Prelude
This post is related to a twitter thread I made earlier about the basics of
security.
I do security, and sometimes I consult, and the steps laid out here would put
me in another line of business if people had followed them before reaching out.
The steps outlined here are not technical. They will not be about advanced
things like encryption, firewalls, TLS, or intrusion detection.
They will be about security. The first steps of security.
This is applicable to any size of company, from a one-person consultancy with
a home office, through your first handful of coworkers, and into medium-sized
businesses.
This is also not going to aim for perfect. This aims at what you need to
have. What I'm laying out here will be the things that will save your company.
It'll be the bare basics because of that.
What are the basics
The basics don't include hacking protection, auditing, firewalls, antivirus,
intrusion detection systems, proxies, encryption or web application firewalls.
The basics of security contain:
- Access handling
- Reset plan
- System valuation
- Recovery plan
- Data valuation and protection
In technical terms, Access Handling, System Valuation, and Data Valuation
are part of your asset management or inventory management. Doing full
asset management is not where you start, but following these steps should get
you partially there.
Access sheet
First up, you need to know what you have that is valuable, and what you have
that is a liability. Frank assessments here are important.
Examples of this would be:
- Databases
- Client contact information
- API tokens
- DNS control panel password
- Email control panel password
- Keys to the office
- Computers (physical things)
Make a spreadsheet, in Google Sheets or wherever. In this sheet you need at
least the following data:
- Who has access
- What it accesses
- Where it is accessed
- How do you recover it
An example:
| Employee name | Name | Site | Recovery method |
|---|---|---|---|
| Jane Smith | DNS Control panel | gandi.net | phone gandi, fax passport copies |
| Jane Smith | Site listing in google maps | maps.google.com | recovery link, sends postcard to registered address |
| Jane Smith | Email control panel | mail.google.com | recovery codes in safe, phone number +XXX-XXX-YYY-XXX |
| Jack Alltrades | Office keys | OfficeAddress 32 | Talk to landlord at +YYY-XXX-XXX-XXX |
| Jack Alltrades | Server room keys | OfficeAddress 32 | Get locksmith |
| Jack Alltrades | Server root password | login.example.com | Reinstall login.example.com |
| Pam Outsourcing | API keys amazon | aws.amazon.com | recovery codes in safe, reset API keys, manually place on srvr1.example.com, srvr2.example.com |
| Pam Outsourcing | Facebook company site | https://www.facebook.com/ | Jane Smith has Admin access. |
Print it and keep copies.
This list should cover who has keys where, who has access to DNS/Email admin
panels, API keys, and how to reset or recover them!
Do note that nothing on this list should be a secret: no recovery codes, no
passwords or similar.
This sheet will be the basics of your reset plan.
Reset Plan
The reset plan is for when you have a break in, employees get fired, you get
hacked, or when you hire new staff.
The reset plan should use the above sheet in order to create, terminate or reset:
- Cloud accounts
- Infrastructure (DNS, Email, Amazon, webhosting)
- Doors and locks
- Backup services
The reverse application of your reset plan will be a selective on-boarding for
new employees. Sort your plan by "most important first".
Do not store secrets/recovery codes inside the plan or the sheet. You don't
want it to be a one-click own-our-company.
Make sure both the sheet and the plan are available offline, printed, and
preferably keep an off-site copy.
Keeping the reset plan up to date is important, but generally doesn't take much
work. Most of the sites that deserve to end up there go through some kind of
billing process, so simply following invoices can be enough. Some of the
services you depend on may be free, such as facebook accounts, etc.
Example use cases:
If you fire the accountant for failing to pay cloud bills and being locked out,
you want to recover your cloud accounts. While your accountant didn't have the
AWS login, you still need to be able to reset and regain access to it.
If you have a break-in at home, and your bag with laptop and keychain gets
stolen, you want to know which systems and doors need to be reset, and who to
contact for it.
When you stop using the marketing agency that designed your webshop and set up
your facebook page, you may want to reset the API tokens/logins, as well as
ensure you have sole administrative control.
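As an added illustration (not from the original post), here is the access sheet in CSV form driving two parts of the reset plan: the "most important first" list of what to reset when one person leaves, and a check that flags rows where a secret was pasted into the sheet instead of a pointer to where it lives. The priority column and the secret-shaped patterns are assumptions of this example.

```python
import csv
import io
import re

# Constructed sample of the access sheet from the post, with an assumed
# "priority" column (1 = most important, reset first).
ACCESS_SHEET = """employee,asset,site,recovery,priority
Jane Smith,DNS control panel,gandi.net,"phone gandi, fax passport copies",1
Jane Smith,Email control panel,mail.google.com,"recovery codes in safe, phone +XXX-XXX-YYY-XXX",1
Jack Alltrades,Office keys,OfficeAddress 32,Talk to landlord at +YYY-XXX-XXX-XXX,2
Jack Alltrades,Server root password,login.example.com,Reinstall login.example.com,1
Pam Outsourcing,API keys amazon,aws.amazon.com,"recovery codes in safe, reset API keys",1
Pam Outsourcing,Facebook company site,https://www.facebook.com/,Jane Smith has Admin access.,3
"""

# Hypothetical heuristics for "this looks like the secret itself, not a pointer
# to it": a pasted password, an AWS-style access key id, or a literal code.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    re.compile(r"(?i)\bcodes?\s*[:=]\s*[0-9a-z-]{6,}"),
]


def load_sheet(text):
    """Parse the CSV sheet into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reset_plan_for(rows, employee):
    """Off-boarding: every asset the person had, most important first."""
    mine = [r for r in rows if r["employee"] == employee]
    mine.sort(key=lambda r: int(r["priority"]))
    return [(r["asset"], r["site"], r["recovery"]) for r in mine]


def find_secrets(rows):
    """Assets whose recovery column looks like a secret rather than a pointer."""
    hits = []
    for r in rows:
        if any(p.search(r["recovery"]) for p in SECRET_PATTERNS):
            hits.append(r["asset"])
    return hits


if __name__ == "__main__":
    rows = load_sheet(ACCESS_SHEET)
    for step in reset_plan_for(rows, "Jack Alltrades"):
        print("reset:", step)
    print("rows that leak secrets:", find_secrets(rows))
```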
Recovery Planning
Imagine a disaster. AWS wiped, office fire, water leak ruining things, break in
looting everything, a police raid impounding all computers in your office.
Your recovery plan should cover enough business that you can bill customers the
next few months, and pay your own bills. That is, access to bank accounts, and
the ability to conduct "enough" business that you won't go under, instantly.
If you're a consulting agency, it's usually simple. A spare laptop, and a cloud
backup or two. With recovery codes, copied at home and offsite.
If you work from home and it's a house fire, it may not be possible to recover.
The impact of losing both your home and your business at once may be so
stressful that you cannot sustain yourself, recover your living, and recover
your business at the same time.
Write that down. Contemplate it, then think of fixes.
It is okay to write: "In case of office fire: We close business". It is also
okay to buy extra fire extinguishers and invest in fireproof cabinets for
important things.
In a software company, you probably don't need all your servers or
functionality to continue running the corporation. Think about it, and put
value on it.
You do know which services are necessary to keep your company running the
next few months, and which are just nice to have, don't you?
Most organizations don't know which services are necessary for their survival:
DNS, email archives, hosting accounts, etc. For some businesses, that's their
life. Others would just shrug at them being gone, and pick up the phone.
Now schedule a meeting with your CEO about this. Name it something fancy;
Emergency Planning Meeting is a good name.
It's important that this gets buy-in from the top. Make them aware. In small
companies, this isn't difficult, just make them sit with you as you go through
and build a detailed plan. In larger corporations, you might want to do more
preparations before taking their time.
Let them ask questions (What is this? Why do we need it? What does it do? How much does a new
one cost? How long does it take to get it back up? Can we have a spare in the cloud?)
Ask them what you really need to have left to survive as a company. How many
days can you go without email and still continue existing? How many days can
your homepage be down and you still continue existing as a company?
Phrase everything with "and still continue existing". We don't care about
harmed profit margins here, we care about Company Ending Events. For some
companies, it's phones being down for more than four hours; other companies
can go for weeks without their phones.
Do note that some people may be overly enthusiastic and will say that
"everything is important". Avoid this trap and push back against it at this
phase. This is the basics.
At this point, you know the core valuables, and you can work out the recovery
plan.
Recovery Plan
Recovery is why you take backups, and it's also what you do after things have gone
Wrong(™). Your recovery plan should cover getting your business back up and
limping from a set of disasters, and should also include who to contact, and
who is responsible for each step. When you're stressed out about your
livelihood, woken up early in the night, and shaken to your core is not the
finest moment to take decisions. When you're panicking, you're not smart.
The plan is there so that you don't have to take decisions then. It's also going to
turn out to be generally useful, in corporate mode, for "valuating your assets",
and as a partial thing to follow when other, minor problems arise.
The recovery plan is not supposed to cover every and all eventuality, but to
cover enough.
Minimum incidents to be able to recover from:
- Office fire
- Cryptolocker
- Cloud accounts terminated & wiped
- Bursting sewage pipe above you leaking into the office, causing evacuation
- Police raid seizing all equipment
One of the first four might cause the last to happen, due to late invoices in
your corporate email, the one that's currently unavailable for some reason.
Plan for that to happen.
Once you know the bare essentials you need to stay alive, you can make a
recovery plan. It might look like this, but should have a bit more detail to
it:
Web services Example
- Communicate with customers (CEO)
- Register new cloud account (Janet, Tess)
- Lease 4 servers (CEO)
- Bring in backups from Jane's home
- Communicate with customers (CEO)
- Restore backups (Janet, Tess)
- Repoint DNS (Janet, Tess)
- Communicate with customers (CEO, Janet, Tess)
Financial services Example
- Buy new hardware from closest physical shop (CEO, Janet, Tess)
- Restore financial backup from cloud.backup.example.com, (Jane has access, Janet & Tess competency)
- Check the data (Tim, Janet)
- Send a bill (Tim)
- Reactivate bank integration (CEO, Tim)
- Pay out salaries (Tim)
Details about the plan
The plan should be as specific as you might think it needs to be. If any of the
steps needs authorization, get it pre-authorized, signed and sealed away. The
action plan should both have a what and a who for each item. Where may be
required as well.
Back up your plan, print it out, and try it. Verify that you can do the steps.
This part is often skimped on, but necessary, or things may break.
If you need money to action the emergency plan, make sure there's an emergency
fund you can take it from.
Then you schedule a meeting with your CEO to revise this plan in 6 months. Go
through the list of targets again, and check that the values are still there.
You might have migrated to a cloud financial platform, or something else.
Once you have planned for this kind of disaster, pretty much all the other ones
are minor. Also note that this plan implicitly covers everything from "single
server crashed" to "full office fire".
Data Valuation
Next up, a data valuation. You're a modern company, you have a collection
of data. Do you anywhere in your org have a collection of data that's
"oh shit" if leaked?
Oh Shit Examples:
- Personal information
- Customer data
- Banking details
- Customers' clients' data
- Source code
- Credit card data
- Full corporate backups
For different companies, it can be different things. For some, the knowledge
that you do business with some parties may be an oh shit moment. For others,
2 million recordings of children speaking to their teddy-bears might be.
Interview everyone, talk to them, take notes. Just ask them what data they
can't do their work without, and what might be bad if others saw. You can make
seasoned guesses, but it's important to talk to people here.
This is your high value data set. Now you can track it.
See where it's copied (cloud, drives, backups, sync, email?)
All systems that store the High Value set are prio 1 protection systems.
Your goal will be to reduce these systems to a manageable amount, and make sure
Two Factor Authentication (2FA) is required for their access. You may want to
look at encryption, preferably full disk encryption, for this data.
If you have High Value data in cloud services, we generally consider them safe,
but enforce 2FA.
Having High Value data in a Dropbox/git style sync is bad, since that turns
every user/laptop into a prio 1 machine. Avoid that.
That's it.
Last words
Getting this done should usually not be that hard. It's a few days of work, and
then regular maintenance. What it will reveal is that you may have valuables in
places you didn't know, and that some of the things that seem important, might
not be so.
The steps after this one are gradually more complex, and will be about
protecting rather than recovering. However, before you put in any
protective measures, you need to have an idea of what to protect. And that's
where the valuations and recovery plans stand.
In all, this is the first step towards security. This is the basics, and it
requires no specialized knowledge, and almost no technical knowledge that you
don't already have.
And feel free to contact me @Spidler or email
if you wish to know more, or tell me how horribly wrong I am about everything.