SlideShare a Scribd company logo
Welcome to the
Business Track
FFWagency.com @FFWglobal
>Full-service digital agency
>World’s largest Drupal agency
>420 employees worldwide
>Portfolio includes Pfizer, NBC, Stanford University,
City of Copenhagen, and General Electric
>FFW Center of Excellence – thousands of hours of
free Drupal training at www.ffwagency.com/event
about FFW
ray saltini
director FFW Center of Excellence
@raysaltini, ray.saltini@ffwagency.com
www.ffwagency.com/event
FFWagency.com @FFWglobal
The FFW Center of Excellence was
launched in 2015 to further the
advancement of open source internet
technologies through evangelism, training
and code contributions.
The Center is the primary vehicle for FFW’s engagement with
the Drupal community. Since it’s launch large enterprise
organizations and SMBEs have registered for more than
$200,000 worth of free training around Drupal best practices and
Drupal 8, and FFW developers have logged nearly 1,000 hours
toward code contributions.
Simplifying Security: Protecting your
Clients and Your Company
FFWagency.com @FFWglobal
right now
Chris Teitzel
Founder/CEO at Cellar Door Media
Drew Gorton
Director @ Pantheon. Co-Founder, NodeSquirrel, CEO Emeritus,
Gorton Studios. Ex-Developer
Luke Probasco
Drupal General Manager/Director of Marketing at Townsend Security
“having the security conversation”
Simplifying Security:
Protecting your Clients and your Company
Pantheon.io
Who Dat?
6
Drew Gorton
@dgorton
Luke Probasco
@geetarluke
Chris Teitzel
@technerdteitzel
Time For a Quick Game
8www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks
9www.haveibeenpwned.com
Because that is where
the money is.
- Willie Sutton
Pantheon.io 11
Take Aways
● Breaches aren’t a matter of “if”, but “when”
● Protect more than credit cards - that’s not what hackers
really want anyway
Five Common Security Myths
I’m too small to be
a target.
Private businesses
are not regulated.
Encryption is complicated.
Security kills performance.
My clients aren’t
paying me for security.
Pantheon.io 18
Take Aways
● Hackers are targeting small and mid-sized organizations
● Compliance covers all industries
● You need to build security into sites, client’s shouldn’t
have to ask for it
● It’s not that hard
Security Fundamentals
Pantheon.io 20
What is Security?
CIA Triad
● Confidentiality
● Integrity
● Availability
Security is a Continuum
● More vs. Less
● Not On vs. Off
Pantheon.io 21
Personally Identifiable Information (PII)
Information that can be combined with something
else to determine a specific person:
● Name, address, email, date of birth, telephone number,
company, title ...
Some compliance regulations specify what data
Don’t build
Death Star
security.
- David Strauss
Pantheon.io 23
Defense in Depth
● Each layer takes time, which is
the enemy of hackers
● Involves every portion of the
company
http://www.slideshare.net/warpforge/dont-build-death-star-security-oreilly-software-architecture-conference-2016-nyc
Pantheon.io 24
Take Aways
● There is no security “magic bullet”
● Have a “defense in depth” approach
● If you don’t have to collect or store it, don’t
Security is Good for Business
Pantheon.io 26
Business Wins
● Stand out in your proposals
● Win more RFP’s
○ Larger RFP’s usually require attention
to security
○ Add into proposals even when not
asked for it
Pantheon.io 27
Business Wins
● You can be liable for a breach
● Reduce your risk by implementing
proper security
○ Even if the client doesn’t ask for it
○ Even if you have to eat the cost
Pantheon.io 28
Business Wins
● Minimize exposure to sensitive
client data
○ Don’t store passwords
○ Don’t hold onto credentials
● May mean telling a client no or that
you cannot do what is asked
Pantheon.io 29
Business Wins
● Build a name for yourself
● Security is a growing niche
● Security builds trust and clients
who trust you are clients who
refer you
Pantheon.io 30
Business Fails
California Data Breach Report, 2012 - 2015
Recommendation 1: The 20 controls in the Center for Internet
Security’s Critical Security Controls define a minimum level of
information security that all organizations that collect or maintain
personal information should meet. The failure to implement all the
Controls that apply to an organization’s environment constitutes a lack
of reasonable security.
Everyone has the right
to the protection of
personal data.
General Data Protection Regulation (GDPR) - EU
Pantheon.io 32
Take Aways
● Win more and larger projects
● Security can be one more tool in tool
belt
● Protect your business by protecting
your clients
● Growing niche
Questions to Ask Your Clients
Pantheon.io 34
Questions to ask your clients
What information is collected?
Who will have logins?
Anything being sold? Any donations?
Pantheon.io 35
Trigger Words
● Ecommerce
● Donations
● Integration
● API
● Registered Users
● Paywall
● Forms in general
Pantheon.io 36
Take Aways
● PII is more than Credit Cards
