Well, good morning everybody. Properly caffeinated? Get in there; it might take the rest of the morning. If the caffeine doesn't work: orange juice, stretches, exercise in place. I'm Brace Altini. Thank you very much for being here at DrupalCon. How many first-timers? Awesome, okay. How many folks have two-plus DrupalCons under their belt? All right, brilliant. Very good. Very good. Well, you're in for a treat this morning, and I think you're in for a treat with the business track in general. So if you're here because you are involved with your own Drupal undertakings and helping other people leverage the benefit of Drupal, I think you're going to want to pop in and out of the business track during the course of the week, and you're starting off the right way with a presentation on security issues. So welcome.

A little bit about FFW: who we are, who we used to be, and what we hope to continue to do. We used to be known as Blink Reaction and Propeople and three or four other brands internationally, and last year we came together and became, wow, the largest Drupal service agency of its kind on the planet. We consider that that may be a temporary condition, because it's a very variable business and many of you in the audience may aspire to it. But what we really hope you aspire to is what we try to be: not just the biggest but hopefully one of the best. One of the ways we like to think that we are one of the best is by providing as much support as we possibly can to the Drupal community. So we're back again this year as a diamond sponsor of DrupalCon, and very proud of it.
We were diamond sponsors last year when we launched our new brand identity. We're about 400 people strong across the globe, and we really did it because we wanted to be able to serve our clients and the Drupal community from a global perspective, because many of our clients are large enterprise organizations that work in those different markets. Rather than leave those clients without the ability to get qualified Drupal services in those markets from folks they had worked with, we felt that we had to grow with them, grow with Drupal. And I think that's probably the reason why a lot of you are here as well.

One of the very special things that we do, and that I have the privilege of doing, is managing the Drupal 8, excuse me, the FFW Center of Excellence. So if you care to visit our website, ffwagency.com/event, we have a whole bunch of free Drupal training online and in different markets. And that brings me to the next event, the one you're going to be spending your time on for the next hour. You've got three individuals here who've been in the Drupal community for a very long time, none of whom I know particularly well personally. But for those first-timers, you're going to find that you get to know people pretty quickly, because Drupal event after Drupal event, when you see folks that you recognize, just stop them, start a conversation, talk to them about some of their passions and in particular about some of their experience. All three of these folks here, no surprise, have terrific experience in the area that you're here for. You're here to have the security conversation, as I understand it, and you're in good hands, and it's our pleasure to help bring it to you. So stop by our booth, say hi, say hi to me, say hi to our other team members, but make sure you engage these folks and get the most out of it. So thanks very much.

Thank you guys. How about that introduction? Thanks, right?
Okay, so here's the thing: we have a pretty long presentation here, but at the end of every section there are going to be key takeaways, so that's when your pencils can come out. It's also great to see some familiar faces here; we really appreciate you guys showing up. If you have questions, there's a wireless mic up there. I think we'll save questions, and there's also something really good we just found on Google Slides, so bear with us with technology here. If you go to the link that's going to be at the top of the slides up there, you'll be able to ask us questions and they'll hit us in the panel here. This is great if you have a question that you don't really feel comfortable standing up at the mic to ask, or if you see something on a slide and you want to ping us with a quick question without interrupting us. But also feel free: this is very much a conversation that we want to have, so if you do have a question and it just can't wait and you can't send it on here, feel free to raise a hand or something. But try to use this, because it's pretty fun.

Yeah, and by the way, the session will be live online in a couple of hours, so you can tweet it out to your friends and say you were just sitting in the best first session of DrupalCon, especially all you people for whom this is your first DrupalCon. It will automatically be the best session you've ever been to. That's true. Yeah.

All right, so let's do just a brief introduction. We bring a few different perspectives. I'm Drew Gorton. I'm director of community and agency outreach at Pantheon.
Once upon a time I was a developer, started my own agency, grew a team, became a CEO, was doing that and created a product. So I have a variety of perspectives on a lot of topics, and now at Pantheon I get to work with a lot of different agencies and see a lot of different practices across a lot of verticals and spectrums.

