How to become secure
and stay secure online
Become resilient against security threats without breaking the
bank
A presentation by
Akash Mahajan
CoFounder Appsecco
InfoSec For Startups
#ForStartups
Akash Mahajan – About Me
• Co-Founder of Appsecco (appsecco.com)
  • A boutique security consulting start-up
• Co-Founder of null0x00 (null.co.in)
  • An open security community
• Author of security books
  • Burp Suite Essentials
  • Security Automation with Ansible 2
• Security trainer
  • Nullcon, BlackHat US
• Community member (ex-chapter lead)
  • Null Bangalore, OWASP Bangalore
DISCLAIMER – By the end of this talk
• Some of you are going to be pissed
  • Because you may find this too simplistic
  • Because you may have already spent money on security products and services
  • Because you may find that I move too much on the stage
• Some of you are going to be a bit dazed
  • Because this talk is too abstract
  • Because too many cool buzzwords are being thrown around
  • Because you don't think this is relevant to your start-up at all
Buzz word: why did I use it?
• Simplistic: usually security done right is simple, usable and intuitive
• Sunk cost: no matter when you start your security journey, by the end of this talk you will know what should matter and what can be left alone
• Abstract: while the ideas may seem not applicable, they allow for contextual (relevant to you) action items
• Buzzwords: we will get a chance to explain all of them during the Q and A with the panel
• Relevance: if you feel they are not relevant, you may not be the right person to be responsible for this; share it with the techie in charge
I understand the variety of emotions - 😠 😳 😮
We want to answer the question
How to become secure and stay secure online
Keeping in mind the following constraint
Become resilient against security threats without breaking the bank
A simplified depiction of the start-up’s journey
Great Idea → Documented idea in laptop → Idea shared with co-founder → Potential team formed → Domain & Email → $$$ → Exit $$$
• Website
• Source Code
• Processes
• Shared files
• Presentations
• Strategy Documents
• SuperSecret Sauce
• List of potential clients
• Clients
• Financial Details
A start-up’s journey in becoming secure
Great Idea → Documented idea in laptop → Idea shared with co-founder → Potential team formed → Domain & Email → $$$ → Exit $$$
• Website
• Source Code
• Processes
• Shared files
• Presentations
• Strategy Documents
• SuperSecret Sauce
• List of potential clients
• Clients
• Financial Details
Laptop Security – Becoming and Staying Secure
Securing a laptop that you use for work:
• Use licensed software
• Keep up with security patches
• Install anti-virus, anti-malware
• Don’t use unknown USB flash drives
• Don’t download and install unknown software from the internet
Laptop Security – Resilience against security threats
Take continuous, encrypted, incremental backups of the software and data (keep older versions the laptop itself cannot overwrite or delete, otherwise ransomware encrypts the backup along with the originals)
• Best defense against ransomware attacks
• Allows for business continuity in case of hardware failure
• Reduces Mean Time To Recovery in case of laptop theft
Domain & Email – Becoming and Staying Secure
Securing domain and email:
• Use reputed domain registrars
• Use reputed email/office suite providers
• Ensure 2FA for admin accounts
• Reminders for renewing accounts and domains
Domain and Email – Resilience against security threats
Ensure that you retain control of the billing and ownership of domain and email account management
• Best defense against hijacking attempts (insider or external)
• Allows for business continuity in case of active phishing attempts
Sensitive Data – Becoming and Staying Secure
Securing sensitive data, files etc.:
• Use secure file sharing solutions
• Use reputed email/office suite providers
• Ensure 2FA for admin accounts
• Create role-based access depending on need of access
Sensitive Data – Resilience against security threats
Provide access to sensitive data as and when required, revoke when not required
• Best defense against data breach/leakages
• Understand how to revoke access before providing any, as employees/contractors can and will leave you
Finance/Banking – Becoming and Staying Secure
Access your finance services/banking with paranoia:
• Use a secure laptop on a secure network (don’t use open Wi-Fi)
• Avoid using mobile apps
• Enable and use 2FA
• Create a process of alerts on all transactions
Finance/Banking – Resilience against security threats
Use a secure laptop, over a secure network, to access the bank website, and enable 2FA for sensitive transactions
• Know how to block bank transactions by calling them
• Understand that fraud to steal your money can happen to you as well
Four pillars of abstract thoughts on Security
1. Create an inventory
2. Always do secure communications
   • Invest in account governance
3. Create and document processes for access and usage of information assets in the company
   • All processes need to have a source of truth
   • As processes evolve, put them under version control
4. Think in terms of service security
Create Inventory
• Of users for email
• Of users for file sharing
• Of various websites and apps being used by the start-up
• Of users who are also admins
Doing Secure Communications
• Add team members to domain/corporate email before exchanging sensitive information
• Ensure email is set to use TLS/SSL
• If using messaging applications, use the ones that have end-to-end encryption
  • Bonus points if it has the ability to delete messages
Document processes around onboarding and exits
• Clearly defined steps to follow to add a user to corporate email and other accounts (apps inventory)
• Clearly defined steps to follow to remove a user from corporate email and other accounts (apps inventory)
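Pillars 1 and 3 (the inventory, and the onboarding/exit process) reduce to one question that should be answerable in a minute: which accounts does each person hold, and which of them would survive their exit? The script below is an added example, not part of the original deck. The service names, user records and roles are constructed sample data standing in for the per-user exports most admin consoles can produce, and the function names are mine.

```python
"""Consolidated account inventory plus an offboarding check.

Added example, not from the slides. SERVICE_EXPORTS is constructed sample
data standing in for CSV exports from an email suite, a file-sharing
service, a source-control host and a billing portal.
"""
from collections import defaultdict

# Constructed sample exports: service -> list of (email, role).
SERVICE_EXPORTS = {
    "corporate-email": [
        ("alice@example.com", "admin"),
        ("bob@example.com", "user"),
        ("carol@example.com", "user"),
    ],
    "file-sharing": [
        ("alice@example.com", "admin"),
        ("bob@example.com", "user"),
        ("dave@example.com", "user"),        # has no corporate mailbox
    ],
    "source-control": [
        ("alice@example.com", "owner"),
        ("bob@example.com", "admin"),
        ("contractor@gmail.com", "user"),    # personal address
    ],
    "billing-portal": [
        ("alice@example.com", "admin"),
    ],
}

ADMIN_ROLES = {"admin", "owner"}


def build_inventory(exports):
    """Return {email: {service: role}} merged across every service export."""
    inventory = defaultdict(dict)
    for service, members in exports.items():
        for email, role in members:
            inventory[email.lower()][service] = role
    return dict(inventory)


def admins(inventory):
    """Users holding an admin/owner role anywhere, and where they hold it.
    These are the accounts that must have 2FA and that an attacker targets."""
    return {
        email: sorted(s for s, r in services.items() if r in ADMIN_ROLES)
        for email, services in inventory.items()
        if any(r in ADMIN_ROLES for r in services.values())
    }


def orphan_accounts(inventory, corporate_domain, email_service="corporate-email"):
    """Accounts on a non-corporate address, or with no corporate mailbox.
    Nobody will remember to revoke these at exit because they are not tied
    to the one account the exit process starts from."""
    problems = {}
    for email, services in inventory.items():
        reasons = []
        if not email.endswith("@" + corporate_domain):
            reasons.append("non-corporate address")
        if email_service not in services:
            reasons.append("no corporate mailbox")
        if reasons:
            problems[email] = reasons
    return problems


def offboarding_checklist(inventory, email):
    """Every service (with role) a departing user still has. Empty means done."""
    return dict(sorted(inventory.get(email.lower(), {}).items()))


if __name__ == "__main__":
    inv = build_inventory(SERVICE_EXPORTS)
    print("Admins:", admins(inv))
    print("Orphan accounts:", orphan_accounts(inv, "example.com"))
    print("Still to revoke for bob:", offboarding_checklist(inv, "bob@example.com"))
```

Running this on the sample data shows the two things the slides warn about: one person is an admin on every service (a single hijacked mailbox takes everything), and two accounts exist that no corporate-email exit step would ever touch.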
Thinking in terms of Service Security
Who needs access? Can you avoid giving access to everyone? 😮
Thinking in terms of Service Security
Can you enforce a password policy?
(Slide image: Top 10 weakest passwords for 2019 so far)
Thinking in terms of Service Security
Can you enforce a 2FA policy?
Passwords fail to protect against the following attacks:
• Credential stuffing
• Phishing
• Keystroke logging
• Local discovery (password sharing)
• Password spraying
• Extortion
• Brute force
There are over 4 billion stolen passwords in circulation 😮 😮
Woah! Dude that was bloody complicated
1. Understood, we have a great talk planned by Abhisek on how attackers exploit your online presence
2. We have a great panel planned to answer all the questions you may have post this talk
Self evaluation checklist
• Protect your personal email account (the one initially used to register everything else) with 2FA
• Make sure email is set up with proper SPF, DKIM, DMARC
• Don’t lose control of your mobile number
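The SPF/DKIM/DMARC item is the one most founders cannot judge by eye, and a record that exists but is weak (`?all`, `p=none`) gives no protection while looking done. The script below is an added example, not from the deck: it parses SPF and DMARC TXT records and flags the settings that leave a domain spoofable. The record strings are constructed samples; real ones come from `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`. DKIM is not graded here because its records live under a per-selector name the sending provider chooses, so there is no single fixed record to inspect.

```python
"""Grade SPF and DMARC records for the settings that let anyone send mail as
your domain. Added example; the records below are constructed samples."""

# SPF terms that cost a DNS query (RFC 7208 section 4.6.4 limits these to 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return (terms, all_qualifier). The qualifier on `all` decides what
    receivers do with mail from hosts you did not list:
    '-' fail, '~' softfail, '?' neutral, '+' pass (anyone may send as you)."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms, all_qualifier = [], None
    for term in parts[1:]:
        term = term.lower()
        qualifier = "+"                      # implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            all_qualifier = qualifier
        else:
            terms.append(term)
    return terms, all_qualifier


def grade_spf(record):
    terms, all_qualifier = parse_spf(record)
    findings = []
    if all_qualifier is None:
        findings.append("no `all` term: mail from unlisted senders is treated as neutral")
    elif all_qualifier in "+?":
        findings.append("%sall: mail from unlisted senders is not rejected, SPF provides no protection"
                        % all_qualifier)
    # Counts only the top-level record; each include pulls in more lookups.
    lookups = sum(1 for t in terms if t.split(":", 1)[0].split("=", 1)[0] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append("%d DNS-querying terms, over the limit of 10: SPF evaluation fails with permerror"
                        % lookups)
    return findings


def parse_dmarc(record):
    tags = {}
    for chunk in record.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def grade_dmarc(record):
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "none").lower()   # p is required; a missing one means no enforcement
    if policy == "none":
        findings.append("p=none: failures are reported but mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append("pct=%d: policy applies to only %d%% of failing mail" % (pct, pct))
    return policy, findings


# Constructed sample records: the weak setting beside the hardened one.
WEAK_SPF = "v=spf1 include:_spf.google.com ?all"
GOOD_SPF = "v=spf1 include:_spf.google.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for r in (WEAK_SPF, GOOD_SPF):
        print(r, "->", grade_spf(r))
    for r in (WEAK_DMARC, GOOD_DMARC):
        print(r, "->", grade_dmarc(r))
```

Move to `p=reject` only after the aggregate reports (`rua=`) show that every legitimate sender, including billing and marketing tools, passes SPF or DKIM; `p=quarantine` with a `pct=` ramp is the usual intermediate step.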
Understand risks with examples
Potential risk: can you do anything about it?
• Anyone on the internet can query my DNS records: Nope
• People are able to see who my domain registrar is: Nope
• My ISP/Hosting company/Government is insecure: Nope
• My OS/Processor/Hardware company is insecure: Nope
Does my registrar support 2FA?
Yes:
• Understand how the 2FA reset process works
• Make a note of what will need to be done in case 2FA needs to be disabled
• Enable 2FA for login
• Bonus points if authentication logs can be stored
No:
• Change your provider
Does my registrar support whois privacy?
Yes:
• Understand how to enable domain whois privacy
• Enable domain whois privacy before configuring the domain to do anything
No:
• Change your provider
• If that is not an option, accept it as a potential risk factor
Does my domain email support 2FA?
Yes:
• Understand how the 2FA reset process works
• Make a note of what will need to be done in case 2FA needs to be disabled
• Enable 2FA for login
• Bonus points if authentication logs can be stored
No:
• Change your provider
Protecting the domain admin email
Dos
• Enable 2FA, ideally app based rather than SMS based
• Use a reputed 3rd party provider (like Gmail, maybe)
• Make sure your password is sufficiently random
• Put in a process to change it after a fixed duration (current guidance such as NIST SP 800-63B favours changing it whenever compromise is suspected rather than on a calendar; a random, unique password plus 2FA matters more than the rotation interval)
Don’ts
• Don’t use that email address for registering on other sites
• Never reuse that password if you have to use the same email ID elsewhere
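"App based" 2FA in the Dos above means TOTP (RFC 6238): the authenticator app and the server share a secret at enrolment and each computes an HMAC over the current 30-second counter, so no code ever travels over SMS and a SIM swap gains nothing. The implementation below is an added example, not the deck's: it generates an enrolment secret with Python's `secrets` module, produces and verifies codes with a drift window, and is checked against the test vectors published in RFC 4226 and RFC 6238. The issuer and account name in the otpauth URI are placeholders.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226): what an authenticator app does.
Added example; issuer/account in the enrolment URI are placeholders."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = Unix time // step."""
    now = int(time.time()) if at is None else at
    return hotp(key, now // step, digits)


def verify_totp(key, code, at=None, step=30, window=1, digits=6):
    """Accept the current step plus `window` steps either side for clock drift.
    Constant-time comparison. A real server also records the last accepted
    counter so the same code cannot be replayed inside the window."""
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return False
    now = int(time.time()) if at is None else at
    for drift in range(-window, window + 1):
        expected = hotp(key, (now + drift * step) // step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def new_enrolment(issuer, account):
    """Fresh 160-bit secret plus the otpauth:// URI the app scans (usually as a
    QR code). Store `raw` server-side, show the URI once, never log it."""
    raw = secrets.token_bytes(20)
    b32 = base64.b32encode(raw).decode("ascii").rstrip("=")
    uri = ("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30"
           % (quote(issuer), quote(account), b32, quote(issuer)))
    return raw, b32, uri


# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    raw, b32, uri = new_enrolment("Example-Startup", "admin@example.com")
    print("enrol with:", uri)
    code = totp(raw)
    print("current code:", code, "verifies:", verify_totp(raw, code))
    print("RFC 6238 vector T=59 ->", totp(RFC_SECRET, at=59, digits=8))  # 94287082
```

The secret is the whole security of the scheme: it must be generated from a CSPRNG (here `secrets`), stored server-side with the same care as a password hash, and re-issued if it is ever exposed. The reset process the earlier slides ask you to understand is the path an attacker takes when the code itself cannot be guessed.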
Any Questions or thoughts?
Akash Mahajan | akash@appsecco.com | @makash
Editor's Notes

  1. A presentation At IIMB NSRCEL Event HashTag
  2. In other words – There are different types of audience always
  3. We acknowledge what you are experiencing
  4. Key words become and stay that way
  5. This is a tough ask! Since there are so many different types of audience here. So let us start with a simple model
  6. Storage is cheap. Use open source software with data backed up in something like BackBlaze for dirt cheap backups
  7. Point 2 is a bit technical. You may need the support of your provider in case you don’t have a technical resource available
  8. This is what we have done as well
  9. Akash Mahajan akash@appsecco.com @makash on Twitter https://appsecco.com