WingNews logo WingNews GitHub [2]
top | item 32662385

Ask HN: IT Security Checklist for Startups?

133 points| faizshah | 3 years ago | reply

Hi HN,

Does anyone have a list of IT security stuff that you should setup for your early stage startup?

Like for example DNSSEC, VPN, forcing employees to use 2-factor etc.

78 comments

order
[+] dfc|3 years ago|reply
https://latacora.micro.blog/2020/03/12/the-soc-starting.html

That is specifically written for startups that may have to do SOC2 compliance in the future. But it is a useful starting point for most people.

    #1: Single Sign-On
    #2: PRs, Protected Branches, and CI/CD
    #3: Centralized Logging
    #4: Terraform Or Something
    #5: CloudTrail And AssumeRole
    #6: MDM
    #7: VendorSec
[+] pc86|3 years ago|reply
The most important (IMO) paragraph from that page:

> If there is one thing to understand about SOC2 audits, it’s: SOC2 is about documentation, not reality. SOC2 audits are performed by accountants, not pentesters. You’ll tell your audit team what security things you try to do. They’ll call upon the four cardinal directions of ontology in a ceremony of shamanic accountancy. They’ll tell you those security things are just fine. Then they’ll give you a 52,000-line questionnaire called the Information Request List (IRL), based in some occult way on what you told them you’re doing. And you’ll fill it out. You’ll have a few meetings and then write them a check. They’ll put your company name on a report.

[+] dyeje|3 years ago|reply
IMO 1, 5, and 6 are not appropriate for early stage startups (unless you’re making enterprise software). They’re going to slow you down, add unnecessary burn, and just generally not be value adds. You should be focused on making a product that people pay money for, not box checking for a hypothetical SOC2.
[+] number6|3 years ago|reply
I am currently stuggeling setting up centralized logging; just can´t grok it. Logstash? Beats? Elastic Agent? Is ELK-Stack right in 2022? How do I get Logs out of Docker to Logstash? Do I? Seems I need to get my head around this...
[+] jms703|3 years ago|reply
Came here to post this!
[+] ross-sec-audio|3 years ago|reply
--- CIS Top 18: --- CIS have a top 18 critical security control checklist, which is pretty incredible.

https://www.cisecurity.org/controls/cis-controls-list

CIS Top 18 Version 8 works sequentially too, so you implement control 1 and it sets you up in a good place to then implement control 2, and so on.

--- Cyber Essentials: --- The UK's Cyber Essentials scheme is a certification standard (but you can ignore that and just use it as a checklist if you'd like).

It's designed for small to medium size organizations, and focused on getting the foundations right.

This would be a useful place to start but it won't cover some of the specific threats and risks associated with software/app development. See @snowstormsun's comment about OWASP Top 10 for that.

https://www.ncsc.gov.uk/cyberessentials/overview

--- There's loads of other standards like this out there, that are free to use and are each focused on different security challenges etc.

I've shared these two standards as they both setup a solid foundation.

[+] tptacek|3 years ago|reply
This list is very general (it's about high-level controls, not actual tactics) and is geared towards enterprises, so there are things on it that definitely are not startup best-practices. For example: most startups don't do any serious network monitoring (even if they do operate monitorable networks, which isn't a given).
[+] _tk_|3 years ago|reply
Giving security advice in a format like this is always a bit weird. You will never catch all interesting bits much less all the edge cases. On top of that Thomas Ptacek is watching your every move.

As already noted, a tailored list for startups doesn't really exist. IMO, there are two approaches when it comes to establishing security in a Startup. You can either go the standard route or the checklist route.

1. Standard route: You hire a consultant, decide on a standard (preferably ISO27k) and go implementing. Costs a lot of money, takes a lot of time/energy, you will be happy about it in the future, if your company is not broke by then.

The German Federal Office for Information Security has adapted the ISO27001 standard in the past and created the so called Core Protection methodology. You can find the details here: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundsch...

It's a nice compromise between adherence to the standard and pragmatism.

As a Startup you basically want to protect two things: your IP and availability of your product. The core protection method allows you to specify a very narrow scope that you want to protect and helps you to develop protection requirements.

2. The checklist route: If standards are not your thing, I would advise you to take a look at CISA's "Cyber Essentials" checklist for Small and Midsize Businesses.

