learn-security

For most technology projects security is an "afterthought". It does not have to be that way; let's be proactive!

Learn IT Security & Privacy

Security, Privacy and Data Protection in information technology systems is NOT "Optional".
And yet, most people prefer to ignore the subject, resorting to "ignorance is bliss" and convincing themselves that the problem will somehow go away.

Why?

For most (small/medium) organizations (and many large ones!), security in technology project(s) is an "afterthought"
which people only consider when they have to; usually when the "unthinkable" (a data compromise) happens...

The loss of people's data can be devastating both on a personal and organizational level.
Why not take a few simple steps to prevent it...?

Who?

Everyone in your organization must have a security mindset!

Preferably everyone in all the organizations you work/associate with will be security-educated,
because sadly, (naive/well-meaning) people remain the "weakest link".

What?

Firstly we must come to terms with the fact that it's impossible to be 100% secure because there will always be "uncertainty". That does not mean we should "give up".

There are many areas of IT security that people in your team(s) need to be aware of; they include:

How?

Sadly there is no "magic pill" we can take to make everything secure.
Thankfully, there are several simple principles/practices we can follow that will help!

Be Paranoid

Be paranoid about security.
(Sadly) Personal data is "Big Business"
(Unscrupulous) people/organizations are (actively) trying to "acquire" your data.
"Nasty" people are constantly running scripts, trying to "crack" websites.
If you hope to be successful, you should expect your website/application to be "probed" by somebody somewhere. Don't wait till the breach happens. Plan ahead and be paranoid!

Highly recommend reading "Only the Paranoid Survive" by Andy Grove:
https://www.amazon.com/Only-Paranoid-Survive-Exploit-Challenge/dp/0385483821
If you don't have "time" to read it, listen to the summary: https://youtu.be/jisR88yR9pk
Also, watch: 10 Things to be Paranoid About as an Entrepreneur: https://youtu.be/LqQomkp0P9Y

Principle of Least Privilege

"Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job."

The level of access granted to a person/user or program/script should be only that necessary for its legitimate purpose. The simple rule of thumb is: if the person/program only needs read access, don't give it write access. https://en.wikipedia.org/wiki/Principle_of_least_privilege
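As an added example (not code from the original README or from dwyl), the rule of thumb above expressed as a deny-by-default allow-list in Go. It contrasts a "grant everything" policy with one scoped to exactly what a report-reading job needs, and includes a small audit function that lists the actions a policy permits beyond those the job requires. The action names ("storage:GetObject" and so on), resource strings and policy names are constructed for this example and are not any real cloud provider's identifiers.

```go
package main

import (
	"fmt"
	"strings"
)

// Statement is one allow rule: these actions on these resources. An action or
// resource ending in "*" matches by prefix; "*" alone matches anything.
// The "storage:..." and "bucket:..." names are constructed for this example.
type Statement struct {
	Actions   []string
	Resources []string
}

// Policy is a pure allow-list: whatever is not listed is denied.
type Policy struct {
	Name       string
	Statements []Statement
}

func matches(pattern, value string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == value
}

// Allowed is deny-by-default: it returns true only when some statement
// names both the requested action and a matching resource.
func (p Policy) Allowed(action, resource string) bool {
	for _, s := range p.Statements {
		actionListed := false
		for _, a := range s.Actions {
			if matches(a, action) {
				actionListed = true
				break
			}
		}
		if !actionListed {
			continue
		}
		for _, r := range s.Resources {
			if matches(r, resource) {
				return true
			}
		}
	}
	return false
}

// excessGrants returns the actions in candidates that the policy permits on
// resource but that are not in needed: privilege the job holds for no reason.
func excessGrants(p Policy, needed, candidates []string, resource string) []string {
	required := map[string]bool{}
	for _, n := range needed {
		required[n] = true
	}
	var excess []string
	for _, c := range candidates {
		if !required[c] && p.Allowed(c, resource) {
			excess = append(excess, c)
		}
	}
	return excess
}

// The "just make it work" policy: every action on every resource.
var adminEverything = Policy{
	Name:       "admin-everything",
	Statements: []Statement{{Actions: []string{"*"}, Resources: []string{"*"}}},
}

// Least privilege for a job that only reads report files: read-type actions
// only, and only under the reports/ prefix of one bucket.
var reportReader = Policy{
	Name: "report-reader",
	Statements: []Statement{{
		Actions:   []string{"storage:GetObject", "storage:ListObjects"},
		Resources: []string{"bucket:reports/*"},
	}},
}

func main() {
	needed := []string{"storage:GetObject", "storage:ListObjects"}
	all := []string{"storage:GetObject", "storage:ListObjects", "storage:PutObject", "storage:DeleteObject"}
	obj := "bucket:reports/2024-01.csv"
	for _, p := range []Policy{adminEverything, reportReader} {
		fmt.Printf("%s: can delete=%v excess=%v\n", p.Name,
			p.Allowed("storage:DeleteObject", obj), excessGrants(p, needed, all, obj))
	}
}
```

The point of the audit helper is that "least privilege" is checkable: if `excessGrants` returns anything for the identity a script runs as, the grant is wider than the job.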

Never Share User Accounts/Passwords

If you have an account on a system (e.g: GitHub or AWS) maintain accountability for yourself and others by never sharing your account or password with others.

Note: this is not a question of "trusting" the people in your life/work! We trust drivers with our lives each time we get into a vehicle with them, but not all trust is the same.
Most non-technical people do not have good "security habits".
e.g: some people click on any (every) link sent to them by "Facebook". Most people cannot distinguish a "real" email from "Facebook" from a fake (phishing) email. These people are trivial to socially engineer. Despite our multiple attempts to "educate" these people, unless they have "felt the pain" of identity fraud, for example, they are unlikely to see the benefit of being careful online.

I know this might sound "dramatic" but if I can impress the seriousness of this upon you, in a memorable way I will do so:

... think about sharing your account/password like sharing a needle!

Note: this is why systems that charge per user-account per month are to be avoided,
because they perversely incentivize people to share accounts in order to avoid paying
for more "users", "seats" or "licenses". Salesforce/Atlassian/Microsoft we're looking at you!!

Use Encryption!

Encrypting data which does not need to be full-text searchable is generally a good idea.
Encrypting any/all personally identifiable data required by your application is essential.

If you are new to cryptography (encryption) see: https://github.com/dwyl/learn-cryptography
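As an added example (not code from the original README or from dwyl), a Go sketch of the two sentences above: a non-personal field stays in plaintext so it can be queried, while the PII field (an email address) is stored only as AES-256-GCM ciphertext. Because an encrypted field cannot be searched, the example also keeps an HMAC "blind index" of the email so a record can still be found by exact match. The Record type, the function names and the keys generated in main are constructed for the example; in a real application the keys come from a secrets manager, never from source code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is the row as it would be persisted (constructed for this example):
// the non-personal field is in clear and queryable, the PII field is stored
// only as ciphertext plus a keyed index for equality lookups.
type Record struct {
	ID         int
	Plan       string // not PII: fine to filter and search on
	EmailEnc   []byte // nonce || AES-256-GCM ciphertext of the email
	EmailIndex string // HMAC-SHA256 of the email: exact-match lookups only
}

// encryptField seals plaintext under AES-256-GCM with a fresh random nonce.
// The nonce is prepended so decryption needs nothing but the key.
func encryptField(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptField reverses encryptField. GCM authenticates the ciphertext, so
// any modification of the stored bytes makes Open return an error.
func decryptField(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// blindIndex is a deterministic keyed tag for a field that is otherwise only
// stored encrypted. It uses its own key (separate from the encryption key)
// and supports equality lookups only, not full-text search.
func blindIndex(indexKey []byte, value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

// storeUser builds the record that would be written to the database.
func storeUser(encKey, idxKey []byte, id int, plan, email string) (Record, error) {
	enc, err := encryptField(encKey, []byte(email))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, Plan: plan, EmailEnc: enc, EmailIndex: blindIndex(idxKey, email)}, nil
}

// findByEmail locates a record by exact email without decrypting anything.
func findByEmail(records []Record, idxKey []byte, email string) (Record, bool) {
	want := blindIndex(idxKey, email)
	for _, r := range records {
		if hmac.Equal([]byte(r.EmailIndex), []byte(want)) {
			return r, true
		}
	}
	return Record{}, false
}

func main() {
	// Constructed demo keys; real keys come from a secrets manager / KMS.
	encKey, idxKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(idxKey)

	rec, err := storeUser(encKey, idxKey, 1, "pro", "alice@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: plan=%s email_enc=%x... index=%s...\n", rec.Plan, rec.EmailEnc[:8], rec.EmailIndex[:16])
	if found, ok := findByEmail([]Record{rec}, idxKey, "alice@example.com"); ok {
		email, _ := decryptField(encKey, found.EmailEnc)
		fmt.Println("found and decrypted:", string(email))
	}
}
```

Two design points worth noting: the random nonce means the same email encrypts differently each time (so ciphertext alone cannot be compared), which is exactly why the separate blind index exists; and because GCM is authenticated, a tampered or truncated ciphertext is rejected rather than decrypted to garbage.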

OWASP Top 10

The Open Web Application Security Project (OWASP) is a great source of information
about the most common vulnerabilities in web applications/sites.
see: https://en.wikipedia.org/wiki/OWASP

Rather than repeat the OWASP "Top 10" here we encourage you to view the list and learn how each vulnerability on the list can be mitigated.

Cheat Sheet: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

Security Standards

ISO 27001?

If you are interested in the ISO 27001 Information Technology Security standard,
please see: https://github.com/dwyl/ISO-27001-2013-information-technology-security

GDPR

The General Data Protection Regulation (GDPR) is the new EU data protection framework that will take over from the UK Data Protection Act 1998 as of 25th May 2018, for any organisations operating in or offering goods/services to individuals in the EU.

[For the UK] The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

We have read through these and pulled out information relevant to the kind of work that we do at dwyl and focus mostly on changes from DPA, but please see the Recommended Reading section below for resources with further details which may pertain to you and are not included here.

Key Points

Fines for breaches and non-compliance are considerably heftier than under DPA and remember, both data controllers and data processors are now liable under GDPR.

Recommended Reading

Videos