Start-Up Secure. Chris Castaldo
or Microsoft Azure,12 a start-up is starting ahead of the game with SaaS.
Starting a business produces a lot of data and documentation, and a lot of collaboration on it. Whether you are developing the next mobile app to disrupt the housing market or a new fireproof fabric, the information and intellectual property surrounding that work must be secured. Hundreds of platforms exist for collaboration, which I can't discuss at length in this book.
However, I will discuss some of the more popular platforms for sharing data. Some of the most common are Dropbox, Box, Google Drive (part of Google Workspace), and Microsoft OneDrive (part of Microsoft O365). You've probably noticed by now that encryption and access control are the key components of protecting information. These providers encrypt your data at rest on their side, but by default the provider holds the keys, so the provider, and anyone who takes over your account, can still read the files. For your most sensitive data you should add a layer of your own: many solutions can encrypt files on your device before they are stored in those file-sharing tools, so that only the people you share the key with can open them. This doesn't always scale, but it can help protect your sensitive information early on. Reserve this level of file-based encryption for only the most sensitive data, to maintain the efficiency of your start-up.
In the case of software development, care should be taken when considering access to services such as GitHub,13 a service that lets developers store and retrieve the software code they've written. Ensuring you've enabled all of the security settings around user access is critical, as you are relying on the service to protect the data once it is on their systems. The basics are essential: set a strong passphrase and enable multi-factor authentication; make sure your repositories are set to private; and keep things like credentials and keys in a proper secrets manager rather than hardcoded in your source code. Remember that Git keeps history, so a key that was ever committed stays readable in the repository even after the line is deleted; treat it as compromised and rotate it. Secure development will be discussed further in Chapter 9.
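The last of those basics, keeping credentials out of source code, is the one that is easiest to check automatically. The following is an added example, not code from this book or from GitHub: a small Python pre-commit check that scans the added lines of a staged diff for a few common credential formats, beside the hard-coded pattern it is meant to catch and the environment-backed alternative. The patterns, the file and variable names, and the sample diff are all constructed for illustration; the key values in the sample are the placeholder examples from AWS's own documentation, not live credentials.

```python
"""Added example: a minimal pre-commit secret check (not from the book).

Reads a unified diff on stdin (e.g. ``git diff --cached``) and exits non-zero
if any added line looks like a credential. The patterns are heuristics."""
import os
import re
import sys
from typing import List, Mapping, Tuple

# A few well-known credential formats plus a generic "<...>secret<...> = '...'"
# assignment. Constructed for this example; tune them for your own code base.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api_key|access_key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

Finding = Tuple[str, int, str]  # (file path, line number in the new file, pattern name)


def scan_text(text: str, path: str = "<text>") -> List[Finding]:
    """Scan every line of a whole file's contents."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_unified_diff(diff_text: str) -> List[Finding]:
    """Scan only the added ('+') lines of a unified diff, so the hook reports
    new secrets without re-reporting everything already in history."""
    findings: List[Finding] = []
    path, lineno = "<unknown>", 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("@@"):
            # "@@ -old,count +new,count @@": start counting at the new-file offset
            m = re.search(r"\+(\d+)", line)
            lineno = int(m.group(1)) - 1 if m else 0
        elif line.startswith("+"):
            lineno += 1
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line[1:]):
                    findings.append((path, lineno, name))
        elif line.startswith(" "):
            lineno += 1  # unchanged context line also exists in the new file
        # removed ('-') lines and diff headers do not advance the new-file count
    return findings


# The anti-pattern the text warns against, as a constructed sample diff. The
# key values are the placeholder examples from AWS's documentation, not real keys.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,6 @@
 import boto3
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 REGION = "us-east-1"
-client = boto3.client("s3", region_name=REGION)
+client = boto3.client("s3", region_name=REGION,
+                      aws_access_key_id=AWS_ACCESS_KEY_ID)
"""


def load_secret(name: str, env: Mapping[str, str] = os.environ) -> str:
    """The alternative: read the credential from the process environment, which
    a secrets manager or CI secret store populates at run time, so the value
    never enters source control. Fails loudly rather than falling back to a default."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; inject it from your secrets manager")
    return value


def main() -> int:
    """Pre-commit entry point: diff on stdin, non-zero exit blocks the commit."""
    findings = scan_unified_diff(sys.stdin.read())
    for path, lineno, name in findings:
        print(f"{path}:{lineno}: possible {name}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire it in with `git diff --cached | python check_secrets.py` from `.git/hooks/pre-commit` (the file name is assumed); a non-zero exit blocks the commit. It is a heuristic: it will miss secret formats it does not know and will occasionally flag a test fixture, so treat it as a backstop for the secrets manager, not a replacement for it.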
Using SaaS products is not necessarily more secure, but it does reduce cost and enables start-ups to remain as lean as possible for as long as possible. Additionally, many of those SaaS platforms will scale with your business, and their pricing models adjust accordingly. At some point, though, you must use a computer to actually access those services, whether it is a desktop, laptop, or mobile device, and for those services to be useful you need availability.
A benefit of using a SaaS platform is a far higher availability rate than you could achieve by duplicating the services in your own data center. While the risk can be reduced, you cannot completely outsource it. If you are negligent with sensitive customer data, like credit card data, you can still be held liable even if you don't host any part of your product in your own data center. This division is what cloud providers call the shared responsibility model (sometimes the shared security model): the provider is responsible for the security of the platform, and you remain responsible for your data, your users, and how access to it is configured.
I've talked about the services you might use and the security surrounding them, but you must also consider the security of the devices you use to access them. Desktops, laptops, and mobile devices, along with your credentials, will continue to be the most likely initial access vector in a data breach. To get your credentials, an attacker must either trick you into handing them over, referred to as social engineering, or take advantage of a flaw in the software on the computer you are using, referred to as an exploit. Or, if you are a high-value target, they may go as far as gaining physical access to your device.
PATCHING
Another primary tenet of cybersecurity is updating and patching; these are critical procedures for maintaining confidentiality, integrity, and availability (CIA). It's that annoying time once a month when you have to close your browser with 50 open tabs or, worse, close all your applications and reboot your computer. The process differs between Windows, MacOS, Android, and iOS, but the goal is the same: a vulnerability is discovered, the vendor creates and releases a patch, and then you must apply the patch.
In the early stages of a start-up, enabling automatic updates in your operating system and your most-used applications carries very little risk. This doesn't apply to production environments that are used by paying customers, but we'll get to that in Chapter 9. If you are a typical start-up you will most likely use a laptop and a mobile phone. We'll focus on laptops first.
Both Windows and MacOS can download and install security updates with little interaction required from the user. At most, you will be prompted to reboot your computer, which might cost you only a few minutes of productivity. The security gain from applying those patches promptly will, most of the time, protect you from devastating ransomware like WannaCry in 2017: WannaCry spread through a Windows vulnerability that Microsoft had patched two months before the outbreak, and the systems it hit were the ones that had not applied the update. Nothing in security is 100%, which is why a successful cybersecurity program has so many layers. If you are not sure whether automatic updates are enabled, check in your system settings in either Windows or MacOS.
Besides the monthly updates, completely new versions of Windows and MacOS are released about every 18 months on average. It is not imperative for cybersecurity to immediately spend $200 on the latest version of Windows or Mac if the version you currently use will continue to receive updates. To find out how long you will receive those updates you can search for things like "Windows 10 end of life" or "Mac OS end of life." The results should give you the final date on which Microsoft or Apple will stop creating security patches. For example, if you are still using Windows XP you should immediately buy the latest version of Windows or a new computer, as Microsoft ended support for it in 2014 and it no longer receives security updates. At the time of writing, the average cost of a ransomware attack on a single system is about $300 to decrypt your data, but the real cost is higher: once a system is compromised you can no longer trust the security of that system or the data on it. In Chapter 7 we'll talk more about what to do if your start-up suffers a data breach.
The next layer of security you must be aware of is the applications you use on a daily basis: Chrome, Firefox, Safari, Office, Slack, etc. All of the components you use to create and run your start-up can be vulnerable too. I mentioned earlier that stolen credentials are one of the leading causes of data breaches, and those credentials are typically stolen in one of two ways: social engineering or software vulnerability exploitation.
Example 1
For example, you get an email from a prospective venture capital company looking to participate in your Series A funding round. The email has an attachment with their terms; you open it. This email plays on human emotion: it counts on you dropping your guard and opening the attachment in what you believe is the best interest of your company. Suddenly you get a popup saying the contents of your computer have been encrypted. You've been hit with ransomware.
Example 2
You receive a phone call from an individual at a venture capital firm you've been speaking with about participating in your next round. They tell you they're sending an email with a link to their secure portal where you can access the term sheet. A few minutes after you hang up, the email arrives; you click the link, and it prompts you to log in with your Microsoft O365 credentials. Once logged in you try to open the document and get an error. You call the number back and get a message saying the number is not in service. Suddenly you get a frantic text from your co-founder that production is down hard. You've fallen victim to pretexting and credential compromise. Since your credentials also worked in your cloud provider account, the attackers were able to ransom all of the data in your production database.
In these scenarios, both social engineering and vulnerability exploitation came into play. In the first, the email enticed you to open it and then open the attachment, and the attachment contained an exploit that gained elevated privileges on your computer and encrypted all of your data. In the second, the phone call made the email that arrived shortly afterward seem legitimate; no exploit was needed, because the fake portal simply collected your password, and the same password opened your cloud provider account. While there is no software update that can prevent you from opening an email and its attachment, keeping the application that opens the attachment patched could prevent the document from harming your computer, and a unique password plus multi-factor authentication on each account would have made the stolen password far less useful.
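In the second example the break point was the login link, and that is something a quick check can catch before a password is typed. The following is an added example, not from the book: a Python function that takes a sign-in link and reports whether it points at the host you actually sign in to, or uses one of the common lookalike tricks (a brand name stuffed into someone else's domain, a fake host hidden before an `@`, or an internationalized domain with look-alike letters). The allowlisted host, the reason strings, and the sample links are assumptions made for the illustration.

```python
"""Added example: triage a sign-in link before trusting it (not from the book)."""
import re
from typing import Dict, Sequence
from urllib.parse import urlsplit

# Assumed allowlist: the host your organisation's Microsoft O365 sign-in page
# actually lives on. Extend it for any other identity provider you use.
EXPECTED_LOGIN_HOSTS = ("login.microsoftonline.com",)


def _squash(host: str) -> str:
    """Drop dots and hyphens so 'login-microsoftonline.com' and
    'login.microsoftonline.com.evil.example' both reveal the brand they mimic."""
    return re.sub(r"[.-]", "", host)


def classify_login_link(url: str, expected_hosts: Sequence[str] = EXPECTED_LOGIN_HOSTS) -> str:
    """Return 'ok' if the link points at an expected sign-in host, otherwise a
    short reason naming the trick the URL appears to be using."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    except ValueError:
        return "unparseable URL"
    if parts.scheme != "https":
        return "not https"
    if not host:
        return "no host"
    if "@" in parts.netloc:
        # 'https://login.microsoftonline.com@evil.example/' really goes to evil.example
        return "userinfo before @ hides the real host"
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        # internationalized domain: a Cyrillic 'о' looks identical to a Latin 'o'
        return "internationalized host (possible homoglyph)"
    if any(host == h or host.endswith("." + h) for h in expected_hosts):
        return "ok"
    for h in expected_hosts:
        if _squash(h) in _squash(host):
            return f"lookalike of {h}"
    return "unexpected host"


# Constructed sample links: one legitimate sign-in URL and several variations
# of the kind of link a pretexting email might carry.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
    "http://login.microsoftonline.com/",
    "https://login.microsoftonline.com.secure-docs.example/termsheet",
    "https://login-microsoftonline.com/",
    "https://login.microsoftonline.com@docs.example/",
    "https://login.micros\u043eftonline.com/",
    "https://docs.example/share/123",
]


def triage(links: Sequence[str] = SAMPLE_LINKS) -> Dict[str, str]:
    """Classify a batch of links; returns {url: verdict}."""
    return {link: classify_login_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage().items():
        print(f"{verdict:45s} {link}")
```

The check is a triage aid, not a guarantee: a link that passes can still lead to a compromised page on a legitimate host, and it does nothing against a phishing site that proxies the real login flow. That is why the account-side controls in the text, a unique password per service and multi-factor authentication, matter at least as much as inspecting the link.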
All of the five applications I mentioned receive frequent security updates, some more than others. These are just