Axelerant attempts to provide team members with the education and tools to maintain the security of company confidential and personal information. As security concerns evolve, awareness about secure methodologies will as well.
Social engineering is the most common attack vector used to compromise computer systems. Social engineering relies heavily on human interaction, often tricking people into breaking normal security procedures. The following is a brief reminder of some of the methods used but is incomplete.
Phishing
Don't click on links; hover and check the URLs
Don't open attachments (unless you trust the sender)
If in doubt, ask an IT member (e.g., via Slack)
Windows Technical Support
"Windows Technical Support has noticed that you have viruses or other malware on your computer..."
Baiting
Seemingly innocent (or interesting) abandoned USB, CD, and DVD media with autorun
Public WiFi (e.g., coffee shop, airport, library, ...)
Turn off sharing
Don't automatically connect to unknown WiFi hotspots.
Confirm the network name - know the name of your hotspot!
Turn on your local firewall.
As usual, never enter your name or password information:
when on an insecure (non-HTTPS or SSL encrypted) connection, or
to a site that you have not verified is correct (by examining at the URL)
Most modern disks (SSDs) have built-in self-encrypting drive (SED) technology. Axelerant highly recommends SSDs for their increased speed and the hardware-based encryption (self-encrypting drive or "SED" technology) to protect the drive when the machine is off. This is particularly important for laptops that can be easily stolen. When you buy a new disk or configure a new laptop, turn on the disk encryption. Some of Axelerant's clients will demand it. (Contact your product manager to see if you are eligible for a hard disk rebate.)
If you haven't set up your hard drive with hardware encryption, you can use software alternatives until you get a new one. These methods incur a small performance penalty concerning hardware encryption but are relatively quick and easy to set up.
Open System Preferences, click the Security & Privacy icon, and switch to the FileVault tab. If you see a button that says "Turn Off FileVault..." then congratulations, your disk is already encrypted. Otherwise, click the lock icon in the bottom left to make changes, and click "Turn On FileVault...". Google "Filevault" for more information.
Much more technical detail on securing your Mac: macOS-Security-and-Privacy-Guide. This is useful but well beyond what is required by Axelerant.
To see if BitLocker is supported on your version of Windows, open up Windows Explorer, right-click on C drive, and see if you have a "Turn on BitLocker" option (if you see a "Manage BitLocker" option, then congratulations, your disk is already encrypted.) If you don't have BitLocker available, google the open-source DiskCryptor.
Unlike Mac and Windows, you can only encrypt your drive during system installation; you might as well buy a new SSD...
With more work captured in the cloud by Slack, Gmail, Google Drive, GitHub, etc., less needs to be backed up. But you won't know what you'll miss until your system doesn't boot up because of an unrecoverable hard drive (or SSD) error. At the least, back up your security keys and personal preferences directories, such as (examples in GNU/Linux):
~/.ssh/
~/.gnupg/
~/.config
Consider committing your personalization files (like ~/.bashrc) into a Git repository. Just make sure you do not commit any files containing private keys or passwords.
While it's preferable that you not back up any company or client-sensitive files or data, such data must be completely deleted from your machine(s) when you stop working for that client.
If you use any backup mechanism more complicated than simply copying the files to another medium, ensure that you know how to restore the files, too, as backups are worthless if you can't retrieve them.
Finally, there is no good reason not to make backups: a one-terabyte external USB drive costs less than $60 on Amazon.
When you delete a file, it doesn't go away. Usually, all that occurs is the file name, and a pointer to its bits is removed from a directory listing. With the proper tools, deleted files can be recovered. For this reason, old disks must be securely wiped before being given or thrown away. Some pointers are given below:
GNU/Linux:
http://askubuntu.com/questions/57572/how-to-delete-files-in-secure-manner
https://ssd.eff.org/en/module/how-delete-your-data-securely-linux
Mac OS X:
https://support.apple.com/kb/PH18638 (Yosemite)
https://www.intego.com/mac-security-blog/how-to-securely-empty-trash-in-os-x-el-capitan/ (El Capitan)
Erasing an entire disk:
One of the best ways to protect yourself from being hacked (other than via a social engineering pathway) is to keep the software on your computers and phones up-to-date. Sometimes you may reasonably want to wait for a .1 or .2 release before updating after a new major release, but don't get far behind. Also, if you have a Windows machine, you must maintain an up-to-date anti-virus package.
Axelerant believes privacy is a right, and private communication can benefit the business. Here are some tips on how free and open source tools can help:
The operating system and software applications on your laptop - and all computers, phones, tablets, etc., in your house - should be updated with new versions and security patches that ensure it presents a minimal attack surface to potential adversaries.
