Regarding number 5, one company I worked for had the donut rule: if you left your computer unlocked, everyone was within their rights to send an email to the whole company offering to buy everybody donuts. It was expected that you would follow through (with whatever treats you deemed appropriate, didn't have to be sugary stuff). Of course this highlighted the security advantages of using a DVORAK layout on your keyboard and only sending email with Emacs which probably wasn't the intended effect, but every little helps.
My standard move was to change the background and set the screen to auto-lock after as little idle as the desktop environment would let me. The victim usually immediately saw the background, but the auto-lock change usually remained unnoticed and kept triggering for a few days... Hey, I'm just trying to prevent the problem from reoccurring!
At another place I worked, the devs took a screenshot of their desktop and made it the lock screen image, so it looked like it was unlocked, just to annoy security (i.e. me!).
Same, I even put a Thunderbird "New Message" window on mine just to be extra "attractive". Had an extra keybind for that, just in case I need to take my laptop to a customer.
Overall the "buy treats for the office" rule helped to establish the habit even though I think we never followed through with it. We mostly just told newcomers that this is the rule and they locked their screen as expected. And ofc it turned "Hey, lock your screen!" into "Oh, you want to treat us?" which makes for a more cheerful way to remind people.
Your coworkers can just film you while you type the password to unlock the screen. And of course if the machine is running the decryption key for the disk is located in the RAM.
If you can't trust your coworkers in the same office, you should absolutely have private rooms that get locked, and shut down your machine completely every time you leave it.
It's not about trusting coworkers, it's about creating the right security habits so you don't leave your computer unlocked in situations where it is easily compromised. And it's about closing of the easiest attack vectors (open laptops, reused or simple passwords etc) not about nation-state level hacking possibilities :)
Trusting co-workers has nothing to do with it. Any random person walking by could do it - cleaning staff, maintenance folks, a guest or visitor, someone ‘surfing’ in behind someone, etc.
And it gives some incentive to everyone to watch each others backs and keep each other honest. Which is how actual trust gets built IMO.
Knowing someone will catch and make sure you know you screwed up on something important before it became a bigger problem, rather than ignoring it and letting it fester.
Higher stakes areas, but most military combat MOS, LEO, skydiving, and climbing groups do similar things - always check that everyone around you has their act together (and give them shit if they miss something) so that there isn’t something serious that gets missed and gets someone or the group killed.
Or in this case, something serious gets missed and the company gets ‘killed’.
Think of it as tough love. And if they can dish it out, they’d better be able to take it or that is a whole nother level of ribbing that’s coming.
> Trusting co-workers has nothing to do with it. Any random person walking by could do it - cleaning staff, maintenance folks, a guest or visitor, someone ‘surfing’ in behind someone, etc.
Precisely. So if you want to be safe, shut down completely the machine. Then all of the people you listed can't access it.
And then wait minutes for things to start up, even if things reopen to their prior state perfectly. As compared to seconds to lock/unlock.
Suspend adds major security issues above and beyond either of these scenarios.
The majority of scenarios, none of those folks are able to do much to a locked machine without powering it off, which resets it to the state you were referencing.
They could install a hardware keylogger of course, and none of these protections would help.
It’s all tradeoffs. SCIF’s are better still after all, and a nightmare productivity wise.
> if you left your computer unlocked, everyone was within their rights to send an email to the whole company offering to buy everybody donuts. It was expected that you would follow through
Ah yes, the excellent security practice that if you see someone messing with someone else's equipment that's completely normal - praiseworthy, even - and if you don't challenge them on it, you get donuts.
To me that's kind of silly. Don't get me wrong, I lock my computer whenever I leave the room, but there should be a certain level of trust among coworkers assuming you aren't actually working on classified stuff (or if you have access to HR data).
You are legally liable for the messages you send; the access rights you have etc;
This is why shared accounts are one of the first thing a CISO/CIO will try to kill. It makes liability lie with the company and not the individual.
