This page contains details on security-related processes and procedures for both employees and contractors.
- Accounts and Passwords
- Secure Browsing
- Security Awareness
- Contacting Security
Do not sign up for a new service on behalf of Parallel without first receiving permission from firstname.lastname@example.org
This includes signing into web pages and web apps using your @parallelmarkets.com Google sign-in.
Use a password manager! A password manager lets you memorize one strong password, and then it generates and manages strong, unique passwords for every site for which you have a login. Employees can install LastPass via the Self Service App that is installed on your company device.
- Make sure you use a separate password for every service (for instance, your Gmail password should be different than your Slack password).
- Use the password autogeneration capabilities of your password manager to generate secure passwords. Passwords should:
  - have a minimum length of 12 characters
  - never be reused, whether across services or on the same service
  - not be the same as the username
  - not be predictable (for instance, follow a pattern across services)
- Don’t share passwords (with co-workers, friends, strangers, or any other people, living or dead). Every person should have their own account on every service.
- Don’t write any passwords down.
- Password “hints” are not to be used. If a password is forgotten, a mechanism must be in place to replace a password/passphrase with sufficient controls to verify the identity of the requester of the password reset.
- If an account or password is suspected to have been compromised, contact the Security Team immediately.
You must use multi-factor authentication (aka 2-factor authentication, aka 2FA) for every service that supports it, including all third-party tools and company applications. This second-factor requirement helps prevent unauthorized users from accessing accounts if one piece of evidence (such as a password) is compromised. Note that 2FA is mandatory for most Parallel services.
The following 2FA methods are acceptable:
- Use of an app like Google Authenticator or Authy to provide time-based one-time passwords (a number that changes every 30 seconds).
- Some services support external authentication devices like Yubikeys; these are acceptable forms of 2FA as well (though not all services support them).
- Some services allow you to download “backup codes” that you can use instead of a time-based code in case you lose your phone (or access to your time-based password generator). Make sure you store these somewhere safe!
Note: SMS (text message) and phone-call-based 2FA are both vulnerable to an attack known as a SIM swap. These methods should not be used for 2FA unless no other 2FA option is available for a specific service.
While browser extensions are easy to install and test out, make sure you only install extensions from sources you trust. Here are a few extensions we do recommend:
- HTTPS Everywhere - ensures that you only visit sites over HTTPS (encrypted HTTP)
- Privacy Badger - A tool from the EFF, Privacy Badger automatically learns to block invisible trackers.
- uBlock Origin - blocks ads and the data they collect
Turn off browser autofill for addresses and payment methods:
- Apple Safari - go to settings (Safari, then Preferences in the menu), choose AutoFill, and uncheck all checkboxes.
- Google Chrome - go to address autofill settings and payment methods settings
- Mozilla Firefox - go to privacy preferences and scroll down to Forms and Autofill
- MS Edge - go to address autofill settings and payment method settings
Here are some general guidelines for email:
- If you get an email that looks suspicious, forward the email to email@example.com.
- An email can be suspicious, even if it’s from someone you know, if there’s an unexpected link or attachment.
- Don’t be afraid to reach out to anyone directly to ask if they sent something you weren’t expecting (for instance, reach out on Slack).
- Follow the guidelines for identifying phishing emails provided in this guide.
- The Security Team will, from time to time, simulate phishing attacks to our company email addresses to ensure everyone is aware of the threat.
- If you receive a suspicious email, forward it to firstname.lastname@example.org for analysis before clicking any links or downloading any attachments.
- When in doubt, reach out to email@example.com or
- Never sign in to any Parallel Markets related account using public computers, such as library or hotel kiosks.
- If you receive a security report of any kind (issue, customer ticket, etc.) never dismiss it as invalid. Please contact the Security Team.
- Be familiar with the general approaches used in social engineering, and know that you could be targeted based on your access to highly sensitive personal information. You should understand the vectors used:
  - Vishing - Someone may call you asking for information. Never share sensitive data over the phone.
  - Phishing - You may get an email that looks valid at first glance but contains an attachment with malware or a link to a site that will install malware.
  - Smishing - Be aware of suspicious texts, and don’t click links that look suspicious or weren’t expected.
Feel free to reach out to the Security Team at any point with questions, concerns, or suspicious emails for analysis at firstname.lastname@example.org. You can also ask for help in the #security room in Slack at any time.