Security Compensation - How to Invest in Start-Up Security
•Download as PPTX, PDF•
1 like•1,010 views
If you can offload security functions to secure third party services, do so. Start security practices as soon as possible to avoid issues later. Some key security practices for startups include implementing least privilege for user accounts, hardening web browsers, using strong authentication and password management, securely configuring applications and services, and establishing processes for provisioning and revoking employee access.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (17)
Similar to Security Compensation - How to Invest in Start-Up Security
Similar to Security Compensation - How to Invest in Start-Up Security (20)
More from Christopher Grayson
More from Christopher Grayson (10)
Recently uploaded
Recently uploaded (20)
Security Compensation - How to Invest in Start-Up Security
- 1. Security CompensationHOW TO INVEST IN STARTUP SECURITY April 8, 2015
- 2. INTRODUCTION WHO ARE THOSE PEEPS UP IN FRONT?
- 3. 33 Chris Grayson • Security Associate Austin Whipple • Senior Security Analyst RELEVANT BECAUSE EASTER Some Cool Peeps 3 ChrisAustin
- 4. 44 • Offloading Security Risk • Security Best Practices for Start-ups • Conclusion WHATCHU TALKIN’ ‘BOUT HOLMES? Agenda
- 5. OFFLOADING ONLY MARGINALLY DIFFERENT FROM FREELOADING
- 6. 66 • Risk = (Probability of a threat occurring against an asset) x (Value of asset) • Reducing risk can be done by reducing the probability of the threat or reducing the value of the asset. • What is offloading risk? THE GAME OF GLOBAL DOMINATION Offloading Risk
- 7. 77 • Email has lots of hidden “gotchas:” spoofing, forwarding, encryption, backups, etc. • These are incredibly easy to overlook and misconfigure. Don’t do it yourself! EVERY WEEK I CHECK THE EMAIL Offloading Email
- 8. 88 • Similar to email, there are lots of “gotchas” that can lead to exploitation (Heartbleed). • Platforms like Cloudflare get early warning/access to exploits to fix them before the security advisory goes public. ENCRYPT ALL THE THINGS Offloading SSL
- 9. 99 • “Cloud” is not the be-all and end-all of technology solutions, but it does have its place. • Amazon suite, for example, makes it easier to have security by default. EVERYTHING IS SECURE IN “THE CLOUD” Offloading Hosting
- 10. 1010 • In 2015, there aren’t very many good reasons to be doing your own payroll. • If you aren’t storing/handling/ processing those details, we can’t steal them from you. YOU CAN’T STEAL WHAT THEY DON’T HAVE Offloading Payroll
- 11. 1111 • For tech companies with a product or a web presence, research shows that having a bug bounty is a good idea. • Bugcrowd: 193 – average number of valid submissions per bug bounty run YOU DEAL WITH MY PROBLEMS Offloading Bug Bounties
- 12. SECURITY BEST PRACTICES START NOW OR FOREVER HOLD YOUR PEACE
- 13. 1313 • As per Wikipedia, “every module must be able to access only the information and resources that are necessary for its legitimate purpose.” • Local admin rights, access to file shares, other sensitive information • Not about trust – about minimizing exposure NO, THEY DON’T NEED AN ADMIN ACCOUNT Principle of Least Privilege
- 14. 1414 • Browsers are popular targets. • Script blocking • ScriptSafe, ScriptBlock, NoScript • Ad blocking • Adblock • Tracker blocking • Ghostery, Disconnect THIS MIGHT HURT A LITTLE Hardening Your Browser
- 15. 1515 How a digital system identifies a user. • Authenticate with Facebook, Google • Private keys • Two-factor authentication on highly-sensitive endpoints (email, VPN) • Duo Security WHO ARE YOU AND WHAT ARE YOU DOING ON MY SERVER?! Authentication
- 16. 1616 • Wikipedia defines sandboxing as, “a security mechanism for separating running programs. It is often used to execute untested code.” • Virtual machines! • VMWare, VirtualBox DOMO ARIGATO MR. ROBOTO Virtualization
- 17. 1717 Passwords are the most ubiquitous form of authentication • One of the most valuable targets for an attacker. • Don’t re-use them! • Don’t share them! • Don’t write them down! • Use password vaults where possible. • KeePass, LastPass YOU CAN’T LIVE WITH ‘EM, YOU CAN’T LIVE WITHOUT ‘EM Password Management
