CyberSecurity for Startups Good security need not be expensive

Upload: sastry-tumuluri

Post on 18-Feb-2017



whoami

● Sastry Tumuluri
– CEO, Digital Self Defense InfoSec
– Program Leader, Startup Leadership Program (SLP), Delhi Chapter
– Was
  ● CISO of Haryana State
  ● Architect of MCA21 system
  ● Chapter Leader, NULL & OWASP Chandigarh
– Been around for a long time

Security People are Awesome

● Only telling the truth
● Truth hurts
● We only want perfection. Nothing more.

The rest of us are ...

Together, we are ...

But we use Antivirus & Firewalls!

First... some stories

● My AWS network bills shot up
● I got a really nasty email from my ISP
● Oh no, ransomware hit!
● My servers were shut down one day before the launch
● I only have a few users, but everything is slow now

The big guys have their big guns

Don’t we need our little something?

#1 – Eat Healthy

● For those who are/have techies – harden your servers!
– Use free checklists available on the net
– Change defaults!
– Lynis audit

● For others – Use a managed hosting service
– Choose one that offers backups, updates & security
– Several good options for WordPress
– More expensive than the cheapest option, but still reasonable

● No... no no no... not shared hosting please!

#2 - Exercise Regularly

● Update your OS and all other software regularly
– Make it a daily routine
– Tell your developers to stay on top of new versions

● Sometimes upgrades break your application
● Trade off!

● Please repeat after me
– Take regular backups!

#3 – Go For Regular Health Checkups

● Scan your web site regularly for weaknesses
– Yes, one more task in your daily routine
– Several free scanning options are available

● Some downloads, most are services
● Some are limited in some ways
● Try and buy the services if you like them

● Check your backups... make sure they’re good

#4 – Watch your assets on CCTV

● This is probably the hardest
● Startup-friendly monitoring solutions are hard to find
● But we’re happy to help
– <skipping our advertisement here>
● If no other option, check your logs regularly
– Daily routine... will take the longest; also the hardest to make sense of
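As an added example of what "check your logs regularly" can look like in practice (this is not code from the talk): a small Python script that reads sshd log lines, flags sources with repeated failed password logins, and lists accounts that still log in with passwords rather than keys, which is the #7 advice below. The log lines, host name and IP addresses are constructed for the example.

```python
"""Flag repeated failed SSH password logins in an auth log (constructed sample)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the usual sshd/syslog format; not real traffic.
SAMPLE_AUTH_LOG = """\
Feb 18 09:12:01 web1 sshd[2101]: Failed password for root from 203.0.113.45 port 51012 ssh2
Feb 18 09:12:03 web1 sshd[2101]: Failed password for root from 203.0.113.45 port 51013 ssh2
Feb 18 09:12:05 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.45 port 51020 ssh2
Feb 18 09:12:09 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.45 port 51022 ssh2
Feb 18 09:13:40 web1 sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:abc
Feb 18 09:14:02 web1 sshd[2111]: Failed password for deploy from 198.51.100.7 port 40030 ssh2
Feb 18 09:14:10 web1 sshd[2112]: Accepted password for deploy from 198.51.100.7 port 40031 ssh2
"""

# "invalid user" is optional: sshd adds it when the account does not exist.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (password|publickey) for (\S+) from (\S+) port")


def analyse(log_text, threshold=3):
    """Return (suspects, password_logins).

    suspects: {ip: {user: count}} for source IPs with at least `threshold`
    failed password attempts in total (password guessing).
    password_logins: [(user, ip)] for successful *password* logins; with
    key-only access in place this list should be empty.
    """
    failures = defaultdict(Counter)
    password_logins = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip][user] += 1
            continue
        m = ACCEPTED.search(line)
        if m and m.group(1) == "password":
            password_logins.append((m.group(2), m.group(3)))
    suspects = {ip: dict(users) for ip, users in failures.items()
                if sum(users.values()) >= threshold}
    return suspects, password_logins


if __name__ == "__main__":
    suspects, pw_logins = analyse(SAMPLE_AUTH_LOG)
    for ip, users in suspects.items():
        print(f"{ip}: {sum(users.values())} failed password attempts, users tried: {sorted(users)}")
    for user, ip in pw_logins:
        print(f"password login still accepted for {user} from {ip}: move this account to SSH keys")
```

Point the script at a real `/var/log/auth.log` (or `journalctl -u ssh` output) instead of the sample to run it on your own server.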

#5 – Rapid Response, Expert Response

● No matter how good your IT staff are...
– Security breaches are best handled by experts
– Knowing the latest hacker-techniques is a full-time job

● Do your homework beforehand
– React in minutes/hours, not days
– Look for Incident Response specialists, not hackers

#6 – Securing yourself & your laptop

● Email hygiene
– Beware links & attachments in emails

● Browsing hygiene
– Use uBlock Origin, an ad-blocker
– Don’t click everything you see, don’t go to dark alleys

● Mobile hygiene
– Beware fake apps, beware app-permissions abuse
– Update regularly... but wait! Sadly, it’s not in your hands

● Password hygiene
– Use Password Managers, set up 2FA (two-step authentication via SMS / other)

● Trust hygiene – the mother of all security issues

#7 – A few extras

● Use free Web Application Firewall / equivalent options
– e.g., modsecurity, CloudFlare

● Secure Coding – is a biggie, but this is not a tech class
– Ask your developers to attend NULL/OWASP meetups regularly

● Use SSH Keys to access your servers, not passwords!
– Stop helping the hackers!

● Secure your email servers; advise your customers & employees
– Mails from CEO asking for wire transfers
– Mails to customers saying your bank account details have changed

Stay safe... and Thank you!

[email protected]
@sastrytumuluri