If you have 90% of these things implemented - which should be very easy for a startup - you will have a better security posture than 90% of all other companies out there (if not more).

https://www.cisa.gov/cyber-essentials

[+] baxtr|3 years ago|reply
> As a Startup you basically want to protect two things: your IP and availability of your product.

On what basis do you make this claim? I’m working in cyber and see the damage side in large companies. IP is never a thing. It’s mostly service / production availability and, with companies doing business in the US, data breaches (loss of PII).

[+] r4vik|3 years ago|reply
It's all about good hygiene early.

- MDM for laptops/phones, don't let people use their own devices. The point of MDM isn't to stop people installing their favourite IDE, the point of it is to make sure the device is patched and running latest OS. If you have a VPN (even AWS Client VPN supports this...) tie MDM together with device attestation so only patched machines can connect to your VPN.

- Unified login, for a start up you can use Google workspace or even GitHub as your identity provider (this gets weird if you have non-devs but you can push it for a bit). Don't have more than one account/password for things, you just log into your google account then use OIDC/SAML to auth against internal apps. If you do this you probably don't need VPN. Use this to auth into AWS too.

- Don't share accounts on SaaS services (e.g domain registrar), this will make rotating stuff when someone leaves a nightmare. If a service doesn't support teams or you don't want to pay for the enterprise version then it's OK for the CTO and 1 other person to have their own login.

- Minimise/avoid static credentials for your infra (e.g. web server talking to postgres) prefer to use AWS Instance roles with short lived dynamic credentials.

- Make sure network isolation is set up correctly, your Mongo db shouldn't be listening on the internet

- Use 2fa but make sure it's WebAuthn/FIDO. Issue everyone with 2x security keys. People wipe / screw up their phones/TOTP authenticator apps far too much.

- Centralised logging, make sure your apps can output logs to opensearch/datadog/whatever. Whenever a user performs an action make sure this gets logged.

- Don't let people manage prod infrastructure without using Infrastructure as code tools (CDK/Pulumi/Terraform), best thing would be not to give people prod access and all changes have to go through CI

- Make sure you know your product is down before your users start calling/emailing. Set up healhchecks.io / pingdom whatever.

[+] PowerBar|3 years ago|reply
I would recommend only issuing a single MFA device. If you only issue 1, then the employee is forced to come to IT if/when they lose it to get a new one issued. IT will need to use their admin access to activate the new fob (and deactivate the old one), but at least you're assured that employees aren't losing them without telling anyone.

If you issue 2 you greatly increase the chances of MFA devices going missing without it being reported to IT since people will either A) use one of them and forget they even have the other and not keep track of it or B) lose one and just start using the other one and never bothering to report it to IT so they can invalidate the missing one.

Employees are VERY reluctant to report lost devices, even after being told there are no consequences or costs to them as long as they report it. I've seen employees get buddies to buzz them into the building for weeks before finally admitting to IT that they lost their access badge.

The main complication is if your company relies on outside software that doesn't have provisions for administrator oversight. For example, if you're using Google Apps, any admin can go in and replace a missing MFA device for an employee, but this isn't possible if you're using some other platforms (especially the free tiers).

[+] dissent|3 years ago|reply
MDM for laptops? No thanks. It's a world of security theatre - the main purpose of which seems to be to stop me doing my job. Also it invariably means Windows.
[+] badrabbit|3 years ago|reply
Others mention important things but go nowhere near as far as they should. I can list dozens of high level things you should have on that list, but I think the most important decision is at what point will you hire a dedicated career-security person? The earlier the better.

You can have protected branches, pubkey auth everywhere with yubikeys and macs everywhere it all helps reduce noise but security architecture ensures there are no cracks in your defenses. These checklist solutions can do more harm than good by leaving you with the impression that you have a better security-posture and risk appettite than you actually do leading you to make catastrophic decisions.

IT/OPs/Engineering folks who know enough security to be dangerous would say things like "but _____ defensive measure is there,that wouldn't work" or "if they got past all this then we have bigger issues anyways" and be dangerously wrong.

