Top 5 Cyber Security Self-Defense Tips for Businesses with Custom Applications

Working in cybersecurity tends to create a “worst-case-scenario” mindset. Which means I’m really fun at parties. After people find out what I do for a living, a typical reaction would be to discuss some recent security breach in the news, followed by a question about how (or why) this keeps happening. This question is often followed by a question of how to respond to ransomware, but that is a topic for another blog post.

When a security incident occurs, it is fashionable, both legally and practically, to consider the company that was hacked as the “victim”. No one likes to look too closely at the victim’s choices before the attack because no one really wants to blame the victim for the crime. The FBI and other Federal and State law enforcement agencies have the same policy. This is a good practice. However, in cybersecurity the hard truth is that the only entity in a position to prevent a security breach is the potential victim. A perception shift could be helpful. We must not imagine ourselves as living in a safe neighborhood, protected by layers of society-provided security, but instead as independent ships upon the high seas. As an entity in open waters, we are responsible for our own immediate security against pirates. Shifting our mindset can be a challenge, and the question becomes: what are the practical measures of self-defense that a private organization needs to protect itself from becoming the victim of a cybersecurity incident?

Here are our top five that apply to any company, regardless of size, that has custom software exposed to the Internet.

Rietta’s Top 5 Self-Defense Tips

5. Robust logging sufficient to detect/investigate incidents

Among the OWASP Top 10 is insufficient logging and monitoring. This means you need to think about what information your application sends to its logger. The default information sent by your programming framework is not enough; you need to add logging even if it makes the code uglier. You need specific, custom log messages coded based on your application’s domain, not just general programming stuff.

When your application makes authentication decisions:

if login_successful?
  logger.info("User #{current_user} authentication success.")
  # ...actions for successful login user experience
else
  logger.info("User #{current_user} authentication failed.")
  # ... actions for invalid login user experience
end

And when your controllers make authorization decisions:

def show
  if !can_view?(@page)
    logger.info("[Security] Permission denied for page #{@page}, request by user #{current_user}.")
    raise UnauthorizedException
  end
  # ...return content for the authorized user
end

What you log and how long you keep those log entries should be determined by your threat modeling and business risk. Three (3) days is probably too short a time to keep security-related logs, and forever is too long. Adopt a retention policy and then stick with it. Make sure your cloud-provider log groups are configured to match your chosen policy.

By keeping the right amount of log detail, you can investigate problems with your application and also tell what happened when the proverbial cyber bump in the night occurs.

4. Systematic error handling

Your application should be programmed to raise and handle errors correctly. Don’t swallow exceptions and plow ahead. Low-level exceptions from your application and its dependencies may in fact be signs of more than just a bug: they may come from security scanners or, worse, an attacker poking at your system. Don’t ignore low-level SQL exceptions, because it may be that a bad SQLi attempt failed with an error but another one succeeded and returned data to the adversary.
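
The contrast described above, as an added example that is not code from the original post: a swallowing lookup beside one that logs the low-level SQL error with the same [Security] tag used earlier, counts errors per source, and fails the request. FakeDb, both error classes, PageLookup, the threshold of 3 and the sample inputs are constructed for illustration.

```ruby
require "logger"

class DriverSyntaxError < StandardError; end # constructed low-level SQL error
class LookupFailed < StandardError; end      # generic error callers see

# Constructed data layer: errors on a stray quote, as legacy query code might.
class FakeDb
  def find_page(slug)
    raise DriverSyntaxError, "syntax error at or near \"'\"" if slug.include?("'")
    { "slug" => slug }
  end
end

# Anti-pattern: swallow the exception and plow ahead.
def find_page_swallowing(db, slug)
  db.find_page(slug)
rescue StandardError
  nil # looks like "not found"; the failed query leaves no trace
end

# Handled: log who caused the error, count per source, fail the request.
class PageLookup
  THRESHOLD = 3 # assumed number of SQL errors from one source before escalating

  def initialize(db, logger)
    @db = db
    @logger = logger
    @errors = Hash.new(0)
  end

  def find(slug, user:, ip:)
    @db.find_page(slug)
  rescue DriverSyntaxError => e
    @errors[ip] += 1
    @logger.warn("[Security] SQL error user=#{user} ip=#{ip} input=#{slug.inspect} #{e.class}: #{e.message}")
    if @errors[ip] >= THRESHOLD
      @logger.error("[Security] #{@errors[ip]} SQL errors from #{ip}; review its successful requests too.")
    end
    raise LookupFailed, "page lookup failed"
  end

  # Sources whose other requests, including successful ones, need review.
  def flagged_sources
    @errors.select { |_ip, count| count >= THRESHOLD }.keys
  end
end

demo = PageLookup.new(FakeDb.new, Logger.new($stdout))
%w[about a' b' c'].each { |s| demo.find(s, user: "guest", ip: "203.0.113.7") rescue nil }
```

The escalation line is the part that matters for the scenario above: once a source has produced several SQL errors, its requests that did not error are the ones to go back and examine.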

3. Immature application development processes hindering rapid deployments

A significant number of companies are incapable of patching their production software in the time frames necessary to not be compromised via a published CVE against dependencies in their software supply chain. You need to update and patch quickly. This is easier if you have significant automated test coverage that can prove that the application that worked yesterday continues to work today.

When there is a software supply chain vulnerability, you are in a race against a botnet to get your system patched. There is no time for days and weeks to go by without getting the fix into production. At Rietta, we believe that in the future computers will need to automatically patch and deploy to production without human intervention as soon as the automated tests pass.

Steps to remediate

  1. Systematically add automated testing, both writing automated tests for new code and systematically increasing test coverage for legacy code.
  2. Ensure that the test suite is in a state of good repair and that all tests passing means it’s working. Do not fall into the trap of having a bunch of “those always fail” tests.
  3. Systematically monitor your dependencies for security updates and update those in your code base ASAP.
  4. Be in the habit of merging and deploying as soon as the automated tests pass. If that scares you then you need to be systematically improving the automated tests until you can do so with confidence.

2. Robust customer service action monitoring

85% of data breaches according to the 2021 Verizon Data Breach Investigations Report involved a human element! Spend a good bit of time thinking about how your customer service agent powers can be abused either maliciously or by an adversary who obtains your staff credentials. Put protections in place
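
One way to monitor staff actions, as an added example that is not from the original post: the application writes one audit line per customer service action, and a check flags any agent who touches an unusual number of distinct customers in a short window, which covers both a malicious agent and stolen staff credentials. The log format, agent names, the 10-minute window and the limit of 3 are all assumptions, and the sample lines are constructed.

```ruby
require "time"

# Constructed audit lines in an assumed format: one line per staff action.
SAMPLE_AUDIT = <<~LOG
  2021-06-01T09:00:05Z [Audit] agent=amy action=view_customer customer=101
  2021-06-01T09:20:41Z [Audit] agent=amy action=reset_password customer=101
  2021-06-01T11:02:10Z [Audit] agent=amy action=view_customer customer=230
  2021-06-01T02:13:00Z [Audit] agent=bob action=view_customer customer=300
  2021-06-01T02:13:40Z [Audit] agent=bob action=export_profile customer=301
  2021-06-01T02:14:15Z [Audit] agent=bob action=export_profile customer=302
  2021-06-01T02:15:02Z [Audit] agent=bob action=export_profile customer=303
  2021-06-01T02:16:30Z [Audit] agent=bob action=export_profile customer=304
LOG

AUDIT_LINE = /\A(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) \[Audit\] agent=(\S+) action=(\S+) customer=(\d+)\z/

# Parse audit lines into events; lines that do not match are skipped.
def parse_audit(text)
  text.each_line.filter_map do |line|
    m = AUDIT_LINE.match(line.strip)
    { at: Time.iso8601(m[1]), agent: m[2], action: m[3], customer: m[4] } if m
  end
end

# Returns { agent => most distinct customers touched inside any window },
# only for agents who exceeded `limit`. `window` is in seconds.
def bulk_access_alerts(events, window: 600, limit: 3)
  alerts = {}
  events.group_by { |e| e[:agent] }.each do |agent, evs|
    evs = evs.sort_by { |e| e[:at] }
    start = 0
    evs.each_with_index do |e, i|
      # Slide the window start forward until it is within `window` of this event.
      start += 1 while e[:at] - evs[start][:at] > window
      distinct = evs[start..i].map { |x| x[:customer] }.uniq.size
      alerts[agent] = [alerts.fetch(agent, 0), distinct].max if distinct > limit
    end
  end
  alerts
end

puts bulk_access_alerts(parse_audit(SAMPLE_AUDIT)).inspect
```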

1. Backups, Backups, Backups

Most ransomware attacks are not all that sophisticated. Software gets executed as a user with permissions to overwrite files. When those files cannot be restored from backup, the victim is stuck paying the ransom or losing all the data. Implement a 3-2-1 backup strategy, as explained by CrashPlan in “SMB Data Loss Threats & How the 3-2-1 Backup Method Can Help” and BackBlaze in “The 3-2-1 Backup Strategy”.

For a home user, it is incredibly important to have a reliable cloud-based backup. For small businesses, I think CrashPlan’s offering is worth it and BackBlaze is ideal for individuals and families. Both let you specify your own strong password to encrypt the data such that they cannot see your data. If you do this, write that password down, seal it in an envelope, and put it in a safe place like a safe deposit box. Because if you have to restore and don’t have the password, then the data is gone.

For your cloud-based servers and resources, ensure that backups are enabled when available.

Practice restoring your data periodically, at least annually.

You can do better when you are prepared

As with any endeavor in life, the tips here are not extremely complicated, but following them is hard. After a certain size, it makes sense to engage security companies with 24/7 monitoring and response capabilities. But even if your company is still a developer and a business co-founder, you need to put our tips in place.

The goal is not to minimize how difficult it is to keep up with security and implement secure practices. But just like one cannot run a marathon without first being physically prepared, a business cannot be in business today without being prepared for self-defense from cyber threats.

And you have to be prepared. Law enforcement and national resources are not there to protect you. They may be able to obtain a deportation and conviction of the bad guy years from now. But you are responsible for the here and now.

The Internet coast guard is not coming to your aid. You are your own first responder on the high seas that are the Internet upon which your organization sails.