Minimum Viable Security for Startups

Transcript

1. Minimum Viable Security Akash Mahajan Co-Founder Appsecco

2. Founder Bootcamp - Goa #MSFT4Startups

3. Akash Mahajan - Author | Speaker | Trainer | Community

   Started & Nurtured Author Speaker & Trainer Technical Reviewer Ex Co-Founder

4. Click to add text

5. A simplified depiction of the start-up’s journey Great Idea Documented

   Idea in laptop Idea shared with co-founder Potential team formed Domain & Email • Website • Source Code • Processes • Shared files • Presentations • Strategy Documents • SuperSecret Sauce • List of potential clients • Clients • Financial Details $$$ Exit $$$

6. A start-up’s journey in becoming secure - Great Idea Documented

   Idea in laptop Idea shared with co-founder Potential team formed Domain & Email • Website • Source Code • Processes • Shared files • Presentations • Strategy Documents • SuperSecret Sauce • List of potential clients • Clients • Financial Details $$$ Exit $$$

7. Laptop Security – Becoming and Staying Secure • Securing a

   laptop that you use for work Use licensed software Keep up with security patches Install anti-virus, anti-malware Don’t use unknown USB flash drives Don’t download and install unknown software from the internet

8. Laptop Security – Resilience against security threats Take continuous, encrypted,

   incremental backups of the software and data • Best defense against ransomware attacks • Allows for business continuity in case of hardware failure • Reduce Mean Time To Recovery in case of laptop theft

9. Domain & Email – Becoming and Staying Secure • Securing

   domain and email Use reputed domain registrars Use reputed email/office suite providers Ensure 2FA for admin accounts Reminders for renewing accounts and domains

10. Domain and Email – Resilience against security threats Ensure that

    you retain control of the billing and ownership of domain and email accounts management • Best defense against hijacking attempts (insider or external) • Allows for business continuity in case of active phishing attempts

11. Sensitive Data – Becoming and Staying Secure • Securing sensitive

    data, files etc. Use secure file sharing solutions Use reputed email/office suite providers Ensure 2FA for admin accounts Create role-based access depending on need of access

12. Sensitive Data – Resilience against security threats Provide access to

    sensitive data, as and when required, revoke when not required • Best defense against data breach/leakages • Understand how to revoke access before providing any as employees/contractors can and will leave you

13. Finance/Banking – Becoming and Staying Secure • Access your finance

    services/banking with paranoia Use secure laptop with secure network (Don’t use open Wi-Fi) Avoid using mobile apps Enable and use 2FA Create a process of alerts on all transactions

14. Finance/Banking – Resilience against security threats Use secure laptop, over

    a secure network to access bank website and enable 2FA for sensitive transactions • Know how to block bank transactions by calling the bank • Understand that fraud to steal your money can happen to you as well

15. Four pillars of abstract thoughts on Security 1. Create an

    inventory 2. Always do secure communications 1. Invest in account governance 3. Create and document processes for access and usage of information assets in the company 1. All processes need to have a source of truth 2. As processes evolve, put them under version control 4. Think in terms of service security

16. Create Inventory • Of users for email • Of users

    for file sharing • Of various websites and apps being used by the start-up • Of users who are also admins

17. Doing Secure Communications • Add team members to domain/corporate email

    before exchanging sensitive information • Ensure email is set to use TLS/SSL • If using messaging applications, use the ones that have end to end encryption • Bonus points if it has ability to delete messages

18. Document processes around onboarding and exits • A clearly defined

    steps to follow to add a user to corporate email and other accounts (apps inventory) • A clearly defined steps to follow to remove a user from corporate email and other accounts (apps inventory)

19. Who needs access? Can you avoid giving access to everyone?

    Thinking in terms of Service Security

20. Can you enforce a password policy? Thinking in terms of

    Service Security Top 10 weakest passwords for 2019 so far

21. Can you enforce a 2FA policy? Thinking in terms of

    Service Security Passwords fail to protect against the following attacks Credential Stuffing Phishing Keystroke Logging Local Discovery (Password Sharing) Password Spraying Extortion Brute-force There are over 4 billion stolen passwords in circulation

22. Self evaluation checklist • Protect your personal email account (used

    to register to everything else initially with 2FA) • Make sure email is setup with proper SPF, DKIM, DMARC • Don’t lose control of your mobile number

23. Understand risks with examples Potential risk Can you do anything

    about it? Anyone on the internet can try my DNS records Nope People are able to see who my domain registrar is Nope My ISP/Hosting company/Government is insecure Nope My OS/Processor/Hardware company is insecure Nope

24. Does my registrar support 2FA? Yes ❑ Understand how does

    the 2FA reset process works ❑ Make a note of what will need to be done, in case 2FA needs to be disabled ❑ Enable 2FA for login ❑ Bonus Points – If authentication logs can be stored No ❑ Change your provider

25. Does my registrar support whois privacy? Yes ❑ Understand how

    to enable domain whois privacy ❑ Enable domain whois privacy before configuring the domain to do anything No ❑ Change your provider ❑ If not an option, accept that as a potential risk factor

26. Does my domain email support 2FA? Yes ❑ Understand how

    does the 2FA reset process works ❑ Make a note of what will need to be done, in case 2FA needs to be disabled ❑ Enable 2FA for login ❑ Bonus Points – If authentication logs can be stored No ❑ Change your provider

27. Protecting the domain admin email Dos ❑ Enable 2FA ❑

    Ideally not SMS based but app based ❑ Use a reputed 3rd party provider (like Gmail maybe) ❑ Make sure your password is sufficiently random ❑ Put in a process to change it after a fixed duration Don’ts ❑ Use that email address for registering to other sites ❑ Never reuse that password if you have to use the same email ID elsewhere

28. Using Azure Services for Security A quick tour to give

    you some ideas

29. Azure Security Centre – Security for your platform use •

    Useful if you have virtual machine servers in Azure • Also useful if you want a visibility on your Azure resources

30. Azure Enterprise Applications – Secure apps with SSO • If

    you have internal facing applications which require Role Based Access Control • If you have O365, adding or removing users is seamless

31. Azure Key Vault – Secrets Management for your Pipeline •

    Useful if you integrate and deploy applications using CI/CD pipeline software • Instead of secrets stored everywhere they can stay safe in Key Vault and requested on demand

32. Checklist Why is it useful 1. OWASP Top 10 Bare

    minimum-security controls for your source code 2. OWASP Mobile Top 10 Bare minimum-security controls for your mobile apps 3. OWASP ASVS (Application Security Verification Guide) A comprehensive checklist covering many areas on how to build secure web applications 4. OWASP MASVS (Mobile ASVS) A comprehensive checklist covering many areas on how to build secure mobile applications 5. OWASP Security Testing Guide If you require 3rd party VA/PT they should be testing for at least what is mentioned here 6. OWASP Mobile Security Testing Guide If you require 3rd party VA/PT they should be testing for at least what is mentioned here 7. Azure Data Security and Encryption Best Practices If you plan to store or transfer data in or out of Azure 8. Azure best practices for Network Security If you plan to have any kind of service available over the network (website/app backend/API) 9. Azure CIS Benchmark If you plan to host and maintain many virtual machines Key Take Aways – Important Security Checklists

33. Any Questions or thoughts? Akash Mahajan | [email protected] | @makash