Ask HN: IT Security Checklist for Startups?
Hi HN,
Does anyone have a list of IT security stuff that you should setup for your early stage startup?
Like for example DNSSEC, VPN, forcing employees to use 2-factor etc.
Does anyone have a list of IT security stuff that you should setup for your early stage startup?
Like for example DNSSEC, VPN, forcing employees to use 2-factor etc.
82 comments
[ 3.2 ms ] story [ 160 ms ] threadand the owasp's cheatsheets in general
For an early stage startup I feel that some unnecessary risks are caused by the lack of separation of privileges because a few people do have the rights to do everything. I'd recommend having your key people keep a separate account for privileged actions so that you're not reading your email with an account that has the access to the keys of the kingdom, that you're not doing stuff on your cloud provider with a user account that has the privileges to accidentally delete everything. Have the superuser accounts on all the third-party systems be something that you use rarely, make a limited account for your daily work.
That is specifically written for startups that may have to do SOC2 compliance in the future. But it is a useful starting point for most people.
1) Capturing them 2) Indexing/acting on them
Most tools focus on one or the other, some focus on both.
> Logstash? Beats? Elastic Agent? Is ELK-Stack right in 2022?
Loki and Graylog solve both issues in an integrated way.
logstash, beats and syslog tend to focus only on the 1st part, moving the lots to a central place.
> How do I get Logs out of Docker to Logstash? Do I?
Yes you want the logs from Docker jobs. You can use a sidecar, or you can have the Docker image ship the logs or if you are running k8s, Nomad, etc they might be able to do it for you.
The more important thing is the 1st, getting them all to one host, in pretty much any format. Once you have them there, then you can worry about trying to make sense of them.
[0] https://grafana.com/docs/loki/latest/operations/storage/bolt...
[1] https://grafana.com/docs/loki/latest/operations/storage/#sup...
[2] https://grafana.com/docs/loki/latest/fundamentals/architectu...
[3] https://github.com/grafana/helm-charts/blob/main/charts/loki...
[4] https://github.com/grafana/loki/issues/643
(I started with Grafana and Prometheus FWIW)
> If there is one thing to understand about SOC2 audits, it’s: SOC2 is about documentation, not reality. SOC2 audits are performed by accountants, not pentesters. You’ll tell your audit team what security things you try to do. They’ll call upon the four cardinal directions of ontology in a ceremony of shamanic accountancy. They’ll tell you those security things are just fine. Then they’ll give you a 52,000-line questionnaire called the Information Request List (IRL), based in some occult way on what you told them you’re doing. And you’ll fill it out. You’ll have a few meetings and then write them a check. They’ll put your company name on a report.
They had really well documented controls and the screenshot of the AD settings they sent me looked great in my report. (Yup - all AD settings in one screenshot).
I would hold fast on #1 (Single Sign-On). Do SSO now. Make it one of the first security things you do. It's worth it on its own merits, and if you do it right, it makes things easier, not harder. My one-two punch for most startups would be Google SSO and Tailscale.
If you're hosting in AWS, you basically have to turn CloudTrail on, which was my #5. It's not slowing you down; you just need the data collecting. You can't deploy on AWS and not have an audit trail; that's bananas.
If I was writing that article over again, I'd strike #6 (MDM). It's fallen out of fashion to do endpoint security in SOC2; you should introduce endpoint security when you have the bandwidth to do it well.
So: #1-5 and #7, I'd do right away.
#6, I'd wait until after my first security hire.
I misunderstood your intent on #5.
I still think SSO is inappropriate because it’s going to bump you into enterprise tiers for random products when you need to be the most frugal with your burn. Going with 1Password or similar gets the job done. You 100% need SSO eventually and it does get harder to implement the longer you wait, but I still don’t think it’s worth it early.
I think MDM is still a thing for SOC2, but my point is that most startups will not need a SOC2 immediately and folks should be mindful of what moves the needle security wise vs what auditors want.
