Data Breaches are on the Rise — Is it too hard to p̶r̶e̶v̶e̶n̶t̶ control data breaches?

Sahil Ahamad
12 min read · Jul 2, 2019


Recent widely publicized data breaches have exposed the personal information of hundreds of millions of people, and some reports point to alarming increases in both the size and frequency of breaches. Keep in mind that there are two kinds of breach:

  • The one you know about, because it became public.
  • The one you never learn about, because the data was never dumped on the dark web; the attackers quietly used it for their own gain.

In April 2019 @haveibeenpwned reported eight new public breaches.

The most common causes of a data breach:

  • #1 Weak and Stolen Credentials, a.k.a. Passwords
  • #2 Old, Unpatched Security Vulnerabilities
  • #3 Application level Vulnerabilities
  • #4 Improper Configuration at Network/Infra Level
  • #5 Social Engineering
  • #6 Human Negligence / Error
  • #7 Insider Threats

Mistakes happen and errors are made, but it is important to learn from them and not repeat them. The key point to note:

Security is not a one time process, it’s a continuous process.

Nothing is 100% secure; there are always loopholes. The job is to identify them, fix them, and repeat the process.

The defender has to be lucky every time; the attacker only needs to be lucky once.

Effective ways to control data breaches:

  1. Asset Management

1.1 — Mapping your external surface

1.2 — Identify and Assess

1.3 — Monitoring external surface.

2. Code Review / Deployment Review

2.1 — Static and Dynamic code review

2.2 — Read your Javascript files

3. Organization Secrets Monitor

3.1 — Publicly Disclosed Sensitive Information

3.2 — Monitoring Breaches

4. Internal Practices

4.1 — Two/Multi-Factor Authentication

4.2 — Security Practices: Off Boarding / On-Boarding

4.3 — Employee Security Training

4.4 — Employee’s Personal Security Checklist

4.5 — Sharing Sensitive Information Internally (Hosted Pastebin Solution)

4.6 — Limiting Staging / Development Server in Restricted IPs / Proxy

4.7 — Cloud Infrastructure Security.

4.8 — Making Engineering Team Active in InfoSec

4.9 — Logging and Monitoring

5. Best Practices — Responsible Disclosure

5.1 — Security.txt

5.2 — Responsible Disclosure Policy

6. Last but not least…..

6.1 — Follow cool guys on Twitter.

6.2 — Go Hack yourself — Detectify

6.3 — Best Security Checklists out there.

6.4 — Awesome Incident Response

6.5 — Awesome Threat Detection & intelligence

1. Asset Management

I’ve seen companies that do not even have proper information about all the services they are using. It is really important to have an asset inventory, and to monitor the assets from that inventory.

If You’re Not Doing Continuous Asset Management You’re Not Doing Security — Daniel Miessler

Continuous monitoring of your external surface is more important than you think.

1.1 — Mapping your external surface.

OSINT — Collect data about your company using open source intelligence tools. OSINT plays a very important role in giving a whole-company view at relatively low cost: it uses only publicly available sources, so it shows you what an outsider can learn about your organization without touching your systems.

Shodan — Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters.

Censys — A search engine that indexes and monitors every host reachable on the internet.

1.2 — Identify and Assess

Identify the critical parts of the application and its data and audit them for security vulnerabilities. For auditing, you can hire someone internally or outsource the work to a reputable security service provider. Do regular security assessments of the critical parts of the application.

Generally, different parts of the application have different kinds of vulnerabilities, so we need to identify each part of the application and rank it by the risk associated with it.

The security of the whole is determined by the security of the weakest part of the application.

The part of the application exposed to the public is usually the weakest part, so the external surface should always be the priority.

1.3 — Continuous monitoring of your External surface.

You can create your own Slack bot to notify you whenever a new subdomain shows up in public sources (certificate transparency logs, passive DNS, search engines). The uses of such bots are limitless.
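Here is one way to build the core of such a bot, as an added example that is not part of the original post: it parses records in the shape of crt.sh's JSON output (an assumption; crt.sh is one public certificate transparency source), normalizes the hostnames, diffs them against the team's asset inventory and builds a Slack incoming-webhook payload. The apex domain, inventory and records are constructed so it runs offline.

```python
"""Added example (not from the original post): diff newly observed subdomains
against an asset inventory and build a Slack incoming-webhook payload.
The crt.sh record shape, the apex domain and the inventory are assumptions;
all data is constructed inline so the script runs offline."""
import json
import re

# Constructed sample in the shape of crt.sh's JSON output (assumption):
# one record per certificate, with newline-separated names in name_value.
CRTSH_SAMPLE = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.staging.example.com"},             # wildcard cert
    {"name_value": "old-jenkins.example.com"},           # forgotten host
    {"name_value": "api.example.com\nAPI.EXAMPLE.COM"},  # case duplicates
    {"name_value": "example.com.evil.net"},              # look-alike, not ours
])

# What the team believes it owns (constructed).
INVENTORY = {"www.example.com", "example.com", "api.example.com"}

HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def extract_subdomains(crtsh_json, apex):
    """Normalize crt.sh-style records to a set of hostnames under apex."""
    apex = apex.lower().rstrip(".")
    found = set()
    for row in json.loads(crtsh_json):
        for name in row.get("name_value", "").split("\n"):
            name = name.strip().lower().lstrip("*.")      # "*.a.b" -> "a.b"
            # Require the apex on a label boundary so "example.com.evil.net"
            # is rejected even though it contains the apex as a substring.
            if name == apex or name.endswith("." + apex):
                if HOSTNAME_RE.match(name):
                    found.add(name)
    return found


def new_assets(observed, inventory):
    """Hosts seen in public sources but missing from the inventory."""
    return sorted(set(observed) - set(inventory))


def slack_payload(new_hosts, apex):
    """Body for a Slack incoming webhook; an empty dict means nothing to send."""
    if not new_hosts:
        return {}
    bullets = "\n".join("- " + h for h in new_hosts)
    return {"text": "New subdomains observed for %s, not in inventory:\n%s" % (apex, bullets)}


def run(crtsh_json=CRTSH_SAMPLE, inventory=INVENTORY, apex="example.com"):
    """One monitoring pass: returns (new hosts, webhook payload)."""
    observed = extract_subdomains(crtsh_json, apex)
    fresh = new_assets(observed, inventory)
    # Real deployment (not run here): requests.post(WEBHOOK_URL, json=payload),
    # then add the hosts to the inventory once someone has triaged them.
    return fresh, slack_payload(fresh, apex)


if __name__ == "__main__":
    print(json.dumps(run()[1], indent=2))
```

Run it on a schedule (cron, Lambda) against the real source and persist the inventory; the look-alike check matters because attackers register domains that contain your brand, and those should go to a separate phishing-domain alert, not into your asset list.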

2 — Code Review / Deployment Review

Manual testing of your application is very important, but you cannot manually test everything when thousands of lines of code are deployed every day. For an overall security approach you have to build security components into your development cycle. This includes static and dynamic code review.

Secure Development cycle with security components

Developers write code → static code analyzer → sensitive information (secret) scanner → open source dependency vulnerability scanner → deployment to the staging server → manual testing with proxy tools (against a checklist built from the business requirements) → PRODUCTION.

2.1 — Static and Dynamic code review

Put a static code analyzer in your pipeline. Static analyzers work from the source code alone, without running it, so they can gate every commit; dynamic analysis tests the running application (on staging) and catches what is only visible at runtime.

2.2 — Read your public Javascript files

Don’t hard-code sensitive keys, data or logins in JavaScript. Anything in a JavaScript file served to the browser is readable by anyone who fetches it.

Scan your JavaScript files for hard-coded sensitive paths (internal API endpoints, admin and debug routes) and secrets.

3 — Organization Secret Monitor

3.1 — Publicly disclosed Sensitive Information

Define the keywords related to your organization; this includes the domains your team uses externally and internally. Use those keywords to search for what has been posted publicly.

The following blog post lists the common keywords that bug bounty hunters, and attackers in general, use to find sensitive information related to your organization.

Monitor what your employees post on public channels such as GitHub, Pastebin, etc.

You can use the following tools to scan your code for hard-coded sensitive information.
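The scanner below is an added example (not from the original post, and not one of the tools the author links) that serves both 2.2 and 3.1: the same pattern set runs over a public JavaScript bundle or over a repository before it is pushed. The key formats are the publicly documented ones (AWS access key IDs begin with AKIA, Slack tokens with xox, Google API keys with AIza); the sample JavaScript and the sensitive-path prefixes are constructed for the demo. Generic `password = "..."` assignments are gated on Shannon entropy so that placeholders do not drown real findings.

```python
"""Added example (not from the original post): scan JavaScript/source text for
hard-coded secrets and sensitive routes. Key formats are the vendors' documented
prefixes; the sample input and route prefixes are constructed assumptions."""
import math
import re
from pathlib import Path

# Constructed sample of a public JS bundle (the AWS key is Amazon's own
# documentation example, not a live credential).
SAMPLE_JS = """\
var cfg = { apiKey: "AKIAIOSFODNN7EXAMPLE", region: "us-east-1" };
fetch("/api/v1/internal/users/export", { headers: { Authorization: "Bearer " + token } });
const SLACK = "xoxb-123456789012-ABCDEFGHIJKLMNOPQRST";
var debugRoute = "/admin/debug/heapdump";
var password = "xxxxxxxxxxxxxxxx";   // low entropy: placeholder, not reported
"""

# Specific rules first: a specific hit suppresses the generic one for the same value.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("slack_token", re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}")),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    # Route prefixes that should never be discoverable from a public bundle (assumed list).
    ("sensitive_path", re.compile(r"""["'](/(?:api/v\d+/)?(?:internal|admin|debug)/[A-Za-z0-9_./-]*)["']""")),
    ("generic_assignment", re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|passw(?:or)?d)\b\s*[:=]\s*["']([^"']{12,})["']""")),
]


def shannon_entropy(s):
    """Bits per character; random keys score well above 3, 'xxxx' scores 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def scan_text(text, entropy_floor=3.0):
    """Return findings as dicts {rule, line, value}, deduplicated per (line, value)."""
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "generic_assignment" and shannon_entropy(value) < entropy_floor:
                    continue                      # placeholder, not a credential
                if (line_no, value) in seen:
                    continue                      # already reported by a specific rule
                seen.add((line_no, value))
                findings.append({"rule": rule, "line": line_no, "value": value})
    return findings


def scan_files(paths):
    """Scan real files (e.g. every *.js under your static directory)."""
    return {str(p): scan_text(Path(p).read_text(encoding="utf-8", errors="replace"))
            for p in paths}


if __name__ == "__main__":
    for f in scan_text(SAMPLE_JS):
        print("%-18s line %d: %s" % (f["rule"], f["line"], f["value"]))
```

In a pipeline, fail the build when `scan_text` returns anything for a public bundle; for repositories, run the same scan over the diff in a pre-commit or pre-receive hook. Note that a scanner like this finds what it has patterns for, so rotate any key that was ever committed, whether or not a tool flagged it.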

4 — Internal Practices

4.1 — 2FA/Multi-Factor Authentication

Use two-factor authentication on every third-party service you use, including G Suite, GitHub, GitLab, etc., and on your cloud service providers.

2FA must be enabled for everyone at the company on the following services:

  • Google Services — Gsuite, Gmail, etc
  • Github, Gitlab, Atlassian
  • Cloud Service providers — AWS, Google Cloud, Azure, Alibaba cloud, etc.
  • Companies official social media platforms — Twitter, Facebook, Youtube, etc

4.2 — Security Practices: On-Boarding / Off Boarding

Secure onboarding and offboarding are very important for an organization.

Onboarding —

When a new employee enters an organization there are various behind-the-scenes activities that must take place to ensure an efficient onboarding experience. Many are administrative in nature and are taken care of by HR.

But then there are those related to cybersecurity — and they are far too often overlooked.

Offboarding —

Companies often do a good job of monitoring and controlling employees’ tech use on the job, but need to evaluate the vulnerabilities in their offboarding process with an eye toward protecting organizational data and resources.

Remove their access to internal systems as soon as possible and rotate any credentials they might have had access to (shared accounts, API keys, VPN and SSH keys).

4.3 — Employee Security Training

Security training for everyone in the organization.

Security training for engineers.

Set up guidelines for engineers on secure software development; you can use the repo below as a reference.

4.4 — Employee’s Personal Security Checklist

During induction, explain how security is done at your organization, how the new hire can contribute to it, and how to do their work in a secure way.

4.5 — Sharing Sensitive Information Internally (Hosted Pastebin Solution)

Don’t share credentials, secrets, etc. via Slack, Hangouts, WhatsApp and the like. Use a self-hosted tool such as PrivateBin (pastes are encrypted in the browser and can be set to expire or burn after reading) to share them internally.

4.6 — Limiting Staging / Development Server in Restricted IPs / Proxy

Put all your non-production and staging environments behind a VPN only; you can use the open source VPN Pritunl.

Know about your assets before someone else does; build your own monitoring system.

4.7 — Cloud Infrastructure Security.

Organizations are moving more and more to cloud infrastructure because it has numerous benefits over the traditional way.

Amazon Web Services is the leader among cloud infrastructure providers, so let's discuss best practices for AWS:

  1. Enable MFA on your AWS account, for the root user and every IAM user.
  2. Allow console login only from specific IPs, using an IAM policy condition on aws:SourceIp.
  3. Make sure your databases are not reachable from the internet (private subnets, and security groups that never allow 0.0.0.0/0 on database ports).
  4. Don’t grant more access than required. Control it with IAM policies (least privilege).

Cloud providers give you all the options and features needed to secure your deployment, but the carelessness of a single individual can lead to disaster for the whole organization.

Scout2 by NCC Group for AWS (since superseded by NCC Group’s ScoutSuite, which also covers the other major providers).
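Two of the points above can be checked or enforced mechanically. As an added example that is not part of the original post and not Scout2 code: the first function audits security-group records (constructed here in the shape of `aws ec2 describe-security-groups` output) for database ports open to the world, covering point 3; the second generates the IAM policy for points 1 and 2, denying everything without MFA and everything from outside an allowed IP range. The group IDs, CIDRs and office range are assumptions; the condition keys and the MFA-setup exception list are the ones AWS documents.

```python
"""Added example (not from the original post): two offline checks for the AWS
points above. The security-group records mimic the shape of
`aws ec2 describe-security-groups` output and are constructed here; the
group IDs, CIDRs and office IP range are assumptions."""
import ipaddress
import json

# Well-known database ports worth flagging when open to the world.
DB_PORTS = {1433: "MSSQL", 1521: "Oracle", 3306: "MySQL", 5432: "PostgreSQL",
            6379: "Redis", 27017: "MongoDB"}

SECURITY_GROUPS = [  # constructed sample
    {"GroupId": "sg-0a1b2c3d", "GroupName": "db-prod", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e1f2a3b", "GroupName": "db-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0c1d2e3f", "GroupName": "all-traffic", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def _is_world(cidr):
    """0.0.0.0/0 and ::/0 both have prefix length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm):
    if perm.get("IpProtocol") == "-1":          # "all traffic" rule
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_exposed_db_ports(groups):
    """(group id, name, port, service) for every DB port reachable from anywhere."""
    hits = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(_is_world(c) for c in cidrs):
                continue
            lo, hi = _port_range(perm)
            for port, svc in DB_PORTS.items():
                if lo <= port <= hi:
                    hits.append((g["GroupId"], g["GroupName"], port, svc))
    return sorted(hits)


# Actions a user still needs in order to enrol their own MFA device
# (the exception list AWS documents for this kind of guardrail).
MFA_SETUP_ACTIONS = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]


def console_guardrail_policy(allowed_cidrs):
    """IAM policy: deny everything without MFA, and deny everything from IPs
    outside allowed_cidrs. Attach it to the group all console users are in."""
    allowed = [str(ipaddress.ip_network(c)) for c in allowed_cidrs]   # validates input
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyWithoutMFA", "Effect": "Deny",
             "NotAction": MFA_SETUP_ACTIONS, "Resource": "*",
             "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
            {"Sid": "DenyOutsideAllowedIPs", "Effect": "Deny",
             "Action": "*", "Resource": "*",
             "Condition": {"NotIpAddress": {"aws:SourceIp": allowed},
                           # do not break calls AWS services make on your behalf
                           "Bool": {"aws:ViaAWSService": "false"}}},
        ],
    }


def policy_json(allowed_cidrs):
    return json.dumps(console_guardrail_policy(allowed_cidrs), indent=2)


if __name__ == "__main__":
    for hit in find_exposed_db_ports(SECURITY_GROUPS):
        print("EXPOSED: %s (%s) port %d %s" % hit)
    print(policy_json(["203.0.113.0/24"]))
```

Feed `find_exposed_db_ports` the real output of `aws ec2 describe-security-groups` (the `SecurityGroups` list) across every region and account. Test the IP-restriction policy on a single IAM user first: a wrong CIDR locks everyone out, including you.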

4.8 — Making Engineering Team Active in InfoSec

Create a technology group or security group, add your team members to it, and share information related to information security there.

Identify an individual on the team who has better knowledge when it comes to security and is passionate enough to learn something new. Make them lead the security piece within their team. It will help raise awareness, and the team will only get stronger.

4.9 — Logging and monitoring —

Insufficient logging and monitoring is currently #10 (A10:2017) in the latest OWASP Top 10 most critical web application security risks: without logs, breaches go undetected for months.

Nagios — Nagios provides complete monitoring of security logs and security data, including access logs, audit logs, application logs, event logs, service logs and system logs on Windows, Linux and Unix servers.

Gauntlt — Go Ahead, Be Mean To Your Code — Security and Rugged Testing (a framework that wraps attack tools into repeatable tests; it belongs in the pipeline rather than in monitoring, but it is listed here as part of the same toolset).

Kibana — Kibana lets you visualize your Elasticsearch data and navigate the Elastic Stack, so you can do anything from learning why you’re getting paged at 2:00 a.m. to understanding the impact rain might have on your quarterly numbers.
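Collecting logs is only useful if something reads them. As an added example that is not part of the original post, the script below runs three simple detections over constructed authentication log lines (the log format, thresholds and IP addresses are assumptions): a burst of failures from one IP, failures against many different users from one IP (credential stuffing, cause #1 on the list above), and a successful login from an IP that had just been failing. Each rule fires once per IP so one attacker does not page the on-call hundreds of times, and unparseable lines are counted rather than silently dropped.

```python
"""Added example (not from the original post): simple detections run over
constructed application authentication log lines. The log format, thresholds
and IP addresses are assumptions chosen for the demo."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one auth event per line (assumed format).
SAMPLE_LOG = """\
2019-06-30T10:00:01Z auth login_failed user=alice ip=198.51.100.7
2019-06-30T10:00:03Z auth login_failed user=bob ip=198.51.100.7
2019-06-30T10:00:05Z auth login_failed user=carol ip=198.51.100.7
2019-06-30T10:00:06Z auth login_failed user=dave ip=198.51.100.7
2019-06-30T10:00:08Z auth login_failed user=erin ip=198.51.100.7
2019-06-30T10:00:09Z auth login_success user=erin ip=198.51.100.7
2019-06-30T10:05:00Z auth login_failed user=alice ip=203.0.113.9
2019-06-30T10:05:30Z auth login_success user=alice ip=203.0.113.9
2019-06-30T10:07:00Z auth password_changed user=erin ip=198.51.100.7
this line is garbage and must not crash the parser
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse(lines):
    """Return (events, number of lines that did not parse)."""
    events, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1              # a real pipeline should alert on this volume too
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, unparsed


def detect(lines, window=timedelta(seconds=60), fail_threshold=5, user_threshold=3):
    """Sliding-window rules per source IP:
    - brute_force: >= fail_threshold failures within window
    - credential_stuffing: failures for >= user_threshold distinct users within window
    - success_after_failures: a success from an IP with >= user_threshold recent failures
    Each (rule, ip) pair fires once."""
    events, unparsed = parse(lines)
    recent = defaultdict(deque)        # ip -> deque of (ts, user) recent failures
    alerts, fired = [], set()

    def fire(rule, ev, **extra):
        if (rule, ev["ip"]) not in fired:
            fired.add((rule, ev["ip"]))
            alerts.append(dict(rule=rule, ip=ev["ip"], at=ev["ts"].isoformat(), **extra))

    for ev in events:
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                # expire failures older than the window
        if ev["event"] == "login_failed":
            q.append((ev["ts"], ev["user"]))
            users = sorted({u for _, u in q})
            if len(q) >= fail_threshold:
                fire("brute_force", ev, failures=len(q))
            if len(users) >= user_threshold:
                fire("credential_stuffing", ev, users=users)
        elif ev["event"] == "login_success" and len(q) >= user_threshold:
            fire("success_after_failures", ev, user=ev["user"], failures=len(q))
        # other events (password_changed, ...) are parsed but not used by these rules
    return {"alerts": alerts, "unparsed": unparsed}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG.splitlines())
    for a in result["alerts"]:
        print(a)
    print("unparsed lines:", result["unparsed"])
```

The single failure followed by a success from 203.0.113.9 is a typo, not an attack, and produces nothing; the burst from 198.51.100.7 produces three alerts, and the last one (a success right after the failures) is the one worth waking someone up for. The same logic ports directly to an Elasticsearch or SIEM rule once the fields are indexed.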

5 — Best Practices — Responsible Disclosure

5.1 — Security.txt

A proposed standard (since published as RFC 9116) that lets a website state its security contact and disclosure policy in a machine-readable file at /.well-known/security.txt.

Implement security.txt: just as robots.txt is for bots and search engines, security.txt is for external security researchers and bug bounty hunters. Companies should provide a secure way for anyone who finds a vulnerability, intentionally or unintentionally, to disclose it responsibly.

5.2 — Responsible Disclosure Policy

Having a responsible disclosure program is a must. It is not necessary to start with a bounty program; a vulnerability disclosure policy (VDP) lets the organization receive reports from researchers who knowingly or unknowingly stumbled upon something you would want to know about. You can then investigate and decide whether to pay the researcher for the finding.

6 — Last but not least…..

6.1 — Be active in the infosec community and follow good security people.

6.2 — Go Hack yourself — Detectify

6.3 — Best Security Checklists out there.

AND... still only 1% done.

Until next time.
