If you can offload security functions to secure third-party services, do so. Start security practices as soon as possible to avoid problems later. Key security practices for startups include applying least privilege to user accounts, hardening web browsers, using strong authentication and password management, securely configuring applications and services, and establishing processes for provisioning and revoking employee access.
Offloading Risk
THE GAME OF GLOBAL DOMINATION
• Risk = (Probability of a threat occurring against an asset) x (Value of asset)
• Reducing risk can be done by reducing the probability of the threat or reducing the value of the asset.
• What is offloading risk?
Offloading Email
EVERY WEEK I CHECK THE EMAIL
• Email has lots of hidden “gotchas”: spoofing, forwarding, encryption, backups, etc.
• These are incredibly easy to overlook and misconfigure.
Don’t do it yourself!
Offloading SSL
ENCRYPT ALL THE THINGS
• Similar to email, there are lots of “gotchas” that can lead to exploitation (Heartbleed).
• Platforms like Cloudflare get early warning/access to exploits to fix them before the security advisory goes public.
Offloading Hosting
EVERYTHING IS SECURE IN “THE CLOUD”
• “Cloud” is not the be-all and end-all of technology solutions, but it does have its place.
• The Amazon suite, for example, makes it easier to have security by default.
Offloading Payroll
YOU CAN’T STEAL WHAT THEY DON’T HAVE
• In 2015, there aren’t very many good reasons to be doing your own payroll.
• If you aren’t storing/handling/processing those details, we can’t steal them from you.
Offloading Bug Bounties
YOU DEAL WITH MY PROBLEMS
• For tech companies with a product or a web presence, research shows that having a bug bounty is a good idea.
• Bugcrowd: 193 – average number of valid submissions per bug bounty run
Principle of Least Privilege
NO, THEY DON’T NEED AN ADMIN ACCOUNT
• As per Wikipedia, “every module must be able to access only the information and resources that are necessary for its legitimate purpose.”
• Local admin rights, access to file shares, other sensitive information
• Not about trust – about minimizing exposure
Hardening Your Browser
THIS MIGHT HURT A LITTLE
• Browsers are popular targets.
• Script blocking: ScriptSafe, ScriptBlock, NoScript
• Ad blocking: Adblock
• Tracker blocking: Ghostery, Disconnect
Authentication
WHO ARE YOU AND WHAT ARE YOU DOING ON MY SERVER?!
How a digital system identifies a user.
• Authenticate with Facebook, Google
• Private keys
• Two-factor authentication on highly-sensitive endpoints (email, VPN): Duo Security
Virtualization
DOMO ARIGATO MR. ROBOTO
• Wikipedia defines sandboxing as “a security mechanism for separating running programs. It is often used to execute untested code.”
• Virtual machines! VMware, VirtualBox
Password Management
YOU CAN’T LIVE WITH ‘EM, YOU CAN’T LIVE WITHOUT ‘EM
Passwords are the most ubiquitous form of authentication.
• One of the most valuable targets for an attacker.
• Don’t re-use them!
• Don’t share them!
• Don’t write them down!
• Use password vaults where possible: KeePass, LastPass
Applications and Services
YOU’VE GOT WHAT ON YOUR EXTERNAL NETWORK?!
• Vulnerable services and applications lead to compromised businesses.
• Internal applications shouldn’t be on the open Internet.
• Have a network? VPN + 2FA
• No network? SSH + private key + port forwarding
Applications and Services
UGH FINE – WELL IF IT HAS TO BE ON THE INTERNET
Only if you insist…
• Not using publicly-vulnerable software
• All sensitive information is encrypted when transmitted across the network
• If passwords are used, the passwords are strong
• Web application? Pay attention to the OWASP Top 10
Email
AN AGE-OLD PROTOCOL WITH SERIOUS SECURITY IMPLICATIONS
The majority of sensitive communication occurs via email.
• Encrypt your emails
• Protect your domain from spoofed emails
File Sharing
EVERYBODY DOES IT
• Don’t leave sensitive files sitting around: USB drives, FTP servers, anonymously-accessible file shares
• Encryption: ZIP files, TrueCrypt volumes
• Don’t email files!
• Syncing files: Git, SVN, Box.com, Dropbox.com, Seafile
Account Provisioning and Revocation
PAY A LITTLE NOW OR A LOT LATER
Employees will come and go.
• Establish a process for provisioning and revocation
• May not seem necessary…
• But by the time it is, it’s too late.
Process Management
BUT I THOUGHT WE WERE TALKING ABOUT SECURITY…
• Security controls only count when they’re used.
• Uniform practices: repeatable, thought out, documented, verbalized.
• Don’t over-engineer!
Wireless Networks
CUT ALL THE CLUTTER
• Don’t do it
• Seriously – don’t do it
• Wireless networks pose significant risk
• Open wireless network for guests
• WPA2-PSK for employee Internet access
Key Takeaways
IF YOU DON’T REMEMBER ANYTHING ELSE…
If you can offload to a secure service, do it!
Start security ASAP – you’ll be glad you did later.
Additional Resources
Wikipedia – Principle of Least Privilege: http://en.wikipedia.org/wiki/Principle_of_least_privilege
ScriptSafe Chrome Plugin: https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en
NoScript Firefox Plugin: https://addons.mozilla.org/en-us/firefox/addon/noscript/
AdBlock: https://adblockplus.org/
Ghostery: https://www.ghostery.com/en/
Disconnect: https://disconnect.me/
Authenticate with Google: https://developers.google.com/identity/
Authenticate with Facebook: https://developers.facebook.com/docs/facebook-login/v2.3
Wikipedia – Key Authentication: http://en.wikipedia.org/wiki/Key_authentication
Wikipedia – Two-Factor Authentication: http://en.wikipedia.org/wiki/Two_factor_authentication
Duo Two-Factor Authentication: https://www.duosecurity.com/
Better Security Through Sandboxing: http://www.windowsecurity.com/articles-tutorials/windows_os_security/Better-Security-through-Sandboxing.html
KeePass Password Safe: http://keepass.info/
LastPass: https://lastpass.com/
OpenVPN How-To: https://openvpn.net/index.php/open-source/documentation/howto.html
SSH Port Forwarding: https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding
OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Microsoft – Building a Strong Password Policy: https://technet.microsoft.com/en-us/library/cc736605%28v=ws.10%29.aspx
Getting Started with S/MIME: http://www.office.mvps.org/smime/
DKIM Explained: http://www.gettingemaildelivered.com/dkim-explained-how-to-set-up-and-use-domainkeys-identified-mail-effectively
Setting up SPF Records: http://www.rackspace.com/apps/support/portal/1212
How to Set Up DMARC Email Authentication: http://www.gettingemaildelivered.com/how-to-set-up-dmarc-email-authentication
Encrypting ZIP Files with 7-Zip: http://www.northeastern.edu/securenu/?page_id=2573
TrueCrypt: http://truecrypt.sourceforge.net/
Bug Bounties Helpful: https://www.eecs.berkeley.edu/~daw/papers/vrp-use13.pdf
Bug Bounties Helpful, pt. 2: http://www.cmswire.com/cms/information-management/bug-bounty-programs-help-companies-track-vulnerabilities-027932.php
Bugcrowd: https://bugcrowd.com/products/bounty
Editor's Notes
Doing these things will not only improve security, but they also provide organizational maturity, and will allow you to easily scale once the time comes.
Offloading Security Risk
Relying on tried and true services instead of managing them in-house can boost productivity as well as security posture.
Security Best Practices for Start-ups
Security is much easier to improve when built from the ground up, and here’s where you can start.
Conclusion
What did we talk about, and where can you go to learn more?
Otherwise known as “Easy Wins”
Risk calculation: http://www.dhses.ny.gov/ocs/local-government/documents/Risk-Management-Guide-2012.pdf
Reducing probability of threat – Limiting attack surface, defense in depth
Reducing value of asset – storing only hashed passwords instead of plaintext passwords
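The “reduce the value of the asset” point above, shown in code: an added example (not the talk’s own material) of a credential store that keeps only salted, iterated hashes, so a copy of the store no longer contains the passwords themselves. The algorithm choice (PBKDF2-HMAC-SHA256, 200,000 iterations) and the record format are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with 200,000
# iterations and a 16-byte random salt per record. The slide's point is that
# the stored value is not the password, so stealing the store is worth less.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a storable record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    A fresh random salt is used unless one is supplied (supplied only for
    deterministic tests); the salt keeps identical passwords from producing
    identical records.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the record's own salt and iteration count.

    The comparison is constant-time so timing does not leak how many bytes of
    the digest matched. Unknown algorithms are rejected rather than guessed.
    """
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample: the stored record reveals nothing usable on its own,
    # and two users with the same password still get different records.
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print(record_a != record_b, verify_password("correct horse battery staple", record_a))
```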
You’re not just paying for the (hopefully excellent) service, you’re paying for the reduced overhead, risk, and (sometimes) someone to blame in case something goes wrong.
Offloading risk, in this context, means using other service and product providers to do things they specialize in, leaving you more time and effort to spend on what you do best.
They are not only easy to overlook; it’s also expensive to hire someone who will get all of them right. It is much easier and safer to use an email service. Do you have an expert on hand who knows about DKIM and SPF? Is handling email the best use of their time and expertise?
If you’re using Gmail for email, we don’t even attempt all the normal stuff we do with emails and phishing campaigns. They just have their stuff locked down too well.
Gmail, Outlook, Yahoo, Rackspace
They often throw in DDoS protection and caching, too.
Amazon
Hosting, server maintenance, storage (backups), database. The downside is that you have little control over downtime (which happens less and less often). The upside is that this third party manages everything for you, with security built into the process, and can scale up and down. It’s a lot easier to hack/break into a place that is not an Amazon datacenter.
There is a tradeoff on control, but one upside is we are much less likely to be successful breaking into (or hacking) an Amazon datacenter than ATV.
Payroll – if you aren’t storing/handling/processing those details, I can’t steal them.
Bug Bounties –
https://www.eecs.berkeley.edu/~daw/papers/vrp-use13.pdf
http://www.cmswire.com/cms/information-management/bug-bounty-programs-help-companies-track-vulnerabilities-027932.php
https://bugcrowd.com/products/bounty
Having one, and having someone else run it, is very effective.
Having someone else run it is an even better idea.
Encrypt your emails with S/MIME!
Protect your domain from spoofed emails with SPF, DKIM, and DMARC!
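To make the “protect your domain from spoofed emails” slide and the SPF/DKIM/DMARC note above concrete, here is an added example (not from the talk) that evaluates a domain’s SPF and DMARC TXT records and reports the weak settings a receiver would see. The domains and records are constructed and stand in for a DNS lookup so the check runs offline; DKIM is not checked because its selector names are not discoverable from the domain alone.

```python
import re

# Constructed sample DNS TXT answers (not real domains): one domain configured
# sensibly, one with common mistakes, one with nothing published at all.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 a mx ~all", "v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "none.example": [],
}


def parse_spf(txt):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+') or None."""
    for term in txt.split()[1:]:          # skip the 'v=spf1' version tag
        m = re.fullmatch(r"([-~?+]?)all", term)
        if m:
            return m.group(1) or "+"      # RFC 7208: a missing qualifier means '+' (pass)
    return None


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, lookup=SAMPLE_TXT):
    """Return a list of findings about missing or weak anti-spoofing records."""
    findings = []
    spf = [t for t in lookup.get(domain, []) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records (RFC 7208 receivers return permerror)")
    for txt in spf:
        qualifier = parse_spf(txt)
        if qualifier is None:
            findings.append("SPF has no 'all' mechanism, so unlisted senders are not rejected")
        elif qualifier == "+":
            findings.append("SPF ends in +all, authorising every sender")
        elif qualifier == "?":
            findings.append("SPF ends in ?all (neutral), which gives receivers no signal")
    dmarc = [t for t in lookup.get("_dmarc." + domain, []) if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record, so SPF/DKIM failures are not enforced")
    else:
        policy = parse_dmarc(dmarc[0]).get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy is '{policy or 'missing'}', spoofed mail is not rejected")
    return findings
```

Replacing `SAMPLE_TXT` with a real TXT lookup turns this into a quick self-check of your own domain before the first phishing attempt arrives.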
Uniform practices allow for proper process management and oversight.
Processes should be repeatable, thought out, documented and verbalized.
Wiki, Confluence
Don’t over-engineer!
If you can offload to a secure service, do it!
The cost of offloading responsibilities and processes to third parties may seem significant in terms of dollar amount, but it’s far cheaper than securely taking on those processes and responsibilities internally.
Start security ASAP - you’ll be glad you did later.
Good security practices take time, effort, and money, but they’re important to the health of an organization. Taking the time now to invest in your security will not only greatly improve your operational security posture – it will save you immense amounts of time, effort, and money in the long run.