Best practices to prevent data hacks


(Richard Millington) #1

Reading up more on the implications of the Ashley Madison hack today.

I can’t imagine any would want to hack our site, almost everything is in the public sphere (and we’re just not big enough to merit the effort) but I am interested if anyone has a list of best practices to prevent hacks.

Something that we could publish as a checklist resource would be terrific here.

Does anyone have anything?


(Bas van Leeuwen) #2

tl;dr: Hire a competent sysadmin.

This is a tough one; there are simply too many things to know if you want to do this as an aside. There are many, many, many different avenues of attack for a determined attacker. You can’t protect yourself against all of them without invasive, expensive, annoying measures that are kept up-to-date. This will include two-factor authorization for all admins, encryption of all your devices, separation of passwords from user tables, hashing of those passwords, not handling credit card details yourself, explaining to all staff members what phishing is and how to prevent it (don’t trust anyone, basically), automated intrusion detection systems, encrypted offsite backups, recovery plans etc.

Probably not worth it unless you are a valuable target (such as Ashley Madison); luckily for most communities, their data is semi-public anyway.


(Darren Gough) #3

It’s tough to be totally secure on this.

Mumsnet were hacked recently and I know their security is pretty tight. We got DDOS’d at MSE a few times and whilst we took every care, as @Bas_van_Leeuwen says you can’t cover every single possible attack point 100% without massive cost and massively inconveniencing users (and sometimes not even then).

Generally I think you just make sure that what you have within your capability and budget to oversee is as protected and up to date as it can be, then deal with any probs as and when they happen.


(Richard Millington) #4

Is there any way to make this more practical?

I.e. How do you find a good system admin? What can you do at different levels of budget? What should different sites do?


(Bas van Leeuwen) #5

The most practical advice I can honestly give: don’t host yourself and don’t customize non-trivial things unless you know what you are doing.


(Richard Millington) #6

I refuse to accept that this is as practical as we can get here.

Let me push this a little.

  1. What are the qualities of a good system admin? What sort of experience should you be looking for? What background do we want them to have?

  2. What is the definition of ‘know what you’re doing’ - if you know what you’re doing what can you specifically do to make your site more hacker proof?

  3. Are hosted sites as likely to get hacked as non-hosted sites?

I’m not looking so much for the answers as where to go to get the answers to these questions.


(mark david mcCreary) #7

Richard

There are not any easy answers to good computer security, and asking community moderators to prepare a security checklist would be a disservice. You would need a big book from the security community, and even that is inadequate, as it takes human experience and judgment too, in this rapidly changing environment.

For starters, everybody’s system is different, and even when the platform is the same, the versions, or the underlying OS, or the personal security practices of the site administrators is different. It only takes one flaw to be owned.

If you had the budget to hire somebody, I would suggest hiring an outside company that specializes in that sort of thing. It would be tough to be the only sysadmin at a place, and there would not be much of a career ladder, or peer support when you are by yourself.

And if you had the budget to work on being secure, I would also hire somebody to be a white hat hacker, and try to penetrate your systems. After the initial work on penetration testing, that role should be able to recede to part time. And that position could definitely be an outside resource.

A hosted community platform would be best, as the system administrators have enough volume to spend the necessary time on doing things right.

Often times, security practices interfere with getting real work done, and somebody needs to make a judgment call on what the priorities really are. So in the real world, security is often knowingly ignored, as new features take precedence.

Most people, including management, have no idea of the amount of money and work it takes to get and keep secure, and they really don’t want to know either. The best you can hope for is that somebody makes an attempt to put a dollar amount on what the worst case could be in the event of a security breach, and if it’s a large number, they start contacting security professionals.

In Ashley Madison’s case, the worst case is the collapse of their company, and I think they knew that. The question is, did they ever hire some security professionals and follow their advice.

And it’s quite possible they did, but still got breached.

mark david mcCreary


(Richard Millington) #8

Agree with everything you say @mark_david_mcCreary, but I’m not keen for our line to be: “there’s nothing we can do about hacks” here.

I’m not looking for definitive answers, just the place to find the answer at this point. If the average community manager wants to check / make their community more secure, what should they do? Who should they speak to? What book should they pick up? Where can they learn?

What sort of budget do these things cost? how do we find people? What is penetration testing who/how do we do it?

Does this make sense? It’s not a hunt for the answers, it’s the hunt for a trail to find the answers.


(mark david mcCreary) #9

Richard

Pretty much any advice I could give, would be subject to being sued for malpractice. That is, for a non security expert, any action you might take could make things worse.

If I was a typical community manager, I would find out if there was a budget for security. If not, then that is the first priority.

Penetration testing is exploring your own site for security holes, proactively. Pretending to be a hacker and trying to get in. It could be via software security holes, it could be by social engineering, that is, finding a human being inside that helps you break in.

