views:

343

answers:

10

I'm working with a start-up, mostly doing system administration, and I've come across some security issues that I'm not really comfortable with. I want to judge whether my expectations are accurate, so I'm looking for some insight into what others have done in this situation, and what risks/problems came up. In particular, how critical are measures like placing admin tools behind a VPN, regular security updates (OS and tools), etc.?

Keep in mind that as this is a start-up, the main goal is to get as many features as possible out the door quickly, so I'll need as much justification as I can get to get the resources for security (i.e. downtime for upgrades, dev time for application security fixes).

Background Info:

  • Application is LAMP as well as a custom java client-server.
  • Over the next 3 months, I project about 10k anonymous visitors to the site and up to 1000 authenticated users.
  • Younger audience (16-25) which is guaranteed to have an above average number of black-hats included.

Thanks in advance for your responses, and I'll welcome any related advice.

+2  A: 

Make sure you know what version and patch level your servers are running, not just the OS, but all related components and everything that is actually executing on the machine. Then make sure you are never more than a day behind. Not doing so leads to much pain, and you don't hear of most of it - most of my past employers would never publicly admit being hacked as it reflects badly on them, so you can assume systems are getting hacked left and right with pretty serious consequences to companies; you just don't hear about most of these events.

Yaniv
+3  A: 

These will probably be obvious:

  • Limit password attempts.
  • Sanitize your database inputs.
  • Measures to prevent XSS attacks.

It's also worth mentioning that, as you said, the network architecture should be set up appropriately. You should definitely have a decent firewall that's locked down as much as possible. Some people recommend putting your systems between dual firewalls of different makes so that in the event one of them has a critical vulnerability, the second will most likely not have the same vulnerability and you'll be safe. It all depends on what you can afford since it's a startup.

Bit Destroyer
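The three points in this answer (attempt limiting, parameterized database access, output escaping) are easy to demonstrate in one small login handler. The block below is an added example, not code from the answerer or from the asker's application; it uses Python with an in-memory SQLite database and a constructed user record, standing in for the PHP/MySQL code a LAMP stack would actually have (the same pattern maps to PDO prepared statements and `htmlspecialchars` in PHP). The lockout threshold, lockout duration and the table layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import html
import os
import sqlite3
import time

# Assumed policy values: lock an account after MAX_ATTEMPTS consecutive failures.
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 900


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a real app should use its framework's password API."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_db() -> sqlite3.Connection:
    """Constructed throwaway database with one user and a per-account attempt counter."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, bio TEXT)"
    )
    conn.execute(
        "CREATE TABLE login_attempts "
        "(username TEXT PRIMARY KEY, failed INTEGER, locked_until REAL)"
    )
    salt = os.urandom(16)
    # The bio deliberately contains markup so render_profile() can show escaping.
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        ("alice", salt, _hash_password("correct horse", salt),
         "<script>alert(1)</script> likes cats"),
    )
    return conn


def login(conn, username, password, now=None):
    """Return (ok, reason). Every query uses ? placeholders, so the username is
    passed as data and can never change the SQL being executed."""
    now = time.time() if now is None else now
    row = conn.execute(
        "SELECT failed, locked_until FROM login_attempts WHERE username = ?", (username,)
    ).fetchone()
    failed, locked_until = row if row else (0, 0.0)
    if locked_until > now:
        return False, "locked"

    user = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    # Constant-time compare; an unknown user is treated exactly like a wrong password.
    ok = user is not None and hmac.compare_digest(_hash_password(password, user[0]), user[1])
    if ok:
        conn.execute("DELETE FROM login_attempts WHERE username = ?", (username,))
        return True, "ok"

    failed += 1
    locked_until = now + LOCKOUT_SECONDS if failed >= MAX_ATTEMPTS else 0.0
    conn.execute(
        "INSERT OR REPLACE INTO login_attempts VALUES (?, ?, ?)",
        (username, failed, locked_until),
    )
    return False, "locked" if locked_until else "bad credentials"


def render_profile(conn, username):
    """Escape user-supplied text before it lands in HTML (the XSS measure)."""
    row = conn.execute("SELECT bio FROM users WHERE username = ?", (username,)).fetchone()
    bio = row[0] if row else ""
    return '<p class="bio">%s</p>' % html.escape(bio, quote=True)


if __name__ == "__main__":
    db = create_db()
    print(login(db, "alice' OR '1'='1", "x", now=0.0))   # no such user, counted as a failure
    for _ in range(MAX_ATTEMPTS):
        print(login(db, "alice", "wrong", now=0.0))       # last one reports "locked"
    print(login(db, "alice", "correct horse", now=LOCKOUT_SECONDS + 1.0))
    print(render_profile(db, "alice"))
```

Note that the lockout counter is keyed by account, which stops online guessing against one user but also lets an attacker lock a victim out on purpose; per-IP limiting (or a delay rather than a hard lock) is the usual complement, and the monitoring answer further down covers spotting such bursts in logs.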
+5  A: 

Reputation is everything here, especially for a startup. As a startup, you don't have a long history of reliability/security/... - so all depends on users to give you the 'benefit of the doubt' when they start using your app.

If your server gets hacked and your users notice that, your reputation is gone. Once it's gone, it doesn't matter whether your app and your features are the 'next new thing' or not. It doesn't matter whether the security breach was minor or not - people won't trust your app/company anymore.

So, I would consider security to be the top priority.

Stefan
+4  A: 

If security isn't thought of and built into the application and its infrastructure from day one it will be much more difficult to retrofit it in later. Now is the time to build the processes for regular OS/tool patching, upgrades, etc.

  • What kind of data will users be creating/storing on the site?
  • What effect will a breach have on your users?
  • What effect will a breach have on your company?
  • Will you be able to regain the users' trust after a breach?

Since your company is dependent on keeping existing users and attracting new ones, you should present your concerns along the lines of how the users would react to a breach. The higher-ups will understand that the users are your bread and butter.

Dave
I agree that your last point is how things should work, but I'm meeting resistance, particularly wrt the degree of risk involved :(
Dana the Sane
What's riskier? A data breach and losing all your users (and probably the company going under), or delaying a new feature by a few days while the security implications are evaluated? You might be able to sway them with some examples of companies that have gone under after a breach...
Dave
+4  A: 

I agree with Stefan about reputation. You don't want to get hacked because you were lacking on security. Not only will that hurt your site and company, it will look bad on you since you're in charge of that.

My personal opinion is to do as much as you can because no matter how much you do there will be vulnerabilities.

Unfortunately security like testing and documentation are often afterthoughts. You should really make sure to do risk assessments early in your site/software's life and to keep on doing assessments. I think it is important to patch all software for security holes.

metanaito
+6  A: 

Also, don't forget you need to have your server secured from current (that is, soon-to-be-past) employees. Several startups were totally wiped due to employee sabotage, e.g. http://www.geek.com/articles/news/disgruntled-employee-kills-journalspace-with-data-wipe-2009015/

Yaniv
Definitely a good point. We currently have a centralised pw doc that should make it easier to do a mass reset.
Dana the Sane
+2  A: 

A few basic "security" measures here that, while more reactive than proactive, are some things to consider.

1) Backup strategy. Of course this is not just for those who hack into your site, but it is nice to restore everything back to pre-hack days if possible. Make sure it's reliable and, most importantly, was tested in a near-live restore drill.
2) Mitigation. Have plans in place, at least on a napkin somewhere, for how to react if the server is hacked.
3) Insurance. Find insurance companies that understand the world of cyber-business and the damages resulting from these things, and buy policies.
4) Someone already mentioned employee sabotage problems. You're screening your employees beforehand, right? Background checks are cheap and do dig up stuff...

tekiegreg
+3  A: 

If you're explicitly trying to attract the sort of users who are inclined to try to crack systems, then you can pretty well bet that your system will come under attack.

You should suggest to the management that if they're not going to take security seriously, then you should just go ahead and post the company's bank statements and accounting books (in clear text) on the site, with a prominent link from the home page. At least that way, you can tell them, the end result will be about the same, but they're less likely to damage everything else to get what they're looking for.

I'd think that the reputation issue might have a slightly different cast with this audience, too -- they may forgive you for being hacked, but they probably won't forgive you for being an easy target.

Jeff Shannon
+2  A: 

My best suggestion is monitoring.

There is no perfect security and it is all about accepting risks and preventing them when necessary. However, if you have no monitoring in place you will have no way to know if something (an attack) has succeeded and how it happened.

So, keep your system updated and install a few lightweight tools to monitor it properly. If you have custom applications, add logging in there. Log on error-generated errors (bad input), failed passwords, or any user-generated error.

As for lightweight tools to monitor, there are quite a few free/open source ones:

  • OSSEC (to look for anomalies, changes and logs)
  • modsecurity (web-based monitoring)
  • Sucuri (whois/dns/blacklisting monitoring)

Sucuri
A: 

Have a look at Mod Security for the various possibilities in the software setup: Do a Google search for "mod_security howto example"

Simple example to start: http://www.ghacks.net/2009/07/15/install-mod%5Fsecurity-for-better-apache-security/