Security Recommendations: Networks and Communication / Collaboration
The third part of our Security Recommendations series is divided into two sections. The first covers how to behave when accessing your account remotely, while the second focuses on collaborating securely when working with sensitive data.
Network – Remote Connection
Why should we address cyber security concerns in a network environment?
We access various services and devices over the network every day. To avoid leaking sensitive information (e.g., through eavesdropping), we need to secure our connections and set appropriate access rights.
What to do:
1. Use secure remote sessions.
- Use SSH instead of Telnet.
- Use encrypted transfer protocols such as SCP/SFTP/FTPS instead of FTP/TFTP.
2. Use a secure remote login.
- Prefer logging in with private keys over passwords. Store your keys safely and don’t share them with anyone (unless you have a good reason, such as a remote shared account).
- Consider using an IP access list (allowlist or denylist) to increase security.
3. Connect through a trusted network.
- When using a PC or a laptop, prefer a wired Ethernet connection over a wireless network.
- When using public Wi-Fi, enable a reputable VPN service.
4. Set appropriate access rights to your files on the company’s shared file storage.
- Familiarize yourself with the company’s infrastructure, its primary purpose, and what type of information should be stored at each location/service.
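The "secure remote login" item above boils down to two sshd settings: key-based login instead of passwords, and an IP access list. The following audit script is an added example (not part of the original article); the sample sshd_config texts are constructed, and it also shows a common pitfall, namely that sshd honours the first occurrence of a keyword, so a hardening line appended at the end of the file has no effect.

```shell
#!/bin/sh
# Added audit helper, not from the original article. Checks an sshd_config
# text for key-only login and an IP access list. Sample configs are constructed.

# Constructed sample: password login still enabled. The trailing
# "PasswordAuthentication no" is ignored, because sshd uses the FIRST value
# it sees for each keyword, a classic mistake when hardening after the fact.
WEAK_CFG='# /etc/ssh/sshd_config (constructed sample)
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no'

# Constructed sample: keys only, logins limited to an office subnet.
HARDENED_CFG='PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice@10.0.0.0/24 bob@10.0.0.0/24'

# sshd_option CONFIG KEYWORD: print the effective value of KEYWORD following
# sshd rules: case-insensitive keywords, first occurrence wins, and global
# options end at the first "Match" block.
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }'
}

# has_ip_restriction CONFIG: succeed if logins are limited by source address,
# either via user@host patterns in AllowUsers or via a "Match Address" block.
has_ip_restriction() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*AllowUsers[^#]*@|^[[:space:]]*Match[^#]*Address'
}

# audit_sshd CONFIG: print one finding per line (prints nothing if it passes).
audit_sshd() {
    cfg=$1
    [ "$(sshd_option "$cfg" PasswordAuthentication)" = "no" ] ||
        echo "PasswordAuthentication is not 'no': password logins still allowed"
    [ "$(sshd_option "$cfg" PubkeyAuthentication)" != "no" ] ||
        echo "PubkeyAuthentication is 'no': key-based login is disabled"
    has_ip_restriction "$cfg" ||
        echo "no IP access list: add a Match Address block or user@host in AllowUsers"
}

# Real usage: audit_sshd "$(cat /etc/ssh/sshd_config)"
echo "--- weak sample ---";     audit_sshd "$WEAK_CFG"
echo "--- hardened sample ---"; audit_sshd "$HARDENED_CFG"
```

The weak sample yields two findings (password login still effective, no IP list); the hardened sample yields none.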
Communication / Collaboration
Even though the corporate environment protects us from many threats, different colleagues have varying access rights to classified information. Some of it can also be accessed by people outside your company (e.g., project partners). Many well-known companies have experienced severe breaches – some examples are mentioned in the list below.
Do we need to be careful in our company environment?
Each one of us works with some kind of confidential information that we need to protect. A malicious attacker, or an employee who unknowingly exposes classified information, can leak it in several ways.
What to do:
1. Be careful when sharing your unpublished research.
- Even being a good Samaritan has its limits. You may end up sending a lot of classified information (starting from the 20th minute in the linked podcast).
2. Carefully read proposals received via email and think twice before clicking on a link (to protect yourself from phishing).
- This applies to proposals for funding, publication, and other types of research collaboration.
- Look up the institution and the person who contacted you, and verify that the link points to the expected domain (e.g., hover over the link to see its real target).
3. Share documents in collaborative environments.
- Always send a link to the company’s cloud infrastructure (e.g., Google Drive or SharePoint).
- Avoid sending attachments (files) via email, chat, or other communication services.
- This way, only authorized personnel can access the data, and the set of authorized people can easily be changed at any time.
- Once you send a file as an attachment, you usually lose control over who can access it. For instance, in a chat room with multiple people where access rights are not properly set, this can happen as soon as someone adds a new member. You can also accidentally enter the wrong address when sending an email (e.g., due to autocomplete).
4. Protect shared documents.
- If you share project-related results with a project partner, clarify their account policy or maintain a list of shared documents. This way, when one of their employees leaves the company, we avoid data exfiltration from our systems.
- If you share the documents to their personal accounts (if allowed), remember to revoke access rights at the end of the project (at the latest).
5. Do not leak information about your company that is not published or authorized for publishing.
- This includes anything not published on the web or social media, e.g., secret know-how from internal meetings or internal documents.
- Always remember that there is probably some kind of NDA in place, so it is better to avoid mentioning exact details.
- When in doubt, ask your team supervisor if the information can be shared.
- There are numerous ways in which leaking such information could get the company and project partners into serious trouble. Some examples include severe reputation and financial damage or breach of contract with partners, e.g., because of leaked information from internal meetings or internal documents.