● Use Discovery to uncover security concerns
● Dig in deeper on trigger words
Creating a Culture of Security
Pantheon.io 38
Creating a culture of Security
Every person on the team is responsible
for their part to be secure
Pantheon.io 39
Creating a Culture of Security
● Sales/Marketing
○ Use services and vendors that have been vetted for
security (payment gateways, cloud storage etc.)
○ Website responsibility is usually under Marketing
○ When in doubt, don’t post it
○ Get away from FUD, instead use security to empower
Pantheon.io 40
Creating a Culture of Security
● Development Team
○ Allow for time spent researching/learning
○ Regular code audits
○ Award and recognize failures caught by the team
○ Involve the development team in every proposal to ensure
the right questions are asked
Pantheon.io 41
Creating a Culture of Security
● Practical Tips
○ Use password managment tools
○ Use single sign-on / 2FA for all business critical items
○ Keep internal and guest wifi separate (don’t give out wifi
to everyone who walks in the door)
○ Regular security audits, discussions, memos etc.
Pantheon.io 42
Take Aways
● Everyone is responsible for security, not just developers
● Communication is key, encourage it!
● Learn from failures!
● “Your focus on security keeps us all secure”
Security Profiles & Case Studies
Pantheon.io 44
Security Profiles & Case Studies
Profile:
Small Business
Site: Brochureware, MailChimp, PayPal, no users
Focus on: Hosting platform, Drupal, API Keys
Pantheon.io 45
Security Profiles & Case Studies
Profile:
Higher Education
Site: Admissions, student records, donations
Focus on: Encryption, key management, compliance
Pantheon.io 46
Security Profiles & Case Studies
Profile:
Enterprise
Site: Corporate site, intranet, sub-sites
Focus on: Hosting, 2FA, encryption, key management, compliance
Pantheon.io 47
Take Aways
● Sites large and small have similar security concerns
● Modules and services can help
● Security is a good business investment
Evaluating Hosting Platforms
https://www.drupal.org/hosting
Pantheon.io 50
Traditional Options
Pantheon.io 51
Real World Mess
Pantheon.io 52
Better Way: Cloud. Consistent, Scalable
Pantheon.io 53
Take Aways
● Start with Drupal.org
● No Shared Hosting!
● Ask about Drupalgeddon process, timeframe, results
● Ask about Heartbleed process, timeframe, results
Securing Drupal
Pantheon.io 55
Secure Configuration
● Secure User 1
○ No simple passwords
○ Don’t share passwords
across sites
○ Doesn’t have to be ‘admin’
● Permissions & Roles
○ Administer * is powerful
○ Administer filters can pwn site
● No PHP (!!!)
● Update module
○ Wednesdays are security
releases
○ Turn it on. Get the
notifications. Do them
Pantheon.io 56
Drupal Modules (1 of 2)
■ Password Policy + Password Strength: enforce strong passwords
■ Security Review: tests for easy-to-make configuration mistakes
■ Security Kit: security-hardening options
■ Hacked!: check for altered code
■ Paranoia: identify and block PHP evals
■ Permissions Lock: more granular control over 'Administer
Permissions'
Pantheon.io 57
Drupal Modules (2 of 2)
■ Login Security: limit login attempts
■ Automated Logout: force logout after a specified time of inactivity
■ Two Factor Authentication: base module for two-factor
authentication
■ Encrypt: provides an API for performing two-way data encryption
■ Key: gives site administrators the ability to define how and where keys
are stored
Migrate to Drupal 8!
Pantheon.io 59
Drupal 8 FTW
● Drupal 6 is EOL
○ Great update opportunity
○ Migration is focused first on 6 -> 8 compatibility
○ Fix mistakes in the upgrade - don’t just keep bad practices in place
Pantheon.io 60
Drupal 8 FTW
● Drupal 8 is the most secure Drupal
○ Core isn’t an island anymore
○ String sanitization
○ NO PHP IN CORE!
○ Twig - No more bad practices!
90% of site-specific
vulnerabilities are in the
custom theme
- Peter Wolanin
https://dev.acquia.com/blog/drupal-8/10-ways-drupal-8-will-be-more-secure/2015/08/27/6621
Pantheon.io 62
Drupal 8 FTW
● Upgrade Cycle is a great opportunity for businesses to sell
● Built in REST API
○ Secure access to data
○ Opportunity for expanded projects
Pantheon.io 63
Take Aways
● Drupal 8 is newer, faster, and more secure!
● Upgrade opportunity from Drupal 6 -> 8 to fix issues and add new
business
● Expand projects with API support (be careful what you expose)
Bringing It Full Circle
Pantheon.io 65
In Conclusion
✓ You and your clients are targets
✓ Business value of security
✓ Build security into your processes, culture, proposals and billing
✓ Use a secure hosting provider
✓ Improve Drupal’s security with Configuration + Modules
Rate this Session and Get the
Slides
https://events.drupal.org/neworleans2016/sessions/simplifying-security-protecting-your-clients-and-your-company
Pantheon.io
Questions?
67
Drew Gorton
@dgorton
Luke Probasco
@geetarluke
Chris Teitzel
@technerdteitzel
Pantheon.io 68

