Mental readjustment

• It’s not about making your job harder, it’s about making your job sustainable
• It’s not about keeping secrets, it’s about sharing information responsibly
• It’s not about raising barriers, it’s about creating safe entrances
• It’s not about pessimistic reactivity, it’s about optimistic proactivity

Passwords

• Always check new potential passwords with the How Secure Is My Password tool

• Use a password manager for storing all password

  • BitWarden, Dashlane, KeePass
  • Organize into private and business

• Use a password generator for new passwords

  • BitWarden, DashLane and KeePass have built-in password generators -32 characters minimum for generated passwords

• Use a passphrase instead of just a password whenever possible

• Passphrases are relatively easy to remember and almost impossible to brute force.

• Use l33t speak just to make it that much harder

• Avoid English if you can -Examples

  • I l1v3 in PE
  • Duck duck go for president
  • Julle w0nder seker w@t my password is?

• If supported ALWAYS use two-factor authentication for services

Team Passwords

• Store shared passwords in Azure Key Vault instances
• Store all production passwords in a separate, less accessible Key Vault instance
• Ensure only the correct people have access
• If you need to send somebody a password
  • 1st choice: Share via Key Vault or a password manager
  • 2nd choice: Read it out (Don’t write it down!)
  • 3rd choice WhatsApp (Sender must delete for all subsequently)
  • 4th choice Teams(Sender MUST delete subsequently!)
• Never email or write a password down

NML

• Encrypt your hard drives with BitLocker
  • This is an enforced policy via InTune, but check that your machine complies
• Lock your computer when you leave it for anything
  • NML has an InTune policy that enforces automatic locking, but don't rely on it alone
• Don’t share your computer password
• Don’t reuse the same password with “slight” modifications when your password expires
  • NML passwords are set to not expire, but other sites and services may still enforce such a policy.
• Check your password for breaches on https://haveibeenpwned.com/
• Beware of phishing emails!
  • Check the actual email address, and not just the name. It is very, very easy to just read the name and not spot the email address as we’re so used to just looking for that. Charl Marais<ab.c@scammer-r-us.com.ru> is a clear indication something untoward is going on.
  • Think about the request and whether it’s actually a reasonable request over email. Passwords must NEVER get sent over email.
  • If you have any doubts about any email you received:
  • Verify the request via some other means with the “source”. Phone, Whatsapp, walk over and talk. Don’t just reply.
  • Get a second opinion from the people around you whether they think it seems fishy.

Azure

• VMs

  • Passwords should be at least 32 characters, generated by a tool

  • At least the Network Security Group for the VM must be configured to only allow the necessary traffic

    • Production VM must also have their Windows Firewalls configured accordingly

  • Just In Time access should be configured

  • Endpoint Protection must be enabled

  • Follow and resolve security recommendations on the VM blade

  • Encrypt VM hard drives

• Web Apps

  • IP restrict to only the required access. For dev, QA and UAT, that’s generally NML and the client.

• SQL, Key Vault, Storage Accounts

  • Configure firewalls

3rd Party VMs

• Only use generated passwords and store in a password manager
• Do not share your account details
• Wish that you rather have no access and work towards having access as short as possible

Future

• We’ll migrate out Active Directory to Azure Active Directory - DONE
• We’ll introduce some group policy aimed at alleviating some responsibility - DONE
• We’ll consolidate authentication and authorization service to provide a less intrusive experience on the various products we use - DONE
• We’ll introduce project security reviews and workshops to enhance our security posture on all projects