Slide 1

Minimum Viable Security
Akash Mahajan, Co-Founder, Appsecco

Slide 2

Founder Bootcamp - Goa #MSFT4Startups

Slide 3

Akash Mahajan - Author | Speaker | Trainer | Community Started & Nurtured
Author, Speaker & Trainer, Technical Reviewer, Ex Co-Founder

Slide 5

A simplified depiction of the start-up's journey

Great Idea → Documented Idea in laptop → Idea shared with co-founder → Potential team formed → Domain & Email
• Website
• Source Code
• Processes
• Shared files
• Presentations
• Strategy Documents
• SuperSecret Sauce
• List of potential clients
• Clients
• Financial Details
$$$ Exit $$$

Slide 6

A start-up's journey in becoming secure

Great Idea → Documented Idea in laptop → Idea shared with co-founder → Potential team formed → Domain & Email
• Website
• Source Code
• Processes
• Shared files
• Presentations
• Strategy Documents
• SuperSecret Sauce
• List of potential clients
• Clients
• Financial Details
$$$ Exit $$$

Slide 7

Laptop Security – Becoming and Staying Secure
• Securing a laptop that you use for work
  - Use licensed software
  - Keep up with security patches
  - Install anti-virus and anti-malware software
  - Don't plug in unknown USB flash drives
  - Don't download and install unknown software from the internet

Slide 8

Laptop Security – Resilience against security threats
Take continuous, encrypted, incremental backups of your software and data
• Best defense against ransomware attacks, provided at least one copy is kept where a compromised laptop cannot overwrite it
• Allows for business continuity in case of hardware failure
• Reduces Mean Time To Recovery in case of laptop theft
• Test a restore periodically; a backup that has never been restored is an untested assumption

Slide 9

Domain & Email – Becoming and Staying Secure
• Securing domain and email
  - Use reputed domain registrars
  - Use reputed email/office suite providers
  - Ensure 2FA for admin accounts
  - Set reminders for renewing accounts and domains

Slide 10

Domain and Email – Resilience against security threats
Ensure that you retain control of the billing and ownership of the domain and of email account management
• Best defense against hijacking attempts (insider or external)
• Allows for business continuity in case of active phishing attempts

Slide 11

Sensitive Data – Becoming and Staying Secure
• Securing sensitive data, files etc.
  - Use secure file sharing solutions
  - Use reputed email/office suite providers
  - Ensure 2FA for admin accounts
  - Create role-based access depending on the need for access

Slide 12

Sensitive Data – Resilience against security threats
Provide access to sensitive data as and when required, and revoke it when no longer required
• Best defense against data breaches/leakages
• Understand how to revoke access before granting any, because employees and contractors can and will leave you

Slide 13

Finance/Banking – Becoming and Staying Secure
• Access your finance services/banking with paranoia
  - Use a secure laptop on a secure network (don't use open Wi-Fi)
  - Avoid using mobile apps
  - Enable and use 2FA
  - Create a process of alerts on all transactions

Slide 14

Finance/Banking – Resilience against security threats
Use a secure laptop, over a secure network, to access the bank website and enable 2FA for sensitive transactions
• Know how to block bank transactions by calling the bank
• Understand that fraud to steal your money can happen to you as well

Slide 15

Four pillars of abstract thoughts on Security
1. Create an inventory
2. Always do secure communications
   1. Invest in account governance
3. Create and document processes for access and usage of information assets in the company
   1. All processes need to have a source of truth
   2. As processes evolve, put them under version control
4. Think in terms of service security

Slide 16

Create Inventory
• Of users for email
• Of users for file sharing
• Of the various websites and apps being used by the start-up
• Of users who are also admins

Slide 17

Doing Secure Communications
• Add team members to domain/corporate email before exchanging sensitive information
• Ensure email clients and servers are set to use TLS/SSL
• If using messaging applications, use the ones that have end-to-end encryption
• Bonus points if it has the ability to delete messages

Slide 18

Document processes around onboarding and exits
• Clearly defined steps to follow to add a user to corporate email and other accounts (apps inventory)
• Clearly defined steps to follow to remove a user from corporate email and other accounts (apps inventory)
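The inventory (slide 16), the "revoke when no longer required" rule (slide 12) and the exit process (slide 18) only work together if the lists are actually compared. The following is an added example, not code from the deck or from Appsecco: it treats the corporate email directory as the source of truth, holds the rest of the apps inventory beside it, and reports accounts that belong to nobody in the directory, admins without a second factor, and the ordered steps for one person's exit. The `Account`/`Inventory` types and the sample exports are constructed for illustration; the slide does not prescribe any data format.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Account:
    email: str
    admin: bool = False
    mfa: bool = False


@dataclass
class Inventory:
    # The corporate email directory is the source of truth for who is on the team.
    directory: Dict[str, Account]
    # Every other service in the apps inventory: service name -> accounts seen there.
    services: Dict[str, Dict[str, Account]]


def sample_inventory() -> Inventory:
    """Constructed sample exports, not data from any real start-up."""
    directory = {
        "alice@example.com": Account("alice@example.com", admin=True, mfa=True),
        "bob@example.com": Account("bob@example.com", mfa=True),
        "carol@example.com": Account("carol@example.com", admin=True, mfa=False),
    }
    services = {
        "file-sharing": {
            "alice@example.com": Account("alice@example.com", admin=True, mfa=True),
            "bob@example.com": Account("bob@example.com", mfa=False),
            # dave left the company but nobody removed him from file sharing
            "dave@example.com": Account("dave@example.com", mfa=False),
        },
        "github": {
            "alice@example.com": Account("alice@example.com", admin=True, mfa=True),
            # a contractor signed up with an address that was never in the directory
            "contractor@example.net": Account("contractor@example.net", admin=True, mfa=False),
        },
    }
    return Inventory(directory=directory, services=services)


def orphaned_accounts(inv: Inventory) -> Dict[str, List[str]]:
    """Accounts on a service whose owner is not in the email directory (leavers, personal sign-ups)."""
    orphans: Dict[str, List[str]] = {}
    for service, accounts in inv.services.items():
        stale = sorted(email for email in accounts if email not in inv.directory)
        if stale:
            orphans[service] = stale
    return orphans


def admins_without_mfa(inv: Inventory) -> List[str]:
    """'service:email' for every admin account with no second factor, the email directory included."""
    scopes = [("email", inv.directory)] + sorted(inv.services.items(), key=lambda kv: kv[0])
    return sorted(
        f"{service}:{acct.email}"
        for service, accounts in scopes
        for acct in accounts.values()
        if acct.admin and not acct.mfa
    )


def offboarding_plan(inv: Inventory, email: str) -> List[Tuple[str, str, bool]]:
    """Ordered exit steps as (service, action, was_admin).

    The directory account goes first: disabling it blocks SSO logins and
    password resets into every other service while the rest is cleaned up.
    """
    steps: List[Tuple[str, str, bool]] = []
    if email in inv.directory:
        steps.append(("email", "disable", inv.directory[email].admin))
    for service in sorted(inv.services):
        if email in inv.services[service]:
            steps.append((service, "remove", inv.services[service][email].admin))
    return steps


if __name__ == "__main__":
    inv = sample_inventory()
    print("orphaned accounts:", orphaned_accounts(inv))
    print("admins without 2FA:", admins_without_mfa(inv))
    print("offboarding alice:", offboarding_plan(inv, "alice@example.com"))
```

The `was_admin` flag in each exit step is the practical caveat: removing an admin who owns repositories or shared drives can delete or lock the content, so ownership is transferred before the account goes. Running the report on every exit, and on a schedule, is what turns the inventory from a list into a control.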

Slide 19

Thinking in terms of Service Security
Who needs access? Can you avoid giving access to everyone?

Slide 20

Thinking in terms of Service Security
Can you enforce a password policy?
[Figure: Top 10 weakest passwords for 2019 so far]

Slide 21

Thinking in terms of Service Security
Can you enforce a 2FA policy?
Passwords fail to protect against the following attacks:
• Credential Stuffing
• Phishing
• Keystroke Logging
• Local Discovery (Password Sharing)
• Password Spraying
• Extortion
• Brute-force
There are over 4 billion stolen passwords in circulation
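Slides 20 and 21 ask whether a password policy can be enforced and point out that billions of stolen passwords are already in circulation, so a policy that only counts characters is not enough. The following is an added example, not code from the deck: it checks a proposed password for minimum length, for containing the user's own name, and for presence in a leaked-password set, and it does the last check the k-anonymity way (look up only the first five hex characters of the SHA-1, then compare the suffix locally) so the full hash never leaves the client. The leaked set here is a constructed five-entry stand-in for a real breach corpus; the function names are this example's own.

```python
import hashlib
from typing import Dict, List, Set

# Constructed stand-in for the leaked-password corpus the slide refers to.
# A real deployment would use a breach-derived list; these five are illustrative only.
CONSTRUCTED_LEAKED: Set[str] = {"123456", "password", "qwerty", "letmein", "iloveyou"}


def sha1_upper(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: Set[str]) -> Dict[str, Set[str]]:
    """Index leaked passwords by the first 5 hex chars of their SHA-1 (k-anonymity style).

    A client asks only for a prefix and receives every suffix under it, so the
    index holder never learns which full hash, let alone which password, was
    being checked. Built locally here so the example runs offline.
    """
    index: Dict[str, Set[str]] = {}
    for pw in leaked:
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_LEAKED)


def is_leaked(password: str, index: Dict[str, Set[str]] = RANGE_INDEX) -> bool:
    """Prefix lookup plus local suffix comparison; the full digest stays on this side."""
    digest = sha1_upper(password)
    return digest[5:] in index.get(digest[:5], set())


def evaluate_password(password: str, username: str = "", min_length: int = 12) -> List[str]:
    """Return the policy rules a password fails; an empty list means it is acceptable."""
    failures: List[str] = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    # Compare against the local part of the e-mail style username, case-insensitively.
    local_part = username.split("@")[0].lower()
    if local_part and local_part in password.lower():
        failures.append("contains the username")
    if is_leaked(password):
        failures.append("found in the leaked-password set")
    return failures


if __name__ == "__main__":
    for candidate, user in [("password", "bob"), ("correct horse battery staple", "alice@example.com")]:
        print(repr(candidate), "->", evaluate_password(candidate, user) or "ok")
```

Length plus a leaked-password check is the combination NIST SP 800-63B recommends in place of composition rules (mandatory digits and symbols), which mostly produce predictable variations of the same weak passwords. None of this replaces the 2FA policy of slide 21: a strong, unleaked password is still phishable, which is exactly the gap a second factor closes.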

Slide 22

Self evaluation checklist
• Protect your personal email account (the one used to register for everything else initially) with 2FA
• Make sure email is set up with proper SPF, DKIM and DMARC
• Don't lose control of your mobile number
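"Proper SPF, DKIM, DMARC" is easy to tick off and easy to get wrong: an SPF record ending in `+all`, a DMARC policy of `p=none`, or a DKIM selector with an empty key all exist in DNS and all fail to protect the domain. The following is an added example, not code from the deck: small checkers for the three record types that flag the weak settings a practitioner looks for, run here over constructed record strings rather than live DNS lookups. The rules encoded (the `all` qualifier, the 10-lookup limit from RFC 7208, `p=none` and `pct` in DMARC, an empty `p=` meaning a revoked DKIM key) are standard; the function names are this example's own.

```python
import re
from typing import Dict, List

# Mechanisms and the modifier that cost a DNS query; RFC 7208 caps these at 10 per check.
DNS_QUERYING_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' record; DMARC and DKIM records share this shape."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt: str) -> List[str]:
    findings: List[str] = []
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' lets any host send as your domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral, equivalent to having no policy")
    lookups = 0
    for term in terms[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in DNS_QUERYING_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms: exceeds the limit of 10 (permerror)")
    return findings


def check_dmarc(txt: str) -> List[str]:
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so you get no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail")
    return findings


def check_dkim(txt: str) -> List[str]:
    tags = parse_tags(txt)
    findings: List[str] = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected v= tag (should be DKIM1 if present)")
    if not tags.get("p"):
        findings.append("empty or missing p= tag: the selector has no public key (revoked)")
    return findings


if __name__ == "__main__":
    # Constructed records for demonstration; replace with the TXT records of your own domain.
    print("spf  ", check_spf("v=spf1 a mx +all"))
    print("dmarc", check_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print("dkim ", check_dkim("v=DKIM1; k=rsa; p="))
```

Start with `p=none` plus `rua=` to collect reports, but treat that as a temporary state: the self-evaluation item is only satisfied once the policy reaches `quarantine` or `reject` at `pct=100`, with SPF ending in `-all` or `~all` and every outbound service (marketing, ticketing, transactional mail) either inside the SPF includes or signing with DKIM.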

Slide 23

Understand risks with examples

Potential risk | Can you do anything about it?
Anyone on the internet can query my DNS records | Nope
People are able to see who my domain registrar is | Nope
My ISP/Hosting company/Government is insecure | Nope
My OS/Processor/Hardware company is insecure | Nope

Slide 24

Does my registrar support 2FA?
Yes
❑ Understand how the 2FA reset process works
❑ Make a note of what will need to be done in case 2FA needs to be disabled
❑ Enable 2FA for login
❑ Bonus Points – if authentication logs can be stored
No
❑ Change your provider

Slide 25

Does my registrar support whois privacy?
Yes
❑ Understand how to enable domain whois privacy
❑ Enable domain whois privacy before configuring the domain to do anything
No
❑ Change your provider
❑ If that is not an option, accept it as a potential risk factor

Slide 26

Does my domain email support 2FA?
Yes
❑ Understand how the 2FA reset process works
❑ Make a note of what will need to be done in case 2FA needs to be disabled
❑ Enable 2FA for login
❑ Bonus Points – if authentication logs can be stored
No
❑ Change your provider

Slide 27

Protecting the domain admin email
Dos
❑ Enable 2FA
❑ Ideally app based, not SMS based
❑ Use a reputed 3rd party provider (like Gmail, maybe)
❑ Make sure your password is sufficiently random
❑ Put in a process to change it after a fixed duration
Don'ts
❑ Don't use that email address for registering on other sites
❑ Never reuse that password if you have to use the same email ID elsewhere

Slide 28

Using Azure Services for Security
A quick tour to give you some ideas

Slide 29

Azure Security Centre – Security for your platform use
• Useful if you have virtual machine servers in Azure
• Also useful if you want visibility into your Azure resources

Slide 30

Azure Enterprise Applications – Secure apps with SSO
• If you have internal-facing applications which require Role Based Access Control
• If you have O365, adding or removing users is seamless

Slide 31

Azure Key Vault – Secrets Management for your Pipeline
• Useful if you integrate and deploy applications using CI/CD pipeline software
• Instead of secrets being stored everywhere, they can stay safe in Key Vault and be requested on demand

Slide 32

Key Take Aways – Important Security Checklists

Checklist | Why is it useful
1. OWASP Top 10 | Bare minimum security controls for your source code
2. OWASP Mobile Top 10 | Bare minimum security controls for your mobile apps
3. OWASP ASVS (Application Security Verification Standard) | A comprehensive checklist covering many areas of how to build secure web applications
4. OWASP MASVS (Mobile Application Security Verification Standard) | A comprehensive checklist covering many areas of how to build secure mobile applications
5. OWASP Security Testing Guide | If you engage a 3rd party for VA/PT, they should be testing for at least what is mentioned here
6. OWASP Mobile Security Testing Guide | If you engage a 3rd party for VA/PT, they should be testing for at least what is mentioned here
7. Azure Data Security and Encryption Best Practices | If you plan to store or transfer data in or out of Azure
8. Azure best practices for Network Security | If you plan to have any kind of service available over the network (website/app backend/API)
9. Azure CIS Benchmark | If you plan to host and maintain many virtual machines

Slide 33

Any Questions or thoughts?
Akash Mahajan | [email protected] | @makash