You will not be able to hide behind the fact you refuse or fail to secure your devices if someone sends a threatening message from your email account or if someone deletes the prod database.
Where shared credentials are required there is usually an access log associated: which ties individual named accounts to shared access rights in the event of eDiscovery or forensics.
Some trust is good, but if we really believed in trust then we wouldn't even both having access accounts with our names on them.
Eh, if the physical security isn't good enough you'll have laptops going missing whether they're encrypted or not. There's a lot more opportunist thieves who'll snatch a laptop than there are industrial espionage spies rappelling down your elevator shaft or whatever.
The real reason for the policy is so when some dumbass sends a dick pic from their work computer and gets fired for it, they can't claim "it wasn't me" and expect to keep their job.
It's probably better to just install an MDM. This lets you do ongoing reporting re: is disk encryption active, how long is the timeout for screen locking, etc. And to remote lock the device.
That is funny in my case the chief of security used my computer to send an invitation to everybody to buy farewell drinks because of my resignation, fun times. (no harm done we are fun people)
More or less the rules that everyone should follow, everywhere. I only somewhat disagree on two points:
(1) Store everything in a cloud, not on the laptop? You've got to work on the stuff, so it needs to be on the laptop. You should have automatic synchronization, and the user shouldn't really have to worry about it.
(2) You shouldn't use a commercial cloud. Hosting your private cloud is incredibly easy (OwnCloud & Co), and whoever is responsible for your IT should ensure that backups happen. Cloud providers don't really provide backups. When iCloud loses your files, good luck with that. Someone accidentally deleted a file some unknown number of weeks ago? If you have your own backup system, finding it is easy. Relying on Google or Dropbox? Maybe you'll find it in the version history (if you have versioning turned on), and maybe not...
Small team, though, non-profit. There is wayyyy more work to do than any one individual has time to do, and while this is probably common even in non-startup-y type businesses, it means "work on what matters most" is really important.
I don't believe managing my own cloud is anywhere near the top of my list of things that matter most. We pay something like $8.50 a month to just have the devices backed up using a backup service. It would cost significantly more for me to maintain OwnCloud.
I don't think I said we weren't making backups. We have two pieces in place:
1. We are a Microsoft 365 shop, so OneDrive stores versions of files and all that. Admittedly this is not a "backup" necessarily, but it does serve a portion of the purpose of backups and are far more easily accessible to users themselves.
2. We also have a backup service running on every company issued laptop that backs up to a backup service.
What I am not advocating is that a small team should setup their own cloud for the purpose of backups. That's a lot of work and maintenance. I am an IT team of 1. My time is better spent on actually getting work done, not playing around with self hosting stuff and maintaining that.
Backups are important, otherwise I wouldn't be spending thousands of dollars on it in my tiny little budget each year. But I disagree pretty strongly with the priority of _how_ to do backups.
>(1) Store everything in a cloud, not on the laptop?
shouldn't we follow the 3-2-1 backup rule?
"The 3-2-1 backup strategy simply states that you should have 3 copies of your data (your production data and 2 backup copies) on two different media (disk and tape) with one copy off-site for disaster recovery"
Disagree on “host your own”. Use a business cloud instead of a consumer one if you’re worried about reliability of backups.
I’ll use Microsoft as an example since that’s what I’m familiar with:
- Users store personal files in OneDrive (stored on their device, automatically synchronized)
- Shared files in Sharepoint or Azure File Share
- Enable Azure backup of the file share, or use a cloud service that runs Veeam for you (iLand, etc) to backup your Office 365 environment (including Sharepoint and OneDrive)
The founder is the “IT person” usually, and they don’t need to worry about running backups. That’s a recipe for “hey I need this file restored” followed by “oops our backups haven’t run for 9 months” (seen this first hand, far too often).
I've had some solid experience with alcion.ai as a backup tool. Relatively cheap for a early-stage startup and extremely reliable so far (even had to restore some onedrive files).
