Tom Canavan Joomla Security and Disaster Recovery


Published on

Presentation by Tom Canavan, of, for Security & Disaster Recovery

Published in: Technology, Business
1 Comment
1 Like
  • Try It will help you with finding security issues on your website.
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Tom Canavan Joomla Security and Disaster Recovery

    1. 1. “ Is your site ready?” Disaster planning, preparation and recovery for Joomla! TM Sites Tom Canavan ™
    2. 2. Welcome <ul><li>Tom Canavan </li></ul><ul><ul><li>Author : </li></ul></ul><ul><ul><ul><ul><li>Dodging the bullets, A disaster preparation guide for Joomla! Based sites </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Upcoming book: Joomla! Web Security </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Co-Author – Joomla! Cash </li></ul></ul></ul></ul><ul><ul><li>Twenty-two years in Computer Business </li></ul></ul><ul><ul><ul><ul><li>Dell, AST Research, Texas Instruments </li></ul></ul></ul></ul><ul><ul><li>Co-host – The Podcast </li></ul></ul><ul><ul><li>Certifications include </li></ul></ul><ul><ul><ul><ul><li>Microsoft Certified Professional, Novell CNE and Certified Ethical Hacker (Pending) </li></ul></ul></ul></ul><ul><ul><ul><ul><li>And a huge Monty Python Fan </li></ul></ul></ul></ul>
    3. 3. Disasters DO happen <ul><li>Disaster preparedness is what you do before, not after, a disaster hits. </li></ul><ul><li>Crackers/hackers are only part of your concern. </li></ul><ul><li>Disaster—the meaning of the word has its root in early Italian, from the word disastro (Meaning away from star). </li></ul><ul><li>It was thought that an unfavorable position of a star or planet </li></ul><ul><li>was the cause of mishaps and calamities 1 </li></ul><ul><li>1 Robert K. Barnhart, “The Barnhart concise Dictionary of Etymology – The origins of American English words”, (New York: HarperCollins books, 1995) 208 </li></ul>
    4. 4. What do you consider a disaster? 4-19-1995 Murrah Bldg Okla City 9-11-2001 Ground Zero 8/28/2005 Hurricane Katrina
    5. 5. I’ll take Disaster Recovery Planning for $500.00 <ul><li>-QUIZ- </li></ul><ul><li>Who has a working DR Plan? </li></ul><ul><li>If your site was offline for 7 to 10 days, </li></ul><ul><li>would your company go bankrupt? </li></ul>
    6. 6. 404: Page Not found <ul><li>A 1978 Study by the University of Minnesota showed that if a business could not recover their systems within a week, </li></ul><ul><li>will be out of business in a year. </li></ul><ul><li>That’s only four to six days </li></ul><ul><li>of interruption of services in 1978 </li></ul>Aasgaard, D.O. et al., “An evaluation of Data processing ‘Machine room’ Loss and Selected Recovery Strategies,” MISRC Working Papers (Minneapolis, MN: University of Minnesota, 1978) 1 1-
    7. 7. Disaster Planning Life Cycle 1 2 3 4 Determine Risks Document Your Business Build Your plan Test & document
    8. 8. Worst Practices for DR/DP <ul><li>Failure to get management support </li></ul><ul><li>No risk assessment </li></ul><ul><li>No written plan </li></ul><ul><li>Lack of ‘good’ backup’s </li></ul><ul><li>You put the tapes where?? </li></ul>
    9. 9. Today’s agenda Planning Determine risks Fortify Test/Document The elements, issues and challenges with planning Hackers are only one concern – there’s more Chances are GOOD you are exposed somewhere to attack Test and Documentation is vital to a healthy plan Communications Who needs to be informed, how to inform, Media/Press Ω
    10. 10. Determine Risks <ul><li>What ‘could’ go wrong? </li></ul><ul><ul><li>Hardware/Software Failure, DNS, Hackers </li></ul></ul><ul><li>What can you do to mitigate it? </li></ul><ul><ul><li>Hot site, backups, planned recovery </li></ul></ul>
    11. 11. Determine Risks <ul><li>People </li></ul><ul><ul><li>Safety (of staff) </li></ul></ul><ul><ul><li>Where will they work? </li></ul></ul><ul><ul><li>Do they KNOW procedures (fire drill much?) </li></ul></ul><ul><li>Telephones, Pagers, Cell Phones, Email </li></ul><ul><li>Hosting </li></ul><ul><ul><li>Co-Location (shared, dedicated, VPS) </li></ul></ul><ul><ul><li>Workstations </li></ul></ul>