2FA with yubi? Cookie theft is now popular. SSH pubkey on a mac? Commodity multiplatform stealers in Rust and Golang of course are a thing and they include stealing private keys and sensitive files as a feature. MDM doesn't protect you against malware and SSO while still should be implemented makes cookie theft one working attack away from pwning all things the user has access to. Boring old things like segmentation, (good)logging and proactive monitoring (probably MSP for you at the start) are still top of the "list" and despite what pop-security personalities have you believe, not only do you need AV but you need a cross-platform good EDR as soon as possible as well as corporate VPNs and while gsuite is popular with startups, O365 has better security and DLP.

I could go on but my point is you at least need a consultant at the begining and have a solid plan on when you will hire a proper security pro to architect things and make all the devs and engineers do things they disagree with passionately leading some to even leave lol.

[+] tptacek|3 years ago|reply
O365 and DLP are absolutely not startup best practices. Almost nobody uses either.

As I've noted elsewhere on the thread, the norm among startups is to make a first security hire somewhere between engineer #20 and #40. Pentesters usually get brought in after PMF, sometime around the "first version" of the product the startup settles on.

[+] PeterisP|3 years ago|reply
If you do proper 2FA, always change the default credentials (including dev/test/temporary systems!) and test the recovery of your backups you're probably above the median already. Logging turned on, and preferably centralized is also low-hanging fruit.

For an early stage startup I feel that some unnecessary risks are caused by the lack of separation of privileges because a few people do have the rights to do everything. I'd recommend having your key people keep a separate account for privileged actions so that you're not reading your email with an account that has the access to the keys of the kingdom, that you're not doing stuff on your cloud provider with a user account that has the privileges to accidentally delete everything. Have the superuser accounts on all the third-party systems be something that you use rarely, make a limited account for your daily work.

[+] Mandatum|3 years ago|reply
2FA is fine.

Don't bother with VPN's if you're SaaS-based. Just take the zero-trust route with mandatory MFA everywhere, invest in Yubikeys for all employees and set up a SIEM box to ingress audit logs from your various systems.

Setting up an Elastic box for this should be relatively straightforward. For many people it's easier to keep SIEM locally hosted (pulling data, no external access) and then periodically push encrypted backups offsite).

You'll probably end up setting up business metrics monitoring from this eventually too, at least in the early days before you start the "data lake" approach.

DNSSEC is a waste of time right now.

[+] coleca|3 years ago|reply
In addition to the advice already commented, if you are using AWS I'd recommend checking out our recently released AWS Startup Security Baseline Prescriptive Guidance: https://docs.aws.amazon.com/prescriptive-guidance/latest/aws...

This is not a comprehensive checklist per se, but a minimum set of security controls to implement to help secure your AWS account and workloads running on AWS within your account.

[+] Amedeemus|3 years ago|reply
I do not know of a go-to checklist but as I work in the industry, I hope I can provide some tips from experience.

Any service that is needed for the day-to-day working of your business should be properly secured. You mention DNSSEC but it starts with the user accounts that are used to log in to your registrar, hosting provider, payment provider, any SaaS... Generate unique, strong passwords for every business related service. Use a password vault like keepass or a service like 1password for secure storage and ease of use. Multi-factor everything you can, and prefer to use an app or physical token over SMS-based multifactor. I have recommended Twilio Authy a lot due to the multi-device support and google authenticator compatibility. Use DNSSEC for your domain(s), enable SPF, DKIM and DMARC for your mail, set up TLS for your website(s). Depending your needs, cloudflare has some great options for the latter.

Security of the endpoints and endusers greatly depends on wether your employees BYOD, what the network looks like and most of all, what you are protecting. I recommend to search for some public "acceptable use policy" or "security policy" documents, especially in the context of ISO27001 and create an own policy based on that, depending on your needs and environment. Even better than policy is proper training for employees on security hygiene, how to avoid phishing and if relevant, secure development. Ceate an open environment for employees to report potential issues or mistakes. Regarding secure development, OWASP is a great resource for anything application security.

[+] tptacek|3 years ago|reply
You're recommending this startup do DNSSEC. Can you rattle off some pre-acquisition startups of any note that have DNSSEC-signed their domains? Slack, for instance, is DNSSEC-signed (signing infamously took them off the Internet for the better part of a day) --- because Salesforce, their acquirer, required it; they did the same to Heroku (which also suffered a DNS outage).

My point is not so much to litigate DNSSEC itself (although I'll do that) as it is to establish the ground truth that DNSSEC-signing is not a norm among tech companies. It would be a particularly weird bit of ops overhead for a young startup to invest in.