I'm Luke Probasco from Townsend Security. We are a data security company: multi-platform encryption and key management solutions for the enterprise. We've been focusing on Drupal lately. I do a lot of business development within the Drupal community, and we work a lot with Drupal shops who need to deploy encryption and key management to meet compliance and manage the risk of data breaches.

And I'm Chris Teitzel, founder of Cellar Door Media, as well as the Lockr product that we just recently launched a couple of months ago. The Cellar Door side of things we've been doing for many years now. We do apps and website development, and as we were going through that we found the need for more security, and so we built our own key-management-as-a-service platform called Lockr.

All right, so we're going to start off with a quick let's-wake-up game, just a show of hands. In your own personal web use, how many of you reuse email addresses when you sign up for accounts? How many of you? Okay, right. All right, and usernames likewise: same username? Same username, yeah. Anyone ever share a password, occasionally, maybe just on the services you don't care about, not with your friends? Real names that you use when you create accounts? You've got your real name, date of birth? Posting things publicly on LinkedIn, Facebook? Do any of that? Twitter? A lot.
Yeah, a lot of these. So one of the things that a lot of us think about when we think about security is that it's about credit cards, and that's actually not really true. Credit cards are, yes, an asset, but in the dark market that's out there, the value of a stolen credit card is going to range; it's going to depend on time and place and other things like that, but say, order of magnitude, five to thirty dollars, something like that, for a stolen credit card. One of the reasons for that is that the credit card companies are really good about shutting things down, right? They see a fraudulent purchase. How many people have had that happen? I certainly have. They're really quite good about it. On the other hand, things that you can do with personally identifiable information, taking and faking a person's actual information and using it to, say, create a medical record, that's orders of magnitude more valuable to someone who wants to use your information maliciously: open up bank accounts, do all kinds of things like that. That's hundreds of dollars per account. So piecing together information from Facebook, LinkedIn, other accounts and such is in fact what hackers would like to do. If you leave a credit card lying around, they'll take it, but that's not the only thing they're looking for, and it's really important to realize that a lot of the information that we work with on a regular basis is actually stuff that's potentially a resource for hackers and something that we need to be careful about securing.

All right, so an interesting stat here from the Identity Theft Resource Center: as of May 3rd, so about a week ago, so far this year there have been 348 breaches with 11,361,547 records exposed.
That's pretty mind-boggling if you think about it, and we're only five months into the year. That's this year. So, as we talked about, just be careful what kind of information is online. As an example, I recently had a friend whose Facebook got hacked. They had a lot of public information, so a hacker actually recreated this person's Facebook account, their name, all of their pictures, galleries, everything, and then started to phish information from the friend list. So you just have to be very careful about that.

And there's a very famous hack that happened a few years back with one of the editors for Wired. The hacker was able to go to Amazon, go to customer service and say, "Hey, I'm having some issues getting into my account. Can you help me out?" And they go, "Oh, is this the account with the credit card that ends in 1234?" And they go, "Oh, yeah, that's it." "What's your email address?" "I forgot." Hang up. Then they called up Apple and said, "Hey, I need access to my iCloud account." They go, "Can you give us the last four digits of your credit card?" "1234." And they were able to get in, reset the iCloud, erase years and years of this guy's family pictures, all of his accounts, all of his devices. And it was all just so that they could get access to a three-letter Twitter account. So it's a good example of how seemingly unimportant information, information that you don't think is very important, can be used and leveraged in many different situations.

So as we're building websites, and some of us are building some very large websites, we need to talk to each other and know: what are we using as identifiers? What are we using?
And what are we storing, and what are we giving people access to? Because if I have something that I think is worthless, and it's all of a sudden your identifier, we have an ability to cross over and have a hack. Just take a quick look at the slide. Look at all the top breaches there and think about how many of those actually involve credit cards. Just to make a point there.