More Related Content

Viewers also liked

Drupal without coding
Drupal without codingDrupal without coding
Drupal without coding
Stefan van Hooft
 
Envisio Live Portfolio Updated
Envisio Live Portfolio UpdatedEnvisio Live Portfolio Updated
Envisio Live Portfolio Updated
David Osei
 
Portfolio of the digital agency Spider Group
Portfolio of the digital agency Spider GroupPortfolio of the digital agency Spider Group
Portfolio of the digital agency Spider Group
Spider Group
 
Portfolio of Beatnik
Portfolio of BeatnikPortfolio of Beatnik
Portfolio of Beatnik
Beatnik
 
Activate company profile 2016
Activate company profile 2016Activate company profile 2016
Activate company profile 2016
Anton Bakerjian
 
Digital Agency Portfolio
Digital Agency PortfolioDigital Agency Portfolio
Digital Agency Portfolio
Cement Marketing
 
Better understanding your prospects, clients, stakeholders and end users usin...
Better understanding your prospects, clients, stakeholders and end users usin...Better understanding your prospects, clients, stakeholders and end users usin...
Better understanding your prospects, clients, stakeholders and end users usin...
Kubair Shirazee
 
Our Portfolio | TeamD - A Full Service Marketing Agency
Our Portfolio | TeamD - A Full Service Marketing AgencyOur Portfolio | TeamD - A Full Service Marketing Agency
Our Portfolio | TeamD - A Full Service Marketing Agency
Khawaja Rehan Ahmed
 

Viewers also liked (8)

Drupal without coding
Drupal without codingDrupal without coding
Drupal without coding
 
Envisio Live Portfolio Updated
Envisio Live Portfolio UpdatedEnvisio Live Portfolio Updated
Envisio Live Portfolio Updated
 
Portfolio of the digital agency Spider Group
Portfolio of the digital agency Spider GroupPortfolio of the digital agency Spider Group
Portfolio of the digital agency Spider Group
 
Portfolio of Beatnik
Portfolio of BeatnikPortfolio of Beatnik
Portfolio of Beatnik
 
Activate company profile 2016
Activate company profile 2016Activate company profile 2016
Activate company profile 2016
 
Digital Agency Portfolio
Digital Agency PortfolioDigital Agency Portfolio
Digital Agency Portfolio
 
Better understanding your prospects, clients, stakeholders and end users usin...
Better understanding your prospects, clients, stakeholders and end users usin...Better understanding your prospects, clients, stakeholders and end users usin...
Better understanding your prospects, clients, stakeholders and end users usin...
 
Our Portfolio | TeamD - A Full Service Marketing Agency
Our Portfolio | TeamD - A Full Service Marketing AgencyOur Portfolio | TeamD - A Full Service Marketing Agency
Our Portfolio | TeamD - A Full Service Marketing Agency
 

Similar to Simplifying Security: Protecting Your Clients and Your Company

Securing The Reality of Multiple Cloud Apps: Pandora's Story
Securing The Reality of Multiple Cloud Apps: Pandora's StorySecuring The Reality of Multiple Cloud Apps: Pandora's Story
Securing The Reality of Multiple Cloud Apps: Pandora's Story
CloudLock
 
How I Learned to Stop Worrying and Love Building Data Products
How I Learned to Stop Worrying and Love Building Data ProductsHow I Learned to Stop Worrying and Love Building Data Products
How I Learned to Stop Worrying and Love Building Data Products
Alejandro Correa Bahnsen, PhD
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
Claus Cramon Houmann
 
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Cloud Security Alliance Lviv Chapter
 
The 5 ws of Cyber Security
The 5 ws of Cyber SecurityThe 5 ws of Cyber Security
The 5 ws of Cyber Security
Misha Hanin
 
Year Zero
Year ZeroYear Zero
Year Zero
leifdreizler
 
User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022
lior mazor
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat Modelling
Knoldus Inc.
 