Don't password managers get hacked all the time lately?
This is really good advice though: "Encrypt your hard drives using FileVault (macOS) or Bitlocker (Windows) and never leave your machine without locking it."
No, there have been only a couple of managers that had significant problems with their implementations. Usually it's a closed source manager that has the undisclosed implementation issues that get exploited.
Generally speaking, a password manager is going to be one of the strongest most secure products a person uses.
Most people's threat model doesn't really include having to worry about having both of them in the same tool. If your threat model does, absolutely keep them separate. But I can say, that at least for my team, my biggest issue is really just getting people to use a password manager... I have two users, both of them executive level, that haven't opened their password manager in nearly 4 months.
I'd be far far happier if they used a password manager, even if their 2FA codes were in that same password manager, it would be a significant increase in security over whatever is currently happening.
I've been in the same mindset as you, but I've changed my mind a bit.
Personally and at work, I've started to think about two-ish security classes.
The first are the top security things, e.g. my password manager or my github account. For these, I want my password and my second factor far away from each other and I won't add this second factor to my password manager to make it hard to compromise both of them at once.
But then there are less important accounts and at work, shared accounts even. Here you get a small benefit: Unless you compromise the secret behind the TOTP (which is the one kind you'd generally store in a password manager), if you can see my password + token for some reason, you only have access for a minute or so. Like I can finally type my password into slack without the account being immediately compromised.
And I can get this small edge of security for these less important accounts for almost no effort from the PW manager.
Put differently - if you manage to break into my password manager, you'd get access to my less secure accounts either way, no matter if I store the TOTP or not. But having the TOTP active might make some attack scenarios harder, like if you MITM a login request.
I have often wondered the same thing. I think it boils down to the actual factors being “something you have” and “something you know”, where the former is the possession of the password manager file/access, and the latter is the master password of the pw manager?
I don't get No. 2 either. How are you supposed to get 2FA codes from a password manager? Does it mean use a manager that has an OTP code generating feature?
Yes. Bitwarden, for example, lets you store the 2FA information for accounts. You would still use a separate 2FA app to be able to access Bitwarden, of course. It may slightly lower the safety of using 2FA, but assuming you're using a strong password for your password manager and require 2FA to log into it from new devices, it's a minimal risk, and probably no worse than the alternative of having them on your phone. Plus, if your phone is lost, you don't have to go through the hassle of regaining access to everything.
Yes, 1Password etc can scan the QR code and generate OTP codes.
For shared accounts this is often critical, where say, IT staff need to have 2FA access to manage some line of business cloud app, but you don’t want to setup 20 named users in your IT department in 30 different apps (Adobe, CRM, etc).
Password managers geared toward IT will have good audit trail, so each employee still 2FA’s into the password manager, and it’s logged who viewed passwords/codes when, so you still have named visibility into which IT staff are making which changes.
PassPortal (by N-able) is one I’ve used that did this for IT teams.
This also rubs me the wrong way but at least on 1Password it’s cumbersome enough to add a device to your account that you still need to have something as a factor - an authed device on your account. So the attacker would need one of those and your master password to get at the otp. It’s not the highest level of security but it’s not quite eliminating things back to single factor.
You’re right that these should, ideally, be separated.
It’s a trade off of practicality, in that both in one place is still (usually) an improvement for less technically inclined users who will do well to just use the password manager.
LOL the place I work now has some passwords in the password manager that say "call the eng director for the 2fa" because the service only uses SMS 2FA.
While this seems weird, it actually somewhat qualifies as an insecure 4 eyes. Ofc the eng director can act without another party, but for anybody else this usually involves at least a short "sure, what are you trying to do?".
Google voice and other "non-traditional"/VoIP services are sometimes blocked by websites sadly.
P.S. dishonorable mention: Apple Business Manager uses SMS 2FA only, at least you can have multiple admin accounts
2) “watch out for phishing” is near useless advice. A well-written phishing email will catch the most seasoned security professional. The only fix is: see #1 above
> A well-written phishing email will catch the most seasoned security professional.
