3. Akash Mahajan – About Me
• Co-Founder of Appsecco (appsecco.com)
• A boutique security consulting start-up
• Co-Founder of null0x00 (null.co.in)
• An Open Security Community
• Author of Security Books
• Burp Suite Essentials
• Security Automation using Ansible2
• Security Trainer
• Nullcon, BlackHat US
• Community Member (Ex-Chapter Lead)
• Null Bangalore, OWASP Bangalore
4. DISCLAIMER – By the end of this talk
• Some of you are going to be pissed
  • Because you may find this too simplistic
  • Because you may have already spent money on security products and services
  • Because you may find that I move too much on the stage
• Some of you are going to be a bit dazed
  • Because this talk is too abstract
  • Because too many cool buzzwords are being thrown around
  • Because you don't think this is relevant to your start-up at all
5. Buzzword – Why did I use it?
• Simplistic: Usually security done right is simple, usable and intuitive
• Sunk Cost: No matter when you start your security journey, by the end of this talk you will know what should matter and what can be left alone
• Abstract: While the ideas may seem not applicable, they will allow for contextual (relevant to you) action items
• Buzzwords: We will get a chance to explain all of them during the Q and A with the panel
• Relevance: If you feel they are not relevant, you may not be the right person to be responsible for this; share it with the techie in charge
I understand the variety of emotions - 😠 😳 😮
6. We want to answer the question: how to become secure and stay secure online
7. Keeping in mind the following constraint: become resilient against security threats without breaking the bank
8. A simplified depiction of the start-up’s journey
Great Idea → Documented idea in laptop → Idea shared with co-founder → Potential team formed → Domain & Email → $$$ → Exit $$$
Information assets:
• Website
• Source Code
• Processes
• Shared files
• Presentations
• Strategy Documents
• SuperSecret Sauce
• List of potential clients
• Clients
• Financial Details
9. A start-up’s journey in becoming secure
10. Laptop Security – Becoming and Staying Secure
• Securing a laptop that you use for work:
  • Use licensed software
  • Keep up with security patches
  • Install anti-virus, anti-malware
  • Don’t use unknown USB flash drives
  • Don’t download and install unknown software from the internet
11. Laptop Security – Resilience against security threats
Take continuous, encrypted, incremental backups of the software and data
• Best defense against ransomware attacks
• Allows for business continuity in case of hardware failure
• Reduces Mean Time To Recovery in case of laptop theft
12. Domain & Email – Becoming and Staying Secure
• Securing domain and email:
  • Use reputed domain registrars
  • Use reputed email/office suite providers
  • Ensure 2FA for admin accounts
  • Reminders for renewing accounts and domains
13. Domain and Email – Resilience against security threats
Ensure that you retain control of the billing and ownership of domain and email account management
• Best defense against hijacking attempts (insider or external)
• Allows for business continuity in case of active phishing attempts
14. Sensitive Data – Becoming and Staying Secure
• Securing sensitive data, files etc.:
  • Use secure file sharing solutions
  • Use reputed email/office suite providers
  • Ensure 2FA for admin accounts
  • Create role-based access depending on need of access
15. Sensitive Data – Resilience against security threats
Provide access to sensitive data as and when required; revoke it when no longer required
• Best defense against data breaches/leakages
• Understand how to revoke access before providing any, as employees/contractors can and will leave you
16. Finance/Banking – Becoming and Staying Secure
• Access your finance services/banking with paranoia:
  • Use a secure laptop with a secure network (don’t use open Wi-Fi)
  • Avoid using mobile apps
  • Enable and use 2FA
  • Create a process of alerts on all transactions
17. Finance/Banking – Resilience against security threats
Use a secure laptop, over a secure network, to access the bank website and enable 2FA for sensitive transactions
• Know how to block bank transactions by calling them
• Understand that fraud to steal your money can happen to you as well
18. Four pillars of abstract thoughts on Security
1. Create an inventory
2. Always do secure communications
   1. Invest in account governance
3. Create and document processes for access and usage of information assets in the company
   1. All processes need to have a source of truth
   2. As processes evolve, put them under version control
4. Think in terms of service security
19. Create Inventory
• Of users for email
• Of users for file sharing
• Of various websites and apps being used by the start-up
• Of users who are also admins
20. Doing Secure Communications
• Add team members to domain/corporate email before exchanging sensitive information
• Ensure email is set to use TLS/SSL
• If using messaging applications, use the ones that have end-to-end encryption
  • Bonus points if it has the ability to delete messages
21. Document processes around onboarding and exits
• Clearly defined steps to follow to add a user to corporate email and other accounts (apps inventory)
• Clearly defined steps to follow to remove a user from corporate email and other accounts (apps inventory)
24. Thinking in terms of Service Security – Can you enforce a 2FA policy?
Passwords fail to protect against the following attacks:
• Credential Stuffing
• Phishing
• Keystroke Logging
• Local Discovery (Password Sharing)
• Password Spraying
• Extortion
• Brute-force
There are over 4 billion stolen passwords in circulation 😮 😮
25. Woah! Dude that was bloody complicated
1. Understood, we have a great talk planned by Abhisek on how attackers exploit your online presence
2. We have a great panel planned to answer all the questions you may have post this talk
26. Self evaluation checklist
• Protect your personal email account (initially used to register for everything else) with 2FA
• Make sure email is set up with proper SPF, DKIM, DMARC
• Don’t lose control of your mobile number
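One way to self-check two of the three records on that checklist, as an added example that is not part of the original talk: it parses SPF and DMARC TXT record strings (constructed samples are embedded inline and the domain names are placeholders) and flags the settings that still leave a domain spoofable. DKIM is left out because its public-key record cannot be judged without the mail provider's selector.

```python
"""Sanity checks for the SPF and DMARC TXT records a start-up publishes for its domain.
Constructed sample records are embedded so the script runs offline; in practice the
strings come from a DNS TXT lookup of <domain> and _dmarc.<domain>."""
import re

# Constructed example records (the .test domains are placeholders, not real domains).
SPF_OK = "v=spf1 include:_spf.mailprovider.test ip4:203.0.113.0/24 -all"
SPF_WEAK = "v=spf1 include:_spf.mailprovider.test +all"
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"
DMARC_WEAK = "v=DMARC1; p=none"

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)

def check_spf(record):
    """Return a list of findings for an SPF record; an empty list means it looks sane."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    # The last 'all' mechanism decides what receivers do with senders not listed.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1][0].lower() in "+a":  # '+all' or bare 'all' authorises every host
        findings.append("'+all' authorises any host on the internet to send as your domain")
    elif all_terms[-1].startswith("?"):
        findings.append("'?all' is neutral and gives receivers nothing to act on")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(record):
    """Return a list of findings for a DMARC record; empty means the policy is enforcing."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '(missing)'}: spoofed mail is only monitored, never blocked")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports of spoofing")
    return findings
```

Running `check_spf(SPF_WEAK)` and `check_dmarc(DMARC_WEAK)` shows the two most common mistakes (`+all` and `p=none`), while the `_OK` records return no findings.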
27. Understand risks with examples
Potential risk – Can you do anything about it?
• Anyone on the internet can look up my DNS records – Nope
• People are able to see who my domain registrar is – Nope
• My ISP/Hosting company/Government is insecure – Nope
• My OS/Processor/Hardware company is insecure – Nope
28. Does my registrar support 2FA?
Yes:
• Understand how the 2FA reset process works
• Make a note of what will need to be done in case 2FA needs to be disabled
• Enable 2FA for login
• Bonus Points – If authentication logs can be stored
No:
• Change your provider
29. Does my registrar support whois privacy?
Yes:
• Understand how to enable domain whois privacy
• Enable domain whois privacy before configuring the domain to do anything
No:
• Change your provider
• If not an option, accept that as a potential risk factor
30. Does my domain email support 2FA?
Yes:
• Understand how the 2FA reset process works
• Make a note of what will need to be done in case 2FA needs to be disabled
• Enable 2FA for login
• Bonus Points – If authentication logs can be stored
No:
• Change your provider
31. Protecting the domain admin email
Dos:
• Enable 2FA, ideally not SMS based but app based
• Use a reputed 3rd party provider (like Gmail maybe)
• Make sure your password is sufficiently random
• Put in a process to change it after a fixed duration
Don’ts:
• Use that email address for registering to other sites
• Never reuse that password if you have to use the same email ID elsewhere
32. Any Questions or thoughts?
Akash Mahajan | akash@appsecco.com | @makash
Editor's Notes
A presentation at IIMB NSRCEL
In other words – There are different types of audience always
We acknowledge what you are experiencing
Key words become and stay that way
This is a tough ask! Since there are so many different types of audience here.
So let us start with a simple model
Storage is cheap.
Use open source software with data backed up in something like BackBlaze for dirt cheap backups
Point 2 is a bit technical. You may need the support of your provider in case you don’t have a technical resource available
This is what we have done as well
Akash Mahajan
akash@appsecco.com
@makash on Twitter
https://appsecco.com