Most “start here” for infosec guides begin with an exercise in assessing and enumerating the threats and risks. However, for most startups there isn’t a clear answer here. Unless you’re a high-value target attracting focused attacks the main threat to your company and products is the ambient background noise on the internet: port scans, dorks, or vulnerabilities in widely deployed software. While one specific actor might be interested in trawling for some narrow niche, taken in aggregate all of this background noise sums to a collective threat. A startup needs to do just the basics to stay ahead of it all.
In our continuing series, here are some easy wins you can do to keep your startup secure. (Previously: Do the basics)
- 2FA/MFA every service that your team interacts with
Ensure multi-factor auth is turned on for all your users across all of your services—your cloud providers (AWS, GCP, Azure), your source control (GitHub, GitLab), and your account systems (GSuite, Rippling, Office 365).
- Delete old users and stale access keys
As team members, contractors, and collaborators come and go be sure to delete old accounts and access keys. This is especially important in your private code repos where collaborators might be added in a one-off manner that isn’t visible at the organization level.
- Keep widely deployed software (Jenkins, Grafana, Jupyter, etc) up to date and optionally behind a VPN
Keeping your deployed software up to date is extremely important. Security updates are a frequent occurrence in all widely deployed open source projects. If your endpoints are available on the public internet, it’s crucial to keep them updated. If you have the cycles to trade off some convenience, put them all behind a VPN.
- Firewall off and close all ports that don’t need to be on the public internet
Modern providers have made strides in sensible and secure defaults for many service (i.e. SSH requires key exchange and password logins disabled). If you have other services open to the internet such as a database port, RPC endpoints, other administrative interfaces they are susceptible to brute forcing.
Stay tuned for more posts in this series where we’ll continue to enumerate other areas startups can get easy wins toward their infosec posture.