Additionally, your laptop should lock (require a password to resume) on-screen close and after 15 minutes of idle time.
If a service allows individual accounts, use only individual accounts and not share credentials.
Prefer services that allow individual accounts, TFA, and secure password policies.
If a service only allows a single account, have a shared LastPass master account that ideally only 2-3 trusted people can access. From there, share passwords "as needed," including individual day-to-day Lastpass accounts for the 2-3 trusted people.
If the LastPass master account is paid, it also allows sharing credentials in a way that makes the password harder for the person with who you shared it to recover/view/share (but still allows them to log in with it).
Shared account passwords should rotate to ensure that only those users needing access continue to have access, revoking individual accounts, particularly when people leave.
A password manager will enable you to have unique, strong passwords for every service you log into. Good password managers will generate new passwords for you, auto-fill web forms, allow extra protection for high-security accounts (like banking), and more.
Please choose a password manager that encrypts locally (in your browser, so you don't have to trust the provider to keep their data safe) with iPhone and Android apps that will auto-sync with the manager.
At Axelerant, we currently recommend LastPass as it is the most full-featured, but we keep a close eye on the FOSS KeePass and Password Safe solutions.
The LastPass password generator can easily create and maintain hundreds of different passwords. And LastPass has free iPhone and Android apps.
We recommend a minimum of 16-character passwords using all character types. (Some old systems will need you to lessen this level of security, but those are few.)
Once you have all your passwords in LastPass, take the "Security Challenge" - your score should be 80% or higher.
LastPass is required for all members of the Axelerant Team.
Set up Two Factor Authentication on your LastPass Account (see below). LastPass will be storing all your passwords, so make it secure.
It is fine (and perhaps preferable because your browser can only use one LastPass account at a time) to use a personal email address to create your LastPass account.
Axelerant also requires a backup 2-factor authenticator for your LastPass account.
LastPass provides secure password management, especially when unlocked via Two Factor Authentication. Storing new passwords created in LastPass in your browser completely defeats this security, enabling anyone to access your browser access to all your sites. If asked by your browser, "Do you want to save this password in your browser?" answer "No" Then disable this insecure action altogether:
In Chrome, go to chrome://settings/ and uncheck "Offer to save your web passwords."
In Firefox, go to about:preferences#security and uncheck "Remember logins for sites."
In Safari, go to Preferences >> Passwords and uncheck "AutoFill user names and passwords."
Two-Factor Authentication includes something you know (e.g., your memorized password) and something you have (e.g., your smartphone or a Yubikey) and can greatly increase your security systems. Axelerant recommends you use Two-Factor Authentication for services that support it.
For example, as your password manager grows to have more passwords - not only Axelerant's systems and clients but also your personal bank accounts, credit cards, school records, etc. - it becomes increasingly important to have it protected by more than just a password.
Axelerant requires that its employees and contractors give access to the Axelerant Google Apps - that include Gmail, Hangouts, and Google Docs access - use Two-Factor Authentication on their Axelerant Google Account.
Many hardware and software tools exist for creating secure "one-time passwords" (OTP). Two that we frequently use internally are described below.
Please do not rely on SMS text messages for general two-factor authentication, as it is less secure than others listed here. However, at the time of this writing, setting up Two-Factor Authentication on your Google account initially requires SMS verification.
This is OK and serves as a "TFA Backup" mechanism; more at Two-Factor Redundancy and TFA Backup Codes.
For installation instructions, see https://support.google.com/accounts/answer/1066447.
This page also has instructions for setting up 2-Step Verification for multiple Google accounts.
LastPass: Multifactor Authentication Options
Google: 2-Step Verification
GitLab: See your profile
As a final, crucial step, you must have a backup second factor for all your TFA accounts. Imagine using Google Authenticator from your phone to unlock LastPass, and you lose your phone. Without a backup second factor, access to your accounts would be prevented. So you need a backup.
SMS can often be an easy backup, say for Google Authenticator. Services that provide TFA generally enable multiple two-factor options and a downloadable set of single-use "backup codes" that you can download or print and keep in a safe place. If you lost your primary second factor, you could use your secondary one or a printer backup code stored in your file cabinet. Hint: you can store backup codes in LastPass in the Notes section.
Some applications and services may need to connect to your Axelerant Google account, but they might not handle TFA. An example would be a personal Gmail account trying to send e-mails through your Axelerant account.
For this purpose, Google has created something called App Passwords. App Passwords allows you to create a unique password for each of your services/apps. If this password is used while authenticating your service/app to access your Axelerant account, it will bypass TFA.
There are some instructions at https://support.google.com/accounts/answer/185833?hl=en on how to use App Passwords with Google. Several other TFA-enabled services also support app passwords -- see their respective documentation.