How secure is your data?

Questions to ask your CIO or IT team

Robots & Pencils
RoboPress


As Facebook’s stock takes a tumble and Mark Zuckerberg declines a state-sponsored London vacation to the Houses of Parliament, data security is becoming more and more buzzy in executive circles. No one wants their name splashed with the words breach, compromised or abused, especially when it comes to data.

With today’s digital-first ethos and the broadening of technology adoption in the workplace, you should know the questions that need to be asked to get a “thumb in the air” sense of how secure (or not) your systems really are.

So without further ado, here’s our recommended “How secure is our data?” cheat sheet of questions to ask your CIO or IT team.

Protecting your app

  1. Do you carefully consider the data we’re collecting, ensuring our data collection does not become a liability? What harm can be done if someone gains unauthorized access to this data?
  2. Do you track bad login attempts? If so, how many attempts do you allow before an owner’s account is locked? (We recommend no more than 12 before locking down the account and informing the owner via email).
  3. Do you use the “Have I Been Pwned” V2 API to check accounts to ensure they are not re-using a password that has been leaked in another dump? Remember, accounts that share the same password can all be defeated at the same time.
  4. Do you check passwords against the SecLists dump of the 1 million most common passwords?
  5. Have you turned on time-based one-time password (TOTP) two-factor authentication (2FA) for your own internal admin tools?
  6. Are you gathering metrics needed to detect any increase in volumes of traffic from accounts, and developing tools needed to block an account if needed?
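As an added example (not from the original post), here is how the checks behind items 2 to 4 can be wired together in Python: the “Have I Been Pwned” V2 k-anonymity range lookup, where only the first five hex characters of the password’s SHA-1 hash leave your server, a check against a common-password set, and a per-account failed-login counter that locks at the recommended 12 attempts. The range response body and the common-password set are constructed stand-ins; in production the fetch callable GETs https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib
from collections import defaultdict

# Constructed sample body from the HIBP v2 k-anonymity "range" endpoint for
# prefix 5BAA6 (SHA-1 of "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8);
# real responses hold hundreds of suffixes and these counts are made up.
SAMPLE_RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
)
# Constructed stand-in for the SecLists common-password file.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def sha1_prefix_suffix(password):
    """5-char prefix goes to the API; the 35-char suffix never leaves us."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, body):
    """Breach count for `suffix` in a range response body, 0 if absent."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix and count.isdigit():
            return int(count)
    return 0


def password_is_unsafe(password, fetch_range):
    """fetch_range(prefix) -> response body; in production it GETs
    https://api.pwnedpasswords.com/range/<prefix> (stubbed here for offline use)."""
    if password.lower() in COMMON_PASSWORDS:
        return True
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fetch_range(prefix)) > 0


class LoginAttemptTracker:
    """Per-account failed-login counter; locks at max_attempts (12 here)."""
    def __init__(self, max_attempts=12):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)

    def record_failure(self, account):
        self.failures[account] += 1
        return self.is_locked(account)  # True: lock and e-mail the owner

    def is_locked(self, account):
        return self.failures[account] >= self.max_attempts
```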

Protecting your delivery

  1. Do you have 2FA enabled on the hosting platform (AWS or other) you are using, and are you rotating all of your passwords so that they are not re-used anywhere?
  2. If you use AWS, have you set up private VPCs to keep the AWS ECS cluster and DBs off of the internet? Are you using bastions, NAT, and security groups to isolate your applications? Are you encrypting your data at rest?
  3. Have you turned on an AWS WAF firewall in front of the app with paid rule sets for the OWASP Top 10 and another to block bad actors?
  4. Do you use a 3rd party (such as Trustwave) to schedule periodic penetration testing?
  5. How often do you do a static code analysis to look for vulnerabilities in your code and dependencies?
  6. Do you keep your systems fully patched?
  7. Do you run any OWASP scanners?
  8. Have you added some logfile-based alerting, and do you do periodic manual reviews of the logs for suspicious activity?
  9. Have you set up keybase.io accounts, and do you only communicate sensitive information via Keybase?
  10. For mobile apps, are you familiar with the OWASP Mobile Application Security Verification Standard (MASVS)?

Protecting your data

Most of the attacks we have seen recently fall into one of two groups:

  • A hacker gains access to a site or tools by using email accounts and passwords found in a leak from another site.
  • A hacker uses a botnet to bring a website offline.

So what can you ask?

  1. Have you noticed an increased spike in traffic from countries such as Russia, Mexico and Taiwan? These are countries from which we have seen an increased volume of hackers trying to use stolen passwords.
  2. If you have no customers/users in a specific country and see high volumes of traffic, do you block that country from accessing your services?
  3. Are you ensuring that you are compliant with GDPR and onside with the regulations coming into effect?
  4. Are you FOSTA/SESTA compliant, ensuring that no illegal content is being hosted or solicited using your services?

These questions should be easy to answer for most experienced CIOs and IT teams. However, it is worth recalling the wise words of Voltaire: “common sense is not so common”.

If you aren’t satisfied, or the answers aren’t given at all, it may be time to reevaluate your processes before you wind up in the unfortunate position of being called before Congress.

Written by Mark Madsen and Ryley Moskal — two guys aghast that people use ‘password’ as their password 🙈
