Infosec at FanAI

Karim Varela, FanAI Engineering, Mar 4, 2020

Information security matters for any business: if your security is poor, attackers can get in and disrupt your operations, steal money or trade secrets, or steal data, which is as valuable as gold nowadays.

Infosec Landscape

Hundreds of millions of records of PII (personally identifiable information) are stolen every year. Here's an infographic of some of the most egregious breaches in recent times:

World's biggest hacks, courtesy of https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Some interesting stats (from the Symantec Cloud Security Research results):

  1. ¾ of enterprises have experienced a breach due to poor config, or not using 2FA, DLP, or encryption
  2. 68% of enterprises have their data for sale on the dark web

Security is Paramount

Infosec is especially important for our business because we store PII for millions of sports & entertainment fans. In a nutshell, our miracle is being able to tell rights-holders and brands that, because of a sponsorship, the fans of said rights-holder are spending more money on said brand. To accomplish this miracle we need to gather, aggregate, and analyze a lot of sensitive information about those fans: who they are and what they're spending their money on. Because we deal with so much sensitive data, security is paramount at FanAI. Consumers trust our data partners with their sensitive data, and our data partners in turn trust us with it, so we take data security very seriously around here. If we had a breach and that data leaked, it would tarnish our business forever, our clients might no longer trust us, and it could mean the end of our business.

Best Practices

Here are some best practices that we’ve adopted to help keep our data secure. We’ll go into each one of these in detail:

  1. Never click suspicious links in email
  2. 2FA / MFA
  3. Encrypting Data
  4. Zero Trust
  5. Sensitive Data Handling
  6. Endpoint Protection
  7. Physical Security

Spear Phishing

Spear phishing is the most common way that enterprises are compromised. Unlike bulk phishing, a spear-phishing email is aimed at a specific person or organization and disguised as a legitimate message: for example, one asking the target to enter their login credentials on a look-alike site, or to click a link or open an attachment that installs malware.

Here's an example of a real spear-phishing attack that has been run against FanAI:

Spear-phishing attack against FanAI. You can see it comes from a bogus email address but is pretending to be from our CEO, Johannes Waldstein. The attack vector here is to get my phone number and then ask me for something, probably money, via text.

Luckily, Gmail correctly flagged this as a dangerous message, but we still educate our employees to check the true sender address rather than the display name, to treat requests for phone numbers or urgent favors with suspicion and confirm them over a channel they already have for that person, and to click links or open attachments only when they come from known, trusted sources.
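As an added example that is not part of the original post, here is a small Python checker that applies the same tests a careful reader would apply to the message above: does the display name belong to an executive while the address does not, does the sender domain merely look like ours, does Reply-To route answers to a different domain, and does the body ask for a phone number or a payment. The company domain, the executive list and the two sample messages are constructed for illustration.

```python
"""Added example, not FanAI's code: score raw email headers and body for the
CEO-impersonation pattern in the screenshot above. The executive list, the
company domain and the two sample messages are constructed for illustration."""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical: the real sending domain and the executives most worth impersonating.
COMPANY_DOMAIN = "fanai.io"
EXECUTIVES = {"johannes waldstein": "johannes@fanai.io"}  # display name -> real address
PRETEXTS = ("phone number", "cell number", "mobile number", "gift card", "wire transfer")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable reasons the message looks like impersonation.
    An empty list means none of the heuristics fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. Display name of a known executive, but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append(f"display name '{from_name}' but sender is {from_addr}")

    # 2. Look-alike domain: contains our brand but is not our domain.
    if from_dom != COMPANY_DOMAIN and COMPANY_DOMAIN.split(".")[0] in from_dom:
        reasons.append(f"look-alike sender domain {from_dom}")

    # 3. Replies are routed to a different domain than the one shown in From.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 4. The pretext itself: asking for a phone number or an urgent payment.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [p for p in PRETEXTS if p in text]
    if hits:
        reasons.append("body contains pretext phrase(s): " + ", ".join(hits))
    return reasons


# Constructed sample messages (not real mail).
SPOOFED = """\
From: Johannes Waldstein <johannes.waldstein.ceo@gmail.com>
Reply-To: Johannes Waldstein <j.waldstein.office@outlook.com>
To: karim@fanai.io
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Hi Karim, are you at your desk? Send me your cell number, I need you to
handle something for me today.
"""

LEGIT = """\
From: Johannes Waldstein <johannes@fanai.io>
To: karim@fanai.io
Subject: Board deck
Content-Type: text/plain; charset="utf-8"

Karim, can you update slide 4 with the Q1 numbers before Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, phishing_indicators(raw) or "no indicators")
```

Mail providers do this with far more signal (SPF, DKIM and DMARC results, sender reputation, URL scanning), so treat this as an illustration of the heuristics worth teaching rather than a replacement for the provider's filtering. The checks map directly to the advice above: read the actual address, not the name, and confirm unusual requests out of band.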

2FA / Password Management

2FA (two-factor authentication) is a security feature on many web services nowadays which requires two separate methods of identifying yourself before you get access to the service. Typically these are something you know (your password) plus either something you have (a code from an authenticator app or a hardware key) or something you are (a fingerprint). We enforce 2FA on every service that offers it.

We also use 1Password, a password manager, across the entire company so that every account gets a long, unique, randomly generated password rather than one that is guessable or reused across services.

Encryption

Encryption ensures that even if bad actors do get hold of your data, they can't simply read it in plain text. We encrypt data at rest in Google Cloud Platform (Google encrypts stored data by default). We also encrypt data in transit by serving all of our APIs over HTTPS only, with no plaintext HTTP fallback. One caveat: default at-rest encryption protects against someone walking off with a disk, not against a stolen credential that is authorized to read the bucket, which is why the access controls described next matter as much as the cipher.

Zero Trust

Zero trust is a security model and mindset that requires strict authentication and authorization for every user and device requesting access to sensitive data and systems. Nobody is trusted by default, not those who are already inside the network, and not those who may be physically sitting right next to you in the office.

A related principle is least privilege access: on every system that deals with sensitive data, every user, service account and job has only the permissions it needs to get the job done, and nothing more.
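As an added example (not FanAI's tooling), the following Python audits a GCP IAM policy in the JSON shape that `gcloud projects get-iam-policy --format=json` returns, flagging grants that contradict the two principles above: public principals, basic roles (roles/owner, roles/editor, roles/viewer) that span every service in a project, and direct user grants that bypass group review. It then strips the bindings that can be removed mechanically. The project, principals and policy contents are constructed.

```python
"""Added example, not FanAI's code: audit a GCP IAM policy (the JSON shape that
`gcloud projects get-iam-policy --format=json` returns) for bindings that
break least privilege, and strip the ones that can be removed mechanically.
The policy, project and principals below are constructed."""

# Basic roles grant sweeping access to every service in the project; use predefined
# or custom roles scoped to the resource instead.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Public principals expose the resource to the whole internet / any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_iam_policy(policy: dict) -> list:
    """Return (member, role, reason) tuples for every grant broader than it should be."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((member, role, "public principal"))
            if role in BASIC_ROLES:
                findings.append((member, role, "basic role instead of a scoped predefined role"))
            if member.startswith("user:"):
                findings.append((member, role,
                                 "direct user grant; bind a group so membership is reviewed in one place"))
    return findings


def strip_broad_bindings(policy: dict) -> dict:
    """Copy of the policy without public principals or basic-role bindings.
    Direct user grants are kept: moving a person into a group is a human decision."""
    kept = []
    for binding in policy.get("bindings", []):
        if binding["role"] in BASIC_ROLES:
            continue
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            kept.append({"role": binding["role"], "members": members})
    return {**policy, "bindings": kept}


# Constructed policy for a hypothetical PII project, as it might look before review.
BEFORE = {
    "version": 1,
    "etag": "BwXabc123",
    "bindings": [
        {"role": "roles/owner", "members": ["user:bob@fanai.io"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectViewer", "members": ["group:pii-analysts@fanai.io"]},
        {"role": "roles/bigquery.jobUser",
         "members": ["serviceAccount:etl@pii-project.iam.gserviceaccount.com"]},
    ],
}

if __name__ == "__main__":
    for finding in audit_iam_policy(BEFORE):
        print("FINDING:", *finding)
    print("cleaned:", strip_broad_bindings(BEFORE)["bindings"])
```

Bucket-level policies from `gsutil iam get gs://bucket` have the same bindings/etag shape, so the same audit applies to the buckets that actually hold PII. Keep the etag when writing a cleaned policy back; GCP uses it to reject a write based on a stale read.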

Sensitive Data Handling

Relatedly, there are a number of other practices that we’ve adopted to keep data secure and keep access to it to a minimum. For example:

  1. We keep PII only in one of our GCP projects, which only a select few members of the company are allowed to access (least privilege access).
  2. We keep each client's PII in logically separate buckets in GCP (we don't mix client PII). This also helps with adhering to data privacy regulation like GDPR and CCPA (which I'll get into in a separate post).
  3. We anonymize data whenever we can.
  4. We send hashed data (e.g. hashed emails) to data partners for enrichment, instead of sending them the raw data.
  5. We destroy / delete data when we're no longer working with a client, so that it cannot later be stolen or used in any way it was not intended to be.
  6. We do not store or expose any PII on the frontend. The frontend of our platform (aka the website) only receives data that is anonymized and aggregated.
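Items 3 and 4 above deserve a worked example, added here and not FanAI's code, because the details decide whether the hash protects anyone: a normalization step both sides agree on, an unkeyed SHA-256 for partner matching, and a keyed HMAC for identifiers that never leave our systems. The addresses, keys and candidate list are constructed.

```python
"""Added example, not FanAI's code: canonicalize an email address, hash it for
partner matching, derive a keyed pseudonym for internal use, and show why the
unkeyed hash is not anonymization. Addresses and keys below are constructed."""
import hashlib
import hmac
import unicodedata


def normalize_email(address: str) -> str:
    """Both sides must hash identical bytes, so agree on a canonical form first:
    Unicode NFKC, trimmed, lowercased, and with '+tag' sub-addresses removed."""
    e = unicodedata.normalize("NFKC", address).strip().lower()
    if e.count("@") != 1 or e.startswith("@") or e.endswith("@"):
        raise ValueError(f"not an email address: {address!r}")
    local, domain = e.split("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hash_email_for_partner(address: str) -> str:
    """Unkeyed SHA-256 of the canonical address: any party that applies the same
    rules gets the same digest, which is what makes cross-party matching work."""
    return sha256_hex(normalize_email(address))


def pseudonym(address: str, key: bytes) -> str:
    """HMAC-SHA256 with a per-client key: stable for joins inside our systems,
    useless to anyone without the key, and unlinkable across clients."""
    return hmac.new(key, normalize_email(address).encode("utf-8"), hashlib.sha256).hexdigest()


def reverse_by_dictionary(digest: str, candidates) -> str:
    """Why the partner hash is pseudonymous, not anonymous: anyone holding a
    list of plausible addresses can hash them all and look for a match.
    Returns the matching address, or '' if none of the candidates match."""
    for candidate in candidates:
        if hmac.compare_digest(hash_email_for_partner(candidate), digest):
            return candidate
    return ""


if __name__ == "__main__":
    addr = "  Alice+promo@Example.COM "
    key = b"per-client-key-kept-in-a-secret-manager"  # constructed, not a real key
    print(normalize_email(addr))
    print(hash_email_for_partner(addr))
    print(pseudonym(addr, key))
    print(reverse_by_dictionary(hash_email_for_partner(addr),
                                ["bob@example.com", "alice@example.com"]))
```

The caveat `reverse_by_dictionary` demonstrates is the important one: an unkeyed hash of an email address is pseudonymization, not anonymization. Anyone holding a list of plausible addresses (a breach dump, a marketing list) can hash them and recover matches, so hashed emails are still personal data under GDPR and CCPA and still belong in the restricted project. The keyed variant cannot be reversed without the key, and using a different key per client also keeps client datasets unlinkable.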

Endpoint Protection & Device Security

Endpoint protection is the practice of securing the devices at the edge of your network that have access to the internet. In our case, we are mostly concerned with the laptops and mobile phones employees use for work. We try to do all processing of sensitive data in the cloud, but there is a small chance that some sensitive data could end up on an employee device, and therefore we must protect those devices too.

We use a service called Symantec Endpoint Protection Cloud to protect our devices. Its most important features for us are antivirus protection and remote wipe. If any of our devices is lost or compromised, we can wipe it remotely with the click of a button.

We also ensure that all employee hard drives are encrypted using the built-in Mac or Windows utilities (FileVault and BitLocker), so a lost laptop does not mean lost data.

Physical Location Security

For the most part we are a co-located team in Santa Monica, so we need to protect our office space as well. We use an electronic, remotely managed lock system to ensure that only employees and service people have access to the front door, and only during certain hours. We also have 24x7 video recording of the facilities.

We also remind all employees to lock their computers whenever they’re away from their desk. And finally, as we’ve touched on, we keep all sensitive data in the cloud (on Google servers) and not on prem (on our own servers).

Penetration Testing

We had our first penetration test performed by an outside vendor in 2019 and passed with flying colors. A clean result is a point-in-time finding, so we plan to get one done annually to ensure we don't slip up.
