SlideShare a Scribd company logo

Drupal Camp Atlanta 2011 - Drupal Security

Download as PPT, PDF
Mediacurrent
Mediacurrent

Introduction to security on Drupal and introduces some testing tools, common problems and solutions. We also introduce the concept of a response team and best practices to get you started.

Technology
1 of 26
Locking down Drupal and  managing security breaches By Andy Thornton Mediacurrent Consultant Twitter: @BohemianPixel [email_address]
Overview ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
What is SQL Injection ,[object Object],Example SQL Statement: statement = "SELECT * FROM users WHERE name = '" + userName + "';" But what would happen if they added something else to their name, something we didn't plan for ..
even more simply ...
Handling SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Sanitise your inputs
SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Writing secure queries based on inputs
What is Cross Site Scripting? ,[object Object]
What just happened? ,[object Object]
More Examples... ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Protection from XSS ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Permissions ,[object Object],[object Object],[object Object],[object Object],chown , changes ownership of the file or directory. For drupal we would give the world (Apache) read only access to our settings.php, but let the user own the rest of the directory chmod 400 settings.php chown www-data:www-data settings.php
Social Engineering Meet Kevin Mitnick Master of Social  Engineering. http://mitnicksecurity.com/ It seems to be a universal truth that most people don't believe Social Engineering (gaining information by deceit) could be so easy. "No one could be that stupid" is a common phrase heard from people who first learn how these types of attacks work.  However, once demonstrated (especially with some personal information of theirs) they become hard and fast believers. Just seeing it in action brings home the reality that information can leak through most any worker and that one must always be on guard. 
Couple of one-liners ... ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Web Application Firewalls
Handy Tools to know ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Tiger Teams ,[object Object]
What is a tiger team? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],The term originated in aerospace design but is also used in other settings, including information technology and emergency management. According to a 1964 definition,  "It has been described as a team of undomesticated and uninhibited technical specialists, selected for their experience, energy, and imagination, and assigned to track down relentlessly every possible source of failure in a spacecraft subsystem." - wikipedia
What do they do? ,[object Object],[object Object],[object Object]
Always have a plan ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],"I have a plan so cunning you could stick a tail on it and call it a weasel" - Lord Edmund Blackadder
Always remember ... ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Handling a security breach
First Off
Unleash the Tigers
Activate your CSIRT .. Tiger Team! ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Follow your workflow and communication plan.
Resources ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Secret Service Atlanta Electronic Crimes Task Force 404-331-6111 Email:  [email_address]
Questions?

Recommended

Map Reduce
Map ReduceMap Reduce
Map ReduceMichel Bruley
 
AWS VPC.pdf
AWS VPC.pdfAWS VPC.pdf
AWS VPC.pdfShagun Rathore
 
Sensitive Data Exposure
Sensitive Data ExposureSensitive Data Exposure
Sensitive Data Exposureabodiford
 
Hadoop File system (HDFS)
Hadoop File system (HDFS)Hadoop File system (HDFS)
Hadoop File system (HDFS)Prashant Gupta
 
Introduction to Amazon Relational Database Service
Introduction to Amazon Relational Database ServiceIntroduction to Amazon Relational Database Service
Introduction to Amazon Relational Database ServiceAmazon Web Services
 
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB)
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB)McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB)
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB)Iftikhar Ali Iqbal
 
Amazon Web Services - Elastic Beanstalk
Amazon Web Services - Elastic BeanstalkAmazon Web Services - Elastic Beanstalk
Amazon Web Services - Elastic BeanstalkAmazon Web Services
 
Lecture26 cc-security1
Lecture26 cc-security1Lecture26 cc-security1
Lecture26 cc-security1Ankit Gupta
 

Recommended

Map Reduce
Map ReduceMap Reduce
Map ReduceMichel Bruley
 
AWS VPC.pdf
AWS VPC.pdfAWS VPC.pdf
AWS VPC.pdfShagun Rathore
 
Sensitive Data Exposure
Sensitive Data ExposureSensitive Data Exposure
Sensitive Data Exposureabodiford
 
Hadoop File system (HDFS)
Hadoop File system (HDFS)Hadoop File system (HDFS)
Hadoop File system (HDFS)Prashant Gupta
 
