Hello everyone, welcome to Vamsi ons Guide to Security in Higher Education and Beyond. My name is David Needham. I'm a developer advocate at Pantheon. What that means is that I get to sort of sit between the developers that are actually out in the world using Pantheon and the developers that are creating Pantheon and making it better, so I spend a lot of time doing training, creating the curriculum, leading workshops, and coming to camps and conferences just like this.

My name is Paul Gill. I'm a programmer analyst at the University of Missouri. My title is programmer analyst, but I also serve part-time with the security team and help triage website compromises. Like David, I'm the go-between between the web developers on campus and the security team, to make sure that as they're developing, they're doing it in a secure fashion.

So real quick, how many of you actually work in higher education? A couple. Okay, so some of the examples I give are specific to higher ed, but the general concepts overall apply to every site and everybody's website, so even though it says "higher ed," it actually is applicable. I will give you some warnings about myself: I like to wander around, I always talk really fast, and I know we just finished lunch so you're probably a little sleepy, so I'm going to try to keep the energy levels high and keep you engaged and energetic. But if I happen to go too fast, don't hesitate to slow me down; if I happen to go over your heads, don't hesitate to kick me and let me know.

So this whole talk, this presentation, really boils down to minimizing risk. How do we, as developers, as site administrators, minimize risk? Well, we have to make sure first that we're all working from the same definition of risk. So, whoops, I skipped one slide there, too fast. Back up here.
Sorry about that. So when I say "risk" in terms of this presentation, what I mean is that intersection there, where assets, threats, and vulnerabilities overlap. All right, so we need to make sure that everybody is clear on what I mean by those three. An asset can be people, it can be property, it can be information or data; it's basically everything that we need to protect, anything that we're trying to protect, those things that are important to us, that have value. A threat, then, is anything that poses a danger to those assets, whether intentionally or by accident; it is what threatens what we're trying to protect. And a threat agent is a person or a group that is going to exploit a vulnerability against that asset to cause that threat to occur. A vulnerability, then (you're skipping my slides, I'm sorry, fingers going too fast), a vulnerability is a weakness or a hole, a gap, either in your security measures or something else, that allows that threat agent to take advantage of it and cause that threat to happen. Makes sense so far? Okay.

So as an analogy, let's say that you are the asset, the threat is rain, and the vulnerability is that you have a hole in your umbrella. So what's the risk in this analogy? Getting wet, right. Okay, but there's one key piece from our definition of risk that I overlooked; I didn't mention it. So let's say it's Friday afternoon and it's raining, but it's just a light drizzle. You're going to walk home, there is a hole in your umbrella, but you have no plans; you're just going to go home and watch TV. So how big of a deal is it if you get wet, if that threat, that risk, comes to pass? Minimal, all right. Now let's say instead, after work on Friday, you have a really big event you're going to, you're going to walk there, and you have some really expensive shoes that cannot get wet. Now how big a deal is it? Yeah, that impact is much greater if that comes to pass.

So that piece that we're missing: risk is the potential for loss or damage to those assets because of a threat exploiting a vulnerability, multiplied by the impact of that threat occurring. Makes sense? So then, in terms of minimizing risk, what we're trying to do is minimize any of these things: if we can minimize the threats, we've minimized the risk; if we can minimize the assets, we minimize the risk; if we can minimize the impacts, we minimize the risk. Everybody good? Following along? Any questions so far?
All right, now for those of you in higher education: we are in a very interesting industry. I've worked in higher ed for almost 20 years now; we are a weird industry. I'll often mention ideals, and I understand fully how in higher ed it is hard to hit those ideals, but we're particularly attractive as a target for very many reasons. One is we have a lot of network bandwidth and availability. How many of you have been on campus when the network goes down? What kind of storm does that create, especially among your students, right? So we have huge amounts of capacity and massive uptime. In addition, we're often rich in hardware infrastructure, especially if you're a research institution; you might have your own data centers and you might have your own high availability (I can't talk today) machines. So we often have lots of hardware. For all that richness in hardware, though, we're often fairly poor in human resources: the number of people, the number of staff that are available to maintain those pieces of hardware.

We're also resistant to blacklisting. Can anybody get a .edu top-level domain? No, you have to be vetted, you have to be an institute of education in order to get a .edu. So because of that we're often resistant, not immune but resistant, to blacklisting. Search engines, Spamhaus, those that monitor IP addresses that have been compromised, will often give us the benefit of the doubt and give us a bit more time to clean things up than they would a regular .com. So in terms of an attacker, if I'm looking to run maybe a spam SEO campaign, that's going to be of extreme value, because I know that .edu is going to be resistant to blacklisting. And your SEO reputation: again, because not everybody can have a .edu, you rank higher in those search results because of your domain, so if I can get my links onto your pages, that's going to elevate my search engine rankings. Beyond that, how much personally identifiable information and sensitive information do you have in higher ed? Wow. So think about it: you've got all kinds of information on your students, you've got all kinds of information on your staff and your faculty, a ton of PII and SPI. If you're connected to a medical institution or a hospital, you might have protected health information. If you're a research institution, you might have confidential intellectual property, you might have national security secrets or export control data. We have a ton.

Now this is higher ed, but a lot of this applies to those of you who are not in higher ed, right? Your website is running on some type of machine, whether that's virtual or real, right? You have your SEO reputation, you could be used to send out spam, you might get blacklisted a little bit faster, but that's going to impact your business. So even though you're not in higher ed, you still have a ton of assets that are out there that are valuable and need to be protected.
All right, so what we're going to go over is kind of the most common things that are suggested you do to protect your website, and not in any particular order; these aren't ranked as far as their importance, just general things that are suggested. But more importantly, we're going to talk about the whys. So maybe you've heard "you should do backups, you should do backups," but if you don't understand why you're doing the backups, maybe you've done them but you haven't really understood the concept behind it. All right, so that's what we're going to cover.

So what a backup is, specifically: it's simply a snapshot of the files that, when they're not compromised, make up your website. That's the code and maybe the documents, the images, the JS, the CSS, all the pieces, as well as the database. So a snapshot goes and takes a backup of all those things. All right, why do you want to do that? Why is this important? Because you can replace it, yeah. You should have a plan B, right, because it's not a matter of if you get compromised, it's a matter of when, right? It's just a matter of when. So you should always have a plan B, but even more importantly than that, it addresses two types of threats. The first is data loss or damage; we talked about that. So if I have a backup of my database and then somebody compromises my database, I never lose anything except maybe the information between when that snapshot was taken and when it was compromised. It also addresses disruption in service. And as far as how it reduces risk, it's going to lower the impact, because again, if my site is completely compromised but I know I've got a good backup in place, it's not as much of an impact to have that compromise happen, because I can just roll back to that backup.

All right, some bonus points. You should protect your backups. Now I don't know how many Drupal modules that do your backups back up into unprotected places. I do a lot of work on the WordPress side as far as compromised sites, and a lot of those back up into publicly available areas. Once you create a backup, what does it become? An asset, right? So we've got to protect those assets, so make sure you're protecting the backup. Don't place your backup into your git repository and put it on GitHub; you know, take a SQL snapshot and put it out there in git where, if I can get it, I can get it. You want to make sure you protect those backups, so don't keep them in publicly accessible areas. And this is one that most of the documents, most of the articles that you read about how to secure a site, always get: how many of you test your backups on a routine basis? Good, but that's one person. Most people, especially if they don't understand why you're backing up, don't go and test. What do you not want to have happen in the instance where you are compromised? Right, that's the reason we test our backups. Exactly, because you don't want to get into a situation where it's like, you're compromised, it's no big deal, it's cool, we have a backup, go to the backup... it's corrupted. Now what do you do? You want to make sure you're testing those backups on a routine basis.

Now as far as Pantheon goes, I'm going to hand it over to you to talk about how Pantheon handles backups. Yeah, but before we do that, I just want to say I love the posters that you've added to this presentation; where did you get these from? These are actually from the NSA, back in the '60s, to encourage security back when we were in the Cold War, and they were recently released through the Freedom of Information Act; the timeline for when they were confidential expired and now they're in the public domain, so you can actually download all these. They're great; some of these are fantastic. Cool.
Hey, can we switch back to you? Exactly, yep. Cool. So we have a Pantheon site here; this is a standard, run-of-the-mill Pantheon site. But when you have a site on Pantheon, you automatically get backups created for you; they happen automatically every day, so it's not something you have to think about. So just as an example, for the sake of a demo, we have this live site. If I visit the live URL, I can see, wait for it, we have a website, but oh no, this site has been hacked. So we have a problem, because something has happened here that we would rather not have to deal with. We need to figure out exactly how this happened and get to the end of that, but before we do that, it's quick and easy just to restore our backup. I'm doing this as an example, but again, testing your backups on a regular basis is something that you're going to want to do, and something that Pantheon makes really easy too. So if I jump over to the backup section, I can see all the backups that have happened over time. I can see there is actually a recent one that happened today, but was it before I hacked this site or after I hacked the site? So I'm going to restore from this manual one that I created; I'm just going to click restore. And since I'm doing this on the live site, obviously it's overwriting the database, the files (which are the content-related files, images and PDFs), as well as the code, so it's not something you're going to want to do all the time; hopefully you'll never have to do it on the live environment. But this is something that you could do in any of your other environments: you could spin up a development site, apply all the backed-up files there, and just verify that it's actually working. All right, so it's in the process of restoring. Let's just flip back over, do a quick refresh, and there we go, it's back to exactly how it was before. So quick and easy, no drama, not a problem.

As I mentioned in the introduction, I end up doing a lot of trainings. One of the most common questions I get from people is: how do I make off-site backups, how do I set up a custom schedule, how do I conform with whatever internal security regulations say I have to save this in multiple locations all over the place and not just rely on what Pantheon has? And well, it was pretty easy. I've always said, hey, you can just write a script. Well, I just wrote a script, so you can check that out if you'd like. This is using continuous integration; specifically it's a process you can spin up on CircleCI. You can go out and grab this code, and it's really, really easy. It uses our command line tool called Terminus. It just runs a few simple commands on whatever cron schedule you want: you log into Terminus, then you create a backup, and then you get the backup, and once you have the backup you can put it wherever you want. You can store it locally, you can store it on Amazon, kind of wherever you choose to put it. All right, that's it for that. It could be every Wednesday, it could be every... it was Wednesday this week, right?
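The Terminus routine just described (log in, create a backup, get the backup, store it somewhere you control), written out as an added example; this is not the script from the talk nor Pantheon's own code. It adds the two things the talk asks for around backups: the downloaded dump is verified before it is trusted, and it is stored outside any web-served directory with owner-only permissions. The site name `my-site.live`, the `BACKUP_DIR` path and the `PANTHEON_MACHINE_TOKEN` variable are placeholders I chose; the three `terminus` commands (`auth:login`, `backup:create`, `backup:get`) are Terminus's own.

```shell
#!/bin/sh
# Added example (not the talk's script): pull a Pantheon database backup with
# Terminus, verify it, and keep it outside the document root with owner-only
# permissions. Assumptions: PANTHEON_MACHINE_TOKEN is set in the environment,
# SITE_ENV is a "<site>.<env>" placeholder, BACKUP_DIR is not web-served.
set -eu

SITE_ENV="${SITE_ENV:-my-site.live}"            # placeholder site.env
BACKUP_DIR="${BACKUP_DIR:-/var/backups/drupal}" # outside the docroot

# Build a timestamped file name so successive backups never overwrite each other.
backup_name() {
    # $1 = site.env, $2 = date stamp (YYYYMMDD-HHMMSS)
    printf '%s-%s-db.sql.gz\n' "$(printf '%s' "$1" | tr '.' '-')" "$2"
}

# "Test your backups": the gzip stream must be intact and the dump must contain
# at least one CREATE TABLE statement. Returns 0 only when both hold.
verify_dump() {
    dump="$1"
    [ -s "$dump" ] || return 1
    gzip -t "$dump" 2>/dev/null || return 1
    gzip -dc "$dump" | grep -q 'CREATE TABLE' || return 1
    return 0
}

# A backup is itself an asset: restrict it to its owner. Prints the resulting
# octal mode ("600") so the caller can confirm it.
protect_dump() {
    chmod 600 "$1"
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

run_backup() {
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"
    out="$BACKUP_DIR/$(backup_name "$SITE_ENV" "$(date +%Y%m%d-%H%M%S)")"
    # Terminus CLI; the machine token comes from the environment, never from the repo.
    terminus auth:login --machine-token="$PANTHEON_MACHINE_TOKEN"
    terminus backup:create "$SITE_ENV" --element=database
    terminus backup:get "$SITE_ENV" --element=database --to="$out"
    protect_dump "$out" >/dev/null
    if verify_dump "$out"; then
        echo "backup OK: $out"
    else
        echo "backup FAILED verification: $out" >&2
        exit 1
    fi
}

# Only talk to Terminus when invoked as "backup.sh run".
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Run it from cron or a CI job as `PANTHEON_MACHINE_TOKEN=... SITE_ENV=my-site.live ./backup.sh run`; copying `$out` to an off-site bucket afterwards is the same as the talk's "put it wherever you want" step. The verification is deliberately cheap (integrity plus a sanity grep); a periodic restore into a non-live environment, as described above, is still the real test.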
How many of you patch every time? So you should definitely try as best you can to keep Drupal up to date as soon as those security patches come out. They often address known vulnerabilities that are actively being exploited. Now sometimes they don't have any known exploits, they don't know that they're being attacked immediately, but they often try to get those in as quickly as possible, because it potentially is an exploitable vulnerability. So subscribe to that security newsletter, so that as soon as that thing is out you're going to get the notification that it's available and you can start running those patches. If you want to sign up for that, the easiest way is really just to log in to drupal.org. If you don't have an account, definitely set one up. You can go into your settings, where the list of all the Drupal newsletters is, and this will get you emails any time there's a security release for Drupal core or any of the modules the security team actively monitors. So it's a great way, whether you have one site or lots of sites, of being aware of all the security things that are coming down the pipe.

And I know a lot of times when I get to a compromised site and it's running out-of-date software, whether it's Drupal or WordPress, one of the first things I ask is: why is it not up to date? What's the number one reason people give? Didn't have time. I know one of you in here has probably said this exact thing. Well, that's absolutely true too. The other one I've heard is "I didn't want to break my site," right? "I don't want to update because I don't know what it's going to do." So one of the great things about Pantheon is you can actually test an update in a different environment. You can clone your production environment down to another environment, run those patches, bring the site up, and run your automated tests, do visual testing, whatever you need to do to ensure it's actually not going to break. So you don't have to worry about applying updates as quickly; you can do those in the test environment, right.

And related to that, we also have a script that uses continuous integration that can completely automate the process of doing all of your updates. So the sort of pseudocode is: once you set up the script, it automatically spins up a branch, a Multidev environment, that's isolated and dedicated to this update. It applies the updates there, it then does visual regression testing (which I'll talk about tomorrow), as well as behavior testing with Behat, even some other sorts of testing if you want, to make sure it's working right. And then if all the tests pass, it can automatically create backups on your other sites and deploy it up to your live site. So you can be totally hands-off, let it do all the updates for you, fully tested, with confidence. Or if it concerns you a little bit to have it deploy directly to the live site, you can have it notify you via Slack or SMS or whatever method you choose, so that you know this site has been updated, here are the tests, go check it out, and then you can push the button to actually deploy it live. This is something you should do regardless of where you are; the scripts that we wrote are specific to Pantheon because they're integrating with our API, but this is something you should have anywhere, regardless of where you're being hosted. Has it updated? Instantly. There we go; you knew what was coming up.

So the security principle, as far as how staying up to date applies back to core security principles, is that you don't use components with known vulnerabilities. You don't put things into your systems that have known problems, because if you know there's a problem, who else knows there's a problem? Yeah, the bad guys, attackers, right? So you don't want to use components with known vulnerabilities. The same exact thing applies to themes and modules: you need to keep those up to date as quickly as possible as well, so you're going to want to get those updates into your systems as fast as possible.

Some bonus points: again, going back to compromised sites, you get in there, you bring it up, and there are, like, a hundred modules and seventeen themes in there, and you're like, what is all this stuff? It's not as bad as WordPress. In WordPress you'll have literally 40 or 50 plugins and you're like, why do you need all these? And the number one answer is "I don't know." "Well, why aren't they updated?" "I don't want to break my site." So you need to go back and make sure you know exactly what you have installed as far as modules and themes, and know why it's there. Limit your modules and themes as much as possible. I mean, use the modules that you need, use the themes that you need, but if you're not
going to use it, get rid of it.

Hosting provider, that's the next one. So that's one you're going to come across often. Full disclosure: Paul gave this talk at a WordPress event, WPCampus down in St. Louis last year, and it was totally not Pantheon-related in any way, but he name-dropped Pantheon so many times in his presentation, as a non-Pantheon customer, that we've collaborated on a few things since then. And this is because I believe in this one. I mean, I truly believe that a hosting provider is crucial to the success of your website, because if Drupal is the brain, right, it's managing and running everything, and your content is the heart and soul of your site, well, that hosting provider is the rest of the body. And it doesn't really matter how well you've secured Drupal: you could have every patch rolled in, you can have every module and theme updated, you've got all the right pieces in place, but if your host is compromised, you've just shot yourself in the foot, right? So it doesn't matter how much work you've done; if the host is compromised, your site's going to be compromised. And it still remains one of the top vectors for sites to be compromised: compromising the host itself to take over the site.

The security principle here goes back to the one we just talked about, and that's don't use components with known vulnerabilities. And a good host, and this is one of the reasons I name-dropped Pantheon, is you want to make sure you establish secure defaults, also known as failing safely. So which file in Drupal contains all of your delicious secrets? settings.php. So usually, if you've got Apache or you've got nginx, that's set up so that when somebody calls PHP it sends it over to PHP-FPM, and that processes the PHP. What happens if that relationship all breaks, and then Apache gets requests for that file? What's it going to serve it as? Text. So now if I'm an attacker and I know your host is bad, and I can cause nginx to flake out, or cause Apache to flake out and drop that relationship, and then go to that file, what have I now got? The keys to the castle, right? So you want to fail safely. You want to make sure that your host is failing back to a safe environment, and that's one of the things that Pantheon does: instead of hard-coding those beautiful secrets in that settings file... And you have a sample of that? I do, yep. So we preload environment variables for the database name, the credentials, the defaults, all that stuff, so if someone could read this it would mean absolutely nothing to them. So someone could get a hold of this file and it really wouldn't matter, because all it is doing is pulling the environment variable and inserting it into the settings.php file where it needs to go, which just means you don't worry; it fails safely, just as Paul said. (You see how... is that better? Sorry, it was kind of tiny. It's down here.) Yep, so if someone got a hold of this file it wouldn't mean anything. In fact, this is the file that's on GitHub for our Drupal; you can use it on your own site as well. And this is what I mean by failing safely: this way, even if there is that failure, you've fallen back, you've failed to a safe state; nobody's going to get any valuable information out of this file.

And Pantheon also has (we'll talk about this a little later) some assumptions about how your site should be set up for the sake of security, including file write permissions, things you shouldn't have access to on a live environment, hiding the dev environments from search engines, and things like that. So in addition, most hosts will follow some type of pattern in separating duties, segmenting, so you're not running your database server on the same server as your web server; you're separating those pieces out. Your file storage isn't necessarily on the same server; it's segmented out, so that if one is compromised they haven't compromised everything, just that one piece. You know, at Pantheon we have several layers of this. Between each site, between each environment for each site, they're all separate containers; each piece is a separate container, so it's a distinct container running your database on your live environment than any other environment, any other site, so you're not mixing up your data with some other customer's data.

All right, some bonus points for hosting providers: you should know what your host is running, you should be engaging with those teams. Especially in higher ed, for a long time and even still now, we like on-prem; we struggle with moving to the cloud, we have distinct policies in place, we have requirements in place that kind of make this new to us. So if your team isn't the one responsible for web hosting on your campus, engage with that team, make sure you know what you're running, make sure they know, and work with them to make sure things are updated as quickly as possible. And it's worth it; you should do that with your vendor too, like before you sign the contract, before your company gets all connected, you should make sure that your team is aware of what we're doing as well. Absolutely, regardless of where you're going, that's effective. Oh,
so, David, I should mention file and directory permissions. That's simply ensuring the files and directories that your web server has access to are set to the lowest access possible. In other words, do you want 777 on your directories? No. You want to make sure that nobody outside of who should have access has the ability to do anything to those files. In addition, there are certain areas you don't want anybody to be able to touch, right? So you want to make sure that all those files and directories are set to the lowest possible. As far as how it reduces risk, well, improper permissions are going to give away, again, those keys to the castle. You know, we've seen situations where somebody puts an API token inside the website and leaves that directory world-readable, and now all of a sudden anybody can get that API key, and once they've got the API key they can do all kinds of stuff. So you want to make sure you've restricted those permissions down as low as possible.

The way this comes into play on Pantheon is we don't allow code write access on any environment except for your development environment. So if you want to change code, if you're going to do module updates or development or theming or whatever, it all has to be in dev or a Multidev environment. If you're trying to change code on live, it's going to fail; it's automatically not allowed. Which means if you have a security vulnerability like the Drupalgeddons of our past history, and somewhat recent history, they have just not been an issue on Pantheon, because you're automatically immune: if you cannot get write access to code on your live site, it's not a problem for you. The person doesn't have anything they can do if they got access to your site. And tagging on to that, because there are certain areas you should write to, right (I mean, you can upload an image file on your own; it's got to be written somewhere), this is another good example of having good secure defaults: on Pantheon, even if you upload a PHP file to that writable area, in that area scripts aren't allowed to run. So even if they get the file onto the server, they can't do anything with it; it's not going to execute.

The security principle this comes back to is the principle of least privilege. And when I say least privilege, what I mean is that you're going to give the necessary permissions to a person, to a service, whatever it is: you're giving them the permissions they need to perform a duty for a limited amount of time, and it's the bare minimum they need. It is exactly what they need and only what they need, nothing more, and then as soon as they're done, you revoke those privileges, those permissions. That's what I mean by the principle of least privilege.

So some bonus points: you should lock down all areas of Drupal to read-only, except for those areas that explicitly need to be able to write, and in those areas don't allow script execution, and that's really your files directory. Yeah, think about that. Again, if your environment allows it, set those to readable only by the owner if you can; usually I would bet that's PHP-FPM, but either way, whatever is running your processes, make sure it's only readable by that owner. Please.
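The permission rules just listed (nothing world-writable, code read-only, settings.php readable only by its owner, no scripts executing out of the files directory), as an added audit-and-harden script; this is not the talk's or Pantheon's code. It assumes a standard Drupal layout under the docroot given as `$1`, that `sites/default/files` is the only area meant to be writable, and that the web server user owns that directory (so 755 there still lets uploads work). The `.htaccess` check looks for the `SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006` line that Drupal ships in `sites/default/files/.htaccess` to stop Apache executing uploaded scripts.

```shell
#!/bin/sh
# Added example (not from the talk): audit a Drupal docroot for the permission
# problems described above, then apply a least-privilege baseline.
# Assumptions: $1 is the docroot; sites/default/files is the only writable area
# and is owned by the user PHP runs as. Audit first; harden after reviewing.
set -eu

# Count entries any user may write to (mode has the o+w bit, i.e. 002). Want 0.
count_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | wc -l | tr -d ' '
}

# Count server-side scripts sitting in the user-upload area. Want 0.
count_scripts_in_files() {
    find "$1/sites/default/files" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) | wc -l | tr -d ' '
}

# Drupal's shipped files/.htaccess tells Apache not to execute scripts there;
# it is identified by this SetHandler line. Returns 0 when present.
files_htaccess_ok() {
    grep -qs 'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006' \
        "$1/sites/default/files/.htaccess"
}

# Octal mode of a path, GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Least-privilege baseline: code read-only for everyone but the owner
# (dirs 755, files 644), settings.php readable only by owner and group (440),
# upload directories writable only by their owner (755, owner = PHP user).
harden_docroot() {
    docroot="$1"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    chmod 440 "$docroot/sites/default/settings.php"
    find "$docroot/sites/default/files" -type d -exec chmod 755 {} +
}

audit_docroot() {
    d="$1"
    echo "world-writable entries: $(count_world_writable "$d")"
    echo "scripts in files dir:   $(count_scripts_in_files "$d")"
    if files_htaccess_ok "$d"; then
        echo "files/.htaccess:        present"
    else
        echo "files/.htaccess:        MISSING" >&2
    fi
    echo "settings.php mode:      $(mode_of "$d/sites/default/settings.php")"
}

# Usage: ./perms.sh /var/www/html   (audit only; call harden_docroot deliberately)
if [ -n "${1:-}" ]; then
    audit_docroot "$1"
fi
```

Any non-zero count from the audit is something to explain before hardening, not just chmod away: a stray `.php` under `files/` is evidence worth preserving for the triage the talk describes, and a world-writable directory usually means a deploy or upload process was given more than it needs.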
Oh, and minimizing attack surface; this is a bonus, I love this one. So the security principle in this aspect: if you're limiting these areas, if you're saying okay, you can't write anywhere but here, and in this writable area, even if you get a file in, you can't run a script, you can only read files, then you're minimizing the attack surface. What I mean by an attack surface is the sum of all the paths that lead into and out of your application, plus all of the code that secures those paths, plus all the data used in the application, and all of the code that works to secure that data. So if we think about this young model: she's the asset, the rain is the attacker. She has minimized her attack surface by using a raincoat and galoshes and an umbrella; she's minimized the amount of skin that's available to get wet. It's the same thing as minimizing that attack surface. Okay, all right, let me make sure I'm not boring you. Am I? No? Okay.

Next step is removing unused themes and modules. I alluded to this earlier. That's simply just taking anything that you are not actively using, and this isn't just, I should mention, not just themes, modules, and users, but also anything in your systems. If you have on-prem systems and you've got an Apache web server and it's got MySQL installed, but you're not using MySQL on that server, you've got MySQL somewhere else that you're connecting to, get rid of it, because it's another service that's not being used and it can be attacked. So remove everything that isn't in active use. It reduces risk because even if a module or theme is deactivated, the code is still there on the server, right? And if it has a vulnerability, if it has an actionable exploit, it's possibly still exploitable even though it's not activated. I think this is actually pretty understated in the Drupal community, because yes, if you have a module on your site, and over the course of its life you've stopped using it, so you disable the module, you uninstall it, whatever; if you don't actually remove the code for that, though, it's still there, and Drupal is not checking for updates on disabled modules. So if there's a security issue with the code that's running that module, you're not getting an update for it, or you're not even aware that there's a problem, right? So going through and deliberately removing... Oh, I was just going to show you something real quick.
Um, you ever heard of droopescan? I hadn't heard of it before Paul brought it up. So this is one of those tools that can be used for good or bad; there's a lot of these tools. Droopescan can scan CMSs, and what I can do, I'm not gonna do it here because it'll take too long, I can actually point it at a site, a Drupal site, and it'll scan the Drupal site and find the modules that are installed, and now I can go back and find those modules and see if they have any known exploits. In addition I can look for all kinds of interesting things, so I can say hey, you know, scan this site and find the admin area, give me a location I can log in, or I can say hey, what version are they running? [inaudible] And what it does is called black box scanning, cuz I don't necessarily know anything, but it's gonna scan the site, possibly, unless you're really watching for it, you're not even gonna know in your access logs. Possibly fingerprinting things: it's gonna pull JS files, it's gonna pull CSS files and get the hashes for those to figure out what version you're using. It's gonna look for common login areas and pull those out. All right, so even if you have modules uninstalled or, excuse me, deactivated, if you haven't actually removed them an attacker can still scan your site and see if you have them installed and then take advantage of those.

[Audience, partly inaudible:] If you've got users... but it doesn't tell you all of the modules that are on your site that are in use, including if you've got a sub-block or within Views or whatever... that's a perfectly sane... to the command for updating modules, there is an option in there to say, like, check the disabled ones.

Oh, I didn't know that before. Perfect, yeah.
So, again, kind of like with the backups, we should be doing routine audits of your modules and themes and your users, because if you've got users in your site that aren't active, well, that's just one more account that can be compromised, and again it removes those potential vulnerabilities. Bonus points: make those things an audit, just make it a habit. You know, you're gonna test your backups, I'm gonna go see what deactivated modules look like, I'm gonna see what deactivated themes look like, I'm gonna see when the last time a user logged in, and I'm gonna remove those. Because you don't put a user back, right? You deactivate their account, you get rid of that account; if they come back and they need it you can always put them back, but you minimize that attack surface by removing that user, and they can't be compromised if they're not there. Or in Drupal you can also block the account, that's when it's not being used; it'll prevent them from being able to log in, and it also maintains any content they've created under their authorship. So it's a common practice to just block anyone that is no longer needing access to the site, and then if they need it again, if you need to give them access again, it's easy to do that.

Ah, your homework. You should do your homework on themes and modules. You should research those themes and modules you've installed. Drupal is better, I will say this about Drupal: with WordPress anybody can write a plugin and get into the public repository; Drupal is better than that, at least they attempt to do a true scan before they add it in. But how do you know for sure how well that theme or module's been coded? All right, unless you're gonna do your own audit on top of it here, you're totally relying, whoops, it's good, you're totally relying on somebody else to make sure that that code is secure. So you should definitely do some research. You can bring up... okay.
Yeah, so one thing that the security team does is it maintains a list of modules that it automatically checks. If it has that little shield there it means, that's what I was just saying, that's what I was looking for, if you have a little green shield it means that your site is actively being monitored by the security team; it is under its umbrella of protection, basically. There are other modules that can be added, other tests, experimental things or really edge cases that are not all that common. If you visit a site, it'll probably, I think it's yellow if it's not currently being monitored. It doesn't have the little shield and there's a big warning that says this is not being monitored, you know, by the security team. You can still report any issues that exist with those and they will jump in, but it's one thing to be aware of as you are going through and researching which themes or modules you might want to use.
So how does it reduce risk? Well, every piece of code, no matter where it comes from, even from Drupal directly, every piece of code you add increases your attack surface, right? You're increasing the available area for an attacker to attack. Every piece of code that you add has that potential to add or introduce a new vulnerability into your system, and the security principle in play here is to be paranoid and be skeptical. Oh, your paranoia is exhausting. That's... being paranoid is really a security principle. Let's say you should treat all third-party code as hostile, all right? When you introduce new code into your system, or data, not just code but data as well, you should just automatically assume or take the stance that that code, that data, is hostile. You're introducing potential problems into your system.

Some bonus steps here for those of you in higher ed: I strongly, strongly, strongly urge you to take advantage of Dorkbot. The University of Texas has a program in place where they will scan your environment on a routine basis. Yeah, I'll flip back to it, it's security.utexas.edu/dorkbot, or pretty much if you search for Dorkbot you'll find it too. But once you give them, so you've got to whitelist them, because they are going to be running simulated attacks, so you've got to whitelist them in your network. Once you've whitelisted them they'll run routinely on your network looking for common vulnerabilities and then notify you of those common vulnerabilities. So it has been fantastic. I don't know about you; University of Missouri is completely decentralized, the web on our campus has grown organically over the last thirty years, it is a complete mess, we don't even know how many sites we have. So this has been a godsend, in somebody contacting us letting us know hey, you have this site, it's got a SQL injection vulnerability, and now we can go out and get that patched, you know, we didn't even know it was there. Right, and it's not specific to Drupal or WordPress, right, it's just scanning everything in your network, and it is free for higher ed. So if you're in higher ed, take advantage of it, it's fantastic.

If you can, you should run that third-party code through PHP CodeSniffer and its security checks. You can automate that, part of the CI stuff he was talking about; you can just have all that code running through that security check to flag potential vulnerabilities. And if you can, have your developers run static code analysis as they're developing to kind of flag potential problematic areas.
All right, limited user roles. I think you're gonna talk about this a little bit there. Yep, so, I mean, you want to say it's kind of like with the file permissions: when you give somebody an account on your site you should give them the bare minimum permission they need in order to perform the functions that they're supposed to do, no more. How many of you go into Drupal to add content as an administrator? This is, this is a safe space, you can admit it. I do. So why do you do that? Oh, really? You should only log in with a higher privileged account when you need the permission that higher privileged account has in order to do those other functions. A similar question might be how many people log in as user one after the site's been built? Which, if you don't know, the first user is the one that... it ignores all permission checks, so you automatically get... that's an account that you should create, you know, when you set up the site, and maybe use it to build the site, but then it should, like, not go away, but you should never use it unless you're doing a major improvement in something. Yes, and so that security principle again, same as with the file permissions, that's least privilege. And it's not just in Drupal, it's also in whatever system you're using to manage your site itself.
So in Pantheon, yeah, you know, I don't know if I ever got you there [inaudible] for this, but so in Pantheon, both at the site level you can choose people on your team, so here I have people on my team and you can choose at this level what access they have. You can choose between developer, team member or admin. As a developer you can write commits but you can't actually deploy them up to, like, the live site or the test site, so that's good for developers on your team that don't need to do that deployment, or for contractors you might be working with where maybe you need to review their work before you can get it up to the live site. So that level exists here at the site level, but it also exists at the agency level, or the org, globally, so you can set up that tiered access at that level as well and give people access to all of your sites at whatever tier is appropriate.

So how does it reduce risk again? Well, it's gonna minimize the damage if an account is compromised, right? So if somebody compromises an account you're minimizing, because of it being compromised, the author account, all they're gonna be able to do is change content. It also reduces the opportunity for a rogue user, so if you've got an employee who's fired and you forgot they were fired and they're upset about it, well, if you've limited what they can do you've minimized how much damage. And this is one that most people forget: it's just somebody making a mistake, right? I mean, do you want somebody on Pantheon to be able to go in and deploy to live if they're really not somebody that should be deploying to live? They might not even mean to, they might just, like, click the button by accident, not know what they're doing. So by minimizing those roles you're also reducing the opportunity for somebody to make a mistake inadvertently and cause a problem. So obviously we were looking at Pantheon for these, but at the Drupal level also it's super, super easy to create different roles that are for each unique thing. Yeah, it's easy to do that, so easy that you shouldn't feel like you have to give someone advanced permissions if they just need to do one particular thing. It's so easy to grant, like, create a new role, give them that permission, and then, yeah, know that they're just doing that. And yeah, don't take the easy way out every time somebody says I need this and you just go, that's fine, I'll make you an administrator. Take the time, give them a custom role, make sure they have just what they need. And then do an audit on it: go back and look and see how many administrators I have on this site, how many other roles do I have, and are all these people active, do they still need the permission that I gave them at some point? Maybe they changed roles in their job and they no longer need those elevated privileges. So again, another routine audit; just add it into that routine basis.
Protecting settings: we kind of touched on this earlier. You should protect the settings file, you should add rules to prevent direct access, move the file somewhere that's not publicly accessible if you can do that. Um, well, we talked about this, but it contains your database credentials and your hash salt, and you don't want to accidentally expose that to the world. And bonus points if you can set the permissions again to 400, which basically just means the owner, whatever process is running the PHP processor, only the owner of that can read it. One piece to add to this, yeah, that's good, right, is if you're working locally on your computer it's easy to set up a local settings.php file so that you don't have to, like, get the credentials for the server on your computer or kind of lose them all the time. It's easier than some people expect. Any questions so far? I want to make sure, because again you're kind of all, there's sleepy-looking... okay.
And that's... and that is fantastic. Make sure, double check, always make sure... SSL. What is simply an SSL or TLS certificate on your site? It does not encrypt your site; there's a lot of confusion with this. It doesn't encrypt your site, it encrypts the data transmission between your site and the end user, that's what it does. So as they send you information, as you process, the site processes the information and sends it back, that's what's encrypted. It doesn't encrypt your site, but it does protect those credentials, because if a user is logging in, what are they sending to your site? Yeah, password, right? That's an asset; we want to protect that asset. So what that's called is encrypting in transit: we're encrypting that information as it goes across, so somebody sitting out on the web can't sniff that information as it goes by. So in that case we're minimizing that attack surface, we're reducing the areas that someone can attack.

Some bonus steps: if you can, you should just enforce HTTPS everywhere. Yep, and this isn't as big of a deal as it was a couple years ago, it's actually much, much easier now to add an SSL cert, and I believe, well yeah, it's getting much easier across the web, but Pantheon also provides it for free automatically, every site, every environment. And it is easy to update, like, a redirect rule in your settings.php, or through some other process, you know, .htaccess if you have a different hosting provider, so it always redirects your traffic to the HTTPS version, because, as Paul said here, you want that to be for the entire site, not just your login page. Even if you don't care about security it will help your SEO. Yes, [inaudible] takes into account whether or not you've got that cert.

So we have some content here on strong passwords, but I'd say let's skip through this a little bit. My colleague here, Dan, has a talk tomorrow at 9:00 a.m. about, well, why don't you tell us about this real quick, a little bit about just general personal internet security? Or just... we're gonna talk a lot about passwords, we're gonna talk a little bit about HTTPS encryption and that type of thing too, just some things you can be aware of, whether you are being secure or not. I think it's, um, [inaudible]. Go to his talk.
So you should use a password that's long and, where it contains randomized alpha characters, digits, special characters, doesn't contain any common names, words in the dictionary. How does it reduce the risk? Well, historically we've seen what I call brute force attacks, where they try every possible combination, right? I'm gonna just scan through and just try every possible combination of letters and characters and numbers. So it makes it more difficult, it prevents unauthorized access, again compromising that account. But my slide catches up with me: even more important than complexity is length. Simply by adding three or four more characters to your password, it has the same entropy, that same randomness or available combinations, as adding special characters or more complex characters. So what you want to do is you want a really long password.
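An added worked example, not from the talk's slides, that puts numbers on the "length beats complexity" point above: it computes entropy and exhaustive-search time at the hundred-billion-guesses-per-second rate the talk quotes, and how many extra lowercase characters match the entropy of a shorter mixed-class password. The character-class sizes and the sample passwords are assumptions constructed for the example.

```python
import math

# Constructed example: entropy and brute-force time for passwords of
# different lengths and character sets. The 1e11 guesses/second rate is
# the figure quoted in the talk; everything else here is assumed.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-class sizes (assumed: printable US-keyboard ASCII).
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 33


def charset_size(password: str) -> int:
    """Estimate the alphabet an attacker must search from the character
    classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SPECIAL
    return size


def entropy_bits(alphabet: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet ** length)."""
    return length * math.log2(alphabet)


def years_to_brute_force(alphabet: int, length: int,
                         rate: float = GUESSES_PER_SECOND) -> float:
    """Years to exhaust the whole keyspace at `rate` guesses per second."""
    return alphabet ** length / rate / SECONDS_PER_YEAR


def extra_length_to_match(base_alphabet: int, base_length: int,
                          small_alphabet: int) -> int:
    """Characters a password drawn from the smaller alphabet must add to
    reach at least the entropy of the larger-alphabet password."""
    target = entropy_bits(base_alphabet, base_length)
    length = base_length
    while entropy_bits(small_alphabet, length) < target:
        length += 1
    return length - base_length


def password_strength(password: str) -> dict:
    """Alphabet size, entropy and brute-force time for one password,
    treating it as if chosen uniformly from its character classes."""
    alphabet = charset_size(password)
    return {
        "alphabet": alphabet,
        "bits": round(entropy_bits(alphabet, len(password)), 1),
        "years": years_to_brute_force(alphabet, len(password)),
    }


if __name__ == "__main__":
    # Constructed sample passwords; do not use any of them.
    for pw in ["Tr0ub4d!", "correcthorsebattery", "Tr0ub4d!xyz"]:
        print(pw, password_strength(pw))
    # An 8-character all-classes password vs. lowercase only: how many
    # extra characters does the lowercase one need to catch up?
    print(extra_length_to_match(LOWER + UPPER + DIGITS + SPECIAL, 8, LOWER))
```

With these assumptions an 8-character password using all four classes (about 52.6 bits) is matched by a 12-character lowercase one (about 56.4 bits), which is the three-or-four-extra-characters figure from the talk.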
All right, so this is your new password. Yes, don't, don't actually use this as your password; we have given this presentation before and it is out there on the Internet. So using this password, so you see, at a hundred billion guesses per second it's going to take six point two two million trillion trillion trillion centuries to brute-force it. Okay, I'm going to use that password on all of my sites. It also has to be unique. It's got to be unique for every, say, every account you have, no matter where it is, no matter how you're using it, should have a unique password for it. The reason why: as of 2017, the end of 2017, 7 billion billion [inaudible] credentials have been leaked. You are definitely on a list somewhere with some credentials. In fact, if you've never heard of Have I Been Pwned, you should check that site. They keep track of all these, and that's a great one actually; if you go there and you take all your email addresses it will notify you every time that it detects your email address and password being used on the internet in some sort of a leaked list somewhere. So go through all of your email addresses that you use, and then go and reset the passwords from those places whenever they've been announced.

Because of Dorkbot, that's another nice thing about Dorkbot: when these lists are leaked and they're finally publicly available, if any of them match your domains they will email you the list and say hey, you've got 13,000 accounts that have shown up on these leak lists, you need to check. We just literally less than a month ago got a collection of, now it's only four out of thirteen thousand, that's pretty good, but we started going back and looking at the ones that looked like they might be legitimate passwords, and sure enough when we contacted a random selection of people and said hey, have you ever used this as a password, they're like oh yeah, that was the one I used here, like, last year, or that's the one I'm still using over here at this other site. So every site needs a unique password. I won't go too much farther into that.

Credential stuffing: I mentioned earlier about historically they do a brute force; instead now they do credential stuffing, and what that is: the leaked lists, they go through what's been analyzed, they pull out the most common thousand, ten thousand, and then they just try all of those passwords. It's much, much faster than trying to brute force, because now I've got a collection of commonly used passwords that I can go through much faster, and that's how in a lot of situations we compromise accounts now. Someone goes through these pretty quick.

You should use, excuse me, a password manager. Hey, how many of you can remember thirty-two completely random characters times a thousand for all your sites? It's impossible. The only way to do this as humans, the only way to do this now, is a password manager. You have to use a password manager, and not just for yourself, but then enforce these strong passwords for all your users in every one of your sites if you can. A lot of us in higher ed have single sign-on systems, either using Shibboleth or CAS or LDAP, I mean whatever one you're using; tie into your single sign-on systems if you can, because those systems are designed to handle credentials, so let them handle those pieces and enforce those strong passwords. Tie into those systems. That's it, I'm gonna speed up, just looking at the closeout of time.

You should lock accounts that have too many failed attempts, because of credential stuffing. If I get your, let's say you log in with gilzow, you know, that's your login name, and I start trying all... and allow me to try to guess... no, even if it's not gonna match, even if I've got a really good password, what's it doing to your system as I'm doing that? It's taking up resources, it's taking away from servicing your customers and your clients. So what you want to do is you want to lock down or block access to an account or to an IP address if they've had too many failed attempts.
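An added example, not from the talk or from Drupal, of the lockout rule just described run over constructed login events: it locks an account after repeated failures, and separately blocks a source IP that spreads failures across many accounts, which is the credential-stuffing pattern the talk describes. The thresholds, window, log format and IP addresses are assumptions made up for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed example: sliding-window lockout of accounts and source IPs.
# Thresholds and window are assumed values, not from the talk.
ACCOUNT_MAX_FAILURES = 5      # failures per account before lockout
IP_MAX_FAILURES = 20          # failures per IP (any accounts) before block
WINDOW_SECONDS = 15 * 60      # sliding window for counting failures


@dataclass
class LoginEvent:
    ts: int          # unix timestamp of the attempt
    user: str
    ip: str
    success: bool


class LockoutPolicy:
    def __init__(self):
        self._by_user = defaultdict(deque)   # user -> failure timestamps
        self._by_ip = defaultdict(deque)     # ip -> failure timestamps
        self.locked_users = set()
        self.blocked_ips = set()

    @staticmethod
    def _prune(q: deque, now: int) -> None:
        # Drop failures that have fallen out of the sliding window.
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_allowed(self, user: str, ip: str) -> bool:
        """Locked accounts and blocked IPs are refused before any password
        check, so they stop consuming the server resources the talk mentions."""
        return user not in self.locked_users and ip not in self.blocked_ips

    def record(self, ev: LoginEvent) -> str:
        """Feed one event; return the action taken for it."""
        if not self.is_allowed(ev.user, ev.ip):
            return "refused"
        if ev.success:
            self._by_user[ev.user].clear()  # a real login resets the account count
            return "ok"
        for q in (self._by_user[ev.user], self._by_ip[ev.ip]):
            self._prune(q, ev.ts)
            q.append(ev.ts)
        if len(self._by_user[ev.user]) >= ACCOUNT_MAX_FAILURES:
            self.locked_users.add(ev.user)
            return "lock-user"
        if len(self._by_ip[ev.ip]) >= IP_MAX_FAILURES:
            self.blocked_ips.add(ev.ip)
            return "block-ip"
        return "fail"


def parse_log(lines):
    """Parse constructed log lines of the form 'ts user ip ok|fail'."""
    for line in lines:
        ts, user, ip, result = line.split()
        yield LoginEvent(int(ts), user, ip, result == "ok")


def run_policy(lines) -> LockoutPolicy:
    policy = LockoutPolicy()
    for ev in parse_log(lines):
        policy.record(ev)
    return policy


# Constructed sample: one IP tries a password against many accounts
# (stuffing), a legitimate user mistypes twice then logs in, and one
# account gets hammered from a single address.
SAMPLE_LOG = (
    [f"{1000 + i} user{i:02d} 203.0.113.9 fail" for i in range(25)]
    + ["1100 alice 198.51.100.4 fail", "1105 alice 198.51.100.4 fail",
       "1110 alice 198.51.100.4 ok"]
    + [f"{1200 + i} bob 192.0.2.7 fail" for i in range(6)]
)

if __name__ == "__main__":
    p = run_policy(SAMPLE_LOG)
    print("locked users:", sorted(p.locked_users))   # ['bob']
    print("blocked IPs:", sorted(p.blocked_ips))     # ['203.0.113.9']
```

Note that the stuffing source never trips the per-account limit (one failure per account), which is why the per-IP counter is needed alongside it.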
It reduces risk because, if that threat is unauthorized access, excuse me, and that weakness, that vulnerability, is a common password, it reduces the ability of a threat agent to exploit that vulnerability, and we're minimizing the attack surface again. Two factor is kind of the same thing. It simply adds a secondary or multiple step that has to be completed in order to authenticate, so even if the password is in the common list and they get that, well, then they're stopped at the next step. Reduced risk: it has an extra layer in the defense, and the security principle is defense in depth.

So, talking about defense in depth real quick: how many of you have ever played... whoa, hey, where's my... oh well, here, we'll skip to it because we're almost at, [inaudible], we have one slide away. But how many of you ever play cornhole? Know what that is? All right, it's a game where you've got a board, it's got a hole in it, you've got beanbags, you're trying to get it into the hole. Let's say it's a modified game, or a carnival: the board is vertical, it's spinning, it's got a hole in it, you've got three beanbags and your objective is to get one of the beanbags through the hole and you win the prize. So how hard is it to get that beanbag through the hole? Hard? Impossible? No. All right, let's say it's not one board, it's two boards; the second board is spinning in the opposite direction, the hole is a slightly different size and it's slightly different in location. Now how hard is it to get my beanbag through the hole? It's definitely hard, right? Not impossible; I can watch, get a feel for where they line up, and if I time my throw just right I'm gonna get it in there. Let's say it's not two, let's say it's three, it's four, it's five, it's eight boards, almost all in opposite directions from each other. Oh, now how hard is it? You said what I wanted to hear: that's exponentially hard. Okay, that is defense in depth. Defense in depth acknowledges that every layer of defense, everything that you can do, has a vulnerability, has a possible exploit; that's just the way it is. But if we can layer them one on top of the other we're gonna slow down an attacker, because if he or she gets through one they're gonna hit a second one; they get through that, they might hit a third and a fourth. What we're trying to do is slow them down, or possibly stop them, but at least slow them down and convince them to give up and move on to the next easier target.

All right, now, watching you, analyzing my target, that's more an example of a singular, focused attack. Let's say instead that somebody shows up at the game with an automatic beanbag gun; that's like an automated attack where you're just gonna get hit, they're just throwing everything at your site hoping to finally land that one perfect shot all the way through your defenses. Because how many times does an attacker have to be successful to win? Once. How many times do you have to be successful? All.
Right, um, I think we can skip right to the end at this point. Yeah, we only have about four minutes left, so we should probably stop for questions soon. That's the summary. So real quick, the summary, just give it to you all at once: just all of you thinking in terms of how you can minimize risk. Remember that risk is those assets you've got to protect, so the fewer assets you have, that lowers the risk. What are the threats? The more you can reduce the threats, you minimize that risk. If you can lower the impact of a threat occurring, you're lowering that risk. So always be thinking in terms of how you can minimize risk. Minimize the attack surface, reduce the available area that can be attacked. Use the principle of least privilege. Use defense in depth. Don't [inaudible] with no vulnerabilities; be paranoid. Begin thinking in terms of okay, as this system, or as this code comes in, as this data comes in, I have to treat it as if it's already bad. Um, and I hope this is the most, the most important thing: just know that it's a continual process. It's not, I'm gonna do this thing, I'm gonna do some security stuff and now I'm done, I don't want to do anything anymore. It's not. It's a continuous process that you always have to revisit, because the landscape is always changing; attackers are always coming up with new and different ways to compromise. Oops. What questions do you have for us?
Oh, sorry, before we get... in front, call for questions. Uh, please do give us feedback, visit the URL; if you can do it now or, like, you know, right away, that would be even better. Let us know how we can improve and all those things. Also, if you would like the slides, I know that there's a few links, there's a lot of content that we talked about today; it's not currently available on this site right here on the page for this talk, but it will be. Yeah, before the end of the day I'm going to get this tied up into a PDF and put it up on the website. Also I will be tweeting it, at David Needham; I'll send out a tweet with a link and you can get it from there. Yeah, if you have, after this, any questions, I am really, really easy to find online. It's g-i-l-z-o-w, just like it sounds, gilzow, and I am gilzow everywhere. There's like fifteen Gilzows in the US and they're all related to me, so if you get the wrong one they're gonna find me, so I'm really easy to find. Did everybody learn at least one new thing? Anyway, if you did not learn one new thing, cuz we didn't... we can stay after and I'll help you learn something. Okay, any questions, for anything at all?

Sure, it's also training. It, so, absolutely, yes, yep, yes. In fact that was the light bulb for me: I was a developer and I had built an application system for human resources, and it was attacked. At that time we stored Social Security numbers, and it was compromised, and at that point I got mad that somebody did that to me. I went into training, got my GSE, GSA at the time, whichever, got my [inaudible], learned about security, and then all of a sudden it was like the light bulb went off on my, whoa, this is how they do this. So you absolutely train; it's crucial, and we don't do enough of it, interestingly, in education.

You can use, depending on the option that you choose, you can do this two-factor authentication with that also, which will give you another layer, make sure that password is as secure as it can be. Also, it all goes back down to minimizing risk: which is riskier, having the same password in a bunch of places, using a really easy to guess password everywhere, or having really, really super secure passwords in 99.999% of the places and then have one password that gets into those? It's a trade-off, right? You're absolutely right, if somebody gets my password manager password then yes, they've got the keys to everything. [inaudible] It is, it is. It's, you go out depending, edge cases, right; I can't speak to every password manager, it should be encrypted, but if they, yeah, have your password to that encrypted database, they can decrypt it, then they get everything. But again, as long as your one password that you're using is secure, it's long, make it as long as you can, you can even have that one stored in another security, password, maybe really complicated with it. But as long as you're protecting that one and routinely changing it, like you should go in and update every, but every so often, it's a trade-off, but I think it's still one that far outweighs... And companies like Pantheon, we also have YubiKeys, which are like a physical device you plug into your computer and push a button to authorize a login, so in traditional... yeah. So we're actually out of time, thank you all for coming today, and we will move to the side. Actually we're gonna move to the Pantheon booth so the next presenter can come on in and set up, but if you have any other questions we'd love to talk to you more.