You can pick which apps to enroll in SSO; you don't have to pay the sso.tax on everything. Most of the time it's not material anyways.
Interesting note about MDM, any idea what contributes to that trend?
I guess I'd add that almost anything goes pre-PMF. I think it's actually pretty reasonable to consciously minimize security engineering spending before you've got a real product locked down.
Without SSO, you have no idea who has access to services. People come and go, contractors do their thing and take off, etc. You need to know they’re gone. On top of it, it’s so trivial to just use Google Workspace as an SSO it’s ridiculous not to use it.
MDM becomes a thing when you’re a little bigger. Anything with customer data should be managed imo.
- MDM for laptops/phones, don't let people use their own devices. The point of MDM isn't to stop people installing their favourite IDE, the point of it is to make sure the device is patched and running latest OS. If you have a VPN (even AWS Client VPN supports this...) tie MDM together with device attestation so only patched machines can connect to your VPN.
- Unified login, for a start up you can use Google workspace or even GitHub as your identity provider (this gets weird if you have non-devs but you can push it for a bit). Don't have more than one account/password for things, you just log into your google account then use OIDC/SAML to auth against internal apps. If you do this you probably don't need VPN. Use this to auth into AWS too.
- Don't share accounts on SaaS services (e.g domain registrar), this will make rotating stuff when someone leaves a nightmare. If a service doesn't support teams or you don't want to pay for the enterprise version then it's OK for the CTO and 1 other person to have their own login.
- Minimise/avoid static credentials for your infra (e.g. web server talking to postgres) prefer to use AWS Instance roles with short lived dynamic credentials.
- Make sure network isolation is set up correctly, your Mongo db shouldn't be listening on the internet
- Use 2fa but make sure it's WebAuthn/FIDO. Issue everyone with 2x security keys. People wipe / screw up their phones/TOTP authenticator apps far too much.
- Centralised logging, make sure your apps can output logs to opensearch/datadog/whatever. Whenever a user performs an action make sure this gets logged.
- Don't let people manage prod infrastructure without using Infrastructure as code tools (CDK/Pulumi/Terraform), best thing would be not to give people prod access and all changes have to go through CI
- Make sure you know your product is down before your users start calling/emailing. Set up healhchecks.io / pingdom whatever.
- Ensure full disk encryption
- Time limit on how long people can defer OS upgrades
- Report on software installed and versions
- Enforce somewhat complex password
- Enforce password after screen has become locked
- Allow us to remote wipe the machine if lost/stolen
It didn't stop you from installing / uninstalling anything - even itself. Although if your machine stopped phoning home for a certain amount of time we had some alerts set up for the IT support team to follow up.
I'm hoping things are better now - I think Canonical have some sort of MDM for Ubuntu but I couldn't figure out how to pay for it.
If you issue 2 you greatly increase the chances of MFA devices going missing without it being reported to IT since people will either A) use one of them and forget they even have the other and not keep track of it or B) lose one and just start using the other one and never bothering to report it to IT so they can invalidate the missing one.
Employees are VERY reluctant to report lost devices, even after being told there are no consequences or costs to them as long as they report it. I've seen employees get buddies to buzz them into the building for weeks before finally admitting to IT that they lost their access badge.
The main complication is if your company relies on outside software that doesn't have provisions for administrator oversight. For example, if you're using Google Apps, any admin can go in and replace a missing MFA device for an employee, but this isn't possible if you're using some other platforms (especially the free tiers).
https://www.cisecurity.org/controls/cis-controls-list
CIS Top 18 Version 8 works sequentially too, so you implement control 1 and it sets you up in a good place to then implement control 2, and so on.
--- Cyber Essentials: --- The UK's Cyber Essentials scheme is a certification standard (but you can ignore that and just use it as a checklist if you'd like).
It's designed for small to medium size organizations, and focused on getting the foundations right.
