Prelude

This post is related to a twitter thread I made earlier about the basics of security.

I do security, and sometimes I consult, and the steps laid out here would put me in another line of business if people had followed them before reaching out.

The steps outlined here are not technical. They will not be about advanced things like encryption, firewalls, tls, intrusion detection.

They will be about security. The first steps of security.

This is applicable to any size of company, from a one-person consulting with an home-office, through your first handful of coworkers, and into medium sized businesses.

This is also not going to aim for perfect. This aims at what you need to have. What I'm laying out here will be the things that will save your company.

It'll be the bare basics because of that.

What are the basics

The basics don't include hacking protection, auditing, firewalls, antivirus, intrusion detection system, proxies, encryption or web application firewalls.

The basics of security contain:

  • Access handling
  • Reset plan
  • System valuation
  • Recovery plan
  • Data valuation and protection

In technical terms, Access Handling, System Valuation, and Data Valuation are part of your asset management or inventory management. Doing full asset management is not where you start, but following these steps should get you partially there.

Access sheet

First up, you need to know what you have that is valuable, and what you have that are liabilities. Frank assessments here are important.

Examples of this would be:

  • Databases
  • Client contact information
  • API tokens
  • DNS control panel password
  • Email control panel password
  • Keys to the office
  • Computers (physical things)

Make a spreadsheet, Google Sheets or wherever. In this sheet you need at least the the following data:

  • Who has access
  • What it accesses
  • Where is the accessed
  • How do you recover it

An example:

Employee nameNameSiteRecovery method
Jane SmithDNS Control panelgandi.netphone gandi, fax passport copies
Jane SmithSite listing in google mapsmaps.google.comrecovery link, sends postcard to registered address
Jane SmithEmail control panelmail.google.comrecovery codes in safe, phone number +XXX-XXX-YYY-XXX
Jack AlltradesOffice keysOfficeAddress 32Talk to landlord at +YYY-XXX-XXX-XXX
Jack AlltradesServer room keysOfficeAddress 32Get locksmith
Jack AlltradesServer root passwordlogin.example.comReinstall login.example.com
Pam OutsourcingAPI keys amazonaws.amazon.comrecovery codes in safe, reset API keys, manually place on srvr1.example.com, srvr2.example.com
Pam OutsourcingFacebook company sitehttps://www.facebook.com/Jane Smith has Admin access.

Print it and keep copies.

This list should cover who has keys where, who has access to DNS/Email admin panels, API keys, and how to reset or recover them!

Do note that nothing on this list should be secrets, no recovery codes, no passwords or similar.

This sheet will be the basics of your reset plan.

Reset Plan

The reset plan is for when you have a break in, employees get fired, you get hacked, or when you hire new staff.

The reset plan should use the above sheet in order to create, terminate or reset:

  • Cloud accounts
  • Infrastructure (DNS, Email, Amazon, webhosting)
  • Doors and locks
  • Backup services

The reverse application of your reset plan will be a selective on-boarding for new employees. Sort your plan in base of "most important first".

Do not store secrets/recovery codes inside the plan or the the sheet. You don't want it to be a one-click own-our-company.

Make sure both the sheet and the plan are available offline, printed, and preferrably keep an off-site copy.

Keeping the reset plan up to date is important, but generally doesn't take much work. Most of the sites that deserve to end up there go through some kind of billing process, so simply following invoices can be enough. Some of the services you depend on may be free, such as facebook accounts, etc.

Example usecases:

If you fire the accountant for failing to pay cloud bills and being locked out, you want to recover your cloud accounts. While your accountant didn't have the AWS login, you still need to be able to reset and regain access to it.

If you have a breakin at home, your bag with laptop, and keychain gets stolen, you want to know which systems and doors needs to be reset, and who to contact for it.

When you stop using the marketing agency that designed your webshop and set up your facebook page, you may want to reset the API tokens/logins, as well as ensure you have sole administrative control.

Recovery Planning

Imagine a disaster. AWS wiped, office fire, water leak ruining things, break in looting everything, a police raid impounding all computers in your office.

Your recovery plan should cover enough business that you can bill customers the next few months, and pay your own bills. That is, access to bank accounts, and the ability to conduct "enough" business that you won't go under, instantly.

If you're a consulting agency, it's usually simple. A spare laptop, and a cloud backup or two. With recovery codes, copied at home and offsite.

If you work from home and it's a house fire, it may not be possible to recover. The impact of losing both your home, and your business at once may be too stressful that you cannot sustain yourself, recover your living, and business at the same time.

Write that down. Contemplate it, then think of fixes.

It is okay to write: "In case of office fire: We close business". It is also okay to buy extra fire extinguishers and invest in fireproof cabinets for important things.

In a software company, you probably don't need all your servers or functionality to continue running the corporation. Think about it, and put value on it.

You do know which services are necessary to keep your company running the next few months, and which are just nice to have, don't you?

Most organizations don't know which services are necessary for their survival

DNS, Email archives, Hosting accounts, etc. For some businesses, that's their life. Others would just shrug at them being gone, and pick up the phone.

Now Schedule a meeting with your CEO about this. Name it something fancy, Emergency Planning Meeting is a good name.

