JoomlaExpo Presentation on Security by Tom Canavan

  1. “Is your site ready?” Disaster planning, preparation and recovery for Joomla!™ sites. Tom Canavan
  2. Disasters DO happen
     - Disaster preparedness is what you do before, not after, a disaster hits.
     - Crackers/hackers are only part of your concern.
     - Disaster: the word has its root in early Italian, from disastro (meaning “away from star”). It was thought that an unfavorable position of a star or planet was the cause of mishaps and calamities.[1]
     - [1] Robert K. Barnhart, “The Barnhart Concise Dictionary of Etymology – The Origins of American English Words” (New York: HarperCollins Books, 1995), 208.
  3. What do you consider a disaster? 4-19-1995 Murrah Building, Oklahoma City; 9-11-2001 Ground Zero; 8/28/2005 Hurricane Katrina
  4. I’ll take Disaster Recovery Planning for $500.00
     - QUIZ
     - Who has a working DR plan?
     - If your site was offline for 7 to 10 days, would your company go bankrupt?
  5. 404: Page Not Found
     - A 1978 study by the University of Minnesota showed that a business that could not recover its systems within a week would be out of business in a year.
     - That’s only four to six days of interruption of services in 1978.
     - Aasgaard, D.O. et al., “An Evaluation of Data Processing ‘Machine Room’ Loss and Selected Recovery Strategies,” MISRC Working Papers (Minneapolis, MN: University of Minnesota, 1978).
  6. Disaster Planning Life Cycle: (1) Determine risks, (2) Document your business, (3) Build your plan, (4) Test & document
  7. Worst Practices for DR/DP
     - Failure to get management support
     - No risk assessment
     - No written plan
     - Lack of ‘good’ backups
     - You put the tapes where??
  8. Today’s agenda
     - Planning: the elements, issues and challenges with planning
     - Determine risks: hackers are only one concern – there’s more
     - Fortify: chances are GOOD you are exposed somewhere to attack
     - Test/Document: testing and documentation are vital to a healthy plan
     - Communications: who needs to be informed, how to inform, media/press
  9. Determine Risks
     - What ‘could’ go wrong?
       - Hardware/software failure, DNS, hackers
     - What can you do to mitigate it?
       - Hot site, backups, planned recovery
  10. Determine Risks
     - People
       - Safety (of staff)
       - Where will they work?
       - Do they KNOW procedures (fire drill much?)
     - Telephones, pagers, cell phones, email
     - Hosting
       - Co-location (shared, dedicated, VPS)
       - Workstations
  11. Determine Risk
     - Restoration costs BY host ($$$)
     - Backups, yes, but...
       - License keys
       - Copies of source/apps – do they exist?
       - Safe place to keep digital media
     - Identify ‘stakeholders’
     - Insurance – do you have any?
     - Your own computers – virus free?
     - What about your ‘backup server’ itself?
  12. Affordability of a Risk
     - Elements to consider
       - How much $$$ are you willing to spend?
       - Does management buy into your plan?
       - Are they willing to commit to it financially?
       - Does your site “justify” a DR plan?
     - Determine if risks JUSTIFY cost
     - At the end of the day, if you have a blog site, then perhaps it’s not worth it. If you have an ecommerce site, then it WILL be.
  13. Key Points
     - Know your risks
     - Know what the costs are
       - Cost of experiencing the risk
       - Cost of restoration from downtime
     - Have a plan to mitigate and recover
  14. Why do you need a plan?
     - Recognize that trouble WILL come
       - Mr. Murphy on line one for you…
     - Your plan should be SMART based
       - Specific, Measurable, Attainable, Realistic, and Time-sensitive
     - "A good plan, violently executed now, is better than a perfect plan next week." – General George Patton
  15. Preparing to Plan
     - Recognize the following
       - A hard-to-execute plan will likely fail
       - Avoid ‘conforming’ to multiple opinions
       - Staff members will fight the plan
       - A plan untested is no good
       - Plans take time to build
       - A solid “one-page” plan is better than none
  16. Planning Elements
     - RTO/RPO – what is yours?
       - Recovery Time Objective
       - Recovery Point Objective
     - Who is in charge?
       - Who else is in charge?
     - Moving parts of your plan
       - Where to store media, labeling, media type
  17. Planning Elements
     - Do you have a ‘fall-back’?
     - When will you ‘activate’ your plan?
     - Define a communications strategy
     - Which ‘systems’ have priority?
     - Develop a schedule to plan
     - Can you afford your plan?
  18. Key Points
     - Keep your planning team small
     - Involve Sr. Mgmt, CAREFULLY
     - Keep strong focus, for short bursts
       - Planning takes ‘time’ – and comfort
     - Your plan WILL fail the first time you use it
     - Your staff will not buy in at first
     - Set up a start, middle and end for the plan
  19. Fortification
     - Preparation of your site is key – check:
       - Extensions, hosting, root kits, open ports
     - Set permissions correctly
       - Files and directories (644 / 755)
     - Latest version of Joomla (1.0.xx and 1.5)
     - Check your HOST’s setup
       - Ports, versions of Apache, etc.
  20. Fortify at-risk code: can you find the problem?
  21. Vulnerable Code
     - It’s missing the critical code:
       // no direct access
       defined( '_VALID_MOS' ) or die( 'Restricted access' );
     - While this problem is less prevalent, it still exists and can trip you up
     - Note: the previous code snip was purposely modified for demonstration purposes only!
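One way to check a whole component tree for the missing guard rather than one file at a time, as an added shell example that is not part of the presentation. It assumes a POSIX shell with find and grep, accepts either the 1.0.x guard (`_VALID_MOS`) or the 1.5 guard (`_JEXEC`), and builds a small constructed sample tree instead of touching a real site.

```shell
#!/bin/sh
# Audit a Joomla component tree for PHP files missing the direct-access
# guard shown on the slide. Without it, a file under components/ can be
# requested directly by URL, bypassing the front controller.
# Prints one path per line for every file that has no guard.
find_unguarded() {
    dir="$1"
    find "$dir" -type f -name '*.php' | sort | while IFS= read -r f; do
        # Accept the 1.0.x guard (_VALID_MOS) or the 1.5 guard (_JEXEC).
        if ! grep -Eq "defined[[:space:]]*\([[:space:]]*'(_VALID_MOS|_JEXEC)'" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree (not a real site): one guarded file, one not.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/components/com_demo"
    cat > "$root/components/com_demo/demo.php" <<'EOF'
<?php
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
echo 'guarded';
EOF
    cat > "$root/components/com_demo/helper.php" <<'EOF'
<?php
// guard missing: this file can be requested directly
include( 'config.php' );
EOF
    printf '%s' "$root"
}

# Run the audit on the sample tree; prints offenders relative to the root.
audit_sample() {
    root=$(make_sample_tree)
    find_unguarded "$root" | sed "s|^$root/||"
    rm -rf "$root"
}

audit_sample
```

Point `find_unguarded` at a real `components/` directory to get the list of files to fix; every path it prints needs the guard line added at the top.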
  22. Fortify – .htaccess: .htaccess is your first line of defense
  23. Fortify – Permissions
     - Permissions
       - Very common problem
       - Check files and dirs
       - FILES: 644
       - DIR: 755
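A way to check the 644/755 rule across a document root and reset it, as an added shell example that is not from the presentation. It assumes a POSIX shell with find and chmod, and it exercises the audit on a constructed sample tree under mktemp rather than on a real site.

```shell
#!/bin/sh
# Audit a Joomla document root for files that are not 644 and
# directories that are not 755, the modes the slide recommends.
# Prints "file <path>" or "dir <path>" for each offender.
find_bad_perms() {
    root="$1"
    find "$root" -type f ! -perm 644 | sort | sed 's/^/file /'
    find "$root" -type d ! -perm 755 | sort | sed 's/^/dir /'
}

# Reset the tree to 644/755. Apply it to the web root only; a file
# you have deliberately set tighter would be loosened by this.
fix_perms() {
    root="$1"
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type d -exec chmod 755 {} +
}

# Constructed sample tree (not a real site) with two typical mistakes:
# a world-writable cache dir and a 777 index.php.
make_sample_tree() {
    root=$(mktemp -d)
    chmod 755 "$root"
    mkdir "$root/images" "$root/cache"
    chmod 755 "$root/images"
    chmod 777 "$root/cache"
    : > "$root/index.php"; chmod 777 "$root/index.php"
    : > "$root/configuration.php"; chmod 644 "$root/configuration.php"
    printf '%s' "$root"
}

# Count offenders before and after the fix; prints "before after".
audit_and_fix() {
    root=$(make_sample_tree)
    before=$(find_bad_perms "$root" | wc -l | tr -d ' ')
    fix_perms "$root"
    after=$(find_bad_perms "$root" | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "$before $after"
}

audit_and_fix
```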
  24. Fortify – PHP.INI
     - Safe Mode: OFF
     - Open basedir: none
     - Display Errors: ON
     - Short Open Tags: ON
     - File Uploads: ON
     - Magic Quotes: ON
     - Register Globals: OFF
  25. Fortify – Versions
     - Using 1.0.xx
       - Make sure you are at least at 1.0.15
     - Using 1.5
       - Make sure you are at least at 1.5.3
     - Older versions are exploitable
  26. Fortify – Common Trip-Ups
     - Common issues
       - Admin still named ADMIN
       - Easy-to-guess passwords like P@ssw0rd
       - Permissions set wrong
       - Lack of .htaccess or php.ini
       - Vulnerable components
       - Hosts not set up properly
  27. Fortify – Poor Host Security
     - Example: ports open that need not be
       - Real case from client
         - The host had 1,700 ports open.
         - Port 53 – allows for zone transfers
         - Port 23 – Telnet – allowed “banner grabbing”
         - Port 21 – allowed me (shouldn’t have) to FTP in
         - Port 6667 (note Back Orifice) – Cult of the Dead Cow
         - And 1,677 more – (HUH???)
       - Host told client: “That’s ok, you have a Virtual Private Server (VPS) setup”
  28. Fortification Tools
     - Tools to check host out:
       - NMAP (only with host’s permission)
       - Tools from
         - Domain Dossier
       - Joomla Health Check (available from J!)
     - Google
       - Google Hacks (again, permission please)
     - Hire
  29. Documentation
     - Documentation is a product of your risk assessment, goals, planning and fortification.
     - It’s the chief cornerstone of your DR plan.
  30. Documentation
     - Documentation considerations
       - First recognize it’s not the Holy Bible
         - It CAN be changed as needed to fit
     - Establish a review process
       - It will change from time to time
       - Make sure the date is on it
     - Keep it in a safe place
       - Key DR team members must have it
       - Don’t let it fall into competitors’ hands
  31. Maintaining your plan
     - Test your plan
       - Accomplished through drills
       - Document the results
       - Change documentation as needed
       - Collect old docs, distribute new
     - Tracking changes
       - Why did you change it?
     - Always asking WHY about changes will increase survivability
  32. Drill for results
     - Establish a ‘failure’ test
     - Purpose:
       - To shake down your documentation
       - To train your staff
       - To learn where your plan works and fails
     - Establish a ‘regular’ drill time
       - Key members should be present at each test
  33. Some things your plan should have
     - Team member contact information
     - Plan initiation instructions
       - ‘When’ we activate the plan
     - Location of backup media
     - Passwords and other security information
     - Contact for host
       - Technical support, escalation procedures
     - Instructions on HOW to restore
  34. Documentation Example
  35. A few words on drilling: conducting a live test helps increase your site’s survivability by proving your plan works and ensuring your staff knows their job.
  36. About your plan: "No plan survives first engagement with the enemy." – Von Clausewitz, Prussian military thinker
  37. Key Points
     - Your plan/docs is a living document
       - Care for and feed it
     - Test it once you develop it
       - Conduct regular drills
     - Change it if it’s not working
     - Establish a process for distribution
     - Keep it safe
  38. Communications
     - Understanding crisis communication
     - Preparing media kits in advance
     - Communicating with your team
  39. Crisis Communication
     - Internal with team
       - Coordinates efforts for recovery
     - Internal with employees and other staff
       - Helps to control rumors
     - Communications with media / customers
       - Prepare plan in advance
       - This helps you control the message
       - Helps retain customer base
  40. Media Communications
     - Media contact
       - Baseline communication regarding the event.
       - Reestablishes trust and ensures facts, not conjecture.
       - The message should drive the behavior you want.
       - Accomplish this through advance preparation:
         - Talking points for employees.
         - A template for developing a news release.
         - A list of reporters, media outlets or blog sites you want your message directed to.
         - A fact sheet for media, both downloadable PDF and paper based.
  41. Staff Communications
     - Establish a communications tree
     - Assign a communications person or team
     - Make sure you do two things
       - Communicate openly and often with the DR team
       - Carefully distribute information to the rest of staff
     - Keep in mind what you say may end up on a blog or in the paper.
  42. Tools for communication
     - Establish a media checklist
     - Establish a priority system
     - Be as ‘open’ as you can
       - If you’re hacked and had credit card data stolen, it may not be the best time to discuss it DURING the crisis
  43. Key Points
     - Be sure you have a plan to communicate
     - Keep in mind nothing is “off the record”
     - Internal/external communications are vital
       - Keeps speculation down