Yeah, and if that concerns you and you sort of wonder, "What do I have out there?", it's okay to check right now. haveibeenpwned.com is a site; throw in an email address. It's actually run by a security researcher. I'm not going to do any more than sort of mention that. Just check that.

So we all like this quote. Upon his capture in 1934, Willie Sutton, a bank robber, was asked by the FBI agents, "Why do you rob banks?" His answer: "Because that's where the money is." So you have to think about it: people are coming to your sites, hackers are coming to your sites, because that's where the information is. That's where the money is for them. And so we're going to be talking about scale. Whether you're small or large, you have information that is worth something to someone, so you need to think about that.

Just got a question in the Google Slides. It says, "What's the URL for that website?" I'm assuming that it's for the big infographic; it's posted at the bottom of it. Unfortunately the projector's kind of cutting off the bottom. One thing I did forget to mention is that if you go to this session on the events page, we do have the slides already posted up there, so you can follow along locally if you want to do that as well. Yeah, so about that.
Yeah, so breaches are not a matter of if but when. Robert Mueller, the former director of the FBI, was quoted as saying there are only two types of companies: those that have been hacked and those that will be. And it's even merging into one category: those that have been hacked and those that will be again. One that we like to add to that is those that don't even know they've been hacked. Sometimes people can get in and start siphoning off information and you just don't even know it. So if you get anything out of this session: yes, we all know credit cards are important. Hopefully none of you are storing credit cards; I'll get to some stories about that later. But what we want to emphasize here is that security on your site is more than just a credit card. There's so much more information out there, and if you're hacked, you're going to be giving access to folks' information.

All right, so we're going to talk about a few common security myths, and the first one we're talking about is that you're too small to be a target. So we're looking at that big infographic from Information is Beautiful that had all of, you know, like Ali, you know, 60 million, right? How many of us build websites with 60 million records, right? All right. Okay. Several of us. Okay, but most of us don't, and maybe most of the websites that we build don't have that many records. So I think it's kind of natural for people to think, "I'm just too small to be a target. Why would they care about me?" That is absolutely incorrect. In fact, by virtue of having a website you have a number of assets. One, you have an internet-connected computer. That computer can itself be used in further attacks, right? It could be something in a chain, or it could be used later on as a botnet. You also have visitors, right? People go to your website. They might be using outdated or insecure browsers.
What if they want to install something on all of those people's vulnerable browsers? You have proximity to other systems. The Mossack Fonseca hack plausibly could have been caused by vulnerabilities in either or both WordPress and Drupal, as well as a couple of other things. It wasn't Drupal that had all of the information, but Drupal was the first step, and then a change to another server, and get to the next server, and all of a sudden all of this information is exposed. And if you do have personally identifiable information, if you do have credit card information, if you do have other things, that's a bonus. But just those other things in and of themselves are reason for someone to target you and your website.

One thing I just want to add to the quote "I'm too small to be a target": a lot of hackers actually know this, and that's actually why they're focusing on the small and medium-sized businesses. They know that the enterprises are hard to crack. They have huge security teams and all the barriers in place. And one thing to note is that a lot of times people just go around knocking on doors, is what I like to call it. They're just going around tapping, tapping, tapping, and all of a sudden one of them opens up. So just put on the common deadbolts. If nothing else from this conversation you get, here are some deadbolts, here are some ways that you can protect your site. Because if you look at a hack like Target, the Target hack came from a small vendor that was hacked. They had a pipeline directly into the financial system of Target, don't ask me why, and that allowed a foot in the door that they then crept through their system, got to the credit card terminals and stole everyone's credit card. So, your seemingly small...
I think it was an air conditioning vendor in New Jersey. Your seemingly small website can all of a sudden become an attack vector for a large multinational corporation.

