Creating a Cybersecurity Program

So you have been voluntold to improve security at your company?
Building a cybersecurity program is no easy task and requires the heart of a lion to get started. Let's get answers to several questions to build a solid foundation without getting lost in the abyss of fear, uncertainty, and doubt. Keep in mind that the goal of security is to build resiliency against cyber attacks into the company by enabling the business, not by halting operations. No matter how much information is available to you via the company's intranet, make sure you meet the executives and program leads the moment you get hired, to understand their world and how things operate at this company. As security professionals we know the existing threats, yet the priority at this moment is to build trust among your peers before rolling up your sleeves to get work done. This is common sense to tenured professionals, but for those coming up it can be burdensome. Your first 90 days will be critical to your success at this new company; ensure you have at least had introduction calls with your entire immediate team, middle management, and key personnel in other areas such as Finance, HR, Engineering, IT, and Legal. Below is a visual created by SANS, one of the top institutes for cybersecurity certifications (and now degrees), which has been helpful for determining the security awareness maturity of an organization and prioritizing work.
SANS Security Awareness Maturity
We will be able to mitigate many threat vectors through technology, yet the human factor poses the largest risk. Even the brightest security professional can fall victim to social engineering, fraud, and scams, and is susceptible to a cyber attack given the right pretext.
The questions below were derived from reading Startup Secure by Chris Castaldo, the NIST Cybersecurity Framework, and SANS material, and filtering them through what has worked in my personal experience as a practitioner.
The answers to the following will help you communicate with executives:
- Why is cybersecurity important at this company?
- What are we trying to secure?
  - Credibility of the company
  - Trust from business partners
  - Intellectual property, data, and availability of our systems, to name a few
- When was the last time a risk assessment was done at this company?
- Have my managers, peers, or direct reports operated in regulated companies before?
  - If they have, security awareness will not be something new
In the event of a Ransomware attack:
- Where do we store the data we have for our customers/clients?
- Who would we call if we suffered a ransomware/data breach?
- Do we have any controls in place to defend against the attack that affected company xyz in our industry?
- How long could we survive the attack and how long could our services be down for?
- How long would it take to recover fully from the attack?
- How would we notify customers, investors, and the general public?
- Which executive is responsible for this?
Enterprise Security Fundamentals (Startup Secure):
Reading the Startup Secure book was exactly what I needed when I began working for a startup; it helped me determine which controls I should focus on building so the company would have a strong foundation. I recommend reading the book through O'Reilly or Amazon Kindle for a more in-depth explanation.
Email security (Virtru, Proofpoint, & Paubox)
The need to protect inbound and outbound email will become more apparent as you spend more days at your company. An estimated 3.4 billion phishing emails are sent daily, and keeping your fellow employees from getting reeled in should be a priority. Preventative controls available in the enterprise versions of both Outlook and G Suite will pay off in the long run. Consider running a monthly call to keep employees aware of recent phishing and cyber trends and keep the company vigilant.
Secure credentials
Credentials should be treated as intellectual property. Compromised credentials are among the most common initial causes of data breaches.
- Enable MFA
- Enforce role-based access controls for all systems, such as SaaS tools and endpoint devices
- Identify all the digital keys we use across the company (API keys, SSH keys, etc.)
  - Store keys in a key management system (Vault)
  - Never in a code repository (GitHub)
  - Limit scope and access
Two common types of attacks against credentials:
- Social engineering
  - Suspicious emails with a high sense of urgency that push you to take some drastic action
  - Phone calls that pressure you to click on links or provide any level of sensitive data
- Software vulnerabilities
Enabling all security settings in GitHub is critical:
- Strong passphrase
- MFA enabled
- Ensuring no credentials are hardcoded
- Secure development
  - DevSecOps to cover open-source software risks: by common estimates, roughly 80% of software is built upon open-source components
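The "never in a code repository" rule under Secure credentials and the "ensuring no credentials are hardcoded" item in the GitHub list are only enforceable if something checks for them. The scanner below is an added example written for this page, not code from Startup Secure or from any tool the page names. It walks a source tree (or a string), flags lines that look like an AWS access key ID, a GitHub personal access token, a PEM private-key header, or a quoted literal assigned to a password/secret/token-style name, and redacts every match before reporting it so the scanner itself never echoes a real secret into CI logs. The patterns, the 8-character minimum, the skipped directories, and the sample files are all assumptions for illustration; the AWS key is the well-known documentation example and the token is made up.

```python
"""Hardcoded-credential scanner (added example, not code from Startup Secure or the page)."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Detection patterns (assumed shapes; extend for your own key formats).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # name = "value": the quoted value is captured; 8+ chars is an assumed
    # minimum to cut down on noise from things like password="".
    "literal_secret_assignment": re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"\s]{8,})['"]"""
    ),
}

# Values that reference a secret store instead of holding a secret, e.g.
# "${DB_PASSWORD}", "$DB_PASSWORD" or "{{ vault_db_pass }}", are not findings.
PLACEHOLDER = re.compile(r"^(?:\$\{?[A-Z0-9_]+\}?|\{\{.*\}\})$")

SKIP_DIRS = {".git", "node_modules", "venv", "__pycache__"}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # first four characters of the match, never the whole value


def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return value[:4] + "*" * max(len(value) - 4, 4)


def scan_text(text: str, path: str = "<memory>") -> list:
    """Scan text line by line and return redacted findings in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                # The generic pattern captures the value; the others match it whole.
                value = match.group(1) if match.groups() else match.group(0)
                if PLACEHOLDER.match(value):
                    continue
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_tree(root: Path, max_bytes: int = 1_000_000) -> list:
    """Recursively scan text files under root, skipping VCS and dependency dirs."""
    findings = []
    for file in root.rglob("*"):
        if not file.is_file() or SKIP_DIRS & set(file.parts):
            continue
        if file.stat().st_size > max_bytes:
            continue  # oversized blobs are rarely hand-written source
        try:
            text = file.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary file
        findings.extend(scan_text(text, file.relative_to(root).as_posix()))
    findings.sort(key=lambda f: (f.path, f.line_no))  # deterministic report order
    return findings


# Constructed sample repository for a stand-alone run (assumed content).
SAMPLE_FILES = {
    "app/config.py": (
        "import os\n"
        'DB_PASSWORD = os.environ["DB_PASSWORD"]  # fine: injected at runtime\n'
        'SMTP_PASSWORD = "s3cr3t-Prod-P@ss"  # hardcoded\n'
    ),
    "deploy/.env.example": 'API_KEY="${API_KEY}"  # placeholder, not a secret\n',
    "infra/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
    "scripts/backup.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "ci/deploy.sh": "export GH_PAT=ghp_0123456789abcdefghijABCDEFGHIJ012345\n",
}


def run_sample() -> list:
    """Write SAMPLE_FILES to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, content in SAMPLE_FILES.items():
            target = root / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.redacted}")
    # Non-zero exit lets a pre-commit hook or CI job block the commit.
    raise SystemExit(1 if results else 0)
```

Run as a pre-commit hook or CI step, the non-zero exit blocks the push; the placeholder check keeps `.env.example` files and templated configs from turning into noise that trains developers to ignore the tool. Anything it finds in history still needs rotation, since deleting a committed key from the tree does not remove it from the repository's past.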
Patching
- Asset management
- Working with IT to bake in automatic updates for Windows
- For macOS users, ensure they are updating their devices at least once every 2 weeks
- Fixing CVEs, misconfigurations, and vulnerable installed software across the cloud environment (AWS/Azure/GCP)
- Introduce patching into the IDE by integrating Snyk into VS Code, scanning our repos, and prioritizing open-source vulnerabilities
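A patching policy only matters if someone can tell which devices are outside it. The check below is an added example written for this page, not code from Startup Secure or from any MDM product; it turns the bullets above into a report that can run against a CSV export of an asset inventory. The policy it encodes is assumed for illustration: Windows endpoints must have automatic updates enabled, Windows and macOS endpoints must have been patched within the last 14 days, Linux cloud hosts get 30 days, a device whose OS has no policy is flagged, and a device with no recorded patch date is non-compliant because a control you cannot observe is a control you cannot rely on. The inventory rows are constructed sample data.

```python
"""Patch-compliance report over an asset-inventory export (added example, not from the page)."""
import csv
from datetime import date
from io import StringIO

# Maximum days since the last patch, per OS (assumed policy values).
MAX_AGE_DAYS = {"macos": 14, "windows": 14, "linux": 30}

# Constructed inventory export: hostname, OS, last patch date (ISO), auto-update flag.
INVENTORY_CSV = """hostname,os,last_patched,auto_update
mbp-alice,macOS,2024-05-20,false
mbp-bob,macOS,2024-04-28,false
win-carol,Windows,2024-05-25,true
win-dave,Windows,2024-05-01,false
lin-build01,Linux,,false
"""


def check_inventory(csv_text: str, today_iso: str) -> list:
    """Return [(hostname, [reason, ...])] for every device outside the policy."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(StringIO(csv_text)):
        os_name = row["os"].strip().lower()
        reasons = []
        # Windows relies on automatic updates; treat anything but "true" as off.
        if os_name == "windows" and row["auto_update"].strip().lower() != "true":
            reasons.append("automatic updates disabled")
        limit = MAX_AGE_DAYS.get(os_name)
        if limit is None:
            reasons.append(f"no patch policy defined for {row['os']}")
        last = row["last_patched"].strip()
        if not last:
            reasons.append("no patch date recorded")
        elif limit is not None:
            age = (today - date.fromisoformat(last)).days
            if age > limit:
                reasons.append(f"last patched {age} days ago (limit {limit})")
        if reasons:
            findings.append((row["hostname"], reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in check_inventory(INVENTORY_CSV, "2024-06-01"):
        print(f"{host}: {'; '.join(reasons)}")
```

Running it on the sample as of 2024-06-01 flags mbp-bob for age, win-dave for both disabled updates and age, and lin-build01 for having no patch date at all; the clean rows are silent, which is what makes the report usable as a weekly hand-off to IT.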
Endpoint Protection
- Since laptops typically touch the cloud environment and have access to important business data, they will need to be protected with endpoint detection and response (EDR) solutions. Once the company has grown past roughly 45 employees, it is best to choose a leader in this space.
On-Site Office Network
- What is our current setup? What router technology are we using? Ensure that the office is not using a consumer wireless setup meant for home use.
- A security assessment of the Wi-Fi will help us understand our risks
–Christian Galvan
Notes:
This page will be updated as additional information is learned. Many edits have been made since publishing.
I’ve read numerous blogs, white papers, research, and books. The most notable is Startup Secure by Chris Castaldo.
If you have any ideas or suggestions, please reach out and you will get credit for your contribution.