Protecting endpoints from targeted attacks
Protecting endpoints from targeted attacksProtecting endpoints from targeted attacks
Protecting endpoints from targeted attacks
AppSense
 
Keyless Technologies - NOAH19 London
Keyless Technologies - NOAH19 LondonKeyless Technologies - NOAH19 London
Keyless Technologies - NOAH19 London
NOAH Advisors
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)
Ray Bugg
 
Securing your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEsSecuring your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEs
Sonny Hashmi
 
Securing your digital world cybersecurity for sb es
Securing your digital world   cybersecurity for sb esSecuring your digital world   cybersecurity for sb es
Securing your digital world cybersecurity for sb es
Sonny Hashmi
 
Privacy for tech startups
Privacy for tech startups Privacy for tech startups
Privacy for tech startups
Marc Gallardo
 
Beware the Firewall My Son: The Workshop
Beware the Firewall My Son: The WorkshopBeware the Firewall My Son: The Workshop
Beware the Firewall My Son: The Workshop
Michele Chubirka
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
Adrian Sanabria
 
Customer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-CodeCustomer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-Code
Panther Labs
 
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
FIDO Alliance
 
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Sean Whalen
 

Similar to Simplifying Security: Protecting Your Clients and Your Company (20)

Securing The Reality of Multiple Cloud Apps: Pandora's Story
Securing The Reality of Multiple Cloud Apps: Pandora's StorySecuring The Reality of Multiple Cloud Apps: Pandora's Story
Securing The Reality of Multiple Cloud Apps: Pandora's Story
 
How I Learned to Stop Worrying and Love Building Data Products
How I Learned to Stop Worrying and Love Building Data ProductsHow I Learned to Stop Worrying and Love Building Data Products
How I Learned to Stop Worrying and Love Building Data Products
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
 
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
 
The 5 ws of Cyber Security
The 5 ws of Cyber SecurityThe 5 ws of Cyber Security
The 5 ws of Cyber Security
 
Year Zero
Year ZeroYear Zero
Year Zero
 
User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat Modelling
 
Protecting endpoints from targeted attacks
Protecting endpoints from targeted attacksProtecting endpoints from targeted attacks
Protecting endpoints from targeted attacks
 
Keyless Technologies - NOAH19 London
Keyless Technologies - NOAH19 LondonKeyless Technologies - NOAH19 London
Keyless Technologies - NOAH19 London
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)
 
Securing your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEsSecuring your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEs
 
Securing your digital world cybersecurity for sb es
Securing your digital world   cybersecurity for sb esSecuring your digital world   cybersecurity for sb es
Securing your digital world cybersecurity for sb es
 
Privacy for tech startups
Privacy for tech startups Privacy for tech startups
Privacy for tech startups
 
Beware the Firewall My Son: The Workshop
Beware the Firewall My Son: The WorkshopBeware the Firewall My Son: The Workshop
Beware the Firewall My Son: The Workshop
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
Customer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-CodeCustomer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-Code
 
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
 
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
 

More from Drew Gorton

Understanding Marketing: DrupalCon Global 2020
Understanding Marketing: DrupalCon Global 2020Understanding Marketing: DrupalCon Global 2020
Understanding Marketing: DrupalCon Global 2020
Drew Gorton
 
Drupalers Guide to Marketing: DrupalCon Seattle
Drupalers Guide to Marketing: DrupalCon SeattleDrupalers Guide to Marketing: DrupalCon Seattle
Drupalers Guide to Marketing: DrupalCon Seattle
Drew Gorton
 
Marketing for Drupalers - Drupal Europe
Marketing for Drupalers  - Drupal EuropeMarketing for Drupalers  - Drupal Europe
Marketing for Drupalers - Drupal Europe
Drew Gorton
 
Growing Great Teams - WordCamp Minneapolis
Growing Great Teams - WordCamp MinneapolisGrowing Great Teams - WordCamp Minneapolis
Growing Great Teams - WordCamp Minneapolis
Drew Gorton
 
Web User Experience in 2021
Web User Experience in 2021Web User Experience in 2021
Web User Experience in 2021
Drew Gorton
 
Understanding and implementing website security
Understanding and implementing website securityUnderstanding and implementing website security
Understanding and implementing website security
Drew Gorton
 
Word Press at Scale - WordCamp Minneapolis
Word Press at Scale - WordCamp MinneapolisWord Press at Scale - WordCamp Minneapolis
Word Press at Scale - WordCamp Minneapolis
Drew Gorton
 