This would be a useful place to start but it won't cover some of the specific threats and risks associated with software/app development. See @snowstormsun's comment about OWASP Top 10 for that.
https://www.ncsc.gov.uk/cyberessentials/overview
--- There's loads of other standards like this out there, that are free to use and are each focused on different security challenges etc.
I've shared these two standards as they both setup a solid foundation.
Any service that is needed for the day-to-day working of your business should be properly secured. You mention DNSSEC but it starts with the user accounts that are used to log in to your registrar, hosting provider, payment provider, any SaaS... Generate unique, strong passwords for every business related service. Use a password vault like keepass or a service like 1password for secure storage and ease of use. Multi-factor everything you can, and prefer to use an app or physical token over SMS-based multifactor. I have recommended Twilio Authy a lot due to the multi-device support and google authenticator compatibility. Use DNSSEC for your domain(s), enable SPF, DKIM and DMARC for your mail, set up TLS for your website(s). Depending your needs, cloudflare has some great options for the latter.
Security of the endpoints and endusers greatly depends on wether your employees BYOD, what the network looks like and most of all, what you are protecting. I recommend to search for some public "acceptable use policy" or "security policy" documents, especially in the context of ISO27001 and create an own policy based on that, depending on your needs and environment. Even better than policy is proper training for employees on security hygiene, how to avoid phishing and if relevant, secure development. Ceate an open environment for employees to report potential issues or mistakes. Regarding secure development, OWASP is a great resource for anything application security.
My point is not so much to litigate DNSSEC itself (although I'll do that) as it is to establish the ground truth that DNSSEC-signing is not a norm among tech companies. It would be a particularly weird bit of ops overhead for a young startup to invest in.
If you'd like some tips on how to quickly test whether a startup (or a large list of them) have signed their domains, I'm happy to help.
Norms change and from my perspective there is still a big ongoing effort to push DNSSEC adoption worldwide.
I'm curious to know why you'd argue against DNSSEC and what your experiences are with operational overhead.
Again, a good way to rebut this would be to present examples of established startups that have DNSSEC-signed their domains. For instance: you could take the top startups list from YC (it's on the front page, and you can pull the domains out easily in the Chrome console) and then check all of them to see if they're signed.
A bunch of them are! About 8%. But that's because a bunch of them are not in North America, and European registrars in particular automatically DNSSEC-sign new zones. But take a wild guess about Stripe (huge security team). Or Instacart. Or Cruise. Or Brex (banking!). Or Reddit. Or Gusto. Zapier. Segment. Vanta (the YC standard for SOC2, FWIW).
To the extent "no DNSSEC" is a norm, and not a best practice (it is both), that norm is unlikely to change; I think DNSSEC adoption is likely to decline (as it has in some previous years). It just doesn't work.
https://www.sans.org/cloud-security/securing-web-application...
Outside of basic netsec for your app and “corporate network” (creatively defined for a remote startup), it’s worth focusing on decisions that do initial security hygiene that long term really helps but is hard to fix retroactively, and once in place it’s easier to build the exotic controls on top of. You should also not forget basic GRC capabilities, as a bulk of the “doing security” tasks can easily turn into passing vendor audits and RFPs because sales is big for a startup, so having a bank of security policies complete way ahead of time and knowing the way around frameworks like CIS or NIST CSF will save you a lot of work during a sales-stress period.
So, in practice, I think getting these done early naturally leads to good decisions and a decent security program to start.
- corporate IT:
> seriously, make a large and vocal push to get off of personal computers and on to work laptops. Its worth burning some of your security capital for. All of the follow-on work you’ll do for security, to include sales support for the startup (so, you can tie this decision to revenue) gets undermined security-technically and passing audit-ally via work on personal computers.
> password manager, or can get by for a while with in-browser password managers vs LastPass
> secrets management: very early on, get a firm handle where the passwords/keys to production and service accounts are, store them in a shareable way (AWS secrets manager or shared LastPass), and don’t budge on this. They will too easily (and probably will anyway) end up all over developer computers and note apps. Eventually one will leak this way. By having a work computer, easier to guarantee safety around this loose secrets manager. By having them stored how I said, easy to find and rotate when they leak.
