
Minimum Viable Security for Startups


Startups need a small set of structured security hygiene practices that are actually followed. In addition, a few Microsoft Azure services can be deployed for continuous compliance and security monitoring.

Akash Mahajan

March 08, 2020


Transcript

  1. Akash Mahajan - Author | Speaker | Trainer | Community
     • Started & Nurtured
     • Author
     • Speaker & Trainer
     • Technical Reviewer
     • Ex Co-Founder
  2. A simplified depiction of the start-up’s journey
     Stages: Great Idea, Documented Idea in laptop, Idea shared with co-founder, Potential team formed, Domain & Email, $$$ Exit $$$
     Assets picked up along the way:
     • Website • Source Code • Processes • Shared files • Presentations • Strategy Documents • SuperSecret Sauce • List of potential clients • Clients • Financial Details
  3. A start-up’s journey in becoming secure
     Stages: Great Idea, Documented Idea in laptop, Idea shared with co-founder, Potential team formed, Domain & Email, $$$ Exit $$$
     Assets to secure along the way:
     • Website • Source Code • Processes • Shared files • Presentations • Strategy Documents • SuperSecret Sauce • List of potential clients • Clients • Financial Details
  4. Laptop Security – Becoming and Staying Secure
     Securing a laptop that you use for work:
     • Use licensed software
     • Keep up with security patches
     • Install anti-virus / anti-malware
     • Don’t use unknown USB flash drives
     • Don’t download and install unknown software from the internet
  5. Laptop Security – Resilience against security threats
     Take continuous, encrypted, incremental backups of the software and data:
     • Best defense against ransomware attacks
     • Allows for business continuity in case of hardware failure
     • Reduces Mean Time To Recovery in case of laptop theft
  6. Domain & Email – Becoming and Staying Secure
     Securing domain and email:
     • Use reputed domain registrars
     • Use reputed email/office suite providers
     • Ensure 2FA for admin accounts
     • Set reminders for renewing accounts and domains
  7. Domain and Email – Resilience against security threats
     Ensure that you retain control of the billing, ownership and management of the domain and email accounts:
     • Best defense against hijacking attempts (insider or external)
     • Allows for business continuity in case of active phishing attempts
  8. Sensitive Data – Becoming and Staying Secure
     Securing sensitive data, files etc.:
     • Use secure file sharing solutions
     • Use reputed email/office suite providers
     • Ensure 2FA for admin accounts
     • Create role-based access depending on the need for access
  9. Sensitive Data – Resilience against security threats
     Provide access to sensitive data as and when required, and revoke it when it is no longer required:
     • Best defense against data breaches/leakages
     • Understand how to revoke access before providing any, as employees/contractors can and will leave you
  10. Finance/Banking – Becoming and Staying Secure
     Access your finance services/banking with paranoia:
     • Use a secure laptop on a secure network (don’t use open Wi-Fi)
     • Avoid using mobile apps
     • Enable and use 2FA
     • Create a process of alerts on all transactions
  11. Finance/Banking – Resilience against security threats
     Use a secure laptop, over a secure network, to access the bank website, and enable 2FA for sensitive transactions:
     • Know how to block bank transactions by calling the bank
     • Understand that fraud to steal your money can happen to you as well
  12. Four pillars of abstract thoughts on Security
     1. Create an inventory
     2. Always do secure communications
        1. Invest in account governance
     3. Create and document processes for access and usage of information assets in the company
        1. All processes need to have a source of truth
        2. As processes evolve, put them under version control
     4. Think in terms of service security
  13. Create Inventory
     • Of users for email
     • Of users for file sharing
     • Of the various websites and apps being used by the start-up
     • Of users who are also admins
  14. Doing Secure Communications
     • Add team members to the domain/corporate email before exchanging sensitive information
     • Ensure email is set to use TLS/SSL
     • If using messaging applications, use the ones that have end-to-end encryption
     • Bonus points if it has the ability to delete messages
  15. Document processes around onboarding and exits
     • Clearly defined steps to follow to add a user to corporate email and other accounts (from the apps inventory)
     • Clearly defined steps to follow to remove a user from corporate email and other accounts (from the apps inventory)
  16. Thinking in terms of Service Security
     Who needs access? Can you avoid giving access to everyone?
  17. Thinking in terms of Service Security
     Can you enforce a password policy?
     [Figure: Top 10 weakest passwords for 2019 so far]
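As an added example (not from the deck) of what enforcing a password policy looks like in code: a length check, a denylist check against the kind of weakest-password list slide 17 shows, and the k-anonymity range lookup used by the Pwned Passwords API, where only the first five hex characters of the password's SHA-1 ever leave your network. The denylist, the account e-mail address and the API response are constructed so the block runs offline, and `MIN_LENGTH` is an assumed value.

```python
"""Password-policy checks a start-up can enforce at signup or password change.

Added example, not from the original deck. The range-API response is
constructed so the block runs offline; swap offline_range_lookup for an
HTTPS GET of https://api.pwnedpasswords.com/range/<prefix> in production.
"""
import hashlib
import secrets
import string

MIN_LENGTH = 12  # assumption; NIST SP 800-63B requires at least 8

# Constructed stand-in for a full breached/common password list
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111",
                    "abc123", "letmein", "welcome", "iloveyou", "admin"}

# Constructed sample of a range response: one 'SUFFIX:COUNT' line per hash
# that shares the 5-character prefix. '5BAA6' is the prefix of SHA-1("password").
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "1E2A1B7D0EF1B1E2D3C4B5A6978889A0B1C:2\n",
}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5 chars sent and the 35 kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_range_lookup(prefix):
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password, range_lookup):
    """How many times the password appears in breach data (0 if never)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password, email, range_lookup=offline_range_lookup):
    """Return the list of policy violations; an empty list means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    local_part = email.split("@")[0].lower()
    if len(local_part) >= 4 and local_part in password.lower():
        problems.append("contains the account name")
    seen = pwned_count(password, range_lookup)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return problems


def generate_password(length=20):
    """Random password from the OS CSPRNG, for admin accounts and resets."""
    alphabet = string.ascii_letters + string.digits + "-_.,!?"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(check_password("password", "alice@example.com"))
    print(check_password(generate_password(), "alice@example.com"))
```

The same check belongs on admin accounts of every SaaS tool in the inventory, not only on your own product's signup form.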
  18. Thinking in terms of Service Security
     Can you enforce a 2FA policy?
     Passwords fail to protect against the following attacks:
     • Credential Stuffing
     • Phishing
     • Keystroke Logging
     • Local Discovery (Password Sharing)
     • Password Spraying
     • Extortion
     • Brute-force
     There are over 4 billion stolen passwords in circulation
  19. Self evaluation checklist
     • Protect your personal email account (the one used initially to register for everything else) with 2FA
     • Make sure email is set up with proper SPF, DKIM and DMARC records
     • Don’t lose control of your mobile number
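The SPF, DKIM and DMARC check from slide 19 can be automated. The following is an added example, not code from the deck or its author: it parses the three record types and flags the weak configurations that matter most (a missing record, `+all`, `p=none`, no `rua=` reporting address, a revoked DKIM key). The domain names, the `google` selector and the TXT records are constructed; a real run would fetch them from DNS and pass them in the same `{name: [txt, ...]}` shape.

```python
"""Static checks of a domain's SPF, DKIM and DMARC TXT records.

Added example, not from the original deck. DNS answers are constructed.
"""

# Constructed DNS answers: record name -> list of TXT strings
CONSTRUCTED_DNS = {
    "example.com": ["v=spf1 include:_spf.google.com ip4:203.0.113.10 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Return (result, name, argument) tuples for the terms after 'v=spf1'."""
    parsed = []
    for term in txt.split()[1:]:
        if "=" in term:  # modifier such as redirect=_spf.example.net or exp=...
            name, _, arg = term.partition("=")
            parsed.append(("modifier", name.lower(), arg))
            continue
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((SPF_QUALIFIERS[qualifier], name.lower().split("/")[0], arg))
    return parsed


def check_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: anyone can send mail claiming to be this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    terms = parse_spf(spf[0])
    all_results = [result for result, name, _ in terms if name == "all"]
    has_redirect = any(name == "redirect" for _, name, _ in terms)
    if not all_results and not has_redirect:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_results and all_results[-1] == "pass":
        findings.append("'+all' passes every sender: SPF gives no protection")
    return findings


def parse_tags(txt):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(records):
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: receivers will not enforce SPF/DKIM alignment"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "")
    if policy not in {"none", "quarantine", "reject"}:
        findings.append(f"invalid or missing policy p={policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings


def check_dkim(records):
    if not records:
        return ["no DKIM record at this selector: outgoing mail is not signed"]
    tags = parse_tags(records[0])
    if "p" not in tags:
        return ["no p= tag: record carries no public key"]
    if tags["p"] == "":  # RFC 6376: an empty key means the key is revoked
        return ["empty p= tag: this key has been revoked"]
    return []


def assess(domain, dns, dkim_selector):
    return {
        "spf": check_spf(dns.get(domain, [])),
        "dmarc": check_dmarc(dns.get(f"_dmarc.{domain}", [])),
        "dkim": check_dkim(dns.get(f"{dkim_selector}._domainkey.{domain}", [])),
    }
```

`assess("example.com", CONSTRUCTED_DNS, "google")` returns empty finding lists; `assess("weak.example", CONSTRUCTED_DNS, "google")` reports the `+all`, the `p=none` monitoring-only policy, the missing `rua=` and the absent DKIM record. The DKIM selector name comes from your mail provider's setup page, which is why it is a parameter.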
  20. Understand risks with examples
     Potential risk                                        | Can you do anything about it?
     Anyone on the internet can query my DNS records       | Nope
     People are able to see who my domain registrar is     | Nope
     My ISP/hosting company/government is insecure         | Nope
     My OS/processor/hardware company is insecure          | Nope
  21. Does my registrar support 2FA?
     Yes:
     ❑ Understand how the 2FA reset process works
     ❑ Make a note of what will need to be done in case 2FA needs to be disabled
     ❑ Enable 2FA for login
     ❑ Bonus points – if authentication logs can be stored
     No:
     ❑ Change your provider
  22. Does my registrar support whois privacy?
     Yes:
     ❑ Understand how to enable domain whois privacy
     ❑ Enable domain whois privacy before configuring the domain to do anything
     No:
     ❑ Change your provider
     ❑ If that is not an option, accept it as a potential risk factor
  23. Does my domain email support 2FA?
     Yes:
     ❑ Understand how the 2FA reset process works
     ❑ Make a note of what will need to be done in case 2FA needs to be disabled
     ❑ Enable 2FA for login
     ❑ Bonus points – if authentication logs can be stored
     No:
     ❑ Change your provider
  24. Protecting the domain admin email
     Dos:
     ❑ Enable 2FA, ideally app based rather than SMS based
     ❑ Use a reputed 3rd-party provider (like Gmail, maybe)
     ❑ Make sure your password is sufficiently random
     ❑ Put in a process to change it after a fixed duration
     Don’ts:
     ❑ Don’t use that email address for registering on other sites
     ❑ Never reuse that password if you have to use the same email ID elsewhere
  25. Azure Security Centre – Security for your platform use
     • Useful if you have virtual machine servers in Azure
     • Also useful if you want visibility on your Azure resources
  26. Azure Enterprise Applications – Secure apps with SSO
     • If you have internal-facing applications which require Role Based Access Control
     • If you have O365, adding or removing users is seamless
  27. Azure Key Vault – Secrets Management for your Pipeline
     • Useful if you integrate and deploy applications using CI/CD pipeline software
     • Instead of secrets being stored everywhere, they can stay safe in Key Vault and be requested on demand
  28. Key Take Aways – Important Security Checklists
     Checklist | Why is it useful
     1. OWASP Top 10 | Bare minimum security controls for your source code
     2. OWASP Mobile Top 10 | Bare minimum security controls for your mobile apps
     3. OWASP ASVS (Application Security Verification Standard) | A comprehensive checklist covering many areas of how to build secure web applications
     4. OWASP MASVS (Mobile ASVS) | A comprehensive checklist covering many areas of how to build secure mobile applications
     5. OWASP Security Testing Guide | If you require 3rd-party VA/PT, they should be testing for at least what is mentioned here
     6. OWASP Mobile Security Testing Guide | If you require 3rd-party VA/PT of mobile apps, they should be testing for at least what is mentioned here
     7. Azure Data Security and Encryption Best Practices | If you plan to store or transfer data in or out of Azure
     8. Azure best practices for Network Security | If you plan to have any kind of service available over the network (website/app backend/API)
     9. Azure CIS Benchmark | If you plan to host and maintain many virtual machines