Security 101 - Revision history (https://devsummit.aspirationtech.org/index.php?title=Security_101&feed=atom&action=history), feed generated 2024-03-28T16:18:31Z by MediaWiki 1.35.1. Revision https://devsummit.aspirationtech.org/index.php?title=Security_101&diff=828&oldid=prev by Vivian, 2015-05-15T22:11:49Z: 1 revision imported.
<p><b>New page</b></p><div>Security is always important, but many of our NPOs ignore it entirely. What are some security best practices that we can use, and what are people's security concerns?<br />
<br />
<br />
== Session Notes ==<br />
<br />
<br />
<br />
Question: what are the bad things that are currently happening?<br />
<br />
- cracking is now a professional industry<br />
<br />
- less script-kiddie defacement and more takeover of machines for reuse<br />
<br />
- botnets are big, used for Denial of Service attacks<br />
<br />
- people post comments on your site to plant link spam<br />
<br />
- someone could use your machine to host child pornography, and the FBI will seize all your equipment<br />
<br />
- credit card standards are tightening; small sites no longer process credit cards on their own sites<br />
<br />
<br />
<br />
Observation: With CMSes, core security is usually very good, but it goes down as soon as you add third-party modules<br />
<br />
Observation: Security is about building hurdles. Many medium-sized hurdles trump trying to build one big hurdle (defense in depth)<br />
<br />
Observation: Ex-employees are your biggest threat: they have intimate knowledge of your systems and may be disgruntled<br />
<br />
Observation: Email accounts are important because they can be used to reset the passwords of other accounts<br />
<br />
Observation: Individuals spend a lot of time repurposing mail-sending systems; these are the biggest target<br />
<br />
Observation: Spam is big business; even the Russian mafia is getting into it<br />
<br />
Observation: SSL is somewhat broken now and open to man-in-the-middle attacks. It is a hurdle, but no longer an insurmountable one.<br />
<br />
Observation: Your own users will defeat your security if you make things too hard (e.g. passwords too complicated to remember in their head)<br />
<br />
Tip: Cyberduck is a good SFTP/SCP/S3 client<br />
<br />
Observation: You are always at risk. Know how much you have to lose, and position yourself accordingly.<br />
<br />
Quote: "Security through obscurity is no security at all"<br />
<br />
<br />
<br />
Question: what can you do to prevent personal security exploits?<br />
<br />
- Have strong passwords (one of the main attacks is simply to try dictionary words)<br />
<br />
- Use different passwords for every account and service (use an encrypted password manager to keep track of them)<br />
<br />
- Don't type your password into a strange computer, such as a public kiosk<br />
<br />
- Fill "security questions" with random answers (and keep those answers in your password manager) so people can't take over your account just by knowing the name of your dog<br />
<br />
- Log into accounts only over a secure HTTPS (SSL) connection<br />
<br />
- If you use a mail client, make sure it is configured to use SSL<br />
<br />
- Don't hand your username and password to any third-party site or app (e.g. one that posts to Twitter or Facebook for you); only use Facebook Connect or OAuth, which grant the app access without it ever seeing your password<br />
<br />
<br />
<br />
Question: what can you do to prevent platform security exploits?<br />
<br />
- Be serious about security if you are going to expose any platform to the Internet, or hire someone who is<br />
<br />
- Restrict the number of logins and the permissions of those accounts<br />
<br />
- Never share accounts or passwords, have one user account for every user<br />
<br />
- Disable accounts and permissions as soon as they are no longer needed<br />
<br />
- Put CAPTCHAs on every web form, but don't only rely on them<br />
<br />
- When you write code, write good clean software. Sanitize your inputs (validate what comes in, and use parameterized queries and output escaping rather than hand-rolled filtering)!<br />
<br />
- Use a framework! If you build something from scratch you are more likely to include a common vulnerability<br />
<br />
- Update your framework's code often to get the latest security patches<br />
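As an added example, not from the session notes, the "sanitize your inputs" and "use parameterized queries" points side by side in Python: a login check that pastes user input into SQL, the same check done with bound parameters, and an allow-list validator for usernames. The function names, the in-memory SQLite table, the two user rows and the attack string are all constructed for this example.<br />

```python
"""Added example (not from the session notes): string-built SQL versus a
parameterized query, run against a constructed in-memory SQLite database."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway database with two constructed user rows.
    Passwords are stored in the clear only to keep the example short; a real
    system stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The classic mistake: user input becomes part of the SQL text."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterized query: the driver binds the values as data, so they can
    never change the structure of the statement."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def is_valid_username(name: str) -> bool:
    """Allow-list validation: accept only what a username is supposed to look
    like, instead of trying to block every dangerous character."""
    return re.fullmatch(r"[a-z0-9_]{1,32}", name) is not None


# Constructed attack payload: closes the quoted string and appends a condition
# that is always true, so the WHERE clause matches every row.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run the payload and a real password through both login functions."""
    conn = make_db()
    return {
        "vulnerable_login_with_payload": login_vulnerable(conn, "alice", PAYLOAD),
        "safe_login_with_payload": login_safe(conn, "alice", PAYLOAD),
        "safe_login_with_real_password": login_safe(conn, "alice", "correct-horse"),
        "payload_passes_validation": is_valid_username(PAYLOAD),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable version accepts the payload as a password for alice because the statement it builds reads `... AND password = '' OR '1'='1'`; the parameterized version compares the literal string and finds no match. Validation is a second hurdle, not a replacement for binding parameters: it rejects the payload here only because a quote is outside the allow-list.<br />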
<br />
<br />
<br />
Question: what can you do to prevent server security exploits?<br />
<br />
- Be serious about security if you are going to expose any server to the Internet, or hire someone who is<br />
<br />
- Use the minimum amount of software, plugins, and modules, since they all add potential exploits<br />
<br />
- Learn about the quality of code on any system that you add to your server or platform<br />
<br />
- Patch all your programs and systems to keep them up to date<br />
<br />
- Never use FTP; it passes passwords in cleartext. Use SFTP or SCP.<br />
<br />
- Turn off FTP if at all possible<br />
<br />
- Disable root login via SSH (set PermitRootLogin no in sshd_config)<br />
<br />
- Run a file-integrity checker such as Tripwire on your server; it alerts you when files change<br />
<br />
- Make sure you have backups!<br />
<br />
- Test your backups!<br />
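As an added example, not from the session notes and not Tripwire's own code, here is the idea behind a file-integrity checker in Python using only the standard library: hash every file under a directory into a baseline, then report what was added, removed or modified. The directory tree, the file contents and the simulated tampering are all constructed inside a temporary directory, and the function names are this example's own.<br />

```python
"""Added example (not from the session notes): a minimal Tripwire-style
file integrity check over a constructed temporary directory tree."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            full = Path(dirpath) / fname
            rel = full.relative_to(root).as_posix()
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline: dict, current: dict) -> dict:
    """Return the paths that differ between two snapshots, sorted for stable output."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo() -> dict:
    """Build a constructed tree, take a baseline, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "motd").write_text("welcome\n")
        (Path(root) / "index.php").write_text("<?php echo 'hi';\n")

        baseline = snapshot(root)

        # Constructed tampering, the kind of change the checker should surface:
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")  # weakened config
        (Path(root) / "shell.php").write_text("<?php system($_GET['c']);\n")  # dropped file
        (etc / "motd").unlink()  # deleted file

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only worth something if an intruder cannot rewrite it along with the files: keep it off the host or on read-only media, which is why real tools such as Tripwire sign their database. Run the comparison from cron and treat any unexpected entry in `modified` or `added` as an incident, not a curiosity.<br />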
<br />
<br />
<br />
Question: what can you do to prevent organizational security exploits?<br />
<br />
- Have a security manual, or otherwise tell every employee of the organization what proper security practice is</div>