Mediocre persistent threats: infosec basics for startups (part 3)

Vikrum Nijjar

Unless you’re an extremely high value target, advanced persistent threats and exotic attacks aren’t a startup’s concern. Diligence around securing the basics of your cloud infrastructure settings is the highest ROI engineering activity you can undertake in the early days. Paying down technical debt around security can seem intractable given infosec’s seemingly never-ending surface area. A startup needs to do the basics across a broad range of concerns.

Photo: CC BY-SA 2.0 Bluecoat, https://www.flickr.com/photos/111692634@N04/15855489588

In our continuing series, here are some easy wins you can do to stay secure. (Previously: Do the basics, Mediocre persistent threats: infosec basics for startups (part 2))

  • Encrypt all of your employees’ company-issued hard disks. When the team is small, it’s easy to get everyone to flip the setting that encrypts their local disk. It’s widely supported on modern computers and there isn’t any noticeable performance impact. Bonus: Use an MDM like Jamf to also ensure laptops are up to date and patched.

  • Use SSO where possible and tie all services your team uses to those credentials (force MFA across the org). Use GSuite or an equivalent to get your employees into the systems they use. This not only makes it easy to onboard and offboard team members, but also leverages the provider’s security infrastructure for authentication.

    • Corollary: Do not use shared logins for any services. They make it a nightmare to track who has access to what, rotating credentials is a pain, and identifying who used the account to do something becomes a game of guessing timestamps and IPs.

    • Bonus: For other important accounts that do not support SSO, make sure the team is using a password manager that can generate and handle this for them.

  • Centralize logging and set up basic alerting. As you start making strides toward a stronger security posture, you’ll be glad you set up logging and alerts. Centralize your logs and plug in infrastructure logs (GCP’s Cloud Audit Logs, AWS’ CloudTrail, GitHub’s audit log) as well.

    • Corollary: If an engineer needs to log in to an instance or service to debug logs, the logging hasn’t been sufficiently centralized.

    • Bonus: Deliver these logs to isolated accounts that don’t share surface area with your application. For example, AWS makes it easy to emit CloudTrail from multiple accounts into a single one. This isolated account can have extremely limited access, users, and exposure.

    • Bonus: Increase the fidelity of your logs by adding tamper-proof (write-once-read-many) destinations. See GCP Bucket Lock and AWS S3 Object Lock. Having the confidence

  • Secure your backups and ensure their fidelity. This one is highly specific to your application and infrastructure. In general, ensure that access to backups is kept at the same bar or higher as access to the source data. Having historic data all sitting together in one place is a treasure if found. Data backups are a perfect candidate for encrypting at rest. Keep encryption and decryption keys separate. Verify the integrity of restoration procedures and have them checked automatically. Further reading.
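As an added illustration of the "centralize logging and set up basic alerting" item above (example code written for this page, not from the original post): three starter rules run over constructed CloudTrail records, flagging console sign-ins without MFA, root-user activity, and calls that tamper with the trail itself. The field names follow CloudTrail's record format; the user names, IPs and timestamps are made up.

```python
# Constructed sample events, shaped like entries in the "Records" array of a
# CloudTrail log file. Only the fields the rules below read are present.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2024-01-01T12:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

# Calls that disable or weaken the trail itself; the isolated log account should page on these.
LOGGING_TAMPER_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def console_login_without_mfa(ev):
    # Successful console sign-in with no MFA factor recorded (a missing field counts as "not used")
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def root_account_activity(ev):
    # Any API call made as the account root user, which SSO'd staff should never need
    return ev.get("userIdentity", {}).get("type") == "Root"

def logging_tampered(ev):
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in LOGGING_TAMPER_CALLS)

RULES = (console_login_without_mfa, root_account_activity, logging_tampered)

def evaluate(events):
    # One alert per (event, matching rule), in log order; add a function to RULES to extend
    alerts = []
    for ev in events:
        identity = ev.get("userIdentity", {})
        principal = identity.get("userName") or identity.get("type")
        for rule in RULES:
            if rule(ev):
                alerts.append({"rule": rule.__name__, "time": ev.get("eventTime"),
                               "principal": principal, "ip": ev.get("sourceIPAddress")})
    return alerts
```

Feed `evaluate` the `Records` array of each delivered log file and route its output to your alerting channel; alice's MFA-backed login produces no alert, the other three events each produce one.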

Stay tuned for more posts in this series where we’ll continue to enumerate other areas startups can get easy wins toward their infosec posture.
