Security is always important, but many of our NPOs ignore it entirely. What are some security best practices we can use, and what are people's security concerns?
Question: what are the bad things that are currently happening?
- cracking is now a professional industry
- less script-kiddy tagging (defacement) and more takeover of machines for reuse
- botnets are big, used for Denial of Service attacks
- people post comments on your site to plant link spam on it
- someone could use your machine to host child pornography, and the FBI will seize all your equipment
- credit card standards are tightening; small sites no longer process credit cards on their own sites
Observation: With CMSes core security is usually very good, but when you add modules it goes down
Observation: Security is about building hurdles. Many medium-sized hurdles trump trying to make one big hurdle
Observation: Ex-employees are your biggest threat. They have intimate knowledge of your system and may be disgruntled
Observation: Email accounts are important because they can be used to do other password resets
Observation: Attackers spend a lot of time trying to repurpose mail-sending systems; those are the biggest target
Observation: Spam is big business, even the Russian mafia is getting into it
Observation: SSL is no longer the guarantee it once was; man-in-the-middle attacks against it are practical. It is a hurdle, but no longer an insurmountable one.
Observation: Your own users will defeat your security if you make things too hard (passwords too complicated to remember in their head)
Tip: Cyberduck is a good SFTP/SCP/S3 client
Observation: You are always at risk. Know how much you have to lose, and position yourself accordingly.
Quote: "Security through obscurity is no security at all"
Question: what can you do to prevent personal security exploits?
- Have strong passwords (dictionary attacks, trying every word in a list plus common variations, are one of the main points of attack)
- Use different passwords for every account and service (use an encrypted password manager to keep track of them)
- Don't type your password into an untrusted computer, such as a public kiosk
- Fill "security questions" with random answers (and store them in your password manager) so nobody can take over your account just by knowing the name of your dog
- Log into accounts only over a secure HTTPS (SSL/TLS) connection
- If you are using a mail client, make sure you configure it to use SSL/TLS
- Don't give a third-party site your Twitter or Facebook username and password (e.g. for posting on your behalf); only use Facebook Connect or OAuth for that
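To make the "dictionary terms" point concrete, here is an added example (not from the session notes) of what a cracker does with a leaked password hash: take a wordlist, apply the cheap mangling rules everybody uses (capitalize, leetspeak, append a number or "!"), hash each guess and compare. The six-word wordlist and the unsalted SHA-256 hashing are constructed stand-ins for illustration; real wordlists have millions of entries, and a salted, slow hash only makes the attacker pay more per guess, it does not stop a guessable password from being guessed.

```python
import hashlib

# Constructed mini wordlist standing in for the dictionaries attackers use
# (assumption for this example; real ones have millions of entries).
WORDLIST = ["password", "letmein", "welcome", "dragon", "monkey", "summer"]

# Common leetspeak substitutions crackers apply to every word.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def candidates(wordlist):
    """Yield guesses: each word plus the cheap mangling rules crackers try first."""
    for word in wordlist:
        bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
        for base in bases:
            yield base
            for n in range(100):            # "password7", "Password42", ...
                yield "%s%d" % (base, n)
            for suffix in ("!", "123", "2024"):
                yield base + suffix


def sha256_hex(text):
    """Unsalted SHA-256 as a stand-in for whatever hash the leaked database used."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hash, wordlist=WORDLIST, hash_fn=sha256_hex):
    """Return the password whose hash matches target_hash, or None on a miss."""
    for guess in candidates(wordlist):
        if hash_fn(guess) == target_hash:
            return guess
    return None


def guess_count(wordlist=WORDLIST):
    """How many guesses the rules above generate; shows how cheap this attack is."""
    return sum(1 for _ in candidates(wordlist))


if __name__ == "__main__":
    for pw in ("Password1", "dr4g0n!", "correct horse battery staple"):
        print(pw, "->", crack(sha256_hex(pw)))
```

Anything a human would pick by starting from a word is found in milliseconds; a long random passphrase or a password-manager-generated string is not in any list and survives.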
Question: what can you do to prevent platform security exploits?
- Be serious about security if you are going to expose any platform to the Internet, or hire someone who is
- Restrict the number of accounts that can log in, and the permissions of those accounts
- Never share accounts or passwords; have one user account for every user
- Disable accounts and permissions as soon as they are no longer needed
- Put CAPTCHAs on every web form, but don't rely on them alone
- When you write code, write good clean software. Validate your inputs and escape your output!
- Use a framework! If you build something from scratch you are more likely to include a common vulnerability
- Update your framework's code often to get the latest security patches
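As an added example (not code from the session or any particular CMS), here is the bug that "validate your inputs" is really warning about, beside the fix a framework gives you for free: a login check that pastes user input into SQL, versus a parameterised query where the database driver keeps data and SQL apart, plus output escaping for the comment form that the link-spammers target. The in-memory SQLite users table is constructed for the example, and the plaintext password column is a simplification; a real site stores password hashes.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for a CMS user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    return db


def login_vulnerable(db, name, password):
    """The classic bug: user input formatted straight into the SQL string.
    A name of  admin' --  turns the rest of the WHERE clause into a comment."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return db.execute(query).fetchone()[0] > 0


def login_safe(db, name, password):
    """Parameterised query: values travel separately from the SQL text, so a
    quote or comment marker inside them is just data."""
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] > 0


def render_comment(author, body):
    """Escape on output so a comment cannot inject markup or scripts into the page."""
    return "<p><b>%s</b>: %s</p>" % (html.escape(author), html.escape(body))


def demo():
    """Run the same attacker input through both versions; returns the results."""
    db = make_db()
    bypass_name = "admin' --"
    return {
        "vulnerable_bypassed": login_vulnerable(db, bypass_name, "wrong"),
        "safe_bypassed": login_safe(db, bypass_name, "wrong"),
        "safe_real_login": login_safe(db, "admin", "hunter2"),
        "escaped": render_comment("bob", "<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```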
Question: what can you do to prevent server security exploits?
- Be serious about security if you are going to expose any server to the Internet, or hire someone who is
- Use the minimum amount of software, plugins, and modules, since each one adds potential vulnerabilities
- Look into the code quality of anything you add to your server or platform
- Patch all your programs and systems to keep them up to date
- Never use FTP, it sends passwords in cleartext. Use SFTP or SCP.
- Turn off FTP if at all possible
- Disable root login via SSH
- Tripwire runs on your server and alerts you when files change
- Make sure you have backups!
- Test your backups!
Question: what can you do to prevent organizational security exploits?
- Have a manual, or otherwise teach all the employees of an organization proper security practice