Does anyone have a list of IT security stuff that you should setup for your early stage startup?
Like for example DNSSEC, VPN, forcing employees to use 2-factor etc.
That is specifically written for startups that may have to do SOC2 compliance in the future. But it is a useful starting point for most people.
#1: Single Sign-On
#2: PRs, Protected Branches, and CI/CD
#3: Centralized Logging
#4: Terraform Or Something
#5: CloudTrail And AssumeRole
#6: MDM
#7: VendorSechttps://www.cisecurity.org/controls/cis-controls-list
CIS Top 18 Version 8 works sequentially too, so you implement control 1 and it sets you up in a good place to then implement control 2, and so on.
--- Cyber Essentials: --- The UK's Cyber Essentials scheme is a certification standard (but you can ignore that and just use it as a checklist if you'd like).
It's designed for small to medium size organizations, and focused on getting the foundations right.
This would be a useful place to start but it won't cover some of the specific threats and risks associated with software/app development. See @snowstormsun's comment about OWASP Top 10 for that.
https://www.ncsc.gov.uk/cyberessentials/overview
--- There's loads of other standards like this out there, that are free to use and are each focused on different security challenges etc.
I've shared these two standards as they both setup a solid foundation.
As already noted, a tailored list for startups doesn't really exist. IMO, there are two approaches when it comes to establishing security in a Startup. You can either go the standard route or the checklist route.
1. Standard route: You hire a consultant, decide on a standard (preferably ISO27k) and go implementing. Costs a lot of money, takes a lot of time/energy, you will be happy about it in the future, if your company is not broke by then.
The German Federal Office for Information Security has adapted the ISO27001 standard in the past and created the so called Core Protection methodology. You can find the details here: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundsch...
It's a nice compromise between adherence to the standard and pragmatism.
As a Startup you basically want to protect two things: your IP and availability of your product. The core protection method allows you to specify a very narrow scope that you want to protect and helps you to develop protection requirements.
2. The checklist route: If standards are not your thing, I would advise you to take a look at CISA's "Cyber Essentials" checklist for Small and Midsize Businesses.
If you have 90% of these things implemented - which should be very easy for a startup - you will have a better security posture than 90% of all other companies out there (if not more).
- MDM for laptops/phones, don't let people use their own devices. The point of MDM isn't to stop people installing their favourite IDE, the point of it is to make sure the device is patched and running latest OS. If you have a VPN (even AWS Client VPN supports this...) tie MDM together with device attestation so only patched machines can connect to your VPN.
- Unified login, for a start up you can use Google workspace or even GitHub as your identity provider (this gets weird if you have non-devs but you can push it for a bit). Don't have more than one account/password for things, you just log into your google account then use OIDC/SAML to auth against internal apps. If you do this you probably don't need VPN. Use this to auth into AWS too.
- Don't share accounts on SaaS services (e.g domain registrar), this will make rotating stuff when someone leaves a nightmare. If a service doesn't support teams or you don't want to pay for the enterprise version then it's OK for the CTO and 1 other person to have their own login.
- Minimise/avoid static credentials for your infra (e.g. web server talking to postgres) prefer to use AWS Instance roles with short lived dynamic credentials.
- Make sure network isolation is set up correctly, your Mongo db shouldn't be listening on the internet
- Use 2fa but make sure it's WebAuthn/FIDO. Issue everyone with 2x security keys. People wipe / screw up their phones/TOTP authenticator apps far too much.
- Centralised logging, make sure your apps can output logs to opensearch/datadog/whatever. Whenever a user performs an action make sure this gets logged.
- Don't let people manage prod infrastructure without using Infrastructure as code tools (CDK/Pulumi/Terraform), best thing would be not to give people prod access and all changes have to go through CI
- Make sure you know your product is down before your users start calling/emailing. Set up healhchecks.io / pingdom whatever.
You can have protected branches, pubkey auth everywhere with yubikeys and macs everywhere it all helps reduce noise but security architecture ensures there are no cracks in your defenses. These checklist solutions can do more harm than good by leaving you with the impression that you have a better security-posture and risk appettite than you actually do leading you to make catastrophic decisions.
IT/OPs/Engineering folks who know enough security to be dangerous would say things like "but _____ defensive measure is there,that wouldn't work" or "if they got past all this then we have bigger issues anyways" and be dangerously wrong.
2FA with yubi? Cookie theft is now popular. SSH pubkey on a mac? Commodity multiplatform stealers in Rust and Golang of course are a thing and they include stealing private keys and sensitive files as a feature. MDM doesn't protect you against malware and SSO while still should be implemented makes cookie theft one working attack away from pwning all things the user has access to. Boring old things like segmentation, (good)logging and proactive monitoring (probably MSP for you at the start) are still top of the "list" and despite what pop-security personalities have you believe, not only do you need AV but you need a cross-platform good EDR as soon as possible as well as corporate VPNs and while gsuite is popular with startups, O365 has better security and DLP.
