Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Security and Your Salesforce Org
1. Security and your Salesforce Org
CyberSecurity techniques to harden your org.
Francis Pindar
Technical Architect
francis@netstronghold.com
@radnip
2. Security and your
Salesforce org
CyberSecurity techniques to harden your org.
Francis Pindar
Technical Architect
francis@netstronghold.com
@radnip
www.radnip.com
LinkedIn.com/in/francisuk
5. Salesforce Security
Applicable to the Sales Cloud, Service Cloud, Communities, Chatter, database.com, site.com and Force.com. For audits, certification and security information or other services, please see
the Trust & Compliance section of help.salesforce.com.
Infrastructure-level SecurityApplication-level Security
Firewall SSL
Accelerators
Web/App
Servers
Load
Balancers
Database
Servers
Trusted
Networks
Authentication
Options
Field Level
Security
Object Level
Security
(CRUD)
Audit Trail
Object History
Tracking
10. Two Factor Authentication (2FA)
• Provides an extra layer of security beyond
a password
• If a user’s credentials are compromised,
much harder to exploit
• Require a numeric token on login
• Can be received via app, SMS, email,
hardware (YubiKey)
12. My Top Risky System Permissions
“System Admin” Permission Set Standard Profile
Export Report* Yes Yes No
Data Export No No No
Modify All Data No? No No
Manage Profile
Permission Sets
Yes No No
View Setup Yes Yes No
View All Data Yes? No No
View Encrypted Data No No No
Manage Remote Access Yes No No
Password Never Expires No No No
Bulk API Hard Delete No No No
Permissions you need to have
* Enable reCapture -> Send case to Salesforce
13. My Top Risky System Permissions
“System Admin” Permission Set Standard Profile
API Enabled No Yes No
Manage Interactions Yes No No
Manage Two Factor
Authentication
No No No
Permissions you need to have
Source: placeholder
20. CyberSecurity by FutureLearn/Open University
https://www.futurelearn.com/courses/introduction-to-cyber-security
• FREE online course
• Duration: 8 weeks
• 3 hours a week
• Certificates available
Next Start dates:
• 4th
July 2016
• 3rd
October 2016
21. Key Principles – The Human Factor
• Limit the number of users with admin rights
• Provide users with minimum access to do their job
• Create rigorous process for user termination/deactivation
• Basic security training for all users on credential/password
security, phishing, and social engineering
• Trailhead for ongoing, role-focused education
• Effective security requires cross-org communication
https://developer.salesforce.com/trailhead
22. thank y u
Francis Pindar
francis@netstronghold.com
@radnip
www.radnip.com
LinkedIn.com/in/francisuk
Notas do Editor
BBC Good Food Show tomorrow.
Experts are saying British businesses are not doing enough to protect themselves. Cyber attacks are exacting a heavy toll on british businesses. Research company Cebr last year reported £34bn of increase IT expenditure and lost revenue.
[CLICK]
The UK Government found boards of half of FTSE 350 companies only hear about cyber incidents only on an occasional basis or when something goes wrong.
But Damage can sometimes harm a companies reputation more than the actual attack.
UK Governments Public Policy Exchange is saying the threat from cyber attacks to the UK’s national security is “Real and Growing”. Such attacks have been called a “Tier One” threat to the UK.
[CLICK]
A recent report of UK companies showed that nearly half (46%) of small business owners have no employee responsible for data security and more alarming 27% have no process or policy at all. But its not just isolated to small companies. Last year saw an conservative estimate 487,731,758 records (based on public information) of data leaks from companies like Hyatt, Hilton Hhonors, Costa Coffee, Mumsnet, 56 Deans Street clinic leaks 780 HIV patients (NHS Trust fined £180k), JD Wetherspoon nearly 700,000 personal details were stolen and TalkTalk 156,000.
Secure Your Salesforce Org
Some administrators are surprised when they learn that security is part of their job. Salesforce is built with security as the foundation for the entire service. This foundation includes both protection for your data and applications, as well as the ability to implement your own security scheme to reflect the needs of your organization.
However, protecting your data is a joint responsibility between you and Salesforce but it ultimately your responsibility under EU Data Protection Laws. The security features in Salesforce enable you to help your users to do their jobs efficiently, while also limiting exposure of data to users that need to act upon it. Implement security controls that you think are appropriate for the sensitivity of your data. Your data is protected from unauthorized access from outside your company, and you should also safeguard it from inappropriate usage by your own users.
