Security 101

From DevSummit
Jump to navigation Jump to search

Security is always important, but any of our NPO's ignore it entirely, what are some security best practices that we can use and what are peoples security concerns.

Session Notes

Question: what are the bad things that are currently happening?

- cracking is now a professional industry

- less script kiddy tagging and more takeover of machines for reuse

- botnets are big, used for Denial of Service attacks

- people put comments on your site to put link spam on it

- someone could use your machine to host kiddy-porn and the FBI will take all your stuff

- credit cards standards are tightening, small sites are no longer proccessing credit card on their sites

Observation: With CMSes core security is usually very good, but when you add modules it goes down

Observation: Security is about building hurdles. Many mendium sized hurdles trump trying to make one big hurdle

Observation: Ex-employees are your biggest threat. They have intimate knowledge of your system and may be disgruntled

Observation: Email accounts are important because they can be used to do other password resets

Observation: Individulas are spending a lot of time to repurpose mail sending systems, the biggest target

Observation: Spam is big business even the russian mafia is getting into it

Observation: SSL is kinda broken now and open to man-in-the-middle attacks. It is a hurdle, but no longer an insurmoutable one.

Observation: Your own users with defeat your security if you make things too hard (too complicated passwords to remember in their head)

Tip: Cyberduck is a good SFTP/SCP/S3 client

Observation: You are always at risk. Know how much you have to lose, and position yourself accordingly.

Quote: "Security through obscurity is no security at all"

Question: what can you do to prevent personal security exploits?

- Have strong passwords (one of the main points of attack is to try dictionary terms)

- Use different passwords for every account and service (use an encrypted password manager to keep track of them)

- Don't put your password into a strange computer, such as a public kiosk

- Fill random crap into "security questions" so people can't hack your account by just knowing the name of your dog

- Log into accounts using a secure https ssl connection

- If you are using a mail client make sure you configure it to use SSL

- Don't sign into anything that asks for your username and password (for posting to Twitter or Facebook) only use Facebook connect or OAuth

Question: what can you do to prevent platform security exploits?

- Be serious about security if you are going to expose any platform to the Internet or hire someone to do it

- Restrict the number of logins and the permissions of those accounts

- Never share accounts or passwords, have one user account for every user

- Disable accounts and permissions as soon as they are no longer needed

- Put CAPTCHAs on every web form, but don't only rely on them

- When you write code, write good clean software. Sanitize your inputs!

- Use a framework! If you build something from scratch you are more likely include a common exploit

- Update your framework's code often to get the latest security patches

Question: what can you do to prevent server security exploits?

- Be serious about security if you are going to expose any server to the Internet or hire someone to do it

- Use the minimum amount of software, plugins, and modules, since they all add potential exploits

- Learn about the quality of code on any system that you add to your server or platform

- Patch all your programs and systems to keep them up to date

- Never use FTP, it passes passwords in cleartext. Use SFTP or SCP.

- Turn off FTP if at all possible

- Dissable root login via SSH

- Tripwire runs on your server and alerts you when files change

- Make sure you have backups!

- Test your backups!

Question: what can you do to prevent organizational security exploits?

- Have a manual or otherwise tell all the employees of an orginzation proper security