Peeling Back the Onion: Drupal Security and Compliance

Drupal GovCon 2016 | Drupal Security and Compliance | Fen @openprivacy | Adam @n3rdstein | @CIVICACTIONS

Who are we...

CivicActions is …

Open Agile Transparent

What is security?

Problem of Security

WHAT ARE THE GOALS OF SECURITY?

Security Objective: Practical, preventative

measures for mitigating risk

COMPLIANCE DOES NOT MEAN SECURITY

Goals of Security

Image courtesy of the book: Information Security Principles of Success Breithaupt and Merkow, 2014

Information Assurance

The practice changes for each system and need

Let’s evaluate some guiding principles to achieve the

outlined goals

1. Least Privilege / Access Control 2. Complete Mediation 3. Attack Vectors 4. Logging, Auditing, Monitoring 5. Nonrepudiation

Security Principles

Security Principles 1. Least Privilege / Access Control 2. Complete Mediation 3. Attack Vectors 4. Logging, Auditing, Monitoring 5. Nonrepudiation

Be proactive and test your security practices

Why Compliance?

Compliance is not just a good idea,

it’s the law

Compliance is not just a good idea,

it’s the law

When you’re told that the new system has to be compliant

Continuous Monitoring is to be implemented by 2017 per OMB M-14-03.

See also: CDM from DHS and GSA.

The Risk Management Framework

Control Types

● Administrative ○ Guidelines, procedures (Security Policy)

● Technical ○ Intrusion detection systems, ACLs (Least Privilege)

● Physical ○ Physical (USB, media) access (Separation of Duties)

Practical Benefits of Compliance

● Scanning regularly (CVEs, STIGs, …) ● Keeping LAMP stack up-to-date ● Keeping Drupal up-to-date ● Reviewing logs ● Managing Access Control ● Incident Response Training ● Bastion SSH host and CDN

Compliance does not mean Security

Compliance controls provide guidance, but they do not prescribe security practices.

How are they related?

The Onion

1. Network - Ports, VPC, Monitor 2. Infrastructure - Instance OS, CDN, SSH

proxy, Load Balancer 3. Application - Drupal, Solr, HTTPD,

JavaScript 4. Data - MySQL, Shared Filesystem

proxy, Load Balancer 3. Application - Drupal, Solr, HTTPD, JavaScript 4. Data - MySQL, Shared Filesystem

proxy, Load Balancer 3. Application - Drupal, Solr, HTTPD,

JavaScript 4. Data - MySQL, Shared Filesystem

Look at each tier of the system to map controls to

security practices

Making the onion tasty

What are the most common compliance controls you need to be aware of?

Typical Controls

● AC: Access Control ● IA: Identification and Authentication ● AU: Audit & Accountability ● CM: Configuration Management ● RA: Risk Assessment

The 18 RMF (Risk Management Framework) “Control Families”

Defined in NIST SP 800-37 Rev 4

What is an example?

AC: Access Control

● AC-2 Account Management ● AC-2(5) Inactivity Logout ● AC-5 Separation of Duties ● AC-6 Least Privilege ● IA-5 Authenticator Management

AC: Drupal Solutions

● Roles and Perms ● Autologout ● Password Policy ● TFA / SimpleSAMLPHP ● * Permissions (Field Permissions,

Taxonomy Access Control, etc)

Handout

We have a handout that outlines additional security and compliance

recommendations

Current Challenges

1. Poorly defined best practices 2. Education of developers and reviewers 3. Tools are not robust or comprehensive 4. Tools are not accessible 5. No magic bullet (security is relative to your

system)

CURRENT CHALLENGES

system)

CURRENT CHALLENGES

system)

CURRENT CHALLENGES

system)

CURRENT CHALLENGES

system)

CURRENT CHALLENGES

Fun Stuff

Where do we see security and compliance going?

