SlideShare a Scribd company logo

Drupal Camp Atlanta 2011 - Drupal Security

Download as PPT, PDF
Mediacurrent
Mediacurrent

Introduction to security on Drupal and introduces some testing tools, common problems and solutions. We also introduce the concept of a response team and best practices to get you started.

1 of 26
Downloaded 31 times
Locking down Drupal and  managing security breaches By Andy Thornton Mediacurrent Consultant Twitter: @BohemianPixel [email_address]
Overview Slides will be made available at the end of the presentation Common Security Issues Drupal Best Practices Testing Tools Web Application Firewalls Tiger Teams Planning and Policies Managing a security breach. Resources Questions
What is SQL Injection In it's simplest form .. Example SQL Statement: statement = "SELECT * FROM users WHERE name = '" + userName + "';" But what would happen if they added something else to their name, something we didn't plan for ..
even more simply ...
Handling SQL Injection Drupal makes it easy. check_plain() check_markup() filter_xss() filter_xss_admin() Bad:  $username=$node->field_uname[0][‘value’]; Good:  $username=check_plain($node->field_uname[0][‘value’]); Tip : Don't forget this with other forms of input, such as arguments passed in the URL. Sanitise your inputs
SQL Injection Drupal 6 db_query() db_rewrite_sql() Bad: $result = db_query("SELECT * from {users} WHERE name = $myvar"); Good: $result = db_query(“SELECT pass FROM {users} WHERE name = ‘%s’, $myvar); Drupal 7 Example: $result = db_query(“SELECT nid, title FROM {node} WHERE type = :type”, array( ‘ :type’ => ‘page’, )); Writing secure queries based on inputs
What is Cross Site Scripting? Cross-site scripting holes are vulnerabilities where a user can inject malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page-content, session cookies, and a variety of other information maintained by the browser on behalf of the user.
What just happened? The script from the previous slide doesn't do anything in Chrome, but when I open the page in Firefox or IE ....
More Examples... Don't try these out on your site. ¼script¾alert(¢XSS¢)¼/script¾ <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></object> <IMG SRC=&quot;http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode&quot;> <SCRIPT a=&quot;>&quot; SRC=&quot;http://www.dodgysite.com/xss.js&quot;></SCRIPT> <A HREF=&quot;http://0x42.0x0000066.0x7.0x93/&quot;>XSS</A>   <A HREF=&quot;javascript:document.location='/logout'&quot;>XSS</A>
Protection from XSS Never allow &quot;Full HTML&quot; on your posting Input filter for general users. filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'p')) Wrap you content with   filter_xss() check_plain() check_markup() Examples: <body class=&quot;<?php print check_plain($_GET['parameter']); ?>&quot;> Rule of Thumb   Never trust user input.   You can take user input, check it against a reference list and use resulting output to print the actual data.
Permissions chmod , changes permissions on a file depending on who the user is, which groups they are members of, or how the rest of the world can interact with it. Supports +/- , so chmod o-w myfile This example removes the ability for the world to edit the file making it read only. chown , changes ownership of the file or directory. For drupal we would give the world (Apache) read only access to our settings.php, but let the user own the rest of the directory chmod 400 settings.php chown www-data:www-data settings.php
Social Engineering Meet Kevin Mitnick Master of Social  Engineering. http://mitnicksecurity.com/ It seems to be a universal truth that most people don't believe Social Engineering (gaining information by deceit) could be so easy. &quot;No one could be that stupid&quot; is a common phrase heard from people who first learn how these types of attacks work.  However, once demonstrated (especially with some personal information of theirs) they become hard and fast believers. Just seeing it in action brings home the reality that information can leak through most any worker and that one must always be on guard. 
