Security Practices
Information security encompasses a variety of different working groups. These security best practices support the functions of business operations, infrastructure, and product development, to name a few. Everybody is responsible for maintaining a level of security to support compliance, while raising the bar of our security posture.
Zero Trust
As part of raising that bar, Bramble is implementing Zero Trust, or the practice of shifting access control from the perimeter of the org to the individuals, the assets and the endpoints. You can learn more about this strategy from the Google BeyondCorp whitepaper: A New Approach to Enterprise Security.
In our case, Zero Trust means that all devices trying to access an endpoint or asset within our Bramble environment will need to authenticate and be authorized. Because Zero Trust relies on dynamic, risk-based decisions, this also means that users must be authorized and validated: what department are they in, what role do they have, how sensitive is the data and the host that they are trying to access? We’re at the beginning stages in our Zero Trust roadmap, but as we move along in the journey, we’ll document our lessons learned.
Why We Don’t Have a Corporate VPN
In many enterprise environments, virtual private networks (VPN) are used to allow access to less secured resources, typically also protected by an enterprise firewall. Adding corporate VPN connectivity only marginally improves the security of using those systems and assumes a network perimeter is in place. At Bramble, as an all remote company, we do most of our work using other Software-as-a-Service (SaaS) providers that we rely on to maintain confidentiality of communication and data.
In relation to Zero Trust, a corporate VPN is a perimeter, which ZTN architecture deemphasizes as a basis for making authorization decisions. Current access to critical systems is managed through alternative controls.
While a corporate VPN is not implemented at this time, there are other valid use cases for which individual team members may still wish to use a personal VPN, such as privacy or preventing traffic aggregation. Team members that wish to use a personal VPN service for any reason may still expense one.
For the use case of laptop usage in untrusted environments, such as coffee shops and coworking spaces, team members should prioritize a baseline of always-on host protections, such as up-to-date security patching, host firewalls, and antivirus, by following the system configuration guidelines at a minimum. That said, a personal VPN may provide additional protections in these situations. For more on personal VPNs see the Personal VPN page.
Contact Bramble Security
The Bramble Security Teams are available 24/7/365 and are ready to assist with questions, concerns, or issues you may have.
There are some common scenarios faced by Bramble team members:
To contact for any other reason, see Engaging the Security On-Call
External Engagement
The Security Teams can be contacted at security@brmbl.io
. External researchers or other interested parties should
refer to our Responsible Disclosure Policy for more information about reporting vulnerabilities. The security@brmbl.io
email address also forwards to a Help Desk queue that is monitored by the security team.
For Security Team members, the private PGP key is available in via our Security Keybase chat.
CEO & Executive Fraud
The CEO will not send you an email to wire cash, the CFO won’t send you a text message to ask for gift cards, or anything else that feels like CEO fraud or CEO scam. These types of spear phishing events will be more common as we grow. Feel free to verify any unusual requests with a video call.
What should you do if you receive a potential phishing email or text from Bramble’s CEO?
- If you are unsure whether the text or email is legitimate, confirm the request via Video Call or contact Security to review.
- If the email is determined to be fake, follow the instructions for phishing attacks below.
- If the text is determined to be fake: block the number, notify Security, and delete the text.
Non-Emergency Contact
If you have a question or concern and need to speak with the Security Team, you can contact Security.
Security Process and Procedures for Team Members
Accounts and Passwords
- Read and follow the requirements for handling passwords and other credentials in the Bramble Password Policy Guidelines below for all accounts used to conduct Bramble related work. Using KeePassXC to [generate and store] the passwords is strongly recommended.
- Enable two-factor authentication (2FA) with an authenticator, such as
Google authenticator or [KeePassXC TOTP] for on every account that supports
it. This is required for
Google,
Slack,
GitLab.com.
Users without 2FA enabled that are stale for over 30 days will be blocked/suspended until resolved. This improves the security posture for both the user and Bramble.