It's important that this gets buy-in from the top. Make them aware. In small companies, this isn't difficult, just make them sit with you as you go through and build a detailed plan. In larger corporations, you might want to do more preparations before taking their time.

Let them ask questions (What is this? Why do we need it? What does it do? How much does a new one cost? How long does it take to get it back up? Can we have a spare in the cloud?)

Ask them what you really need to have left to survive as a company. How many days can you go without email and still continue existing? How many days can your homepage be down and you still continue existing as a company?

Phrase everything with and still continue existing. We don't care about harmed profit margins here, we care about Company Ending Events. For some companies, it's phones being down for more than four hours, other companies can go for weeks without their phones.

Do note that some people may be overly enthusiastic and will say that "everything is important". Avoid this trap and push back against it at this phase. This is the basics.

At this point, you know the core valuables, and you can work out the recovery plan.

Recovery Plan

Recovery is why you take backups, it's also what you do after things have gone Wrong(™). Your recovery plan should cover getting your business back up and limping from a set of disasters, and should also include who to contact, and who is responsible for each step. When you're stressed out about your livelyhood, woken up early in the night, and shaken to your core is not the finest moments to take decisions. When you're panicking, you're not smart.

The plan is there to help you not to take decisions then. It's also going to turn out to be generally useful, in corporate mode, "valuating your assets", and as a partial thing to follow when other, minor problems arise.

The recovery plan is not supposed to cover every and all eventuality, but to cover enough.

Minimum incidents to be able to recover from:

  1. Office fire
  2. Cryptolocker
  3. Cloud accounts terminated & wiped
  4. Bursting sewage pipe above you leaking into the office, causing evacuation
  5. Police raid seizing all equipment

One of the first four might cause the last to happen, due to late invoices in your corporate email, the one that's currently unavailable for some reason.

Plan for that to happen.

Once you know the bare essentials you need to stay alive, you can make a recovery plan, it might look like this, but should have a bit more detail to it:

Web services Example

  1. Communicate with customers (CEO)
  2. Register new cloud account (Janet, Tess)
  3. Lease 4 servers (CEO)
  4. Bring in backups from Janes home
  5. Communicate with customers (CEO)
  6. Restore backups (Janet, Tess)
  7. Repoint DNS (Janet, Tess)
  8. Communicate with customers (CEO, Janet, Tess)

Financial services Example

  1. Buy new hardware from closest physical shop (CEO, Janet, Tess)
  2. Restore financial backup from cloud.backup.example.com, (Jane has access, Janet & Tess competency)
  3. Check the data (Tim, Janet)
  4. Send a bill (Tim)
  5. Reactivate bank integration (CEO, Tim)
  6. Pay out salaries (Tim)

Details about the plan

The plan should be as specific as you might think it needs to be. If any of the steps needs authorization, get it pre-authorized, signed and sealed away. The action plan should both have a what and a who for each item. Where may be required as well.

Back up your plan, print it out, and try it. Verify that you can do the steps. This part is often skimped on, but necessary, or things may break.

If you need money to action the emergency plan, make sure there's an emergency fund you can take it from.

Then you schedule a meeting with your CEO to revise this plan in 6 months. Go through the list of targets again, and check that the values are still there. You might have migrated to a cloud financial platform, or something else.

Once you have planned for this kind of disaster, pretty much all the other ones are minor. Also note that this plan implicitly covers everything from "single server crashed" to "full office fire".

Data Valuation

Next up, a data valuation. You're a modern company, you have a collection of data. Do you anywhere in your org have a collection of data that's "oh shit" if leaked?

Oh Shit Examples:

  • Personal information
  • Customer data
  • Banking details
  • Customers clients data
  • Source code
  • Credit card data
  • Full corporate backups

For different companies, it can be different things. For some, the knowledge that you do business with some parties may be an oh shit moment. For others, 2 million recordings of children speaking to their teddy-bears might be.

Interview everyone, talk to them, take notes. Just ask them what data they can't do their work without, and what might be bad if others saw. You can make seasoned guesses, but it's important to talk to people here.

This is your high value data set. Now you can track it. See where it's copied (cloud, drives,backups, sync, email?)

All systems that store the High Value set are prio 1 protection systems.

Your goal will be to reduce these systems to a manageable amount, and make sure Two Factor Authentication (2FA) is required for their access. You may want to look at encryption, preferrably full disk encryption, for this data.

If you have High Value data in cloud services, we generally consider them safe, but enforce 2fa.

Having High Value data in a Dropbox/git style sync is bad, since that turns every user/laptop into prio 1 machine. Avoid that.

That's it.

Last words

Getting this done should usually not be that hard. It's a few days of work, and then regular maintenance. What it will reveal is that you may have valuables in places you didn't know, and that some of the things that seem important, might not be so.

The steps once you've done this, are gradually more complex, and will start not about recovering, but about protecting. However, before you put in any protective measures, you need to have an idea of what to protect. And that's where the valuations and recovery plans stand.

In all, this is the first step towards security. This is the basics, and it requires no specialized knowledge, and almost no techincal knowledge that you don't already have.

And feel free to contact me @Spidler or email if you wish to know more, or tell me how horribly wrong I am about everything.