Couple of one-liners ... Nosuid / Noexec Set up /site/default/files and /tmp on their own partitions. /dev/sda3 /home/andy/public_html/sites/default/files ext3 defaults,nosuid Set wgetrc to not save downloads. delete_after = on Regular Security Scans against code. Use a tool like openvas / RATS or a web application firewall such as WhiteHat sentinal. Limit who has access to your code base and server. Don't let vendors have more access than they need Code for what you expect. Stop playing whack-a-mole and take ownership of your code. 
Web Application Firewalls
Handy Tools to know Opensource Tools Openvas R.A.T.S. Tripwire NAXSI Commercial Web Inspect (HP) Whitehat (WAF) Barracuda (WAF) Imperva (WAF) Command Line Warriors lsof grep find Web Application Firewalls NAXSI   Armorlogic Array Networks  Barracuda Web Application Firewall Cisco Citrix NetScaler F5 Networks Fortinet ModSecurity Radware SonicWALL Imperva WhiteHat Security
Tiger Teams “ It is better to  BE  ready, than to GET ready.”
What is a tiger team? Who's on it and why? IT Department. Website Technical Lead (or project manager) Management stakeholders. Marketing & Corporate Communications team Legal Department. Trivia note: Microsoft refers to a Tiger Team as &quot; C ore C omputer S ecurity I ncident R esponse T eam&quot; or CCSIRT for short. They have a good article on Technet on roles in a Tiger...<oops> CCSIRT team. http://technet.microsoft.com/en-us/library/cc700825.aspx The term originated in aerospace design but is also used in other settings, including information technology and emergency management. According to a 1964 definition,  &quot;It has been described as a team of undomesticated and uninhibited technical specialists, selected for their experience, energy, and imagination, and assigned to track down relentlessly every possible source of failure in a spacecraft subsystem.&quot; - wikipedia
What do they do? Have access to contact points for out of hours members of the team / stakeholders & third parties.  Setup an email for the team. (eg: tiger@mycompany.com)  Access to communications plan and any associated documents. Secure area of network for collating evidence and documentation. Identify a chain of command, escalating communication down the chain. Schedule daily response meetings during the investigation. Establish a communication plan for the team to keep all stake holders informed.  Flag emails with an incident response code, so they can be collated by legal or include tiger email. Setup communication plan for employees so they know how to respond if contacted by the press. Manage disclosure between employees and the public. Team members will keep their own departments apprised of the status of the investigation. Appoint a team leader, dedicated to the task they are prime contact for the management team.
Always have a plan Corporate Communication Plan. Incident Response Worksheet. Prepared Press release. Internal Communication Policy. (loose lips, sink ships) Communication list of internal stakeholders. Appoint a single point of contact for inquiries. Collect contact numbers for everyone involved and all third party resources. Have a secure place put set aside on your network / Intranet. &quot;I have a plan so cunning you could stick a tail on it and call it a weasel&quot; - Lord Edmund Blackadder
Always remember ... Sanitise your in/output. Use Drupal methods, Keep your site up to date. Have a plan in place. Audit your code. Never, never hack core. Or Dries will send out creatures from Acquia's secret lab specifically trained to hunt Kittens ...
Handling a security breach
First Off
Unleash the Tigers
Activate your CSIRT .. Tiger Team! Start the clock. Pull the plug, don't shut it down. Redirect to a static page from a DNS level. If possible, take a copy of the disk and store it offline. Get the authorities involved the moment you have verified data has been compromised. Don't use a backup without knowing the cause of the attack. Don't change passwords or try and fix files. If the filesystem was compromised, don't trust that server build. Investigate in parallel to the authorities. Follow your workflow and communication plan.
Resources Security Team:  http://drupal.org/node/32750  Security advisories:  http://drupal.org/security Secure Text Handling: http://drupal.org/node/28984 Writing Secure Code: http://drupal.org/writing-secure-code Responding to IT Security Incidents http://technet.microsoft.com/en-us/library/cc700825.aspx Slides http://bit.ly/dca-security   Secret Service Atlanta Electronic Crimes Task Force 404-331-6111 Email:  [email_address]
Questions?

