TL;DR: Make someone responsible for security, understand and secure your users & technology, use standard processes and review everything frequently
This is a simple guide for small and medium-sized organisations with limited IT and cybersecurity expertise looking to set up an initial security strategy.
This guide assumes you are:
- A fully or mostly remote team
- Working with anonymous team members and/or contributors
- Using GitHub/GitLab for software development
Make it someone's job (full or part time) to look after security for the organisation, or hire a third-party consultant/advisor to help with this.
Know what you need to protect. Keep an inventory of:
- Team Members & Contributors: Maintain records for everyone with access, including names/usernames, contact details, roles, and access levels
- End-User Devices: Include all laptops, portable and mobile devices, recording hardware (MAC) addresses, machine names, and owners
- Network Devices & IoT: Document routers, switches, access points and other non-computing devices, noting each one's role in the infrastructure
- Servers: Catalogue all servers, physical and virtual, including each machine's function, operating system, and security configuration
- Licensed and Cloud Services: List all software and cloud services used (e.g., Google, AWS, Slack), with who the admins are and the contact points for support or emergencies
Secure your users and technology:
- Accounts: Enforce MFA and secure settings for all accounts, including personal and professional platforms such as Twitter, Gmail, Discord and Telegram; prefer app-based or hardware-key MFA over SMS where the platform allows it. Enforce the use of password managers and hardware crypto wallets
- End-User Devices: Ensure all devices have anti-malware, a firewall, full-disk encryption, login authentication, automatic screen lock, and OS hardening. Use secure DNS, disable unused ports and services (e.g., SSH where it is not needed), adopt a Zero Trust network architecture, use VPNs, enforce unique and complex passwords, enable automatic patching, and keep detailed logs
- Servers & Cloud Services: Implement SSO and MFA across all platforms, use hardware security keys for critical services, deactivate default accounts, enforce unique and complex passwords, set up automatic patching, and keep comprehensive logs
- Domains, DNS & Email: Secure registrar and DNS configurations, DDoS protection (e.g., Cloudflare), MFA on registrar and DNS accounts, SPF/DKIM/DMARC on your mail domains, and monitoring of DNS changes
- Software Development: Enforce MFA, secret scanning (e.g., GitHub secret scanning, TruffleHog, GitGuardian), branch protection (PR approvals, signed commits, no force pushes), static code analysis (e.g., CodeQL, SonarCloud), dependency updates (e.g., Dependabot, Snyk), a CI/CD pipeline (e.g., GitHub Actions), and separate environments (e.g., dev, staging, prod)
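The domain/email and software-development items above come down to a handful of settings that are easy to get wrong and rarely re-checked. The script below is an added example, not part of this guide, that audits both against a baseline: the SPF, DMARC and DKIM TXT records of a mail domain, and a GitHub branch-protection object in the shape returned by the REST API (`GET /repos/{owner}/{repo}/branches/{branch}/protection`). The domain `example.org`, the DKIM selector `google` and every record and JSON value are constructed samples; in practice you would feed it the output of `dig +short TXT <name>` and `gh api repos/OWNER/REPO/branches/main/protection`.

```python
"""Added example (not from the guide): offline baseline checks for mail-domain
DNS records and GitHub branch protection. All inputs below are constructed
samples; feed real `dig TXT` / `gh api .../branches/main/protection` output."""
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
_SPF_LOOKUP = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")


def _spf_findings(domain, records):
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        return [f"{domain}: no SPF record"]
    out = []
    if len(spf) > 1:  # receivers treat multiple SPF records as a permanent error
        out.append(f"{domain}: {len(spf)} SPF records, receivers return permerror")
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        out.append(f"{domain}: SPF has no 'all' term, unlisted senders are not failed")
    elif all_term.lower() in ("all", "+all"):
        out.append(f"{domain}: SPF ends in +all, anyone may send as this domain")
    elif all_term == "?all":
        out.append(f"{domain}: SPF ends in ?all (neutral), effectively no policy")
    lookups = sum(1 for t in terms if _SPF_LOOKUP.match(t.lower()))
    if lookups > 10:  # only counts this record; nested includes add to the total
        out.append(f"{domain}: {lookups} lookup terms exceed the limit of 10")
    return out


def _dmarc_findings(domain, records):
    name = f"_dmarc.{domain}"
    rec = [r for r in records.get(name, []) if r.lower().startswith("v=dmarc1")]
    if not rec:
        return [f"{name}: no DMARC record"]
    tags = {}
    for part in rec[0].split(";"):  # DMARC is a tag=value list separated by ';'
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    out = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        out.append(f"{name}: p={policy or 'missing'}, spoofed mail is neither quarantined nor rejected")
    if int(tags.get("pct") or 100) < 100:
        out.append(f"{name}: pct={tags['pct']}, policy applies to only part of the traffic")
    if not tags.get("rua"):
        out.append(f"{name}: no rua= address, you receive no aggregate reports")
    return out


def _dkim_findings(domain, records, selectors):
    out = []
    for sel in selectors:  # selectors are provider-specific, so the caller supplies them
        name = f"{sel}._domainkey.{domain}"
        rec = [r for r in records.get(name, []) if "p=" in r.lower()]
        if not rec:
            out.append(f"{name}: no DKIM key published for selector '{sel}'")
        elif re.search(r"(^|;)\s*p=\s*(;|$)", rec[0]):  # empty p= means revoked key
            out.append(f"{name}: empty p= tag, the DKIM key has been revoked")
    return out


def audit_email_records(domain, records, dkim_selectors=()):
    """records maps DNS name -> list of TXT strings. Returns findings (empty = baseline met)."""
    return (_spf_findings(domain, records) + _dmarc_findings(domain, records)
            + _dkim_findings(domain, records, dkim_selectors))


def audit_branch_protection(branch, protection, min_reviews=1):
    """protection follows GitHub's GET .../branches/{branch}/protection response shape."""
    out = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        out.append(f"{branch}: pull request reviews not required")
    else:
        n = reviews.get("required_approving_review_count", 0)
        if n < min_reviews:
            out.append(f"{branch}: {n} approving reviews required, baseline is {min_reviews}")
        if not reviews.get("dismiss_stale_reviews"):
            out.append(f"{branch}: approvals survive new commits (dismiss_stale_reviews off)")
    if not protection.get("required_signatures", {}).get("enabled"):
        out.append(f"{branch}: signed commits not required")
    if not protection.get("enforce_admins", {}).get("enabled"):
        out.append(f"{branch}: administrators can bypass these rules")
    if protection.get("allow_force_pushes", {}).get("enabled"):
        out.append(f"{branch}: force pushes allowed, history can be rewritten")
    if protection.get("allow_deletions", {}).get("enabled"):
        out.append(f"{branch}: branch can be deleted")
    if not (protection.get("required_status_checks") or {}).get("contexts"):
        out.append(f"{branch}: no required status checks, CI/CodeQL does not gate merges")
    return out


# Constructed samples: a weak and a baseline-compliant configuration of each.
WEAK_DNS = {
    "example.org": ["v=spf1 include:_spf.google.com include:sendgrid.net +all"],
    "_dmarc.example.org": ["v=DMARC1; p=none; pct=50"],
}
STRONG_DNS = {
    "example.org": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"],
    "google._domainkey.example.org": ["v=DKIM1; k=rsa; p=AbCdEf0123"],  # placeholder key
}
WEAK_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 0, "dismiss_stale_reviews": False},
    "required_signatures": {"enabled": False}, "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True}, "allow_deletions": {"enabled": False},
}
STRONG_PROTECTION = {
    "required_status_checks": {"strict": True, "contexts": ["CodeQL", "build"]},
    "required_pull_request_reviews": {"required_approving_review_count": 2, "dismiss_stale_reviews": True},
    "required_signatures": {"enabled": True}, "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False}, "allow_deletions": {"enabled": False},
}

if __name__ == "__main__":
    for finding in (audit_email_records("example.org", WEAK_DNS, ("google",))
                    + audit_branch_protection("main", WEAK_PROTECTION)):
        print("FINDING:", finding)
```

Run it as part of the monthly review: an empty list from both functions means the domain and the default branch still match the baseline, and any finding names the exact setting to fix. The SPF lookup count covers only the record itself, so a domain with many nested includes should be checked with a resolving SPF tool as well.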
Use standard processes:
- User On-boarding/Off-boarding: Standardise onboarding tasks and perform background and reference checks. Ensure prompt deactivation of all accounts and access upon departure or extended leave
- Patches, Upgrades and Deployments: Define and enforce processes and checklists for each activity to avoid mistakes. Rollback plans are just as important!
- Incident Response Process: Establish clear protocols with contact points (e.g., https://securityalliance.org/), immediate actions, and post-mortem analysis procedures
Review everything frequently:
- Monthly/Quarterly Reviews: Update all inventories regularly and review access controls, removing any access that is no longer appropriate or necessary
- Security Assessments: Weekly vulnerability scans, plus annual or situational penetration tests and security audits of your products (e.g., after a major upgrade or a security incident)
- Backups: Keep secure, regularly updated backups for all assets and software, and test that they restore
- Monitoring: Review security alerts regularly and act on them promptly
- Security Awareness: Run security awareness training and phishing simulations for all team members