defense in depth - lessons learned from securing over 100,000 drupal sites

Upload: pantheon

Post on 06-Aug-2015

PANTHEON

Defense in Depth

Lessons Learned from Securing 100,000 Drupal Sites

Introductions

Nick Stielau - @nstielau
Pantheon - Director of Engineering
Managing Security for 100,000+ Drupal Sites

Chris Teitzel - @technerdteitzel
Cellar Door Media - Founder
Architected secure platform for large scale e-commerce site

Luke Probasco - @geetarluke
Townsend Security - Drupal General Manager
Manage Drupal business for Townsend Security

Three Perspectives

Nick Stielau - Platform Architect
Chris Teitzel - Drupal Architect
Luke Probasco - Compliance, encryption, and security consultant

“There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”

Robert Mueller, Former FBI Director

Son of a Breach

The average cost of a data breach is:
● $3.5 million per breach
● $145 per record

So far this year (as of 4/28/15):
● 270 breaches
● 102,372,157 records exposed
● ~10 records/second

YOU will be hacked*

*unless your site is permanently offline

Step 1: Build a security consciousness

How to think about security

It’s a frame of mind

Security is All Around Us

Ignorance Paranoia

Risk Mitigation (chart: Risk against Security Investment)

Compliance

● The low bar for data security
● Declares the minimum security for you
● Qualified Security Auditor (QSA) can help you meet compliance
● Encryption and key management help

CIA Security Triad

● Confidentiality
● Integrity
● Availability

What Does Hacked Mean?

● Defacement
● Denial of Service
● Data Breach
● …

Step 2: Defense in Depth

Defense in Depth

Don’t do this…

Secure Drupal

Secure Hosting Environment

Unhardened SSH

Are you vulnerable?

● US Cert
● Drupal.org/security
● Fedora/Ubuntu Mailing Lists
● Apache/Nginx/Varnish/Redis Mailing lists
● Twitter

Compliance Regulations

PCI Data Security Standard (PCI DSS) - Retail
HIPAA - Healthcare
GLBA / FFIEC - Financial
FISMA - US government agencies
FERPA - Educational institutions
State and Federal Privacy Notification laws

“Use of a PCI DSS compliant CSP does not result in PCI DSS compliance for the clients. The client must still ensure they are using the service in a compliant manner, and is also ultimately responsible for the security of their CHD.”

PCI DSS Cloud Computing Guidelines

SHARED RESPONSIBILITY

Personally Identifiable Information (PII)
What is it and why does it matter?

● NIST Special Publication 800-122 defines PII
● Examples:
  ○ Full name
  ○ Home address
  ○ Email address
  ○ IP address
  ○ Drivers license
  ○ Login name, screen name, etc.
  ○ Face, fingerprints, or handwriting
  ○ Credit card numbers
  ○ Digital identity
  ○ Date of birth
  ○ Birthplace
  ○ Telephone number

Piecing Together Identity

Zip Code
Birthday
Coke or Pepsi?
State

Step 3: Essential Security

Back it up

So you can sleep at night.

Use Version Control

So that you know if your code has been changed.

Use Secure Passwords

Two Factor Authentication

You’re Not Alone

Key Management

Step 3: Securing your Stack

Evaluating Hosting

The stack:
Hosting
Operating System
Database
Web Server
Drupal
JavaScript
Team

Does your hosting provider help you secure the whole stack?

Corporate Datacenter

Fluffy marketing brochureware site

Your entire business

Securing your OS

● Install security updates
● Achieve sensible configuration
● Invest in ability to safely, quickly update servers
● Definitely do:
  ○ iptables
  ○ ssh (no root, no passwords)
  ○ sudoers
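As an added example (not from the slides) of checking the "ssh (no root, no passwords)" item, this POSIX shell script audits an sshd_config for the two OpenSSH directives involved; the sample config files it writes are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "no root, no passwords".
# The two sample files below are constructed so this runs offline.

# Effective value of a directive: sshd honours the first occurrence and
# ignores commented-out lines, so "#PermitRootLogin yes" does not count.
# (Match blocks are not handled here; audit those separately.)
sshd_get() {
  awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Returns 0 when PermitRootLogin and PasswordAuthentication are both "no",
# otherwise prints each offending directive and returns 1. A missing
# directive counts as not hardened: sshd's default is PasswordAuthentication
# yes, and PermitRootLogin yes (older) or prohibit-password (newer).
check_sshd_config() {
  rc=0
  root=$(sshd_get "$1" PermitRootLogin)
  pass=$(sshd_get "$1" PasswordAuthentication)
  [ "$root" = "no" ] || { echo "$1: PermitRootLogin=${root:-unset}, want no"; rc=1; }
  [ "$pass" = "no" ] || { echo "$1: PasswordAuthentication=${pass:-unset}, want no"; rc=1; }
  return $rc
}

# Constructed samples: one hardened, one left at distribution defaults.
dir=$(mktemp -d)
cat > "$dir/hardened" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$dir/default" <<'EOF'
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
UsePAM yes
EOF

check_sshd_config "$dir/hardened" && echo "$dir/hardened: ok"
check_sshd_config "$dir/default" || echo "$dir/default: NOT hardened"
```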

Securing Nginx and Apache

● One of the quickest places to lock down; add headers, e.g. X-Frame-Options
● Make use of logs (logrotate)
● Disable server tokens
● Use proper .htaccess in files directory
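An added example, not from the slides, that checks a saved HTTP response for two of the items above (a Server header that leaks a version, and a missing X-Frame-Options header); the header dumps are constructed stand-ins for `curl -sI` output.

```shell
#!/bin/sh
# Added example: audit response headers for server tokens and X-Frame-Options.
# The before/after header dumps are constructed; in practice they come from
# `curl -sI https://your-site` against the server being hardened.

# Value of a header (case-insensitive name, CR stripped); empty if absent.
header_value() {
  awk -v name="$2" -F': *' 'tolower($1) == tolower(name) { sub(/\r$/, "", $2); print $2; exit }' "$1"
}

# Returns 0 when the response is clean, otherwise prints each finding and
# returns 1. A leaked version is any "/digit" after the product name,
# e.g. "nginx/1.8.0" or "Apache/2.4.7 (Ubuntu)" (server tokens still on).
audit_headers() {
  rc=0
  server=$(header_value "$1" Server)
  xfo=$(header_value "$1" X-Frame-Options)
  case "$server" in
    */[0-9]*) echo "$1: Server header leaks a version: $server"; rc=1 ;;
  esac
  case "$xfo" in
    DENY|SAMEORIGIN|deny|sameorigin) ;;
    "") echo "$1: X-Frame-Options missing"; rc=1 ;;
    *)  echo "$1: X-Frame-Options has unexpected value: $xfo"; rc=1 ;;
  esac
  return $rc
}

dir=$(mktemp -d)
cat > "$dir/before.txt" <<'EOF'
HTTP/1.1 200 OK
Server: nginx/1.8.0
Content-Type: text/html; charset=UTF-8
EOF
cat > "$dir/after.txt" <<'EOF'
HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
EOF

audit_headers "$dir/before.txt" || echo "$dir/before.txt: needs hardening"
audit_headers "$dir/after.txt" && echo "$dir/after.txt: ok"
```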

Securing your Database

● Change default password
● Lock down access to required hosts
● Secure your backups

Data Encryption

Encryption Modules: Encrypt, Key, Encrypt User, Encrypt Form, Encrypted Files, AES Encrypt

Encryption Key Management (Don’t tape your key to the front door)

Best Practice: Store and manage keys on a different server than where the data is

Protecting API Keys

Best Practice: Don’t share your API keys with developers that don’t need access to them (aka the Principle of Least Privilege)

Best Practice: Use per-developer and per-system keys

Drupal Core Security

Keep it updated!

Avoid getting creative with permissions

Understanding ‘contrib’ module security

Active, popular plugins are most likely to have security scrutiny

Securing your Team

● Enforce 2FA, strong passwords
● Build a security consciousness

Step 4: What happens in the Real World

Pantheon Trenches

Drupalgeddon

https://pantheon.io/blog/what-we-are-seeing-drupal-sa-2014-005

More about Drupalgeddon from Matt Korostoff, 5pm HERE

Constant SSH Attacks

7k attacks per week

p.s. Check out fail2ban for curbing the worst offenders
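As an added example (not from the slides) of the signal fail2ban's sshd filter counts, this shell script tallies failed password attempts per source address from auth.log lines; the log lines are constructed and use TEST-NET addresses.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source, the same signal
# fail2ban's sshd filter keys on before it bans. The auth.log sample is
# constructed (TEST-NET addresses, invented pids and ports).

# usage: failed_ssh_by_ip LOGFILE -> "count ip" per source, busiest first.
# Only sshd "Failed password" lines count; accepted logins are ignored.
failed_ssh_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
       }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# usage: offenders LOGFILE THRESHOLD -> addresses with >= THRESHOLD failures,
# i.e. the ones fail2ban (maxretry) would block with an iptables rule.
offenders() {
  failed_ssh_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

log=$(mktemp)
cat > "$log" <<'EOF'
Apr 28 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 28 10:01:04 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 28 10:01:09 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
Apr 28 10:01:15 web1 sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 51060 ssh2
Apr 28 10:02:30 web1 sshd[2120]: Failed password for deploy from 198.51.100.20 port 40010 ssh2
Apr 28 10:02:41 web1 sshd[2124]: Accepted publickey for deploy from 198.51.100.20 port 40012 ssh2
Apr 28 10:03:00 web1 sshd[2130]: Failed password for deploy from 198.51.100.20 port 40020 ssh2
EOF

echo "failed logins per source:"
failed_ssh_by_ip "$log"
echo "would be banned at maxretry=3:"
offenders "$log" 3
```

The real fail2ban default for sshd uses a similar threshold over a sliding time window (findtime), which this tally ignores.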

Targeted HTTP DDOS

(a lot of) Credit Card Data

What happens when you’re handed a db of credit card data?

Risk Mitigation - C.Y.A.

Case Study: Hotel chain intranet

● No one wants to see their name in the headlines for a breach
● Brand damage, loss of customers, loss of jobs
● Do the right thing

Halp! I Got hacked!!

Don’t Panic… React!
1. Rollback
2. Review
3. Reach out!

https://www.drupal.org/node/2365547

Keep the Conversation going!

Image Attributes

https://flic.kr/p/4b4MK8 - Cogs
http://www.digitalthreat.net/2011/12/anti-virus-wont-keep-your-data-safe/# - CIA Triad
https://farm8.staticflickr.com/7313/9762758421_ff318a9c1f_o.jpg - Frame of Mind
http://cybersecurity.mit.edu/2013/12/open-source-software-is-it-secure/ - Open and Secure?
http://jr19759.deviantart.com/art/Team-Supreme-350105585 - Team Supreme
https://www.flickr.com/photos/37873897@N06/8049569753/ - thoughtful dude
https://xkcd.com/936/ - XKCD Password strength