More Related Content

Drupal Camp Atlanta 2011 - Drupal Security

  • 1. Locking down Drupal and  managing security breaches By Andy Thornton Mediacurrent Consultant Twitter: @BohemianPixel [email_address]
  • 2. Overview Slides will be made available at the end of the presentation Common Security Issues Drupal Best Practices Testing Tools Web Application Firewalls Tiger Teams Planning and Policies Managing a security breach. Resources Questions
  • 3. What is SQL Injection In it's simplest form .. Example SQL Statement: statement = &quot;SELECT * FROM users WHERE name = '&quot; + userName + &quot;';&quot; But what would happen if they added something else to their name, something we didn't plan for ..
  • 5. Handling SQL Injection Drupal makes it easy. check_plain() check_markup() filter_xss() filter_xss_admin() Bad:  $username=$node->field_uname[0][‘value’]; Good:  $username=check_plain($node->field_uname[0][‘value’]); Tip : Don't forget this with other forms of input, such as arguments passed in the URL. Sanitise your inputs
  • 6. SQL Injection Drupal 6 db_query() db_rewrite_sql() Bad: $result = db_query(&quot;SELECT * from {users} WHERE name = $myvar&quot;); Good: $result = db_query(“SELECT pass FROM {users} WHERE name = ‘%s’, $myvar); Drupal 7 Example: $result = db_query(“SELECT nid, title FROM {node} WHERE type = :type”, array( ‘ :type’ => ‘page’, )); Writing secure queries based on inputs
  • 7. What is Cross Site Scripting? Cross-site scripting holes are vulnerabilities where a user can inject malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page-content, session cookies, and a variety of other information maintained by the browser on behalf of the user.
  • 8. What just happened? The script from the previous slide doesn't do anything in Chrome, but when I open the page in Firefox or IE ....
  • 9. More Examples... Don't try these out on your site. ¼script¾alert(¢XSS¢)¼/script¾ <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></object> <IMG SRC=&quot;http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode&quot;> <SCRIPT a=&quot;>&quot; SRC=&quot;http://www.dodgysite.com/xss.js&quot;></SCRIPT> <A HREF=&quot;http://0x42.0x0000066.0x7.0x93/&quot;>XSS</A>   <A HREF=&quot;javascript:document.location='/logout'&quot;>XSS</A>
  • 10. Protection from XSS Never allow &quot;Full HTML&quot; on your posting Input filter for general users. filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'p')) Wrap you content with   filter_xss() check_plain() check_markup() Examples: <body class=&quot;<?php print check_plain($_GET['parameter']); ?>&quot;> Rule of Thumb   Never trust user input.   You can take user input, check it against a reference list and use resulting output to print the actual data.
  • 11. Permissions chmod , changes permissions on a file depending on who the user is, which groups they are members of, or how the rest of the world can interact with it. Supports +/- , so chmod o-w myfile This example removes the ability for the world to edit the file making it read only. chown , changes ownership of the file or directory. For drupal we would give the world (Apache) read only access to our settings.php, but let the user own the rest of the directory chmod 400 settings.php chown www-data:www-data settings.php
  • 12. Social Engineering Meet Kevin Mitnick Master of Social  Engineering. http://mitnicksecurity.com/ It seems to be a universal truth that most people don't believe Social Engineering (gaining information by deceit) could be so easy. &quot;No one could be that stupid&quot; is a common phrase heard from people who first learn how these types of attacks work.  However, once demonstrated (especially with some personal information of theirs) they become hard and fast believers. Just seeing it in action brings home the reality that information can leak through most any worker and that one must always be on guard. 
  • 13. Couple of one-liners ... Nosuid / Noexec Set up /site/default/files and /tmp on their own partitions. /dev/sda3 /home/andy/public_html/sites/default/files ext3 defaults,nosuid Set wgetrc to not save downloads. delete_after = on Regular Security Scans against code. Use a tool like openvas / RATS or a web application firewall such as WhiteHat sentinal. Limit who has access to your code base and server. Don't let vendors have more access than they need Code for what you expect. Stop playing whack-a-mole and take ownership of your code. 
  • 15. Handy Tools to know Opensource Tools Openvas R.A.T.S. Tripwire NAXSI Commercial Web Inspect (HP) Whitehat (WAF) Barracuda (WAF) Imperva (WAF) Command Line Warriors lsof grep find Web Application Firewalls NAXSI   Armorlogic Array Networks  Barracuda Web Application Firewall Cisco Citrix NetScaler F5 Networks Fortinet ModSecurity Radware SonicWALL Imperva WhiteHat Security
  • 16. Tiger Teams “ It is better to  BE  ready, than to GET ready.”
  • 17. What is a tiger team? Who's on it and why? IT Department. Website Technical Lead (or project manager) Management stakeholders. Marketing & Corporate Communications team Legal Department. Trivia note: Microsoft refers to a Tiger Team as &quot; C ore C omputer S ecurity I ncident R esponse T eam&quot; or CCSIRT for short. They have a good article on Technet on roles in a Tiger...<oops> CCSIRT team. http://technet.microsoft.com/en-us/library/cc700825.aspx The term originated in aerospace design but is also used in other settings, including information technology and emergency management. According to a 1964 definition,  &quot;It has been described as a team of undomesticated and uninhibited technical specialists, selected for their experience, energy, and imagination, and assigned to track down relentlessly every possible source of failure in a spacecraft subsystem.&quot; - wikipedia
  • 18. What do they do? Have access to contact points for out of hours members of the team / stakeholders & third parties.  Setup an email for the team. (eg: [email protected])  Access to communications plan and any associated documents. Secure area of network for collating evidence and documentation. Identify a chain of command, escalating communication down the chain. Schedule daily response meetings during the investigation. Establish a communication plan for the team to keep all stake holders informed.  Flag emails with an incident response code, so they can be collated by legal or include tiger email. Setup communication plan for employees so they know how to respond if contacted by the press. Manage disclosure between employees and the public. Team members will keep their own departments apprised of the status of the investigation. Appoint a team leader, dedicated to the task they are prime contact for the management team.
  • 19. Always have a plan Corporate Communication Plan. Incident Response Worksheet. Prepared Press release. Internal Communication Policy. (loose lips, sink ships) Communication list of internal stakeholders. Appoint a single point of contact for inquiries. Collect contact numbers for everyone involved and all third party resources. Have a secure place put set aside on your network / Intranet. &quot;I have a plan so cunning you could stick a tail on it and call it a weasel&quot; - Lord Edmund Blackadder
  • 20. Always remember ... Sanitise your in/output. Use Drupal methods, Keep your site up to date. Have a plan in place. Audit your code. Never, never hack core. Or Dries will send out creatures from Acquia's secret lab specifically trained to hunt Kittens ...
  • 24. Activate your CSIRT .. Tiger Team! Start the clock. Pull the plug, don't shut it down. Redirect to a static page from a DNS level. If possible, take a copy of the disk and store it offline. Get the authorities involved the moment you have verified data has been compromised. Don't use a backup without knowing the cause of the attack. Don't change passwords or try and fix files. If the filesystem was compromised, don't trust that server build. Investigate in parallel to the authorities. Follow your workflow and communication plan.
  • 25. Resources Security Team:  http://drupal.org/node/32750  Security advisories:  http://drupal.org/security Secure Text Handling: http://drupal.org/node/28984 Writing Secure Code: http://drupal.org/writing-secure-code Responding to IT Security Incidents http://technet.microsoft.com/en-us/library/cc700825.aspx Slides http://bit.ly/dca-security   Secret Service Atlanta Electronic Crimes Task Force 404-331-6111 Email:  [email_address]