Web User Experience in 2020
Web User Experience in 2020Web User Experience in 2020
Web User Experience in 2020
Drew Gorton
 
Understanding and Implementing Website Security
Understanding and Implementing Website SecurityUnderstanding and Implementing Website Security
Understanding and Implementing Website Security
Drew Gorton
 
Welcome to Drupal
Welcome to DrupalWelcome to Drupal
Welcome to Drupal
Drew Gorton
 
10 Lessons Learned as a Drupal Entrepreneur
10 Lessons Learned as a Drupal Entrepreneur10 Lessons Learned as a Drupal Entrepreneur
10 Lessons Learned as a Drupal Entrepreneur
Drew Gorton
 
Responsive HTML Email with Drupal
Responsive HTML Email with DrupalResponsive HTML Email with Drupal
Responsive HTML Email with Drupal
Drew Gorton
 
Welcome to Drupal: Midcamp 2015
Welcome to Drupal: Midcamp 2015Welcome to Drupal: Midcamp 2015
Welcome to Drupal: Midcamp 2015
Drew Gorton
 
Drupal for Communicators
Drupal for CommunicatorsDrupal for Communicators
Drupal for Communicators
Drew Gorton
 
Welcome to the Drupal
Welcome to the DrupalWelcome to the Drupal
Welcome to the Drupal
Drew Gorton
 

More from Drew Gorton (15)

Understanding Marketing: DrupalCon Global 2020
Understanding Marketing: DrupalCon Global 2020Understanding Marketing: DrupalCon Global 2020
Understanding Marketing: DrupalCon Global 2020
 
Drupalers Guide to Marketing: DrupalCon Seattle
Drupalers Guide to Marketing: DrupalCon SeattleDrupalers Guide to Marketing: DrupalCon Seattle
Drupalers Guide to Marketing: DrupalCon Seattle
 
Marketing for Drupalers - Drupal Europe
Marketing for Drupalers  - Drupal EuropeMarketing for Drupalers  - Drupal Europe
Marketing for Drupalers - Drupal Europe
 
Growing Great Teams - WordCamp Minneapolis
Growing Great Teams - WordCamp MinneapolisGrowing Great Teams - WordCamp Minneapolis
Growing Great Teams - WordCamp Minneapolis
 
Web User Experience in 2021
Web User Experience in 2021Web User Experience in 2021
Web User Experience in 2021
 
Understanding and implementing website security
Understanding and implementing website securityUnderstanding and implementing website security
Understanding and implementing website security
 
Word Press at Scale - WordCamp Minneapolis
Word Press at Scale - WordCamp MinneapolisWord Press at Scale - WordCamp Minneapolis
Word Press at Scale - WordCamp Minneapolis
 
Web User Experience in 2020
Web User Experience in 2020Web User Experience in 2020
Web User Experience in 2020
 
Understanding and Implementing Website Security
Understanding and Implementing Website SecurityUnderstanding and Implementing Website Security
Understanding and Implementing Website Security
 
Welcome to Drupal
Welcome to DrupalWelcome to Drupal
Welcome to Drupal
 
10 Lessons Learned as a Drupal Entrepreneur
10 Lessons Learned as a Drupal Entrepreneur10 Lessons Learned as a Drupal Entrepreneur
10 Lessons Learned as a Drupal Entrepreneur
 
Responsive HTML Email with Drupal
Responsive HTML Email with DrupalResponsive HTML Email with Drupal
Responsive HTML Email with Drupal
 
Welcome to Drupal: Midcamp 2015
Welcome to Drupal: Midcamp 2015Welcome to Drupal: Midcamp 2015
Welcome to Drupal: Midcamp 2015
 
Drupal for Communicators
Drupal for CommunicatorsDrupal for Communicators
Drupal for Communicators
 
Welcome to the Drupal
Welcome to the DrupalWelcome to the Drupal
Welcome to the Drupal
 

Recently uploaded

Study of international anticancer research trends.pdf
Study of international anticancer research trends.pdfStudy of international anticancer research trends.pdf
Study of international anticancer research trends.pdf
Preston University
 
Team Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public servicesTeam Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public services
Bangladesh Network Operators Group
 
Portugal Dreamin 24 - How to easily use an API with Flows
Portugal Dreamin 24  - How to easily use an API with FlowsPortugal Dreamin 24  - How to easily use an API with Flows
Portugal Dreamin 24 - How to easily use an API with Flows
Thierry TROUIN ☁
 
Rent remote desktop server mangohost .net
Rent remote desktop server mangohost .netRent remote desktop server mangohost .net
Rent remote desktop server mangohost .net
pdfsubmission50
 
DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33
APNIC
 
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdfTop 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Krishna L
 
Trump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination ShirtTrump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination Shirt
exgf28
 
Trump fist pump t shirts Trump fist pump t shirts
Trump fist pump t shirts Trump fist pump t shirtsTrump fist pump t shirts Trump fist pump t shirts
Trump fist pump t shirts Trump fist pump t shirts
exgf28
 
Network Security version1.0 - Module 3.pptx
Network Security version1.0 - Module 3.pptxNetwork Security version1.0 - Module 3.pptx
Network Security version1.0 - Module 3.pptx
Infotainmentforall
 
upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1
diogolsew
 
Enhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfedEnhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfed
Bangladesh Network Operators Group
 
Do it again anti Republican shirt Do it again anti Republican shirt
Do it again anti Republican shirt Do it again anti Republican shirtDo it again anti Republican shirt Do it again anti Republican shirt
Do it again anti Republican shirt Do it again anti Republican shirt
exgf28
 
Week 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docxWeek 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docx
JunaManroe1
 
Ontology for the semantic enhancement, database definition and management and...
Ontology for the semantic enhancement, database definition and management and...Ontology for the semantic enhancement, database definition and management and...
Ontology for the semantic enhancement, database definition and management and...
Edward Blurock
 
Digital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade communityDigital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade community
Piotr Siuda
 
Best CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web DevelopersBest CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web Developers
Shrestha Raaz
 
Understanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat IntelligenceUnderstanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat Intelligence
Lumiverse Solutions Pvt Ltd
 
Mobile SEO India | Mobile SEO Service | Mobile SEO Company
Mobile SEO India | Mobile SEO Service | Mobile SEO CompanyMobile SEO India | Mobile SEO Service | Mobile SEO Company
Mobile SEO India | Mobile SEO Service | Mobile SEO Company
SIB Infotech
 
Open Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using GraylogOpen Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using Graylog
Bangladesh Network Operators Group
 
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
yilin01100
 

Recently uploaded (20)

Study of international anticancer research trends.pdf
Study of international anticancer research trends.pdfStudy of international anticancer research trends.pdf
Study of international anticancer research trends.pdf
 
Team Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public servicesTeam Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public services
 
Portugal Dreamin 24 - How to easily use an API with Flows
Portugal Dreamin 24  - How to easily use an API with FlowsPortugal Dreamin 24  - How to easily use an API with Flows
Portugal Dreamin 24 - How to easily use an API with Flows
 
Rent remote desktop server mangohost .net
Rent remote desktop server mangohost .netRent remote desktop server mangohost .net
Rent remote desktop server mangohost .net
 
DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33
 
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdfTop 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
 
Trump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination ShirtTrump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination Shirt
 
Trump fist pump t shirts Trump fist pump t shirts
Trump fist pump t shirts Trump fist pump t shirtsTrump fist pump t shirts Trump fist pump t shirts
Trump fist pump t shirts Trump fist pump t shirts
 
Network Security version1.0 - Module 3.pptx
Network Security version1.0 - Module 3.pptxNetwork Security version1.0 - Module 3.pptx
Network Security version1.0 - Module 3.pptx
 
upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1
 
Enhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfedEnhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfed
 
Do it again anti Republican shirt Do it again anti Republican shirt
Do it again anti Republican shirt Do it again anti Republican shirtDo it again anti Republican shirt Do it again anti Republican shirt
Do it again anti Republican shirt Do it again anti Republican shirt
 
Week 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docxWeek 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docx
 
Ontology for the semantic enhancement, database definition and management and...
Ontology for the semantic enhancement, database definition and management and...Ontology for the semantic enhancement, database definition and management and...
Ontology for the semantic enhancement, database definition and management and...
 
Digital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade communityDigital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade community
 
Best CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web DevelopersBest CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web Developers
 
Understanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat IntelligenceUnderstanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat Intelligence
 
Mobile SEO India | Mobile SEO Service | Mobile SEO Company
Mobile SEO India | Mobile SEO Service | Mobile SEO CompanyMobile SEO India | Mobile SEO Service | Mobile SEO Company
Mobile SEO India | Mobile SEO Service | Mobile SEO Company
 
Open Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using GraylogOpen Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using Graylog
 
