Minimum Viable Security

Video in TIB AV-Portal: Minimum Viable Security

Formal Metadata

Title: Minimum Viable Security
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract

We'll look at creating a full security program for a startup-sized company, one that can start quite small, but can be iterated on continually, and grown to match the growth of your business. This talk uses the conceit of a five-day program, to be completed in a one-week sprint, but the steps could easily be scaled down to just a few hours, spread out, or otherwise modified to fit your time and organization.

Day 1 - Training: for a security program to work, it needs to be everybody's responsibility, not just a select few. So your first step in creating a security program is to establish a minimum bar for secure coding techniques. Luckily, basic secure coding is easily explained and taught, and there are great free guides and resources that can form the backbone of a simple, easy training program. On Day 1, you'll pull together these guides and create a training manual.

Day 2 - Secure Development Lifecycle: now we know how to write good code, but how do we ensure that best practices are followed? As we learn lessons about our own product and its security posture, how do we make sure those learnings are captured, retained, and applied in the future? The answer to these questions lies in creating a Secure Development Lifecycle, which is just a fancy name for procedures and checklists that capture your best practices, and help remind you of them as you ship new features. On Day 2, you'll write those checklists, adopt some lightweight process, and begin tracking your product security.

Day 3 - Incident Response: sooner or later, something will go wrong. When it does, will you be able to respond? Trying to make up an incident response process when something's already on fire is an unpleasant experience, and you can avoid it with a little bit of preparation. On Day 3, you'll develop a basic IR plan, run a table-top exercise to try it out, and be ready to respond if and when something goes bump in the night.

Day 4 - Governance, Risk, and Compliance: there's an alphabet soup of security standards: ISO, SOC, SIG, PCI, HIPAA, FIPS, FISMA, FedRAMP... oh my! At small scale, most of these formal attestations probably aren't worth the investment. However, at larger scale these ways of formally proving security standards start to become increasingly important. Completely ignoring formal risk programs can get you into a bind if you decide to pursue them later. Thus, on Day 4 you'll lay the groundwork for a formal GRC program, making sure you're ready to start down this path once your business grows to that point.

Day 5 - Brag about it! At this point, you've got a security program far better than most startups (and better than many established businesses). This is great! Security is increasingly a concern even for non-technical customers, and now that you've got a good story to tell, you should tell it! On Day 5, you'll lay out that security story, publicly, and make sure your customers know about all your hard work.
Transcript

So I'm going to get you thinking systemically about security. I'm not thinking about the cryptography and hashing, password security, using templates and escaping; I'm not talking about the technical details, although Chelsea gave a talk earlier today which covers a lot of technical details, so if you want to know more about that, watch the video. What I want to talk about is: how does your organization think about security? What is your security program? Let's get a quick reading: how many people here work for an organization you would say has an established security program? OK, somewhat more than I thought. And how many of you do some form of security in your day job but don't really understand exactly how it fits into the larger picture of your organization's security posture? Right. So I'm speaking first to the people who didn't raise their hands, and second to the people who don't think they have a program or don't understand their organization's security. I'm really only answering one simple question here, which is: what does a minimum viable security program look like? I work at Salesforce. Salesforce has fifteen thousand employees; we've got a security program, we've got lots of security programs. I'll answer what this looks like if you're four people, if you're twelve people, if you're a small development team within a larger context that needs to sort of get its act together. We're really talking about minimum.

We're not talking about bad products. This image here really describes exactly how you should think about what minimum viable means: it doesn't mean let's just build one part of it; it means let's build something that satisfies. So in this example, and I won't tell you how to build a skateboard, but the conceit of this talk is: let's say you've got one week, a sprint, where you can sit down with your co-workers, and at the end of that week you want to have an established, defined, measured, successful security program, ready to be iterated on over the next five weeks, five months, five years. So here's what we'll do.

Monday we'll develop a training program to make sure that developers understand what building secure software means. Tuesday we'll worry about the SDL, which is a fancy way of saying: what is security here, and how does it work? Wednesday we'll plan for when the shit hits the fan, excuse my French. Thursday we're going to talk about what a lot of people think of as the boring parts of security: governance, risk and compliance, formal security programs. And Friday: tell the world that you've just done some awesome work.
So, train your staff. Security is a shared responsibility. A system is only as strong as its weakest link, and this means we need to strengthen all of the links. Every single person at your organization is in some sense accountable for the security of your organization, whether they're a developer who needs to write code that protects against SQL injection, or an admin who needs to not fall prey to a phishing attack and share corporate calendars, or a janitor who needs to keep the doors locked, or a manager who needs to not approve the change that would be a bad idea for the company's overall risk profile. These are all actions that people need to take to ensure that we're doing our best job protecting our organization and, most importantly, our customers. So you really need to have a whole security awareness training for everyone at the company. This is not optional; I'll talk a bit about why in a minute. Also, I suggest you focus on some very basic security hygiene practices. Good passwords is the easy one. Luckily there are several good password management utilities, LastPass and 1Password; they're not hard to use. I hesitate to admit LastPass is a little hard to use, but it has some good features, so you can make a decision there about usability versus features and decide which one you like. Training staff to use a password manager will dramatically level up the organizational security posture of the platform. Shared password reuse, that is, using the same password on one site and another, and then site A gets compromised and attackers use it on site B, is an incredibly common attack vector.

There was an interesting breach a number of years ago of a company that was a MongoDB-as-a-service provider, and the way that they were compromised was that a password used by a staff member had also been used on Adobe's website, and Adobe was compromised. And with the compromise of that provider, a shared password used by a user of that service was used to compromise another server, a continuous integration server. So you have this chain of the attacker moving from platform to platform, harvesting passwords and trying them across other systems. So cutting out password reuse through the use of technology is a really good way to cut that down. Multifactor auth is a thing; it works; you can train your staff how to use it. And basic training in customer privacy procedures is something that you should probably be spending some time writing down and helping your staff understand. This will differ from organization to organization depending on who your customers are and what privacy means to them, but this is worth the investment. But I want to talk a bit about phishing, because that's the biggest threat that you'll probably face to the general population of your staff.
Phishing. This is from Verizon; in their yearly Data Breach Investigations Report they compile data on security breaches from hundreds of organizations and do a bunch of analysis and grouping of the types of vulnerabilities, and they found that more than two-thirds of incidents that follow this pattern of trying to steal data feature phishing. Most attacks start with either targeted or untargeted phishing e-mails. What's really scary, if you're in the security field, is that almost a quarter of recipients open phishing messages, and ten percent of them click on attachments, which means that just ten e-mails gives you a ninety percent success rate. That's pretty scary. That means if there's an attack on your company, with ten e-mails they have a fairly good chance of successfully phishing someone.

So what do we do about this? This is a big threat, and it's really hard to address because it's people. There are some technology tools: good e-mail filtering helps, Gmail's great. Being able to store and archive all of your organization's e-mail, so that you can determine the scope of a phishing attack if one occurs, is another great technological step. But really, training is the main thing that you have to do here. The same study, the DBIR, also found that the best early warning system for phishing attacks is your own staff. With a properly trained staff, the average time to respond to a phishing attack was twenty minutes. So if you have a staff that knows what phishing is and understands what it is, how to report it to you, and how to tell you that something's up, you have a better than average chance of catching an attack early on. You can do this yourself; you can also pay for this. PhishMe.com is really good; they'll run phishing attacks against your staff for you. You give them your staff list, they target them with different types of phishing attacks, and anyone who falls for one gets taken to a special customized training specifically for that style of phishing attack. It's a good service, I can recommend them, if throwing money at the problem is something you can do.

The next practice is writing code. We're at a programming conference; I'd be remiss if I didn't talk about code a little bit. So who do you think should be responsible for writing secure code? Whose job is it to write secure code? The answer is everyone. It's the same question as: who is responsible for writing tests? We used to have this idea about software testing that you have test engineers, and they would write test code, and the other engineers would write the real code, and then they'd, I don't know, meet with pistols at dawn or something. I'm here to say that didn't work, and one of the main innovations of test-driven development isn't necessarily the acronyms and the styles and the jargon and the functions; it's the idea that testing and coding are this inextricably linked cycle. It's the same way with secure development.
Parisa Tabriz, who runs Chrome security, has said that one of the key factors in her success at Google has been to push decisions around security as far down the chain as possible. This is kind of counterintuitive, because you might intuitively think: these are company-wide risks, we need to have the director of security making all the security decisions, because then we'll be really secure. It doesn't really work that way. The further you get from the hands on the keyboard, the people writing the code, the less context and information you have and the less able you are to really assess a risk. So if you're like me, someone in management, your main job should be to empower and push those decisions as far down the stack as possible. Sure, in the middle of an incident you need command and control, you need top-down, crisis-mode leadership; but for the day-to-day bread and butter of writing code, it's got to be average developers writing code day-to-day. And there's some good news here, which is that actually writing secure code is easy.

There's this idea that security is really, really hard, so we need to leave it to the experts, and I want to push back on that one. Yes, there are parts of security that are hard; cryptography is impossible, I barely understand how prime-factorization crypto works, and all this elliptic curve stuff left me behind a long time ago. But most coding doesn't involve that. Most coding is fairly easy, basic security hygiene, and basic security hygiene can get you surprisingly far. When you look into breach reports, those that happened because of vulnerable software, it's only basic stuff: SQL injection, cross-site scripting, cross-site request forgery. The basics, the stuff that's in the OWASP Top 10. It is rare for a truly novel and hard security vulnerability to actually hit the real world. So by expending a small amount of effort on basic training, you can get really, really far.

And there are a lot of good resources out there. OWASP is probably my favorite; there are quite a few others. OWASP maintains the sort of Top 10 security risks, with information on how to address them, how to identify them and what they look like, and pointers to different languages. Mozilla's secure coding guidelines are probably the best publicly available application security guidelines; they're somewhat language-agnostic, though Mozilla writes a lot of their code in Python and Django, so it'll play well to this crowd. Microsoft's guidelines are a little more focused towards compiled software; Apple has Apple's. So depending on what environment you're writing for, what type of software you're writing, one or more of these may make a good secure coding guide, and your company's secure coding guide could literally be "go read the OWASP Top 10." That would already put you many, many feet above average. So Monday's complete: we've developed a basic security awareness training program covering phishing attacks, multifactor auth, and password managers, and you've picked a secure coding guide; maybe you've customized it a little bit, maybe you've just taken it off the shelf and put some resources linking it out to your staff.
So Tuesday we'll build the SDL. It's a buzzwordy acronym; it stands for Secure Development Lifecycle, and depending on the level of formality of your organization this could involve lots of fancy flow charts and diagrams that look like they're off a government slide. But really it's an answer to a very basic question: OK, we've told people how to write secure code; how do we make sure it happens? We know what the best practices are, we know that our staff are smart and want to do them; what is the mechanism for making sure that they do? For me, the heart of an SDL is figuring out this virtuous cycle: how we take the things that we know and translate them into best practices for our organization, we follow all those best practices in development, then things happen, either successes or failures, we analyze them, and that adds more knowledge to how we build this program, so that we're continually feeding the results of the things we learn about security back in as we develop software.

So for me, the minimum SDL needs to answer three basic questions: when do we do security, at what point during the software development lifecycle do we think about security; who is doing that thinking; and what does doing security even mean? You can answer these questions in several ways. I have a suggestion, and it is this: I think doing security throughout development, as much as possible, is the best way to go. We have an internal security mailing list, we have a chat channel, and we use GitHub comments, so we have multiple ways at Heroku for staff to get in touch with us and ask us questions, ranging from very simple, like "what library do we use for auth again?", to "I'm designing an entirely new crypto widget and I need a lot of help," right, any size of engagement. So having experts available for questions, and building a culture where it's cool to ask that stuff and where people help each other out with it as much as possible. But it's probably a good idea to have an explicit security step when you're planning and building a new product, and probably again a review just before you ship. These are hard when it comes to agile, because we don't have as many explicit design-up-front steps, and shipping might be something that we do tens or hundreds of times a day. So I don't have a great answer; this is still one of these really hard problems. Figuring out how to integrate security and agile is an ongoing problem and something that's pretty tricky. But I still think you can identify moments, sort of touch points: you're about to launch a new feature, and if you're taking the time to write a blog post about it, maybe at the same time you might want to take some time to do an explicit security review. As to who does this work: you should be pushing security decisions down as far as possible.
We really focus on giving engineers tools and documentation and authority to make decisions, and taking a default position of trust. Our basic assumption is that everyone is reasonably competent at their job and trying to do it well, and that the decisions they make are more informed than the decisions we would make, so we should start from a default of trusting our average staff. If you're lucky enough to have a dedicated security team, I think the best position for that team is sort of a consulting role. You're not necessarily saying "this is the architecture" or "yes, you may build that" or "no, you may not"; you're a consultant, you're asking questions, you're answering questions, you're giving expert feedback. One thing we talk about on the team is that we try not to say no, we try to say yes. So don't just say "security says you can't do that"; it should be "there are risks, how do you plan to address them?" Those risk decisions need to be based on some fairly good understanding of what risk means for your organization. There is such a thing as acceptable risk. You're going to come up with a situation where you've got a known problem, but if you don't ship tomorrow it's going to cost the company forty thousand dollars, and so you have to make a decision: do we delay, is the security risk so bad that we need to pay the money, or do we have a plan to remediate it in a reasonable period of time, so that it's worth the risk? And the greater the risk, the higher up the hierarchy you want to push that decision; a company-wide risk decision probably needs to be made company-wide.

We build tools. This is one that we have; we refer to this as the Twine game. It's like a choose-your-own-adventure, sort of point-and-click, to figure out what level of risk a particular project is going to be and make a self-service decision about whether you might want to involve our team or not.

And so what does doing security mean? This is the last part here. What are we talking about when we say doing security? I think checklists are the greatest invention since sliced bread. Probably better: I would give up sliced bread if I got to keep checklists.
A good introduction to checklists is Atul Gawande's book, The Checklist Manifesto. He's an amazing writer, really good to read. One example he gives: there is a doctor at Hopkins called Peter Pronovost who is sort of the inventor of using checklists in medicine. There had been a big problem with central line infections, and so he designed a checklist with five items that are really simple, like: do you have clean drapes? Is the needle clean? Did you wash your hands? Really, really basic stuff. They gave this to all the doctors and nurses doing central lines and monitored the results, and over time the infection rate went from eleven percent, one in ten patients were getting infected, to zero. In fact they were so surprised by this result that they thought they were doing something wrong, so they measured for another eighteen months because they thought that they had messed something up. In the end there were two central line infections after the introduction of the checklist, down from one in ten, over two and a half years. Gawande notes that there are three kinds of problems in the world. There are simple problems, like baking a cake: you know how to bake a cake, you can do it repeatedly over and over again, you can give someone a recipe who's never baked a cake and they can probably do an OK job. There are complicated problems, like sending a rocket to the moon: the recipe is much, much longer, but there is a recipe. We know it less well, and the steps that we get wrong are often because it's more complicated, but we could write a checklist for sending a rocket to the moon; it would be a lot longer than the cake, but it would be a thing. Then there are complex problems, like raising a child: there is no one way to raise a child; you can't give someone a laminated checklist on how to raise a child and expect that to work repeatedly every time, or even any time. And the key observation is that we are besieged by simple problems. Life is full of fairly easy things that we just don't know how to do, or that we just don't do consistently, and a checklist is how we solve simple problems: we can give someone a checklist that reminds them how to do the simple problem.

Here are a couple of ours. This is a project-level assessment, the self-service checklist that a developer goes through when getting ready to write a new component, or when reviewing one. We have a checklist for vulnerability management, for when we find out, to the best of our ability, about OpenSSL, just hypothetically, and have to decide what we're going to do about it. We have a lot of these; we think they're great. If you want to dive into the checklist world, yes, there is a checklist for writing checklists, and that will tell you how to write a good checklist, and then of course there's Gawande's book, which is pretty fantastic.

So Tuesday: you've created an SDL, you've documented your virtuous cycle, when do we do security, who does security, and what is doing security. And if you take only one idea away from this talk, please let it be checklists. They're great; they're an incredibly lightweight way of introducing something you can call process, without the sort of overhead and business bullshit that you normally associate with words like process and policy.
OK so you you you know your staff is trained in other words if your software now it's time to start thinking about when things go wrong but you know as as but they said
everybody must get owned have that right the fact is that this is this is sort of unfortunately true and the but wish I observed that were starting to sort of view breaches as a fact of life on and this is by so this is depressing because it shows just how bad we are jobs and how much we need to really level up here to stay ahead of the black hats that this this and so allowing to that for people involved in security because it means and then judged on our response or time to respond our ability to contain an attack or transparency are security practices and really interesting quite an this this is attended but this just happened the other but there was a circuit court that ruled that the FTC has the authority to find companies for violating security practices under that under the idea that it's deceptive trade practices to offer your customers privacy and then not follow basic security practices but this is a really interesting decision because it implies that the the FTC might actually be getting into that the courts and and regulators are getting the business not just of like you know regulating PCI and Hepburn those sorts of things that actually like do you have passwords you don't have your password that's an accepted best practice fine you for doing it and so suddenly I think you were reaching a point where companies security practices are being critiqued certainly in the court of public opinion as we've seen with with Sony inaction Madison but but I think actually shortly going to start seeing companies security practices critique in that the court of of of courts and I think that's nothing but a good thing right I think that will drive much more adherence to the things that we already know are are best practices but what this means for us is
that we need to get our house in order before anything happens. If your incident response planning starts when you get that phone call telling you that something's wrong, that there are attackers on the network, or that there was a login from someone who left the company a year and a half ago, it's going to be disastrous. I know one company that was breached last year: I spoke to a person who introduced themselves as the CISO and the director of security, and I found out later that they didn't have a security department. When the breach began, the CEO called this person and said, "I'm promoting you to chief security officer, deal with this." Yeah. Don't do that. So it's hard for me to be
as prescriptive as I've been on previous points, because I think the details of your incident response plan are going to be very specific to your organization, your risk profile, your regulatory exposure, your customer base, your product, and so on. So instead I'll give you some questions to think about and a framework to structure your incident response planning; the work of writing an incident response plan is answering these questions. I break IR out into five steps. The first is initiating a response: how does someone report a breach? How do we track incidents? Do you use a bug tracker, do you have a whiteboard, do you use Trello, where do you track that stuff? And on that point: what happens if the thing that you use to track incidents is the thing that's been compromised? Good question to ask. What are the responsibilities during an incident? As you move into actually managing the incident, you need to understand how communication is going to happen: who communicates, where does it happen, who's involved, how often do you send situation updates? An important question for people at a senior management level is: at what point do I need to wake up the CEO or the executive team? How severe does it need to get? When do I need to bring in lawyers? Those sorts of questions. Then we need to figure out what's even gone wrong, how we collect this information, and who's going to follow up on it. This can be fairly lightweight. Our preferred tool for assessment during a breach is just a Google Doc: we open an incident, we open a Google Doc, and everyone just writes in it. By the end of the incident there might be a hundred pages of random notes, output from log files, and random stuff, but now we've got a nice, complete, timestamped log of everything that we did during the response. None of that needs to be heavyweight,
but knowing that that's what you're going to do saves you those five minutes of thinking about where you're going to track your work. So once we've figured out how severe a problem is, we need to know what our response scaling needs to be. The reality is that not every incident is an everything-is-on-fire, all-hands-on-deck, stop-the-presses event. Some things are bad, but waking up the team responsible would be worse; let's get them in the morning to fix it. Have a system for determining that, so it's not a seat-of-the-pants decision. Then you fix things. A really common problem is to knee-jerk and fix the one thing that happened in that situation, even though maybe that's not the root cause, or maybe this incident exposes a lot of other long-term things. So how are you going to ensure that any long-term remediation tasks are actually followed through on? And for people with customer notification requirements, it's important to know what your legal, ethical, and moral requirements are around notifying customers. There are likely going to be both legal requirements and, I hope, also ethical requirements around when you tell your customers that something happened. And finally, all of this is useless if you don't learn something from it, so you should understand how you're going to reflect back on the work and explore the causes: what do we need to correct, what do we need to collect, what sort of information do we need to know? Again, there may be legal reasons for this; we have some requirements around the information we have to collect about incidents, partly so we can talk about it with our customers. But you may also want to collect metrics, because then you can go back in five years and say, five years ago half of all
incidents were network-related and now none of them are, so we should focus elsewhere, or whatever. So for further reading, I'll give you a few pointers. We wrote about incident response at Heroku; the pattern we use for handling incidents is in particular about production outages, when a service goes down, but we use the same system for managing security incidents, and it's based on the incident command system from disaster response teams. And then this last one: the author's last name is escaping me here, but he's done security at Facebook and Coinbase, so it's got a pretty good pedigree, and he wrote an "oh shit, what do I do?" guide; you could do a lot worse than just starting with that as your IR guide. So Wednesday is the hard day; creating an incident response plan is the hardest part of your week. Thursday: governance, risk, and
compliance. There is an absolute alphabet soup of governance and compliance regimes out there for companies and organizations, and that's just in the US; I'm sure there are 37 million more across the world. For the vast majority of small organizations, none of it is worth your time. Now, this may not be true if you have health information: HIPAA is your best friend. If you're taking credit card payments, you'd better know PCI. If you want to sell things to people in Europe, the EU privacy rules are going to be pretty important. But for most small organizations you can skip right over these things. You ignore
the afternoon's work on these programs at your peril, though, because sooner or later you will want to take credit card payments, you will get into the health information market, you will want to sell to people in Europe, and when that happens it's going to be very important that you didn't shoot yourself in the foot in the early days by completely ignoring this work. You can save yourself a ton of effort by laying very easy and simple groundwork right now for a formal risk program. That's really what
we mean when we talk about GRC: documentation. We're at a Django conference; I don't have to sell you on documentation, we know it's a good thing. So document security work. Have you made a decision about company policy? Write it down. Really easy stuff, but surprisingly a lot of company policy decisions stay in email: everyone gets an email from the founder saying you must use multifactor auth with your GitHub account, but you don't track that anywhere, and so when an auditor asks four years later what your policy around multifactor auth is, you can't produce anything to show them; whereas if you'd just taken that email and put it on a wiki somewhere, now you've got a policy. And you don't need to worry about formal language. There's this idea in compliance that you need to use stilted, legalistic business language, but the auditors aren't judges and lawyers; it can be very informal. Our official password policy at work requires that you use at least two of letters, numbers, uppercase, lowercase, and emoji, and nearly every time we show that to an auditor they highlight the little emoji line and give us a big thumbs up. The other part of this is tracking as much as you can. So if someone asks you for access to a GitHub repo, reply to that email with "yes, confirming I'm giving you access to this repo." It seems a little frivolous, but it ensures that you have a paper trail. Again, when you get to the point of being audited, what auditors will look for is a paper trail of what you've done. Even better, most of us are engineers: build a system to track access requests. We built one; it's great, auditors love it. I'd also suggest that you write three documents to become the skeleton of your risk program. First, a data classification guide: what data do you have, where is it stored, who has access to it, what controls are around it, what category is it, is it PII, personally identifiable
information? Is it payment data? Is it customer data? How can you classify and think about your data and control access to it? The second is a checklist for access control; think onboarding and offboarding. When someone starts or leaves your organization, make sure that their accounts are turned up and turned down. This is important for formal audits, but it's also a common way for people to get breached: someone who used to work for you three years ago still has access to GitHub for some reason, their account gets taken over, and now the attacker has a foothold. So have a checklist of who gets access to what, when, and how, track that, and then you can go through and uncheck items one by one as the person offboards. The third thing is a weird thing to document when you don't have much process already, but I think it's one of the most important you can have: what is your exception process? There are always going to be exceptions; there are always going to be situations where you need to break a rule, and it's so much better to know how to break the rules than to pretend the rules never get broken. If you just assume that everyone always follows the policy, you never know when someone's not, and it comes back to bite you later. But if you spend the time to decide who approves exceptions, at what level they need to be approved, how they're tracked, those sorts of basic things; again, auditors love it, and it levels up your company's security posture. So document everything: write some basic policies.
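As an added example (not code from the talk or from Heroku), here is the access-control checklist and paper trail from the last few minutes turned into something a small team can actually run: each grant records who confirmed it, offboarding becomes a list of items to uncheck, and a reconciliation against the current roster catches the "left three years ago, still has GitHub access" case. The people, system names and dates are constructed.

```python
"""Constructed example (not code from the talk): keep access grants as a
paper trail, generate an offboarding checklist, and flag stale access."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Grant:
    """One access grant, recorded the way the 'yes, confirming' reply would be."""
    person: str                        # who holds the access
    system: str                        # e.g. "github", "aws-console", "vpn" (constructed names)
    approved_by: str                   # who confirmed the request: the paper trail
    granted_on: date
    revoked_on: Optional[date] = None  # set when the offboarding item is ticked

    @property
    def active(self) -> bool:
        return self.revoked_on is None


# Constructed roster and grant log. "carol" is no longer on staff, but one of
# her grants was never revoked: exactly the case the talk warns about.
ROSTER = {"alice", "bob"}
GRANTS = [
    Grant("alice", "github", "ops-lead", date(2014, 3, 1)),
    Grant("alice", "aws-console", "ops-lead", date(2014, 3, 1)),
    Grant("bob", "github", "ops-lead", date(2015, 6, 15)),
    Grant("carol", "github", "ops-lead", date(2012, 1, 10)),
    Grant("carol", "vpn", "ops-lead", date(2012, 1, 10), revoked_on=date(2012, 9, 30)),
]


def offboarding_checklist(grants, person):
    """All still-active grants for a departing person: the items to uncheck one by one."""
    return sorted(g.system for g in grants if g.person == person and g.active)


def revoke(grants, person, system, on=None):
    """Tick one offboarding item. Records the revocation date instead of deleting
    the grant, so the paper trail survives a later audit. Returns False if no
    active grant matched (already revoked, or never granted)."""
    for g in grants:
        if g.person == person and g.system == system and g.active:
            g.revoked_on = on or date.today()
            return True
    return False


def stale_access(grants, roster):
    """Active grants held by people who are not on the current roster.
    Returns (person, system, approved_by) so the reviewer knows whom to ask."""
    return sorted((g.person, g.system, g.approved_by)
                  for g in grants if g.active and g.person not in roster)


if __name__ == "__main__":
    print("offboarding alice:", offboarding_checklist(GRANTS, "alice"))
    print("stale access:", stale_access(GRANTS, ROSTER))
    for person, system, _ in stale_access(GRANTS, ROSTER):
        revoke(GRANTS, person, system)
    print("stale access after cleanup:", stale_access(GRANTS, ROSTER))
```

The point of keeping revoked grants rather than deleting them is the paper trail the talk describes: an auditor can see when access was granted, who approved it, and when it was removed. Running `stale_access` on a schedule (or before an audit) is the cheap check that turns the offboarding checklist from a one-time ritual into something that catches the cases people forgot.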
So you've done most of the work; now it's time to tell people about it. The fact is, if you actually work through
this checklist, you will be better off than most of your peers. Again, we only have to look back over the history of data breaches in the last few years to see that people are getting owned through some pretty basic stuff. So if you've taken the time to address the basic stuff, you're doing a really good job. I know that this stuff is scary, and I know that security seems like a battle we can't win. Maybe it is, but we can win most of the time and we can win against most of the attacks, and if you've taken the time to address this basic stuff you're in pretty good shape. You should feel fairly good about this foundation, and you should be comfortable and happy bragging to your customers about the work that you've done. So I'd suggest three things. You do need a privacy policy; this is a legal requirement if you're taking any sort of personally identifiable information, and it should live at yoursite/privacy. I suggest a security page as well, that talks about what you do about security; it documents the stuff we've talked about earlier. And then you should maintain a security knowledge base; I'll talk later about whether that should be public or private, which is an interesting question. So, the privacy policy is necessary. Look at it from the perspective of a company that wants to go into business with you. At Salesforce, again, when I want to buy something, the first form I have to fill out to send for initial legal review has a field where I need to put in the link to their privacy policy, and if they don't have one, I can't even get the request started. Our procurement team and our legal review team won't even think about buying from you if you don't have a privacy policy; it's a non-starter. If you have lawyers, they'll write one for you, but if you don't, Automattic has published a couple of templates that are worth starting from. Weirdly,
Automattic and WordPress.com have different privacy policies even though they're the same company; I figure maybe they're just two different versions of the same template. But they're licensed so that you can steal them with attribution, so go ahead and use them. Your security page should summarize your security practices, but this can be less formal. The best way to think about this is that this is where you tell your security narrative: this is where you talk, at a high level, about what your security program is trying to accomplish. You can explain what things you do and what your program looks like, so you can brag a little bit about how you have a risk program, a documented incident response plan, and well-documented privacy policies. You can talk about all of this stuff in somewhat bragging language, and if you have any formal attestations, if you've done PCI or whatever,
you should list them here. But the most important thing: the security page should tell people how to report vulnerabilities. You should probably have a security@ email address, and you should probably have a PGP key. That's kind of like a "brown M&Ms" test; look it up on Wikipedia if you don't get the reference. The idea is a sort of sniff test, a way for people to tell that you're serious. If you have a PGP key, well, I'll tell you: in two and a half years exactly one person has sent us PGP-encrypted email. There you go. But if you tell people how to get in touch with the security team, they'll be much more likely to actually do that, and not publish something publicly about how they tried to report a vulnerability and you didn't listen. The last one is the security FAQ. The way to think about this is: every time a customer asks you a question about security, whether it's a product manager, a salesperson, a marketing person, or your non-technical staff being asked about security, write down the answer. Over time you'll discover there are some natural groupings. At work, of course, there are a lot of questions about containerization, like how we separate one dyno from another dyno; this comes up a lot, so there are a lot of questions, and we grouped them all under "are containers secure?" You'll notice that we don't publish ours publicly, and this is an interesting point. Transparency is a really important value, but there are also some good reasons to limit this information. There may be confidential information in there; there may be things that disclose information about other customers that you might not want to share; there may be information about the level of your security readiness that you want to be transparent about with customers but probably don't want to share with non-customers, because that's a much broader group of people. So my latest litmus test for
publishing security information is: is this transparency going to make my customers safer? If it is, publish it, even if it hurts. If it's going to make them less safe, don't publish it, even if it hurts. So that's your day five: privacy policy, security page, and a security FAQ. To recap, your minimum
viable security program is: train your staff; develop an SDL, a virtuous cycle to ensure that you continually develop and learn from your software development practices; have a plan for incident response, so when something goes wrong you're ready to do something about it; lay the foundations for a formal risk program; and tell the world about the security program you've built. You'll find me in the halls for the rest of the week, and my contact info is there, so you can ask me questions in any of those formats; I won't be taking questions here because I'm out of time. Thank you.