Security Awareness

Axelerant attempts to provide team members with the education and tools to maintain the security of company confidential and personal information. As security concerns evolve, awareness about secure methodologies will as well.

Avoid Phishing and Social Engineering

Social engineering is the most common attack vector used to compromise computer systems. Social engineering relies heavily on human interaction, often tricking people into breaking standard security procedures.

When in doubt about a message sent on unofficial channels such as your personal email ID or WhatsApp, please refrain from responding and block the sender, as Axelerant does not use those channels by default.

Phishing is only one of many social engineering techniques; the following is a brief reminder of some measures to keep in mind when receiving such messages.

  • Phishing - Phishing attacks are fraudulent communications to deceive people into sharing sensitive information.
    To avoid such attacks:

    • Don't click on links; hover and check the URLs

    • Review the From address on emails, and do not respond unless it is from the Axelerant.com domain

    • Don't open attachments (unless you trust the sender)

    • If in doubt, ask an IT member (e.g., via Slack)

    • More on Phishing avoidance (from EFF)

  • Windows Technical Support

    • "Windows Technical Support has noticed that you have viruses or other malware on your computer..."

  • Baiting

    • Seemingly innocent (or attractive) abandoned USB, CD, and DVD media with autorun.

  • Public WiFi (e.g., coffee shop, airport, library, ...)

    • Turn off sharing

    • Don't automatically connect to unknown WiFi hotspots.

    • Confirm the network name - know the name of your hotspot!

    • Turn on your local firewall.

    • As usual, never enter your name or password information:

      • when on an insecure connection (one not encrypted with HTTPS/SSL), or

      • to a site that you have not verified is correct (by examining the URL)

    • More on public WiFi network safety (from LifeHacker)

See this? Ignore it!
Not from Ankur@Axelerant.com.

Consider Disk Encryption and Storage Management

Most modern disks (SSDs) have built-in self-encrypting drive (SED) technology. Axelerant highly recommends SSDs for their increased speed and for this hardware-based encryption, which protects the drive when the machine is off. This is particularly important for laptops, which can be easily stolen. When you buy a new disk or configure a new laptop, turn on the disk encryption. Some of Axelerant's clients will demand it. (Contact your product manager to see if you are eligible for a hard disk rebate.)

Software Disk Encryption

If you haven't set up your hard drive with hardware encryption, you can use software alternatives until you get a new one. These methods incur a minor performance penalty compared with hardware encryption but are relatively quick and easy to set up.

Mac OSX: FileVault 2

Open System Preferences, click the Security & Privacy icon and switch to the FileVault tab. If you see a button that says "Turn Off FileVault..." then congratulations, your disk is already encrypted. Otherwise, click the lock icon in the bottom left to make changes, and click "Turn On FileVault...". Google "FileVault" for more information.

Much more technical detail on securing your Mac: macOS-Security-and-Privacy-Guide. This is useful but well beyond what is required by Axelerant.

Windows: BitLocker or DiskCryptor

To see if BitLocker is supported on your version of Windows, open up Windows Explorer, right-click on C drive, and see if you have a "Turn on BitLocker" option (if you see a "Manage BitLocker" option, then congratulations, your disk is already encrypted.) If you don't have BitLocker available, google the open-source DiskCryptor.

GNU/Linux: use the hardware

Unlike Mac and Windows, on GNU/Linux you can only encrypt your drive during system installation; if yours was installed without it, you might as well buy a new (self-encrypting) SSD...

Backups

With more work captured in the cloud by Slack, Gmail, Google Drive, GitHub, etc., less needs to be backed up. But you won't know what you'll miss until your system doesn't boot up because of an unrecoverable hard drive (or SSD) error. At the least, back up your security keys and personal preferences directories, such as (examples in GNU/Linux):

  • ~/.ssh/

  • ~/.gnupg/

  • ~/.config

Consider committing your personalization files (like ~/.bashrc) into a Git repository. Just ensure you do not commit files containing private keys or passwords.
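An added example (not part of the Axelerant handbook) that puts the two points above together: archive the key directories named in the list and verify the archive can be read back, and refuse to commit any dotfile that contains private key material. It assumes a POSIX shell with tar, grep and mktemp; the demo home directory and the "key" in it are constructed, not real.

```shell
#!/bin/sh
# Added example, not part of the Axelerant handbook: back up the key
# directories named above and refuse to commit files that hold private keys.
# Assumes a POSIX shell with tar, grep, mktemp; the demo files are constructed.

# Archive PATH... (relative to BASE) into DEST as a timestamped tar.gz, then
# list the archive back so you know it can actually be restored.
# Prints the archive path; returns non-zero if packing or reading fails.
backup_dirs() {
    dest=$1; base=$2; shift 2
    mkdir -p "$dest" || return 1
    archive="$dest/dotfiles-$(date +%Y%m%d%H%M%S).tar.gz"
    tar -czf "$archive" -C "$base" "$@" || return 1
    tar -tzf "$archive" >/dev/null || return 1
    printf '%s\n' "$archive"
}

# Return 0 if none of FILE... contains private key material, 1 otherwise.
# Run this over your dotfiles before "git add" to keep keys out of the repo.
check_no_secrets() {
    bad=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY( BLOCK)?-----' "$f"; then
            echo "REFUSE: $f contains private key material" >&2
            bad=1
        fi
    done
    return "$bad"
}

# --- constructed demo home directory (the key below is fake, not a real key) ---
demo=$(mktemp -d)
mkdir -p "$demo/.ssh"
printf 'export EDITOR=vim\n' > "$demo/.bashrc"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'FAKEKEYMATERIAL' \
    '-----END OPENSSH PRIVATE KEY-----' > "$demo/.ssh/id_ed25519"

archive=$(backup_dirs "$demo/backup" "$demo" .bashrc .ssh)   # backs up both
check_no_secrets "$demo/.bashrc" && echo "OK to commit: .bashrc"
check_no_secrets "$demo/.ssh/id_ed25519" || echo "Not committing .ssh/id_ed25519"
```

Point `backup_dirs` at your real home directory with `.ssh .gnupg .config` to produce the backup the list above asks for; the key check is what keeps the backup and the Git repository from ever holding the same secret.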

While it's preferable that you not back up any company or client-sensitive files or data, such data must be completely deleted from your machine(s) when you stop working for that client.

If you use any backup mechanism more complicated than simply copying the files to another medium, ensure that you know how to restore the files, too, as backups are worthless if you can't retrieve them.

Finally, there is no good reason not to make backups: a one-terabyte external USB drive costs less than $60 on Amazon.

Securely Delete Files and Wipe Disks

When you delete a file, it doesn't go away. Usually, all that happens is that the file name and a pointer to its data are removed from a directory listing. With the proper tools, deleted files can be recovered. For this reason, old disks must be securely wiped before being given away or thrown away. Some pointers are given below:

GNU/Linux:

Mac OS X:

Erasing an entire disk:

Keep Your Systems Up-to-date

One of the best ways to protect yourself from being hacked (other than via a social engineering pathway) is to keep the software on your computers and phones up to date.

  • Shared account passwords should be rotated so that only those users who still need access keep it, and individual accounts should be revoked, especially when people leave.

Use Password Management Tools

A password manager will enable you to have unique, strong passwords for every service you log into. Good password managers will generate new passwords for you, auto-fill web forms, allow extra protection for high-security accounts (like banking), and more.

Please choose a password manager that encrypts locally (in your browser, so you don't have to trust the service with your unencrypted data) and that has iPhone and Android apps that auto-sync with the manager. Axelerant provides one to keep your data safe.

At Axelerant, we currently use 1Password as it is the most full-featured; we have a paid plan that allows all our employees to save and share passwords and other credentials (SSH keys, tokens, CLI logins, etc.) securely.

1Password

  • The 1Password password generator can easily create and maintain hundreds of different passwords. And 1Password has free iPhone, Android, and Desktop apps.

    • We recommend a minimum of 16-character passwords using all character types. (Some old systems will need you to lessen this level of security, but those are few.)

    • Once you have all your passwords in 1Password, take the "Security Challenge" - your score should be 80% or higher.

  • 1Password is required for all members of the Axelerant Team.

  • Set up two-factor authentication on your 1Password account. 1Password will be storing all your passwords, so make it secure.

  • Axelerant also requires a backup two-factor authenticator for your 1Password account.

Disable Browser Password Autofill

1Password provides secure password management, especially when unlocked via two-factor authentication. Storing the passwords created in 1Password in your browser as well completely defeats this security, giving anyone with access to your browser access to all your sites. If your browser asks, "Do you want to save this password in your browser?" answer "No." Then turn off this insecure behaviour altogether:

Once you install the 1Password browser extension, 1Password should automatically take over password management from your browser.

Use Two Factor (or 2-Step) Authentication (TFA, 2FA)

Two-factor authentication combines something you know (e.g., your memorized password) with something you have (e.g., your smartphone or a YubiKey) and can significantly increase the security of your accounts. Axelerant recommends you use Two-Factor Authentication for every service that supports it.

For example, as your password manager grows to have more passwords - not only Axelerant's systems and clients but also your personal bank accounts, credit cards, school records, etc. - it becomes increasingly important to have it protected by more than just a password.

Axelerant gives its employees and contractors access to the Axelerant Google Apps (which include Gmail, Hangouts, and Google Docs) and requires them to use Two-Factor Authentication on their Axelerant Google Account.

Two-Factor Authenticators

Many hardware and software tools exist for creating secure "one-time passwords" (OTP). Two that we frequently use internally are described below.

Please do not rely on SMS text messages for two-factor authentication where other options are available, as SMS is less secure than the other methods listed here. However, at the time of this writing, setting up Two-Factor Authentication on your Google account initially requires SMS verification.

This is OK and serves as a "TFA Backup" mechanism; more at Two-Factor Redundancy and TFA Backup Codes.

Google Authenticator

  • For installation instructions, see  .

  • This page also has instructions for setting up 2-step Verification for multiple Google accounts.

Two-Factor Redundancy and TFA Backup Codes

As a final, crucial step, you must have backup codes for all your TFA accounts. Imagine using a token generator app on your phone to unlock a tool, and then losing your phone. Without a backup code, you would be locked out of your accounts. So, whenever you set up two-factor authentication, save the backup codes somewhere you can access them easily without needing your phone's token generator app.

SMS can often be an easy backup if the tool allows multiple methods. Services that provide TFA generally enable multiple two-factor options and a set of single-use "backup codes" that you can download, print, and keep in a safe place.

Recommended mobile apps to use as token generators for two-factor authentication (they also sync with the cloud, so you can install them again on a new device):

  1. Google Authenticator

  2. Authy

Advanced: Connecting to TFA-enabled Services/Apps

Some applications and services may need to connect to your Axelerant Google account, but they might not handle TFA. An example would be a personal Gmail account trying to send emails through your Axelerant account.

For this purpose, Google has created something called App Passwords. App Passwords allows you to create a unique password for each of your services/apps. If this password is used when authenticating your service/app to access your Axelerant account, it will bypass TFA.

There are some instructions at   on how to use App Passwords with Google. Several other TFA-enabled services also support app passwords -- see their respective documentation.