- 18. 1818 • Vulnerable services and applications lead to compromised businesses. • Internal applications shouldn’t be on the open Internet. • Have a network? VPN + 2FA • No network? SSH + private key + port forwarding YOU’VE GOT WHAT ON YOUR EXTERNAL NETWORK?! Applications and Services
- 19. 1919 Only if you insist… • Not using publicly-vulnerable software • All sensitive information is encrypted when transmitted across the network • If passwords are used, the passwords are strong • Web application? Pay attention to the OWASP top 10 UGH FINE – WELL IF IT HAS TO BE ON THE INTERNET Applications and Services
- 20. 2020 Majority of sensitive communication occurs via email. • Encrypt your emails • Protect your domain from spoofed emails AN AGE OLD PROTOCOL WITH SERIOUS SECURITY IMPLICATIONS Email
- 21. 2121 • Don’t leave sensitive files sitting around • USB drives, FTP servers, anonymously-accessible file shares • Encryption • ZIP files, Truecrypt volumes • Don’t email files! • Syncing files • GIT, SVN, Box.com, Dropbox.com, Seafile EVERYBODY DOES IT File Sharing
- 22. 2222 Employees will come and go. • Establish a process for provisioning and revocation • May not seem necessary… • But by the time it is, it’s too late. PAY A LITTLE NOW OR A LOT LATER Account Provisioning and Revocation
- 23. 2323 • Security controls only count when they’re used. • Uniform practices • Repeatable, • Thought out • Documented • Verbalized. • Don’t over-engineer! BUT I THOUGHT WE WERE TALKING ABOUT SECURITY… Process Management
- 24. 2424 • Don’t do it • Seriously – don’t do it • Wireless networks pose significant risk • Open wireless network for guests • WPA2-PSK for employee Internet access CUT ALL THE CLUTTER Wireless Networks
- 25. CONCLUSION BRINGING IT ALL FULL-CIRCLE
- 26. 2626 Now that we’ve blown your mind…
- 27. 2727 If you can offload to a secure service, do it! Start security ASAP - you’ll be glad you did later. IF YOU DON’T REMEMBER ANYTHING ELSE… Key Takeaways
- 28. PARTING WORDS ALWAYS THE HARDEST PART… :’(
- 30. 3030 • @BishopFox • Facebook.com/BishopFoxConsulting • LinkedIn.com/Company/Bishop-Fox • Google.com/+BishopFox WE’RE A CHATTY BUNCH Contact Us
- 31. Thank You
- 32. 3232 Wikipedia – Principle of Least Privilege http://en.wikipedia.org/wiki/Principle_of_least_privilege ScriptSafe Chrome Plugin https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en NoScript Firefox Plugin https://addons.mozilla.org/en-us/firefox/addon/noscript/ AdBlock https://adblockplus.org/ Ghostery https://www.ghostery.com/en/ Disconnect https://disconnect.me/ Authenticate with Google https://developers.google.com/identity/ SLIDE 1 OF 4 Additional Resources
- 33. 3333 Authenticate with Facebook https://developers.facebook.com/docs/facebook-login/v2.3 Wikipedia – Key Authentication http://en.wikipedia.org/wiki/Key_authentication Wikipedia – Two-Factor Authentication http://en.wikipedia.org/wiki/Two_factor_authentication Duo Two-Factor Authentication https://www.duosecurity.com/ Better Security Through Sandboxing http://www.windowsecurity.com/articles-tutorials/windows_os_security/Better-Security-through-Sandboxing.html KeePass Password Safe http://keepass.info/ LastPass https://lastpass.com/ SLIDE 2 OF 4 Additional Resources
- 34. 3434 OpenVPN How-To https://openvpn.net/index.php/open-source/documentation/howto.html SSH Port Forwarding https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding OWASP Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Microsoft – Building a Strong Password Policy https://technet.microsoft.com/en-us/library/cc736605%28v=ws.10%29.aspx Getting Started with S/MIME http://www.office.mvps.org/smime/ DKIM Explained http://www.gettingemaildelivered.com/dkim-explained-how-to-set-up-and-use-domainkeys-identified-mail-effectively Setting up SPF Records http://www.rackspace.com/apps/support/portal/1212 SLIDE 3 OF 4 Additional Resources
