I’ve spent eleven years managing Linux infrastructure, and if there’s one thing I’ve learned, it’s that hackers aren’t usually looking for a zero-day exploit to crack your kernel. They’re looking for a person. They’re looking for the path of least resistance to your SSH keys, your CI/CD pipelines, and your GitHub repos.
Most phishing guides tell you to "be careful." That is garbage advice. "Be careful" doesn't scale. What scales is a system that assumes your team will be targeted and makes it impossible for an attacker to verify themselves as a legitimate peer or requestor. If you aren't doing out-of-band verification, you’re just waiting for a breach.
The Reconnaissance Workflow: How They Find You
Before an attacker sends an email, they do homework. You should do it first. Start by checking what Google reveals about your own team. Search https://linuxsecurity.com/news/security-trends/search-exposure-linux-security for your company’s email patterns, employee names, and public-facing infrastructure. If I can find your junior sysadmin's personal email on a compromised site, so can an attacker.
Attackers rely heavily on data brokers and scraped databases. If your team members have their credentials leaked in historical breaches, those are the keys to the kingdom. They build an identity-driven attack surface by scraping LinkedIn, GitHub commit logs, and public mailing lists.
Source What they scrape Resulting Risk GitHub Email addresses, commit patterns, API keys Impersonation of senior devs Data Brokers Phone numbers, historical passwords SIM swapping and credential stuffing Social Media Team structure, reporting lines High-fidelity spear-phishingIf you don't know what information is out there, you can't defend against it. Treat your team’s public footprint as a hostile environment. Use resources like LinuxSecurity.com to keep up to date on how threat actors are pivoting from public data to internal system access.
Establishing Out-of-Band Verification
Never trust an email request, even if it looks like it comes from the CTO. If someone asks for a credential reset, a server configuration change, or access to a production Git repo, you need a process that happens outside of the communication channel where the request originated.
Out-of-band verification is the gold standard. If you get a request via email or Slack, pick up a physical phone or use a pre-approved, non-corporate chat channel to verify the identity. If you can’t verify the person, deny the request. It’s that simple.
The "Ticket-Based" Requirement
If it isn't in a ticket, it didn't happen. By forcing all requests into a ticket-based system, you create a paper trail that is much harder for an attacker to fake. An attacker might be able to spoof an email, but they usually can't gain access to your internal Jira or ticketing dashboard without jumping through your MFA hurdles.
Set a policy: Any request involving access changes must be linked to a ticket number. If an engineer gets a request for root access that isn't attached to a ticket, they flag it to the security lead immediately. This builds a culture where friction is a feature, not a bug.
Locking Down Change Control
Change control is where most Linux teams fail. We want to move fast, so we bypass approvals. But when a request comes in to modify an SSH config or pull a secret, that change needs eyes on it.
When implementing change control for security, focus on these three layers:
Peer Review: No commit to production infrastructure goes live without a second set of eyes. This prevents rogue code insertion. Immutable Audits: Ensure your logs are shipped off-host immediately. If an attacker gains root, the first thing they do is wipe the history. Verification Checkpoints: Even if a change is in a ticket, perform a final out-of-band check if it involves high-privilege credentials.The Cost of Inaction
You might be wondering what this costs. The truth is, building a culture of verification is about operational discipline, not expensive software. No prices found in scraped content—because the best security tools here are your processes and your team's common sense, refined by strict rules.
Don't spend your budget on a fancy phishing simulation platform if you haven't fixed your fundamental identity-driven attack surface. Your team needs to know that "following the process" is the only way to stay employed. If an engineer gets fired for "being difficult" during a verification check, you’ve failed as a leader.
Summary: The "Tiny Leak" Checklist
I keep a running list of "tiny leaks." These are the small things that, when stacked, lead to a massive incident. Review this list with your team quarterly:
- Public Repos: Check your GitHub organization for accidentally committed `.env` files or hardcoded credentials. Employee Recon: Use Google dorks to see what your company looks like to a stranger. If you see internal emails in public PDFs, delete them. Authentication: If you are still using shared SSH keys, stop. Move to short-lived certificates or hardware-backed tokens. Process Enforcement: Is your out-of-band verification a suggestion or a requirement? Make it a hard requirement.
Security is not a product you buy; it’s a standard you enforce. When a request for access feels weird, it’s usually because it is. Empower your team to say "no" and to demand verification. Your infrastructure depends on it.