Security & Compliance for Startups
Kartik Trivedi, Partner, Symosis Security
Quick Survey
What are you responsible for?
• Audit & Assurance
• Security / Compliance
• IT / Management
• Product Development
What size of company do you work for?
• Fortune 1000
• SMB (Small and Medium Business)
• Startups
Any company that is almost always significantly resource constrained – Forbes
What we will cover
1. Recent Breaches (& What we can learn from them)
2. Demo
3. (Few) Security & Compliance considerations
56 million credit + debit payment cards' information. Criminals used a third-party vendor's user name and password to enter the perimeter of its network. Resisted activating the intrusion prevention; left its computers vulnerable by switching off Symantec's Network Threat Protection (NTP) firewall. Home Depot didn't encrypt the customer card data on its registers and computers inside its stores. The former managers say Home Depot was also using out-of-date antivirus software in its stores.
The Amazon of CC
• http://rescator.cc
76M Banks contact information + 7M Small Businesses. Hackers had originally gained access to the bank's network by compromising the computer an employee with special privileges had used both at work and at home, and then moved across the bank's network to access contact data. Hackers then obtained the website certificate for the Corporate Challenge site's vendor, allowing hackers access to any communications between visitors and the website, including passwords and email addresses. Breach was part of a repository of a billion stolen passwords and usernames from some 420,000 websites.
Cyber attack that exposed names, birth dates and other sensitive information of more than ~300k staff, students and alumni. The attacker used an existing login account to access the server. …a breach impacted more than 300k students and recent graduates after data was improperly stored in a server exposed to the Internet. It was accessed by automated webcrawlers.
The university learned through the subsequent investigation an unknown person broke into a university web server used to store various employment transaction records and some extended learning course information.
wp-config.php~
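The trailing `wp-config.php~` above is the kind of editor backup copy that a web server serves as plain text because it does not recognise the suffix. What follows is an added check, not from the talk or from any of the universities named, that walks a document root for such copies and for secret material that should never sit under it at all; the suffix list, the demo tree and its placeholder values are constructed for the example.

```python
import os
import tempfile

# File-name patterns that editors and admins commonly leave beside live files.
# A web server that does not recognise the suffix serves the copy as plain
# text, which is how a configuration file ending in "~" ends up readable.
BACKUP_SUFFIXES = ("~", ".bak", ".old", ".orig", ".save", ".swp", ".tmp", ".copy")

# Names that should never be under a document root at all (constructed list).
SECRET_NAMES = {".env", ".git", ".htpasswd", "id_rsa"}


def find_exposed_files(docroot: str) -> list:
    """Return (reason, relative path) pairs for every backup copy or
    secret-bearing file or directory found under docroot, sorted for
    stable output."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames:
            if name in SECRET_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                findings.append(("secret-material", rel))
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            if name in SECRET_NAMES:
                findings.append(("secret-material", rel))
            elif name.endswith(BACKUP_SUFFIXES) or name.startswith(".#"):
                findings.append(("backup-copy", rel))
    return sorted(findings)


def build_demo_docroot(root: str) -> None:
    """Create a constructed document root: one live config file, an editor
    backup of it, an old copy in a subdirectory, a stray .env and a .git
    directory. All secrets are placeholders."""
    os.makedirs(os.path.join(root, "inc"))
    os.makedirs(os.path.join(root, ".git"))
    files = {
        "index.php": "<?php echo 'hello'; ?>",
        "wp-config.php": "<?php define('DB_PASSWORD', 'placeholder'); ?>",
        "wp-config.php~": "<?php define('DB_PASSWORD', 'placeholder'); ?>",
        os.path.join("inc", "db.php.bak"): "<?php /* old copy */ ?>",
        ".env": "DB_PASSWORD=placeholder",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)


def scan_demo() -> list:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_docroot(root)
        return find_exposed_files(root)


if __name__ == "__main__":
    for reason, path in scan_demo():
        print(f"{reason:16} {path}")
```

Run it against a real document root with `find_exposed_files("/var/www/html")` (path is an assumption); the fix for each hit is to move the file out of the served tree, and, for the suffixes listed, to have the web server deny them outright rather than rely on nobody guessing the name.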
The Social Security numbers, names and addresses of employees and contract workers were potentially accessible online because the thumb drive was plugged into the employee's "unsecure home network."
The problem began last month when the system sent two unencrypted computer discs containing the first and last names and Social Security numbers of members enrolled in ASRS dental plans to a benefits company, Assurant, in Kansas City, Mo. Assurant, at the end of last month, informed the ASRS that it had not received the discs.
Exposed names, e-mail addresses, and password data for the service's 50 million end users. The chief complaint involves Evernote's use of the MD5 cryptographic algorithm to convert user passwords into one-way hashes before storing them in a database. MD5 makes an attacker's job of cracking the hashes much easier by allowing billions of guesses per second.
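The MD5 point above, as an added illustration that is not from the talk or from Symosis: the weak scheme (one unsalted MD5 per password) beside a salted, iterated PBKDF2-HMAC-SHA256 scheme from the Python standard library. The sample password, the iteration count and the storage format are constructed values for this example, not a production recommendation.

```python
import hashlib
import hmac
import os

# Constructed sample password; not taken from any breach data.
SAMPLE_PASSWORD = "correct horse battery staple"

# Constructed parameters for the hardened scheme. The iteration count is kept
# modest so the example runs quickly; real deployments tune it much higher.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def md5_hash(password: str) -> str:
    """The weak scheme: a single unsalted MD5 over the password. The same
    password always produces the same digest, so one precomputed table cracks
    every account, and MD5 is fast enough to test billions of guesses/second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. The result is self-describing so the parameters
    can be raised later without invalidating existing records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time; malformed records are rejected rather than raising."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_same_hash(password: str, hasher) -> bool:
    """True when hashing the same password twice gives identical output, the
    property that makes unsalted MD5 vulnerable to precomputed tables."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    print("md5        :", md5_hash(SAMPLE_PASSWORD))
    record = hash_password(SAMPLE_PASSWORD)
    print("pbkdf2     :", record)
    print("repeatable :", same_password_same_hash(SAMPLE_PASSWORD, md5_hash),
          same_password_same_hash(SAMPLE_PASSWORD, hash_password))
    print("verify     :", verify_password(SAMPLE_PASSWORD, record))
```

The salt defeats shared precomputation across accounts; the iteration count is what turns "billions of guesses per second" into a small number, and it is the knob to raise as hardware improves.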
Hacker going by the handle "w0rm" posted a screenshot on Twitter on Tuesday showing a database from the newspaper. w0rm offered to sell the data for 1 bitcoin, or about US$620.
The hacker gained entry into the network via a SQL injection vulnerability. By gaining entry to the graphics system, w0rm may have also had access to 23 other databases on the same server.
eBay admitted to the massive data breach that affected 145 million registered users worldwide after its database was compromised. Each time a user visits any infected auction page created by the attacker, the reported persistent XSS vulnerability will execute the unauthorized JavaScript code on the user's browser with a payload to steal their account cookies and user credentials.
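The two application flaws on this slide, as an added example that is not part of the talk and not code from either company: a listing search that splices user input into SQL beside the parameterized form, and listing markup that echoes seller-supplied text verbatim beside the escaped form. The in-memory SQLite table, the listings and the function names are constructed for this example.

```python
import html
import sqlite3

# Constructed sample listings; nothing here comes from a real site.
SAMPLE_LISTINGS = [
    ("Vintage camera", "Works, minor wear."),
    ("Bike frame", "Aluminium, 54cm."),
    ("Hidden item", "Should only appear for an exact title match."),
]


def build_db() -> sqlite3.Connection:
    """In-memory table standing in for the listings database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (title TEXT, description TEXT)")
    conn.executemany("INSERT INTO listings VALUES (?, ?)", SAMPLE_LISTINGS)
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable: the term becomes part of the SQL text, so quotes in the
    input rewrite the query instead of being compared as data."""
    sql = f"SELECT title FROM listings WHERE title = '{term}'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened: the term is bound as a parameter; the database only ever
    treats it as a value, whatever quotes or keywords it contains."""
    sql = "SELECT title FROM listings WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def render_unsafe(title: str, description: str) -> str:
    """Vulnerable rendering: seller text is inserted into the page as-is, so
    markup in a stored description runs in every visitor's browser
    (persistent XSS)."""
    return f"<h1>{title}</h1><p>{description}</p>"


def render_safe(title: str, description: str) -> str:
    """Hardened rendering: escape untrusted text at the point of output."""
    return f"<h1>{html.escape(title)}</h1><p>{html.escape(description)}</p>"


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"          # constructed input with an embedded quote
    print("unsafe search :", search_unsafe(db, probe))
    print("safe search   :", search_safe(db, probe))
    marker = "<script>alert('xss')</script>"   # constructed, harmless marker
    print("unsafe render :", render_unsafe("Camera", marker))
    print("safe render   :", render_safe("Camera", marker))
```

Parameter binding fixes the first flaw at the query layer; for the second, escaping at output is the baseline, and a Content Security Policy and HttpOnly session cookies limit what an injected script could reach if escaping is ever missed.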
The Apple password reset function that could have let hackers into iCloud with ONLY an email address is revealed. System allows users to reset password by answering two security questions. Experts say answers can easily be found online by hackers. Fears other services like Dropbox and Google Drive could also be at risk from password reset systems.
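A reset flow that does not rest on security-question answers, as an added example rather than Apple's design or anything from the talk: a random single-use token with a short lifetime, delivered out of band to the address on file, of which only a hash is stored. The service class, the lifetime and the injectable clock are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Token lifetime in seconds (constructed value for the example).
RESET_TTL = 15 * 60


class ResetService:
    """Email-delivered, single-use, expiring reset tokens. Only a SHA-256
    fingerprint of each token is kept, so a leaked table cannot be replayed."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for testing expiry
        self._pending = {}             # fingerprint -> (email, expires_at)

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_reset(self, email: str) -> str:
        """Issue a fresh 256-bit token for the account. The caller sends it to
        the address on file; the raw token is never persisted here."""
        token = secrets.token_urlsafe(32)
        self._pending[self._fingerprint(token)] = (email, self._clock() + RESET_TTL)
        return token

    def consume(self, token: str, email: str) -> bool:
        """Accept a token once, before expiry, and only for the account that
        requested it. A token presented for the wrong account is discarded
        rather than left reusable."""
        record = self._pending.pop(self._fingerprint(token), None)
        if record is None:
            return False
        owner, expires_at = record
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(owner.encode("utf-8"), email.encode("utf-8"))

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    svc = ResetService()
    tok = svc.request_reset("user@example.com")   # constructed address
    print("first use :", svc.consume(tok, "user@example.com"))
    print("second use:", svc.consume(tok, "user@example.com"))
```

The response to a reset request should be identical whether or not the address exists, so the endpoint does not double as an account-enumeration oracle; that is a property of the HTTP handler around this class, not of the class itself.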
Vimeo, Meetup, Basecamp, Bit.ly, Shutterstock (the stock photography agency), MailChimp, Feedly, Evernote, Moz, Move: denial-of-service, or DDoS, attacks against web start-ups. In each case, attackers knock their victims offline using a flood of traffic and refuse to stop until victims pay their ransom in Bitcoins.
10 million Starbucks customers at risk for official iOS app flaw. The official Starbucks iOS app doesn't encrypt users' data, including your password. A security hole recently discovered in Facebook's iOS and Android apps has now been found in Dropbox's iOS app as well. The flaw allows anyone with physical access to your phone to copy your login credentials — because, get this, both companies store your login information in unencrypted text files.
2014 Breach Threat Vectors
• Resisted activating of IPS, Firewall, out-of-date antivirus
• 3rd party vendor security
• Credit card data not encrypted
• Unrestricted employee laptop access to work & home
• Service accounts / Insecure password
• Data inadvertently exposed online
• Web server configuration, insecure crypto
• Losing Thumb drive / unencrypted CD
• Application Security - SQL Injection, XSS, DOS
• Mobile Apps Data Leakage, transmission security
Demo
What we will cover
1. Recent Breaches & What we can learn from them
2. Demo
3. (Few) Security & Compliance considerations
(Few) Security & Compliance Considerations
1. Data (& IP) Protection
2. Firewall / Malware / Anti-Virus
3. Encrypt Everything
4. Secure Configurations
5. Application / Mobile Security
6. Risk Assessment
7. Backup / Data Recovery
8. Employee Training
9. Vendor Security
10. Security Vs. Compliance
11. Others
Data (& IP) Protection
1. Identify Sensitive Data & Intellectual Property
2. Isolate/segregate sensitive data
3. DLP Tools
Firewall / Malware / Anti-Virus
1. Continuously monitor workstations, servers, and mobile devices
2. Disable auto-run content from removable media
3. Scan and block all malicious e-mail attachments entering the organization's e-mail gateway
4. Control outbound content as well as inbound
5. The best services identify previously identified malware, emergent threats, suspiciously behaving scripts, phishing campaigns, risky websites and other potential threats
Encrypt Everything
Know exactly what sort of data you hold and why you are holding it. Encrypt sensitive data in use, at rest, and in motion:
• OS Encryption - BitLocker, FileVault, AxCrypt
• Encrypt your external and USB thumb drives
• Internet traffic – VPN
• Email – Gmail, Outlook certificates
• Encrypt Google Drive, Dropbox (or other cloud storage)
• Encrypt your Word, Excel, and PowerPoint documents
Secure Configurations
Establish, implement, and actively manage the security configuration of:
1. Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
2. Network Devices such as Firewalls, Routers, and Switches
3. Password, Automated patching
4. Restrict use of removable storage devices
Application / Mobile Security
Web / Mobile Application Security
• Develop Secure Web, Mobile Applications & Service API Security
• Add Security Attributes to SDLC
• Enlist QA to test for basic application security flaws
Risk Assessments (Technical)
1. Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis
2. Correlate event logs with information from vulnerability scans
3. Penetration Tests and Red Team Exercises
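Step 2, correlating event logs with scan results, as an added example that is not the talk's tooling or any scanner's output format: constructed scan findings (placeholder ids, not real advisory numbers) are joined with constructed syslog-style lines on host and service, so a finding on a service that is already seeing failed logins or probing requests ranks ahead of an equally severe one that is quiet.

```python
import re
from collections import defaultdict

# Constructed scanner output: (host, port, service, finding id, severity).
# The finding ids are placeholders, not real advisory identifiers.
SCAN_RESULTS = [
    ("web-01", 443, "https", "FINDING-PLACEHOLDER-1", "high"),
    ("web-01", 22, "ssh", "FINDING-PLACEHOLDER-2", "medium"),
    ("db-01", 3306, "mysql", "FINDING-PLACEHOLDER-3", "high"),
    ("build-01", 22, "ssh", "FINDING-PLACEHOLDER-4", "low"),
]

# Constructed syslog-style event lines; addresses are from documentation ranges.
LOG_LINES = """\
Oct 03 10:12:01 web-01 sshd[2210]: Failed password for root from 203.0.113.5 port 51022 ssh2
Oct 03 10:12:03 web-01 sshd[2210]: Failed password for root from 203.0.113.5 port 51024 ssh2
Oct 03 10:13:40 db-01 mysqld[991]: Access denied for user 'app'@'198.51.100.7'
Oct 03 10:14:02 web-01 nginx: 203.0.113.5 "GET /wp-config.php~ HTTP/1.1" 404
Oct 03 10:15:11 build-01 sshd[770]: Accepted publickey for ci from 10.0.0.4 port 40000 ssh2
"""

LOG_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>[A-Za-z_]+)")

# Log program names mapped onto the service names the scanner reports.
PROG_TO_SERVICE = {"sshd": "ssh", "mysqld": "mysql", "nginx": "https"}

# Substrings that mark a line as failed or probing activity (constructed set).
SUSPICIOUS_MARKERS = ("Failed password", "Access denied", '" 404')

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def parse_events(text: str) -> list:
    """Return (host, service, is_suspicious) for every parsable log line."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        service = PROG_TO_SERVICE.get(match.group("prog"), match.group("prog"))
        suspicious = any(marker in line for marker in SUSPICIOUS_MARKERS)
        events.append((match.group("host"), service, suspicious))
    return events


def correlate(scan_results: list, events: list) -> list:
    """Count suspicious events per (host, service), attach the count to the
    scanner finding for that same service, and rank: findings with live
    hostile activity first, then by severity, then by event count."""
    activity = defaultdict(int)
    for host, service, suspicious in events:
        if suspicious:
            activity[(host, service)] += 1
    ranked = []
    for host, port, service, finding, severity in scan_results:
        ranked.append({
            "host": host, "port": port, "service": service,
            "finding": finding, "severity": severity,
            "suspicious_events": activity.get((host, service), 0),
        })
    ranked.sort(
        key=lambda r: (r["suspicious_events"] > 0,
                       SEVERITY_RANK[r["severity"]],
                       r["suspicious_events"]),
        reverse=True,
    )
    return ranked


def prioritized_findings() -> list:
    """Run the correlation over the constructed inputs above."""
    return correlate(SCAN_RESULTS, parse_events(LOG_LINES))


if __name__ == "__main__":
    for row in prioritized_findings():
        print(f"{row['host']:9} {row['service']:6} {row['severity']:7} "
              f"events={row['suspicious_events']}  {row['finding']}")
```

The join key is deliberately (host, service) rather than just host: a scanner finding on a web port and failed SSH logins on the same machine are related but not the same signal, and keeping them separate stops one noisy service from inflating every finding on the box.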
Backup / Data Recovery
1. Backup systems continuously
2. Test data on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working
3. Backup Encryption
4. Authentication of users and backup clients to the backup server
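Steps 2 to 4 as one added, scripted restore test, not the talk's procedure or any backup vendor's: back up a constructed directory, store a keyed integrity tag beside the archive, restore into a fresh location and compare per-file hashes against the manifest, then repeat against a deliberately corrupted archive. The HMAC here gives authentication of the archive only; encrypting the archive itself needs a library beyond the Python standard library, so that step is left out. The key, the sample files and the temporary paths are constructed for the example.

```python
import hashlib
import hmac
import os
import tarfile
import tempfile

# Constructed key for the integrity tag. In practice it lives in a KMS or a
# key file that is kept outside the backup set it protects.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def make_sample_tree(root: str) -> None:
    """Constructed data to back up: a config file and a note."""
    os.makedirs(os.path.join(root, "conf"))
    with open(os.path.join(root, "conf", "app.ini"), "w") as fh:
        fh.write("[db]\nhost=localhost\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("hello backup\n")


def file_digests(root: str) -> dict:
    """SHA-256 of every file under root, keyed by path relative to root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def create_backup(source: str, archive: str) -> dict:
    """Write a gzip tar of source, store an HMAC tag beside it, and return
    the per-file manifest that the restore test is checked against."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    with open(archive, "rb") as fh:
        tag = hmac.new(DEMO_KEY, fh.read(), hashlib.sha256).hexdigest()
    with open(archive + ".hmac", "w") as fh:
        fh.write(tag)
    return file_digests(source)


def archive_tag_valid(archive: str) -> bool:
    """Recompute the tag and compare it in constant time."""
    with open(archive, "rb") as fh:
        expected = hmac.new(DEMO_KEY, fh.read(), hashlib.sha256).hexdigest()
    with open(archive + ".hmac") as fh:
        return hmac.compare_digest(expected, fh.read().strip())


def restore_and_check(archive: str, dest: str, manifest: dict) -> bool:
    """The restore test: refuse an archive whose tag does not verify, extract
    it, and confirm every restored file hashes to what was backed up."""
    if not archive_tag_valid(archive):
        return False
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")   # Python 3.12+
        except TypeError:
            tar.extractall(dest)                  # older interpreters
    return file_digests(dest) == manifest


def run_restore_test() -> tuple:
    """Return (clean_restore_ok, tampered_restore_ok) for the constructed tree."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(src)
        make_sample_tree(src)
        archive = os.path.join(work, "backup.tgz")
        manifest = create_backup(src, archive)
        clean = restore_and_check(archive, os.path.join(work, "restore1"), manifest)
        # Flip one byte of the archive and run the same test again.
        with open(archive, "r+b") as fh:
            fh.seek(12)
            original = fh.read(1)
            fh.seek(12)
            fh.write(bytes([original[0] ^ 0xFF]))
        tampered = restore_and_check(archive, os.path.join(work, "restore2"), manifest)
        return clean, tampered


if __name__ == "__main__":
    print("clean restore ok:", run_restore_test()[0])
    print("tampered restore ok:", run_restore_test()[1])
```

The useful discipline is that the manifest is recorded at backup time and the comparison runs on a schedule from a machine other than the one that wrote the archive; a backup that has never been restored is an assumption, not a control.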
Employee Training
• Security Awareness Training, Developer Security Training, QA / Product management security Training
• Training driven by role, compliance requirement and access to data
• Outsource or develop in house (do the boring work)
Vendor Security
Key points in Contracts / SLA
• Right to audit clause
• Third party assurance of controls – SOC 1/2/3, ISAE 3402, ISO 27001, etc.
• Information Security and physical security requirements – IPS/IDS, WAF, penetration testing, vulnerability management, SIEM, etc.
• Recourse and remediation of unsatisfactory performance
• Data breach liability
• Sub-contracting – i.e., CSP is leveraging other CSPs
Compliance Consistency
Compliance is a baseline. Test once, comply with many approach:
• Enable one test to cover multiple compliance initiatives
• Leverage common requirements across standards
• Align controls to cover multiple compliance initiatives
• Consolidate service providers
• Achieve reduction in overall assessment resources for the environment
Few Others
1. Controlled Use of Administrative Privileges
2. Configure all administrative passwords to be complex
3. Secure Data Destruction – BleachBit, Eraser, Wipe
4. Maintenance, Monitoring, and Analysis of Audit Logs
5. Incident Response and Management – Not if but when
Recap – Security & Compliance for Startups
Breach
• Resisted activating of IPS, Firewall, out-of-date antivirus
• Credit card data not encrypted
• Reconnaissance, Scanning, Probing, Gaining Access, Exploitation
• Service accounts / Insecure password
• Data inadvertently exposed online
• Web server insecure configuration
• Losing Thumb drive / unencrypted CD
• SQL Injection, DOS
• Mobile Apps Data Leakage, transmission security
Security Consideration
1. Data (& IP) Protection
2. Firewall / Malware / Anti-Virus
3. Encrypt Everything
4. Secure Configurations
5. Application / Mobile Security
6. Risk Assessment
7. Backup / Data Recovery
8. Employee Training
9. Vendor Security
10. Security Vs Compliance
11. Others
Questions? - [email protected]
Symosis Resources for Startups / SMB – Please email [email protected] for more information
• Free Training Evals – Security for Developers, OWASP Top 10, JAVA / .NET, IOS, Android, Emerging Threats, PCI/HIPAA Security Awareness
• Free Security Checks – Automated Scans on Mobile Apps, Web Apps & External IP
• Free Compliance Gap Templates - HIPAA, PCI DSS