cybersecurity for startups
TRANSCRIPT
whoami
● Sastry Tumuluri
– CEO, Digital Self Defense InfoSec
– Program Leader, Startup Leadership Program (SLP), Delhi Chapter
– Was CISO of Haryana State
– Architect of MCA21 system
– Chapter Leader, NULL & OWASP Chandigarh
– Been around for a long time
Security People are Awesome
● Only telling the truth
● Truth hurts
● We only want perfection. Nothing more.
First... some stories
● My AWS network bills shot up
● I got a really nasty email from my ISP
● Oh no, ransomware hit!
● My servers were shut down one day before the launch
● I only have a few users, but everything is slow now
#1 – Eat Healthy
● For those who are/have techies – harden your servers!
– Use free checklists available on the net
– Change defaults!
– Lynis audit
● For others – use a managed hosting service
– Choose one that offers backups, updates & security
– Several good options for WordPress
– More expensive than the cheapest option, but still reasonable
● No... no no no... not shared hosting please!
#2 - Exercise Regularly
● Update your OS and all other software regularly
– Make it a daily routine
– Tell your developers to stay on top of new versions
● Sometimes upgrades break your application
● Trade-off!
● Please repeat after me
– Take regular backups!
#3 – Go For Regular Health Checkups
● Scan your web site regularly for weaknesses
– Yes, one more task in your daily routine
– Several free scanning options are available
● Some are downloads, most are services
● Some are limited in some ways
● Try and buy the services if you like them
● Check your backups... make sure they’re good
#4 – Watch your assets on CCTV
● This is probably the hardest
● Startup-friendly monitoring solutions are hard to find
● But we’re happy to help
– <skipping our advertisement here>
● If no other option, check your logs regularly
– Daily routine... will take the longest; also the hardest to make sense of
#5 – Rapid Response, Expert Response
● No matter how good your IT staff are...
– Security breaches are best handled by experts
– Knowing the latest hacker techniques is a full-time job
● Do your homework beforehand
– React in minutes/hours, not days
– Look for Incident Response specialists, not hackers
#6 – Securing yourself & your laptop
● Email hygiene
– Beware links & attachments in emails
● Browsing hygiene
– Use uBlock Origin, an ad-blocker
– Don’t click everything you see, don’t go to dark alleys
● Mobile hygiene
– Beware fake apps, beware app-permission abuse
– Update regularly... but wait! Sadly, it’s not in your hands
● Password hygiene
– Use password managers, set up 2FA (two-step authentication via SMS / other)
● Trust hygiene – the mother of all security issues
#7 – A few extras
● Use free Web Application Firewall / equivalent options
– e.g., modsecurity, CloudFlare
● Secure Coding – is a biggie, but this is not a tech class
– Ask your developers to attend NULL/OWASP meetups regularly
● Use SSH keys to access your servers, not passwords!
– Stop helping the hackers!
● Secure your email servers; advise your customers & employees
– Mails from the CEO asking for wire transfers
– Mails to customers saying your bank account details have changed
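The "change defaults" point from #1 and the "SSH keys, not passwords" point from #7 can be turned into a quick self-check. The script below is an added example, not material from the talk: it reads an OpenSSH sshd_config the way sshd does (first non-comment occurrence of a keyword wins) and reports any setting still at a weak value. The two sample config files are constructed for the demo; Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example, not from the talk: audit an sshd_config against the
# "change defaults" and "keys, not passwords" points on the slides.
# Assumes OpenSSH sshd_config syntax; Match blocks are not evaluated.

# Effective value of a keyword: sshd takes the first non-comment
# occurrence, so that is what we return; DEFAULT if the keyword is absent.
sshd_value() {
    awk -v k="$2" -v d="$3" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }
    ' "$1"
}

# Prints one "WEAK:" line per setting still at an unsafe value and returns 1
# if any were found, 0 otherwise. Defaults passed in are OpenSSH's shipped ones.
audit_sshd_config() {
    f="$1"; rc=0
    if [ "$(sshd_value "$f" PasswordAuthentication yes)" != "no" ]; then
        echo "WEAK: PasswordAuthentication is not 'no' (use SSH keys, not passwords)"; rc=1
    fi
    if [ "$(sshd_value "$f" PubkeyAuthentication yes)" != "yes" ]; then
        echo "WEAK: PubkeyAuthentication is disabled"; rc=1
    fi
    case "$(sshd_value "$f" PermitRootLogin prohibit-password)" in
        no|prohibit-password) ;;
        *) echo "WEAK: PermitRootLogin permits password login as root"; rc=1 ;;
    esac
    if [ "$(sshd_value "$f" PermitEmptyPasswords no)" != "no" ]; then
        echo "WEAK: PermitEmptyPasswords is enabled"; rc=1
    fi
    return "$rc"
}

# Constructed sample configs (not real server files) for the demo.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# defaults left in place; the important line is still commented out
#PasswordAuthentication no
PermitRootLogin yes
EOF
cat > "$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no
EOF
audit_sshd_config "$WEAK_CFG" || echo "weak config: fix the findings above"
audit_sshd_config "$HARD_CFG" && echo "hardened config: OK"
```

On a real server, point `audit_sshd_config` at /etc/ssh/sshd_config and re-run it after every update, since package upgrades can reintroduce a default.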