    12. 12. Determine Risk <ul><li>Restoration costs BY host ($$$) </li></ul><ul><li>Backups, Yes but.. </li></ul><ul><ul><li>License keys </li></ul></ul><ul><ul><li>Copies of source/apps – do they exist? </li></ul></ul><ul><ul><li>Safe place to keep digital media </li></ul></ul><ul><li>Identify ‘stakeholders’ </li></ul><ul><li>Insurance – Do you have any? </li></ul><ul><li>Your own computers – virus free? </li></ul><ul><li>What about your ‘backup server’ itself? </li></ul>
    13. 13. Affordability of a Risk <ul><li>Elements to consider </li></ul><ul><ul><li>How much $$$ are you willing to spend </li></ul></ul><ul><ul><li>Does management buy into your plan? </li></ul></ul><ul><ul><li>Are they willing to commit to it financially? </li></ul></ul><ul><ul><li>Does your site “justify” a DR plan </li></ul></ul><ul><li>Determine if risks JUSTIFY cost </li></ul><ul><li>At the end of the day, if you have a blog site, </li></ul><ul><li>then perhaps its not worth it. If you have an </li></ul><ul><li>ecommerce site, then it WILL be. </li></ul>
    14. 14. Why do need a plan? <ul><li>Recognize that trouble WILL come </li></ul><ul><ul><li>Mr. Murphy on line one for you… </li></ul></ul><ul><li>Your plan should be : SMART based </li></ul><ul><ul><ul><li>Specific, Measurable, Attainable, Realistic, and Time-sensitive </li></ul></ul></ul><ul><li>&quot; A good plan, violently executed now, is better than a perfect plan next week .“ </li></ul><ul><li>General George Patton </li></ul>
    15. 15. Key Points <ul><li>Know your risks </li></ul><ul><li>Know your what the costs are </li></ul><ul><ul><li>Cost of experiencing the risk </li></ul></ul><ul><ul><li>Cost of restoration from downtime </li></ul></ul><ul><li>Have a plan to mitigate and recover </li></ul>
    16. 16. Preparing to Plan <ul><li>Recognize the following </li></ul><ul><ul><li>A hard to execute plan will likely fail </li></ul></ul><ul><ul><li>Avoid ‘conforming’ to multiple opinions </li></ul></ul><ul><ul><li>Staff members will fight the plan </li></ul></ul><ul><ul><li>A plan untested is no good </li></ul></ul><ul><ul><li>Plans take time to build </li></ul></ul><ul><ul><li>A solid “one-page” plan is better than none </li></ul></ul>
    17. 17. Planning Elements <ul><li>RTO/RPO – what is yours? </li></ul><ul><ul><li>Recovery Time Objective </li></ul></ul><ul><ul><li>Recovery Point Objective </li></ul></ul><ul><li>Who is in charge? </li></ul><ul><ul><li>Who else is in charge </li></ul></ul><ul><li>Moving parts of your plan </li></ul><ul><ul><ul><li>Where to store media, labeling, media type </li></ul></ul></ul>
    18. 18. Planning Elements <ul><li>Do you have a ‘fall-back’ </li></ul><ul><li>When will you ‘activate’ you plan? </li></ul><ul><li>Define a communications strategy </li></ul><ul><li>Which ‘systems’ have priority? </li></ul><ul><li>Develop a schedule to plan </li></ul><ul><li>Can you afford your plan? </li></ul>
    19. 19. Key Points <ul><li>Keep your planning team small </li></ul><ul><li>Involve Sr. Mgmt, CAREFULLY </li></ul><ul><li>Keep strong focus, for short bursts </li></ul><ul><ul><li>Planning takes ‘time’ – and comfort </li></ul></ul><ul><li>Your Plan WILL fail the first time you use it </li></ul><ul><li>Your staff will not buy in at first </li></ul><ul><li>Setup a start, middle and end for plan </li></ul>
    20. 20. Fortification <ul><li>Preparation of your site is key – check: </li></ul><ul><ul><li>Extensions, hosting, root kits, open ports </li></ul></ul><ul><li>Set permissions correctly </li></ul><ul><ul><li>Files and directories (644 / 755) </li></ul></ul><ul><li>Latest version of Joomla (1.0.xx and 1.5) </li></ul><ul><li>Check your HOST’s setup </li></ul><ul><ul><li>Ports, Versions of apache, etc. </li></ul></ul>
    21. 21. Fortify at risk code Can you find the problem?
