Most CTOs today have a software engineering background but have only limited knowledge about securing applications at scale.
The goal of this post is to be an easy-to-understand resource that gets you started on the path to a more secure app: a guide that early-stage CTOs (and anyone else) can use to harden their security without it feeling like a chore.
Restrict internal services by IP addresses
Your infrastructure and non-public properties (hosted CI, admin interfaces, databases, etc.) should never be reachable from the public internet. Keep them in a private network (a VPC, for example) and allow connections only from addresses you control: a bastion (jump) host, a VPN endpoint, or your office's egress IP range. Enforce the restriction at the network edge first (firewall rules, cloud security groups). An application-level allowlist is a useful second layer, but be careful with proxy headers such as X-Forwarded-For: a client can set that header to anything, so it is only meaningful when a proxy you trust is the one that wrote it.
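As an added example (not code from the original post), here is what the application-level layer looks like in Python: a small WSGI middleware that allows an internal service to answer only to an allowlist of networks, and that trusts X-Forwarded-For only when the TCP peer is a known proxy. The address ranges are constructed (TEST-NET and RFC 1918 space standing in for an office, a bastion host, a VPN subnet and the load balancer); substitute your own.

```python
"""Application-level IP allowlist for an internal service.

Added example, not code from the original post. Assumptions: the service runs
behind a reverse proxy or load balancer at a known address that appends the real
client IP to X-Forwarded-For; the ranges below are constructed placeholders.
This complements, and does not replace, firewall or security-group rules.
"""
import ipaddress
from ipaddress import IPv4Address, IPv6Address
from typing import Iterable, Optional, Union

Address = Union[IPv4Address, IPv6Address]

# Constructed policy: who may reach the admin interface / CI / database console.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/28"),   # office egress range (hypothetical)
    ipaddress.ip_network("198.51.100.7/32"),  # bastion (jump) host (hypothetical)
    ipaddress.ip_network("10.8.0.0/24"),      # VPN client subnet (hypothetical)
]
# Only these hosts are allowed to speak for the client via X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]  # load balancers (hypothetical)


def _in_any(addr: Address, networks: Iterable) -> bool:
    return any(addr in net for net in networks)


def client_ip(remote_addr: str, xff: Optional[str],
              trusted_proxies: Iterable = TRUSTED_PROXIES) -> Address:
    """Decide which address to authorise.

    If the TCP peer is not a trusted proxy, X-Forwarded-For was written by the
    client itself and is ignored. If the peer is trusted, walk the header from the
    right and return the first hop that is not itself a trusted proxy: that is the
    last address a proxy actually observed, and anything left of it is unverified.
    A malformed header fails closed to the proxy's own (non-allowlisted) address.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not xff or not _in_any(peer, trusted_proxies):
        return peer
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer
        if not _in_any(addr, trusted_proxies):
            return addr
    return peer


def is_allowed(remote_addr: str, xff: Optional[str] = None,
               allowed: Iterable = ALLOWED_NETWORKS,
               trusted_proxies: Iterable = TRUSTED_PROXIES) -> bool:
    """True only if the resolved client address lies inside an allowlisted network."""
    try:
        return _in_any(client_ip(remote_addr, xff, trusted_proxies), allowed)
    except ValueError:  # unparsable REMOTE_ADDR: deny rather than guess
        return False


class IPAllowlistMiddleware:
    """WSGI middleware: requests not on the allowlist get a 403 and never reach the app."""

    def __init__(self, app, allowed=ALLOWED_NETWORKS, trusted_proxies=TRUSTED_PROXIES):
        self.app, self.allowed, self.trusted = app, allowed, trusted_proxies

    def __call__(self, environ, start_response):
        if is_allowed(environ.get("REMOTE_ADDR", ""),
                      environ.get("HTTP_X_FORWARDED_FOR"),
                      self.allowed, self.trusted):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]
```

The case worth noticing is a request from the internet that carries a forged header. The proxy appends the real source address, so the header arrives as `203.0.113.5, 8.8.8.8`; walking it from the right lands on `8.8.8.8` and the request is refused, whereas naively taking the first entry would have let it through.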
Segment the network
Limit what each part of the network can see. Split it into subnetworks (VLANs, subnets, or security groups in the cloud), each one a segment with its own access rules: the databases in one, the CI runners in another, the office workstations in a third.
An attacker who compromises a host in one segment then sees only that segment. Working out what else exists and how to reach it is one more step for them, and a little more peace of mind for you.
Segmentation also contains damage. A failure or compromise in one segment can be quarantined, with the segment's traffic cut off, without it propagating to the rest of the network.
Harden your nodes
Hardening your hosts makes pivoting harder and adds a layer of protection to your network segments.
"Will do!", you say, "but what the heck is pivoting?"
It's the technique of using a compromised host as a foothold to attack the other hosts and network segments it can reach, widening the attacker's range with each hop. Hardening is the standard defence: paying careful attention to how each device and service is configured.
In practice this means changing default credentials and removing software, logins, and services you don't need. The following are some basic hardening tasks:
- Use strong, unique passwords, and prefer SSH keys over passwords for remote login
- Close ports you don't use, and expose the ones you do need (SSH, for example) only to your bastion host or VPN
- Apply security patches promptly
- Encrypt data in transit and at rest with standard, well-reviewed protocols and libraries (TLS, for example); don't try to reinvent the wheel with your own crypto
- Isolate workloads in virtual machines or containers, so a compromised service can't read the files or processes of the others
Implement a firewall
Firewalls are simple programs that can be the difference between a server working correctly and a server being compromised.
The firewall's job is to protect internal networks from unauthorized external access and attack attempts: by default nothing gets in, and you open only the ports each host actually serves.
Firewalls are really useful, but only if you take the time to configure them carefully. A firewall left at its defaults, or one that allows everything so nothing breaks, is just a waste of valuable resources.
Run it unprivileged
If an attacker successfully hacks your application, having your services run as restricted users forces them to escalate privileges before they can take over the host or bounce to other services.
Privileged users are called root on Unix systems, and Administrator or SYSTEM on Windows systems.
These accounts have complete control of the system, so leave them alone and use them only where they are specifically and inevitably necessary.
A common scenario is to find databases running as root/SYSTEM, or a single database account shared by more than one database or application, which brings us to another weakness.
If an attacker gains access to one database through that shared account, they automatically have access to all the rest. So don't run services as privileged users, and create a separate account, with its own password and only the privileges it needs, for each database and each service you have.
Make sure all your critical services are secured
As a company you rely on a variety of services like Google Apps, Slack, WordPress, etc. Don't settle for the security defaults of these tools: they are some of the first things attackers try, and they are an easy attack vector if not configured properly. Change the default administrator credentials and turn on two-factor authentication wherever the service offers it.
Password managers such as KeePass or LastPass generate and store credentials for you; they unlock with a single master key (or Touch ID in their mobile versions), so you never have to reuse a password across services.
Also, make sure you update everything regularly. This is not about getting a nicer interface: in the majority of cases updates are released to fix vulnerabilities, and new functionality often includes new security measures.
So, if you have any default credentials, change them! And if you have any software, service, or platform with a pending update, update it!
Backup, then backup again
Back up all your critical assets, and restore from those backups regularly so you know they actually work. A backup you have never restored is a hope, not a backup.
Don't do it only when you remember to, nor with a year between each backup. Be regular, at intervals that match how much data you can afford to lose. Don't take unnecessary risks. S3 is a very cheap and effective place to keep backups: turn on versioning, encrypt the contents, and give your servers write-only credentials for the bucket, so an attacker who owns a server can't also wipe its backups.
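The "restore it and check" part is the one people skip, so here is an added example (not from the original post) of a restore drill in Python: record a SHA-256 manifest of the live data when the backup is taken, restore into a fresh directory, and refuse to call the backup good unless every file comes back byte-for-byte. Local directories stand in for the bucket here; the copy step would be `aws s3 sync` in practice, and the sample data is constructed.

```python
"""Backup with a restore drill: prove that what comes back is what went in.

Added example, not code from the original post. A local directory stands in for
the S3 bucket so this runs offline; in production the copy step would be
`aws s3 sync LIVE_DIR s3://BUCKET/PREFIX` into a versioned bucket, and the
manifest would be stored with it. Sample files below are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, dest: Path) -> dict:
    """Copy the tree and write a manifest next to it; return the manifest."""
    shutil.copytree(src, dest / "data")
    m = manifest(src)
    (dest / "MANIFEST").write_text("".join(f"{h}  {p}\n" for p, h in m.items()))
    return m


def restore(backup_dir: Path, target: Path) -> None:
    shutil.copytree(backup_dir / "data", target)


def verify(expected: dict, restored: Path) -> list:
    """Return a list of problems; an empty list means the restore is complete and intact."""
    actual = manifest(restored)
    problems = [f"missing: {p}" for p in expected if p not in actual]
    problems += [f"unexpected: {p}" for p in actual if p not in expected]
    problems += [f"mismatch: {p}" for p in expected if p in actual and actual[p] != expected[p]]
    return problems


def restore_drill() -> tuple:
    """Back up a constructed tree, restore it, then corrupt the stored copy and restore again.

    Returns (problems_after_clean_restore, problems_after_corrupted_restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "db").mkdir(parents=True)
        (live / "db" / "dump.sql").write_text("CREATE TABLE users (id INT);\n")   # constructed
        (live / "config.yml").write_text("region: eu-west-1\n")                    # constructed

        expected = backup(live, tmp / "bkp")
        restore(tmp / "bkp", tmp / "restore1")
        clean = verify(expected, tmp / "restore1")

        # Simulate silent damage to the stored copy: bit rot, a truncated upload, tampering.
        with (tmp / "bkp" / "data" / "db" / "dump.sql").open("r+b") as f:
            f.seek(0)
            f.write(b"X")
        restore(tmp / "bkp", tmp / "restore2")
        damaged = verify(expected, tmp / "restore2")
        return clean, damaged


if __name__ == "__main__":
    ok, bad = restore_drill()
    print("clean restore:", ok or "no problems")
    print("damaged restore:", bad)
```

Run the drill on a schedule, not just once, and treat a non-empty problem list as an incident: the point is to find out that a backup is bad while you still have the live data, not after you have lost it.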
Enforce a password policy
Please don't act surprised if I just guessed at least one of your passwords.
There are plenty of tools that automate password brute-forcing and credential stuffing, techniques attackers routinely use to find default or weak passwords.
Get in the habit of generating secure passwords and storing them in a password manager; you don't need to remember each one. Your customer, personal and enterprise data will be much harder to steal if you require strong passwords: a generous minimum length, mixed case and special characters, no reuse across services, and a check against lists of common or breached passwords. Of these, length and the common-password check matter most: a policy that accepts "Password1!" because it ticks every composition box is not doing its job.
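As an added example (not from the original post), here is a Python policy check and generator that does what the paragraph describes: composition and length rules, a common-password check that strips the trailing digits and punctuation people bolt onto dictionary words, and generation from the OS CSPRNG. The 12-character minimum, the 20-character default and the tiny common-password set are assumptions of this example; in production you would check against a large breached-password list.

```python
"""Password policy check and generation.

Added example, not code from the original post. The minimum length, the generated
length and the tiny common-password set below are assumptions for illustration;
real deployments check against a large breached-password list instead.
"""
import math
import secrets
import string

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "monkey",
}
SPECIALS = set(string.punctuation)


def _core(pw: str) -> str:
    """Strip the digits/punctuation bolted onto a dictionary word: 'Password1!' -> 'password'."""
    return pw.lower().strip(string.digits + string.punctuation)


def check_password(pw: str, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if pw.lower() in COMMON_PASSWORDS or _core(pw) in COMMON_PASSWORDS:
        problems.append("based on a common password")
    if len(set(pw)) < 5:
        problems.append("too few distinct characters")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate with the OS CSPRNG (`secrets`, never `random`) and retry until the
    policy is satisfied, so callers never receive a password the policy would reject."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw, min_length=length):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password. 20 characters from 94 symbols is about
    131 bits; 8 characters is about 52, however many symbol classes they contain."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("Password1! ->", check_password("Password1!"))
    print("generated  ->", generate_password())
```

Note what the check does not do: it would reject a long random passphrase of lowercase words for lacking digits and symbols. If you adopt composition rules, pair them with a length that makes the password strong regardless, and let a password manager generate the result so nobody has to type it from memory.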
It's very common for an employee to leave a company while their credentials can still be used to access the servers or platforms they had been working with.
We've seen this happen up to three years after the employee has left 😱
This is usually because no one keeps track of what kind of access is given to workers, so when one of them moves on to a different job there is no record of what she or he was authorized to access, and hunting down every single credential becomes a daunting task.
To solve this, keep an access register, even a simple spreadsheet, listing for each person their name, position, every service or platform they can reach, the account name, its privileges and when it was granted. Keep the passwords themselves in the password manager, not in the spreadsheet. When someone leaves, walk the register: disable their personal accounts, and rotate any shared credential they knew, because you can't un-share a password. Centralized login (single sign-on) makes this far easier, since disabling one identity cuts off everything behind it.
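As an added example (not from the original post), here is the register and the offboarding walk in Python, using a constructed CSV with invented people and systems. It separates accounts to disable from shared accounts whose password must be rotated, lists the privileged accounts that deserve a second look, and flags grants that nobody has reviewed in a year.

```python
"""Access register and offboarding checklist.

Added example, not code from the original post. The CSV below is constructed
(no real people or systems). The register records who holds what; the secrets
themselves live in the password manager, never here.
"""
import csv
import io
from collections import defaultdict
from datetime import date

REGISTER_CSV = """employee,system,account,privilege,granted_on
alice,aws,alice@example.com,admin,2019-03-01
alice,github,alice-dev,owner,2019-03-01
bob,github,bob-dev,member,2020-06-15
alice,prod-db,app_reporting,read-only,2020-01-10
bob,prod-db,app_reporting,read-only,2020-06-15
carol,slack,carol,admin,2021-02-02
"""


def load_register(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def offboarding_checklist(rows: list, employee: str) -> dict:
    """What to do when `employee` leaves.

    Personal accounts are simply disabled. An account that other people also use
    cannot be 'revoked' for one person, so its credential has to be rotated."""
    holders = defaultdict(set)
    for r in rows:
        holders[(r["system"], r["account"])].add(r["employee"])
    disable, rotate = [], []
    for r in rows:
        if r["employee"] != employee:
            continue
        label = f"{r['system']}:{r['account']}"
        (rotate if len(holders[(r["system"], r["account"])]) > 1 else disable).append(label)
    return {"disable": sorted(disable), "rotate": sorted(rotate)}


def privileged_accounts(rows: list) -> list:
    """Accounts with admin/owner rights: the ones to review first, and to protect with 2FA."""
    return sorted(f"{r['employee']} -> {r['system']}:{r['account']}"
                  for r in rows if r["privilege"] in {"admin", "owner"})


def stale_grants(rows: list, as_of: date, max_days: int = 365) -> list:
    """Grants older than max_days that nobody has re-confirmed: candidates for removal."""
    return sorted(f"{r['employee']} -> {r['system']}:{r['account']} ({r['granted_on']})"
                  for r in rows
                  if (as_of - date.fromisoformat(r["granted_on"])).days > max_days)


if __name__ == "__main__":
    rows = load_register(REGISTER_CSV)
    print("alice leaves:", offboarding_checklist(rows, "alice"))
    print("privileged:", privileged_accounts(rows))
    print("stale:", stale_grants(rows, date(2021, 6, 1)))
```

The shared `app_reporting` database account is the interesting case: removing Alice from the spreadsheet changes nothing about her ability to log in, so the checklist tells you to rotate that password (and to distribute the new one to Bob through the password manager).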
Do not click everything
Phishing can be in any corner of the web, including your email inbox, on your computer or your phone, and according to an Intel Security survey, 97% of people could not correctly identify every phishing email they were shown.
It's important to understand that sometimes a simple click is not as simple as we think. At any point we can click through to the wrong page and hand our personal (and probably credit card) details to the wrong person, or download malware that infects not only our computer but the whole network.
Train each and every one of your employees to recognize this kind of attack. Before clicking, check where the link really goes (hover over it; the visible text and the destination can differ), check the sender's actual address rather than the display name, and check the real file extension of any attachment.
If you or someone on your team has any doubts about the content of an email, contact the person it claims to come from through some other channel: give them a call or send them an SMS, using a number you already have rather than one taken from the email. It only takes a few minutes, and it's better to be safe than sorry.
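The three checks above (link, sender, attachment) are mechanical enough to put in code, which is useful both for training material and for a first-pass filter. Here is an added example in Python, not from the original post: the company domains and the sample messages are constructed, and "registrable domain" is approximated as the last two labels, which is fine for these samples but wrong for suffixes like .co.uk (real code would use a public suffix list). It catches the cheap tricks only; whether a sender address is genuine needs SPF/DKIM/DMARC at the mail server, and the out-of-band phone call remains the final check.

```python
"""Mechanical phishing checks: where a link really goes, who really sent the mail,
what an attachment really is.

Added example, not code from the original post. OUR_DOMAINS and the sample
messages are constructed. registrable() takes the last two labels, an
approximation that fails for suffixes such as .co.uk; use a public suffix list
in real code.
"""
import re
from urllib.parse import urlparse

OUR_DOMAINS = {"example.com", "example-corp.com"}  # constructed
DANGEROUS_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".iso", ".jar"}
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def registrable(host: str) -> str:
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def link_warnings(display_text: str, href: str) -> list:
    """Compare the text a user sees with the URL the click actually follows."""
    w = []
    u = urlparse(href.strip())
    host = (u.hostname or "").lower()
    if u.scheme != "https":
        w.append(f"link is not https ({u.scheme or 'no scheme'})")
    if u.username is not None:
        w.append(f"text before '@' in the URL is not the host; real host is {host}")
    if host.startswith("xn--") or ".xn--" in host:
        w.append("punycode host, possible homoglyph domain")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        w.append("link points at a raw IP address")
    shown = HOST_RE.search(display_text.lower())
    if shown and registrable(shown.group(1)) != registrable(host):
        w.append(f"text shows {shown.group(1)} but link goes to {host}")
    return w


def split_from(from_header: str) -> tuple:
    """'Name <addr>' -> (name, addr); a bare address -> ('', addr)."""
    m = re.fullmatch(r'\s*"?(.*?)"?\s*<([^<>\s]+)>\s*', from_header)
    return (m.group(1), m.group(2)) if m else ("", from_header.strip())


def sender_warnings(from_header: str) -> list:
    """Look past the display name to the address the mail actually came from."""
    w = []
    name, addr = split_from(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    if not domain:
        return ["sender address has no domain"]
    shown = HOST_RE.search(name.lower())
    if shown and registrable(shown.group(1)) != registrable(domain):
        w.append(f"display name shows {shown.group(1)} but mail is from {domain}")
    if registrable(domain) not in OUR_DOMAINS:
        for ours in OUR_DOMAINS:
            brand = ours.split(".")[0]
            if brand in domain:
                w.append(f"{domain} is not ours but contains '{brand}'")
                break
    return w


def attachment_warnings(filename: str) -> list:
    w = []
    if "\u202e" in filename:
        w.append("right-to-left override in filename: the displayed extension is reversed")
    suffixes = re.findall(r"\.[a-z0-9]+", filename.lower())
    if suffixes and suffixes[-1] in DANGEROUS_EXT:
        w.append(f"executable type {suffixes[-1]}")
        if len(suffixes) >= 2:
            w.append(f"double extension: looks like {suffixes[-2]} but is {suffixes[-1]}")
    return w


def triage(msg: dict) -> dict:
    """msg = {'from': str, 'links': [(text, href), ...], 'attachments': [filename, ...]}."""
    return {
        "sender": sender_warnings(msg.get("from", "")),
        "links": [w for text, href in msg.get("links", []) for w in link_warnings(text, href)],
        "attachments": [w for f in msg.get("attachments", []) for w in attachment_warnings(f)],
    }


def is_suspicious(msg: dict) -> bool:
    return any(triage(msg).values())


# Constructed sample messages.
SUSPICIOUS_MESSAGE = {
    "from": '"it-support@example.com" <helpdesk@example-corp-billing.com>',
    "links": [("www.example.com/reset", "http://example.com.account-verify.evil.net/login")],
    "attachments": ["invoice.pdf.exe"],
}
LEGIT_MESSAGE = {
    "from": "IT Support <helpdesk@example-corp.com>",
    "links": [("Click here", "https://example.com/reset")],
    "attachments": ["report.pdf"],
}
```

Use `triage()` in training: show people the warning list next to the message and they learn where to look. Use `is_suspicious()` as a filter only with care; a message with no warnings is not a safe message, it is one these checks cannot see through.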
Yes, you’re a target
People have a habit of saying “No, that’ll never happen to me!”, and fate has a tendency of showing them otherwise.
You need to understand that you’re a target, especially if you’re sure that you’re not. Be proactive, take enough precautions (and a bit more), and remember: security shouldn’t feel like a chore.