Heartbleed, Shell Shock, POODLE, Drupalgeddon and Ghost. How is it possible to secure my website in the face of the hackzor onslaught? Every bit of software in your stack composes compromisable surface area, so you have to think about security from the OS to the JS, and beyond. When securing your website, you need to think breadth as well as depth; there’s no use in having 3 deadbolts a pit bull and a portcullis on your front door while leaving your porch door unlocked. We’ll start at the 10,000’ level, reviewing the risks and drivers of website security, then zoom in for a birds-eye view of security best practices, and finally deep-dive on a few of the most effective attack mitigation strategies. Topics we will cover: - What security means for your business: compliance and risk management - The security triad: Confidentiality, Integrity, and Availability - OWASP Top 10 - Evaluating hosting options based on security - Securing your operating system - Configuring Nginx and Apache for security - Understanding ‘contrib’ module security - Configuring Drupal for Security - How to address DOS with a CDN (a battle of 3 letter acronyms) - Data encryption - Key Management (Don’t tape your key to the front door) - PII - What is it and why does it matter? - Securing your users: Password security and best practices - Real world scenarios Watch the session video: https://www.youtube.com/watch?v=KtdY5eSEfAk

2. PANTHEON
Defense in Depth
Lessons Learned from Securing
100,000 Drupal Sites

3. PANTHEON
Nick Stielau - @nstielau
Pantheon - Director of Engineering
Managing Security for 100,000+ Drupal Sites
Chris Teitzel - @technerdteitzel
Cellar Door Media - Founder
Architected secure platform for large scale e-
commerce site
Luke Probasco - @geetarluke
Townsend Security - Drupal General Manager
Manage Drupal business for Townsend Security
Introductions

4. PANTHEON
Nick Stielau
Platform Architect
Chris Teitzel
Drupal Architect
Luke Probasco
Compliance, encryption, and
security consultant
Three Perspectives

5. PANTHEON
“There are only two types
of companies: those that have
been hacked, and those that will
be. Even that is merging into
one category: those that have
been hacked and will be again.”
Robert Meuller,
Former FBI Director

6. PANTHEON
Son of a Breach
The average cost of a data breach is:
● $3.5 million per breach
● $145 per record
So far this year (as of 4/28/15):
● 270 breaches
● 102,372,157 records exposed
● ~10 records/second

7. PANTHEON

8. PANTHEON
YOU
will be hacked*
*unless your site is permanently offline

9. PANTHEON

10. PANTHEON
Step 1: Build a security
consciousness

11. PANTHEON
How to think about security
It’s a frame
of mind

12. PANTHEON
Security is All Around Us
Ignorance Paranoia

13. PANTHEON
Risk Mitigation
Risk
Security Investment

14. PANTHEON
● The low bar for data security
● Declares the minimum security for you
● Qualified Security Auditor (QSA) can
help you meet compliance
● Encryption and key management help
Compliance

15. PANTHEON
● Confidentiality
● Integrity
● Availability
CIA Security Triad

16. PANTHEON
What Does Hacked Mean?
● Defacement
● Denial of
Service
● Data Breach
● …
● ...
●

17. PANTHEON
Step 2:
Defense in Depth

18. PANTHEON
Defense in Depth

19. PANTHEON
Dont do this….
Secure
Drupal
Secure
Hosting
Environment
Unhardened
SSH

20. PANTHEON
Are you vulnerable?
● US Cert
● Drupal.org/security
● Fedora/Ubuntu Mailing Lists
● Apache/Nginx/Varnish/Redis Mailing lists
● Twitter

21. PANTHEON
PCI Data Security Standard (PCI DSS) - Retail
HIPAA - Healthcare
GLBA / FFIEC - Financial
FISMA - US government agencies
FERPA - Educational institutions
State and Federal Privacy Notification laws
Compliance Regulations

22. PANTHEON
“Use of a PCI DSS compliant CSP does not result in PCI
DSS compliance for the clients. The client must still ensure
they are using the service in a compliant manner, and is
also ultimately responsible for the security of their CHD.”
PCI DSS Cloud Computing Guidelines
SHARED
RESPONSIBILITY

23. PANTHEON
● NIST Special Publication 800-122 defines PII
● Examples:
Full name Credit card numbers
Home address Digital identity
Email address Date of birth
IP address Birthplace
Drivers license Telephone number
Login name, screen
name, etc.
Face, fingerprints, or
handwriting
Personally Identifiable Information (PII)
What is it and why does it matter?

