Defense in Depth - Lessons Learned from Securing over 100,000 Drupal Sites
Transcript of Defense in Depth - Lessons Learned from Securing over 100,000 Drupal Sites
PANTHEON
Introductions

Nick Stielau - @nstielau - Pantheon - Director of Engineering - Managing Security for 100,000+ Drupal Sites
Chris Teitzel - @technerdteitzel - Cellar Door Media - Founder - Architected secure platform for large scale e-commerce site
Luke Probasco - @geetarluke - Townsend Security - Drupal General Manager - Manage Drupal business for Townsend Security
Three Perspectives

Nick Stielau - Platform Architect
Chris Teitzel - Drupal Architect
Luke Probasco - Compliance, encryption, and security consultant
“There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”
Robert Mueller, Former FBI Director
Son of a Breach

The average cost of a data breach is:
● $3.5 million per breach
● $145 per record

So far this year (as of 4/28/15):
● 270 breaches
● 102,372,157 records exposed
● ~10 records/second
Compliance

● The low bar for data security
● Declares the minimum security for you
● A Qualified Security Assessor (QSA) can help you meet compliance
● Encryption and key management help
Are you vulnerable?

Where to watch for vulnerability announcements:
● US-CERT
● Drupal.org/security
● Fedora/Ubuntu mailing lists
● Apache/Nginx/Varnish/Redis mailing lists
● Twitter
Compliance Regulations

PCI Data Security Standard (PCI DSS) - Retail
HIPAA - Healthcare
GLBA / FFIEC - Financial
FISMA - US government agencies
FERPA - Educational institutions
State and Federal Privacy Notification laws
Shared Responsibility

“Use of a PCI DSS compliant CSP does not result in PCI DSS compliance for the clients. The client must still ensure they are using the service in a compliant manner, and is also ultimately responsible for the security of their CHD.”
PCI DSS Cloud Computing Guidelines (CSP: cloud service provider; CHD: cardholder data)
Personally Identifiable Information (PII) - What is it and why does it matter?

● NIST Special Publication 800-122 defines PII
● Examples:
○ Full name
○ Home address
○ Email address
○ IP address
○ Drivers license
○ Login name, screen name, etc.
○ Face, fingerprints, or handwriting
○ Credit card numbers
○ Digital identity
○ Date of birth
○ Birthplace
○ Telephone number
Evaluating Hosting

Does your hosting provider help you secure the whole stack?

Hosting
Operating System
Database
Web Server
Drupal
JavaScript
Team
Securing your OS

● Install security updates
● Achieve sensible configuration
● Invest in ability to safely, quickly update servers
● Definitely do:
○ iptables
○ ssh (no root, no passwords)
○ sudoers
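The "ssh (no root, no passwords)" item is the one most often undone by a later edit, because sshd uses the first value it reads for each keyword: a hardening line appended at the bottom of sshd_config loses to a permissive line higher up. The following shell script is an added example and is not part of the original slides or of Pantheon's tooling. It resolves the effective PermitRootLogin and PasswordAuthentication values of an sshd_config the way sshd does and fails the audit when either is not "no". Both config files are constructed inline; on a real host, point it at /etc/ssh/sshd_config and cross-check with `sshd -T`.

```shell
#!/bin/sh
# Added example, not from the original slides: audit an sshd_config for
# "no root, no passwords". OpenSSH uses the FIRST value it reads for each
# keyword, so a hardening line appended at the end of the file is ignored
# when an earlier line already set the keyword. Both configs below are
# constructed for the demonstration.

# Print the effective value of keyword $1 in config file $2: first
# uncommented occurrence wins, keyword match is case-insensitive, as sshd
# resolves it. Prints nothing if the keyword is not set.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$2"
}

# Audit config file $1. Returns 0 when root login and password
# authentication are both effectively disabled, 1 otherwise. Unset keywords
# fall back to the OpenSSH defaults (PermitRootLogin prohibit-password,
# PasswordAuthentication yes), which both fail the check.
audit_sshd_config() {
    root=$(sshd_effective PermitRootLogin "$1")
    pw=$(sshd_effective PasswordAuthentication "$1")
    root=${root:-prohibit-password}
    pw=${pw:-yes}
    status=0
    [ "$root" = "no" ] || { echo "FAIL: PermitRootLogin is '$root', want 'no'"; status=1; }
    [ "$pw" = "no" ]   || { echo "FAIL: PasswordAuthentication is '$pw', want 'no'"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: root login and password authentication disabled"
    return "$status"
}

tmp=$(mktemp -d)

# Constructed sample 1: correctly hardened.
cat > "$tmp/hardened.conf" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

# Constructed sample 2: the admin appended "PermitRootLogin no", but the
# distro default block earlier in the file still says "yes" and wins.
cat > "$tmp/trap.conf" <<'EOF'
# Authentication:
PermitRootLogin yes
PasswordAuthentication no

# --- added during hardening, but ignored by sshd ---
PermitRootLogin no
EOF

audit_sshd_config "$tmp/hardened.conf"
audit_sshd_config "$tmp/trap.conf"
```

The script deliberately does not scan for the last occurrence or for "any line that says no"; that is exactly the mistake that makes the second sample look hardened to a grep. It does not evaluate `Match` blocks, which can re-enable password authentication for specific users or address ranges, so review those by hand or with `sshd -T -C user=...,addr=...`. The same first-match pitfall does not apply to sudoers (where the last matching rule wins), which is one more reason to test each file with its own tool (`visudo -c`) rather than by reading it.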
Securing Nginx and Apache

● One of the quickest places to lock down; add headers, e.g. X-Frame-Options
● Make use of logs (logrotate)
● Disable server tokens
● Use the proper .htaccess in the files directory
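Both bullets about headers and server tokens are easy to verify from the outside, so the check belongs in your deploy pipeline rather than in someone's memory. The shell script below is an added example, not part of the original slides or of Pantheon's platform: it reads a raw HTTP response and reports a Server token that carries a version, a PHP X-Powered-By header, and missing X-Frame-Options or X-Content-Type-Options. The two responses are constructed; on a live site capture one with `curl -sI https://example.com/ > headers.txt` and pass the file in.

```shell
#!/bin/sh
# Added example, not from the original slides: check a web server's response
# headers for the items on the slide, a version-free Server token and the
# presence of X-Frame-Options, plus X-Content-Type-Options and the PHP
# X-Powered-By leak. The two responses below are constructed; on a live site
# capture one with `curl -sI https://example.com/ > headers.txt`.

# Print the value of header $1 from the raw response on stdin. The first
# occurrence wins, the name is matched case-insensitively, CRLF line endings
# are tolerated. Prints nothing if the header is absent.
header_value() {
    awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/\r$/, "") }
        {
            i = index($0, ":")
            if (i == 0) next                      # status line or blank line
            if (tolower(substr($0, 1, i - 1)) == name) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v)
                print v
                exit
            }
        }
    '
}

# Audit the response stored in file $1. Prints one finding per line and
# returns the number of findings, so exit status 0 means nothing to fix.
audit_headers() {
    f="$1"
    findings=0
    server=$(header_value Server < "$f")
    case "$server" in
        *[0-9]*) echo "Server token leaks a version: $server"
                 findings=$((findings + 1)) ;;
    esac
    if [ -n "$(header_value X-Powered-By < "$f")" ]; then
        echo "X-Powered-By discloses the application stack"
        findings=$((findings + 1))
    fi
    for h in X-Frame-Options X-Content-Type-Options; do
        if [ -z "$(header_value "$h" < "$f")" ]; then
            echo "missing $h"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

tmp=$(mktemp -d)

# Constructed sample 1: stock Apache + PHP with nothing locked down.
cat > "$tmp/leaky.txt" <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.6.8
Content-Type: text/html; charset=UTF-8
Set-Cookie: SESS0123=abc; path=/; HttpOnly
EOF

# Constructed sample 2: server tokens off, security headers added.
cat > "$tmp/hardened.txt" <<'EOF'
HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
EOF

audit_headers "$tmp/leaky.txt"
audit_headers "$tmp/hardened.txt"
```

The fixes for the findings it raises are one line each: `server_tokens off;` and `add_header X-Frame-Options SAMEORIGIN;` in nginx, `ServerTokens Prod` plus `Header always set X-Frame-Options SAMEORIGIN` (mod_headers) in Apache, and `expose_php = Off` in php.ini for the X-Powered-By header. Hiding the version does not patch anything, it only removes the free hint to a scanner; the update bullets on the OS and Drupal slides still apply. The files-directory .htaccess the slide refers to is the one Drupal ships in sites/default/files, which disables script execution for uploaded content; if you relocate the files directory, make sure that file (or the equivalent nginx location rule) moves with it.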
Securing your Database

● Change default password
● Lock down access to required hosts
● Secure your backups
Data Encryption

Encryption Modules: Encrypt, Key, Encrypt User, Encrypt Form, Encrypted Files, AES Encrypt
Encryption Key Management (Don’t tape your key to the front door)

Best Practice: Store and manage keys on a different server than where the data is
Protecting API Keys

Best Practice: Don’t share your API keys with developers that don’t need access to them (aka the Principle of Least Privilege)
Best Practice: Use per-developer and per-system keys
Drupal Core Security

● Keep it updated!
● Avoid getting creative with permissions
Understanding ‘contrib’ module security

● Active, popular modules are most likely to have security scrutiny
Securing your Team

● Enforce 2FA, strong passwords
● Build a security consciousness
Drupalgeddon

https://pantheon.io/blog/what-we-are-seeing-drupal-sa-2014-005
More about Drupalgeddon from Matt Korostoff, 5pm
Constant SSH Attacks

7k attacks per week

p.s. Check out fail2ban for curbing the worst offenders
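What fail2ban does for the "7k attacks per week" is mechanical: count authentication failures per source address in the log and ban the addresses that cross a threshold. The shell script below is an added example, not part of the original slides or of fail2ban itself, and shows that counting step over constructed auth.log lines, including the ignore list (fail2ban's `ignoreip`) that keeps you from banning your own bastion host. Only the counting is shown; fail2ban additionally tracks the time window (`findtime`), inserts the iptables rule, and removes it after `bantime`.

```shell
#!/bin/sh
# Added example, not from the original slides: the counting step of a
# fail2ban-style sshd jail, run over constructed auth.log lines. Each source
# address with at least MAXRETRY "Failed password" lines is a ban candidate;
# fail2ban itself then inserts the iptables rule and expires it after bantime.
# Addresses in the ignore list (fail2ban's ignoreip) are never reported, so a
# misbehaving deploy job on your own bastion cannot lock you out.

# ban_candidates LOGFILE MAXRETRY [IGNORE_IP]
# Prints "ip count" for every address at or above the threshold, highest
# count first. Exit status 0 if there is at least one candidate, 1 if none.
ban_candidates() {
    awk -v max="$2" -v ignore="${3:-}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && ip != ignore) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' "$1" | sort -k2,2nr | grep .
}

tmp=$(mktemp -d)

# Constructed sample: one address guessing a non-existent account, one
# hammering root, and a legitimate user who mistyped twice before the key
# login succeeded. Addresses are from the RFC 5737 documentation ranges.
cat > "$tmp/auth.log" <<'EOF'
Apr 28 10:01:02 web1 sshd[4321]: Invalid user admin from 203.0.113.5
Apr 28 10:01:02 web1 sshd[4321]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 28 10:01:04 web1 sshd[4321]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Apr 28 10:01:06 web1 sshd[4321]: Failed password for invalid user admin from 203.0.113.5 port 51238 ssh2
Apr 28 10:01:08 web1 sshd[4321]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Apr 28 10:01:10 web1 sshd[4321]: Failed password for invalid user admin from 203.0.113.5 port 51242 ssh2
Apr 28 10:02:10 web1 sshd[4330]: Failed password for root from 198.51.100.7 port 40001 ssh2
Apr 28 10:02:11 web1 sshd[4330]: Failed password for root from 198.51.100.7 port 40002 ssh2
Apr 28 10:02:12 web1 sshd[4330]: Failed password for root from 198.51.100.7 port 40003 ssh2
Apr 28 10:02:13 web1 sshd[4330]: Failed password for root from 198.51.100.7 port 40004 ssh2
Apr 28 10:02:14 web1 sshd[4330]: Failed password for root from 198.51.100.7 port 40005 ssh2
Apr 28 10:02:15 web1 sshd[4330]: Failed password for root from 198.51.100.7 port 40006 ssh2
Apr 28 10:03:00 web1 sshd[4340]: Failed password for deploy from 192.0.2.10 port 50000 ssh2
Apr 28 10:03:05 web1 sshd[4340]: Failed password for deploy from 192.0.2.10 port 50001 ssh2
Apr 28 10:03:30 web1 sshd[4341]: Accepted publickey for deploy from 192.0.2.10 port 50002 ssh2
EOF

# maxretry 5: 198.51.100.7 (6) and 203.0.113.5 (5) are reported, 192.0.2.10 is not.
ban_candidates "$tmp/auth.log" 5
```

Two things carry over to the real tool. First, the second sample shows why "no root, no passwords" on the OS slide matters more than the ban: with PasswordAuthentication off, every one of those lines is a rejected attempt before a password is ever checked, and the attack costs you little more than log volume. Second, set `ignoreip` to your office, bastion and monitoring addresses before turning fail2ban on; the sample call with an ignore argument below shows the effect, and a mis-typed threshold is far less painful than being banned from your own server during an incident.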
Risk Mitigation - C.Y.A.

Case Study: Hotel chain intranet

● No one wants to see their name in the headlines for a breach
● Brand damage, loss of customers, loss of jobs
● Do the right thing
Halp! I Got hacked!!

Don’t Panic… React!
1. Rollback
2. Review
3. Reach out!

https://www.drupal.org/node/2365547