> have 2Fa/MFA setup by default from the get go. Don’t make compromises on this
> MDM/EDR: start trying to move towards this, but work computers are worth getting deployed prior to pushing for MDM. MDM or anti-virus or preferable EDR will show up as a requirement very soon via sales or audits. EDR can be surprisingly cheap for a small fleet of computers, so I’d look there and skip AV and table MDM. Also, these tools will generate alerts, so you’ll have to have a process in place to respond to the alerts.
- Developer productivity
> get the enterprise GitHub hardened very early on - know where the audit logs are, turn on alerts that GH has for free for compromised dependencies, and have a plan for API keys ending up in GH, yours or personal ones accidentally pushed to. Both will happen.
> get a handle on what IDE extensions are installed, and have a firm line on what is not safe to install, and get a senior eng leader to verify and support this decision. Stuff like a random extension to connect and quickly test a prod DB via your IDE suddenly leads to a random malicious extension having your prod DB secrets and connection string. It’s not worth pursuing white/blacklists really, but it’s worth getting a list of really unsafe library types to use and make sure everyone knows why.
- AWS
> heavily support any impulse in the company to use IaC - cloudformation, terrsrorm, etc. this will get a lot of secure-by-default capabilities in place.
> turn on guardduty across all accounts and start watching. I’d stay away from securityhub as it generates a lot of noise and it’s not worth knowing about until you have the means to fix it and other stuff is taken care of in this list.
> build your cloud accounts under an AWS Organization or equivalent. If accounts start under an Org, it’s much easier to build and enforce blanket configs/tooling across a...
https://github.com/strongdm/comply
https://www.security4startups.com/
I'm an independent consultant that can help guide infrastructure and devops decisions in early stage start ups. I've spent a lot of time in highly regulated industries. Feel free to reach out with any questions. contact at pallissard dot net.
Rationale: I have seen enough organizations with the checklist-based approach to security. In all of them, it had nothing to do with actual security, but with convincing customers that the organization is safe to deal with - even if it is in fact false. People responsible for filling in such questionnaires often had an outdated vision of the practices of the company.
Also, once you allow any checklist in, or hire any so-called cybersecurity expert who is actually a checkbox-ticking expert, you will be under constant pressure to strengthen this "security posture" more and more, way beyond reasonable. Hypothetical example: this expert decides that you have to comply with Cyber Essentials, and one of the requirements is to install, on each laptop and desktop, an antivirus that can live-check all of the web pages loaded in browsers. But no such desktop-ready thing exists for Linux, and this expert will tell you to stop using Linux on desktops, thus leading to mass-resignation of developers. While the proper solution would have been "don't deal with the UK government".
* Vulnerability management: Our customers (I do pentests) sometimes only have a vague idea what IT assets they have and what firmware/software version these are running. Think an Excel list maintained by some random person from accounting, because "IT knows it all and after all all servers&switches are in the network plan". That way you get an out-dated QNAP NAS hosting backups (easy target for ransomware), or an IPMI nobody uses with IPMI-over-LAN enabled & a weak password (trivial to hack). So get a good idea what hardware you have, and what firmware/software is running on that. Whatever you use for that, make sure to get notified about new CVEs and general updates. I can not recommend a specific solution, the only thing I was demoed until now was something by Tenable; that was pretty nice but it's probably out of "startup budget". Worst case you can always run OpenVAS to scan your intranet.
* Apply the principle of least necessary privilege: If a dev gets pwned, an attacker should not be able to steal all your internal data, only the portion that specific dev needed for their work.
* If you really have no idea, push for a CISO (and the budget for the CISO to fulfill their role).
* You can hire a pentesting company to check your IT (usually this is recommended to be done regularly, e.g. twice a year).