Innovation at every tier of the onion

The three year ATO cycle is transforming into

continuous assurance

Compliance is pushing more into DevOps

Build small, discrete components and automate

Intrusion Detection Isolate Threats

Minimize Damage

System predicts 85 percent of cyber-attacks using input from human experts Virtual artificial intelligence analyst developed by the Computer Science and Artificial Intelligence Lab and PatternEx reduces false positives by factor of 5. http://news.mit.edu/2016/ai-system-predicts-85-percent-cyber-attacks-using-input-human-experts-0418

Artificial Intelligence: The Next Frontier

Examples

OpenSCAP is free and open source, automated security scanning for operating systems* and selected applications.

*only Red Hat 6 & 7 for now, but can be extended

The GovReady Dashboard puts compliance info in a Drupal report.

*Alpha - Not yet ready for production, but interesting work.

Call To Action

We need to define best practices and build the tools

to support it

Open Concept’s Guide: Drupal Security Best

Practices

Drupal 8 Security Review New Plugin System Code Sprint

Thank you.

Peeling Back the Onion: Drupal Security and Compliance · The three year ATO cycle is transforming...

Documents

SAP dassian GOVCON webcast march 2013

Drupal GovCon 2020 | Drupal GovCon - Content Everywhere · 2018. 4. 19. · others are creating—think Game of Thrones vs. a police procedural. If your content isn’t differentiated,

Deltek Touch Time & Expense for GovCon 1.2 User Guidefiles.constantcontact.com/786cabf4501/615c874b-eb2... · Deltek Touch Time & Expense for GovCon, the touch screen version of the

FEDERAL Govt Contracting - Maximizing The Value of Your GovCon Business

Drupal GovCon · On-Page SEO - Title Tag Under 60 Characters Don’t overdo keywords Give every page a unique title Put important keywords first ... Off-Page SEO - Backlinks. Off-Page

Capital Edge Consulting, Inc. Corporate Brochure · Corporate Brochure, GovCon, Government Contacting, Government Contactor, Government Contacting Compliance, GovConCompliance, FAR,

ATF.gov en español - Drupal GovCon 2020 | Drupal GovCon · Drupal CMS Leverage memory Translate • Recruiting volunteers • TMS training • Assignments • Content review Subject

Getting “Cleared” for Launch GovCon Webinar Kathleen Smith

Drupal 8 Configuration Workflow in - Drupal GovCon 2020 … · Example: Configuration Workflow Code Review / QA 1. Install Drupal 2. Import Configuration 3. Configuration Creates

GovCon: Strategies and Trends for Winning Today

Advancing nysenate.gov Logo - Drupal GovCon · A self-proclaimed Drupal evangelist and member of the Drupal Association, Brad MacDonald has nearly ten years of Drupal ... of Drupal

GovCon Positioning to Win Series: Recruiting to Win

Drupal GovCon 2017 - Peer-to-peer Fundraising · Drupal Views shows campaign details Raise Fundraising Campaigns Fundraising Campaigns U of M fundraising pages Climb 4 Kidney Cancer

Three Key Steps to Ensure Security Compliance with Drupal in the Cloud

Panic-Free Project Prep - Drupal GovCon · – Attainable – If the client implements a new ecommerce solution, it may not be enough by itself to increase the sales conversion rate

Single Sign On - Drupal GovCon...Data Source Name (DSN) to access PHP Data Objects (PDO)s Tables created automatically, prefix if many SimpleSAML installations using single DB Memcache

Cultivating Extraordinary Culture on Distributed Teams · DRUPAL GOVCON 2015 | CULTIVATING EXTRAORDINARY CULTURE ON DISTRIBUTED TEAMS | AARON PAVA | @PAVA @CIVICACTIONS. 1. Ability

DEPLOYMENT MADE EASY! - Drupal GovCon Made...DSFederal Inc. - “Connecting the dots” Necessity is the Mother of Invention »Project Requirements – Budget – Team Size – Time

Bill Brantley Drupal GovCon 2015 · Drupal GovCon 2015 . Personnel Information (COBOL) Job Application Tracking #1 Job Application Tracking #2 Performance Management Onboarding Training

GovCon Strategies & Approaches for Winningmdbizoppssummit.com/wp-content/uploads/2018/10/... · GovCon Strategies & Approaches for Winning Presented by Bounce Back Consulting, LLC