I would spend some money at Odesk.com (now Upwork.com). Find a freelancer and put in “penetration testing”. That returns at least 50 people.

Hopefully you can find somebody you trust, and who knows what a “Certified Ethical Hacker” really means, or if you can trust people from your own country more than someplace halfway around the world. Which is back to my point that you can make things worse instead of better.

If I learned some negative things about my site, I would take those findings to management and see if they are concerned enough to spend some more money. If I got a clean slate, I would probably try it again, with a different person in the near future.

Good security people are hard to find and very expensive. Banks and retail companies are paying $200,000 a year and up for those type of people.

So the first step is to find a budget for making things more secure. And I’m not sure most community managers will ever get past the first step. And if they do, then they need to find help from security professionals, not other community managers.

mark david mcCreary


(Richard Millington) #10

Surely that would equally apply to any advice anyone gives in any situation?

So the budget thing we can’t do too much about.

But I like the next steps. Head to Upwork, look for a freelancer that knows ‘penetration testing’.

How would you know if someone knows what a Certified Ethical Hacker is?

Anything else we can do to find good security professionals?


(Alena Rybik) #11

Good article, it brings out a very important point - that the majority of people have been taking their privacy online for granted. And they shouldn’t. Hopefully this will change after this hack and more people will start looking into becoming more security literate. I’ve been following discussions in the large Internet security and privacy communities for a couple of years now and everything I’ve read can be boiled down to the simple fact that everything is hack-able. Facebook, Google, CIA, you name it. It’s just a question of determination and resources. In the Ashley Madison case the guys had a lot of determination :slight_smile: The best you can do is to take precautions so that if your data is compromised, it won’t be of much use (meaning encrypted and salted). In fact, encryption should be paramount to all communication via the Internet (business and private). The fact that a site like Ashley Madison can store your data unencrypted is out of this world.

When it comes to communities of a lower profile that are, hypothetically, not that interesting to hackers and other culprits, here’s a (very basic) checklist off the top of my head that I’d stick to and insist all employees stick to as well. The security of sites like Community Geek is often directly dependent on the good security habits of its admins, moderators and everyone who works with it.

  1. Choose a reliable encryption method for storing personal data.
  2. Limit the amount of third-party apps you use on your site. Each of them is a potential loophole.
  3. Use unique, strong passwords and/or a password manager (you would be surprised how many people still don’t).

Of course, this is all just scratching the surface but such measures would suffice for many smaller communities currently under the radar. Hope this helps.


(Bas van Leeuwen) #12

Mind you, the advice the FBI gives to banks:

"You are going to be hacked. Have a plan."
https://csis.org/publication/evolution-cybersecurity-requirements-us-financial-industry

Compare it with securing your home.

  • If you want to be absolutely sure that no one will get in, you’d need to live in a bank vault.
  • If you want to prevent the average burglar from bothering, you invest in proper locks, some laminated glass and, maybe if you have valuable art or some such, an alarm system.

For websites and communities it is basically the same; you should plan on making sure that
a) your information isn’t attractive enough for someone to bother (public forums are a good example here)
b) you shore up security to make it more difficult than average; with hashed passwords, up-to-date patches, security conscious staff etc.

But keep in mind that if you host sensitive (thus valuable) information, and someone is willing to spend weeks to get it, they most likely will.


(Richard Millington) #13

Alena,

Thanks for this. a few follow-up questions.

  1. How do you choose a reliable encryption method? What are the options?
    What physically has to happen?

  2. How do you check the 3rd party apps / remove them?


(Richard Millington) #14

Bas,

Thanks for this.

A few questions then.

  1. How do you implement hashed passwords / check you have them?
  2. What is ‘security conscious’ staff?
  3. How do you check when new patches are released?

Rich

(Bas van Leeuwen) #15

  1. Ask a security professional to implement this for you;
    1b) if you want to do this yourself you must use a recent hashing algorithm (currently scrypt or PBKDF2 probably are your best bet) with a server-side salt; never ever ever ever store a password, only store and compare hashes.

If you want to know what your current forum uses, ask the vendor (Discourse uses PBKDF2).

  2. That is indeed rather undefined. I find it hard to explain to be honest; it again will depend on your organisation; even RSA (a famous digital security company) failed when employees got tricked.
    For a non-tech manager it’s probably best to start with a book like this and see what applies to your organisation.

  3. Depends on the vendor. Nearly all will have an announcement list where you can subscribe; if you use an external host, they should do this for you. If possible, turn on auto-updates; they will prevent a lot of harm.