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
 

Simplifying Security: Protecting Your Clients and Your Company

  • 1. Welcome to the Business Track FFWagency.com @FFWglobal
  • 2. >Full-service digital agency >World’s largest Drupal agency >420 employees worldwide >Portfolio includes Pfizer, NBC, Stanford University, City of Copenhagen, and General Electric >FFW Center of Excellence – thousands of hours of free Drupal training at www.ffwagency.com/event about FFW
  • 3. ray saltini director FFW Center of Excellence @raysaltini, ray.saltini@ffwagency.com www.ffwagency.com/event FFWagency.com @FFWglobal The FFW Center of Excellence was launched in 2015 to further the advancement of open source internet technologies through evangelism, training and code contributions. The Center is the primary vehicle for FFW’s engagement with the Drupal community. Since it’s launch large enterprise organizations and SMBEs have registered for more than $200,000 worth of free training around Drupal best practices and Drupal 8, and FFW developers have logged nearly 1,000 hours toward code contributions.
  • 4. Simplifying Security: Protecting your Clients and Your Company FFWagency.com @FFWglobal right now Chris Teitzel Founder/CEO at Cellar Door Media Drew Gorton Director @ Pantheon. Co-Founder, NodeSquirrel, CEO Emeritus, Gorton Studios. Ex-Developer Luke Probasco Drupal General Manager/Director of Marketing at Townsend Security “having the security conversation”
  • 5. Simplifying Security: Protecting your Clients and your Company
  • 6. Pantheon.io Who Dat? 6 Drew Gorton @dgorton Luke Probasco @geetarluke Chris Teitzel @technerdteitzel
  • 7. Time For a Quick Game
  • 10. Because that is where the money is. - Willie Sutton
  • 11. Pantheon.io 11 Take Aways ● Breaches aren’t a matter of “if”, but “when” ● Protect more than credit cards - that’s not what hackers really want anyway
  • 13. I’m too small to be a target.
  • 17. My clients aren’t paying me for security.
  • 18. Pantheon.io 18 Take Aways ● Hackers are targeting small and mid-sized organizations ● Compliance covers all industries ● You need to build security into sites, client’s shouldn’t have to ask for it ● It’s not that hard
  • 20. Pantheon.io 20 What is Security? CIA Triad ● Confidentiality ● Integrity ● Availability Security is a Continuum ● More vs. Less ● Not On vs. Off
  • 21. Pantheon.io 21 Personally Identifiable Information (PII) Information that can be combined with something else to determine a specific person: ● Name, address, email, date of birth, telephone number, company, title ... Some compliance regulations specify what data
  • 23. Pantheon.io 23 Defense in Depth ● Each layer takes time, which is the enemy of hackers ● Involves every portion of the company http://www.slideshare.net/warpforge/dont-build-death-star-security-oreilly-software-architecture-conference-2016-nyc
  • 24. Pantheon.io 24 Take Aways ● There is no security “magic bullet” ● Have a “defense in depth” approach ● If you don’t have to collect or store it, don’t
  • 25. Security is Good for Business
  • 26. Pantheon.io 26 Business Wins ● Stand out in your proposals ● Win more RFP’s ○ Larger RFP’s usually require attention to security ○ Add into proposals even when not asked for it
  • 27. Pantheon.io 27 Business Wins ● You can be liable for a breach ● Reduce your risk by implementing proper security ○ Even if the client doesn’t ask for it ○ Even if you have to eat the cost
  • 28. Pantheon.io 28 Business Wins ● Minimize exposure to sensitive client data ○ Don’t store passwords ○ Don’t hold onto credentials ● May mean telling a client no or that you cannot do what is asked
  • 29. Pantheon.io 29 Business Wins ● Build a name for yourself ● Security is a growing niche ● Security builds trust and clients who trust you are clients who refer you
  • 30. Pantheon.io 30 Business Fails California Data Breach Report, 2012 - 2015 Recommendation 1: The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
  • 31. Everyone has the right to the protection of personal data. General Data Protection Regulation (GDPR) - EU
  • 32. Pantheon.io 32 Take Aways ● Win more and larger projects ● Security can be one more tool in tool belt ● Protect your business by protecting your clients ● Growing niche
  • 33. Questions to Ask Your Clients
  • 34. Pantheon.io 34 Questions to ask your clients What information is collected? Who will have logins? Anything being sold? Any donations?
  • 35. Pantheon.io 35 Trigger Words ● Ecommerce ● Donations ● Integration ● API ● Registered Users ● Paywall ● Forms in general
  • 36. Pantheon.io 36 Take Aways ● PII is more than Credit Cards ● Use Discovery to uncover security concerns ● Dig in deeper on trigger words