I could go on but my point is you at least need a consultant at the begining and have a solid plan on when you will hire a proper security pro to architect things and make all the devs and engineers do things they disagree with passionately leading some to even leave lol.
> "The SaaS CTO Security Checklist [Redux]" https://github.com/vikrum/SecurityChecklists
> "The Personal Infosec & Security Checklist" https://www.goldfiglabs.com/guide/personal-infosec-security-...
> "The DevOps Security Checklist Redux" https://www.goldfiglabs.com/guide/devops-security-checklist/
For an early stage startup I feel that some unnecessary risks are caused by the lack of separation of privileges because a few people do have the rights to do everything. I'd recommend having your key people keep a separate account for privileged actions so that you're not reading your email with an account that has the access to the keys of the kingdom, that you're not doing stuff on your cloud provider with a user account that has the privileges to accidentally delete everything. Have the superuser accounts on all the third-party systems be something that you use rarely, make a limited account for your daily work.
Don't bother with VPN's if you're SaaS-based. Just take the zero-trust route with mandatory MFA everywhere, invest in Yubikeys for all employees and set up a SIEM box to ingress audit logs from your various systems.
Setting up an Elastic box for this should be relatively straightforward. For many people it's easier to keep SIEM locally hosted (pulling data, no external access) and then periodically push encrypted backups offsite).
You'll probably end up setting up business metrics monitoring from this eventually too, at least in the early days before you start the "data lake" approach.
DNSSEC is a waste of time right now.
This is not a comprehensive checklist per se, but a minimum set of security controls to implement to help secure your AWS account and workloads running on AWS within your account.
Any service that is needed for the day-to-day working of your business should be properly secured. You mention DNSSEC but it starts with the user accounts that are used to log in to your registrar, hosting provider, payment provider, any SaaS... Generate unique, strong passwords for every business related service. Use a password vault like keepass or a service like 1password for secure storage and ease of use. Multi-factor everything you can, and prefer to use an app or physical token over SMS-based multifactor. I have recommended Twilio Authy a lot due to the multi-device support and google authenticator compatibility. Use DNSSEC for your domain(s), enable SPF, DKIM and DMARC for your mail, set up TLS for your website(s). Depending your needs, cloudflare has some great options for the latter.
Security of the endpoints and endusers greatly depends on wether your employees BYOD, what the network looks like and most of all, what you are protecting. I recommend to search for some public "acceptable use policy" or "security policy" documents, especially in the context of ISO27001 and create an own policy based on that, depending on your needs and environment. Even better than policy is proper training for employees on security hygiene, how to avoid phishing and if relevant, secure development. Ceate an open environment for employees to report potential issues or mistakes. Regarding secure development, OWASP is a great resource for anything application security.
Whether a startup, a small company or a large corporation, there is at least one IT security standard in each developed country, if not an international standard (e.g., ISO27002 , NIST cybersecurity, etc.). Their role is exactly what they are called for: they tell whoever owns an IT system what should be done to protect it.
Unless you're an academic doing research, or you have personally reached the limits of a standard in your organization, there is no reason to look elsewhere.
Pull the standard from your country, or pull the ISO27002, and start working on your spreadsheet and assigning tasks :)
Rationale: I have seen enough organizations with the checklist-based approach to security. In all of them, it had nothing to do with actual security, but with convincing customers that the organization is safe to deal with - even if it is in fact false. People responsible for filling in such questionnaires often had an outdated vision of the practices of the company.
Also, once you allow any checklist in, or hire any so-called cybersecurity expert who is actually a checkbox-ticking expert, you will be under constant pressure to strengthen this "security posture" more and more, way beyond reasonable. Hypothetical example: this expert decides that you have to comply with Cyber Essentials, and one of the requirements is to install, on each laptop and desktop, an antivirus that can live-check all of the web pages loaded in browsers. But no such desktop-ready thing exists for Linux, and this expert will tell you to stop using Linux on desktops, thus leading to mass-resignation of developers. While the proper solution would have been "don't deal with the UK government".
and the owasp's cheatsheets in general
A capability is an access token to a resource, and NOT a user account. Think of it as a $10 bill. If you pull a $10 capability from your wallet, you can't lose $1000 by accident, no matter how badly things go.
Flickr makes it possible to give out a guest pass for photos, for example.[2] The nice thing about a guest pass is you can revoke it at any time.
[1] - https://en.wikipedia.org/wiki/Capability-based_security
[2] - https://www.flickrhelp.com/hc/en-us/articles/4404069601172-C...