If any systems provide an option to use SMS text as a second factor, this is highly discouraged. Phone company security can be easily subverted by attackers allowing them to take over a phone account. (Ref: 6 Ways Attackers Are Still Bypassing SMS 2-Factor Authentication / 2 minute Youtube social engineering attack with a phone call and crying baby) - A Universal 2nd Factor or U2F hardware token can be used as a secure and convenient 2-factor authentication method for Okta, Google Workspace, Bramble instances, and many other sites. If you do not have one, you may consider purchasing one. Popular choices include Yubico’s YubiKey and Solokeys' Solo Security Key. For more information on U2F and choices, visit the Tools and Tips page.
- When signing up for a new service on behalf of Bramble:
- Request a Security Review by opening an issue in the Compliance project.
- If shared access is required by multiple team members to a single account, for example, a social media account, an Access Request should be opened. The credentials will be stored and shared securely.
- If you find an existing shared account in KeePassXC, create an issue to get it migrated to our shared secrets.
Laptop or Desktop System Configuration
Read and follow the requirements for approved operating systems
The following instructions are for Apple (MacBook Pro or Air) users. Linux users please go to the Linux Tools section of the handbook.
- Set up full disk encryption with [FileVault] (for details, refer to Apple Support). Bramble is currently utilizing SentinelOne for endpoint management and can assist with this step.
- Set up a screen saver with password lock on your laptop with a timeout of 5 minutes or less. Bramble is currently utilizing SentinelOne for endpoint management and can assist with this step.
- Never leave your unlocked computer unattended. Activate the screensaver, lock the desktop, or close the lid.
- For backups on macOS follow this tutorial: How to use Time Machine
- If you backup your computer make sure the backup drive is encrypted and use a strong password.
- Purchase (if necessary) and install security related software.
- Little Snitch is an excellent personal firewall solution for macOS. Recommended to monitor application network communications.
- An anti-virus/antimalware program such as Malwarebytes, ClamAV, ESET, or Norton.
- Refer to Why We Don’t Have A Corporate VPN for more information about personal VPN usage at Bramble
- Do not allow your web browser (e.g. Chrome, Safari, Firefox) to store passwords when prompted. This presents an unnecessary risk and is redundant.
- Do not install software with many known security vulnerabilities. Follow the Third Party Risk Management Procedure for review of services individually deployed on endpoint devices. After a decision regarding deployment of an endpoint management solution is made the process will be redesigned accordingly and services, where applicable, will be retroactively reviewed. Please ensure you continue to follow the requirements defined in the acceptable use policy.
- Enable automatic software updates for security patches. On macOS, this is found under “System Preferences” -> “Software Update”, “Automatically keep my Mac up to date”. Bramble is currently utilizing SentinelOne for endpoint management and can assist with this step.
- Enable your system’s built in firewall. In macOS, this can be found in
System Settings
->Security & Privacy
under theFirewall
tab. It is recommended to select “Block all incoming connections”; however, if choosing not to block all incoming traffic, apply the following configuration (see screenshot):- Deselect “Automatically allow downloaded signed software to receive incoming messages”
- Select “Enable stealth mode”
- Bramble is currently utilizing SentinelOne and DriveStrike for endpoint management and can assist with this step.
WiFi configuration
Refer to this guide for setting up a dedicated WiFi so that your work notebook is isolated from other personal devices in your home network.
Mobile Applications
Many services that team members use such as Slack and Zoom have mobile applications that can be loaded onto iOS or Android devices, allowing for use of those resources from a mobile phone. Refer to the acceptable use policy for more information on using a mobile device.
Most major applications (Slack, Zoom, Gmail) are ok to use, but there may be some mobile applications which are not. If you have a question about the security of a mobile app and want to know if you should be using it to access Bramble data, contact the Security Team via Slack in the #team-security channel.
Google Endpoint Management
As part of the Zero Trust implementation, we use Google endpoint management to make Bramble’s data more secure across our teams' mobile devices, desktops, laptops, and other endpoints.
GEM allows you to access your Google Account and services we use from your mobile devices, laptops, and desktops - from anywhere.
In some cases, for non-company provided devices (BYOD), you will need to install an agent.