So we're going to roll into the next one. We're talking about some myths here, and we can do this one quickly: private businesses are not regulated. We often talk to businesses that fall under compliance regulations, and that's just false. Oftentimes organizations actually fall under multiple compliance regulations. Some of the common ones that you might want to be asking your clients if they fall under, or even just what industries they're within: for example, PCI DSS, which is anyone that takes credit cards; you have HIPAA for people that are in health care; FFIEC for people in banking; FISMA for government agencies; and FERPA for educational institutions. A lot of times, if you're working with people within these industries, they might not necessarily think to say, "Hey, I fall under these regulations." But as Drupal shops and Drupal developers, I think it's also a little bit on your shoulders to make sure that you're setting up your clients for success and meeting compliance.

The next one that we often hear, and this is what I hear a lot from our work in encryption, is that encryption is complicated, it's too difficult. It's really not. Part of what we've been trying to do, at least with the suite of encryption modules around Drupal, is to make it dead simple for someone to use and use properly. So yes, encryption itself is incredibly difficult. It's a complex mathematical equation. Basically, if you took all the energy output from the Sun in 32 years, you would still only count to 192 bits, and we're at 256 bits. So you can understand that, mathematically,
it's impossible to brute-force an encryption key. But someone's going to find that key, and so if you start looking at standards and what is published out there as the recommended steps, you'll find that there are some very clear steps to say these are approved and recommended encryption methods, these are approved and recommended key management methods. If you follow those, encryption can be very easy to implement, especially within the Drupal system. A lot of times people, and as a developer I fall prey to this as well, say it's too complicated, is there another way that I can do it? And at times the answer should be no: you should be encrypting that data.

And just briefly, another myth that we hear: security kills performance. It is true that tools like encryption have a performance cost, but there are many factors that affect total system performance. In fact, applications such as databases and all the major operating systems have been tuned for decades to provide optimal performance by minimizing the amount of time spent going to disk. So as long as encryption is implemented correctly, the overhead is very, very minimal. As a note from the encryption modules that we're building in Drupal, we've addressed this with memory-based key caching for the entire bootstrap of Drupal, all this different stuff. So if your developers come to you and say, "Hey, I don't want to do encryption, it's going to kill our site performance," you can kind of point them to this and say no, it really won't.

And the last thing that we often hear is that clients aren't paying me for security. No, that's really wrong. Actually, they're paying you for results. If you asked your clients, "Do you expect your website to be secure?"
I bet they will all say yes. And if you're not really sure about that, what if the people below you in the stack, what if your hosts or the platform you're running on, felt the same way? Like, they're just doing Drupal, it doesn't really need to be secure. That would be very alarming to you. This is the same assumption that your clients bring to you, right? They are paying you for results. They might not know the word CSA, or it's not really a word; they might not know the acronym CSS, but they are paying you for it because that's one of the things that you're delivering, right? Security should be one of those things. And we'll be talking about this actually quite a bit more, but it's also a place to differentiate yourself. If the client is not educated about security, if they're not asking for it in the RFP, maybe you can stand out from the crowd of people that are also replying to that and add a section. Maybe you can actually even add some price and add some stuff, and then they're going to be, "Wow, we thought we had this much of a project, but we're going to go with this larger project for this better agency, because wow, they just taught us a lot about security and we know they're going to do it right. Who are the rest of these people, and are they even thinking about it?" Yeah, exactly, right?

All right, so big takeaways here. Hackers are in fact targeting small and mid-sized organizations. Compliance covers all industries. You've got to build security into the sites; clients should not have to ask for it. And it's really not that hard. One thing we wanted to point out is that at the end of each of these sections we're going to have a takeaway slide, so that way you don't have to feverishly write notes throughout. These are the boiled-down bullet points.
And so we'll be doing these for each section, and then you can grab the slides later online.