(Alena Rybik) #16

Richard,

  1. For one, you need to encrypt the traffic to the servers with SSL/TLS or VPN (I assume this is already being done though). For this you buy a wildcard certificate. This is pretty basic stuff, there are standard open libraries and all programmers should know how to do it. When it comes to storing personal data, such as passwords and emails, they need to be hashed / salted (I used the term “encryption” in my previous post, but it’s a bit of a different thing.) Again, just tell your developer to follow OWASP best practices. I am also all in favour of hashing / encrypting email addresses but very few do it (Ashley Madison should have done it). Hashing is a one way randomization of a string of data. You cannot get the same data back if you have the hash, but you can get the same hash if you have the same data.

  2. By third party apps I mean social media management apps, Facebook and Google sign-ins, Open IDs, all sorts of plugins etc. etc. One company I worked for was “hacked” via one of those + an employee using the same password/login on a couple of sites.

I’ve run my basic list through a friend of mine who is a security professional and, according to him, it is all minor stuff (still has to be done, of course). This is his list of things that should reduce your risk by 99% (some things are the same as Bas has mentioned above):

  1. Always patch ALL systems when security patches are available
  2. Take control of the staff’s computers/phones (lock them down completely, only allow tested and approved software and it has to be authorised by a manager. For phones you use MDM tools, for windows you use group policies.)
  3. Give people the least amount of permissions to things you can
  4. Disable flash and Java everywhere.

(Bas van Leeuwen) #17

While I agree with you @alenarybik, keep in mind that any security policy you implement has downsides (imagine living in a bank-secure house and forgetting something when leaving, you’d need to unlock the door, call security, scan your iris, open the vault; just because you forgot your umbrella)

e.g. hashing email addresses will prevent you from sending notification etc.

This will most likely scare away quite a few people; you’d lose most of the hacktivist types; most competent developers can’t work on locked down systems etc. I for one dread working at organisations that lock you down like that.


(mark david mcCreary) #18

Richard

Giving advice on security is like giving advice on brain surgery. It’s very complex and mistakes are deadly.

A “Certified Ethical Hacker” is earned by somebody that has taken a security class and test. It’s like being Microsoft Certified.

There are many people on Odesk with that title in their profile, and it might be better to search on Certified Ethical Hacker than Penetration Testing. I would give some weight to people that are a Certified Ethical Hacker.

If I did hire somebody to do penetration testing, I would be looking for a high degree of trust and communication. They might do a stress test on your system and crash it. They might be able to get inside one level of your system, and break something trying to get to the next level. They might discover a security hole, and then hold you for ransom.

Ignorance is not better than knowing what the reality is, but I would make sure everybody in my organization was on board with this idea before applying it.

mark david mcCreary


(Richard Millington) #19

Feel like we’re making really good progress here.

This is a field I know very little about, so would like to turn this into a resource for us.

So a few action items I have to check and improve the security of our communities. I need your help to answer some outstanding questions here.

1) Find a good security professional. Community managers just don’t know enough. Where can we find these? Anyone we recommend? What do we look for?

2) If managing a community with sensitive information/or a large community, find a certified ethical hacker to run penetration testing. A lot of trust involved here. Upwork might be a place to start. What would be the going rate for this? What kind of budget is needed?

3) Check third-party apps with access to the site. How do we do this?

4) Use strong/unique passwords and/or a password manager. This is personally for the community manager right?

5) Choose a reliable encryption method for storing personal data? Is this the same as hashing below? If not, what are the options and how do we do it?

6) Implement hashed passwords (scrypt or PBKDF2 with a server-side salt). What is this? Does it match what you use? Ask your vendor what you use today.

7) Always keep security patches up to date - sign up to receive these updates - where are they most likely to come from?

8) Identify and train employees to spot threats. This book might be useful: http://www.amazon.com/Computer-Security-McGraw-Hill-Professional-Education/dp/0072262826.

9) Disable flash/java - does this mean on the communities themselves? Or in company software/systems? (same with permissions).

Aside from the questions above, is there anything else I’m missing?


(Bas van Leeuwen) #20

  1. Roughly the same as finding a developer
  2. Don’t know
  3. Depends on your setup; the admin should have a list since they should have approved everything
  4. Using strong individual passwords is personal, the password manager could be corporate.
  5. Encryption and hashing are related, but separate concepts. Hashing allows you to check if two things are the same, without knowing what they are; encryption allows you to read things only if you have the correct decryption key. Hashing passwords is a must; encrypting all traffic (https) is advisable, encrypting all your data is a could-have depending on your business (wouldn’t make too much sense for feverbee since all the data is publicly available on the forum anyway).
  6. I don’t quite understand the question; recommendation: if your software doesn’t hash passwords by default, stay (get) away, it is indicative of much larger issues.
  7. They’ll come from your vendor(s)

I think @mark_david_mcCreary hit the nail on the head with the brain surgery remark; this is difficult, it is a vast space and you won’t know what you don’t know if you’re not a veteran.