7 Physical Security Controls That'll Keep Your Data Safe

Security breaches in the headlines tend to involve nefarious actors in another country or the catastrophic failure of technology.

These stories make for exciting reading, but they are never easy for the breached company to admit to. The reality is that, regardless of the significance or scope of a breach, it is typically caused by the action or failure of a person or a process inside the company.

The Yahoo! security fiasco is one example. For years the company was aware of a massive breach affecting at least 500 million customer accounts, yet it failed to take even the most basic step of resetting the login credentials of the affected users.

The breach was disclosed in September 2016, during the due diligence that Verizon undertook as part of its acquisition of Yahoo!, and led to a cut of about $350 million (roughly 7%) in the purchase price.

Our conclusion is that software companies must take action to ensure they aren’t the next big headline. 

Architecture Matters

While there is no silver bullet for solving all security issues, at Hockeystick we strongly believe that implementing physical security controls is a key component in finding and fixing software weaknesses before a hacker does.

1. Database Encryption

For many organizations, databases are a treasure trove of sensitive information containing data ranging from customers’ personal details to intellectual property. This is why database encryption at rest should be a high priority for organizations intent on protecting this data.

Like most software companies, Hockeystick uses network controls such as routers and firewalls to protect confidential data. But attackers have developed numerous ways to get past network defences and reach the information they are after.

If one of those ways works and the first line of defence is breached, encryption makes the data much harder to obtain: a stolen disk, snapshot or backup yields only ciphertext without the key. Be clear about what it does not cover, though. Transparent encryption at rest decrypts for any authorised database connection, so an attacker who compromises the application or steals its database credentials reads plaintext exactly as the application does. It complements, rather than replaces, access control and application-level encryption of the most sensitive fields.

If you are unsure how to begin, start with your cloud provider. AWS, for example, encrypts EBS volumes and RDS storage with AES-256 using keys held in AWS KMS. Two practical points: RDS storage encryption can only be turned on when an instance is created, so an existing unencrypted instance has to be snapshotted, the snapshot copied with encryption enabled, and the copy restored; and it is the KMS key policy, not the encryption flag, that decides who can actually decrypt the data, so the key policy deserves as much attention as the volume settings.

2. Hardening

Hardening is the process of reducing a system's attack surface, which in practice mostly means software configuration: removing or disabling services that are not needed, configuring the OS to enforce password requirements, and configuring web servers and databases so that they are less exposed to attacks such as buffer overflows.

At Hockeystick, we have gone the extra mile of hardening all of our servers at the OS level, along with the web application server and the database server, in accordance with best practices. We have also installed firewalls at every layer of our infrastructure, from the load balancer to the virtual private cloud down to the subnets and the servers themselves.
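The check a practitioner wants after hardening is an automated comparison of the live configuration against the baseline, because settings drift and defaults are easy to misread. The following is an added example, not Hockeystick's code: it audits the global section of sshd_config and the password-ageing policy in login.defs. The baseline values, the OpenSSH defaults it assumes for unset keywords, and the sample file contents are all constructed for the illustration; replace the baseline with whatever standard you hold yourself to.

```python
"""Added example (not Hockeystick's code): audit OS-level hardening settings against a
baseline. It reads the global section of sshd_config and the password policy in
login.defs and reports every setting that is missing or weaker than the baseline.
Baselines, the OpenSSH defaults used for unset keywords, and the sample file contents
are constructed for this example; substitute your own standard."""
import re

# OpenSSH's own defaults for keywords a file does not set (see sshd_config(5)).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "x11forwarding": "no",
}
# Baseline entries: ("eq", value) exact match, ("max"|"min", n) numeric bound.
SSHD_BASELINE = {
    "permitrootlogin": ("eq", "no"),
    "passwordauthentication": ("eq", "no"),  # keys only
    "permitemptypasswords": ("eq", "no"),
    "maxauthtries": ("max", 4),
    "x11forwarding": ("eq", "no"),
}
LOGIN_DEFS_BASELINE = {
    "pass_max_days": ("max", 90),
    "pass_min_days": ("min", 1),
    "pass_min_len": ("min", 14),  # on PAM systems pwquality.conf may govern length instead
    "encrypt_method": ("eq", "sha512"),
}


def parse_config(text, stop_at_match=False):
    """Return {keyword: value} for 'Key value' / 'Key=value' lines.

    Keywords are case-insensitive and the first occurrence wins, as in sshd. With
    stop_at_match=True parsing stops at the first 'Match' line: settings inside a
    Match block apply only conditionally and must not be read as global.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if stop_at_match and key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(settings, baseline, defaults=None):
    """Return human-readable findings ('key: ...'); an empty list means compliant."""
    defaults = defaults or {}
    findings = []
    for key, (op, want) in baseline.items():
        if key in settings:
            actual, source = settings[key], "configured"
        elif key in defaults:
            actual, source = defaults[key], "default"
        else:
            findings.append(f"{key}: not set (baseline {op} {want})")
            continue
        if op == "eq":
            ok = actual.lower() == str(want).lower()
        elif not actual.isdigit():
            findings.append(f"{key}: non-numeric value {actual!r}")
            continue
        else:
            ok = int(actual) <= want if op == "max" else int(actual) >= want
        if not ok:
            findings.append(f"{key}: {source} value {actual!r} violates baseline {op} {want}")
    return findings


def audit_sshd(text):
    return audit(parse_config(text, stop_at_match=True), SSHD_BASELINE, SSHD_DEFAULTS)


def audit_login_defs(text):
    return audit(parse_config(text), LOGIN_DEFS_BASELINE)


# Constructed samples; on a real host read /etc/ssh/sshd_config and /etc/login.defs.
# Note the duplicate PermitRootLogin (first wins) and the PasswordAuthentication that
# applies to one user only, leaving the global default ('yes') in force.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PermitRootLogin no
X11Forwarding no
MaxAuthTries 10
Match User deploy
    PasswordAuthentication no
"""
SAMPLE_LOGIN_DEFS = """\
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
ENCRYPT_METHOD  SHA512
"""

if __name__ == "__main__":
    for name, findings in (("sshd_config", audit_sshd(SAMPLE_SSHD_CONFIG)),
                           ("login.defs", audit_login_defs(SAMPLE_LOGIN_DEFS))):
        print(name, "compliant" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against the samples it reports three findings per file, and the two that matter most are the ones a manual read tends to miss: the second PermitRootLogin line never takes effect, and PasswordAuthentication is still enabled globally because the only line disabling it sits inside a Match block.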


3. Black-Box Testing

When testing software, the methodology should be as free from bias as possible.

A tester who knows too much about the implementation tends to test what the developers already thought of. In the ideal case, the tester is simply given a task to accomplish with the software in question and no guidance on how it works internally. This is black-box testing.

Black-box testing almost always relies on tools that help the tester find potential vulnerabilities in a running system, such as vulnerability scanners and penetration-testing toolkits.

This form of testing is valuable because it applies at every level of software testing (unit, integration, system and acceptance) and lets companies catch bugs and security flaws before someone else does.

4. White-Box Testing

If a tester is intimately familiar with the implementation, design, and structural aspects of the software that is being tested, they can “see inside the box” and view how the software is put together, hence the name white-box. Because they engineer or understand the desired inputs and outputs, they can test the outcomes against their expectations.

In contrast to black-box testing, it is more like looking under the hood of a car and testing the engine’s workings.

This is where static code analysis (SAST) tools fit: they analyse the application's source code to identify security issues at any stage of development, without running it.
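To show what "analysing the code without running it" means in practice, here is an added example (not Hockeystick's code and not a substitute for a real analyser such as bandit): a small static checker built on Python's ast module. It parses a module into a syntax tree and walks it looking for four patterns that commonly introduce security flaws. The rule names and the sample module it inspects are constructed for the illustration.

```python
"""Added example (not Hockeystick's code): a small static analyser built on Python's
ast module, to show the mechanism behind white-box tools such as bandit. It parses a
module (without executing it) and flags four patterns that commonly introduce
security flaws. The sample module and the rule names are constructed for this example."""
import ast
import re

SECRET_NAME = re.compile(r"passw(or)?d|secret|token|api_key", re.I)


def callee_name(call):
    """Dotted name of a call target: 'eval', 'subprocess.run', 'yaml.load'; None if dynamic."""
    node, parts = call.func, []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def keyword(call, name):
    """The AST node passed as keyword argument `name`, or None if absent."""
    return next((kw.value for kw in call.keywords if kw.arg == name), None)


class Finder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line, rule, message)

    def visit_Call(self, node):
        name = callee_name(node)
        shell = keyword(node, "shell")
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, "dynamic-code", f"{name}() executes runtime data"))
        elif name in ("os.system", "os.popen"):
            self.findings.append((node.lineno, "shell-injection", f"{name}() runs through a shell"))
        elif name and name.startswith("subprocess.") and isinstance(shell, ast.Constant) and shell.value is True:
            self.findings.append((node.lineno, "shell-injection", f"{name}(..., shell=True)"))
        elif name == "yaml.load" and keyword(node, "Loader") is None:
            self.findings.append((node.lineno, "unsafe-deserialisation", "yaml.load() without a Loader"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    self.findings.append((node.lineno, "hardcoded-secret", f"{target.id} is a string literal"))
        self.generic_visit(node)


def analyse(source):
    """Return (line, rule, message) findings for one module's source text, sorted by line."""
    finder = Finder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


# Constructed sample module; it is only parsed, so yaml need not be installed.
SAMPLE = '''\
import subprocess, yaml
DB_PASSWORD = "hunter2"
def run(user_arg):
    return subprocess.run("ls " + user_arg, shell=True)
def load(path):
    with open(path) as f:
        return yaml.load(f)
def safe_load(path):
    with open(path) as f:
        return yaml.load(f, Loader=yaml.SafeLoader)
def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for line, rule, msg in analyse(SAMPLE):
        print(f"line {line}: [{rule}] {msg}")
```

The point of the example is the white-box view: the checker knows the structure of the code, so it can distinguish the yaml.load call that passes an explicit Loader from the one that does not, something a black-box test could only discover by feeding a malicious document to every input.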

5. Monitoring

One of the easier steps a company can take against hacking is to proactively monitor its own services and gather outside intelligence: aggregating information from blocklists, IP reputation feeds, threat feeds and underground sites where people may be discussing a compromise of the firm.

Hockeystick uses several services for monitoring and alerting. For example, we run an ELK stack (Elasticsearch, Logstash and Kibana) in our production and staging environments to monitor incoming web traffic and requests. monit alerts us on CPU load and memory usage, and OSSEC, a host-based intrusion detection system, notifies us of signs of a potential compromise.
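What turns collected logs and feeds into an alert is the detection logic, so here is an added example of that layer (not Hockeystick's code, and not how its ELK or OSSEC setup is configured). It parses web-server access-log lines in the common "combined" format and raises four kinds of alert: a request from a blocklisted address (the feed-driven case), a scanner probing many distinct missing paths, a brute-force run of failed logins, and a login that succeeds immediately after such a run. The log lines, the blocklist entry, the window and the thresholds are all constructed for the illustration.

```python
"""Added example (not Hockeystick's code): detection logic of the kind an ELK or OSSEC
pipeline would run over web-server access logs. It parses nginx/Apache "combined" log
lines and alerts on: a client on an IP blocklist, a scanner probing many distinct
missing paths, a brute-force run of failed logins, and a login that succeeds right
after such a run. The log lines, blocklist and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
WINDOW = timedelta(seconds=60)
SCAN_THRESHOLD = 5             # distinct 404 paths from one client per window
BRUTE_THRESHOLD = 5            # failed logins from one client per window
BLOCKLIST = {"198.51.100.23"}  # constructed; in practice fed from reputation feeds


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def _trim(q, now, key=lambda item: item):
    """Drop queue entries older than WINDOW relative to `now` (sliding window)."""
    while q and now - key(q[0]) > WINDOW:
        q.popleft()


def detect(lines):
    """Run the detectors over log lines in order; return one alert per (client, rule)."""
    alerts, raised = [], set()
    failed = defaultdict(deque)   # ip -> times of failed logins
    missing = defaultdict(deque)  # ip -> (time, path) of 404 responses

    def alert(ev, rule, msg):
        if (ev["ip"], rule) not in raised:
            raised.add((ev["ip"], rule))
            alerts.append((ev["time"].isoformat(), ev["ip"], rule, msg))

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # count these in production: a burst of unparseable lines is itself a signal
        ip, now = ev["ip"], ev["time"]
        if ip in BLOCKLIST:
            alert(ev, "blocklist", "request from blocklisted address")
        if ev["status"] == 404:
            missing[ip].append((now, ev["path"]))
            _trim(missing[ip], now, key=lambda item: item[0])
            if len({p for _, p in missing[ip]}) >= SCAN_THRESHOLD:
                alert(ev, "scan", f"{SCAN_THRESHOLD}+ distinct 404 paths within {WINDOW.seconds}s")
        if ev["method"] == "POST" and ev["path"] == "/login":
            _trim(failed[ip], now)
            if ev["status"] == 401:
                failed[ip].append(now)
                if len(failed[ip]) >= BRUTE_THRESHOLD:
                    alert(ev, "brute-force", f"{BRUTE_THRESHOLD}+ failed logins within {WINDOW.seconds}s")
            elif ev["status"] == 200 and len(failed[ip]) >= BRUTE_THRESHOLD:
                alert(ev, "login-after-failures", "successful login right after a brute-force run")
    return alerts


# Constructed sample log. 203.0.113.7 is a normal user who mistypes a password twice,
# minutes apart; 192.0.2.44 is a scanner; 192.0.2.99 brute-forces and then gets in.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [03/May/2017:10:00:07 +0000] "GET / HTTP/1.1" 200 1043 "-" "curl/7.52.1"
192.0.2.44 - - [03/May/2017:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.13"
192.0.2.44 - - [03/May/2017:10:01:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.13"
192.0.2.44 - - [03/May/2017:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.13"
192.0.2.44 - - [03/May/2017:10:01:03 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.13"
192.0.2.44 - - [03/May/2017:10:01:04 +0000] "GET /admin HTTP/1.1" 404 153 "-" "python-requests/2.13"
192.0.2.99 - - [03/May/2017:10:02:00 +0000] "POST /login HTTP/1.1" 401 12 "-" "Mozilla/5.0"
192.0.2.99 - - [03/May/2017:10:02:03 +0000] "POST /login HTTP/1.1" 401 12 "-" "Mozilla/5.0"
192.0.2.99 - - [03/May/2017:10:02:06 +0000] "POST /login HTTP/1.1" 401 12 "-" "Mozilla/5.0"
192.0.2.99 - - [03/May/2017:10:02:09 +0000] "POST /login HTTP/1.1" 401 12 "-" "Mozilla/5.0"
192.0.2.99 - - [03/May/2017:10:02:12 +0000] "POST /login HTTP/1.1" 401 12 "-" "Mozilla/5.0"
192.0.2.99 - - [03/May/2017:10:02:15 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2017:10:05:00 +0000] "POST /login HTTP/1.1" 401 12 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2017:10:07:00 +0000] "POST /login HTTP/1.1" 401 12 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for when, ip, rule, msg in detect(SAMPLE_LOG.splitlines()):
        print(f"{when} {ip} [{rule}] {msg}")
```

The sliding window is what keeps the ordinary user's two failed attempts, minutes apart, from firing, and the "login-after-failures" rule is the one worth paging on: a brute-force run that ends in a 200 is a likely account compromise, not just noise. In a real pipeline the same logic would run as a Logstash filter, an Elasticsearch watch or an OSSEC rule rather than a script, and the blocklist would be refreshed from the reputation feeds mentioned above.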

6. Audit Tables

Audit tables record the data changes that have occurred in a database: who made each change, which rows were affected, when it was made and from where, ideally together with the old and new values. When an incident is investigated, these records let us reconstruct the sequence of changes and understand how the attacker got in and what they did, so that we can fix the underlying issue. Two caveats apply. An audit table in the same database is only as trustworthy as that database, so an attacker with write access could edit it; make it append-only and ship copies to separate log storage. And the "who" is only as good as the identity the application passes to the database: if every request uses one shared service account, the table will show only that account.
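The following is an added example, not Hockeystick's schema: an audit table maintained by database triggers, done in SQLite through Python's standard library so it runs anywhere. Every insert, update and delete on a users table writes a row recording who, what, when and from where, with the old and new values, and the audit table itself rejects updates and deletes. Because SQLite has no notion of a session user or client address (a server database would use current_user and the equivalent of inet_client_addr()), the example assumes the application records that context in a one-row table that the triggers read; the table name, actors and data are all constructed.

```python
"""Added example (not Hockeystick's code): an audit table maintained by database
triggers, in SQLite through Python's standard library so it runs anywhere. Every
INSERT, UPDATE and DELETE on `users` writes a row recording who, what, when and from
where, with old and new values, so a change can be reconstructed later; the audit
table itself rejects updates and deletes. Schema, actors and data are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, role TEXT NOT NULL);

-- Who/where context for the current request. Server databases expose this as
-- current_user / inet_client_addr(); SQLite has no session, so the application
-- writes it into a one-row table that the triggers read.
CREATE TABLE audit_ctx (k INTEGER PRIMARY KEY CHECK (k = 1), actor TEXT NOT NULL, addr TEXT NOT NULL);

CREATE TABLE audit_log (
    id          INTEGER PRIMARY KEY,
    table_name  TEXT NOT NULL,
    row_id      INTEGER NOT NULL,
    action      TEXT NOT NULL,
    old_email   TEXT, old_role TEXT,
    new_email   TEXT, new_role TEXT,
    changed_by  TEXT NOT NULL,
    client_addr TEXT NOT NULL,
    changed_at  TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);

-- Each trigger first refuses the write if no context is set, so nothing goes unaudited.
CREATE TRIGGER users_ai AFTER INSERT ON users BEGIN
    SELECT RAISE(ABORT, 'audit context not set') WHERE NOT EXISTS (SELECT 1 FROM audit_ctx);
    INSERT INTO audit_log (table_name, row_id, action, new_email, new_role, changed_by, client_addr)
        SELECT 'users', NEW.id, 'INSERT', NEW.email, NEW.role, actor, addr FROM audit_ctx;
END;
CREATE TRIGGER users_au AFTER UPDATE ON users BEGIN
    SELECT RAISE(ABORT, 'audit context not set') WHERE NOT EXISTS (SELECT 1 FROM audit_ctx);
    INSERT INTO audit_log (table_name, row_id, action, old_email, old_role, new_email, new_role, changed_by, client_addr)
        SELECT 'users', OLD.id, 'UPDATE', OLD.email, OLD.role, NEW.email, NEW.role, actor, addr FROM audit_ctx;
END;
CREATE TRIGGER users_ad AFTER DELETE ON users BEGIN
    SELECT RAISE(ABORT, 'audit context not set') WHERE NOT EXISTS (SELECT 1 FROM audit_ctx);
    INSERT INTO audit_log (table_name, row_id, action, old_email, old_role, changed_by, client_addr)
        SELECT 'users', OLD.id, 'DELETE', OLD.email, OLD.role, actor, addr FROM audit_ctx;
END;

-- Append-only: an attacker who can write to users must not be able to erase the trail.
CREATE TRIGGER audit_log_ro_u BEFORE UPDATE ON audit_log BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_ro_d BEFORE DELETE ON audit_log BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def set_context(con, actor, addr):
    """Record who is acting and from where; a real app does this once per request."""
    con.execute("INSERT OR REPLACE INTO audit_ctx (k, actor, addr) VALUES (1, ?, ?)", (actor, addr))


def history(con, row_id):
    """Reconstruct every change to one users row, oldest first, as a list of dicts."""
    cur = con.execute(
        "SELECT action, old_email, old_role, new_email, new_role, changed_by, client_addr, changed_at "
        "FROM audit_log WHERE table_name = 'users' AND row_id = ? ORDER BY id", (row_id,))
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def audit_is_tamper_proof(con):
    """True if the database refuses to delete from audit_log."""
    try:
        con.execute("DELETE FROM audit_log")
    except sqlite3.DatabaseError:
        return True
    return False


def unaudited_write_rejected():
    """True if a write on a connection with no audit context is refused by the trigger."""
    try:
        open_db().execute("INSERT INTO users (id, email, role) VALUES (2, 'x@example.com', 'user')")
    except sqlite3.DatabaseError:
        return True
    return False


def demo():
    """Constructed scenario: a normal insert, then a privilege escalation via an API credential."""
    con = open_db()
    set_context(con, "alice@example.com", "10.0.0.5")
    con.execute("INSERT INTO users (id, email, role) VALUES (1, 'bob@example.com', 'user')")
    set_context(con, "svc-api", "203.0.113.9")
    con.execute("UPDATE users SET role = 'admin' WHERE id = 1")
    con.commit()
    return con


if __name__ == "__main__":
    for change in history(demo(), 1):
        print(change)
```

Reading the history back shows exactly what an investigator needs: the role change from user to admin was made by the svc-api identity from 203.0.113.9, not by the administrator who created the account. The append-only triggers are the database-local half of the "ship it elsewhere" caveat above; they stop a casual cleanup but not an attacker who can drop triggers, which is why the rows should also be copied out of the database.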

7. Security Audit

Has your software undergone a security audit by a reputable firm? These audits involve on-site visits and remote testing by third-party organizations such as Securis and EY. They provide a clear picture of how the security controls actually perform and let companies make the changes needed to reduce the likelihood of a data breach or a successful attack.

The AICPA SOC audit motivated Hockeystick to implement state-of-the-art security grounded in established best practices.

Don’t Give Hackers a Chance

Given the very real threat of cyber attacks, companies are reassessing their entire security stance and are placing greater emphasis on security when they build and buy enterprise software products. In fact, a number of companies (including Hockeystick) are increasingly being subjected to vulnerability assessments and penetration testing by customers purchasing software subscriptions.

To match customers’ expectations and to better address today’s security challenges, companies need to design their software with security in mind from the outset. Security has been a company-wide priority at Hockeystick since day one — it’s ingrained in the DNA of our business.

That may sound like a significant investment of time and money, but we believe it is a worthwhile one. By preventing breaches that would otherwise be inevitable, we are able to create even more value for our customers.

This is an approach that promises to pay big dividends in the years to come.
