We’ve all sat through those humdrum “security awareness” training sessions designed to break us of bad security habits; cautioning us against revealing sensitive information to social engineers and folks fishing through our trash cans for any trace of personally identifiable information. Let’s just assume for a moment that we’re at least aware of those attack vectors, if not aggressively working to preventing these attacks altogether. As developers, you have access to a number of sensitive systems and should take every measure to protect them from ill-wishers.
In addition to the usual “shred those docs you probably don’t print anyway” tidbits, we have a few additional bad security habits we’d like to caution you against. They’re actually ripped straight from our internal security training: these are the precepts we strive to follow internally. Nuke these bad security habits and you’ll be solid.
Phishing scams have become more sophisticated as the general population becomes more cognizant of the most common tactics (…did you know that Nigeria has 4,561 well-paying princes and all of them need your help to access their nation’s stockpile of gold and precious stones??). Those aren’t the tactics we’re referencing here.
Always, always, always verify links before you click on them. That, of course, includes the sketchy 800-character links but also that seemingly urgent note from your CTO. Attackers love imitating the folks in charge of your IT systems. You probably already hover over suspicious links to check their destination; once in a while, you might notice a tricky character swap like a link to legitimatesite.com/gobbledegook that actually sends you to a malicious site: legitimates1te.com/gobbledegook. It’s an easy way to take advantage of busy professionals.
Browse to trusted links manually, especially if it’s an internal system. Email or send a Slack message to internal senders to double-check links they’ve sent out. Use Google as a back-up to find reviews and ratings for unfamiliar domains.
Displaying your name and employer in public is unsurprisingly a great way to get your identity stolen or fall victim to a social engineering attack. That’s not the only risk your badge presents, though.
A lot of workplaces use RFID badges to regulate entry. It’s far more convenient than swiping into your building with a now-archaic magnetic strip; just hold your badge up to a reader to be authenticated. Unfortunately, it’s equally convenient for an attacker to steal your credentials by way of a love tap with a RFID skimmer. Many skimmers can even capture information from several feet away.
Avoid brandishing your ID badge in public. Use a RFID blocking wallet when reasonable. Be alert for modifications or changes to the RFID reader at your home or office.
Unless you’re the world’s most genial employee, there’s a chance that you don’t know every employee, contractor, vendor, and FedEx guy that strides through your door. Social engineers know this and use it to their advantage; most people are too polite to close the door on folks who swoop in behind them.
Don’t feel bad. Slam that door.
Okay, that’s probably too far. But you should ask them who they are and who they’re meeting. Ensure they meet with the person they’ve asked for, and watch out for office meanderers who may be gathering IP from whiteboards or attempting access to internal devices.
Life would be a lot easier if you could just keep reusing your cat’s name as your primary password but alas, you’ve got 300 accounts just for your work email and one of them was probably breached anyway. Even Mark Zuckerberg struggles with password security. It’s a lot easier to maintain crappy passwords than to adopt basic password security.
Use a password manager like LastPass or Dashlane to help you generate and store your passwords. Change your passwords often, especially your master password. Enable multifactor authentication on everything that allows it (including your password manager). Use a VPN client to create an encrypted tunnel for all of your transactions.
So your company sends you to Vegas. Wonderful! Be careful who you tell. While conferences are typically in the “okay to share” realm, you may attend more sensitive meetings with investors, partners, potential acquisitions, and so forth.
Use your head. Don’t broadcast your location unless you’re asking for folks to meet you somewhere (an event or free drinks would fall into this category). Ask all your travel buddies (co-workers and non-coworkers alike) to do the same. Excited about a deal in the works with Walmart? Maybe ask your SO not to post that photo of glorious Bentonville, AR on Instagram. You get the gist.