Thank you very much for coming. I am absolutely astonished at the turnout, so thank you very, very much for taking the time to come and join us at this first Drupal ACT meetup in over a year. It's been a while. I'll admit from the outset that I don't live in Canberra; I live in Melbourne. I know, but I'm not from Sydney. Sorry. I have a lot of clients in Canberra, so I was very interested in seeing this event take place again and the Canberra community meeting up. I got the idea to get involved with this when I met with two people I work with who were both doing the same thing but were totally disconnected from each other, and I just thought: you guys need a venue where you can meet and talk about all the cool stuff that you're doing. So I want to say a huge thanks to Annex for hosting, and thanks to Marge for all of the help that she's done on the ground; I've just been directing. Tonight I'm going to do a sort of preview demonstration of the talk that I'm giving at DrupalCon Prague in the next three weeks, and then Nathan is going to give us an update on GovCMS, and we'll see where the evening takes us. I would also like, at some point... there is no camera. I'm sorry, there's a camera here. If you're waving, you're waving here. We're looking to probably do this every month or two months moving forward, obviously with Drupal South coming up. If you haven't heard, Drupal South is coming up in Brisbane on the 19th to 21st of October, so grab your tickets for that. They're still relatively cheap at this point, early bird pricing and all of that. Early November we're thinking about doing a panel. We don't know what the panel would be about, but if you have any suggestions, please let us know. And then early December we're thinking about just going somewhere for drinks. So without further ado, I will share my screen and we'll get stuck into this presentation.
I'll have a little bit of liquid courage. I had a little bit of an incentive: part of why this is good for me is that I had to have it ready early. The interesting test will be whether it's anything like this by the time it makes it to Prague. I know everyone here. So, yeah, my name is Michael Richardson. I run a managed Drupal platform-as-a-service provider called Ironstar. We provide managed Drupal hosting for state, federal and local government, as well as enterprise clients in payment processing, aviation, and another sector that I'm totally blanking on, but they're a very valuable client. Tonight I'm going to be talking about how business managers and project leaders can gain confidence in their site security. As a bit of a survey: who here would describe themselves as non-technical when it comes to Drupal? Okay. Who here would describe themselves as a decision maker who is non-technical when it comes to Drupal? All right, this talk is for you. Everyone else, you are my guinea pigs, because I'm sure all of you who are technically oriented and come from technical backgrounds have to encourage and guide non-technical decision makers in making technical decisions about your Drupal site. This talk and this experience is really based on an experience that I had about three years ago, where I failed to correctly and effectively educate a non-technical decision maker on the merits of Drupal and specifically Drupal's security capabilities. I was asked by a client that we work with to get involved with a client of theirs.
So this is an agency; their client had about 12 sites that were hosted somewhere else, and those sites were having performance issues. No one knew what was going on, and they asked us if we could get involved, do a bit of assessment, and provide a report to the client with a set of recommendations. Pretty standard stuff. Pretty quickly after getting in there, we found that they'd been hacked and that someone had put a crypto miner on both of their web servers and was just generating Bitcoin or Ethereum or whatever it was, and no one was aware. We cleaned everything up, we did what we had to do, and then we provided a report to the chief marketing officer of that company, and her takeaway from that conversation was: Drupal is insecure. I don't know where in that conversation I went wrong, but I could not get her back from that deduction she had made. I tried very hard to explain that Drupal was not insecure, her implementation of Drupal was insecure, but at the end of the day the entire organization re-platformed all 12 of their sites onto WordPress. So that was just failure, really. But in my work I very often, almost daily, talk to non-technical decision makers who are responsible for very technical decisions, and I have a lot of empathy for them in that situation, because they don't come from a computer science background, they don't come from a programming background, they haven't built Drupal sites.
They haven't hosted Drupal sites. I mean, they're responsible for sites that generate in some cases millions and millions of dollars, that are essential to the organizations that they work for, and they get asked to make these decisions that they don't have any real understanding of, but nonetheless they are responsible and they are accountable. I've gone through all of that and skipped that slide, so we'll move past that. So yeah, this talk is about some of the things that you should be asking your teams about to secure your Drupal sites. We're going to talk about this from a cost-benefit point of view; not everybody has an unlimited security budget. If you have an unlimited security budget, please see me later on this evening, I have some stuff I want to talk to you about. But really, there is no security solution that everybody should have. It's all risk and benefit and choosing what fits you. But there is a lot of stuff that you can do to your Drupal site that will make it very secure, that I find in my experience a lot of organizations and a lot of teams aren't doing, and this stuff is free or cheap and most of the time very, very simple. So we'll start by talking about the easy wins. These are the things that are free, that are very, very simple to do, and that very few Drupal sites actually seem to have. The first one is security headers, using the Security Kit module. I would imagine most of the technical hands that we saw earlier would be familiar with Security Kit and security headers, but for those of you who aren't: a header is something that your web server sends as metadata to anybody who's requesting any object. So when a user visits your site, they get a bunch of headers. The headers provide instructions to the browser, and security headers in particular provide security instructions. To explain: I want you to always talk to me with SSL; I want you to do this to avoid cross-site request forgery, or cross-site scripting, clickjacking, all of that sort of stuff.

Security headers are free. The Security Kit module is free. It is all very, very easy to set up, and it does work; it provides quite a lot of effective control against this sort of manipulation of users in real time, against your site, using the browser that they're using. So we should be asking the question, about all technical things: do we have Security Kit? Are we sending security headers with our site? And are we configuring them correctly to do things like put a quick check in for cross-site request forgery? The next thing that is on the... I'm sorry, there is a site called securityheaders.com, which you can plug any domain name into, and it will give you a report and a grading on that site. I encourage you to grab your phone, if you want, and plug in the website or sites that you're responsible for and have a look. You don't have to tell anyone the score, you can keep it to yourself, but this site will give you really, really great guidance: okay, you're missing these headers, here's why you should have them, here's more information about how you should implement them. So I highly recommend checking that out. The next thing, which is going to feel like a no-brainer, and surely everyone's patching everything all the time, but in my experience, no. There is a security release for Drupal every month, more or less. It's a timed thing, every month.
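To make the headers check concrete, here is an added example (it is not from the talk and it is not the Security Kit module): a small Python audit of a captured set of response headers, modelled on the kinds of questions securityheaders.com asks, so the same check can run in CI against the output of something like `curl -sI https://example.org`. The thresholds, the two sample header sets and the "hardened" values are assumptions made for the example, not Security Kit defaults.

```python
"""Offline check of HTTP response security headers.

Added example, not from the talk: it approximates the checks a scanner such as
securityheaders.com performs, so they can run in CI against captured headers
instead of pasting domains into a website. Thresholds and the "hardened" sample
values are this example's assumptions, not Security Kit defaults.
"""
import re

HSTS_MIN_AGE = 15_552_000  # six months; assumed minimum, what preload lists expect


def _csp_directives(csp):
    """'default-src x; script-src y z' -> {'default-src': ['x'], 'script-src': ['y', 'z']}"""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_security_headers(headers):
    """Return a list of human-readable findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS max-age below six months")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    directives = {}
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        directives = _csp_directives(csp)
        # script-src falls back to default-src when absent, as browsers do
        script_sources = directives.get("script-src", directives.get("default-src", []))
        for risky in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if risky in script_sources:
                findings.append(f"CSP allows {risky} for scripts")
        if "object-src" not in directives and "'none'" not in directives.get("default-src", []):
            findings.append("CSP does not restrict object-src (plugin content)")

    if "x-frame-options" not in h and "frame-ancestors" not in directives:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")
    if "x-generator" in h:
        findings.append("X-Generator discloses the CMS to attackers")
    return findings


# Constructed sample: what an untuned Drupal response typically carries ...
DEFAULT_DRUPAL = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Generator": "Drupal 10 (https://www.drupal.org)",
    "Cache-Control": "must-revalidate, no-cache, private",
}

# ... and the same site after hardening (illustrative values, not a recommendation).
HARDENED = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("default", DEFAULT_DRUPAL), ("hardened", HARDENED)):
        print(label, audit_security_headers(hdrs) or "all checks passed")
```

The CSP parsing matters more than it looks: a policy of `default-src 'self' 'unsafe-inline'` with no `script-src` still lets inline scripts run, which is why the check falls back to `default-src` the way a browser does.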
There may not necessarily be something every month, but there generally is. Then there are the security patches for modules, and I tend to find that things fall into one of two camps, or three really, the third being that everyone's patching, which is fantastic. The second is that the agency or contractor or consultant that takes care of the site isn't able to convince the customer that they should be paying for the time required to do the patching, so patching comes about when there's a security vulnerability and everybody's panicking. Or patching comes about only when... there is a conscious effort that we will patch our website, but that update doesn't really apply to us, we'll wait and see what happens next month. Next month comes around, that update doesn't really apply to us either, we'll just keep waiting until there's one that applies to us, and then six months later there's a massive vulnerability, everyone's exposed, and you've got six months of patches to apply and one of them breaks your site. So what should have been a 20-minute patch cycle turns into two, three, four, five days, and for that entire period of time that site is exposed. So I very strongly encourage non-technical decision makers to be talking to their team about how often they patch, how automated those patches are, and whether they're patching not just Drupal core but also the Drupal modules that they're using as well. Patching should be boring.
It should be routine, so that when you really have to do it in a hurry, there are no surprises. The next thing that we should be looking at is content delivery networks. This is an area that used to be very, very expensive. Content delivery networks, or CDNs, are a distributed network of servers that receive requests on behalf of your web servers, and if they have a locally cached copy, they will deliver it. So if users in Prague, for example, request content on something that we host and there's a CDN node near them, they'll get a copy of that content from closer to them. That has a lot of benefits, the first being that it significantly reduces the load on your web server, which will help you reduce your hosting costs. I'm not terribly excited about that, but it's something that clients like. The next is, if there is an attack, a denial of service attack, on your website, that network is going to absorb most of that attack, depending on the type of attack. A CDN, generally, you can get for free. I've got a little bit of an analysis here on four of the largest providers: Cloudflare, Fastly, AWS's CloudFront and Azure's CDN product. They have varying degrees of complexity, but there are many, many more choices than this. This is a very commoditized product offering, which is great for anyone who's delivering a website, because most of you can get a CDN for nothing or for very, very little relative to the cost of the actual hosting and the cost that you spend maintaining the site every month. The next thing on the list of things that are free and easy to do is two-factor authentication. I see very, very few sites with two-factor authentication. Most if not all users are now really familiar with two-factor auth. They've got it on their phones, they've got it on their company accounts, they've got it pretty much everywhere.
So the learning curve is gone, and two-factor authentication is probably the closest thing to a silver bullet of all the things that you could find when it comes to preventing an attack on your website. If somebody gets the username and password for one of your users, it's a whole other kettle of fish to get the two-factor authentication code. It can be done, it can be bypassed, however. Two-factor auth with Drupal: there are a few different modules that do it, they do it in different ways, and you can find the one that fits you best. They are free, they are easy. So you should be asking your team: do we have two-factor authentication on our websites? The last thing in terms of free and easy, which is another thing that we don't see often enough, is email security records. This is probably the slide that I had the hardest difficulty with in not getting too technical. But if you think back to the security headers and the fact that they instruct browsers what to do when they access your site, email security records do the same thing between mail servers. They tell mail servers how to be sure that someone who's pretending to send email as you is actually you, is from a server that you trust, and even more importantly, or just as important, what to do if they get an email that is pretending and fails that test. You effectively want to know if someone's trying to send phishing attempts as you, and the DMARC record is a way to do that. And finally, the MTA-STS record will tell mail servers how to interact with your mail servers using SSL, so that you encrypt connections over email. Again, this is something that we see very, very rarely. All this stuff is free. It's somewhat more complicated to implement, but not very difficult at all, and certainly something that you should be talking about with whoever takes care of your domain name and your email. So that's it for the quick and easy stuff, and if you went through and implemented all of those things, I think you would have a more secure Drupal site than probably 80% of the Drupal installations that I've ever seen. And all that stuff is free, except maybe the CDN.

Next up we're going to talk about the worthwhile endeavours. If you've done all of that stuff and you're in a really good place, and you want to think about, okay, I'm more exposed than most applications, or I'm more worried about risk than most people, what are the next things that I can do? As an add-on to the content delivery network that you've gone and successfully deployed, you can look at a web application firewall. It works similarly to the CDN, in that it receives requests from all over the world and analyzes them before it sends them on to your web server, and it looks for malicious patterns in those requests. It can be programmed to be aware of specific Drupal security threats. When major Drupal vulnerabilities have come out in the past, a lot of the CDN/WAF providers have put in rule sets even before the Drupal patch is available, or just as it's available, so that even if you haven't patched your site, if you're behind this web application firewall, this WAF, you've got a lot of that protection and that control. So we should be asking our teams: do we have a WAF? Are we programming specific rules that are unique to our organization and our own risks? And do we monitor WAF alerts? If something is attacking us, are we going to know about it? The next thing, and I promise this is not a plug, or at least it's a generic plug for everybody: the next thing is specialist Drupal hosting. In six years working with Drupal, I have seen seven websites or seven servers that have been hacked, and they've all been either self-hosted or hosted by a provider that wasn't a Drupal specialist. It's very, very, very easy to host a Drupal website, and that's part of the wonder of Drupal, but that's also part of the risk of Drupal, because it's very easy to think, right, I've got a Drupal server, my site's being hosted, everything's okay.
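As an added example (not from the talk) of what "email security records" means in practice, the Python below audits a domain's SPF, DMARC and MTA-STS records for the weaknesses described above: a DMARC policy that only reports instead of rejecting, an SPF record that only soft-fails, or an MTA-STS policy that is not actually enforcing TLS. The DNS zones and the policy file are constructed in-line so the check runs offline; `first_txt`, the fake zone layout and the thresholds are assumptions for this example, and a real audit would replace the zone dictionary with a DNS resolver and an HTTPS fetch of the policy file.

```python
"""Offline audit of a domain's email authentication records (SPF, DMARC, MTA-STS).

Added example, not from the talk: the DNS data is an embedded fake zone so this
runs without network access. Thresholds are this example's assumptions.
"""
import re

MTA_STS_MIN_AGE = 604_800  # one week; assumed floor for a policy to be worth caching
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_tags(record):
    """'v=DMARC1; p=reject; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'reject', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(spf):
    if spf is None:
        return ["no SPF record: anyone can send mail claiming to be this domain"]
    terms = spf.lower().split()[1:]  # drop the 'v=spf1' version tag
    findings = []
    if terms and terms[-1] in ("all", "+all"):
        findings.append("SPF ends with +all, which authorises every sender")
    elif not terms or terms[-1] != "-all":
        findings.append("SPF does not end with -all, so spoofed mail only gets a soft fail")
    # Receivers abort after 10 DNS-querying terms, which makes SPF fail open.
    lookups = sum(1 for t in terms if re.split(r"[:=]", t.lstrip("+-~?"))[0] in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; receivers stop evaluating after 10")
    return findings


def audit_dmarc(dmarc):
    if dmarc is None:
        return ["no DMARC record: receivers get no policy for failing mail and you get no reports"]
    tags = parse_tags(dmarc)
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"DMARC p={policy}: spoofed mail is not rejected")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so spoofing attempts are never reported to you")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC pct below 100: the policy applies only to a sample of mail")
    return findings


def audit_mta_sts(txt, policy):
    if txt is None:
        return ["no MTA-STS record: inbound mail can be downgraded to plaintext"]
    if policy is None:
        return ["MTA-STS DNS record exists but the policy file is missing"]
    fields = {}
    for line in policy.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    findings = []
    mode = fields.get("mode", ["none"])[0]
    if mode != "enforce":
        findings.append(f"MTA-STS mode is {mode}, so TLS is not actually required")
    if "mx" not in fields:
        findings.append("MTA-STS policy lists no mx hosts")
    if int(fields.get("max_age", ["0"])[0]) < MTA_STS_MIN_AGE:
        findings.append("MTA-STS max_age below one week; senders forget the policy quickly")
    return findings


def first_txt(zone, name, prefix):
    """Pick the TXT record at `name` that starts with `prefix` (a domain can have several TXTs)."""
    for record in zone.get(name, []):
        if record.lower().startswith(prefix):
            return record
    return None


def audit_domain(domain, zone, policies):
    """zone: {dns name: [TXT strings]}; policies: {domain: MTA-STS policy file text}."""
    return (
        audit_spf(first_txt(zone, domain, "v=spf1"))
        + audit_dmarc(first_txt(zone, f"_dmarc.{domain}", "v=dmarc1"))
        + audit_mta_sts(first_txt(zone, f"_mta-sts.{domain}", "v=stsv1"), policies.get(domain))
    )


# Constructed zones; none of this is real DNS data.
WEAK_ZONE = {
    "example.org": ["google-site-verification=abc", "v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=none"],
}
STRONG_ZONE = {
    "example.org": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org; pct=100"],
    "_mta-sts.example.org": ["v=STSv1; id=20240101T000000Z"],
}
STRONG_POLICIES = {"example.org": "version: STSv1\nmode: enforce\nmx: mail.example.org\nmax_age: 1209600\n"}

if __name__ == "__main__":
    print("weak:", audit_domain("example.org", WEAK_ZONE, {}))
    print("strong:", audit_domain("example.org", STRONG_ZONE, STRONG_POLICIES))
```

The weak zone is the common state the talk describes: SPF present but soft-failing, DMARC present but set to `p=none` with nowhere to send reports, and no MTA-STS at all, so nothing in it actually stops or even tells you about someone sending as the domain.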
I'll walk away. But there are specific nuances to the implementation that you need to be aware of, and I would encourage you to ask your team: does our host actually understand Drupal, and if we have major exploits or if we have problems with scale, can our host help us with that? If you're looking for something that's a bit more turnkey and a bit easier to access, especially on a tight budget, then Platform.sh and Pantheon have very, very good products at that price point. They're very powerful tools and I would certainly recommend them. And if you're looking for something more specialized, especially if you're looking for something that's compliant with federal government frameworks like the ISM, then amazee.io, Ironstar and Acquia are also very, very good choices. Sorry, and GovCMS, but I kind of forget that everyone here is already familiar with that. But if you're self-hosting, or you're hosting with someone who isn't a Drupal specialist, you need to be asking them those questions: are you equipped to take care of Drupal?
The next thing along the line in terms of medium-effort stuff is single sign-on. I'm going to go out on a limb here and bet that everybody in this room authenticates to their workplace using something like Azure AD or Okta or Google Workspace or something like that, almost certainly Azure AD. If you have more than one user and more than one Drupal site, single sign-on is something that you should definitely be talking to your teams about. I see a lot of sites where someone's rolled onto a project, worked on it for a few months, rolled off the project, maybe even left the organization, but no one has an awareness of who has access to what and how tightly controlled their access is. They may have admin rights when they're just a content editor, and this can go on for months or years. If that person's username and password, which they reused for the Drupal site, gets leaked from another database, suddenly you're exposed and you wouldn't even know about it. Single sign-on is a really easy way to give people access to sites and to remove it, and generally if somebody leaves an organization you know about it, in that you're at least removing their login for their email, so you should be piggybacking on that authentication process. It's slightly more effort to configure. Cost depends on whether or not you've already got a single sign-on framework like Azure AD or Okta. If you do, then the cost should be effectively nothing aside from a couple of days' work. And then finally I'll talk about a couple of things that you can do to build a culture that's focused on security. So you've done the stuff that's really, really easy, you've done the stuff that's a little bit difficult and costs a little bit of money. Where do you go from there?
The answer to that is far more complicated than I'll go into here, because there are probably a hundred things that you can do to build an enterprise-grade, government-grade, very, very high security website. But I want to talk about a few things really quickly, and the first is automated security scans. If you've built and deployed a Drupal website that is secure today, it may not necessarily be secure in three months or six months. There may be a component that you're using in your website, or even a dependency in your website that has a dependency that has a dependency that has a dependency, that becomes vulnerable at some point in six months' time. If you're not automatically patching that stuff and you're not monitoring that stuff, you won't know that that vulnerability exists in your site. So one thing that you can talk to your team about doing is setting up a daily automated security scan that audits your code base for known vulnerabilities. I've got an example here. I didn't have a Drupal app that I could use as an example, but this is a Node.js app, and this is static application security scanning from GitLab. GitHub and pretty much everybody has something in this space. This will look at dependencies and find vulnerabilities in your code and let you know about it, and you can set this up so that it runs daily and you get an alert that tells you: hey, that site that was perfectly fine yesterday isn't okay anymore and we need to look into it. The other option, or the additional option I should say, is dynamic application security scanning, which, instead of analyzing your code, will log into your website and analyze it when it's live, at runtime. It will log in, it will scan around. I'm not aware of anything yet
that's very Drupal-aware in terms of testing specifically for Drupal runtime vulnerabilities, but there are a lot, like Intruder.io, which I've used here, that have PHP awareness, so there's still a lot of value there. So that's another area that's really worth looking at. We should be asking our team: are we scanning our code for vulnerabilities? How does that take place? And again, how do we get notified if it picks something up? Are we going to be aware of it? The next thing on the list is workstation security. This is one that we've just gone through a very, very, very long process with, and we are still going through the process with it. I think it's more difficult than server security, but it's also often overlooked. If you read about a data spill, where an organization has a list of their customers exposed or a copy of their database exposed, very, very often in those stories you'll hear about a laptop that was left behind somewhere, wasn't secured, and just had a copy of the production database. So this slide and the next one address that. The first is workstation security: making sure all your users have encryption turned on, making sure all your users connect through a secure VPN, all your users have that on every device, all that sort of stuff. It's a lot of work, but if you've got secure servers, the next thing you need to be looking at is secure workstations. And finally, sanitization of database exports. This is free, so it doesn't really fit in this part of the discussion, but it's something that I think has slightly less value compared to the stuff that came earlier; I wouldn't have this before I had the other stuff. But you can set up scripts so that when a developer copies the production database to their workstation or to another environment, it will scramble the user data that is copied: things like emails, usernames, everything else. So that if that database was stolen from that employee's laptop or lost somewhere else, the data is effectively useless. It might be slightly useful to a competitor, but to someone who's just looking to mine personal information, it's pointless. So that is a free tool that is well worth looking into.

So, a quick summary. Again, if you don't have everything here that is minimal effort, then I would suggest that's the very first thing you should be looking at; it won't cost you very much at all, if anything. And then you can work further down that list to gradually improve the security of your site over time. Security is something that you must evolve with a site; a site that is secure today will not necessarily be secure a year from now. And that's not a Drupal thing; we all know that that's technology, and that software and all CMSs evolve like that. So thank you very much. If anyone has any questions, I'll take them. Otherwise, I did mention I'm doing this talk in Prague. If you can't see that, which I wouldn't blame you if you can't, ironstar.io/GCISS is a survey for this presentation. It's enormous. I would love any feedback you have, whether you're a technical person or a non-technical person.
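An added example, not from the talk and not drush itself, of what a sanitized export should look like: the Python below builds a tiny SQLite copy of Drupal's `users_field_data` table (plus an assumed `contact_message` table holding free text), scrambles it with the same `user+<uid>@localhost.localdomain` pattern that drush sql:sanitize uses for emails, and then checks that no real-looking addresses survive anywhere that was declared as holding personal data. Table and column names follow Drupal core; the sample rows, the extra table, the password replacement and the redaction of free text are assumptions for this example.

```python
"""Sanitising a copy of a Drupal database before it leaves production.

Added example, not from the talk and not drush: it reproduces in plain SQLite
what a sanitised user table should look like, so the behaviour can be read and
tested. Sample rows are constructed; every address and hash here is fake.
"""
import hashlib
import re
import sqlite3

# An address whose domain is not 'localhost...' counts as real personal data.
REAL_EMAIL = re.compile(r"[^@\s]+@(?!localhost)[^@\s]+\.[a-z]{2,}", re.I)

# Columns that hold personal data in this (assumed) schema.
PII_COLUMNS = [
    ("users_field_data", "mail"),
    ("users_field_data", "init"),
    ("contact_message", "mail"),
    ("contact_message", "message"),
]

SCHEMA = """
CREATE TABLE users_field_data (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT, init TEXT, pass TEXT);
CREATE TABLE contact_message (id INTEGER PRIMARY KEY, mail TEXT, message TEXT);
"""

ROWS_USERS = [
    (0, "", None, None, None),  # Drupal's anonymous user row; must stay untouched
    (1, "admin", "cio@ministry.example", "cio@ministry.example", "$2y$10$fakehash1"),
    (42, "jsmith", "jane.smith@citizen.example", "jane.smith@citizen.example", "$2y$10$fakehash2"),
]
ROWS_CONTACT = [
    (7, "leaker@citizen.example", "Please call me on 0400 000 000"),
]


def load_fixture():
    """Stand-in for a production dump: an in-memory database with the rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users_field_data VALUES (?,?,?,?,?)", ROWS_USERS)
    conn.executemany("INSERT INTO contact_message VALUES (?,?,?)", ROWS_CONTACT)
    return conn


def sanitize(conn, keep_uids=(0,)):
    """Scramble PII in place. Emails become user+<uid>@localhost.localdomain (the
    pattern drush uses), every password is replaced with one throwaway value, and a
    free-text table that may contain PII is redacted rather than pattern-matched."""
    placeholder_pass = hashlib.sha256(b"password").hexdigest()  # not a Drupal hash; assumption
    marks = ",".join("?" * len(keep_uids))
    conn.execute(
        "UPDATE users_field_data SET "
        "mail = 'user+' || uid || '@localhost.localdomain', "
        "init = 'user+' || uid || '@localhost.localdomain', "
        "pass = ? "
        f"WHERE uid NOT IN ({marks})",
        (placeholder_pass, *keep_uids),
    )
    conn.execute(
        "UPDATE contact_message SET "
        "mail = 'contact+' || id || '@localhost.localdomain', "
        "message = '[redacted]'"
    )
    conn.commit()


def find_unsanitized(conn):
    """The check to run on the export: list every (table, column, value) still holding a real address."""
    hits = []
    for table, column in PII_COLUMNS:
        for (value,) in conn.execute(f"SELECT {column} FROM {table}"):
            if value and REAL_EMAIL.search(value):
                hits.append((table, column, value))
    return hits


def user_row(conn, uid):
    return conn.execute(
        "SELECT uid, name, mail, init, pass FROM users_field_data WHERE uid = ?", (uid,)
    ).fetchone()


if __name__ == "__main__":
    conn = load_fixture()
    print("before:", len(find_unsanitized(conn)), "real addresses")
    sanitize(conn)
    print("after:", len(find_unsanitized(conn)), "real addresses")
```

The point of `find_unsanitized` is that it runs after the scramble, on the copy that is about to leave the server: a sanitization script that nobody verifies is exactly the kind of thing that silently stops covering a new table.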
I appreciate this may not have been terribly exciting for 90% of the room, but again, you all have to go through this same thing of providing technical recommendations to non-technical decision makers. So if you feel like there's more that can be done here to make this more effective for that room in Prague, which is hopefully going to be a far less technical audience, then please let me know. Otherwise, thank you very much.

Question: how do you go about convincing people they need to do patching regularly? Because that's a common problem, right?

Mate, if I knew the answer... It's a very hard sell, especially to the audience that is: we'll patch when we need to, we'll patch when it's relevant. And that is so far only something that I've seen learnt the hard way, where there is that critical patch and it can't go out for a few days, and okay, well, that's pretty bad. But I think, again, if it's easy and it's done routinely, it's not a challenge to sell it. So I would talk about automation, I would talk about getting a routine for it and doing it to that routine and never breaking that rule.

I can see it when we get them onto a managed service or similar. Yes, because, I mean, they pay for it, right? So it's easy. But I think everyone has that problem. Yeah, everyone I work with, definitely.

Talk about it in terms of insurance. Yes, it's like if you insure your car and you insure your house, patching is insuring your server or your website or whatever it is. Yeah, and in the same way that you, well, hopefully you wouldn't drive away without insuring your car, you should do the same thing for your website. That's how I can pitch it to people.

We have a raised hand on Meet. Let's see if I can work that out. Oh, thank you guys. My name is Joseph, I'm from the Department of Finance, I'm a developer, and thank you for your presentation.
I think it is really awesome, and it's really good to pass Drupal security on to our community. So one quick thought regarding the non-tech person. From my past experience, personally I strongly recommend that a sort of Drupal security advisory catch-up can happen weekly. As we know, the Drupal team has a calendar, basically a routine release of Drupal core security updates and Drupal contrib module security updates, in the calendar. So I strongly recommend that the non-tech person has a routine catch-up with the technical person, because we do understand that there's a gap there, right? So maybe the technical person, like a developer, we all know that tomorrow we are going to have a critical Drupal something, like a module that needs to be updated. However, we need to put it into a catch-up with the non-tech person and present such information in a non-tech way, so that this communication can be smooth, and then we can put this, for example, like a Drupal security update happened, and the non-tech person can understand us. So this is my point. Thank you.

That's a really great point. Could everyone hear that? Okay. Yeah, that is a really, really good point: time the security meeting to the Drupal security advisories, and then you've got a lot of extra context for the conversation. Thank you. Any other questions?

I'd be interested in what tools, if you say tools, to use for sanitizing the database. What kind of tools?

Just the drush sanitize command, or sql:sanitize command.
It's built into drush, so you can program it to be a bit more aware of your specific data structure and the columns that you want it to scramble when it does an export. So it's all just built into drush. I don't know if there are other tools that do it or other ways to do it, but that's the one.

Yes, there's a hook in it where you can customize what you want to sanitize.

Okay, cool. All right, thanks everyone. We'll take like five minutes; you can all get some refreshments, stretch your legs, and then we'll hear from Nathan, who's going to give us an update on GovCMS. So yeah, we'll be back at, let's say, seven ten. Nathan, is that all right? All right, fantastic. Thanks everyone.