    22. 22. Vulnerable Code <ul><li>It’s missing the critical code: </li></ul><ul><li>// no direct access </li></ul><ul><li>defined( '_VALID_MOS' ) or die( 'Restricted access‘); </li></ul><ul><li>While this problem is less prevalent - It still exists and can trip you up </li></ul><ul><li>Note: the previous code snip was purposely modified for demonstration purposes only ! </li></ul>
    23. 23. Fortify - .htaccess .htaccess – your first line of defense
    24. 24. Fortify - Permissions <ul><li>Permissions </li></ul><ul><ul><li>Very common problem </li></ul></ul><ul><ul><li>Check files and Dirs </li></ul></ul><ul><ul><li>FILES: 644 </li></ul></ul><ul><ul><li>DIR : 755 </li></ul></ul>
    25. 25. Fortify – PHP.INI <ul><li>Safe Mode: OFF </li></ul><ul><li>Open basedir: none </li></ul><ul><li>Display Errors: ON </li></ul><ul><li>Short Open Tags: ON </li></ul><ul><li>File Uploads: ON </li></ul><ul><li>Magic Quotes: ON </li></ul><ul><li>Register Globals: OFF </li></ul>
    26. 26. Fortify - Versions <ul><li>Using 1.0.xx </li></ul><ul><ul><li>Make sure you are at least at 1.0.15 </li></ul></ul><ul><li>Using 1.5 </li></ul><ul><ul><li>Make sure you are at least at 1.5.3 </li></ul></ul><ul><li>Older versions are exploitable </li></ul>
    27. 27. Fortify – Common Trip Ups <ul><li>Common issues </li></ul><ul><ul><ul><li>Admin still named ADMIN </li></ul></ul></ul><ul><ul><ul><li>Easy to guess passwords like P@ssw0rd </li></ul></ul></ul><ul><ul><ul><li>Permissions set wrong </li></ul></ul></ul><ul><ul><ul><li>Lack of .htaccess or php.ini </li></ul></ul></ul><ul><ul><ul><li>Vulnerable components </li></ul></ul></ul><ul><ul><ul><li>Hosts not setup properly </li></ul></ul></ul>
    28. 28. Fortify - Poor Host Security <ul><li>Example: Ports open that need not be </li></ul><ul><ul><li>Real case from Client </li></ul></ul><ul><ul><ul><ul><li>The host had 1,700 ports open. </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Port 53 – Allows for Zone Transfers </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Port 23 – Telnet – Allowed “Banner Grabbing” </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Port 21 – Allowed me (shouldn’t have) to FTP in </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Port 6667 (note BackOrfice) – Cult of the Dead Cow </li></ul></ul></ul></ul><ul><ul><ul><ul><li>And 1,677 more – (HUN???) </li></ul></ul></ul></ul><ul><ul><ul><li>Host told client: </li></ul></ul></ul><ul><li>“ That’s ok you have a Virtual private Server (VPS) setup” </li></ul>
    29. 29. Fortification Tools <ul><li>Tools to check host out: </li></ul><ul><ul><li>NMAP ( only with host’s permission ) </li></ul></ul><ul><ul><li>Tools from </li></ul></ul><ul><ul><ul><li>Domain Dossier </li></ul></ul></ul><ul><ul><li>Joomla Health Check (available from J!) </li></ul></ul><ul><li>Google </li></ul><ul><ul><li>Google Hacks (again permission please) </li></ul></ul><ul><li>Hire </li></ul>
    30. 30. Documentation <ul><li>Documentation is a product of your risk assessment, goals, planning and fortification. </li></ul><ul><li>It’s the chief cornerstone of your DR plan. </li></ul>
    31. 31. Documentation <ul><li>Documentation considerations </li></ul><ul><ul><ul><li>First recognize its not the Holy Bible </li></ul></ul></ul><ul><ul><ul><ul><li>It CAN be changed as needed to fit </li></ul></ul></ul></ul><ul><li>Establish a review process </li></ul><ul><ul><ul><li>It will change from time to time </li></ul></ul></ul><ul><ul><ul><li>Make sure the Date is on it </li></ul></ul></ul><ul><li>Keep it in a safe place </li></ul><ul><ul><ul><li>Key DR team members must have it </li></ul></ul></ul><ul><ul><ul><li>Don’t let it fall into competitors hands </li></ul></ul></ul>
    32. 32. Maintaining your plan <ul><li>Test your plan </li></ul><ul><ul><ul><li>Accomplished through drills </li></ul></ul></ul><ul><ul><ul><li>Document the results </li></ul></ul></ul><ul><ul><ul><li>Change documentation as needed </li></ul></ul></ul><ul><ul><ul><li>Collect old docs, distribute new </li></ul></ul></ul><ul><li>Tracking changes </li></ul><ul><ul><ul><li>Why did you change it? </li></ul></ul></ul><ul><li>Always ask WHY changes </li></ul><ul><li>will increase survivability </li></ul>
