Security Awareness

2022
Who Do We Host

● Banks
● Health care organizations
● Governments
● Anything in between
Impact of Unauthorized Access

● Damage to customer reputation


● Damage to our reputation
● Loss of customers
● Fines
Where Do I Report Potential Issues?

● Supervisor
● Manager
● Security Team (secteam@liquidweb.com)
Bare Minimum CHD Safety

● Digital
○ Follow workstation policy, outlined here
■ https://waypoint.liquidweb.com/display/LWW/Workstation+Security+Guidelines
○ Don’t store sensitive information on your
workstation
■ Do not copy it from servers
■ Do not store passwords in plain text
● Physical
○ Don’t leave it out in the open
○ Properly dispose of when you are done
Physical Security
Man Traps

● Require two badge swipes to pass through
○ No swipes to exit
● Only one door open at a time
● Be aware of who enters with you
○ Look for tag alongs or ex-employees
Visitors and Guests

● Employees may have visitors
● Customers may visit
○ Colocation
○ Tours
● Contractors may be working on site
Checking In a Visitor

● Log in at front desk with IDM or badge reader
● Add or find the visitor
○ If adding, take their picture with the webcam
● If entering the DC, check “DC Access”
● Create barcode badge
● Logout
Checking in a Contractor

● Go to the badge kiosk near the maintenance office
● Scan your badge on the locked box and pull out as many yellow badges as you need
● Enter each contractor’s information into the kiosk
including a picture of the contractor
● Assign the badges to the contractors on the kiosk and
distribute badges
Visitor vs Yellow Badge

Visitor badge:
● No door access
● Given by anyone
● Always escorted

Yellow badge:
● Limited door access
● Approved by supervisors, managers, executives or maintenance
Pink Badges

● For contractors working more than 1 day.
● Only active during contracted hours
○ Will not work outside of scheduled hours.
● Office where contractor will be working
● Expiration date
○ Badge invalid on specified date
Escort Badge

● Used to give employees access to the DC
● Internal use only
● Issued by supervisor or manager
Who should have a Badge

Anyone that is in the building should have a visible badge.
Make sure you are doing your due diligence and checking for badges while you are in the building.
What is Allowed in the Building?

No weapons
● Guns
● Knives over 3.5”
● Explosives
● Taser/Stun Guns
● Chemicals intended to cause harm
Escorting Visitors

Do:
● Be heroic
● Answer questions
● Be attentive
● Be available
● Be honest

Don’t:
● Leave them unattended
● Hover or loom
● Misrepresent Liquid Web
● Allow them to install new external hardware without setups approval
● Hand them tools
Restricted Areas

● Anywhere you need a badge to access
○ Datacenter
● Extra restricted areas:
○ Setups cage
○ Storage closets
○ Workbenches
○ Electrical cages
Who Can Be Where?

● Don’t wander
○ Keep employee visitors to public spaces
■ Break rooms
■ Lounge
■ Conference rooms
○ Keep customers in relevant areas
■ Tours
■ Colo server
■ Conference rooms
Customer Hardware

● Setups must approve new external hardware
○ There must be available power and rack space
● Should not break our terms of service
○ No port scanning
○ No interfering with other customers
○ No wifi
● No liquid cooling
Unidentified Personnel

● Escort them from the building
○ Do not leave them alone
○ If possible, strength in numbers
○ DC3 front desk x2330
● Inform a supervisor
Digital Security
Strong Passwords

● 12+ characters
● Upper and lower case characters
● Digits and punctuation characters
● Not a word in any language, slang or jargon
● Not based on personal information
● Not written down
Password Policy

● Do not use the same password for both work and personal
● Do not reuse previous 2 passwords
● User-level passwords must be changed
every 90 days
● https://waypoint.liquidweb.com/display/HR/Password+Policy
Password Policy

● Do not reveal your passwords:
○ On the phone
○ In an email
○ To your boss
○ In a form
○ With family members
○ To co-workers
○ Or make hints
○ Or talk about it
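The password rules on the preceding slides can be enforced mechanically. The following is an added example, not code from the slides or from Liquid Web: a small Python checker that applies the length, character-class, dictionary-word, personal-information and previous-2-passwords rules and reports when the 90-day rotation is due. The sample wordlist, the personal_info parameter and the SHA-256 fingerprint used for the history comparison are assumptions made for the example.

```python
"""Password policy checker modelled on the slide rules (added example)."""
import hashlib
import string
from datetime import date

MIN_LENGTH = 12       # "12+ characters"
MAX_AGE_DAYS = 90     # "changed every 90 days"
HISTORY_DEPTH = 2     # "do not reuse previous 2 passwords"

# Constructed sample wordlist standing in for a real dictionary of words,
# slang and jargon; a deployment would load a full list instead.
SAMPLE_WORDLIST = {"password", "welcome", "liquidweb", "summer", "qwerty"}


def pw_hash(password: str) -> str:
    """Fingerprint used only to compare a candidate against stored history.
    Demonstration only: a real history store should use a slow, salted
    password hash rather than plain SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_strength(password: str, personal_info=()) -> list:
    """Return the list of 'Strong Passwords' rules the candidate breaks.
    An empty list means every rule is satisfied. personal_info is an
    assumed tuple of strings (name, username, ...) the password must not
    be based on."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case character")
    if not any(c.islower() for c in password):
        problems.append("no lower-case character")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")
    lowered = password.lower()
    if any(word in lowered for word in SAMPLE_WORDLIST):
        problems.append("contains a dictionary word")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append("based on personal information")
            break
    return problems


def check_reuse(password: str, previous_hashes: list) -> bool:
    """True if the candidate matches one of the last HISTORY_DEPTH passwords.
    previous_hashes is ordered oldest to newest."""
    return pw_hash(password) in previous_hashes[-HISTORY_DEPTH:]


def check_policy(password: str, previous_hashes: list, personal_info=()) -> list:
    """Strength rules plus the reuse rule, as one list of violations."""
    problems = check_strength(password, personal_info)
    if check_reuse(password, previous_hashes):
        problems.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
    return problems


def rotation_due(last_changed: str, today: str = None) -> bool:
    """True once a user-level password is MAX_AGE_DAYS old or older.
    Both dates are ISO strings (YYYY-MM-DD); today defaults to the real date."""
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today) if today else date.today()
    return (now - changed).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed history: oldest first
    history = [pw_hash("Older!Pass1234"), pw_hash("OldPassw0rd!xyz")]
    for candidate in ("password123", "OldPassw0rd!xyz", "Tr0ub4dor&3xyzAB"):
        print(candidate, "->", check_policy(candidate, history) or "OK")
    print("rotation due:", rotation_due("2022-01-01", "2022-04-01"))
```

Only the last two history entries are consulted, matching the slide; a third, older password is allowed again under this policy, which is why the history list is kept oldest-first.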
Password Storage

● Never store passwords in clear text. Always use encrypted password storage methods.
● Do not store passwords directly in your browser. Instead
use an encrypted storage method such as LastPass to
store your credentials.
○ LastPass is the company approved standard for
sharing passwords.
Receiving Files

● Do not open files from unknown sources
○ Third-party site
○ Potential customers
○ Magically apparating USB drives
● Delete spam, chain or other junk mail
Dangerous Extensions

● .exe
● .bat
● .sh
● .jar
● .py
● .pl
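The extension list above is usable as a simple attachment screen. The following is an added example, not code from the slides or from Liquid Web: a Python helper that flags an attachment when its final extension is on the list, regardless of letter case, directory prefix, a disguising double extension such as invoice.pdf.exe, or trailing dots and spaces that some systems ignore. The sample file names are constructed for the example.

```python
"""Attachment extension screen based on the 'Dangerous Extensions' slide (added example)."""
import posixpath

# The extensions listed on the slide; extend as required.
DANGEROUS_EXTENSIONS = {".exe", ".bat", ".sh", ".jar", ".py", ".pl"}


def normalize_name(filename: str) -> str:
    """Drop any directory part (either slash style) and the trailing dots
    and spaces that some systems silently ignore, so 'report.exe. ' is
    judged as 'report.exe'."""
    base = posixpath.basename(filename.replace("\\", "/"))
    return base.rstrip(". ").strip()


def risky_extension(filename: str):
    """Return the matching dangerous extension (lower-cased) or None.
    Only the final extension decides, so 'invoice.pdf.exe' is caught
    and 'archive.tar.gz' is not."""
    name = normalize_name(filename)
    if "." not in name:
        return None
    ext = "." + name.rsplit(".", 1)[1].lower()
    return ext if ext in DANGEROUS_EXTENSIONS else None


def screen_attachments(filenames):
    """Return {filename: extension} for every attachment that should be blocked."""
    flagged = {}
    for fn in filenames:
        ext = risky_extension(fn)
        if ext:
            flagged[fn] = ext
    return flagged


if __name__ == "__main__":
    # Constructed sample attachment names
    sample = ["quote.pdf", "invoice.pdf.EXE", "setup.Bat", "deploy.sh.",
              "notes.txt", "lib/run.PY", "archive.tar.gz"]
    for fn, ext in screen_attachments(sample).items():
        print(f"blocked {fn!r}: dangerous extension {ext}")
```

An extension check like this is a first filter only; it says nothing about files whose extension is harmless but whose contents are not, which is why the slide also tells you not to open files from unknown sources at all.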
Client Data Storage

● Never store client data locally on your laptop or workstation.
○ Note this extends to any storage medium that might attach to your laptop or workstation.
■ Flash Drive
■ SD Card
■ External Hard Drive
○ This also applies to network storage.
■ Dropbox / box.com
■ Google Drive
Client Data Storage

● Having client data or clear text passwords on workstation/work devices increases the chances of data loss or compromise, should you misplace/lose your device.
● Having client data on your laptop or external media is a huge
security risk.
○ Example: Having a copy of a site’s database dump on your
work laptop
○ Example: Maintaining client site code on your work laptop
Anti-Virus

● Always run antivirus software
● Always scan media from an unknown source for viruses before using it
● Never download files from unknown or
suspicious sources
● Avoid direct disk sharing with read/write
access
Social Media

● No photos or videos in the datacenter
● Limited photos or videos in the office
○ Is there sensitive information in the picture?
● Marketing or Executives can approve
exceptions
Personal Devices

● Cannot connect to the wired network
● Can use wireless network as long as you follow the connection guidelines in the wiki
● Nexcess offices have a private wifi network
for work devices and a guest wifi network
for personal devices
Remote Access

● Do not provide access to anyone else
● Device must meet security requirements for an employee workstation
○ Available in handbook and wiki
● May only be simultaneously connected to a
private, fully controlled network
Secure Habits
Cardholder Data Security Requirements

Cannot store:
● Credit Card numbers
● Data from magnetic stripe
● CAV2/CVC2/CVV2/CID
● PINs
Cardholder Data Security Requirements

● Only billing team can directly handle credit card data
● Everyone else:
○ Direct the customer to my.liquidweb.com
○ Pass the interaction to billing
Social Engineering

Social engineering is the process of gaining access to information through conversation, asking questions, giving vague answers and tricking the customer representative to provide them with the information they want.
Social Engineering - In Person

● Follow normal colo procedures and authenticate them as normal
Social Engineering - Phone/Ticket/Chat

● Let them know they can get their username and reset their password through their account login screen.
● For business accounts they can send us
documents proving they are the business
owner, or are an officer of that company
Social Engineering - Shoulder Surfing

● Do not hang out with visitors at your desk
● Do not leave sensitive data out on your desk
Social Engineering - Dumpster Diving

● Use shredders or secure shredding bins for sensitive data in physical form
For More Policy Information

waypoint.liquidweb.com
waypoint.liquidweb.com/display/HR/Employee+Handbook