1. Create a security policy — decide what does/doesn't matter
2. Train employees on security — just do the basic stuff, but all the time (strong passwords, 2FA)
3. Implement security measures — for what matters, take security very seriously
4. Use single sign-on — whether it's Google SSO/Okta/etc, you'll thank yourself later
5. Grant access on-demand — people generally don't need permanent access to sensitive systems, set up groups and grant people time-bounded roleshttps://www.sans.org/cloud-security/securing-web-application...
#1. Living Asset Inventory (constantly updated automatically)
#2. Intelligence on these Assets (can be mdm, but at least reporting of sysinfo, os update version, security version)
#3. Automatic patching of both security software and os version.
#4. Centralized identity management (Azure AD, other SAML options) with security intelligence builtin.
I'm an independent consultant that can help guide infrastructure and devops decisions in early stage start ups. I've spent a lot of time in highly regulated industries. Feel free to reach out with any questions. contact at pallissard dot net.
Outside of basic netsec for your app and “corporate network” (creatively defined for a remote startup), it’s worth focusing on decisions that do initial security hygiene that long term really helps but is hard to fix retroactively, and once in place it’s easier to build the exotic controls on top of. You should also not forget basic GRC capabilities, as a bulk of the “doing security” tasks can easily turn into passing vendor audits and RFPs because sales is big for a startup, so having a bank of security policies complete way ahead of time and knowing the way around frameworks like CIS or NIST CSF will save you a lot of work during a sales-stress period.
So, in practice, I think getting these done early naturally leads to good decisions and a decent security program to start.
- corporate IT:
> seriously, make a large and vocal push to get off of personal computers and on to work laptops. Its worth burning some of your security capital for. All of the follow-on work you’ll do for security, to include sales support for the startup (so, you can tie this decision to revenue) gets undermined security-technically and passing audit-ally via work on personal computers.
> password manager, or can get by for a while with in-browser password managers vs LastPass
> secrets management: very early on, get a firm handle where the passwords/keys to production and service accounts are, store them in a shareable way (AWS secrets manager or shared LastPass), and don’t budge on this. They will too easily (and probably will anyway) end up all over developer computers and note apps. Eventually one will leak this way. By having a work computer, easier to guarantee safety around this loose secrets manager. By having them stored how I said, easy to find and rotate when they leak.
> have 2Fa/MFA setup by default from the get go. Don’t make compromises on this
> MDM/EDR: start trying to move towards this, but work computers are worth getting deployed prior to pushing for MDM. MDM or anti-virus or preferable EDR will show up as a requirement very soon via sales or audits. EDR can be surprisingly cheap for a small fleet of computers, so I’d look there and skip AV and table MDM. Also, these tools will generate alerts, so you’ll have to have a process in place to respond to the alerts.
- Developer productivity
> get the enterprise GitHub hardened very early on - know where the audit logs are, turn on alerts that GH has for free for compromised dependencies, and have a plan for API keys ending up in GH, yours or personal ones accidentally pushed to. Both will happen.
> get a handle on what IDE extensions are installed, and have a firm line on what is not safe to install, and get a senior eng leader to verify and support this decision. Stuff like a random extension to connect and quickly test a prod DB via your IDE suddenly leads to a random malicious extension having your prod DB secrets and connection string. It’s not worth pursuing white/blacklists really, but it’s worth getting a list of really unsafe library types to use and make sure everyone knows why.
- AWS
> heavily support any impulse in the company to use IaC - cloudformation, terrsrorm, etc. this will get a lot of secure-by-default capabilities in place.
> turn on guardduty across all accounts and start watching. I’d stay away from securityhub as it generates a lot of noise and it’s not worth knowing about until you have the means to fix it and other stuff is taken care of in this list.
> build your cloud accounts under an AWS Organization or equivalent. If accounts start under an Org, it’s much easier to build and enforce blanket configs/tooling across all of them, which is needed for security.
- incident response
> build a shell plan for handling incidents. It’ll help everyone, to include non-security incidents like prod crashing. It’ll also save your butt in a security incident. What matters in them is good documentation and good processes, because if/when a security incident happens, being able to answer what you did and why/when is key as all that data surfaces to legal and/or media comms eventually.
- compliance/GRC:
> try to get a sales RFP or vendor audit doc and look what they ask for in security evals. Your sales team may totally be BS’ing these answers currently, forewarning. Figure out what’s asked, prepare those documents.