There are features built into the platform that you have the opportunity to activate to make the experience as secure as possible for your company.
Today we will focus on two of the key features that Salesforce highly recommends that customers enable – Two Factor Authentication and Login IP Ranges. We will also talk at a high level about protecting data by “who sees what”, or setting up roles and profiles.
No security strategy or feature is bullet-proof, but shoring up your implementation with these capabilities will decrease the likelihood that your org is compromised and may reduce the amount of data that can be stolen by attackers.
For any organization, its people present the biggest security threat and the greatest opportunity for hackers. Cyber criminals have shifted their tactics from technological attacks to targeted assaults on employees by manipulating basic human behaviors. Now more than ever, every person has an impact on security regardless of their function or title.
According to the PWC Global State of Information Security Survey, 2015, employees remain the most cited source of security compromise (over 55%), and incidents attributed to business partners also climbed 22 percent.
Only 17% of firms have given staff Cyber Security Training.
Open University warned last week that businesses believe upgrading their systems will keep them safe.
It takes only one employee to set off a chain of events that can compromise your company’s data. In this way, security is a job expectation critical to your company’s success. There are basic behaviors that every employee can do to make the company more secure.
Potential steps your users can take in the spirit of protecting data are:checking links in emails by hovering over them with their mouse, stop letting people in their office without checking for a badge, and continue to update logins using stronger passwords. We will talk about specifics later on.
For any organization, its people present the biggest security threat and the greatest opportunity for hackers. Cyber criminals have shifted their tactics from technological attacks to targeted assaults on employees by manipulating basic human behaviors. Now more than ever, every person has an impact on security regardless of their function or title.
According to the PWC Global State of Information Security Survey, 2015, employees remain the most cited source of security compromise (over 55%), and incidents attributed to business partners also climbed 22 percent.
Only 17% of firms have given staff Cyber Security Training.
Open University warned last week that businesses believe upgrading their systems will keep them safe.
It takes only one employee to set off a chain of events that can compromise your company’s data. In this way, security is a job expectation critical to your company’s success. There are basic behaviors that every employee can do to make the company more secure.
Potential steps your users can take in the spirit of protecting data are:checking links in emails by hovering over them with their mouse, stop letting people in their office without checking for a badge, and continue to update logins using stronger passwords. We will talk about specifics later on.
Setting the Stage: The Human Factor
These entry point methods represent common techniques that cyber criminals use to prey on our humanity and get what they want.
1. Phishing/Malware – An attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity. This can be used to trick users into downloading software intended to damage a computer, mobile device, computer system, or computer network, or to gain access to its operation.
2. Social Engineering - In the context of security, it is understood to mean the art of manipulating people into taking action or revealing confidential information.
3. Exploiting Public Info - Using publicly available information to help design a social engineering attack, crack a password login, or create a targeted phishing email.
4. Badge Surfing - A method of gaining unauthorized entry into a secured area. Typically, an intruder simply follows behind a legitimate badge holder as they pass through to the secured area or somehow convince that individual to hold the door open for them and knowingly give them access.
5. Eavesdropping - Secretly listening in on private conversations.
6. Rubbish Collection - Collecting sensitive information from the recycling or rubbish that was not appropriately destroyed.
7. Installing Rogue Devices - Malicious wireless routers or USB thumb drives installed on premise to allow a hacker access to a secure network.
Software Engineer for Salesforce.com
Secure Behavior
There are a few more key principles that can help augment the layers of security at your company.
First, limit the number of users with admin rights, and check periodically to make sure that, the same individuals need to have admin permissions. This can change over time. A key principle of security in general is to provide users with the minimum access they need to do their job. There is no need, for example, for a business analyst to see billing information for customers.
For those of you who haven’t checked out Trailhead yet, we highly encourage you to check out this fun and engaging educational tool available for self-paced training. There is a Data Security module that will give you hands-on for some of the things we reviewed today.
And last, cross-org communication is critical to security, not only between org admins, but also with your IT and security departments. Some key things you can talk about with IT:
How can you partner to improve security awareness of Salesforce users
How can you better understand company security policies and integrate into your administration of Salesforce, including password policies
Creating a process for notifying you when a user should be deactivated
What are the most common IP addresses that employees log in from
As foreign as it may seem to some, there is a lot to gain from building a relationship with your IT and Security departments.