Laptop
On your machine, [install Endpoint Verification](https://cloud.google.com/endpoint-verification/docs/self-installing and https://support.google.com/a/users/answer/9018161?hl=en)
Android
Set up a Work profile for employee-owned devices (BYOD)
Windows
Install GDM
NOTE: As described in the Acceptable Use Policy, Microsoft Windows operating systems are not allowed. If you have a legitimate business need to use a Windows operating system, please see the Exception Process.
Other Services/Devices
- Do not configure email forwarding of company emails (@brmbl.io) to a non-company email address. Follow the Unacceptable Email and Communications Activities policy.
- There are security implications involved in the use of “smart home devices” such as Amazon Echo or Google Home. In rare instances these devices can record conversations you might not have intended them to record. Many smart home devices will provide a visual and/or auditory indicator to let you know they’re activated; for many such devices, when they’re activated, they’re recording you and save a transcript of what you say while it’s active. If a smart home device is activated while you’re verbalizing sensitive information, wait for it to turn off or manually turn it off. If you think a smart device may have been activated while verbalizing sensitive information, most smart home devices allow you to delete transcripts and recordings. Please use your best judgement about the placement of these devices and whether or not to deactivate the microphone during sensitive discussions related to Bramble. If you ever have any questions or concerns, you can always contact the Security team.
- Do not use tools designed to circumvent network firewalls for the purpose of exposing your laptop to the public Internet. An example of this would be using ngrok to generate a public URL for accessing a local development environment. This can result in the complete compromise of your laptop, including any business and personal accounts you have used it to access. Our Acceptable Use Policy prohibits circumventing the security of any computer owned by Bramble, and using ngrok in this manner is an example of circumventing our documented firewall requirements.
Security Awareness
- Follow the guidelines for identifying phishing emails provided in the training and How to identify a basic phishing attack.
- During the onboarding process you may receive account registration emails for your baseline entitlements. Before clicking these links feel free to confirm with #it-ops that they initialized the process. Clicking itself is a problem even when you don’t enter a password, because a visit can already be used to execute a 0-day attack. Security Team will, from time to time, simulate phishing attacks to our company email addresses to ensure everyone is aware of the threat.
- If you get strange emails personally or other things related to security feel free to ask the security team for help, they might be aiming for the company.
- If you receive a security report of any kind (issue, customer ticket, etc.) never dismiss it as invalid. Please bring it to the attention of the Security Team, and follow the steps outlined on that team’s handbook page
- Report suspect situations to an officer of the company or use the engage the Security Oncall.
- If you have security suggestion, create an issue on the
security issue tracker
and ping the security team. New security best practices and processes should be
added to the
#whats-happening-at-bramble
slack channel - Do not sign in to any Bramble related account using public computers, such as library or hotel kiosks.
Bramble Password Policy Guidelines
Moved to our Password Policy
Security Awareness Training
The Bramble Security Training is Bramble’s security awareness presentation for new hires and annual training requirements beginning. The purpose of the annual training is to mature our internal posture through regular training while satisfying external regulatory requirements. The New Hire training is part of the onboarding process, and needs to be completed by every new hire. We are trying to make it fun, engaging and not time-consuming.
The future in-house training is being actively developed by Bramble Security’s Security Incident Response Team. The goal of the training is to:
- Make all Bramble team-members aware of the Bramble Security team, and familiarize them with our efforts, team structure, and people.
- Make all Bramble team-members aware of the importance of their role in securing Bramble on a daily basis, and to empower them to make the right decisions with security best-practices.
- Familiarize all new Bramble team-members with security-related situations that they might encounter during their tenure with the company.
- Help all Bramble team-members internalize and reinforce the idea that paging the Security On-Call is an encouraged practice.
Training Delivery
New Hire Security Training
The New Hire Security Training is delivered through our Drata account
Additionally please refer to these resources:
- Security Practices - a list of security process and procedures that you can consult at any time.
Bramble Security Awareness Training
Ongoing Security Training is delivered through Drata.
- Topics covered:
Training Feedback
You are strongly encouraged to engage the team behind the training and provide feedback, or ask any questions related to the content of the training. You can do that by sending an email to security+training@brmbl.io.
