2. Agenda
Why and when does it matter?
Real security needs vs. FUD
Case studies
Take away
3. Why Security?
Most folks' attitude towards security is similar to their attitude towards exercise and diet.
Startups are no different, maybe even worse!
4. When is Security Relevant?
Enabler to business:
Payments and allied services (all online ordering ones)
E-commerce
Legal/regulation mandated:
Healthcare, Legal
Banking and Finance
Prudent / good to have (privacy, bad PR):
Facebook, LinkedIn
Portals
5. FUD is irrelevant to Startups
Limited budget or no budget.
Focus is on getting up and running somehow.
Any publicity is good publicity (have heard of cases where founders themselves planted fraud stories).
6. Case Study 1: A well-known cab company
Technology hack
A well-publicized event of an ethical hacker hacking the API due to lack of authentication and encryption.
He was able to access the servers/DB as well as the credit card info of the customers stored there.
He also claimed he could recharge his mobile wallet.
Huge negative publicity ensued, and the cab company issued a clarification saying it was only their test bed and not the production system that stores the actual customer data.
Social engineering
A driver collecting the money multiple times for the incentives.
7. Case Study 2: A Legal Process Outsourcing company
An LPO startup with Indo-US operations dealing with a patent case in the US.
A disgruntled ex-employee got hold of a document (supposedly stored in a secure vault and only available for viewing) and sent a mail from a fake email address to the opposite party of the legal case, claiming to be in possession of the document.
The opposing party did the right thing and showed it to the judge; the judge froze the case and ordered the LPO to address the issues.
The client cancelled the contract, and the LPO had to struggle to show that they had indeed followed all the processes.
8. What is the bare minimum security?
Authentication
Encryption (HTTPS)
Backup / disaster recovery
Logs
Fraud management
Compliance and certification
Software development security
Privacy
9. Prudent View
Security is a continuous process.
The best infrastructure and technology doesn't guarantee no hacking, as weak processes and people issues may defeat them.
Security is a stance; it is best to have one and prepare for the eventualities rather than get caught in the attacks and then scramble.
The stance, after understanding the detailed risk profile, could be:
Cross it when it comes,
Mitigate and continuously reduce,
Insure against.
Which one is yours?