If you'd like some tips on how to quickly test whether a startup (or a large list of them) have signed their domains, I'm happy to help.

[+] tptacek|3 years ago|reply
Your startup should absolutely not be doing DNSSEC; virtually nobody does this, most especially at successful startups with security teams. This is a good example of why a good checklist like this would be useful; I wish I had one to offer.
[+] nokya|3 years ago|reply
By just looking at the vast variety of answers in this thread, I think we have a telltale sign of the magnitude of the problem, and the state of denial in which society has evolved.

Whether a startup, a small company or a large corporation, there is at least one IT security standard in each developed country, if not an international standard (e.g., ISO27002 , NIST cybersecurity, etc.). Their role is exactly what they are called for: they tell whoever owns an IT system what should be done to protect it.

Unless you're an academic doing research, or you have personally reached the limits of a standard in your organization, there is no reason to look elsewhere.

Pull the standard from your country, or pull the ISO27002, and start working on your spreadsheet and assigning tasks :)

[+] tptacek|3 years ago|reply
The idea that national security standards are the actual blueprint for running a security practice at a startup is risible.
[+] patrakov|3 years ago|reply
Let me share my (unpopular) opinion: whatever minimum mandated by the applicable laws, and nothing else. If you are not a bank, and don't have EU customers, it could as well be an empty checklist. If you need anything more, you are not a startup. Well, if you disagree, let me add one item to your checklist: know when to stop expanding it.

Rationale: I have seen enough organizations with the checklist-based approach to security. In all of them, it had nothing to do with actual security, but with convincing customers that the organization is safe to deal with - even if it is in fact false. People responsible for filling in such questionnaires often had an outdated vision of the practices of the company.

Also, once you allow any checklist in, or hire any so-called cybersecurity expert who is actually a checkbox-ticking expert, you will be under constant pressure to strengthen this "security posture" more and more, way beyond reasonable. Hypothetical example: this expert decides that you have to comply with Cyber Essentials, and one of the requirements is to install, on each laptop and desktop, an antivirus that can live-check all of the web pages loaded in browsers. But no such desktop-ready thing exists for Linux, and this expert will tell you to stop using Linux on desktops, thus leading to mass-resignation of developers. While the proper solution would have been "don't deal with the UK government".

[+] more_corn|3 years ago|reply
Require disk encryption and screen lock. Deploy SSO everywhere you can. Provide a password manager. No passwords in slack. If they show up they have to be rotated immediately. Create a simple security policy (and password policy) to let people know expectations. Create an onboarding and off boarding checklist. Create a BYOD policy (if people choose to have work coms on their phone) Require phone password, encryption and find my device. Prohibit password reuse. Buy people yubikes if they want em. Encourage 2fa Rotate credentials at most annually. Create a culture of blameless postmortems so people feel comfortable raising concerns early. Set up your cloud accounts with SSO. Secure your CI/CD system. It usually has the keys to the castle. Deploy or enable cred-scan, dep-scan, sast-scan in CI/CD Don’t allow public items in S3 buckets unless the bucket is explicitly public.
[+] mikewarot|3 years ago|reply
If you're building a product, consider using capability based security.[1]

A capability is an access token to a resource, and NOT a user account. Think of it as a $10 bill. If you pull a $10 capability from your wallet, you can't lose $1000 by accident, no matter how badly things go.

Flickr makes it possible to give out a guest pass for photos, for example.[2] The nice thing about a guest pass is you can revoke it at any time.

[1] - https://en.wikipedia.org/wiki/Capability-based_security

[2] - https://www.flickrhelp.com/hc/en-us/articles/4404069601172-C...

[+] fouadmatin|3 years ago|reply
We wrote up a starting five on our blog at Indent: https://indent.com/blog/security-for-startups-the-starting-f...

  1. Create a security policy — decide what does/doesn't matter
  2. Train employees on security — just do the basic stuff, but all the time (strong passwords, 2FA)
  3. Implement security measures — for what matters, take security very seriously
  4. Use single sign-on — whether it's Google SSO/Okta/etc, you'll thank yourself later
  5. Grant access on-demand — people generally don't need permanent access to sensitive systems, set up groups and grant people time-bounded roles