Security hygiene best practices for GitLab users

It's important to recognize that world events that cause global unrest and uncertainty can lead to an increase in cyberattacks. The GitLab Security department would like to remind our community of some suggested security hygiene measures that users should consider implementing to better protect themselves and reduce risk for their organizations, whether you are a GitLab.com or self-managed user.

You may have seen coverage of recent cyber attacks in the press focused on the theft of private source code repositories that demand a ransom to prevent their public disclosure. While specific details on how these attacks were successful are not publicly available, our experience and various threat intelligence activities tell us that credential spraying, phishing, malware, and even attempting to purchase insider access are the most likely tactics in use.

• Credential spraying is when an attacker uses password lists paired with known username lists to try and brute force accounts. This relies on users making the mistake of reusing passwords or having easily guessed ones.
• Phishing is something you are probably very familiar with. It is an attempt to trick someone into taking an action that benefits the attacker in some way. Typically a phishing attempt is designed to capture credentials. A good example of what a phishing attack looks like can be found in one of our Red Team operations.

Following some simple security hygiene tips can go a long way to help defend you and your organization from these types of attacks:

• Enable multi-factor authentication (MFA). Make sure your GitLab accounts require MFA to access. Enable it on everything you can. MFA makes gaining access to accounts more difficult and decreases the chances of a successful attack. You can check out the GitLab documentation on enabling MFA for how to do this on your account.
• Patch! If you are a self-managed GitLab user, make sure you are running the most recent version. You can read about each release in a corresponding blog post, including security releases, and visit our Updates page to update your instances. To get security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
• Secure your GitLab instance. If you are an administrator of your own self-managed GitLab instance, check out our secure configuration advice, and use reference architectures where possible.
• Patch some more! Make sure your operating systems, mobile devices, apps, etc. are all up-to-date and patched as well.
• Use a password manager. Use a password manager so you only need to come up with one strong password. This helps prevent password reuse and for most people is a secure enough way to handle good password practices. You can see the GitLab password policy guidelines as a reference for how we guide our own GitLab team members.
• Think before clicking. Be suspicious of any email that asks you to take action. Use your best judgment and check the basics (do you know the sender? are there typos in the message? if you hover over the link does the true destination match the url? etc.) to reasonably decide if you should click on a link or not. That advice is especially true if that link takes you to a page asking for authentication. See how we advise our own GitLab team members to identify a basic phishing attack.
• Use audit logs. If you are running GitLab self-managed it is also a good time to ensure that you understand what audit logs are available to you and how to check them. For additional information check our documentation on how our log system works and what audit events are.

       * GitLab.com SaaS customers can generate reports of various activities in their groups and projects by using the [audit events feature](https://docs.gitlab.com/ee/administration/audit_events.html). Our Support handbook provides a deeper dive into [what information we can (and cannot) provide](https://handbook.gitlab.com/handbook/support/workflows/log_requests.html#what-we-cannot-provide) if you contact Support for additional detail. If you'd like to see something else in the product, consider submitting a [feature request](https://gitlab.com/gitlab-org/gitlab/-/issues/new?issuable_template=Feature%20proposal%20-%20detailed&issue[title]=Docs%20feedback%20-%20feature%20proposal:%20Write%20your%20title).

    

If you're already doing everything above, fantastic! If we forgot something, please let us know. For reference, you can review our security best practices for GitLab team members. If you've got a security question or concern, review how to contact our Support team. If you believe you've discovered a vulnerability, see how to report it. Lastly, to stay informed you can sign-up to receive security alerts and notifications via email.

Thank you for working together with us to keep our community and GitLab safe and secure.