Best practices to prevent data hacks

Bas,

Thanks for this.

A few questions then.

  1. How do you implement hashed passwords / check you have them?
  2. What is ‘security conscious’ staff?
  3. How do you check when new patches are released?

Rich
  1. ask a security professional to implement this for you;
     1b) if you want to do this yourself you must use a recent hashing algorithm (currently scrypt or PBKDF2 probably are your best bet) with a server-side salt; never ever ever ever store a password, only store and compare hashes.

If you want to know what your current forum uses, ask the vendor (Discourse uses PBKDF2)

  2. that is indeed rather undefined. I find it hard to explain to be honest; it again will depend on your organisation; even RSA (a famous digital security company) failed when employees got tricked.
     For a non-tech manager it’s probably best to start with a book like this and see what applies to your organisation.

  3. depends on the vendor. Nearly all will have an announcement list where you can subscribe; if you use an external host, they should do this for you. If possible, turn on auto-updates; they will prevent a lot of harm.

Richard,

  1. For one, you need to encrypt the traffic to the servers with SSL/TLS or VPN (I assume this is already being done though). For this you buy a wildcard certificate. This is pretty basic stuff; there are standard open libraries and all programmers should know how to do it. When it comes to storing personal data, such as passwords and emails, they need to be hashed / salted (I used the term “encryption” in my previous post, but it’s a slightly different thing.) Again, just tell your developer to follow OWASP best practices. I am also all in favour of hashing / encrypting email addresses, but very few do it (Ashley Madison should have done it). Hashing is a one-way randomization of a string of data. You cannot get the same data back if you have the hash, but you can get the same hash if you have the same data.

  2. By third party apps I mean social media management apps, Facebook and Google sign-ins, OpenIDs, all sorts of plugins etc. etc. One company I worked for was “hacked” via one of those + an employee using the same password/login on a couple of sites.

I’ve run my basic list through a friend of mine who is a security professional and, according to him, it is all minor stuff (still has to be done, of course). This is his list of things that should reduce your risk by 99% (some things are the same as Bas has mentioned above):

  1. Always patch ALL systems when security patches are available
  2. Take control of the staff’s computers/phones (lock them down completely, only allow tested and approved software and it has to be authorised by a manager. For phones you use MDM tools, for windows you use group policies.)
  3. Give people the least amount of permissions to things you can
  4. Disable flash and Java everywhere.

While I agree with you @alenarybik, keep in mind that any security policy you implement has downsides (imagine living in a bank-secure house and forgetting something when leaving, you’d need to unlock the door, call security, scan your iris, open the vault; just because you forgot your umbrella)

e.g. hashing email addresses will prevent you from sending notification etc.

This will most likely scare away quite a few people; you’d lose most of the hacktivist types; most competent developers can’t work on locked down systems etc. I for one dread working at organisations that lock you down like that.

Richard

Giving advice on security is like giving advice on brain surgery. It’s very complex and mistakes are deadly.

A “Certified Ethical Hacker” is earned by somebody that has taken a security class and test. It’s like being Microsoft Certified.

There are many people on Odesk with that title in their profile, and it might be better to search on Certified Ethical Hacker than Penetration Testing. I would give some weight to people that are a Certified Ethical Hacker.

If I did hire somebody to do penetration testing, I would be looking for a high degree of trust and communication. They might do a stress test on your system and crash it. They might be able to get inside one level of your system, and break something trying to get to the next level. They might discover a security hole, and then hold you for ransom.

Ignorance is not better than knowing what the reality is, but I would make sure everybody in my organization was onboard with this idea before applying it.

mark david mcCreary

2 Likes

Feel like we’re making really good progress here.

This is a field I know very little about, so would like to turn this into a resource for us.

So a few action items I have to check and improve the security of our communities. I need your help to answer some outstanding questions here.

1) Find a good security professional. Community managers just don’t know enough. Where can we find these? Anyone we recommend? What do we look for?

2) If managing a community with sensitive information/or a large community, find a certified ethical hacker to run penetration testing. Lot of trust involved here. Upwork might be a place to start. What would be the going rate for this? What kind of budget is needed?

3) Check third-party apps with access to the site. How do we do this?

4) Use strong/unique passwords and/or a password manager. This is personally for the community manager right?

5) Choose a reliable encryption method for storing personal data? Is this the same as hashing below? If not, what are the options and how do we do it?

6) Implement hashed passwords (scrypt or PBKDF2 with a server-side salt). What is this? Does it matter which you use? Ask your vendor what you use today.

7) Always keep security patches up to date - sign up to receive these updates - where are they most likely to come from?

8) Identify and train employees to spot threats. This book might be useful: http://www.amazon.com/Computer-Security-McGraw-Hill-Professional-Education/dp/0072262826.

10) Disable flash/java - does this mean on the communities themselves? Or in company software/systems? (same with permissions).

Aside from the questions above, is there anything else I’m missing?

  1. Roughly the same as finding a developer
  2. Don’t know
  3. Depends on your setup; the admin should have a list since they should have approved everything
  4. Using strong individual passwords is personal, the password manager could be corporate.
  5. Encryption and hashing are related, but separate concepts. Hashing allows you check if two things are the same, without knowing what they are; encryption allows you to read things only if you have the correct decryption key. Hashing passwords is a must; encrypting all traffic (https) is advisable, encrypting all your data is a could-have depending on your business (wouldn’t make too much sense for feverbee since all the data is publicly available on the forum anyway).
  6. I don’t quite understand the question; recommendation: if your software doesn’t hash passwords by default, stay (get) away, it is indicative of much larger issues.
  7. they’ll come from your vendor(s)

I think @mark_david_mcCreary hit the nail on the head with the brain surgery remark; this is difficult, it is a vast space and you won’t know what you don’t know if you’re not a veteran.
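As an added illustration (my own example, not code from anyone in this thread or from Discourse) of what Bas’s point 1/1b, Alena’s description of hashing, and answer 5 above amount to in practice: a slow password hash (PBKDF2-HMAC-SHA256 by default, scrypt as an option) with a fresh random server-side salt per password, a storage record that carries the salt and cost settings, and a constant-time check at login. Only Python’s standard library is used; the record format, the cost values and the function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Cost parameters (assumed values for this example; raise them as hardware gets faster).
PBKDF2_ITERATIONS = 600_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def _derive(algorithm: str, password: bytes, salt: bytes, param: str) -> bytes:
    """Run the chosen slow hash. `param` is the cost setting recorded with the hash."""
    if algorithm == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", password, salt, int(param), dklen=KEY_BYTES)
    if algorithm == "scrypt":
        n, r, p = (int(x) for x in param.split(","))
        return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=KEY_BYTES)
    raise ValueError(f"unsupported algorithm: {algorithm}")


def hash_password(password: str, algorithm: str = "pbkdf2_sha256") -> str:
    """Return a string safe to store in the database: algorithm$cost$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password get
    different stored values, and a precomputed table of hashes is useless.
    The plaintext password itself is never stored.
    """
    if algorithm == "pbkdf2_sha256":
        param = str(PBKDF2_ITERATIONS)
    elif algorithm == "scrypt":
        param = f"{SCRYPT_N},{SCRYPT_R},{SCRYPT_P}"
    else:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    salt = secrets.token_bytes(SALT_BYTES)
    digest = _derive(algorithm, password.encode("utf-8"), salt, param)
    return f"{algorithm}${param}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost, then compare in constant time."""
    try:
        algorithm, param, salt_hex, hash_hex = stored.split("$")
        expected = bytes.fromhex(hash_hex)
        digest = _derive(algorithm, password.encode("utf-8"), bytes.fromhex(salt_hex), param)
    except ValueError:
        # Malformed record or unknown algorithm: treat it as a failed login, never as a crash
        return False
    # compare_digest does not stop at the first differing byte, so timing leaks nothing
    return hmac.compare_digest(digest, expected)


def scrypt_available() -> bool:
    """hashlib.scrypt needs OpenSSL support and is absent on some older builds."""
    return hasattr(hashlib, "scrypt")


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("correct horse battery", record))
    # Same password, different salt -> different stored record
    print("same password hashes differently:", hash_password("hunter2") != hash_password("hunter2"))
```

The record deliberately embeds the algorithm and cost, so the iteration count can be raised later and old records still verify; a login that succeeds against an old, cheaper record is the moment to re-hash with the current settings. Hashing gives you only the ability to check that two inputs are the same, which is all a login needs; encrypting data you must read back (e-mail addresses you still want to send notifications to) is the separate, key-based concept answer 5 describes.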

Bas,

Absolutely, I agree with you on this. It goes without saying that the security question must be treated in the same way as any functionality or feature in a community or business - the balance between costs and profit (generally speaking) should make sense. This has to be considered for each particular community individually, and questions such as the risk of being hacked, usability sacrifice etc. should be taken into account. I believe this is a slightly different discussion though; Richard was suggesting to discuss best practices to prevent a hypothetical community from being hacked, like what happened to Ashley Madison.

As for your point about driving hacktivists away, I am with you on this. However, I also understand where IT is coming from when imposing such strict guidelines. In fact, every single “hack” or screw-up I’ve witnessed before could have been avoided if employees were more restricted in what they can install. Let’s face it, in any company there will be more security-illiterate employees than ones with good security habits, and it’s better to err on the side of caution. Determining this with each employee individually, based on their level of security savviness, would of course be the best solution, but again, a question of costs and resources pops up, especially when the company is large. I am usually happy with following the guidelines (save an occasional grumble), even though it might mean some bottleneck for me.

1 Like

Another topic. What can community managers do to help members help themselves here?

A lot of the ashley madison members used their work e-mail accounts for example. What are the other basic digital privacy hygiene factors here? I’m guessing not using real name, having a fresh e-mail address, not revealing any personally identifiable information etc?

Anything else?

We remind users to change their passwords (and use unique passwords / password manager), especially when we detect a range of unauthorized log in attempts to players’ accounts (happens every now and then when some site’s database gets hacked / leaked and usernames and passwords become available to culprits who then try to log in to other sites using the acquired login details.)

The gaming company Wargaming goes further than that - they are actually offering their players in-game currency for changing their account:

"The security of our users’ accounts is of the highest priority for Wargaming. As such, we have decided as a precautionary measure to run a ‘Change Your Password’ event, increasing the safety of Wargaming.net accounts. During this event, players who change their password will receive 300 Gold

In order to participate in the event, change the current password for your account to one that is more secure:

New password should consist of capital letters, lower-case letters and numbers.
The password should be at least 8 characters long.
To change your password, log in to the portal, go to the Account Management page and choose the Change Password option. The 300 gold will be credited after the password has been changed."

2 Likes
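The pattern Alena describes, leaked username/password pairs from another site being tried against player accounts, has a recognisable shape in the login log: one source address failing against many different accounts in a short window, rather than one account being hammered. The following is an added example of that detection logic, written by me for this thread and not taken from any company mentioned here; the log format, field names, thresholds and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from any real system). Format is an assumption.
SAMPLE_LOG = """\
2015-08-20T01:00:01Z ip=203.0.113.5 user=alice result=fail
2015-08-20T01:00:02Z ip=203.0.113.5 user=bob result=fail
2015-08-20T01:00:02Z ip=203.0.113.5 user=carol result=fail
2015-08-20T01:00:03Z ip=203.0.113.5 user=dave result=fail
2015-08-20T01:00:04Z ip=203.0.113.5 user=erin result=fail
2015-08-20T01:00:05Z ip=203.0.113.5 user=frank result=ok
2015-08-20T01:02:10Z ip=198.51.100.7 user=alice result=fail
2015-08-20T01:02:20Z ip=198.51.100.7 user=alice result=fail
2015-08-20T01:02:40Z ip=198.51.100.7 user=alice result=ok
2015-08-20T01:05:00Z ip=192.0.2.9 user=grace result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, result) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def detect_credential_stuffing(lines, window=timedelta(minutes=10), min_accounts=5):
    """Flag source addresses that fail against >= min_accounts distinct users within `window`.

    Returns {ip: {"targeted": set of accounts that saw failures,
                  "possibly_compromised": set of accounts that ip logged into}}.
    A user mistyping their own password fails many times on ONE account and is not flagged.
    """
    events = sorted(e for e in (parse_line(l) for l in lines) if e)
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, user, r in evs if r == "fail"]
        # Sliding window over failures: keep the largest set of distinct accounts seen
        best, start = set(), 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            # Any successful login from a stuffing source is a likely reused password
            succeeded = {user for _, user, r in evs if r == "ok"}
            alerts[ip] = {"targeted": best, "possibly_compromised": succeeded}
    return alerts


def accounts_to_notify(alerts):
    """Union of every account touched by a flagged source: candidates for a reset reminder."""
    users = set()
    for info in alerts.values():
        users |= info["targeted"] | info["possibly_compromised"]
    return sorted(users)


if __name__ == "__main__":
    found = detect_credential_stuffing(SAMPLE_LOG.splitlines())
    for ip, info in found.items():
        print(ip, "targeted:", sorted(info["targeted"]),
              "logged in as:", sorted(info["possibly_compromised"]))
    print("notify:", accounts_to_notify(found))
```

Run against the sample, only 203.0.113.5 is flagged: it fails on five different accounts in four seconds and then logs in as a sixth, which is exactly the account whose password was probably reused elsewhere and should get the reminder first. The address that failed three times on a single account and then succeeded is an ordinary user and is left alone. Real traffic will need the thresholds tuned per site, and blocking rather than just alerting is a separate decision.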

Just saw this post on the FeverBee blog and I’d like to jump in. Hopefully this helps address some of your questions @richard_millington

I’m the Senior Community Manager for Bugcrowd, we’re a crowdsourced security community. Our community is made up of over 19,000 ethical hackers/security researchers.

In terms of finding freelancers or consultants, I’d suggest contacting your local OWASP group in your city and seeing if they can recommend anyone that’s local. I may also be able to help, since many folks in Bugcrowd’s community are security consultants and freelancers.

For pentesting programs, I’d suggest looking into something like a bug bounty program. It’s what we do at Bugcrowd and it gets great results for your money. We work with Pinterest, Tesla, Dropbox, Western Union, LastPass and many others.

For any kind of pentesting I’d expect your budget to start at 10k, but prepare to spend closer to 30-50k for one of your first engagements.


So some of my suggestions:

  • Find the security person in your company and if you don’t have one, encourage your company to hire one.
  • Use a Password Manager like LastPass to generate secure passwords and to share passwords with others in your organization
  • Always, always, always update your software and make sure you’re using the latest security updates. If your forum or website is running on ancient stuff, you’re going to get owned.
  • In terms of personal security, make sure that all of your devices are password protected and that your data/harddrives are encrypted. This is really easy with Mac Devices, make sure the firewall is enabled and that you’ve turned on harddrive encryption.

1 Like

Thanks everyone for the info, interesting and helpful read. Got a few tips that I can use right away to make my world more secure. - Tim

1 Like

@alenarybik - how often do you send that message? Do you have the exact message? Would you mind sharing it here? That could be useful to see.

The incentivising to change passwords is an interesting one. Just wondering how other communities could positively incentivise people to change their passwords.

That’s really awesome - thanks @SamHouston. Going to drop this into a document at some point.

at the $40k range - this is going to be for the 50k+ communities I imagine? Which are also probably those that outsource their community security to platforms like lithium/jive etc? Have you seen many online communities using this?

For knowledge sake - would you mind quickly linking to / explaining how to encrypt the hard drive and enable the firewall?

Wanted to tag in @zapleahy - do you involve yourself much in the security side at Fitbit?

I’m surprised that there has only been limited and relatively recent discussion on this thread regarding the community platform itself.

How many of us factor in security considerations when choosing a platform for our community? @richard_millington - how much time did you take reviewing security when choosing Discourse?

Given the almost unlimited attack vectors available, I am of the mindset that if someone wants to hack a site, they almost certainly will if they are determined and/or skilled enough. Fortunately for many of us there would be limited gains available should our sites be targeted, at least in terms of the worth of the data we hold. Reputational damage and plain old vandalism are different matters completely, obviously.

I think for most of us, the following are practical steps we can take:

  • Consider security when selecting a platform (search for the name of your platform along with terms like ‘hacked’, ‘security’ and ‘compromised’ etc)
  • Do the above again for any hosts you are considering.
  • Ensure all patches and updates for your platform are applied as soon as you possibly can.
  • Ensure all users with enhanced privileges (admins, mods etc) are instructed to use very strong passwords (enforce via software if possible) and to change them regularly.
  • Check your logs for suspicious activity. Assume the worst if you spot an irregularity.
  • Backup your community data often and host it away from your community itself so you can rebuild should the very worst happen.
  • If you can, rename the pages (e.g. admin.php) to something more obscure so the obvious front-door is hidden from prying eyes.
  • If your platform has a ‘weak password checker’ (vBulletin does, for example) use it and let people know who may be at risk.
  • Remind your users not to use the same username or email address and password combo for your site as for others. I see no harm in stating that whilst you will try your very hardest to protect their accounts, they should be aware that you do not operate bank levels of security nor do you have the resources to do so.

Hope this helps,

Darren

3 Likes
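Darren’s points about enforcing strong passwords for privileged accounts and running a weak-password checker, and the rules quoted from the Wargaming event earlier (upper and lower case, digits, at least 8 characters), can be applied at the moment a password is set or changed. Here is an added example of such a checker, my own code rather than anything from vBulletin or any platform named in this thread; the role thresholds, the tiny leaked-password list and the function names are assumptions of the example (a real deployment would load a full breached-password list from a file).

```python
import re

# Constructed stand-in for a leaked-password corpus (assumption: load the real list from a file).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "admin"}

# Minimum length by role: privileged accounts (admins, mods) get a stricter rule.
MIN_LENGTH = {"user": 8, "admin": 16}


def _normalise(password: str) -> str:
    """Strip digits and punctuation so 'Password1!' is still recognised as 'password'."""
    return re.sub(r"[^a-z]", "", password.lower())


def password_problems(password: str, username: str, role: str = "user") -> list:
    """Return a list of human-readable reasons the password is weak; empty means acceptable."""
    problems = []
    min_len = MIN_LENGTH.get(role, MIN_LENGTH["user"])
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters required for role '{role}'")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if _normalise(password) in COMMON_PASSWORDS:
        problems.append("resembles a commonly leaked password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def is_acceptable(password: str, username: str, role: str = "user") -> bool:
    return not password_problems(password, username, role)


if __name__ == "__main__":
    # Constructed examples of what a change-password form would receive
    for pw, user, role in [("Password1", "alice", "user"),
                           ("alice2015", "alice", "user"),
                           ("Tr0ub4dor3", "bob", "admin"),
                           ("Tr0ub4dor3xample", "bob", "admin")]:
        print(f"{user}/{role}: {pw!r} -> {password_problems(pw, user, role) or 'ok'}")
```

Note that "Password1" passes every character-class rule the Wargaming notice lists and is still rejected, because after normalisation it is one of the most common leaked passwords; character-class rules alone are not a strength check. Telling the user which rule failed (rather than a generic "too weak") is what lets them fix it on the first try.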

Sure, here’s how to encrypt your drives:

Here’s how to turn on your firewall on Mac OS:

If you’re using an outside vendor for your community, like Lithium or Jive, I’d very directly ask your account rep what they do to test the security of their systems. Ask what they do to encrypt your customer data, what they do to protect billing info, what kind of security testing they do, etc. I’d also ask them how they keep your installation up to date and running the latest security updates.

You may not want to security test their software but you can put pressure on your vendors so that they test their own software.

I would highly suggest that all community managers make security a top priority across the entire company, not just within the context of your community or your community software. Sure, the forums could be an entry point, but so could that ancient page you setup 3 years ago to take contest entries. Companies like Yahoo have hundreds or thousands of marketing pages setup that they’ve forgotten about and these pages are used by hackers as an entry point.

To help give you an idea of what companies are testing, check out Pinterest’s bug bounty page: Pinterest’s bug bounty program - Bugcrowd

Pinterest has most of their sites and sections of their site “in-scope” for testing, which means most things are fair game for testing. This includes the help section of their site, anything on pinterest.com, etc.

At the end of the day, security should be a top priority for your entire organization. I’ve been the community manager that gets a call at 1am on a Friday because a security breach happened, and my entire weekend/week was ruined because I had to make the announcements, I was quoted in the press, etc. We can help limit the possibility of crap like that by putting pressure on our organizations to make security a priority.

To be fair to @richard_millington – the Discourse side of things is my responsibility.
Discourse is open-source, which by nature means it’s likely to be more secure than proprietary s/w.
You can read more about security on Discourse here.

That reads as “Hmmm, we didn’t really think of it that much. Fingers crossed!”

To me it reads like “we trust that the guy who designed Stack Overflow knows what he’s doing”; which to me is a fair assumption.

1 Like