* You can also hire people to assist you with creating a ISO27001-compliant security policy; not sure if that makes sense for a startup, except maybe if you really have no idea what you're doing IT security wise. But then you should get help anyway.
* 2FA with FIDO/U2F/Yubikeys or similar hardware tokens (no need to get the expensive Yubikeys if generic FIDO/U2F do the job as well)
* No BYOD
* Only IT admins need admin/root privileges on their machines.
* If you're using Active Directory: At least use the "legacy AD tier model", or take a look at the https://docs.microsoft.com/en-us/security/compass/privileged... -- if you're going to go the simple route (giving IT admins one account for their daily work, which also has domain admin privileges) lateral movement on your IT becomes much easier
* Use a password manager; we use the enterprise version of 1Password. If that's out of budget, take a look at vaultwarden (self-hosted bitwarden), which is FOSS; I'm happy with that at home.
* I wouldn't have mentioned it, as I don't think it's imperative to have. But since major players had such problems with roll out after their startup phase, I'd take away the opposite lesson of what some people recommend: It might be a good idea to implement DNSSEC early on, while it's easier to integrate and doesn't cause too much trouble.
* HTTPS with proper certs for everything. Might be difficult in an intranet: In my lab network I'm running a SmallStep CA with a NameConstraint for 'foobar.tld' (so that can only be used to sign certs for my domain; if it is hacked, an attacker can not produce a cert for google.com that I'd accept). I've setup ACME on that CA, so all my PCs can just do internal HTTP challenges to get/renew certs (DHCP clients are on '$clientname.dhcp.foobar.tld', so they can't spoof e.g. 'vaultwarden.foobar.tld'). However most companies I've seen run a AD-based PKI and use other mechanisms for cert roll out. My variant is still about as safe as Let's Encrypt (as long as the CA VM isn't breached).
* If you're running Active Directory (which you want to do in case you're on Windows), harden the crap out of it. We usually point our customers to German checklists, but I bet there are also good English language ones.
* Network segmentation (VLANs) with firewalls b...
If you really have no idea, push for a CISO (and the budget for the CISO to fulfill their role).
There's no hard-and-fast rule for this but the sense I get from doing this work is that the startup industry norm is to make a first security hire somewhere between engineer #20 and #40. That hire is usually not a CISO: your first security hire needs to be a hands-on-keyboard person, and CISOs are not that. "Senior Security Engineer" is probably the modal first security hire at startups, followed by "Director of Security" (for startups that expect to hire security person #2 within 6-9 months of #1).
A decent general rule might be "if you have to ask, you shouldn't be hiring a CISO".
* You can hire a pentesting company to check your IT (usually this is recommended to be done regularly, e.g. twice a year).
The industry standard here is software/prodsec pentests done once a year or on major releases, whichever interval is longer. Figure a serious software pentest is going to cost $25k-35k for a typical SAAS product.
You can get network pentests done; they're much cheaper than software pentests. I probably wouldn't do them annually.
Also, don't do DNSSEC.
* A CISO is management-team and, especially, customer-facing.
* A CISO's reports tend to be managers, not IC's.
* A CISO often reports to the CEO, the CFO (if they own risk), and, sometimes, to the board.
* A CISO will tend to own multiple security sub-practices: product security, IT security, abuse, sometimes risk.
* A Dir/Sec tends to report to engineering management.
* A Dir/Sec is occasionally customer-facing, but it's not most of the job.
* A Dir/Sec will tend not to own things like abuse and risk.
* A Dir/Sec will usually, when first hired, do IC-level work on prodsec and IT security.
* A Dir/Sec's reports are usually ICs.
A pretty normal progression might be:
1. Hire a Sr Sec Eng
2. Hire another Sr Sec Eng
3. Hire a Dir/Sec
4. Hire a bunch of Sec Eng (build out an ops team, a product security team, and a team for IT stuff)
5. Promote the Dir/Sec to VP/Sec and hire managers for the teams.
6. Get real big.
7. Promote or hire a CISO (the CISO hire is often an opportunity to bring a marquee resume into the company to impress the market).