24. PANTHEON
Zip
CodeBirthday
Coke or
Pepsi?State
Piecing Together Identity

25. PANTHEON
Step 3:
Essential Security

26. PANTHEON
Back it up
So you can sleep at night.

27. PANTHEON
Use Version Control
So that you know if your code has been changed.

28. PANTHEON
Use Secure Passwords

29. PANTHEON
Two Factor Authentication

30. PANTHEON
You’re Not Alone

31. PANTHEON
Key Management

32. PANTHEON
Step 3:
Securing your Stack

33. PANTHEON
Evaluating Hosting
Hosting
Operating System
Database
Web Server
Drupal
JavaScript
Team
Does your hosting
provider help
you secure
the whole
stack?

34. PANTHEON
Corporate Datacenter
Fluffy
marketing
brochureware
site
Your entire
business

35. PANTHEON
● Install security updates
● Achieve sensible configuration
● Invest in ability to safely,
quickly update servers
● Definitely do:
○ iptables
○ ssh (no root, no passwords)
○ sudoers
Securing your OS
Hosting
Operating System
Database
Web Server
Drupal
JavaScript
Team

36. PANTHEON
Securing Nginx and Apache
Hosting
Operating System
Database
Web Server
Drupal
JavaScript
Team
Hosting
● One of the quickest places to lock down,
add headers i.e. X-Frame-Options
● Make use of logs (logrotate)
● Disable server tokens.
● Use proper .htaccess in files directory

37. PANTHEON
● Change default password
● Lock down access to required hosts
● Secure your backups
Securing your Database
Hosting
Operating System
Database
Web Server
Drupal
JavaScript
Team
Hosting
Data/database

38. PANTHEON
Data Encryption
Hosting
Operating System
Database
Web Server
Drupal
JavaScript
Team
Hosting
Data/database
Encryption Modules:
Encrypt,
Key,
Encrypt User,
Encrypt Form,
Encrypted Files,
AES Encrypt

39. PANTHEON
Best Practice: Store
and manage keys on
a different server than
where the data is
Encryption Key Management
(Don’t tape your key to the front door)
Hosting
Operating System
Data/database
Web Server
Drupal
JavaScript
Team
Hosting

40. PANTHEON
Best Practice: Don’t share
your API keys with
developers that don’t need
access to them. (aka the
Principle of Least
Privilege)
Best Practice: User per-
developer and per-system
keys
Protecting API Keys

41. PANTHEON
Drupal Core Security
Keep it updated!
Hosting
Operating System
Database
Web Server
Drupal
JavaScript
Team
Hosting
Avoid getting creative
with permissions

42. PANTHEON
Active, popular
plugins are most likely
to have security scrutiny
Understanding ‘contrib’ module security
HostingHosting
Operating System
Database
Web Server
Drupal
JavaScript
Team
Hosting

43. PANTHEON
Securing your Team
Hosting
Operating System
Database
Web Server
Drupal
JavaScript
Team
Hosting● Enforce 2FA, strong
passwords
● Build a security
consciousness

44. PANTHEON
Step 4: What happens
in the Real World

45. PANTHEON
Pantheon Trenches

46. PANTHEON
https://pantheon.io/blog/what-we-are-seeing-drupal-sa-2014-005
Drupalgeddon
More about
Drupalgeddon from
Matt Korostoff, 5pm
HERE

47. PANTHEON
7k attacksper week
Constant SSH Attacks
p.s. Check out fail2ban for
curbing the worst
offenders

48. PANTHEON
Targeted HTTP DDOS

49. PANTHEON
What happens when you’re handed a
db of credit card data?
(a lot of) Credit Card Data

50. PANTHEON
● No one wants to see their name in the headlines for
a breach
● Brand damage, loss of customers, loss of jobs
● Do the right thing
Case Study: Hotel chain intranet
Risk Mitigation - C.Y.A.

51. PANTHEON
Don’t Panic… React!
1. Rollback
2. Review
3. Reach out!
Halp! I Got hacked!!
https://www.drupal.org/node/2365547

52. PANTHEON

53. PANTHEON
Keep the Conversation going!

54. PANTHEON
Image Attributes
https://flic.kr/p/4b4MK8 - Cogs
http://www.digitalthreat.net/2011/12/anti-virus-wont-keep-your-data-safe/# - CIA Triad
https://farm8.staticflickr.com/7313/9762758421_ff318a9c1f_o.jpg - Frame of Mind
http://cybersecurity.mit.edu/2013/12/open-source-software-is-it-secure/ - Open and Secure?
http://jr19759.deviantart.com/art/Team-Supreme-350105585 - Team Supreme
https://www.flickr.com/photos/37873897@N06/8049569753/ - thoughtful dude
https://xkcd.com/936/ - XKCD Password strength