    33. 33. Drill for results <ul><li>Establish a ‘failure’ test </li></ul><ul><li>Purpose: </li></ul><ul><ul><li>To shake down your documentation </li></ul></ul><ul><ul><li>To train your staff </li></ul></ul><ul><ul><li>To learn where your plan works and fails </li></ul></ul><ul><li>Establish a ‘regular’ drill time </li></ul><ul><ul><li>Key members should be present at each test </li></ul></ul>
    34. 34. Some things your plan should have <ul><li>Team member contact information </li></ul><ul><ul><li>Plan initiation instructions </li></ul></ul><ul><ul><ul><li>‘when’ we activate the plan </li></ul></ul></ul><ul><ul><li>Location of backup media </li></ul></ul><ul><ul><li>Passwords and other security information </li></ul></ul><ul><ul><li>Contact for host </li></ul></ul><ul><ul><ul><li>Technical support, escalation procedures </li></ul></ul></ul><ul><ul><li>Instructions on HOW to restore </li></ul></ul>
    35. 35. Documentation Example
    36. 36. A few words on drilling Conducting a live test helps increase your site’s survivability by proving your plan works, and ensuring your staff knows their job
    37. 37. About your plan &quot;No plan survives first engagement with the enemy&quot; Von Clausewitz.—Prussian Military Thinker
    38. 38. Key Points <ul><li>Your Plan/Docs is a living document </li></ul><ul><ul><li>Care and feed for it </li></ul></ul><ul><li>Test it once you develop </li></ul><ul><ul><li>Conduct regular drills </li></ul></ul><ul><li>Change it if its not working </li></ul><ul><li>Establish a process for distribution </li></ul><ul><li>Keep it safe </li></ul>
    39. 39. Communications <ul><li>Understanding crisis communication </li></ul><ul><li>Preparing media kits in advance </li></ul><ul><li>Communicating with your team </li></ul>
    40. 40. Crisis Communication <ul><li>Internal with team </li></ul><ul><ul><ul><li>Coordinates efforts for recovery </li></ul></ul></ul><ul><li>Internal with employees other staff </li></ul><ul><ul><ul><li>Helps to control rumors </li></ul></ul></ul><ul><li>Communications with media / customers </li></ul><ul><ul><ul><li>Prepare plan in advance </li></ul></ul></ul><ul><ul><ul><li>This helps you control the message </li></ul></ul></ul><ul><ul><ul><li>Helps retain customer base </li></ul></ul></ul>
    41. 41. Media Communications <ul><li>Media contact </li></ul><ul><ul><li>Baseline communication regarding the event. </li></ul></ul><ul><ul><li>Reestablishes trust and ensure facts not conjecture. </li></ul></ul><ul><ul><li>The message should drive the behavior you want </li></ul></ul><ul><ul><li>Accomplish this through advanced preparation </li></ul></ul><ul><ul><ul><li>Talking points for employees. </li></ul></ul></ul><ul><ul><ul><li>A template for developing a news release. </li></ul></ul></ul><ul><ul><ul><li>A list of reporters, media outlets or blog sites you want your message directed to. </li></ul></ul></ul><ul><ul><ul><li>A fact sheet for media, both downloadable PDF and paper based. </li></ul></ul></ul>
    42. 42. Staff Communications <ul><li>Establish a communications tree </li></ul><ul><li>Assign a Communications person or team </li></ul><ul><li>Make sure you do two things </li></ul><ul><ul><li>Communicate openly and often with DR team </li></ul></ul><ul><ul><li>Carefully distribute information to rest of staff </li></ul></ul><ul><li>Keep in mind what you say, may end up </li></ul><ul><li>on a blog or in the paper. </li></ul>
    43. 43. Tools for communication <ul><li> </li></ul><ul><li>Establish a media checklist </li></ul><ul><li>Establish a Priority system </li></ul><ul><li>Be as ‘open’ as you can </li></ul><ul><ul><li>If you’re hacked and had credit card data stolen, it may not be the best time to discuss it DURING the crisis </li></ul></ul>
    44. 44. Key Points <ul><li>Be sure you have a plan to communicate </li></ul><ul><li>Keep in mind nothing is “off the record” </li></ul><ul><li>Internal/External communications is vital </li></ul><ul><ul><li>Keeps speculation down </li></ul></ul>
    45. 45. Dodging The Bullets - Book
    46. 46. A Rabbit? My men are not afraid of a Rabbit!