Security Awareness
Axelerant attempts to provide team members with the education and tools to maintain the security of company confidential and personal information. As security concerns evolve, awareness about secure methodologies will as well.
Avoid Phishing and Social Engineering
Social engineering is the most common attack vector used to compromise computer systems. Social engineering relies heavily on human interaction, often tricking people into breaking standard security procedures.
When in doubt about a message being sent on unofficial channels such as your email ID or WhatsApp, please refrain from responding and block the sender, as we do not do this by default.
While this is one of the many techniques that may be used, the following is a brief reminder of some measures to keep track of when receiving such messages.
Phishing - Phishing attacks are fraudulent communications to deceive people into sharing sensitive information.
To avoid such attacks:Don't click on links; hover and check the URLs
Review the from address (on emails and do not respond unless they are from the Axelerant.com domain)
Don't open attachments (unless you trust the sender)
If in doubt, ask an IT member (e.g., via Slack)
Windows Technical Support
"Windows Technical Support has noticed that you have viruses or other malware on your computer..."
Baiting
Seemingly innocent (or attractive) abandoned USB, CD, and DVD media with
autorun.
Public WiFi (e.g., coffee shop, airport, library, ...)
Turn off sharing
Don't automatically connect to unknown
WiFi hotspots.
Confirm the network name - know the name of your hotspot!
Turn on your local firewall.
As usual, never enter your name or password information:
when on an insecure (non-HTTPS or SSL encrypted) connection or
to a site that you have not verified is correct (by examining the URL)
Consider Disk Encryption and Storage Management
Most modern disks (SSDs) have built-in self-encrypting drive (SED) technology. Axelerant highly recommends SSDs for their increased speed and the hardware-based encryption (self-encrypting drive or "SED" technology) to protect the drive when the machine is off. This is particularly important for laptops that can be easily stolen. When you buy a new disk or configure a new laptop, turn on the disk encryption.
Backups
With more work captured in the cloud by Slack, Gmail, Google Drive, GitHub, etc., less needs to be backed up. But you won't know what you'll miss until your system doesn't boot up because of an unrecoverable hard drive (or SSD) error. At the least, back up your security keys and personal preferences directories, such as (examples in GNU/Linux):
Securely Delete Files and Wipe Disks
When you delete a file, it doesn't go away. Usually, all that occurs is the file name, and a pointer to its bits is removed from a directory listing. With the proper tools, deleted files can be recovered. For this reason, old disks must be securely wiped before being given or thrown away. Some pointers are given below:
Keep Your Systems Up-to-date
One of the best ways to protect yourself from being hacked (other than via a social engineering pathway) is to keep the software on your computers and phones up."
Shared account passwords should rotate to ensure that only those users needing access continue to have access, revoking individual accounts, mainly when people leave.
Use Password Management Tools
A password manager will enable you to have unique, strong passwords for every service you log into. Good Password managers will generate new passwords for you, auto-fill web forms, allow extra protection for high-security accounts (like banking), and more.
At Axelerant, we currently use 1Password as it is the most full-featured; we have a paid plan that allows all our employees to save and share passwords and other credentials (SSH keys, tokens, CLI logins, etc) securely.
1Password
The 1Password password generator can easily create and maintain hundreds of different passwords. And 1Password has free iPhone, Android, and Desktop apps.
We recommend a minimum of 16-character passwords using all character types. (Some old systems will need you to lessen this level of security, but those are few.)
Once you have all your passwords in 1Password, take the "Security Challenge" - your score should be 80% or higher.
1Password is required for all members of the Axelerant Team.
Set up Two two-factor authentication on your 1Password Account. 1Password will be storing all your passwords, so make it secure.
Axelerant also requires a backup 2-factor authenticator for your 1Password account.
Disable Browser Password Autofill
1Password provides secure password management, especially when unlocked via Two two-factor authentication. Storing new passwords created in 1Password in your browser completely defeats this security, enabling anyone to access your browser access to all your sites. If your browser asks, "Do you want to save this password in your browser?" answer "No." Then turn off this insecure action altogether:
Once you install the 1Password browser extension, 1Password should automatically take over the Password management from your browser.
Use Two Factor (or 2-Step) Authentication (TFA, 2FA)
Two-factor authentication includes something you know (e.g., your memorized password) and something you have (e.g., your smartphone or a Yubikey) and can significantly increase your security systems. Axelerant recommends you use Two-Factor Authentication for services that support it.
For example, as your password manager grows to have more passwords - not only Axelerant's systems and clients but also your personal bank accounts, credit cards, school records, etc. - it becomes increasingly important to have it protected by more than just a password.
Axelerant requires that its employees and contractors give access to the Axelerant Google Apps - that include Gmail, Hangouts, and Google Docs access - and use Two-Factor Authentication on their Axelerant Google Account.
Two-Factor Authenticators
Many hardware and software tools exist for creating secure "one-time passwords" (OTP). Two that we frequently use internally are described below.
Please do not rely on SMS text messages for available two-factor authentication, as it is less secure than others listed here. However, at the time of this writing, setting up Two-Factor Authentication on your Google account initially requires SMS verification.
This is OK and serves as a "TFA Backup" mechanism; more at Two-Factor Redundancy and TFA Backup Codes.
Google Authenticator
For installation instructions, see https://support.google.com/accounts/answer/1066447 .
This page also has instructions for setting up 2-step Verification for multiple Google accounts.
Two-Factor Redundancy and TFA Backup Codes
As a final, crucial step, you must have backup codes for all your TFA accounts. Imagine using a Token generator app from your phone to unlock a tool, and you lose your phone. Without a backup code, access to your accounts would be prevented. So it would help if you had backup codes; whenever you set up two-factor authentication, you save the back codes to access them easily without needing your phone's token generator app.
SMS can often be an easy backup if the tool allows multiple methods. Services that provide TFA generally enable multiple two-factor options and a downloadable set of single-use "backup codes" that you can download, print, and keep in a safe place.
Recommended mobile apps to be used as Token generators for two-factor authentication; they also sync with the cloud, allowing you to install them again on a new device,
Google Authenticator
Authy