Best practices to prevent data hacks

Just saw this post on the FeverBee blog and I’d like to jump in. Hopefully this helps address some of your questions @richard_millington

I’m the Senior Community Manager for Bugcrowd, we’re a crowdsourced security community. Our community is made up of over 19,000 ethical hackers/security researchers.

In terms of finding freelancers or consultants, I’d suggest contacting your local OWASP group in your city and seeing if they can recommend anyone that’s local. I may also be able to help, since many folks in Bugcrowd’s community are security consultants and freelancers.

For pentesting programs, I’d suggest looking into something like a bug bounty program. It’s what we do at Bugcrowd and it gets great results for your money. We work with Pinterest, Tesla, Dropbox, Western Union, LastPass and many others.

For any kind of pentesting I’d expect your budget to start at 10k, but prepare to spend closer to 30-50k for one of your first engagements.


So some of my suggestions:

  • Find the security person in your company and if you don’t have one, encourage your company to hire one.
  • Use a Password Manager like LastPass to generate secure passwords and to share passwords with others in your organization
  • Always, always, always update your software and make sure you’re using the latest security updates. If your forum or website is running on ancient stuff, you’re going to get owned.
  • In terms of personal security, make sure that all of your devices are password protected and that your data/hard drives are encrypted. This is really easy with Mac devices: make sure the firewall is enabled and that you’ve turned on hard drive encryption.
1 Like

Thanks everyone for the info, an interesting and helpful read. Got a few tips that I can use right away to make my world more secure. - Tim

1 Like

@alenarybik - how often do you send that message? Do you have the exact message you would mind sharing here? That could be useful to see.

The incentivising to change passwords is an interesting one. Just wondering how other communities could positively incentivise people to change their passwords.

That’s really awesome - thanks @SamHouston. Going to drop this into a document at some point.

at the $40k range - this is going to be for the 50k+ communities I imagine? Which are also probably those that outsource their community security to platforms like Lithium/Jive etc. Have you seen many online communities using this?

For knowledge sake - would you mind quickly linking to / explaining how to encrypt the hard drive and enable the firewall ?

Wanted to tag in @zapleahy - do you involve yourself much in the security side at Fitbit ?

I’m surprised that there has only been limited and relatively recent discussion on this thread regarding the community platform itself.

How many of us factor in security considerations when choosing a platform for our community? @richard_millington - how much time did you take reviewing security when choosing Discourse?

Given the almost unlimited attack vectors available, I am of the mindset that if someone wants to hack a site, they almost certainly will if they are determined and/or skilled enough. Fortunately for many of us there would be limited gains available should our sites be targeted, at least in terms of the worth of the data we hold. Reputational damage and plain old vandalism are different matters completely, obviously.

I think for most of us, the following are practical steps we can take:

  • Consider security when selecting a platform (search for the name of your platform along with terms like ‘hacked’, ‘security’ and ‘compromised’ etc)
  • Do the above again for any hosts you are considering.
  • Ensure all patches and updates for your platform are applied as soon as you possibly can.
  • Ensure all users with enhanced privileges (admins, mods etc.) are instructed to use very strong passwords (enforce via software if possible) and to change them regularly.
  • Check your logs for suspicious activity. Assume the worst if you spot an irregularity.
  • Backup your community data often and host it away from your community itself so you can rebuild should the very worst happen.
  • If you can, rename the pages (e.g. admin.php) to something more obscure so the obvious front-door is hidden from prying eyes.
  • If your platform has a ‘weak password checker’ (vBulletin has one, for example) use it and let people know who may be at risk.
  • Remind your users not to use the same username or email address and password combo for your site as for others. I see no harm in stating that whilst you will try your very hardest to protect their accounts, they should be aware that you do not operate bank levels of security nor do you have the resources to do so.

Hope this helps,

Darren

3 Likes
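Darren’s “check your logs for suspicious activity” and “hide the obvious front door” points, as an added example that is not part of the thread: a small Python script over constructed Apache/nginx combined-format log lines. It flags a burst of login POSTs from one IP (password guessing), any request for admin or backup paths, and well-known scanner probes. The sample lines, the login endpoint names, the probe list and the “5 attempts in 5 minutes” threshold are all assumptions to adapt to your own platform; the assumption that a successful login is answered with a 302 redirect is stated in the code.

```python
"""Flag suspicious activity in a web server access log (combined format).

Added example, not code from the thread. Sample lines, the login paths,
the probe paths and the 5-in-5-minutes threshold are assumptions.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATHS = {"/login.php", "/admin/login"}                   # assumed login endpoints
ADMIN_RE = re.compile(r"^/(admin|backup)(/|\.php$|$)", re.I)     # the "obvious front door"
PROBE_RE = re.compile(r"/(phpmyadmin|wp-login\.php|xmlrpc\.php|\.env|\.git/)", re.I)

# Constructed sample: one real visitor, one password-guessing script that then
# tries admin.php, and one scanner looking for phpMyAdmin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2015:13:55:10 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "python-requests/2.7.0"
198.51.100.23 - - [10/Oct/2015:13:55:12 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "python-requests/2.7.0"
198.51.100.23 - - [10/Oct/2015:13:55:14 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "python-requests/2.7.0"
198.51.100.23 - - [10/Oct/2015:13:55:16 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "python-requests/2.7.0"
198.51.100.23 - - [10/Oct/2015:13:55:18 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "python-requests/2.7.0"
198.51.100.23 - - [10/Oct/2015:13:56:02 +0000] "GET /admin.php HTTP/1.1" 403 221 "-" "python-requests/2.7.0"
192.0.2.9 - - [10/Oct/2015:14:01:44 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:14:02:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]      # drop the query string
    return ev


def find_suspicious(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Return (kind, ip, detail) findings for a sequence of log lines."""
    findings = []
    attempts = defaultdict(list)   # ip -> timestamps of non-successful login POSTs
    for line in lines:
        ev = parse(line)
        if ev is None:
            findings.append(("unparsable", None, line.strip()))
            continue
        ip, path = ev["ip"], ev["path"]
        if PROBE_RE.search(path):
            findings.append(("probe", ip, path))
        if ADMIN_RE.match(path):
            findings.append(("admin-path", ip, path))
        # Assumption: the app answers a successful login with a 302 redirect,
        # so any other status on a login POST is a failed or refused attempt.
        if ev["method"] == "POST" and path in LOGIN_PATHS and ev["status"] != 302:
            recent = [t for t in attempts[ip] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            attempts[ip] = recent
            if len(recent) == max_attempts:   # report once, when the threshold is crossed
                findings.append(("bruteforce", ip,
                                 f"{max_attempts} login attempts within {window}"))
    return findings


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for kind, ip, detail in find_suspicious(src):
        print(f"{kind:10} {ip or '-':16} {detail}")
```

Run it against a real log with `python check_log.py /var/log/apache2/access.log`. The point of the admin-path rule is Darren’s: once `admin.php` has been renamed, any hit on the old name is by definition someone who is not you, which turns an obscurity measure into a tripwire.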

Sure, here’s how to encrypt your drives:

Here’s how to turn on your firewall on Mac OS:

If you’re using an outside vendor for your community, like Lithium or Jive, I’d very directly ask your account rep what they do to test the security of their systems. Ask what they do to encrypt your customer data, what they do to protect billing info, what kind of security testing they do, etc. I’d also ask them how they keep your installation up to date and running the latest security updates.

You may not want to security test their software but you can put pressure on your vendors so that they test their own software.

I would highly suggest that all community managers make security a top priority across the entire company, not just within the context of your community or your community software. Sure, the forums could be an entry point, but so could that ancient page you setup 3 years ago to take contest entries. Companies like Yahoo have hundreds or thousands of marketing pages setup that they’ve forgotten about and these pages are used by hackers as an entry point.

To help give you an idea of what companies are testing, check out Pinterest’s bug bounty page: https://bugcrowd.com/pinterest

Pinterest has most of their sites and sections of their site “in-scope” for testing, which means most things are fair game for testing. This includes the help section of their site, anything on pinterest.com, etc.

At the end of the day, security should be a top priority for your entire organization. I’ve been the community manager that gets a call at 1am on a Friday because a security breach happened, and my entire weekend/week was ruined because I had to make the announcements, I was quoted in the press, etc. We can help limit the possibility of crap like that by putting pressure on our organizations to make security a priority.

To be fair to @richard_millington – the Discourse side of things is my responsibility.
Discourse is open-source, which by nature means it’s likely to be more secure than proprietary software.
You can read more about security on Discourse here.

That reads as “Hmmm, we didn’t really think of it that much. Fingers crossed!”

To me it reads like “we trust that the guy who designed Stack Overflow knows what he’s doing”; which to me is a fair assumption.

1 Like

Maybe.

I wasn’t intending to sound facetious there. My point is that my gut feel that security considerations are not amongst the top criteria being considered when selecting a community platform. Maybe I’m wrong on that though.

1 Like

I think you’re right, hardly anyone seems to consider security these days. Now that I work in security and I’ve seen the light, I hope to help change that :smile:

I recently launched a Discourse forum for Bugcrowd, a community of 19k hackers. Security was definitely a concern and a part of my process. I chose discourse for a multitude of reasons, two of which were:

  • Budget. Since we’ve never had a forum, I didn’t want to spend $30k-100k on a forum vendor when we could get something off the shelf and host it ourselves.
  • Development team moves quickly and is easy to get a hold of. This ties into the security bit, but I feel like if something really needed to happen or change, I’m more likely to get an audience with Discourse than I would with most other vendors.

That said, I can’t be 100% certain that Discourse is the most secure product on the market and I’ve not had a great experience when asking their team about my security concerns with the product.

But at the end of the day, I think I could still get something fixed quickly if we did find a security flaw and needed it to be fixed.

Re: Open Source software being more secure, I don’t think that’s a safe assumption. Heartbleed was found in software that’s been open source for decades. You should assume that there will be security flaws in any software you’re looking at, regardless of if it’s closed-source or open-source.

Guys, let’s not overdo it here. Most communities aren’t interesting targets (except for passwords) because nearly all of the data is public anyway. :wink:

2 Likes

Thanks for the ping, @richard_millington. I am involved in security at Fitbit from both the community platform and CS tools integration as well as the customer safety side. Have enjoyed the contributions to this discussion thus far.

Beyond proactively enforcing (via platform tools) and sharing internet safety tips (via community content), a lot of my efforts have been around designing process to escalate potential security concerns and communicate any issues (and how to handle them/protect against them) back to our users.

The Fitbit Aria was featured at Defcon’s IoT Village this year. Novice hackers learned about logic probing and hardware analysis and tried to play tricks on people. We were able to address any security concerns through a firmware patch released before the event, which, when combined with the fact that Defcon is HUGE, made for a very noiseless practice run.

A few practical tips from my vantage:
1 - know where you store your data and minimize access points
2 - opt to display data in non-owned systems as widgets whenever possible; don’t store data in databases you don’t own or know (your amazing sysadmin won’t be of any use there!)
3 - use SSO or two-factor authentication
4 - have a process in place for investigating data vulnerability claims of freelance hackers (most likely to tweet at you from an anonymous handle and request donations for information on the security hole they’ve discovered)
5 - hire your own white hat hackers
6 - design a process to escalate, validate, and communicate any phishing attempts using brand assets
7 - leverage advanced content filter tools like regular expressions, which enable you to prevent members from publishing email addresses, credit card numbers, social security numbers, etc.
8 - build in alert mechanisms - right now, I’m relying on a combination of pingdom alerts, platform status alerts, and a manual escalation process from my 24 hour team (if anyone has ideas on how to bulk this up, I’m all ears!)
9 - publish a webpage with key information (check out ours at fitbit.com/security)

2 Likes
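Tip 7 above (regular-expression content filters that stop members publishing e-mail addresses, card numbers and SSNs), as an added example that is not Fitbit’s code or part of the thread. The patterns and the sample post are assumptions. The one thing a plain regex gets wrong is that 16-digit order or tracking numbers look exactly like card numbers, so card candidates are confirmed with the Luhn checksum and SSN candidates are checked against the number ranges the SSA never issues before anything is redacted.

```python
"""Content filter for member posts: e-mail addresses, SSNs and card numbers.

Added example, not code from the thread or from any vendor's platform.
The patterns and SAMPLE_POST are assumptions.
"""
import re

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits, spaces/dashes allowed
MASKS = {"email": "[email removed]", "ssn": "[SSN removed]", "card": "[card number removed]"}


def luhn_ok(digits):
    """Luhn checksum (ISO/IEC 7812) over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject area/group/serial values the SSA never issues (000, 666, 900+, 00, 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_sensitive(text):
    """Return (kind, matched_text) for every e-mail, plausible SSN and Luhn-valid card."""
    hits = [("email", m.group(0)) for m in EMAIL_RE.finditer(text)]
    hits += [("ssn", m.group(0)) for m in SSN_RE.finditer(text)
             if ssn_plausible(*m.groups())]
    hits += [("card", m.group(0)) for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group(0)))]
    return hits


def redact(text):
    """Return the post with every hit replaced by its mask; unchanged if clean."""
    for kind, match in find_sensitive(text):
        text = text.replace(match, MASKS[kind])
    return text


# Constructed sample post: three real hits, one order number and one
# impossible SSN that a bare regex would wrongly block.
SAMPLE_POST = ("Mail me at bob@example.com, my card is 4111 1111 1111 1111, "
               "SSN 123-45-6789, order 1234567890123456, fake SSN 000-12-3456")

if __name__ == "__main__":
    for kind, match in find_sensitive(SAMPLE_POST):
        print(f"{kind:5} {match}")
    print(redact(SAMPLE_POST))
```

Hook `redact()` (or a reject-with-message built on `find_sensitive()`) into the pre-publish path of the platform; the Luhn and SSA-range checks are what keep the filter from blocking the support thread where someone pastes an order number.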

This really has been awesome discussion. Thanks Allison for this.

What process does fitbit use for investigating vulnerability claims? (do you get many?)

Where do you hire your white hat hackers?

We use pingdom too. Not sure what else we use. Curious to see what others have here?

Ideally a company will have their own internal security team, with part of the team doing their own internal pentests on your systems. If you don’t have those sorts of resources you could do what I suggested earlier which was hiring external freelancers or consultants to do a penetration test (and then do them again regularly throughout the year, especially if you’re releasing new software continuously).

I can offer how we handle security vulnerability reports at Bugcrowd and how many of our customers handle security reports. You’ll want any report sent by a researcher to include reproduction steps, which enables you to pass the vuln report onto the appropriate engineering team within your organization. If the team can reproduce the issue, the team should fix the vulnerability (you can look up a lot of common mitigation steps or fixes online for various security vulns. Lean on the OWASP wiki for some of this information)

It’s best practice to reward the researcher for their valid vulnerability report. You can do this in a structured way through a company like Bugcrowd (Full Disclosure: I work there), or often times companies do this by sending researchers swag. If you want more robust security testing and great reports, you’ll want to pay out cash rather than swag.

We have an internal security team that handles platform and physical security. We also just launched a bounty on BugCrowd: https://bugcrowd.com/fitbit. (Very cool community, @SamHouston!)

Our Support and Community teams have worked with Security to implement a rapid escalation system that enables Supervisors to flag and route everything from abusive users to vulnerability claims to Security.

Over the past two years, I’ve fielded one low-risk stored XSS vulnerability report and one unsubstantiated claim, so I would say that’s (thankfully) quite minimal volume. With 75 researchers participating on BugCrowd, we may see that number creep up, but those reports aren’t likely to come across my field of vision–and community.fitbit.com is actually out of scope for that bounty.

1 Like

Notes on Penetration Testing

I decided to follow my own advice, and have somebody do some security testing. I have about 20 servers in the Amazon Cloud, mostly running email and web servers, using open source packages in the Ubuntu distribution.

I’ve been using Upwork / Odesk - http://www.upwork.com - the past couple of years, as it’s rolled up several of its competitors. However, their new software platform has become very buggy, and is unusable at times. I’m aware of Guru.com, and if anybody has suggestions for other marketplaces for techie people, I’d love to know about them.

At any rate, I posted a job request on Upwork last month for penetration testing and got about a dozen responses within 2 days. I hired a guy with a CISSP designation, who does Pen Testing full time. He used Nessus and Acunetix, and both of these packages cost at least $2,000 a year to license.

I got back a couple of PDF reports with lots of trivia, and a listing of recommendations labeled Low, Medium or High risk. For example, my web servers allow the RC4 cipher, which has been deprecated recently. And I have not removed all the deployed default content from my website, that is, the Apache web pages that come with the installation.

All in all, I got a pretty clean report, and that is all due to the tens of thousands of open source programmers maintaining all the software and distributions, so I am very grateful to all of them.

Total cost for this exercise was $245. The scanning packages do most of the work, but the tester must have good tools that are up to date, and know how to use them.

I do understand what @SamHouston is saying when he mentions a $30,000 budget, and the real cost comes with implementing the fixes to the problems that are found. However, for less than $500, somebody can get a valuable insight into their situation.

If anybody wants me to connect them with this particular Pen Tester, please contact me via private email at mdm@mail-list.com

Thanks to Richard for bringing this subject up, and all the other contributions, as it spurred me into action.

mark david mcCreary

1 Like

Without getting into too much of a debate about what constitutes real security, a scanning tool like Nessus is only going to find so much. It’s not going to find all of the things that are actually going to make your company or products vulnerable. That’s why you hire a contractor/consultant (and companies like Bugcrowd, WhiteHat, etc) to do security assessments.

So yes, a tool scan is part of the solution…but it doesn’t address the full issue :wink: . That’s why the costs are so different.

A lot of great information here.

I want to emphasize a few things…

Size Does Not Matter
You don’t have to be a multi-million dollar company to be hacked. There are many types of hacks. Some are complex, some are simple, some are very specific such as:

  1. Personal data
  2. Deface your site (entertainment/ego)
  3. Redirect traffic
  4. Inject malware/virus
  5. Etc

Nothing is Foolproof
Technology is constantly changing. Always run the latest version. This includes software for your forums, blog, apps, server(s), etc.

Contact Your Host/Network
Ask your host. You may have some security measures in place. They may even offer you additional services at a cost. Things you should look for… Firewall protection, brute force detection, hardening, vulnerability scans, security audits, backup, etc.

Have a Backup Plan
Ask your host. Make sure you have a backup plan. At the very least, you should have a daily backup of your site. I recommend continuous backup and recovery plan to an offsite facility.

Security Policy
Everyone should have a ‘Security Policy’ in place. What steps are to be taken if a breach occurs. It can be as simple as an outline. Make sure the whole team is aware of the plan. An active breach is not the best time to do research.

Prevention: 2-Factor Authentication
Using 2-factor authentication such as Duo Security or Google Authenticator will help prevent most hacks. If you have staff (volunteer or paid) with any kind of edit / backend permissions you should install it ASAP.

Create Alerts / Notifications
Send notifications whenever changes to backend (file edits / access / etc) occurs. Notifications should contain time/date, ip address, files accessed, file location, etc. This will make it easier to follow the steps of a hacker in most cases.

1 Like
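The two-factor advice above (and Allison’s “use SSO or two-factor authentication” earlier in the thread), as an added example that is not part of the thread: the TOTP algorithm (RFC 6238, the time-based code that Google Authenticator and Duo’s app generate) in plain Python with the standard library only. `hotp()` and `totp()` are the standard algorithm and reproduce the RFC test vectors; the drift window, the replay guard in `verify()` and the `otpauth://` enrolment URI format are integration choices stated here as assumptions, and the account name and issuer in the demo are placeholders.

```python
"""TOTP (RFC 6238) as used by Google Authenticator, Duo and similar apps.

Added example, not code from the thread.  hotp()/totp() are the standard
algorithm; the drift window, replay guard and URI format are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits)


def verify(key, code, at=None, step=30, drift=1, last_counter=-1):
    """Return the time-step counter the submitted code matches, or None.

    Accepts +/-drift steps of clock skew (assumption: one 30 s step), refuses
    any counter at or below last_counter so a code cannot be replayed, and
    compares in constant time.  The caller must persist the returned counter
    per user and pass it back as last_counter next time.
    """
    at = time.time() if at is None else at
    centre = int(at // step)
    for c in range(centre - drift, centre + drift + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, c), str(code)):
            return c
    return None


def new_secret_b32(nbytes=20):
    """Fresh 160-bit secret, base32 without padding (the form authenticator apps scan)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def decode_secret(b32):
    """Inverse of new_secret_b32(); restores the padding base32 decoding needs."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI to render as a QR code at enrolment (Key URI format)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    secret = new_secret_b32()                     # store encrypted, per user, server side
    print(provisioning_uri(secret, "admin@example.com", "Example Forum"))
    print("code right now:", totp(decode_secret(secret)))
```

Two things the snippet makes explicit that a bolt-on plugin can hide: the shared secret is as sensitive as a password and must be stored accordingly, and a code must be accepted once only, which is why `verify()` returns the counter it matched rather than just `True`.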
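The “Create Alerts / Notifications” point above, as an added example that is not part of the thread: a file-integrity check for a web root in plain Python. It records a SHA-256 baseline after a deliberate deploy and later reports every file that was added, removed or modified, with a timestamp and full path, in the form you would send by mail or chat. The IP address and account behind a change are not in the file system; they come from the access and auth logs for the same minute. The directory layout, the skipped `cache` directory and the tampering in `demo()` are constructed for the example.

```python
"""Change alerts for a web root: baseline hashes, then report what moved.

Added example, not code from the thread.  A cron job (assumption) would
save the baseline after each deliberate deploy and run diff() every few
minutes; anything it reports that is not a deploy you made is a lead.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, skip_dirs=(".git", "cache")):
    """Map relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]   # churn we expect
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            state[os.path.relpath(full, root)] = _sha256(full)
    return state


def diff(baseline, current):
    """(kind, relpath, old_hash, new_hash) for every added, removed or modified file."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            events.append(("added", rel, None, new))
        elif new is None:
            events.append(("removed", rel, old, None))
        elif old != new:
            events.append(("modified", rel, old, new))
    return events


def format_alerts(events, root, when=None):
    """One line per event with timestamp, full path and short hashes, ready for mail/chat."""
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%Y-%m-%d %H:%M:%S UTC")
    short = lambda h: (h or "-")[:12]
    return [f"{stamp} {kind.upper():<8} {os.path.join(root, rel)} "
            f"old={short(old)} new={short(new)}" for kind, rel, old, new in events]


def save_baseline(state, path):
    with open(path, "w") as f:
        json.dump(state, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed web root: take a baseline, tamper with it, return the events."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "cache"))
        files = {"index.php": "<?php echo 'hello';", "config.php": "<?php $db = 'x';",
                 "cache/page.html": "<p>old</p>"}
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        baseline_path = os.path.join(store, "baseline.json")   # keep it off the web root
        save_baseline(snapshot(root), baseline_path)

        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("\n/* tampered */")                           # existing page edited
        with open(os.path.join(root, "shell.php"), "w") as f:
            f.write("<?php /* dropped file */")                   # new file appeared
        os.remove(os.path.join(root, "config.php"))               # file removed
        with open(os.path.join(root, "cache", "page.html"), "w") as f:
            f.write("<p>new</p>")                                 # expected churn, not reported

        events = diff(load_baseline(baseline_path), snapshot(root))
        for line in format_alerts(events, root):
            print(line)
        return events


if __name__ == "__main__":
    demo()
```

Keep the baseline file somewhere the web server account cannot write, otherwise whoever changed the files can also rewrite the record of what they should look like.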