I think the thing to remember about startups is that even startups with traction rarely have the headcount slots to get past (2) or (3) on that list until they have lots of engineers; I don't have numbers to back this up but my guess is that the median startup with a 3+ person security team has over 100 employees.
So, if you're talking about your first security hire, as a young startup, it's hard to make a CISO make sense. You might call your first security hire "the CISO", but I'd say willingness to be called a "CISO" at a startup when you have low-single-digit reports is probably a mild red flag for that person.
It may be an idiosyncrasy of mine to call the title "Dir/Sec"; "Dir/Sec" is the fluffiest title I think an experienced security person would be comfortable taking in a young startup. But you could also call that person a "Security Manager" or a "Security Lead"; some of this also depends on how flat your org is.
(Ah, well, obviously I have no idea about startups ;))
As already noted, a tailored list for startups doesn't really exist. IMO, there are two approaches when it comes to establishing security in a Startup. You can either go the standard route or the checklist route.
1. Standard route: You hire a consultant, decide on a standard (preferably ISO27k) and go implementing. Costs a lot of money, takes a lot of time/energy, you will be happy about it in the future, if your company is not broke by then.
The German Federal Office for Information Security has adapted the ISO27001 standard in the past and created the so called Core Protection methodology. You can find the details here: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundsch...
It's a nice compromise between adherence to the standard and pragmatism.
As a Startup you basically want to protect two things: your IP and availability of your product. The core protection method allows you to specify a very narrow scope that you want to protect and helps you to develop protection requirements.
2. The checklist route: If standards are not your thing, I would advise you to take a look at CISA's "Cyber Essentials" checklist for Small and Midsize Businesses.
If you have 90% of these things implemented - which should be very easy for a startup - you will have a better security posture than 90% of all other companies out there (if not more).
https://www.cisa.gov/cyber-essentials
On what basis do you make this claim? I’m working in cyber and see the damage side in large companies. IP is never a thing. It’s mostly service / production availability and, with companies doing business in the US, data breaches (loss of PII).
Reputation is really hard to measure and has not been observed in cyber to my knowledge. People say they care, but most don’t.
Trade secrets is IP what OP mentioned. It’s not a big thing in the incidents I have seen.
I agree, IP is very hard to measure. Especially for large corporations it is impossible to monitor if competitors gained access to IP due to an incident. I don't think the measurement portion is too interesting though. If a startup develops one product, or one solution, then that's the one thing your business revolves around. If your competitors can copy your product easily, because your S3 buckets are wide open you may go bankrupt. Cybersecurity is a means to an end. Not all things may lead to you going out of business. Focus on those that could.
If I understand your last point correctly, we seem to agree on the Availability piece.
This is not a comprehensive checklist per se, but a minimum set of security controls to implement to help secure your AWS account and workloads running on AWS within your account.
A capability is an access token to a resource, and NOT a user account. Think of it as a $10 bill. If you pull a $10 capability from your wallet, you can't lose $1000 by accident, no matter how badly things go.
Flickr makes it possible to give out a guest pass for photos, for example.[2] The nice thing about a guest pass is you can revoke it at any time.
[1] - https://en.wikipedia.org/wiki/Capability-based_security
[2] - https://www.flickrhelp.com/hc/en-us/articles/4404069601172-C...
Whether a startup, a small company or a large corporation, there is at least one IT security standard in each developed country, if not an international standard (e.g., ISO27002 , NIST cybersecurity, etc.). Their role is exactly what they are called for: they tell whoever owns an IT system what should be done to protect it.
Unless you're an academic doing research, or you have personally reached the limits of a standard in your organization, there is no reason to look elsewhere.
Pull the standard from your country, or pull the ISO27002, and start working on your spreadsheet and assigning tasks :)