- 35. 3535 How to Set Up DMARC Email Authentication http://www.gettingemaildelivered.com/how-to-set-up-dmarc-email-authentication Encrypting ZIP Files with 7-Zip http://www.northeastern.edu/securenu/?page_id=2573 TrueCrypt http://truecrypt.sourceforge.net/ Bug Bounties Helpful https://www.eecs.berkeley.edu/~daw/papers/vrp-use13.pdf Bug Bounties Helpful, pt. 2 http://www.cmswire.com/cms/information-management/bug-bounty-programs-help-companies-track-vulnerabilities- 027932.php Bugcrowd https://bugcrowd.com/products/bounty SLIDE 4 OF 4 Additional Resources
Editor's Notes
- Doing these things will not only improve security, but they also provide organizational maturity, and will allow you to easily scale once the time comes. Offloading Security Risk Relying on tried and true services instead of managing them in-house can boost productivity as well as security posture. Security Best Practices for Start-ups Security is much easier to improve when built from the ground up, and here’s where you can start. Conclusion What did we talk about, and where can you go to learn more?
- Otherwise known as “Easy Wins”
- Risk calculation: http://www.dhses.ny.gov/ocs/local-government/documents/Risk-Management-Guide-2012.pdf Reducing probability of threat – Limiting attack surface, defense in depth Reducing value of asset – storing only hashed passwords instead of plaintext passwords You’re not just paying for the (hopefully excellent) service, you’re paying for the reduced overhead, risk, and (sometimes) someone to blame in case something goes wrong. Offloading risk, in this context, means using other service and product providers to do things they specialize in, leaving you more time and effort to spend on what you do best.
- They are not only easy to overlook, it’s expensive to hire someone who will get all of them. Much easier and safer to use an email service. Do you have an expert on hand that knows about DKIM and SPF? Is handling email the best use of their time and expertise? If you’re using Gmail for email, we don’t even attempt all the normal stuff we do with emails and phishing campaigns. They just have their stuff locked down too well. Gmail, Outlook, Yahoo, Rackspace
- They often throw in DDoS protection and caching, too. Amazon
- Hosting, server maintenance, storage (backups), database – Downside is you have little control over downtime (which happens less and less often). Upside is this third party manages everything for you, with security built in to the process, and can scale up and down. It’s a lot easier to hack/break into a place that is not an Amazon datacenter. There is a tradeoff on control, but one upside is we are much less likely to be successful breaking into (or hacking) an Amazon datacenter than ATV.
- Payroll – if you aren’t storing/handling/processing those details, I can’t steal them.
- Bug Bounties – https://www.eecs.berkeley.edu/~daw/papers/vrp-use13.pdf http://www.cmswire.com/cms/information-management/bug-bounty-programs-help-companies-track-vulnerabilities-027932.php https://bugcrowd.com/products/bounty having one and having someone else run it = very effective Having someone else run it is an even better idea.
- Encrypt your emails with S/MIME! Protect your domain from spoofed emails with SPF, DKIM, and DMARC!
- Uniform practices allow for proper process management and oversight. Processes should be repeatable, thought out, documented and verbalized. Wiki, Confluence Don’t over-engineer!
- If you can offload to a secure service, do it! The cost of offloading responsibilities and processes to third-parties may seem significant in terms of dollar amount, but it’s way cheaper than securely taking on those processes and responsibilities internally. Start security ASAP - you’ll be glad you did later. Good security practices take time, effort, and money, but they’re important to the health of an organization. Taking the time now to invest in your security will not only greatly improve your operational security posture – it will save you immense amounts of time, effort, and money in the long run.