Introduction to Amazon Relational Database Service
Introduction to Amazon Relational Database ServiceIntroduction to Amazon Relational Database Service
Introduction to Amazon Relational Database ServiceAmazon Web Services
 
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB)
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB)McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB)
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB)Iftikhar Ali Iqbal
 
Amazon Web Services - Elastic Beanstalk
Amazon Web Services - Elastic BeanstalkAmazon Web Services - Elastic Beanstalk
Amazon Web Services - Elastic BeanstalkAmazon Web Services
 
Lecture26 cc-security1
Lecture26 cc-security1Lecture26 cc-security1
Lecture26 cc-security1Ankit Gupta
 
Aws certified solutions architect
Aws certified solutions architectAws certified solutions architect
Aws certified solutions architectSyed Measum Haider Bokhari
 
Deep Dive: Amazon RDS
Deep Dive: Amazon RDSDeep Dive: Amazon RDS
Deep Dive: Amazon RDSAmazon Web Services
 
What is AWS?
What is AWS?What is AWS?
What is AWS?Martin Yan
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)Identacor
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWSAmazon Web Services
 
Disaster Recovery Strategies - AWS Siklab 2022.pptx
Disaster Recovery Strategies - AWS Siklab 2022.pptxDisaster Recovery Strategies - AWS Siklab 2022.pptx
Disaster Recovery Strategies - AWS Siklab 2022.pptxJohn Louis Garcia
 
Aws ppt
Aws pptAws ppt
Aws pptRamyaG50
 
Ms sql server architecture
Ms sql server architectureMs sql server architecture
Ms sql server architectureAjeet Singh
 
Cloud and Data Privacy
Cloud and Data PrivacyCloud and Data Privacy
Cloud and Data PrivacyMaganathin Veeraragaloo
 
VPC Design and New Capabilities for Amazon VPC
VPC Design and New Capabilities for Amazon VPCVPC Design and New Capabilities for Amazon VPC
VPC Design and New Capabilities for Amazon VPCAmazon Web Services
 
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017Amazon Web Services
 
Cyber security fundamentals
Cyber security fundamentalsCyber security fundamentals
Cyber security fundamentalsCloudflare
 
Aws overview
Aws overviewAws overview
Aws overviewabhijeetrajpurohit29
 
Whitepaper IBM Guardium Data Activity Monitor
Whitepaper IBM Guardium Data Activity MonitorWhitepaper IBM Guardium Data Activity Monitor
Whitepaper IBM Guardium Data Activity MonitorCamilo Fandiño Gómez
 
Multi-Tenant Approach
Multi-Tenant ApproachMulti-Tenant Approach
Multi-Tenant ApproachPerfectial, LLC
 
Azure storage
Azure storageAzure storage
Azure storageRaju Kumar
 
Identity and Access Management
Identity and Access ManagementIdentity and Access Management
Identity and Access ManagementPrashanth BS
 
Introduction to GCP (Google Cloud Platform)
Introduction to GCP (Google Cloud Platform)Introduction to GCP (Google Cloud Platform)
Introduction to GCP (Google Cloud Platform)Pulkit Gupta
 
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Web Services
 
Cloud Application architecture styles
Cloud Application architecture styles Cloud Application architecture styles
Cloud Application architecture styles Nilay Shrivastava
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 

More Related Content

What's hot

Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)Identacor
 
Disaster Recovery Strategies - AWS Siklab 2022.pptx
Disaster Recovery Strategies - AWS Siklab 2022.pptxDisaster Recovery Strategies - AWS Siklab 2022.pptx
Disaster Recovery Strategies - AWS Siklab 2022.pptxJohn Louis Garcia
 
Ms sql server architecture
Ms sql server architectureMs sql server architecture
Ms sql server architectureAjeet Singh
 
VPC Design and New Capabilities for Amazon VPC
VPC Design and New Capabilities for Amazon VPCVPC Design and New Capabilities for Amazon VPC
VPC Design and New Capabilities for Amazon VPCAmazon Web Services
 
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017Amazon Web Services
 
Cyber security fundamentals
Cyber security fundamentalsCyber security fundamentals
Cyber security fundamentalsCloudflare
 
Whitepaper IBM Guardium Data Activity Monitor
Whitepaper IBM Guardium Data Activity MonitorWhitepaper IBM Guardium Data Activity Monitor
Whitepaper IBM Guardium Data Activity MonitorCamilo Fandiño Gómez
 
Identity and Access Management
Identity and Access ManagementIdentity and Access Management
Identity and Access ManagementPrashanth BS
 
Introduction to GCP (Google Cloud Platform)
Introduction to GCP (Google Cloud Platform)Introduction to GCP (Google Cloud Platform)
Introduction to GCP (Google Cloud Platform)Pulkit Gupta
 
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Web Services
 
Cloud Application architecture styles
Cloud Application architecture styles Cloud Application architecture styles
Cloud Application architecture styles Nilay Shrivastava
 

What's hot (20)

Aws certified solutions architect
Aws certified solutions architectAws certified solutions architect
Aws certified solutions architect
 
Deep Dive: Amazon RDS
Deep Dive: Amazon RDSDeep Dive: Amazon RDS
Deep Dive: Amazon RDS
 
What is AWS?
What is AWS?What is AWS?
What is AWS?
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWS
 
Disaster Recovery Strategies - AWS Siklab 2022.pptx
Disaster Recovery Strategies - AWS Siklab 2022.pptxDisaster Recovery Strategies - AWS Siklab 2022.pptx
Disaster Recovery Strategies - AWS Siklab 2022.pptx
 
Aws ppt
Aws pptAws ppt
Aws ppt
 
Ms sql server architecture
Ms sql server architectureMs sql server architecture
Ms sql server architecture
 
Cloud and Data Privacy
Cloud and Data PrivacyCloud and Data Privacy
Cloud and Data Privacy
 
VPC Design and New Capabilities for Amazon VPC
VPC Design and New Capabilities for Amazon VPCVPC Design and New Capabilities for Amazon VPC
VPC Design and New Capabilities for Amazon VPC
 
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017
 
Cyber security fundamentals
Cyber security fundamentalsCyber security fundamentals
Cyber security fundamentals
 
Aws overview
Aws overviewAws overview
Aws overview
 
Whitepaper IBM Guardium Data Activity Monitor
Whitepaper IBM Guardium Data Activity MonitorWhitepaper IBM Guardium Data Activity Monitor
Whitepaper IBM Guardium Data Activity Monitor
 
Multi-Tenant Approach
Multi-Tenant ApproachMulti-Tenant Approach
Multi-Tenant Approach
 
Azure storage
Azure storageAzure storage
Azure storage
 
Identity and Access Management
Identity and Access ManagementIdentity and Access Management
Identity and Access Management
 
Introduction to GCP (Google Cloud Platform)
Introduction to GCP (Google Cloud Platform)Introduction to GCP (Google Cloud Platform)
Introduction to GCP (Google Cloud Platform)
 
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)
 
Cloud Application architecture styles
Cloud Application architecture styles Cloud Application architecture styles
Cloud Application architecture styles
 

Similar to Drupal Camp Atlanta 2011 - Drupal Security

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Securityjgrahamc
 
How We Learned To Love The Data Center Operating System
How We Learned To Love The Data Center Operating SystemHow We Learned To Love The Data Center Operating System
How We Learned To Love The Data Center Operating Systemsaulius_vl
 
Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠Integris Security LLC
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedJoe McCray
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdfThe Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdfChristopher Doman
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...APNIC
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Scout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoScout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoknaddison
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)cgmonroe
 
Exploring Solaris Autoregistration
Exploring Solaris AutoregistrationExploring Solaris Autoregistration
Exploring Solaris AutoregistrationTom Kranz
 

Similar to Drupal Camp Atlanta 2011 - Drupal Security (20)

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Security
 
How We Learned To Love The Data Center Operating System
How We Learned To Love The Data Center Operating SystemHow We Learned To Love The Data Center Operating System
How We Learned To Love The Data Center Operating System
 
Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠
 
PHP Security
PHP SecurityPHP Security
PHP Security
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got Owned
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
Old Linux Security Talk
Old Linux Security TalkOld Linux Security Talk
Old Linux Security Talk
 
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdfThe Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
 
<img src="xss.com">
<img src="xss.com"><img src="xss.com">
<img src="xss.com">
 
Fav
FavFav
Fav
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Scout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoScout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicago
 
Application Security
Application SecurityApplication Security
Application Security
 
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
 
Exploring Solaris Autoregistration
Exploring Solaris AutoregistrationExploring Solaris Autoregistration
Exploring Solaris Autoregistration
 

More from Mediacurrent

Penn State News: Pivoting to Decoupled Drupal with Gatsby
Penn State News: Pivoting to Decoupled Drupal with GatsbyPenn State News: Pivoting to Decoupled Drupal with Gatsby
Penn State News: Pivoting to Decoupled Drupal with GatsbyMediacurrent
 
Evolving How We Measure Digital Success in Higher Ed
Evolving How We Measure Digital Success in Higher EdEvolving How We Measure Digital Success in Higher Ed
Evolving How We Measure Digital Success in Higher EdMediacurrent
 
Penn State scales static Drupal to new heights
Penn State scales static Drupal to new heightsPenn State scales static Drupal to new heights
Penn State scales static Drupal to new heightsMediacurrent
 
Delivering Meaningful Digital Experiences in Higher Ed
Delivering Meaningful Digital Experiences in Higher EdDelivering Meaningful Digital Experiences in Higher Ed
Delivering Meaningful Digital Experiences in Higher EdMediacurrent
 
Content Strategy: Building Connections with Your Audience
Content Strategy: Building Connections with Your AudienceContent Strategy: Building Connections with Your Audience
Content Strategy: Building Connections with Your AudienceMediacurrent
 
Decoupled Drupal and Gatsby in the Real World
Decoupled Drupal and Gatsby in the Real WorldDecoupled Drupal and Gatsby in the Real World
Decoupled Drupal and Gatsby in the Real WorldMediacurrent
 
A Better Way to Build and Manage Sites with Rain for Drupal 9
A Better Way to Build and Manage Sites with Rain for Drupal 9A Better Way to Build and Manage Sites with Rain for Drupal 9
A Better Way to Build and Manage Sites with Rain for Drupal 9Mediacurrent
 
Drupal Security: What You Need to Know
Drupal Security: What You Need to KnowDrupal Security: What You Need to Know
Drupal Security: What You Need to KnowMediacurrent
 
Leveraging Design Systems to Streamline Web Projects
Leveraging Design Systems to Streamline Web ProjectsLeveraging Design Systems to Streamline Web Projects
Leveraging Design Systems to Streamline Web ProjectsMediacurrent
 
Reimagining Your Higher Ed Web Strategy
Reimagining Your Higher Ed Web StrategyReimagining Your Higher Ed Web Strategy
Reimagining Your Higher Ed Web StrategyMediacurrent
 
How to Digitally Transform Higher Ed with Drupal
How to Digitally Transform Higher Ed with DrupalHow to Digitally Transform Higher Ed with Drupal
How to Digitally Transform Higher Ed with DrupalMediacurrent
 
Is my website accessible? Common mistakes (and how to fix them)
Is my website accessible? Common mistakes (and how to fix them)Is my website accessible? Common mistakes (and how to fix them)
Is my website accessible? Common mistakes (and how to fix them)Mediacurrent
 
Managing Images In Large Scale Drupal 8 & 9 Websites
Managing Images In Large Scale Drupal 8 & 9 WebsitesManaging Images In Large Scale Drupal 8 & 9 Websites
Managing Images In Large Scale Drupal 8 & 9 WebsitesMediacurrent
 
Paragraphs v Layout Builder - The Final Showdown
Paragraphs v Layout Builder - The Final ShowdownParagraphs v Layout Builder - The Final Showdown
Paragraphs v Layout Builder - The Final ShowdownMediacurrent
 
MagMutual.com: On the JAMStack with Gatsby and Drupal 8
MagMutual.com: On the JAMStack with Gatsby and Drupal 8 MagMutual.com: On the JAMStack with Gatsby and Drupal 8
MagMutual.com: On the JAMStack with Gatsby and Drupal 8Mediacurrent
 
Creating an Organizational Culture of Giving Back to Drupal
Creating an Organizational Culture of Giving Back to DrupalCreating an Organizational Culture of Giving Back to Drupal
Creating an Organizational Culture of Giving Back to DrupalMediacurrent
 
Level Up Your Team: Front-End Development Best Practices
Level Up Your Team: Front-End Development Best PracticesLevel Up Your Team: Front-End Development Best Practices
Level Up Your Team: Front-End Development Best PracticesMediacurrent
 
Best Practices for Moving to Drupal 9
Best Practices for Moving to Drupal 9Best Practices for Moving to Drupal 9
Best Practices for Moving to Drupal 9Mediacurrent
 
How to Prove Marketing ROI: Overcoming Digital Marketing Challenges
How to Prove Marketing ROI: Overcoming Digital Marketing ChallengesHow to Prove Marketing ROI: Overcoming Digital Marketing Challenges
How to Prove Marketing ROI: Overcoming Digital Marketing ChallengesMediacurrent
 
Prepare Your Drupal 9 Action Plan
Prepare Your Drupal 9 Action Plan Prepare Your Drupal 9 Action Plan
Prepare Your Drupal 9 Action Plan Mediacurrent
 

More from Mediacurrent (20)

Penn State News: Pivoting to Decoupled Drupal with Gatsby
Penn State News: Pivoting to Decoupled Drupal with GatsbyPenn State News: Pivoting to Decoupled Drupal with Gatsby
Penn State News: Pivoting to Decoupled Drupal with Gatsby
 
Evolving How We Measure Digital Success in Higher Ed
Evolving How We Measure Digital Success in Higher EdEvolving How We Measure Digital Success in Higher Ed
Evolving How We Measure Digital Success in Higher Ed
 
Penn State scales static Drupal to new heights
Penn State scales static Drupal to new heightsPenn State scales static Drupal to new heights
Penn State scales static Drupal to new heights
 
Delivering Meaningful Digital Experiences in Higher Ed
Delivering Meaningful Digital Experiences in Higher EdDelivering Meaningful Digital Experiences in Higher Ed
Delivering Meaningful Digital Experiences in Higher Ed
 
Content Strategy: Building Connections with Your Audience
Content Strategy: Building Connections with Your AudienceContent Strategy: Building Connections with Your Audience
Content Strategy: Building Connections with Your Audience
 
Decoupled Drupal and Gatsby in the Real World
Decoupled Drupal and Gatsby in the Real WorldDecoupled Drupal and Gatsby in the Real World
Decoupled Drupal and Gatsby in the Real World
 
A Better Way to Build and Manage Sites with Rain for Drupal 9
A Better Way to Build and Manage Sites with Rain for Drupal 9A Better Way to Build and Manage Sites with Rain for Drupal 9
A Better Way to Build and Manage Sites with Rain for Drupal 9
 
Drupal Security: What You Need to Know
Drupal Security: What You Need to KnowDrupal Security: What You Need to Know
Drupal Security: What You Need to Know
 
Leveraging Design Systems to Streamline Web Projects
Leveraging Design Systems to Streamline Web ProjectsLeveraging Design Systems to Streamline Web Projects
Leveraging Design Systems to Streamline Web Projects
 
Reimagining Your Higher Ed Web Strategy
Reimagining Your Higher Ed Web StrategyReimagining Your Higher Ed Web Strategy
Reimagining Your Higher Ed Web Strategy
 
How to Digitally Transform Higher Ed with Drupal
How to Digitally Transform Higher Ed with DrupalHow to Digitally Transform Higher Ed with Drupal
How to Digitally Transform Higher Ed with Drupal
 
Is my website accessible? Common mistakes (and how to fix them)
Is my website accessible? Common mistakes (and how to fix them)Is my website accessible? Common mistakes (and how to fix them)
Is my website accessible? Common mistakes (and how to fix them)
 
Managing Images In Large Scale Drupal 8 & 9 Websites
Managing Images In Large Scale Drupal 8 & 9 WebsitesManaging Images In Large Scale Drupal 8 & 9 Websites
Managing Images In Large Scale Drupal 8 & 9 Websites
 
Paragraphs v Layout Builder - The Final Showdown
Paragraphs v Layout Builder - The Final ShowdownParagraphs v Layout Builder - The Final Showdown
Paragraphs v Layout Builder - The Final Showdown
 
MagMutual.com: On the JAMStack with Gatsby and Drupal 8
MagMutual.com: On the JAMStack with Gatsby and Drupal 8 MagMutual.com: On the JAMStack with Gatsby and Drupal 8
MagMutual.com: On the JAMStack with Gatsby and Drupal 8
 
Creating an Organizational Culture of Giving Back to Drupal
Creating an Organizational Culture of Giving Back to DrupalCreating an Organizational Culture of Giving Back to Drupal
Creating an Organizational Culture of Giving Back to Drupal
 
Level Up Your Team: Front-End Development Best Practices
Level Up Your Team: Front-End Development Best PracticesLevel Up Your Team: Front-End Development Best Practices
Level Up Your Team: Front-End Development Best Practices
 
Best Practices for Moving to Drupal 9
Best Practices for Moving to Drupal 9Best Practices for Moving to Drupal 9
Best Practices for Moving to Drupal 9
 
How to Prove Marketing ROI: Overcoming Digital Marketing Challenges
How to Prove Marketing ROI: Overcoming Digital Marketing ChallengesHow to Prove Marketing ROI: Overcoming Digital Marketing Challenges
How to Prove Marketing ROI: Overcoming Digital Marketing Challenges
 
Prepare Your Drupal 9 Action Plan
Prepare Your Drupal 9 Action Plan Prepare Your Drupal 9 Action Plan
Prepare Your Drupal 9 Action Plan
 

Recently uploaded

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Drupal Camp Atlanta 2011 - Drupal Security

  • 1. Locking down Drupal and  managing security breaches By Andy Thornton Mediacurrent Consultant Twitter: @BohemianPixel [email_address]
  • 2.
  • 3.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12. Social Engineering Meet Kevin Mitnick Master of Social  Engineering. http://mitnicksecurity.com/ It seems to be a universal truth that most people don't believe Social Engineering (gaining information by deceit) could be so easy. "No one could be that stupid" is a common phrase heard from people who first learn how these types of attacks work.  However, once demonstrated (especially with some personal information of theirs) they become hard and fast believers. Just seeing it in action brings home the reality that information can leak through most any worker and that one must always be on guard. 
  • 13.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 24.
  • 25.

Editor's Notes

  1. Talk about noexec / nosuid
  2. What is a web application firewall?
  3. What is a tiger team. A tiger team is a group of experts assigned to investigate and/or solve technical or systemic problems.  The term may have originated in aerospace design but is also used in other settings, including information technology and emergency management.[citation needed] According to a 1964 definition,  "In case the term 'tiger team' is unfamiliar to you, it has been described as 'a team of undomesticated and uninhibited technical specialists, selected for their experience, energy, and imagination, and assigned to track down relentlessly every possible source of failure in a spacecraft subsystem." The term used by Rockwell Collins for a roaming installation team. It is believed that they came up with the term "Tiger Team" - source, wikipedia.
  4. As part of the tiger team Identify contact points for out of hours.  Setup a mailing list for all team members. Provide all contact numbers for external resources to the team. Access to communications plan and any associated documents. Identify a chain of command, escallating issues down the chain. Schedule daily response meetings during the investigation. Establish a communication plan for the team to keep all stake holders informed. Have a web page on your intranet. Flag emails with an incident response code, so they can be collated by legal. Setup communication plan for employees so they know how to respond if contacted by the press. Manage disclosure between employees and the public. Team members will keep their own departments apprised of the status of the investigation. Appoint a team leader, dedicated to the task.
  5. Corporate Communication Plan - Different levels according to scope of the breach - Internal staff, how to respond to requests for information from reporters, bloggers etc. - Prepared press statement. - Single point of contact, usually your corporate communications manager. - Consult with authorities before communicating anything to the public How prepared is your information technology (IT) department or administrator to handle security incidents? Many organizations learn how to respond to security incidents only after suffering attacks. By this time, incidents often become much more costly than needed. Proper incident response should be an integral part of your overall security policy and risk mitigation strategy.
  6. Shutting down the server can execute code to clean evidence, powering down is much safer and preserves evidence.