
What are the minimum security precautions to put in place for a startup?

I'm working with a start-up, mostly doing system administration, and I've come across some security issues that I'm not really comfortable with. I want to judge whether my expectations are accurate, so I'm looking for some insight into what others have done in this situation, and what risks/problems came up. In particular, how critical are measures like placing admin tools behind a VPN, regular security updates (OS and tools), etc.?

Keep in mind that as this is a start-up, the main goal is to get as many features as possible out the door quickly, so I'll need as much justification as I can get to get the resources for security (i.e. downtime for upgrades, dev time for application security fixes).

Background Info:

  • Application is LAMP as well as a custom Java client-server.
  • Over the next 3 months, I project about 10k anonymous visitors to the site and up to 1000 authenticated users.
  • Younger audience (16-25) which is guaranteed to have an above average number of black-hats included.

Thanks in advance for your responses, and I'll welcome any related advice.

Also, don't forget you need to have your server secured from current (that is, soon-to-be-past) employees. Several startups were totally wiped due to employee sabotage, e.g. http://www.geek.com/articles/news/disgruntled-employee-kills-journalspace-with-data-wipe-2009015/

Reputation is everything here, especially for a startup. As a startup, you don't have a long history of reliability/security/... - so all depends on users to give you the 'benefit of the doubt' when they start using your app.

If your server gets hacked and your users notice that, your reputation is gone. Once it's gone, it doesn't matter whether your app and your features are the 'next new thing' or not. It doesn't matter whether the security breach was minor or not - people won't trust your app/company anymore.

So, I would consider security to be the top priority.

If security isn't thought of and built into the application and its infrastructure from day one, it will be much more difficult to retrofit it in later. Now is the time to build the processes for regular OS/tool patching, upgrades, etc.

  • What kind of data will users be creating/storing on the site?
  • What effect will a breach have on your users?
  • What effect will a breach have on your company?
  • Will you be able to regain the users' trust after a breach?

Since your company is dependent on keeping existing users and attracting new ones, you should present your concerns along the lines of how the users would react to a breach. The higher-ups will understand that the users are your bread and butter.

I agree with Stefan about reputation. You don't want to get hacked because you were lacking on security. Not only will that hurt your site and company, it will look bad on you since you're in charge of that.

My personal opinion is to do as much as you can, because no matter how much you do there will be vulnerabilities.

Unfortunately security, like testing and documentation, is often an afterthought. You should really make sure to do risk assessments early in your site/software's life and to keep on doing assessments. I think it is important to patch all software for security holes.

These will probably be obvious:

  • Limit password attempts.
  • Sanitize your database inputs.
  • Measures to prevent XSS attacks.

It's also worth mentioning that, as you said, the network architecture should be set up appropriately. You should definitely have a decent firewall that's locked down as much as possible. Some people recommend putting your systems between dual firewalls of different makes so that in the event one of them has a critical vulnerability, the second will most likely not have the same vulnerability and you'll be safe. It all depends on what you can afford since it's a startup.
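The three "obvious" measures in the answer above, worked through as an added example that is not from the thread. It is written in Python rather than the PHP of the asker's LAMP stack so that the logic is easy to read and run; the function names, the in-memory SQLite table standing in for the MySQL users table and the sample credentials are all constructed for the example.

```python
import hashlib
import hmac
import html
import os
import sqlite3
import time
from collections import deque


# --- Password storage: salted PBKDF2, stored as "salt_hex$digest_hex" ---------
def hash_password(password: str, salt: bytes = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), 200_000)
    # constant-time comparison so the check itself leaks nothing about the digest
    return hmac.compare_digest(candidate.hex(), digest_hex)


# --- 1. Limit password attempts: sliding window of failures per account -------
class LoginLimiter:
    def __init__(self, max_attempts: int = 5, window: float = 300.0):
        self.max_attempts = max_attempts
        self.window = window          # seconds
        self._failures = {}           # username -> deque of failure timestamps

    def _recent(self, username: str, now: float) -> deque:
        q = self._failures.setdefault(username, deque())
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        return q

    def is_locked(self, username: str, now: float) -> bool:
        return len(self._recent(username, now)) >= self.max_attempts

    def record_failure(self, username: str, now: float) -> None:
        self._recent(username, now).append(now)

    def reset(self, username: str) -> None:
        self._failures.pop(username, None)


# --- 2. Sanitize database inputs: bind values, never splice them into SQL -----
def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the LAMP users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hash_password("correct horse")))
    conn.commit()
    return conn


def find_user(conn: sqlite3.Connection, username: str):
    # `username` travels as a bound parameter, so quotes or SQL keywords inside
    # it are compared literally against the column and never parsed as SQL.
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?",
        (username,)).fetchone()


def login(conn, limiter: LoginLimiter, username: str, password: str, now=None) -> str:
    now = time.time() if now is None else now
    if limiter.is_locked(username, now):
        return "locked"               # refuse before touching the database
    row = find_user(conn, username)
    if row is None or not verify_password(password, row[1]):
        limiter.record_failure(username, now)
        return "denied"               # same answer for unknown user and bad password
    limiter.reset(username)
    return "ok"


# --- 3. Prevent XSS: escape user-controlled text where it enters HTML ---------
def render_comment(author: str, body: str) -> str:
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


if __name__ == "__main__":
    db, lim = make_db(), LoginLimiter(max_attempts=3, window=60)
    for pw in ("wrong", "wrong", "wrong", "correct horse"):
        print(login(db, lim, "alice", pw, now=1000))   # denied, denied, denied, locked
    print(find_user(db, "alice' OR '1'='1"))           # None
    print(render_comment("bob", "<script>alert(1)</script>"))
```

Two design points a reviewer would raise on this as-is: a limiter keyed only on the account lets anyone lock a user out by guessing wrong on purpose, so in production key it on account and source address together and prefer growing delays over hard lockouts; and `html.escape` is only right for text nodes and attribute values, so anything that lands in a URL, a script block or a CSS context needs that context's own encoding.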

If you're explicitly trying to attract the sort of users who are inclined to try to crack systems, then you can pretty well bet that your system will come under attack.

You should suggest to the management that if they're not going to take security seriously, then you should just go ahead and post the company's bank statements and accounting books (in clear text) on the site, with a prominent link from the home page. At least that way, you can tell them, the end result will be about the same, but they're less likely to damage everything else to get what they're looking for.

I'd think that the reputation issue might have a slightly different cast with this audience, too -- they may forgive you for being hacked, but they probably won't forgive you for being an easy target.

My best suggestion is monitoring.

There is no perfect security; it is all about accepting risks and preventing them when necessary. However, if you have no monitoring in place you will have no way to know if something (an attack) has succeeded and how it happened.

So, keep your system updated and install a few lightweight tools to monitor it properly. If you have custom applications, add logging in there. Log on error-generated errors (bad input), failed passwords, or any user-generated error.

As for lightweight tools to monitor, there are quite a few free/open source:

  • OSSEC (to look for anomalies, changes and logs)
  • modsecurity (web-based monitoring)
  • Sucuri (whois/dns/blacklisting monitoring)
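The logging advice above only pays off if something reads the log. As an added example that is not from the thread, here is a small detector run over a constructed sample of the kind of application log the answer recommends (failed logins, rejected input, ordinary events). The log format, the thresholds and the addresses (taken from the RFC 5737 documentation ranges) are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one "<iso-timestamp> <event> key=value ..." record per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01 login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:02 login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:03 login_failed user=bob ip=203.0.113.5
2024-05-01T10:00:04 login_failed user=carol ip=203.0.113.5
2024-05-01T10:00:05 login_failed user=dave ip=203.0.113.5
2024-05-01T10:00:06 login_failed user=erin ip=203.0.113.5
2024-05-01T10:00:10 login_ok user=alice ip=198.51.100.7
2024-05-01T10:01:00 bad_input field=q ip=198.51.100.9 reason=length
2024-05-01T10:01:01 bad_input field=q ip=198.51.100.9 reason=encoding
2024-05-01T10:01:02 bad_input field=email ip=198.51.100.9 reason=format
2024-05-01T10:30:00 login_failed user=alice ip=192.0.2.44
this line is not a log record
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Return {'ts': datetime, 'event': str, key: value, ...} or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:            # first token was not a timestamp: skip, don't crash
        return None
    rec = {"ts": ts, "event": m.group("event")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def detect(lines, window=timedelta(minutes=5), max_failures=5, max_bad_input=3):
    """Emit one alert per source for a burst of failed logins or repeated rejected input."""
    failures = defaultdict(deque)     # ip -> timestamps of login_failed inside the window
    users_tried = defaultdict(set)    # ip -> distinct accounts attempted
    bad_input = defaultdict(int)      # ip -> rejected-input count
    alerts, fired = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec.get("ip", "?")
        if rec["event"] == "login_failed":
            q = failures[ip]
            q.append(rec["ts"])
            users_tried[ip].add(rec.get("user", "?"))
            while q and rec["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= max_failures and ("bruteforce", ip) not in fired:
                fired.add(("bruteforce", ip))
                alerts.append({"type": "bruteforce", "ip": ip, "at": rec["ts"],
                               "failures": len(q),
                               "distinct_users": len(users_tried[ip])})
        elif rec["event"] == "bad_input":
            bad_input[ip] += 1
            if bad_input[ip] >= max_bad_input and ("probing", ip) not in fired:
                fired.add(("probing", ip))
                alerts.append({"type": "probing", "ip": ip, "at": rec["ts"],
                               "count": bad_input[ip]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The `distinct_users` field is what separates a user who forgot a password from someone walking through account names, which is why it is carried on the alert rather than computed later. Feeding the same records to OSSEC or a syslog collector instead of a script is the better long-term shape; the point of the example is only that the events must exist in the log before any tool can see them.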

Make sure you know what version and patch level your servers are running, not just the OS, but all related components and everything that is actually executing on the machine. Then make sure you are never more than a day behind. Not doing so leads to much pain, and you don't hear of most of it - most of my past employers would never publicly admit being hacked as it reflects badly on them, so you can assume systems are getting hacked left and right with pretty serious consequences to companies; you just don't hear about most of these events.

A few basic "security" measures here that, while more reactive than proactive, are some things to consider.

1) Backup strategy, of course not just for those who hack into your site, but it is nice to restore everything back to pre-hack days if possible; make sure it's reliable and, most importantly, was tested in a near-live restore drill.
2) Mitigation: have plans in place, at least on a napkin somewhere, for how to react if the server is hacked.
3) Insurance: find insurance companies that understand the world of cyber-business and the damages resulting from these things, and buy policies.
4) Someone already mentioned employee sabotage problems; you're screening your employees beforehand, right? Background checks are cheap and do dig up stuff...
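Point 1 above is the one that can be checked mechanically, and an untested backup is the usual failure. As an added example that is not from the thread, the script below takes a consistent copy of a database, records its hash, then performs the "restore drill" into a scratch directory and verifies three things a real drill must prove: the copy is the one you made (hash), it is structurally sound (SQLite's own integrity check) and it holds the rows you expect (per-table counts). SQLite stands in for the MySQL of the asker's LAMP stack; the table, the rows and the function names are constructed for the example.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def build_sample_db(path: Path) -> None:
    """Constructed 'live' database with a few rows to protect."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts (author, body) VALUES (?, ?)",
                     [("alice", "hello"), ("bob", "world"), ("carol", "!")])
    conn.commit()
    conn.close()


def backup_db(src: Path, dest: Path) -> str:
    """Consistent copy via SQLite's online backup API; returns the SHA-256 of the file."""
    src_conn, dst_conn = sqlite3.connect(src), sqlite3.connect(dest)
    src_conn.backup(dst_conn)
    src_conn.close()
    dst_conn.close()
    return hashlib.sha256(dest.read_bytes()).hexdigest()


def table_counts(path: Path) -> dict:
    conn = sqlite3.connect(path)
    try:
        tables = [r[0] for r in
                  conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        return {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                for t in tables}
    finally:
        conn.close()


def restore_drill(backup: Path, expected_hash: str, expected_counts: dict) -> dict:
    """Restore into scratch space and verify hash, structure and content."""
    result = {"hash_ok": False, "integrity_ok": False, "counts_ok": False}
    result["hash_ok"] = hashlib.sha256(backup.read_bytes()).hexdigest() == expected_hash
    with tempfile.TemporaryDirectory() as tmp:
        restored = Path(tmp) / "restored.db"
        restored.write_bytes(backup.read_bytes())          # the "restore" step
        try:
            conn = sqlite3.connect(restored)
            try:
                result["integrity_ok"] = (
                    conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok")
            finally:
                conn.close()
            result["counts_ok"] = table_counts(restored) == expected_counts
        except sqlite3.Error:      # unreadable file: the drill fails, it does not crash
            pass
    result["passed"] = all(result.values())
    return result


def run_drill() -> dict:
    """Whole cycle: backup, good drill, then the same drill against a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live, bak = Path(tmp) / "live.db", Path(tmp) / "live.bak"
        build_sample_db(live)
        digest = backup_db(live, bak)
        expected = table_counts(live)
        good = restore_drill(bak, digest, expected)
        bak.write_bytes(b"NOT A DATABASE" * 8)             # simulate a corrupted backup
        corrupted = restore_drill(bak, digest, expected)
    return {"good": good, "corrupted": corrupted}


if __name__ == "__main__":
    for name, outcome in run_drill().items():
        print(name, outcome)
```

The drill deliberately restores into a throwaway directory rather than over the live database, so it can run on a schedule without risk; the hash is recorded at backup time, so a backup silently altered or truncated in storage fails the first check before anything is opened. For MySQL the same shape applies with `mysqldump` output and a scratch instance in place of the SQLite calls.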

Have a look at Mod Security for the various possibilities in the software setup: do a Google search for "mod_security howto example".

Simple example to start: http://www.ghacks.net/2009/07/15/install-mod_security-for-better-apache-security/
