
Page 1: Security Compensation - How to Invest in Start-Up Security

Security Compensation
HOW TO INVEST IN STARTUP SECURITY

April 8, 2015

Page 2: Introduction
WHO ARE THOSE PEEPS UP IN FRONT?

Page 3: Some Cool Peeps
RELEVANT BECAUSE EASTER

Chris Grayson
• Security Associate

Austin Whipple
• Senior Security Analyst

Page 4: Agenda
WHATCHU TALKIN’ ‘BOUT HOLMES?

• Offloading Security Risk
• Security Best Practices for Start-ups
• Conclusion

Page 5: Offloading
ONLY MARGINALLY DIFFERENT FROM FREELOADING

Page 6: Offloading Risk
THE GAME OF GLOBAL DOMINATION

• Risk = (Probability of a threat occurring against an asset) x (Value of asset)
• Reducing risk can be done by reducing the probability of the threat or reducing the value of the asset.
• What is offloading risk?

Page 7: Offloading Email
EVERY WEEK I CHECK THE EMAIL

• Email has lots of hidden “gotchas”: spoofing, forwarding, encryption, backups, etc.
• These are incredibly easy to overlook and misconfigure. Don’t do it yourself!

Page 8: Offloading SSL
ENCRYPT ALL THE THINGS

• Similar to email, there are lots of “gotchas” that can lead to exploitation (Heartbleed).
• Platforms like Cloudflare get early warning/access to exploits to fix them before the security advisory goes public.

Page 9: Offloading Hosting
EVERYTHING IS SECURE IN “THE CLOUD”

• “Cloud” is not the be-all and end-all of technology solutions, but it does have its place.
• Amazon suite, for example, makes it easier to have security by default.

Page 10: Offloading Payroll
YOU CAN’T STEAL WHAT THEY DON’T HAVE

• In 2015, there aren’t very many good reasons to be doing your own payroll.
• If you aren’t storing/handling/processing those details, we can’t steal them from you.

Page 11: Offloading Bug Bounties
YOU DEAL WITH MY PROBLEMS

• For tech companies with a product or a web presence, research shows that having a bug bounty is a good idea.
• Bugcrowd: 193 – average number of valid submissions per bug bounty run

Page 12: Security Best Practices
START NOW OR FOREVER HOLD YOUR PEACE

Page 13: Principle of Least Privilege
NO, THEY DON’T NEED AN ADMIN ACCOUNT

• As per Wikipedia, “every module must be able to access only the information and resources that are necessary for its legitimate purpose.”
• Local admin rights, access to file shares, other sensitive information
• Not about trust – about minimizing exposure

Page 14: Hardening Your Browser
THIS MIGHT HURT A LITTLE

• Browsers are popular targets.
• Script blocking
  • ScriptSafe, ScriptBlock, NoScript
• Ad blocking
  • Adblock
• Tracker blocking
  • Ghostery, Disconnect

Page 15: Authentication
WHO ARE YOU AND WHAT ARE YOU DOING ON MY SERVER?!

How a digital system identifies a user.

• Authenticate with Facebook, Google
• Private keys
• Two-factor authentication on highly-sensitive endpoints (email, VPN)
  • Duo Security

Page 16: Virtualization
DOMO ARIGATO MR. ROBOTO

• Wikipedia defines sandboxing as, “a security mechanism for separating running programs. It is often used to execute untested code.”
• Virtual machines!
  • VMware, VirtualBox

Page 17: Password Management
YOU CAN’T LIVE WITH ‘EM, YOU CAN’T LIVE WITHOUT ‘EM

Passwords are the most ubiquitous form of authentication.

• One of the most valuable targets for an attacker.
• Don’t re-use them!
• Don’t share them!
• Don’t write them down!
• Use password vaults where possible.
  • KeePass, LastPass

Page 18: Applications and Services
YOU’VE GOT WHAT ON YOUR EXTERNAL NETWORK?!

• Vulnerable services and applications lead to compromised businesses.
• Internal applications shouldn’t be on the open Internet.
• Have a network? VPN + 2FA
• No network? SSH + private key + port forwarding

Page 19: Applications and Services
UGH FINE – WELL IF IT HAS TO BE ON THE INTERNET

Only if you insist…

• Not using publicly-vulnerable software
• All sensitive information is encrypted when transmitted across the network
• If passwords are used, the passwords are strong
• Web application? Pay attention to the OWASP top 10
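One way to act on these two slides is to check what a host is actually listening on. The script below is an added example, not code from the deck or from Bishop Fox: it parses a constructed sample in the shape of `ss -ltnp` output and flags every listener bound to all interfaces (or to a non-VPN address) unless its port is on an allowlist of services that are meant to be public. The allowlist (22 for key-only SSH, 443 for the TLS front end) and the VPN tunnel range 10.8.0.0/24 are assumptions for the example.

```python
"""Flag services listening on Internet-facing addresses.

Added example (not from the slides): parses constructed `ss -ltnp`-style
output and classifies each listener, so internal applications that ended
up on the open Internet stand out. The interface range and the allowlist
are assumptions for this example.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample output in the shape of `ss -ltnp` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=1450,fd=21))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
LISTEN 0 128 10.8.0.1:3000 0.0.0.0:* users:(("node",pid=1600,fd=18))
LISTEN 0 128 [::]:9200 [::]:* users:(("java",pid=1700,fd=40))
"""

# Assumptions for this example: which ports are meant to be public, and
# which address range belongs to the VPN tunnel interface.
PUBLIC_ALLOWLIST = {22: "sshd, key-only authentication", 443: "TLS web front end"}
VPN_NETWORK = ip_network("10.8.0.0/24")

# State Recv-Q Send-Q Local:Port Peer:Port Process  (IPv6 locals are bracketed)
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\[[^\]]*\]|[^\s:]+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(text):
    """Yield (process, address, port) for each LISTEN line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("proc"), m.group("addr").strip("[]"), int(m.group("port"))


def classify(addr, port):
    """Return a verdict string for one listening socket."""
    ip = ip_address(addr)
    if ip.is_loopback:
        return "local-only"
    if ip in VPN_NETWORK:  # False for IPv6 addresses, which never fall in a v4 range
        return "vpn-only"
    if port in PUBLIC_ALLOWLIST:
        return "public (allowlisted: %s)" % PUBLIC_ALLOWLIST[port]
    if ip.is_unspecified:
        return "EXPOSED: bound to all interfaces"
    return "EXPOSED: bound to a non-VPN interface address"


def exposed_services(text):
    """Return sorted (process, port) pairs that belong behind the VPN or an SSH forward."""
    found = set()
    for proc, addr, port in parse_listeners(text):
        if classify(addr, port).startswith("EXPOSED"):
            found.add((proc, port))
    return sorted(found)


if __name__ == "__main__":
    for proc, addr, port in parse_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proc:10s} {addr}:{port:<6d} {classify(addr, port)}")
```

Run against real output with `ss -ltnp | python3 this_script.py`-style piping after swapping `SAMPLE_SS_OUTPUT` for `sys.stdin.read()`; the two `java` listeners on 8080 and 9200 are the kind of internal application the slide says should never face the Internet.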

Page 20: Email
AN AGE OLD PROTOCOL WITH SERIOUS SECURITY IMPLICATIONS

Majority of sensitive communication occurs via email.

• Encrypt your emails
• Protect your domain from spoofed emails
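The resources at the end of the deck point at SPF, DKIM and DMARC for the second bullet. As an added example (not code from the deck), the script below reads a domain's SPF and DMARC TXT strings, the same text `dig TXT example.com` and `dig TXT _dmarc.example.com` return, and reports whether the anti-spoofing policy is actually enforced or merely published. The zones are constructed sample data; the checks themselves follow the published standards (the `all` qualifier and the ten-lookup limit from RFC 7208, the `p`, `rua` and `pct` tags from RFC 7489), and the report format is an assumption.

```python
"""Check SPF and DMARC TXT records for weak or missing anti-spoofing policy.

Added example (not from the slides): parses DNS TXT strings as an operator
would retrieve them and flags records that exist but do not block spoofing.
All zone data below is constructed, not the result of real lookups.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records (not real DNS answers).
SAMPLE_ZONES = {
    "weak.example": {
        "txt": ["v=spf1 include:_spf.mailprovider.example ~all"],
        "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    },
    "strong.example": {
        "txt": ["v=spf1 ip4:203.0.113.10 include:_spf.mailprovider.example -all"],
        "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"],
    },
    "none.example": {"txt": ["some-verification=abc"], "dmarc_txt": []},
}


@dataclass
class SpfResult:
    present: bool
    all_mechanism: Optional[str] = None   # "-all", "~all", "?all" or "+all"
    lookup_mechanisms: int = 0            # include/a/mx/ptr/exists/redirect (limit 10)
    findings: List[str] = field(default_factory=list)


def check_spf(txt_records):
    """Evaluate the SPF record among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return SpfResult(False, findings=["no SPF record: any host may send as this domain"])
    if len(spf) > 1:
        return SpfResult(True, findings=["multiple SPF records: receivers return permerror"])
    result = SpfResult(True)
    for term in spf[0].split()[1:]:
        mech = term.lstrip("+-~?")
        name = mech.split(":")[0].split("/")[0].lower()
        if name in ("include", "a", "mx", "ptr", "exists") or mech.lower().startswith("redirect="):
            result.lookup_mechanisms += 1
        if name == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            result.all_mechanism = qualifier + "all"
    if result.all_mechanism is None:
        result.findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif result.all_mechanism == "+all":
        result.findings.append("'+all' authorises every host on the Internet")
    elif result.all_mechanism in ("~all", "?all"):
        result.findings.append(f"'{result.all_mechanism}' is softfail/neutral; move to '-all' once all senders are listed")
    if result.lookup_mechanisms > 10:
        result.findings.append("more than 10 DNS-lookup mechanisms: evaluation ends in permerror")
    return result


def check_dmarc(txt_records):
    """Evaluate the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"present": False, "policy": None,
                "findings": ["no DMARC record: SPF/DKIM failures are never acted on"]}
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p")
    findings = []
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' address: aggregate reports will never arrive")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail stream")
    return {"present": True, "policy": policy, "findings": findings}


def audit(domain, zone):
    """Combine both checks; 'enforced' means receivers will quarantine or reject spoofed mail."""
    spf = check_spf(zone.get("txt", []))
    dmarc = check_dmarc(zone.get("dmarc_txt", []))
    return {"domain": domain, "spf": spf, "dmarc": dmarc,
            "enforced": dmarc["policy"] in ("quarantine", "reject")}


if __name__ == "__main__":
    for domain, zone in SAMPLE_ZONES.items():
        report = audit(domain, zone)
        print(f"{domain}: {'ENFORCED' if report['enforced'] else 'NOT ENFORCED'}")
        for finding in report["spf"].findings + report["dmarc"]["findings"]:
            print("  -", finding)
```

The verdict is driven by the DMARC `p` tag on purpose: SPF and DKIM only produce results, and without a quarantine or reject policy a receiver has no instruction to act on a failure, which is the common state of domains that "have SPF set up" and are still spoofed.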

Page 21: File Sharing
EVERYBODY DOES IT

• Don’t leave sensitive files sitting around
  • USB drives, FTP servers, anonymously-accessible file shares
• Encryption
  • ZIP files, TrueCrypt volumes
• Don’t email files!
• Syncing files
  • Git, SVN, Box.com, Dropbox.com, Seafile

Page 22: Account Provisioning and Revocation
PAY A LITTLE NOW OR A LOT LATER

Employees will come and go.

• Establish a process for provisioning and revocation
• May not seem necessary…
• But by the time it is, it’s too late.
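A revocation process only works if somebody checks it. The script below is an added example, not from the deck: it reconciles a constructed HR roster against constructed account exports from three systems and lists terminated employees whose accounts are still live (with how many days past their last day), accounts nobody on the roster owns, and active employees missing a baseline account. The system names, addresses, dates and the choice of which systems count as baseline are all assumptions for the example.

```python
"""Reconcile the HR roster against per-system account lists.

Added example (not from the slides): the check that makes a provisioning
and revocation process verifiable. All people, systems and dates below
are constructed sample data.
"""
from datetime import date

# Constructed roster: one row per person, with HR status and last day (ISO date).
HR_ROSTER = [
    {"email": "ana@startup.example", "status": "active", "end_date": None},
    {"email": "ben@startup.example", "status": "terminated", "end_date": "2015-03-31"},
    {"email": "cai@startup.example", "status": "active", "end_date": None},
    {"email": "dee@startup.example", "status": "terminated", "end_date": "2015-04-06"},
]

# Constructed exports of who currently holds an account in each system.
SYSTEM_ACCOUNTS = {
    "google_apps": ["ana@startup.example", "ben@startup.example",
                    "cai@startup.example", "dee@startup.example"],
    "github": ["ana@startup.example", "cai@startup.example", "contractor@other.example"],
    "vpn": ["ana@startup.example", "ben@startup.example",
            "dee@startup.example", "deploy-shared@startup.example"],
}

# Assumption: every active employee is expected to hold an account in these systems.
BASELINE_SYSTEMS = ("google_apps", "vpn")

# The date the check is run as of (constructed to match the sample data).
AS_OF = date(2015, 4, 8)


def reconcile(roster, accounts, today):
    """Return accounts to revoke, accounts nobody on the roster owns, and missing baseline accounts."""
    by_email = {row["email"]: row for row in roster}
    revoke, orphans, missing = [], [], []
    for system, holders in accounts.items():
        for email in holders:
            row = by_email.get(email)
            if row is None:
                # Shared, contractor or unknown accounts: no owner means no offboarding trigger.
                orphans.append((system, email))
            elif row["status"] == "terminated":
                last_day = date.fromisoformat(row["end_date"])
                revoke.append((system, email, (today - last_day).days))
    for row in roster:
        if row["status"] != "active":
            continue
        for system in BASELINE_SYSTEMS:
            if row["email"] not in accounts.get(system, []):
                missing.append((system, row["email"]))
    return {"revoke": sorted(revoke), "orphans": sorted(orphans), "missing": sorted(missing)}


if __name__ == "__main__":
    report = reconcile(HR_ROSTER, SYSTEM_ACCOUNTS, AS_OF)
    for system, email, overdue in report["revoke"]:
        print(f"REVOKE  {system:12s} {email:32s} {overdue} days after last day")
    for system, email in report["orphans"]:
        print(f"ORPHAN  {system:12s} {email}")
    for system, email in report["missing"]:
        print(f"MISSING {system:12s} {email}")
```

Run it on a schedule against the real exports and the "days after last day" column becomes the metric for how well the process is working; a non-empty orphan list is the usual sign that shared or contractor accounts were created outside it.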

Page 23: Process Management
BUT I THOUGHT WE WERE TALKING ABOUT SECURITY…

• Security controls only count when they’re used.
• Uniform practices
  • Repeatable
  • Thought out
  • Documented
  • Verbalized
• Don’t over-engineer!

Page 24: Wireless Networks
CUT ALL THE CLUTTER

• Don’t do it
• Seriously – don’t do it
• Wireless networks pose significant risk
• Open wireless network for guests
• WPA2-PSK for employee Internet access

Page 25: Conclusion
BRINGING IT ALL FULL-CIRCLE

Page 26

Now that we’ve blown your mind…

Page 27: Key Takeaways
IF YOU DON’T REMEMBER ANYTHING ELSE…

If you can offload to a secure service, do it!
Start security ASAP - you’ll be glad you did later.

Page 28: Parting Words
ALWAYS THE HARDEST PART… :’(

Page 29: Questions
AND MAYBE ANSWERS

Page 30: Contact Us
WE’RE A CHATTY BUNCH

• @BishopFox
• Facebook.com/BishopFoxConsulting
• LinkedIn.com/Company/Bishop-Fox
• Google.com/+BishopFox

Page 31: Thank You

Page 32: Additional Resources (1 of 4)

Wikipedia – Principle of Least Privilege
http://en.wikipedia.org/wiki/Principle_of_least_privilege

ScriptSafe Chrome Plugin
https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en

NoScript Firefox Plugin
https://addons.mozilla.org/en-us/firefox/addon/noscript/

AdBlock
https://adblockplus.org/

Ghostery
https://www.ghostery.com/en/

Disconnect
https://disconnect.me/

Authenticate with Google
https://developers.google.com/identity/

Page 33: Additional Resources (2 of 4)

Authenticate with Facebook
https://developers.facebook.com/docs/facebook-login/v2.3

Wikipedia – Key Authentication
http://en.wikipedia.org/wiki/Key_authentication

Wikipedia – Two-Factor Authentication
http://en.wikipedia.org/wiki/Two_factor_authentication

Duo Two-Factor Authentication
https://www.duosecurity.com/

Better Security Through Sandboxing
http://www.windowsecurity.com/articles-tutorials/windows_os_security/Better-Security-through-Sandboxing.html

KeePass Password Safe
http://keepass.info/

LastPass
https://lastpass.com/

Page 34: Additional Resources (3 of 4)

OpenVPN How-To
https://openvpn.net/index.php/open-source/documentation/howto.html

SSH Port Forwarding
https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding

OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Microsoft – Building a Strong Password Policy
https://technet.microsoft.com/en-us/library/cc736605%28v=ws.10%29.aspx

Getting Started with S/MIME
http://www.office.mvps.org/smime/

DKIM Explained
http://www.gettingemaildelivered.com/dkim-explained-how-to-set-up-and-use-domainkeys-identified-mail-effectively

Setting up SPF Records
http://www.rackspace.com/apps/support/portal/1212

Page 35: Additional Resources (4 of 4)

How to Set Up DMARC Email Authentication
http://www.gettingemaildelivered.com/how-to-set-up-dmarc-email-authentication

Encrypting ZIP Files with 7-Zip
http://www.northeastern.edu/securenu/?page_id=2573

TrueCrypt
http://truecrypt.sourceforge.net/

Bug Bounties Helpful
https://www.eecs.berkeley.edu/~daw/papers/vrp-use13.pdf

Bug Bounties Helpful, pt. 2
http://www.cmswire.com/cms/information-management/bug-bounty-programs-help-companies-track-vulnerabilities-027932.php

Bugcrowd
https://bugcrowd.com/products/bounty