Securing the Bears - TunnelBear’s Basic Operational Security
Every company has behaviours that help define their identity and culture. It should be no surprise then, that TunnelBear makes security and privacy a large part of who we are. Whether we’re educating employees about how to create and manage strong passwords or to be aware of the dangers of online phishing, we try to make sure everyone is aware of their security obligations.
By encouraging good security habits in the office, we help minimize the ways our systems can be compromised. Here are a few of the things we ask every employee to think about to help protect the Bears.
Setting up secure devices
Setup and maintenance
When anyone gets a new work device at TunnelBear, we ask them to set up hard drive encryption. A misplaced or stolen device is a major security risk; with disk encryption enabled, a lost laptop cannot turn into a device with complete access to our network.
To encrypt devices we use FileVault for macOS, BitLocker for Windows, Data Protection on iOS and the encryption option bundled in Android's security settings. Once encryption is enabled, we also ask our team to keep their devices, apps and operating systems up to date with security patches and bug fixes as they become available.
Password usage
Strong, unique passwords are an important step in keeping devices and accounts safe. While opinions about creating strong passwords vary, most security professionals agree that passwords of 15-20 characters are a good place to start. Minimum length requirements can make passwords harder to remember, though, so everyone at TunnelBear uses a password manager. We hear RememBear is a pretty solid option.
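As an added illustration of the two points above (length and uniqueness), the following Python example is not TunnelBear's code or RememBear's; it generates passwords from a CSPRNG, puts numbers on the 15-20 character recommendation, and checks a candidate password against a constructed vault for reuse. The vault, account names and word list are constructed for the example.

```python
import math
import secrets
import string

# Character set for generated passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 15  # lower end of the 15-20 character range discussed above

# Constructed word list for the passphrase variant; a real list such as the
# EFF large wordlist has 7776 entries, which is what makes passphrases strong.
TOY_WORDS = ["bear", "tunnel", "honey", "river", "maple", "grizzly", "cub", "forest"]


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password drawn with the `secrets` module (OS CSPRNG).
    `random.choice` would not do: Mersenne Twister output is predictable."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist: list = TOY_WORDS) -> str:
    """Passphrase of `words` random words; easier to remember, strong only with a big list."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random secret: length * log2(alphabet size).
    20 characters over 94 symbols is about 131 bits; 6 words from 7776 is about 77."""
    return length * math.log2(alphabet_size)


def check_policy(password: str, vault: dict, account: str) -> list:
    """Return the policy problems with `password` for `account`, given the other
    entries in a vault (account name -> password). An empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    reused_on = [name for name, pw in vault.items() if name != account and pw == password]
    if reused_on:
        # One breached site must not unlock the others: every account gets its own secret.
        problems.append("reused on " + ", ".join(sorted(reused_on)))
    return problems


if __name__ == "__main__":
    vault = {"chat": generate_password(), "wiki": generate_password(18)}
    candidate = generate_password()
    print(candidate, f"~{entropy_bits(len(candidate), len(ALPHABET)):.0f} bits")
    print(generate_passphrase(), f"~{entropy_bits(6, len(TOY_WORDS)):.0f} bits with this toy list")
    print("problems:", check_policy(candidate, vault, "mail"))
```

The entropy figures are why a manager matters: a 20-character random string is far stronger than anything a person will memorise for dozens of accounts, and the reuse check is the part a human cannot do reliably by hand.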
Multi-factor authentication (2FA)
When we choose a tool to use at TunnelBear, like chat or productivity apps, we prioritize 2FA support. With 2FA, even if passwords for key services are compromised, an attacker would still need access to an employee's device before they could reach our systems.
Vulnerabilities in text-message-based 2FA have been well documented, which is why we prioritize hardware- or token-based 2FA, using apps like Google Authenticator.
Securing our online traffic
Encrypted browsing with VPN
We all use TunnelBear to encrypt our traffic. Whether we’re working in the office or remotely, we benefit by using TunnelBear to browse privately. Additionally, by using TunnelBear on a daily basis, we’re able to test new builds as they’re available and quickly provide feedback to our engineers.
Securing the browser
While TunnelBear does a good job of blocking ISPs from seeing traffic, our BlockBear Chrome extension helps stop other tracking methods used for advertising and data gathering. For the Bears who prefer Firefox, we recommend using Privacy Badger.
Another tool we regularly use is HTTPS Everywhere. This plugin helps maintain encrypted connections to every site you visit and makes it much harder for man-in-the-middle attacks to succeed.
Finally, Password Alert is a Chrome extension for G Suite that helps defend against phishing attacks. By storing a temporary "salted reduced-bit thumbnail" of passwords, Chrome can tell if you're typing your real password and check that the field you're typing it into belongs to a Google service and not an attacker.
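The "salted reduced-bit thumbnail" idea above is easy to misread as storing a password hash, so here is an added Python sketch of the mechanism. It is not the Password Alert extension's code: the 37-bit thumbnail length, the salt, the allowed-host set and the sample URLs are all assumptions constructed for the example.

```python
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlsplit

THUMBNAIL_BITS = 37          # assumption: keep only a short prefix of the digest
MIN_PASSWORD_LENGTH = 8      # shortest suffix of the typed buffer worth comparing
EXPECTED_LOGIN_HOSTS = {"accounts.google.com"}   # constructed: where the password belongs


def make_thumbnail(password: str, salt: bytes, bits: int = THUMBNAIL_BITS) -> int:
    """Salted SHA-256 of the password, truncated to the top `bits` bits.
    The truncation is the point: a 37-bit value is shared by enormously many
    strings, so it cannot be reversed into the password, yet a match on a
    single typed string is still a strong enough signal for an alert."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def check_typed(buffer: str, page_url: str, thumbnail: int, salt: bytes) -> Optional[str]:
    """Simulate the per-keystroke check. `buffer` is what the user has typed on
    this page so far; if any suffix matches the thumbnail and the page is not
    an expected login host, return an alert message, otherwise None."""
    host = urlsplit(page_url).hostname or ""
    if host in EXPECTED_LOGIN_HOSTS:
        return None
    for start in range(0, len(buffer) - MIN_PASSWORD_LENGTH + 1):
        if make_thumbnail(buffer[start:], salt) == thumbnail:
            # Defender's action: the password is now exposed, so reset it and report.
            return f"corporate password typed on {host}: possible phishing, reset it now"
    return None


if __name__ == "__main__":
    salt = secrets.token_bytes(16)                      # fresh per install
    thumb = make_thumbnail("correct horse battery staple", salt)   # constructed password
    print(check_typed("correct horse battery staple", "https://accounts.google.com/signin", thumb, salt))
    print(check_typed("correct horse battery staple", "https://accounts-google.example/login", thumb, salt))
```

Two design notes: the salt is per install, so thumbnails cannot be compared across machines or precomputed, and the suffix loop is what lets the check fire the moment the last character of the password is typed, before the form is submitted.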
Preventing social engineering
Training exercises
To make sure we stay aware of risks, we’ve also created a series of security exercises designed to teach our staff about different online attack methods. Our TunnelPhish experiment showed our staff how easy it is to be attacked from seemingly trustworthy sources. Phishing our Bears was an eye-opening experience that showed just how easy it is to be caught off guard and accidentally give sensitive information to the wrong people.
Demonstrating insecure Wi-Fi
To help staff understand exactly what TunnelBear does to protect them, we set up an open Wi-Fi network in our office designed to show our team what an attacker could see when you connect to public Wi-Fi without encrypting your traffic.
When they turned TunnelBear off, people were surprised to see the websites they were visiting appear on the screen along with their IP address and device name. By showing our team how easily their browsing activity can be captured in real time, we help people understand why they should be careful using public Wi-Fi without VPN encryption.
Good office security practices help protect our customers
Securing TunnelBear isn't just a job for developers; every staff member needs to care about security and actively participate. Through a combination of training, regularly scheduled penetration tests and knowledge of how to secure our devices, we've worked hard to build a team where everyone cares about security at TunnelBear.
Have questions or suggestions for how we could improve our security practices? Let us know at privacy@tunnelbear.com
Grizzly regards,