Editor's Notes

  • #14: Talk about noexec / nosuid
  • #15: What is a web application firewall?
  • #17: What is a tiger team. A tiger team is a group of experts assigned to investigate and/or solve technical or systemic problems.  The term may have originated in aerospace design but is also used in other settings, including information technology and emergency management.[citation needed] According to a 1964 definition,  &amp;quot;In case the term &apos;tiger team&apos; is unfamiliar to you, it has been described as &apos;a team of undomesticated and uninhibited technical specialists, selected for their experience, energy, and imagination, and assigned to track down relentlessly every possible source of failure in a spacecraft subsystem.&amp;quot; The term used by Rockwell Collins for a roaming installation team. It is believed that they came up with the term &amp;quot;Tiger Team&amp;quot; - source, wikipedia.
  • #18: As part of the tiger team Identify contact points for out of hours.  Setup a mailing list for all team members. Provide all contact numbers for external resources to the team. Access to communications plan and any associated documents. Identify a chain of command, escallating issues down the chain. Schedule daily response meetings during the investigation. Establish a communication plan for the team to keep all stake holders informed. Have a web page on your intranet. Flag emails with an incident response code, so they can be collated by legal. Setup communication plan for employees so they know how to respond if contacted by the press. Manage disclosure between employees and the public. Team members will keep their own departments apprised of the status of the investigation. Appoint a team leader, dedicated to the task.
  • #20: Corporate Communication Plan - Different levels according to scope of the breach - Internal staff, how to respond to requests for information from reporters, bloggers etc. - Prepared press statement. - Single point of contact, usually your corporate communications manager. - Consult with authorities before communicating anything to the public How prepared is your information technology (IT) department or administrator to handle security incidents? Many organizations learn how to respond to security incidents only after suffering attacks. By this time, incidents often become much more costly than needed. Proper incident response should be an integral part of your overall security policy and risk mitigation strategy.
  • #25: Shutting down the server can execute code to clean evidence, powering down is much safer and preserves evidence.