  • 37. Creating a Culture of Security
  • 38. Pantheon.io 38 Creating a culture of Security Every person on the team is responsible for their part to be secure
  • 39. Pantheon.io 39 Creating a Culture of Security ● Sales/Marketing ○ Use services and vendors that have been vetted for security (payment gateways, cloud storage etc.) ○ Website responsibility is usually under Marketing ○ When in doubt, don’t post it ○ Get away from FUD, instead use security to empower
  • 40. Pantheon.io 40 Creating a Culture of Security ● Development Team ○ Allow for time spent researching/learning ○ Regular code audits ○ Award and recognize failures caught by the team ○ Involve the development team in every proposal to ensure the right questions are asked
  • 41. Pantheon.io 41 Creating a Culture of Security ● Practical Tips ○ Use password managment tools ○ Use single sign-on / 2FA for all business critical items ○ Keep internal and guest wifi separate (don’t give out wifi to everyone who walks in the door) ○ Regular security audits, discussions, memos etc.
  • 42. Pantheon.io 42 Take Aways ● Everyone is responsible for security, not just developers ● Communication is key, encourage it! ● Learn from failures! ● “Your focus on security keeps us all secure”
  • 43. Security Profiles & Case Studies
  • 44. Pantheon.io 44 Security Profiles & Case Studies Profile: Small Business Site: Brochureware, MailChimp, PayPal, no users Focus on: Hosting platform, Drupal, API Keys
  • 45. Pantheon.io 45 Security Profiles & Case Studies Profile: Higher Education Site: Admissions, student records, donations Focus on: Encryption, key management, compliance
  • 46. Pantheon.io 46 Security Profiles & Case Studies Profile: Enterprise Site: Corporate site, intranet, sub-sites Focus on: Hosting, 2FA, encryption, key management, compliance
  • 47. Pantheon.io 47 Take Aways ● Sites large and small have similar security concerns ● Modules and services can help ● Security is a good business investment
  • 52. Pantheon.io 52 Better Way: Cloud. Consistent, Scalable
  • 53. Pantheon.io 53 Take Aways ● Start with Drupal.org ● No Shared Hosting! ● Ask about Drupalgeddon process, timeframe, results ● Ask about Heartbleed process, timeframe, results
  • 55. Pantheon.io 55 Secure Configuration ● Secure User 1 ○ No simple passwords ○ Don’t share passwords across sites ○ Doesn’t have to be ‘admin’ ● Permissions & Roles ○ Administer * is powerful ○ Administer filters can pwn site ● No PHP (!!!) ● Update module ○ Wednesdays are security releases ○ Turn it on. Get the notifications. Do them
  • 56. Pantheon.io 56 Drupal Modules (1 of 2) ■ Password Policy + Password Strength: enforce strong passwords ■ Security Review: tests for easy-to-make configuration mistakes ■ Security Kit: security-hardening options ■ Hacked!: check for altered code ■ Paranoia: identify and block PHP evals ■ Permissions Lock: more granular control over 'Administer Permissions'
  • 57. Pantheon.io 57 Drupal Modules (2 of 2) ■ Login Security: limit login attempts ■ Automated Logout: force logout after a specified time of inactivity ■ Two Factor Authentication: base module for two-factor authentication ■ Encrypt: provides an API for performing two-way data encryption ■ Key: gives site administrators the ability to define how and where keys are stored
  • 59. Pantheon.io 59 Drupal 8 FTW ● Drupal 6 is EOL ○ Great update opportunity ○ Migration is focused first on 6 -> 8 compatibility ○ Fix mistakes in the upgrade - don’t just keep bad practices in place
  • 60. Pantheon.io 60 Drupal 8 FTW ● Drupal 8 is the most secure Drupal ○ Core isn’t an island anymore ○ String sanitization ○ NO PHP IN CORE! ○ Twig - No more bad practices!
  • 61. 90% of site-specific vulnerabilities are in the custom theme - Peter Wolanin https://dev.acquia.com/blog/drupal-8/10-ways-drupal-8-will-be-more-secure/2015/08/27/6621
  • 62. Pantheon.io 62 Drupal 8 FTW ● Upgrade Cycle is a great opportunity for businesses to sell ● Built in REST API ○ Secure access to data ○ Opportunity for expanded projects
  • 63. Pantheon.io 63 Take Aways ● Drupal 8 is newer, faster, and more secure! ● Upgrade opportunity from Drupal 6 -> 8 to fix issues and add new business ● Expand projects with API support (be careful what you expose)
  • 65. Pantheon.io 65 In Conclusion ✓ You and your clients are targets ✓ Business value of security ✓ Build security into your processes, culture, proposals and billing ✓ Use a secure hosting provider ✓ Improve Drupal’s security with Configuration + Modules
  • 66. Rate this Session and Get the Slides https://events.drupal.org/neworleans2016/sessions/simplifying-security-protecting-your-clients-and-your-company