
Security

Security is of paramount importance at Parallel given the sensitive nature of the information we deal with. This section contains some of our high-level guidelines for helping ensure the safety and security of our confidential information. This list is certainly not complete and only represents a small subset of our overall security guidelines found in our Security Policy.

Table of contents

  1. Software
    1. Passwords :closed_lock_with_key:
    2. Multi-Factor Authentication :iphone:
    3. Secure Browsing :computer:
    4. Form autofill :memo:
    5. Email :email:
  2. Hardware :desktop_computer:
  3. Humans :bust_in_silhouette:
  4. Network :satellite:

Software

Passwords :closed_lock_with_key:

Use a password manager! Wirecutter recommends LastPass or 1Password, and Wired has their own list. It doesn’t matter which you use, just make sure you’re using one for all of your passwords. Also:

  1. Make sure you use a separate password for every service (for instance, your Gmail password should be different than your Slack password).
  2. You should use the password autogeneration capabilities of your password manager to generate secure passwords.
  3. Don’t share passwords (with co-workers, friends, strangers, or any other people, living or dead :ghost:). Every person should have their own account on every service.

Multi-Factor Authentication :iphone:

You should use multi-factor authentication (aka two-factor authentication, aka 2FA) for every service that provides it. Note that 2FA is mandatory for most Parallel services.

  1. Always prefer a time-based one-time password option (a number that changes every 30 seconds) over text message. SMS 2FA is vulnerable to an attack known as a SIM Swap.
  2. Use an app like Google Authenticator or Authy to provide your time-based one-time passwords.
  3. Some services allow you to download “backup codes” that you can use instead of a time-based code in case you lose your phone (or access to your time-based password generator). Make sure you store these somewhere safe!

Secure Browsing :computer:

While browser extensions are easy to install and test out, make sure you only install extensions from sources you trust. Here are a few extensions we do recommend:

  • HTTPS Everywhere - ensure that you only visit sites that support encrypted HTTP
  • Privacy Badger - A tool from the EFF, Privacy Badger automatically learns to block invisible trackers.
  • uBlock Origin - blocks ads and the data they collect

Form autofill :memo:

Form autofill is known to be dangerous since it can share more information than you intended without your consent. We recommend turning form autofill off in your browser:

Email :email:

Here are some general guidelines for email:

  1. If you get an email that looks suspicious, forward the email to our IT support at security@parallelmarkets.com.
  2. An email can be suspicious, even if it’s from someone you know, if there’s an unexpected link :link: or attachment :file_folder:.
  3. Don’t be afraid to reach out to anyone directly to ask if they sent something you weren’t expecting (for instance, reach out on Slack).
  4. When in doubt, reach out to security@parallelmarkets.com.

Hardware :desktop_computer:

All Company hardware should have the Company’s device profile installed to enable remote lock/wipe in case your laptop is stolen. Your device should also:

  1. Have full hard drive encryption enabled (for OSX, use FileVault).
  2. Make sure you have your screensaver set to lock your computer after a short period of inactivity (and require a password).
  3. Never leave your phone or laptop unattended in a public place (for instance, at a coffee shop). Even if you leave your computer alone with a stranger for only a minute, quick physical access is all that’s required to hack your computer.
  4. Ensure all of the important files on your devices are backed up in one of our tools. All computers eventually die; act as though yours could expire any day.

Humans :bust_in_silhouette:

Be familiar with the general approaches used in social engineering, and know that you could be targeted based on your access to highly sensitive personal information. You should understand the vectors used, like Vishing :phone:, Phishing :fishing_pole_and_fish:, and Smishing :iphone:.

Network :satellite:

In general, we operate with a stance of Zero Trust. We assume that our internal networks could be compromised and seek to secure resources rather than networks. Given the nature of our remote workforce and our utilization of cloud services, we cannot assume that resources are located within an enterprise-owned network boundary.