Phishing Tests
Bramble conducts routine phishing tests at a minimum of once per year. All team members may occasionally receive emails that are designed to look like legitimate business-related communications but will in actuality be simulated phishing attacks. Real phishing attacks are designed to steal credentials or trick the recipient into downloading or executing dangerous attachments. No actual attempts will be made by Bramble to steal credentials or execute malicious code.
The goal of these campaigns is not to catch people clicking on dangerous links or punish those who do, but rather to get people thinking about security and the techniques used by attackers via email to trick you into running malicious software or disclosing web passwords. If you fall victim to one of these simulated attacks feel free to take the training courses again or to ask the security team for more information on what could’ve been done to recognize the attack. What you shouldn’t do is feel any shame for having clicked on the link or entered any data, nor should you feel like you need to cop to the security team and let them know you made a mistake. Making a mistake online is practically the reason the Internet was invented.
How to identify a basic phishing attack
When you receive an email with a link, hover your mouse over the link or view the source of the email to determine the link’s true destination.
If you hover your mouse cursor over a link in Google Chrome it will show you the link destination in the status bar at the bottom left corner of your browser window.
In Safari the status bar must be enabled to view the true link destination (View -> Show Status Bar).
Some examples or methods used to trick users into entering sensitive data into phishing forms include:
-
Using HTTP(S) with a hostname that begins with the name of a trusted site but ends with a malicious site.
-
Using a username or password inside the request that corresponds to the name of a trusted domain and assuming the viewer won’t view the whole URL.
-
Using a data URI scheme instead of HTTP(S) is a particularly devious means of tricking users. Data schemes allow the embedding of an entire web page inside the URI itself. Data schemes will not show the typical green lock in the address bar of a browser that is customarily associated with a verified SSL connection.
When viewing the source of an HTML email it is important to remember that the
text inside the “HREF” field is the actual link destination/target and the text
before the </A>
tag is the text that will be displayed to the user.
<a href="http://evilsite.example.org">Google Login!</a>
In this case, “Google Login!” will be displayed to the user but the actual target of the link is “evilsite.example.org”.
After clicking on a link always look for the green lock icon and “secure” label that signify a validated SSL service. This icon alone is not enough to verify the authenticity of a website, however the lack of the green icon does mean you should never enter sensitive data into that website.
What to do if you suspect an email is a phishing attack
Whether you believe that you have received an email from our testing platform
or you suspect that the email is targeted specifically at you or Bramble, please forward
the phishing email to phishing@brmbl.io
as an attachment for it to be investigated. Once you have done so, please proceed to step 2 and report the email as phishing from inside GMail.
To forward the email as an attachment from inside GMail:
- Right click the email
- Select “Forward as attachment”
- Send it to
phishing@brmbl.io
GMail also offers the option to report the email directly to Google as a phishing attempt, which will result in its deletion. Reporting the email in this manner will help the security team track phishing metrics and trends over time within Google Workspace.
To report the email as phishing
from inside GMail:
- Select the “More” button (three dots) on the email in question
- Choose “Report phishing” option from the drop down menu
If you receive an email that appears to come from a service that you utilize, but other details of the email are suspicious – a private message from a sender you don’t recognize, for example – do not click on any links in the email. Instead use your own bookmark for the site or manually type the address of the website into your browser.
Unsolicited email should be treated as phishing emails. For example, if you did not register for a site claiming to send you email, do not click on links in the email or visit the site.
Panic Email
Bramble provides a panic@brmbl.io
email address for team members to use in
situations that require an immediate security response. This email address is
only accessible to Bramble team members and can be reached from their brmbl.io
or personal email address. Should a team member lose
a device such as a thumb drive, YubiKey, mobile phone, tablet, laptop, etc. that
contains their credentials or other Bramble-sensitive data they should send an
email to panic@brmbl.io
right away. When the security team receives an email
sent to this address it will be handled immediately. Using this address provides
an excellent way to limit the damage caused by a loss of one of these devices.
Additionally if a Bramble team member experiences a personal emergency the People Group also provices an emergency contact email.