~/.bashrc) into a Git repository. Just make sure you do not commit any files containing private keys or passwords.
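As an added example (written for this page, not Axelerant tooling), here is a Git pre-commit hook in Python that refuses the commit when a staged file contains a private key block or a password-like assignment, or is a file that holds credentials by design (such as ~/.netrc or an SSH private key). The regular expressions and the file-name list are assumptions for the illustration; extend them to match your own dotfiles. Install it as .git/hooks/pre-commit (executable) in the dotfiles repository.

```python
#!/usr/bin/env python3
"""Pre-commit hook for a dotfiles repository: refuse the commit if any staged
file looks like it carries a private key or a password.

Added example for this page, not Axelerant's own tooling. The patterns and
file names below are assumptions for the illustration; extend them as needed.
Install as .git/hooks/pre-commit and make it executable.
"""
import re
import subprocess
import sys

# Line-level patterns that should never appear in a committed dotfile (assumed set).
SECRET_PATTERNS = {
    "private key block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
    "password assignment": re.compile(
        r"(?i)(?:password|passwd)\s*[=:]\s*\S+"),
    "token assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[=:]\s*['\"]?[A-Za-z0-9/+_-]{16,}"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Files that hold credentials by design; their mere presence is a finding (assumed list).
FORBIDDEN_NAMES = (".netrc", ".pgpass", ".my.cnf", ".aws/credentials",
                   "id_rsa", "id_ecdsa", "id_ed25519")


def scan_text(path, text):
    """Return (path, line_number, reason) findings for one file's contents.
    line_number 0 means the finding is about the file name itself."""
    findings = []
    if any(path == name or path.endswith("/" + name) for name in FORBIDDEN_NAMES):
        findings.append((path, 0, "credential file should never be committed"))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for reason, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, reason))
    return findings


def staged_files():
    """Paths of files added or modified in the index (what this commit will contain)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM", "-z"],
        check=True, capture_output=True, text=True).stdout
    return [p for p in out.split("\0") if p]


def staged_content(path):
    """Read the staged blob, not the working-tree copy, so partial adds are scanned as staged."""
    return subprocess.run(["git", "show", ":" + path], check=True,
                          capture_output=True, text=True, errors="replace").stdout


def main():
    findings = []
    for path in staged_files():
        findings.extend(scan_text(path, staged_content(path)))
    for path, lineno, reason in findings:
        print(f"{path}:{lineno}: {reason}", file=sys.stderr)
    if findings:
        print("commit refused: remove the secret or keep that file out of the repository "
              "(git commit --no-verify bypasses this hook; use it only after reviewing the findings)",
              file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The hook scans the staged blob rather than the working tree, so what is checked is exactly what would be committed. A pattern match is a prompt to review, not proof of a leak: a line such as `export PGPASSWORD=...` in ~/.bashrc is precisely what this guard exists to catch, and the fix is to move it out of the repository, not to bypass the hook.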

...

Axelerant believes privacy is a right, and private communication can benefit the business. Here are some tips on how free and open-source tools can help:

...

Additionally, your laptop should lock (require a password to resume) when the lid is closed and after 15 minutes of idle time.

Sharing Online Service Accounts

  • If a service allows individual accounts, use individual accounts only and do not share credentials.

  • Prefer services that allow individual accounts, TFA, and secure password policies.

  • If a service only allows a single account, have a shared LastPass master account that ideally only 2-3 trusted people can access. From there, share passwords "as needed," including to the individual day-to-day LastPass accounts of those 2-3 trusted people.

  • If the LastPass master account is paid, it also allows sharing credentials in a way that makes the password harder for the person with whom you shared it to recover, view, or re-share (while still allowing them to log in with it). Treat this as a convenience, not a security boundary: a credential that the recipient's browser can fill is one the recipient can ultimately recover.

  • Shared account passwords should be rotated so that only those who still need access keep it, and individual accounts should be revoked, particularly when people leave.

Use Password Management Tools

...

Two-Factor Authentication combines something you know (e.g., your memorized password) with something you have (e.g., your smartphone or a Yubikey), so a stolen or guessed password alone is no longer enough to log in; it can greatly increase the security of your accounts. Axelerant recommends you use Two-Factor Authentication for services that support it.

...

Please do not rely on SMS text messages as your primary second factor where other options are available, as SMS is less secure than the other methods listed here (messages can be intercepted or redirected to an attacker's SIM). However, at the time of this writing, setting up Two-Factor Authentication on your Google account initially requires SMS verification.

...

SMS can often serve as an easy backup, say for Google Authenticator. Services that provide TFA generally let you enable multiple second-factor options and offer a set of single-use "backup codes" that you can download, print, and keep in a safe place.

If you lose your primary second factor, you can use your secondary one or a printed backup code stored in your file cabinet. Hint: you can keep backup codes in LastPass in the Notes section, but be aware that if the same vault also holds the account password, anyone who compromises the vault gets both factors at once; keeping the codes somewhere separate (e.g., on paper) preserves the benefit of the second factor.
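To make concrete what the second factor above and the backup codes are, here is an added example in Python, written for this page and not the code of Google, LastPass, Yubico or any other service mentioned: it implements the TOTP algorithm of RFC 6238 (HOTP from RFC 4226 with a time-based counter) that authenticator apps compute from the shared secret, the service-side check that tolerates a little clock drift, and single-use backup codes stored only as salted PBKDF2 hashes so a copy of the service's database does not hand out a working second factor. The 30-second step, 6-digit codes, one-step drift window, 8-digit backup codes and 100,000 KDF iterations are assumed common defaults; the RFC test secret is used in the self-check.

```python
#!/usr/bin/env python3
"""How a time-based second factor and backup codes work, end to end.

Added example for this page; not the code of Google, LastPass or any other
service it mentions. TOTP follows RFC 6238 (HOTP from RFC 4226 with a time
counter), which is what authenticator apps compute. Backup codes are stored
only as salted PBKDF2 hashes, so a copy of the service's database does not
hand an attacker a working second factor. Step size, digits, drift window,
code lengths and KDF cost are assumed common defaults.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30            # seconds per TOTP window (assumed default)
DIGITS = 6           # length of an authenticator code
WINDOW = 1           # accept one step of clock drift either side
KDF_ITERATIONS = 100_000


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None):
    """RFC 6238: HOTP with the counter derived from Unix time (what the phone shows)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // STEP)


def verify_totp(secret, code, at=None):
    """Service side: accept the current step or one step either side, in constant time."""
    at = int(time.time()) if at is None else at
    counter = at // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-WINDOW, WINDOW + 1))


def enrollment_secret():
    """A fresh shared secret and its base32 form, which is what the enrollment QR code carries."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode().rstrip("=")


def _hash_code(code, salt):
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, KDF_ITERATIONS)


def make_backup_codes(n=10):
    """Return (plaintext codes shown to the user once, salted hashes the service stores).
    8-digit codes have little entropy, so a slow hash and online rate limiting both matter."""
    plain = ["{:08d}".format(secrets.randbelow(10 ** 8)) for _ in range(n)]
    stored = []
    for code in plain:
        salt = secrets.token_bytes(16)
        stored.append((salt, _hash_code(code, salt)))
    return plain, stored


def use_backup_code(stored, code):
    """Consume a backup code: it is accepted exactly once and then removed."""
    for entry in stored:
        salt, digest = entry
        if hmac.compare_digest(_hash_code(code, salt), digest):
            stored.remove(entry)
            return True
    return False


def second_factor_ok(secret, stored_backups, submitted, at=None):
    """What the service does after the password: 6 digits means an app code,
    anything else is tried as a backup code."""
    submitted = submitted.strip().replace(" ", "")
    if len(submitted) == DIGITS and submitted.isdigit():
        return verify_totp(secret, submitted, at)
    return use_backup_code(stored_backups, submitted)


if __name__ == "__main__":
    raw, b32 = enrollment_secret()
    print("enroll this secret in your authenticator:", b32)
    print("code valid right now:", totp(raw))
    codes, stored = make_backup_codes(3)
    print("print and file these backup codes:", " ".join(codes))
```

Two points the code makes that the text only implies: the phone and the service hold the same secret, so an SMS fallback is not a weaker copy of this but a different channel entirely, and a backup code is a password-equivalent that must be consumed on first use and stored hashed, which is why a printed copy in a file cabinet is a sound place for it. A production service would additionally rate-limit attempts and reject a TOTP code that was already accepted within its window.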

...

Some applications and services may need to connect to your Axelerant Google account, but they might not support TFA. An example would be a personal Gmail account trying to send emails through your Axelerant account.

...