Security

As part of working at Human Made you are going to come into contact with a lot of important, confidential information, from the password to a client’s FTP account to the SSH key that grants you root access to production servers. It’s very important that you take steps to keep such information secure.

This applies to all employees, contractors, consultants, temporaries, and other workers at Human Made and covers the use of all your devices.

Any employee found to have violated our security rules may be subject to disciplinary action, up to and including termination of employment. Take this seriously.

We have a 🔒 security checklist which you should run through with another human. This could be your trial buddy, or you can ping John who’ll be happy to help you out with security.

Your laptop and phone

  • Set your computer to require a password to wake up from sleep, so that if you close the lid and step away for a few minutes someone can’t steal it and get access to all the secrets.
  • Automatically lock your computer after a short period of idle time (10 mins maximum).
  • Require at least a 6-digit PIN to unlock your phone.
  • Run a virus scanner on any files you are sent (Gmail does this for you automatically).
  • Have full disk encryption (FileVault for macOS) enabled on your computer. You should also encrypt your backups.
  • Enable device tracking on your laptop and phone.
    • iOS: Settings > iCloud > Find My iPhone. Check on icloud.com to verify.
    • macOS: Settings > iCloud > Find My Mac. Check on icloud.com to verify.
    • Android: Settings > Google > Security > Remotely locate this device. Check on Android Device Manager to verify.
  • Encrypt your work phone:
    • iOS: Set a passcode. Under Settings > Touch ID & Passcode, “Data protection is enabled” should be shown at the bottom of the screen.
    • Android: Settings > Security > Encrypt phone. This should show “Encrypted” if enabled.
  • Use a strong password with your SSH (proxy) key. Do not use passwordless keys.
    • You can test whether your SSH key has a password by running ssh-keygen -y on the command line (pass the key file with -f, or enter it when prompted). If you are not prompted for a password, you need to add one, which you can do with ssh-keygen -p. Your public key will remain the same, so remote servers/proxy access does not need to be updated.
    • You should also use strong algorithms. Run ssh-keygen -l -v to check the algorithm and key length. You should see something like this:
      2048 SHA256:y+L97hDrJg64jQ9HfcrEWUuNJHCdYxuyXB8sc9CFvFK me+mbp2013@ryanmccue.info (RSA)
      +---[RSA 2048]----+
      |    Eo..         |
      |  . =.= .        |
      |   =.= = .       |
      |   o= B o        |
      |   .oo =S        |
      | . .  o. .       |
      |o .. + o=        |
      | oo+*.oX .       |
      | oOO==* +        |
      +----[SHA256]-----+
    • You should have RSA 2048 at a minimum; higher numbers are better, and 4096 should be used for any new keys generated. (Ed25519 keys are also OK.)
    • Never share your private key with anyone, and never copy it to a remote server. If you need to authenticate from another server using your key, use SSH agent forwarding instead of copying the key there.
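The two checks above (does the key have a password, and is the algorithm and key length acceptable) can be automated. The following POSIX shell script is an added example, not part of the Human Made handbook or its tooling. It assumes your keys live in ~/.ssh and are named id_* (you can pass another directory), and that ssh-keygen is on your PATH. The passphrase test uses ssh-keygen -y with an empty passphrase (-P ''): that only succeeds when the private key is stored unencrypted, so a failure there is the good outcome.

```shell
#!/bin/sh
# Added example, not part of the Human Made handbook: audit local SSH private
# keys against the policy above. Two checks per key:
#   1. the key is protected by a passphrase (no passwordless keys);
#   2. the algorithm is Ed25519, or RSA with at least 2048 bits
#      (4096 recommended for new keys).
# Assumptions: keys live in $HOME/.ssh and are named id_* (override by passing
# a directory); ssh-keygen is on PATH.

# key_policy_ok LINE
# LINE is one line of `ssh-keygen -l` output, for example
#   2048 SHA256:... comment (RSA)
# Prints a verdict and returns 0 if the key meets the policy, 1 if it does not.
key_policy_ok() {
    bits=$(printf '%s\n' "$1" | awk '{print $1}')
    ktype=$(printf '%s\n' "$1" | awk '{gsub(/[()]/, "", $NF); print $NF}')
    case "$bits" in
        ''|*[!0-9]*) echo "FAIL: cannot parse key length from: $1"; return 1;;
    esac
    case "$ktype" in
        ED25519)
            echo "ok: ED25519";;
        RSA)
            if [ "$bits" -ge 4096 ]; then
                echo "ok: RSA $bits"
            elif [ "$bits" -ge 2048 ]; then
                echo "ok (minimum): RSA $bits, use 4096 for new keys"
            else
                echo "FAIL: RSA $bits is below the 2048-bit minimum"
                return 1
            fi;;
        *)
            echo "FAIL: $ktype is not an approved key type (use Ed25519 or RSA 4096)"
            return 1;;
    esac
}

# has_passphrase KEYFILE
# ssh-keygen -y derives the public key from the private key. With -P '' it
# tries an empty passphrase instead of prompting, so it only succeeds when the
# private key is stored unencrypted. Returns 0 if a passphrase is set.
has_passphrase() {
    ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# audit_ssh_dir [DIR]
# Runs both checks over every private key in DIR (default ~/.ssh).
# Returns 0 only if every key passes.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    rc=0
    for key in "$dir"/id_*; do
        case "$key" in *.pub) continue;; esac
        [ -f "$key" ] || continue          # no keys matched the glob
        echo "== $key"
        if has_passphrase "$key"; then
            echo "ok: passphrase set"
        else
            echo "FAIL: no passphrase, add one with: ssh-keygen -p -f $key"
            rc=1
        fi
        # Prefer the .pub file for -l; it is readable without the passphrase.
        pub=$key.pub
        [ -f "$pub" ] || pub=$key
        key_policy_ok "$(ssh-keygen -l -f "$pub")" || rc=1
    done
    return $rc
}

# Run as a program with:  sh audit-ssh-keys.sh audit [DIR]
case "${1:-}" in
    audit) audit_ssh_dir "${2:-}";;
esac
```

Run it as sh audit-ssh-keys.sh audit (or source the file and call audit_ssh_dir) and fix anything marked FAIL: add a passphrase with ssh-keygen -p, and replace weak keys with a freshly generated 4096-bit RSA or Ed25519 key, remembering to update your public key on the proxy afterwards.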

Security online

  • Enable 2-factor authentication for:
    • Dropbox
    • GitHub
    • Google (Gmail)
    • Slack
    • Amazon AWS account
    • Charlie HR (if you get locked out, teamadmin unfortunately can’t unlock it for you; you need to email CharlieHR at help@charliehr.com and ask them to switch off 2FA)
    • Xero
    • WordPress.com
    • Backblaze
    • Any other services you use that support two-factor authentication
  • Use Google Authenticator (or a third-party app like Authy) for two-factor authentication. 1Password also has built-in 2FA support that you can use.
  • Use a password manager like 1Password. You can expense your password manager. Human Made has its own 1Password account. Never write your passwords down outside of your password manager.
  • Use the Human Made 1Password account to log into shared accounts and services.
    • Avoid sharing accounts where possible. Use team accounts with individual members added instead.
  • Use strong, long passwords (16+ characters) made up of random letters, numbers and symbols. 1Password can generate these.
  • Use a separate password for each service.
  • If you are using GitHub on the command line, create a unique access token.
  • Treat any P2 uploads (e.g. images, videos) as potentially externally accessible; use Google Drive or Dropbox to share truly private files internally.
  • When using Wi-Fi, you must follow the wireless security guide. Essentially, route all traffic through our proxy to avoid sniffing.

When an employee leaves Human Made, access rights to all systems will be removed. This includes the return and wiping of company devices (phones and laptops).