- further ideas
> where do I find someone to do this: Finding sec eng to take all this on could be hard. This is like a CISO in a box with a fraction or none of the usual funding and headcount. You could then hire a non-technical security lead, but that could turn into an advice/doom machine who isn’t helping fix tech. Sec eng or VP security, either way the salaries are high - $145k base and way up. A sec analyst, who is cheaper, won’t help at this point. So, my advice is pay up for a sec eng who is strong on infra, or pair a security-conscious IT and/or a security conscious devops/infra lead with a comp sci-ish college student with a cloud cert looking to break into security engineering. They’ll get their break, you’ll get someone who knows tech/security but won’t cost a ton and will take a job like this to get the resume bullet (security engineering is hard to break into), and you’ll have someone watching all this and a strong IT and infra eng to help guide them.
> I want a framework to follow still: CIS benchmark or better NIST cybersecurity framework. I’d go for the latter. Focusing on CIS or similar can lead to a narrow IT security focus that doesn’t help with actually building a security program, which is what the startup needs.
Edit - other advice ITT like leveraging SSO/Gsuite heavily and IAM roles over secrets are really sound.
* Vulnerability management: Our customers (I do pentests) sometimes only have a vague idea what IT assets they have and what firmware/software version these are running. Think an Excel list maintained by some random person from accounting, because "IT knows it all and after all all servers&switches are in the network plan". That way you get an out-dated QNAP NAS hosting backups (easy target for ransomware), or an IPMI nobody uses with IPMI-over-LAN enabled & a weak password (trivial to hack). So get a good idea what hardware you have, and what firmware/software is running on that. Whatever you use for that, make sure to get notified about new CVEs and general updates. I can not recommend a specific solution, the only thing I was demoed until now was something by Tenable; that was pretty nice but it's probably out of "startup budget". Worst case you can always run OpenVAS to scan your intranet.
* Apply the principle of least necessary privilege: If a dev gets pwned, an attacker should not be able to steal all your internal data, only the portion that specific dev needed for their work.
* If you really have no idea, push for a CISO (and the budget for the CISO to fulfill their role).
* You can hire a pentesting company to check your IT (usually this is recommended to be done regularly, e.g. twice a year).
* You can also hire people to assist you with creating a ISO27001-compliant security policy; not sure if that makes sense for a startup, except maybe if you really have no idea what you're doing IT security wise. But then you should get help anyway.
* 2FA with FIDO/U2F/Yubikeys or similar hardware tokens (no need to get the expensive Yubikeys if generic FIDO/U2F do the job as well)
* No BYOD
* Only IT admins need admin/root privileges on their machines.
* If you're using Active Directory: At least use the "legacy AD tier model", or take a look at the https://docs.microsoft.com/en-us/security/compass/privileged... -- if you're going to go the simple route (giving IT admins one account for their daily work, which also has domain admin privileges) lateral movement on your IT becomes much easier
* Use a password manager; we use the enterprise version of 1Password. If that's out of budget, take a look at vaultwarden (self-hosted bitwarden), which is FOSS; I'm happy with that at home.
* I wouldn't have mentioned it, as I don't think it's imperative to have. But since major players had such problems with roll out after their startup phase, I'd take away the opposite lesson of what some people recommend: It might be a good idea to implement DNSSEC early on, while it's easier to integrate and doesn't cause too much trouble.
* HTTPS with proper certs for everything. Might be difficult in an intranet: In my lab network I'm running a SmallStep CA with a NameConstraint for 'foobar.tld' (so that can only be used to sign certs for my domain; if it is hacked, an attacker can not produce a cert for google.com that I'd accept). I've setup ACME on that CA, so all my PCs can just do internal HTTP challenges to get/renew certs (DHCP clients are on '$clientname.dhcp.foobar.tld', so they can't spoof e.g. 'vaultwarden.foobar.tld'). However most companies I've seen run a AD-based PKI and use other mechanisms for cert roll out. My variant is still about as safe as Let's Encrypt (as long as the CA VM isn't breached).
* If you're running Active Directory (which you want to do in case you're on Windows), harden the crap out of it. We usually point our customers to German checklists, but I bet there are also good English language ones.
* Network segmentation (VLANs) with firewalls between the segments. Only whitelist what's needed; this applies to all segments. I have once reached our "mark" because while they properly firewalled the client VLAN, some VMs (which are intended to be accessible to most users) resided in the server VLAN, which in turn allowed every connection to everywhere - including our "mark", as well as other highly critical stuff (think: people die if that's pwned).
* Facilitate free/open tools, e.g. OpenVAS or Bloodhound. Re OpenVAS: At our company, we run Nessus internally (we had an extra, unused license due to a project; else our CISO would probably just use OpenVAS) and this helped a lot with finding potential security issues.
* Foster a culture of IT security: Don't blame the victim for falling for a phishing attack, blame the company for not doing better anti-phishing training. Similarly, devs make mistakes, but you want them to be open about it, not punish them for it.