NML

Security Practices

Mental readjustment

  • It’s not about making your job harder, it’s about making your job sustainable
  • It’s not about keeping secrets, it’s about sharing information responsibly
  • It’s not about raising barriers, it’s about creating safe entrances
  • It’s not about pessimistic reactivity, it’s about optimistic proactivity

Passwords

  • Always check new potential passwords with https://howsecureismypassword.net/
  • Use a password manager for storing all passwords
    • LastPass, Dashlane, KeePass
    • Organize into private and business
  • Use password generator for new passwords
    • LastPass, Dashlane and KeePass have built-in password generators
    • 32 characters minimum for generated passwords
  • Use a passphrase instead of just a password whenever possible
    • Passphrases are relatively easy to remember and almost impossible to brute force.
    • Use l33t speak just to make it that much harder
    • Avoid English if you can
    • Examples
      • I l1v3 in PE
      • Duck duck go for president
      • Julle w0nder seker w@t my password is?
  • If supported, ALWAYS use two-factor authentication for services

Team Passwords

  • Store shared passwords in Azure Key Vault instances
  • Store all production passwords in a separate, less accessible Key Vault instance
  • Ensure only the correct people have access
  • If you need to send somebody a password
    • 1st choice: Key Vault
    • 2nd choice: Read it out (Don’t write it down!)
    • 3rd choice: WhatsApp (sender must then “Delete for everyone”)
    • 4th choice: Slack (sender MUST delete the message afterwards!)
  • Never email or write a password down

NML

  • Encrypt your hard drives with BitLocker
  • Join the NML domain
  • Lock your computer
  • Don’t share your computer password
  • Don’t reuse the same password with “slight” modifications when your password expires
  • Check your password for breaches on https://HaveIBeenPwnd.com/Passwords
  • Beware of phishing emails!
    • Check the actual email address, not just the display name. It is very, very easy to read only the name and miss the address, because that is what we are used to looking for. Charl Marais<ab.c@scammer-r-us.com.ru> is a clear indication that something untoward is going on.
    • Think about the request and whether it’s actually a reasonable request over email. Passwords must NEVER get sent over email.
    • If you have any doubts about any email you received:
      • Verify the request with the “source” via some other means: phone, WhatsApp, or walk over and talk. Don’t just reply.
      • Get a second opinion from the people around you on whether it seems fishy.
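The breach check on HaveIBeenPwned can also be done from a script without sending the password anywhere: the Pwned Passwords range API is queried with only the first five characters of the password’s SHA-1 hash, and the returned candidate suffixes are matched locally. Added example, not part of the original NML notes; the sample response body and its counts are constructed, and the User-Agent string is an assumed placeholder.

```python
import hashlib
import urllib.request

# Constructed sample of the body the range API returns for prefix "5BAA6":
# one "SUFFIX:COUNT" line per leaked hash sharing that prefix. Counts are made up.
SAMPLE_RANGE_BODY = """0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Turn the "SUFFIX:COUNT" lines into a dict; tolerates blank or malformed lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, body):
    """Number of times the password appears in breaches, given the API body for its prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_body(body).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup (needs network). Only the 5-character hash prefix leaves the machine."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "nml-password-check-example"},  # placeholder UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password):
    """End-to-end check: hash locally, fetch the prefix bucket, match the suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))
```

A non-zero result means the password has appeared in a known breach and must be rotated; a zero result is not proof of strength, so it complements rather than replaces the generated-password rules above.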

Azure

  • VMs
    • Passwords should be at least 32 characters, generated by a tool
    • At least the Network Security Group for the VM must be configured to only allow necessary traffic
      • Production VMs must also have their Windows Firewall configured accordingly
    • Just In Time access should be configured
    • Endpoint Protection must be enabled
    • Follow and resolve security recommendations on the VM blade
    • Encrypt VM hard drives
  • Web Apps
    • IP restrict to only the required access. For dev, QA and UAT, that’s generally NML and the client.
  • SQL, Key Vault, Storage Accounts
    • Configure firewalls

3rd Party VMs

  • Only use generated passwords and store in password manager
  • Do not share your account details
  • Prefer having no access at all, and work towards keeping any access you do need as short-lived as possible

Future

  • We’ll migrate our Active Directory to Azure Active Directory
  • We’ll introduce some group policy aimed at alleviating some responsibility
  • We’ll consolidate authentication and authorization services to provide a less intrusive experience on the various products we use
  • We’ll introduce project security reviews and workshops to enhance our security posture on all projects