[OWASP-Bangalore] Security Checklist

Sandeep Garg rcg001 at gmail.com
Thu Sep 26 05:20:25 UTC 2013

Hi Maanav,


Yes, that’s right. I meant Windows AD.





From: Maanav [mailto:maanav.saavadhaan at gmail.com] 
Sent: Saturday, September 21, 2013 5:15 PM
To: 'Sandeep Garg'; 'OWASP Bangalore Mailing List'
Subject: RE: [OWASP-Bangalore] Security Checklist


Dear Sandeep


By domain server, do you mean Windows AD?





From: Sandeep Garg [mailto:rcg001 at gmail.com] 
Sent: Wednesday, September 18, 2013 7:38 PM
To: 'Maanav'; 'OWASP Bangalore Mailing List'
Subject: RE: [OWASP-Bangalore] Security Checklist


Hi Maanav,


Thanks for taking out time to write this detailed checklist. Please recommend some products which can help with below tasks. Something which can provide centralized security control without the need of a Domain server will be preferred.





From: Maanav [mailto:maanav.saavadhaan at gmail.com] 
Sent: Wednesday, September 18, 2013 11:05 AM
To: 'OWASP Bangalore Mailing List'; rcg001 at gmail.com
Subject: RE: [OWASP-Bangalore] Security Checklist


Dear friends, Akash, and Mr. Garg


Just thinking aloud:-


1. To start with, identify who will do what (roles and responsibilities) – this is the most important step, I cannot underscore it more;

2. Establish a document management system (you can find many open source tools for this);

   a. Put all your documentation on this system & establish a practice to use ONLY this system even after you scale (do not use shared folders, etc.);

   b. Set up logging on this system (so that you will know who downloaded / made changes to the document, etc.);

   c. Provide role & need based access to data through this system (refer to the first point above);

3. Implement a good combo of anti-virus, DLP, encryption, etc. A paid one will be better because they offer integrated solutions and have lower opex; also they can take care of many items in point #6 through their host based clients;

   a. Implement DLP (although there are open source tools available, I would suggest you implement them after testing and comparing them to their paid counterparts) on ALL machines (even on servers, NO exceptions);

   b. Assign someone to read the logs from the DLP tool and to act on them – THIS IS THE MOST IMPORTANT STEP;

4. Get your own email server;

5. Get everyone to sign an NDA with specific clauses related to data theft & leak; prepare a presentation and ensure that every employee / contractor has seen / understood it;

6. Establish baseline security practices:-

   a. No admin rights

   b. No USB

   c. No external mail usage (e.g., gmail / yahoo mail, etc.);

   d. No third party external storage sites (e.g., google drive, drop box, box, etc.); you can control it through web filtering. Many bundled solutions also have them on their clients, which means no matter which network they are part of, they cannot access some sites.


However, another caveat that one needs to be aware of is this threat scenario – if I am an employee / contractor of your company and have a laptop provided by you (with all bells and whistles), would it stop me from connecting to my home network (with one or two PCs), and offloading some official data ONTO one of the shared folders on that network? Does it ring an alarm? The DLP system needs to be tested along these scenarios as well.


Some providers integrate all systems (i.e., anti-virus, DLP, web control, etc.) and offer them as a solution. IMHO, that should be considered (after rigorous risk assessment, though).


However, it is all process and it should be started along with the startup so that it becomes the DNA of it, rather than a patch (which means no exception for anyone in the start-up).
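An added example, not part of the thread: a read-only PowerShell audit of a Windows endpoint against two of the baseline items in point 6 above (no admin rights, no USB storage). It assumes PowerShell 5.1 or later with the built-in LocalAccounts module, and treats a USBSTOR service start type of 4 as "USB mass storage disabled"; the check names and output format are this example's own.

```powershell
# Added example (not from the thread): audit, do not change, two baseline items.
# Run on the endpoint being checked; every test is read-only.

function Test-UserIsLocalAdmin {
    # Direct membership of the built-in Administrators group for the current user.
    # Nested domain group membership is not resolved here (assumption: workgroup
    # or simple setup, as the original question asked for a non-domain approach).
    $me = "$env:USERDOMAIN\$env:USERNAME"
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -ieq $me })
}

function Test-UsbStorageDisabled {
    # USBSTOR driver start type: 3 = manual (default; USB drives mount),
    # 4 = disabled. A missing key is reported as "not disabled".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    try {
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
        return ($start -eq 4)
    } catch {
        return $false
    }
}

function Get-BaselineReport {
    # One row per checklist item; $true means the endpoint passes that item.
    [ordered]@{
        '6a No admin rights' = -not (Test-UserIsLocalAdmin)
        '6b No USB storage'  = Test-UsbStorageDisabled
    }
}

foreach ($item in (Get-BaselineReport).GetEnumerator()) {
    $status = if ($item.Value) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0,-20} {1}' -f $item.Key, $status)
}
```

Run it as the ordinary (non-admin) user whose rights you want to verify; the USBSTOR key is world-readable, so no elevation is needed for either check.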






From: owasp-bangalore-bounces at lists.owasp.org [mailto:owasp-bangalore-bounces at lists.owasp.org] On Behalf Of Akash
Sent: Tuesday, September 17, 2013 10:23 AM
To: owasp-bangalore at lists.owasp.org
Subject: [OWASP-Bangalore] Security Checklist



Posting this on behalf of Sandeep Garg (rcg001 at gmail.com)

Looking for expert advice on steps which can be taken by startups to prevent
the sensitive data theft by employees/contractors. I am looking for
something which is simple & affordable like:

- Do not give Admin rights on Laptops.

- Disable all USB ports and DVD drives and put strong BIOS password.

If someone can help with a checklist like above, it will be quite useful for
many startups which can't afford costly solutions initially. Use of open
source SW is fine.

Also, is there an alternative to Windows Domain Server to control policies &
permissions centrally?



Warm regards,
Akash Mahajan

That Web Application Security Guy | +91 99 805 271 82
akashm.com | @makash on twitter | linkd.in/webappsecguy
OWASP Bangalore Chapter Lead | null Community Manager
