Cybersecurity breaches are at an all-time high - the global Covid-19 pandemic and the fact that many businesses are now operating remotely make companies even more vulnerable to malicious attacks. Despite organizations strengthening their defenses against cyber threats, 95% of cybersecurity breaches are still caused by human error.
Because of this, we’ve decided to raise awareness among startups and share some security best practices. For this year’s Cybersecurity Month, we’ve partnered with BIT SENTINEL, a cybersecurity company that helps businesses manage their security, improve their defenses, and stay on top of all the security threats that run in the wild, to hold a webinar series meant to help you prepare and avoid becoming the victim of a cyberattack. In case you missed those webinars, here’s a summary of our discussion.
Common threats to SaaS
In the last few years, these are the most common ways we’ve seen attackers gain access to SaaS infrastructures:
1. Supply chain attacks: this is one of the most common ways to gain access to different infrastructures, experienced mostly by businesses that have both cloud infrastructure and on-premise assets and technologies. It happens because, no matter how well you protect your services, once you whitelist suppliers and customers they gain access to those services and, through them, to your internal network.
2. Insecure dependencies: another way attackers can gain access to your infrastructure is through the applications themselves, especially their packages and dependencies. Many attacks these days succeed because the technologies used to build the applications (whether new ones or old, obsolete ones) contain vulnerabilities.
3. Application-level vulnerabilities: it’s not that your application is weak from a security point of view; it’s more likely that your developers have never encountered such attacks, so they don’t know what to pay attention to when building the application. Frameworks can help you build secure enough apps up to a point, but you can’t rely on them alone to cover every issue.
4. Obsolete or forgotten services and software: one common example is a staging environment that uses a database mirrored from production. Often, staging environments don’t have the same level of protection or are not updated as often as production environments, so they become easy targets for attackers to identify vulnerabilities that they can then use to attack the production environment.
Ways to prevent attacks
At Bunnyshell, we help startups manage their infrastructure, so we also enforce some security best practices. Here are a few basic ways (but not all the ways!) you can secure your infrastructure:
For servers:
- use firewalls
- use private networks
- hide server IPs
- prevent IP access
- prevent intrusion from brute-force attacks
For web servers:
- prevent web server information leakage
- use a Web Application Firewall (WAF)
- implement rate limiting
- implement DDoS protection
For authentication and access:
- implement access management policies
- enforce secure authentication
For applications:
- isolate applications
- store credentials securely
- apply patches and updates regularly
- regularly scan for vulnerabilities
For databases:
- encrypt data and backups at rest and in transit
- obfuscate data for staging environments
- monitor database activity
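The staging scenario from threat #4 and the "obfuscate data for staging environments" item above are the kind of thing that is easy to agree with and easy to skip. As an added example (not code from Bunnyshell or BIT SENTINEL), the script below takes constructed rows as they might be mirrored from a production database and produces a pseudonymized copy for staging: a keyed HMAC keeps equal values equal (so joins and duplicate detection still work in staging) while the key, kept out of staging, is what prevents linking tokens back to real people. The column names and sample data are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample rows, standing in for a production mirror (hypothetical data).
PRODUCTION_ROWS = [
    {"id": 1, "email": "alice@example.com", "name": "Alice Smith", "phone": "+1-555-0100", "plan": "pro"},
    {"id": 2, "email": "bob@example.com",   "name": "Bob Jones",   "phone": "+1-555-0101", "plan": "free"},
    {"id": 3, "email": "alice@example.com", "name": "Alice Smith", "phone": "+1-555-0100", "plan": "pro"},
]

# Columns holding personal data that must never reach staging in the clear.
SENSITIVE_COLUMNS = {"email", "name", "phone"}


def pseudonymize(value: str, key: bytes, length: int = 12) -> str:
    """Keyed, deterministic token: same input -> same token within one run,
    but without the key the token cannot be reversed or tied to production."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def mask_row(row: dict, key: bytes) -> dict:
    masked = dict(row)
    for col in row.keys() & SENSITIVE_COLUMNS:
        token = pseudonymize(str(row[col]), key)
        # Keep emails syntactically valid so staging code paths still exercise them;
        # the .invalid TLD guarantees nothing is ever deliverable.
        masked[col] = f"user_{token}@staging.invalid" if col == "email" else f"{col}_{token}"
    return masked


def mask_dump(rows, key: bytes):
    return [mask_row(r, key) for r in rows]


def leaks_sensitive_data(rows, originals) -> bool:
    """Gate to run before a dump is loaded into staging: does any original
    sensitive value still appear anywhere in the rows about to be shipped?"""
    original_values = {str(r[c]) for r in originals for c in r.keys() & SENSITIVE_COLUMNS}
    return any(str(v) in original_values for r in rows for v in r.values())


if __name__ == "__main__":
    # A fresh key per export; it is discarded afterwards and never copied to staging.
    key = os.urandom(32)
    staging_rows = mask_dump(PRODUCTION_ROWS, key)
    assert not leaks_sensitive_data(staging_rows, PRODUCTION_ROWS)
    for r in staging_rows:
        print(r)
```

Rows 1 and 3 still share the same masked email, which is what lets staging reproduce production-shaped data (duplicates, foreign keys) without the real values.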
Examples of data breaches
The biggest recent data breach was the SolarWinds supply-chain attack, which highlighted the significant role weak and exposed passwords can play in enterprise security. It’s a well-known fact that users tend to use simple passwords and reuse them across several accounts, despite expert recommendations.
Due to the nature of this attack, no single security solution could have prevented it. However, building solutions for early detection and remediation of exposed credentials could help prevent similar attacks from happening in the future.
For more examples of data breach attacks, as well as some defense tips to prevent them, check out the first part of our Cybersecurity for Your Startup Webinar Series: https://www.youtube.com/watch?v=mymuH-AJVSU.
Cybersecurity myths busted
During the second part of our Cybersecurity for Your Startup Webinar Series, we tackled the most common myths around cybersecurity and shared some tips and tricks startups and small companies can use to ensure healthy cybersecurity hygiene for their business.
Myth #1: I am too small to be targeted by cyberattacks
Hackers don’t look at the size of the company they attack - they will try to breach any business connected to the internet. So even if you only have a presentation website or use a CRM to interact with your customers, attackers will try to bypass all the security measures you have in place and try to gain access to your internal network and database.
Myth #2: I never had a cybersecurity incident, so I don’t need protection
Well, are you sure about that? Do you use tools that can help you identify whether your systems have been breached? Or do you work with a cybersecurity company that regularly monitors your company’s logs and activity and can identify whether a breach has occurred in the past? Besides antivirus software and sometimes a VPN connection, most companies don’t use any other tools. So it’s hard to affirm with 100% confidence that your company has never been attacked before.
Not all attacks produce damage that’s immediately visible; the most sophisticated ones start as breaches that go undetected for months or even years, enough time for hackers to gather large amounts of data that they can then use to exploit vulnerabilities in both your company and your customers.
Myth #3: I keep my infrastructure in the cloud, so my cloud provider handles security
Usually, the cloud provider is just one layer of service in your organization - you build your tools, services, and custom applications on top of that infrastructure. But these apps are not and will never be the responsibility of your cloud provider; you are solely responsible for everything you build on top of that infrastructure. Of course, the provider can give you logs to help you keep an eye on your internal activity, but if no one on your team is in charge of actually analyzing those logs, breaches will go undetected.
We busted more security myths during our webinar, so make sure to check it out: https://www.youtube.com/watch?v=wMHSNrbB1pU.
We hope this series has helped you become more aware of the cybersecurity threats that are lurking on the internet. Make sure to share this webinar series with your team and if there are any other scenarios you would like us to discuss during future events, don’t hesitate to reach out to us. Stay safe!