I disagree, this "most seasoned security professional" won't reply to that e-mail if "nobody will ever ask for your credentials on any channel" is part of the hygiene. No matter how well written it is, even if the CEO got his actual legit e-mail hijacked it should not work. Follow proper procedures or fuck off is the only valid answer.
I’ve never ever run a phishing campaign against a medium+ sized organization and had zero hits. It’s great that you think you could never be conned, but I’d be interested if you think that scales to your entire security team.
A well-timed, creative phishing campaign can include things like a “regarding your employment status” right after the company announces layoffs, if you’re talking malicious actor and not watered-down security awareness exercise
We are all very aware of what to watch out for and I trust that anyone with dangerous access is aware, but we're a small shop. I know that humans are the weak link, but my definition of a "seasoned security professional" is not the average Joe that would fall for it. Will some security people fall for it? Absolutely, but they don't deserve the title "seasoned". Especially not if always being cautious of phishing is part of their training/on-boarding. I'd say it makes that rule essential instead of useless.
The first couple bullets are already woefully out of date. There is simply no reason for any company, startup or not, to not use passkeys or hardware security keys as the preferred method of account authentication. OTP are too easily phished. Our "order of preference" for account auth:
1. The primary employee auth system (we use Google Workspace which is common among startups, but this is certainly not a requirement) should be protected with passkeys (preferred) or as a U2F hardware key second factor.
2. For other SaaS products that your company uses, if they offer OAuth with your primary provider (and many/most do), use that.
3. If they don't, only then use a new password stored in an approved PW manager (which should obviously not be LastPass). The order of preference for second factor should be hardware key -> TOTP -> SMS 2FA based on what that provider allows.
The list makes every item a problem for the employee when in reality it's a problem for the company itself. It's the company that needs to implement and IDP and define SSO/2FA policies. The company is the one that ought to make following the rules the default - create policies to prevent saving passwords to the browser, etc. Employees do play a role but companies need to understand that it's on them to create sane policies by default
All services use TLS and or SSL or HTTPS nowadays which means certificates need to be stored and managed. These instructions imply that a password manager should be sufficient, but that doesn't seem right. Make sure those don't get into source version control or a common whole team file store.
7. Only use our company Google Account (Gmail, GDrive) to store files, not your laptop hard drive. Only data from your Google-account is backed up regularly.
If this is the case then their first rule should be "1. Get some new IT."
The general advice for an AWS root account is to generate a random password and protect it with at least 2 hardware security keys for 2FA. Put one key in a safe (there are good gun safes with biometric access and access logs) and the other as backup in a safety deposit box.
Great advice, perfect for a start-up coming into existence clean. Then a client emails you their credit card number, and root password for the production enviro now it's in your inbox, the 3 other employees they CC'd and also in their outbox. Even if we delete it (is it backed up? how many places?) the well has been poisoned. I say this mostly in jest but boy does my email contain some secrets I don't want.
We can't say for sure. I've been guilty of thinking everything I read anymore is AI generated, but then I read my own posts and think they look AI generated too, even though I know they're not, because I wrote them.
Most of this is the bare minimum to operate on the internet. has Chris Haarburger ever run a company?
Youre incorporated so "early stage" is over; grow up. you have investors and you have a legal duty to protect them from risk. IT Security is part of risk managent including the impact and severity of threats and exploits. take some time to educate yourself about what this all means, or do one better and hire an infosec person. you should also have a disaster recovery plan and business continuity plan for things like ransomware attacks and disasters.
So, how many employees do you take before you spend the time to go through an entire risk management framework? Solopreneur? 3 cofounders? First employee? When you get your first funding? When you get your first request for a SOC 2 report? When you get your first pit in your stomach that you have no controls?
I'm not sure about #1. Password managers are a centralized place where a lot of your world lives. They have had issues and leaks in the past. I do not trust password managers or key vaults. For example:
