SlideShare a Scribd company logo

Drupal Camp Atlanta 2011 - Drupal Security

Download as PPT, PDF
Mediacurrent
Mediacurrent

Introduction to security on Drupal and introduces some testing tools, common problems and solutions. We also introduce the concept of a response team and best practices to get you started.

Technology
1 of 26
Locking down Drupal and  managing security breaches By Andy Thornton Mediacurrent Consultant Twitter: @BohemianPixel [email_address]
Overview ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
What is SQL Injection ,[object Object],Example SQL Statement: statement = "SELECT * FROM users WHERE name = '" + userName + "';" But what would happen if they added something else to their name, something we didn't plan for ..
even more simply ...
Handling SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Sanitise your inputs
SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Writing secure queries based on inputs
What is Cross Site Scripting? ,[object Object]
What just happened? ,[object Object]
More Examples... ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Protection from XSS ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Permissions ,[object Object],[object Object],[object Object],[object Object],chown , changes ownership of the file or directory. For drupal we would give the world (Apache) read only access to our settings.php, but let the user own the rest of the directory chmod 400 settings.php chown www-data:www-data settings.php
Social Engineering Meet Kevin Mitnick Master of Social  Engineering. http://mitnicksecurity.com/ It seems to be a universal truth that most people don't believe Social Engineering (gaining information by deceit) could be so easy. "No one could be that stupid" is a common phrase heard from people who first learn how these types of attacks work.  However, once demonstrated (especially with some personal information of theirs) they become hard and fast believers. Just seeing it in action brings home the reality that information can leak through most any worker and that one must always be on guard. 
Couple of one-liners ... ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Web Application Firewalls
Handy Tools to know ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Tiger Teams ,[object Object]
What is a tiger team? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],The term originated in aerospace design but is also used in other settings, including information technology and emergency management. According to a 1964 definition,  "It has been described as a team of undomesticated and uninhibited technical specialists, selected for their experience, energy, and imagination, and assigned to track down relentlessly every possible source of failure in a spacecraft subsystem." - wikipedia
What do they do? ,[object Object],[object Object],[object Object]
Always have a plan ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],"I have a plan so cunning you could stick a tail on it and call it a weasel" - Lord Edmund Blackadder
Always remember ... ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Handling a security breach
First Off
Unleash the Tigers
Activate your CSIRT .. Tiger Team! ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Follow your workflow and communication plan.
Resources ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Secret Service Atlanta Electronic Crimes Task Force 404-331-6111 Email:  [email_address]
Questions?

Recommended

Cloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixCloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixMITRE ATT&CK
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
20120612 04 - Les différentes facettes de la securité. La vision IBM
20120612 04 - Les différentes facettes de la securité. La vision IBM20120612 04 - Les différentes facettes de la securité. La vision IBM
20120612 04 - Les différentes facettes de la securité. La vision IBMLeClubQualiteLogicielle
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanLior Rotkovitch
 
Chapter 3 Basic Cryptography
Chapter 3 Basic CryptographyChapter 3 Basic Cryptography
Chapter 3 Basic CryptographyDr. Ahmed Al Zaidy
 
Bilgi güvenliği ve Kriptografi Soruları
Bilgi güvenliği ve Kriptografi SorularıBilgi güvenliği ve Kriptografi Soruları
Bilgi güvenliği ve Kriptografi SorularıAhmet Han
 
F5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsF5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsDenis Kolegov
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 

Recommended

Cloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixCloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixMITRE ATT&CK
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
20120612 04 - Les différentes facettes de la securité. La vision IBM
20120612 04 - Les différentes facettes de la securité. La vision IBM20120612 04 - Les différentes facettes de la securité. La vision IBM
20120612 04 - Les différentes facettes de la securité. La vision IBMLeClubQualiteLogicielle
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanLior Rotkovitch
 
Chapter 3 Basic Cryptography
Chapter 3 Basic CryptographyChapter 3 Basic Cryptography
Chapter 3 Basic CryptographyDr. Ahmed Al Zaidy
 
Bilgi güvenliği ve Kriptografi Soruları
Bilgi güvenliği ve Kriptografi SorularıBilgi güvenliği ve Kriptografi Soruları
Bilgi güvenliği ve Kriptografi SorularıAhmet Han
 
F5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsF5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsDenis Kolegov
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
Suricata
SuricataSuricata
Suricatatex_morgan
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewalldavidjohnrace
 
Reverse proxy & web cache with NGINX, HAProxy and Varnish
Reverse proxy & web cache with NGINX, HAProxy and VarnishReverse proxy & web cache with NGINX, HAProxy and Varnish
Reverse proxy & web cache with NGINX, HAProxy and VarnishEl Mahdi Benzekri
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application FirewallChandrapal Badshah
 
Http and its Applications
Http and its ApplicationsHttp and its Applications
Http and its ApplicationsNayan Dagliya
 
Firewall fundamentals
Firewall fundamentalsFirewall fundamentals
Firewall fundamentalsThang Man
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...JamieWilliams130
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux SecurityRizky Ariestiyansyah
 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitExploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitCarlos Eduardo
 
iOS recon with Radare2
iOS recon with Radare2iOS recon with Radare2
iOS recon with Radare2NowSecure
 
The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015
The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015
The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015Codemotion
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSMNarudom Roongsiriwong, CISSP
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web SecuritySharePointRadi
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Data encryption standard DES & 3DES
Data encryption standard DES & 3DESData encryption standard DES & 3DES
Data encryption standard DES & 3DESLaís Berlatto
 
Defensive programming
Defensive programmingDefensive programming
Defensive programmingMark Reynolds
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 

More Related Content

What's hot

Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewalldavidjohnrace
 
Reverse proxy & web cache with NGINX, HAProxy and Varnish
Reverse proxy & web cache with NGINX, HAProxy and VarnishReverse proxy & web cache with NGINX, HAProxy and Varnish
Reverse proxy & web cache with NGINX, HAProxy and VarnishEl Mahdi Benzekri
 
Http and its Applications
Http and its ApplicationsHttp and its Applications
Http and its ApplicationsNayan Dagliya
 
Firewall fundamentals
Firewall fundamentalsFirewall fundamentals
Firewall fundamentalsThang Man
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...JamieWilliams130
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitExploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitCarlos Eduardo
 
iOS recon with Radare2
iOS recon with Radare2iOS recon with Radare2
iOS recon with Radare2NowSecure
 
The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015
The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015
The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015Codemotion
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Data encryption standard DES & 3DES
Data encryption standard DES & 3DESData encryption standard DES & 3DES
Data encryption standard DES & 3DESLaís Berlatto
 
Defensive programming
Defensive programmingDefensive programming
Defensive programmingMark Reynolds
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 

What's hot (20)

Suricata
SuricataSuricata
Suricata
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
 
Reverse proxy & web cache with NGINX, HAProxy and Varnish
Reverse proxy & web cache with NGINX, HAProxy and VarnishReverse proxy & web cache with NGINX, HAProxy and Varnish
Reverse proxy & web cache with NGINX, HAProxy and Varnish
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 
Http and its Applications
Http and its ApplicationsHttp and its Applications
Http and its Applications
 
Firewall fundamentals
Firewall fundamentalsFirewall fundamentals
Firewall fundamentals
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitExploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
 
iOS recon with Radare2
iOS recon with Radare2iOS recon with Radare2
iOS recon with Radare2
 
The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015
The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015
The Dark Side of Malware Analysis - Andrea Pompili - Codemotion Rome 2015
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSM
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Data encryption standard DES & 3DES
Data encryption standard DES & 3DESData encryption standard DES & 3DES
Data encryption standard DES & 3DES
 
Defensive programming
Defensive programmingDefensive programming
Defensive programming
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
 

Similar to Drupal Camp Atlanta 2011 - Drupal Security

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Securityjgrahamc
 
How We Learned To Love The Data Center Operating System
How We Learned To Love The Data Center Operating SystemHow We Learned To Love The Data Center Operating System
How We Learned To Love The Data Center Operating Systemsaulius_vl
 
Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠Integris Security LLC
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedJoe McCray
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdfThe Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdfChristopher Doman
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...APNIC
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Scout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoScout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoknaddison
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)cgmonroe
 
Exploring Solaris Autoregistration
Exploring Solaris AutoregistrationExploring Solaris Autoregistration
Exploring Solaris AutoregistrationTom Kranz
 

Similar to Drupal Camp Atlanta 2011 - Drupal Security (20)

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Security
 
How We Learned To Love The Data Center Operating System
How We Learned To Love The Data Center Operating SystemHow We Learned To Love The Data Center Operating System
How We Learned To Love The Data Center Operating System
 
Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠
 
PHP Security
PHP SecurityPHP Security
PHP Security
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got Owned
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
Old Linux Security Talk
Old Linux Security TalkOld Linux Security Talk
Old Linux Security Talk
 
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdfThe Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
 
<img src="xss.com">
<img src="xss.com"><img src="xss.com">
<img src="xss.com">
 
Fav
FavFav
Fav
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Scout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoScout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicago
 
Application Security
Application SecurityApplication Security
Application Security
 
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
 
Exploring Solaris Autoregistration
Exploring Solaris AutoregistrationExploring Solaris Autoregistration
Exploring Solaris Autoregistration
 

More from Mediacurrent

Penn State News: Pivoting to Decoupled Drupal with Gatsby
Penn State News: Pivoting to Decoupled Drupal with GatsbyPenn State News: Pivoting to Decoupled Drupal with Gatsby
Penn State News: Pivoting to Decoupled Drupal with GatsbyMediacurrent
 
Evolving How We Measure Digital Success in Higher Ed
Evolving How We Measure Digital Success in Higher EdEvolving How We Measure Digital Success in Higher Ed
Evolving How We Measure Digital Success in Higher EdMediacurrent
 
Penn State scales static Drupal to new heights
Penn State scales static Drupal to new heightsPenn State scales static Drupal to new heights
Penn State scales static Drupal to new heightsMediacurrent
 
Delivering Meaningful Digital Experiences in Higher Ed
Delivering Meaningful Digital Experiences in Higher EdDelivering Meaningful Digital Experiences in Higher Ed
Delivering Meaningful Digital Experiences in Higher EdMediacurrent
 
Content Strategy: Building Connections with Your Audience
Content Strategy: Building Connections with Your AudienceContent Strategy: Building Connections with Your Audience
Content Strategy: Building Connections with Your AudienceMediacurrent
 
Decoupled Drupal and Gatsby in the Real World
Decoupled Drupal and Gatsby in the Real WorldDecoupled Drupal and Gatsby in the Real World
Decoupled Drupal and Gatsby in the Real WorldMediacurrent
 
A Better Way to Build and Manage Sites with Rain for Drupal 9
A Better Way to Build and Manage Sites with Rain for Drupal 9A Better Way to Build and Manage Sites with Rain for Drupal 9
A Better Way to Build and Manage Sites with Rain for Drupal 9Mediacurrent
 
Drupal Security: What You Need to Know
Drupal Security: What You Need to KnowDrupal Security: What You Need to Know
Drupal Security: What You Need to KnowMediacurrent
 
Leveraging Design Systems to Streamline Web Projects
Leveraging Design Systems to Streamline Web ProjectsLeveraging Design Systems to Streamline Web Projects
Leveraging Design Systems to Streamline Web ProjectsMediacurrent
 
Reimagining Your Higher Ed Web Strategy
Reimagining Your Higher Ed Web StrategyReimagining Your Higher Ed Web Strategy
Reimagining Your Higher Ed Web StrategyMediacurrent
 
How to Digitally Transform Higher Ed with Drupal
How to Digitally Transform Higher Ed with DrupalHow to Digitally Transform Higher Ed with Drupal
How to Digitally Transform Higher Ed with DrupalMediacurrent
 
Is my website accessible? Common mistakes (and how to fix them)
Is my website accessible? Common mistakes (and how to fix them)Is my website accessible? Common mistakes (and how to fix them)
Is my website accessible? Common mistakes (and how to fix them)Mediacurrent
 
Managing Images In Large Scale Drupal 8 & 9 Websites
Managing Images In Large Scale Drupal 8 & 9 WebsitesManaging Images In Large Scale Drupal 8 & 9 Websites
Managing Images In Large Scale Drupal 8 & 9 WebsitesMediacurrent
 
Paragraphs v Layout Builder - The Final Showdown
Paragraphs v Layout Builder - The Final ShowdownParagraphs v Layout Builder - The Final Showdown
Paragraphs v Layout Builder - The Final ShowdownMediacurrent
 
MagMutual.com: On the JAMStack with Gatsby and Drupal 8
MagMutual.com: On the JAMStack with Gatsby and Drupal 8 MagMutual.com: On the JAMStack with Gatsby and Drupal 8
MagMutual.com: On the JAMStack with Gatsby and Drupal 8Mediacurrent
 
Creating an Organizational Culture of Giving Back to Drupal
Creating an Organizational Culture of Giving Back to DrupalCreating an Organizational Culture of Giving Back to Drupal
Creating an Organizational Culture of Giving Back to DrupalMediacurrent
 
Level Up Your Team: Front-End Development Best Practices
Level Up Your Team: Front-End Development Best PracticesLevel Up Your Team: Front-End Development Best Practices
Level Up Your Team: Front-End Development Best PracticesMediacurrent
 
Best Practices for Moving to Drupal 9
Best Practices for Moving to Drupal 9Best Practices for Moving to Drupal 9
Best Practices for Moving to Drupal 9Mediacurrent
 
How to Prove Marketing ROI: Overcoming Digital Marketing Challenges
How to Prove Marketing ROI: Overcoming Digital Marketing ChallengesHow to Prove Marketing ROI: Overcoming Digital Marketing Challenges
How to Prove Marketing ROI: Overcoming Digital Marketing ChallengesMediacurrent
 
Prepare Your Drupal 9 Action Plan
Prepare Your Drupal 9 Action Plan Prepare Your Drupal 9 Action Plan
Prepare Your Drupal 9 Action Plan Mediacurrent
 

More from Mediacurrent (20)

Penn State News: Pivoting to Decoupled Drupal with Gatsby
Penn State News: Pivoting to Decoupled Drupal with GatsbyPenn State News: Pivoting to Decoupled Drupal with Gatsby
Penn State News: Pivoting to Decoupled Drupal with Gatsby
 
Evolving How We Measure Digital Success in Higher Ed
Evolving How We Measure Digital Success in Higher EdEvolving How We Measure Digital Success in Higher Ed
Evolving How We Measure Digital Success in Higher Ed
 
Penn State scales static Drupal to new heights
Penn State scales static Drupal to new heightsPenn State scales static Drupal to new heights
Penn State scales static Drupal to new heights
 
Delivering Meaningful Digital Experiences in Higher Ed
Delivering Meaningful Digital Experiences in Higher EdDelivering Meaningful Digital Experiences in Higher Ed
Delivering Meaningful Digital Experiences in Higher Ed
 
Content Strategy: Building Connections with Your Audience
Content Strategy: Building Connections with Your AudienceContent Strategy: Building Connections with Your Audience
Content Strategy: Building Connections with Your Audience
 
Decoupled Drupal and Gatsby in the Real World
Decoupled Drupal and Gatsby in the Real WorldDecoupled Drupal and Gatsby in the Real World
Decoupled Drupal and Gatsby in the Real World
 
A Better Way to Build and Manage Sites with Rain for Drupal 9
A Better Way to Build and Manage Sites with Rain for Drupal 9A Better Way to Build and Manage Sites with Rain for Drupal 9
A Better Way to Build and Manage Sites with Rain for Drupal 9
 
Drupal Security: What You Need to Know
Drupal Security: What You Need to KnowDrupal Security: What You Need to Know
Drupal Security: What You Need to Know
 
Leveraging Design Systems to Streamline Web Projects
Leveraging Design Systems to Streamline Web ProjectsLeveraging Design Systems to Streamline Web Projects
Leveraging Design Systems to Streamline Web Projects
 
Reimagining Your Higher Ed Web Strategy
Reimagining Your Higher Ed Web StrategyReimagining Your Higher Ed Web Strategy
Reimagining Your Higher Ed Web Strategy
 
How to Digitally Transform Higher Ed with Drupal
How to Digitally Transform Higher Ed with DrupalHow to Digitally Transform Higher Ed with Drupal
How to Digitally Transform Higher Ed with Drupal
 
Is my website accessible? Common mistakes (and how to fix them)
Is my website accessible? Common mistakes (and how to fix them)Is my website accessible? Common mistakes (and how to fix them)
Is my website accessible? Common mistakes (and how to fix them)
 
Managing Images In Large Scale Drupal 8 & 9 Websites
Managing Images In Large Scale Drupal 8 & 9 WebsitesManaging Images In Large Scale Drupal 8 & 9 Websites
Managing Images In Large Scale Drupal 8 & 9 Websites
 
Paragraphs v Layout Builder - The Final Showdown
Paragraphs v Layout Builder - The Final ShowdownParagraphs v Layout Builder - The Final Showdown
Paragraphs v Layout Builder - The Final Showdown
 
MagMutual.com: On the JAMStack with Gatsby and Drupal 8
MagMutual.com: On the JAMStack with Gatsby and Drupal 8 MagMutual.com: On the JAMStack with Gatsby and Drupal 8
MagMutual.com: On the JAMStack with Gatsby and Drupal 8
 
Creating an Organizational Culture of Giving Back to Drupal
Creating an Organizational Culture of Giving Back to DrupalCreating an Organizational Culture of Giving Back to Drupal
Creating an Organizational Culture of Giving Back to Drupal
 
Level Up Your Team: Front-End Development Best Practices
Level Up Your Team: Front-End Development Best PracticesLevel Up Your Team: Front-End Development Best Practices
Level Up Your Team: Front-End Development Best Practices
 
Best Practices for Moving to Drupal 9
Best Practices for Moving to Drupal 9Best Practices for Moving to Drupal 9
Best Practices for Moving to Drupal 9
 
How to Prove Marketing ROI: Overcoming Digital Marketing Challenges
How to Prove Marketing ROI: Overcoming Digital Marketing ChallengesHow to Prove Marketing ROI: Overcoming Digital Marketing Challenges
How to Prove Marketing ROI: Overcoming Digital Marketing Challenges
 
Prepare Your Drupal 9 Action Plan
Prepare Your Drupal 9 Action Plan Prepare Your Drupal 9 Action Plan
Prepare Your Drupal 9 Action Plan
 

Recently uploaded

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 

Recently uploaded (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 

Drupal Camp Atlanta 2011 - Drupal Security

  • 1. Locking down Drupal and  managing security breaches By Andy Thornton Mediacurrent Consultant Twitter: @BohemianPixel [email_address]
  • 2.
  • 3.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12. Social Engineering Meet Kevin Mitnick Master of Social  Engineering. http://mitnicksecurity.com/ It seems to be a universal truth that most people don't believe Social Engineering (gaining information by deceit) could be so easy. "No one could be that stupid" is a common phrase heard from people who first learn how these types of attacks work.  However, once demonstrated (especially with some personal information of theirs) they become hard and fast believers. Just seeing it in action brings home the reality that information can leak through most any worker and that one must always be on guard. 
  • 13.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 24.
  • 25.

Editor's Notes

  1. Talk about noexec / nosuid
  2. What is a web application firewall?
  3. What is a tiger team. A tiger team is a group of experts assigned to investigate and/or solve technical or systemic problems.  The term may have originated in aerospace design but is also used in other settings, including information technology and emergency management.[citation needed] According to a 1964 definition,  "In case the term 'tiger team' is unfamiliar to you, it has been described as 'a team of undomesticated and uninhibited technical specialists, selected for their experience, energy, and imagination, and assigned to track down relentlessly every possible source of failure in a spacecraft subsystem." The term used by Rockwell Collins for a roaming installation team. It is believed that they came up with the term "Tiger Team" - source, wikipedia.
  4. As part of the tiger team Identify contact points for out of hours.  Setup a mailing list for all team members. Provide all contact numbers for external resources to the team. Access to communications plan and any associated documents. Identify a chain of command, escallating issues down the chain. Schedule daily response meetings during the investigation. Establish a communication plan for the team to keep all stake holders informed. Have a web page on your intranet. Flag emails with an incident response code, so they can be collated by legal. Setup communication plan for employees so they know how to respond if contacted by the press. Manage disclosure between employees and the public. Team members will keep their own departments apprised of the status of the investigation. Appoint a team leader, dedicated to the task.
  5. Corporate Communication Plan - Different levels according to scope of the breach - Internal staff, how to respond to requests for information from reporters, bloggers etc. - Prepared press statement. - Single point of contact, usually your corporate communications manager. - Consult with authorities before communicating anything to the public How prepared is your information technology (IT) department or administrator to handle security incidents? Many organizations learn how to respond to security incidents only after suffering attacks. By this time, incidents often become much more costly than needed. Proper incident response should be an integral part of your overall security policy and risk mitigation strategy.
  6. Shutting down the server can execute code to clean evidence, powering down is much safer and preserves evidence.