All right, so we're going to get into some security fundamentals. We'll start with the CIA triad. Not something we made up, and it also doesn't have to do with the actual CIA, but it's a great way to educate yourself and think about all aspects of security. You should be focusing on them all, not just one. So what does CIA stand for? Confidentiality, integrity and availability. Think about confidentiality as the data that is supposed to be protected. Confidentiality is roughly equivalent to privacy. Encryption, which we've talked a little bit about already, is a common method for ensuring confidentiality. User IDs and passwords constitute a standard procedure. You should also be thinking about two-factor authentication; it's becoming more of a norm, and you should also really err on the side of more confidentiality. Integrity: this means that only the people that should have access to that data have access. And availability: make sure the site's always online. Make sure that you have high availability; in case something goes down, there should be redundant resources serving up the infrastructure. Something that may actually influence availability, just as a real-life example, is a DDoS attack, which is a distributed denial of service. It basically means that somebody's going to be flooding your site and your server so hard that that server crashes. This happened, I believe it was last year, with some of the online gaming platforms. PlayStation and Xbox both underwent DDoS attacks and were offline for a couple of days apiece because of that. Yeah, they're not hacking data.
They're not stealing credit cards, but they just took down a major service, and that cost Microsoft and that cost Sony real dollars, not only in having the service down but then also in customer trust and everything else. Brand sentiment. Yeah, so there's a whole bunch of different ways that somebody can hack your site or attack it that you need to be looking out for, not just that they're going to grab credit card data.

And another piece of this that's important to understand is that security is not something that's on or off. It's not a binary, it's not a yes/no question. It is more and less: there are ways you can be more secure and ways you can be less secure. Hopefully by attending this, and there are other security sessions, I think we have "Watch the Hackers Hack" a little bit later on, I think at 3:45 today. Are you doing that one? Yeah, okay. So that's going to be put on by some of the members of the security team. You can see maybe some of the techniques, some of the forces of evil and what they're up to, but through that learn how to make your site more secure, and then educate yourself as to ways to make it even more secure. So it's not just on and off; it's more or less.

Okay, all right. And so, personally... sorry, I wish you could see the screen. That'd be really nice, to know the slide we're on. Sorry about that. So, personally identifiable information, or PII, is part of the jargon. If you're not familiar with this term, you should be aware of it. Again, set yourself apart when you're talking to your clients about PII. PII is any piece of information that can be combined with something else to come up with someone's identity.
So for example, phone numbers, email addresses, date of birth, those kinds of things can be combined with another piece to sort of triangulate who a person is. And sometimes, depending on, as Luke mentioned, a number of compliance models, and we'll talk about some of those as we get into some common case studies about what small businesses need and education organizations and such, sometimes those frameworks like PCI can say, "These are the pieces of PII," so it can depend on the compliance regulations that you need to meet.

Another interesting kind of game that we played in a previous talk that we did in Barcelona: we had everyone stand up and then we asked three seemingly innocuous questions, things that would be assumed from someone's Facebook. We did it last year in LA as well. How many people live east of the Mississippi? How many people have a birthday in March? And how many people own a dog?
Three things that you would find on anyone's Facebook page, and we were able to take a room of about 300 people and whittle it down to three. So again, if you think that the information that you're collecting is not sensitive, it is. If you're collecting information on one of your users, it is sensitive information, because it can be combined with others.

Just one other thing that I'd like to point out. Drew was talking about the different kinds of information that websites collect: phone numbers, first name, last name. If you think about just the context in which a lot of companies are collecting this information, it doesn't have to be a healthcare account; it could just be a marketing website that's collecting information for a white paper, but you now have all this PII for a big list of people.

So we got a couple of great questions that are coming in here. One of them is whether we have stats around market perception and sentiment towards open source security. We can definitely find some; we'll tweet some out later. One thing to note, as you're talking with folks, is that you're going to hear people say, "I don't want to use Drupal. It's insecure. It's open source." That's the opposite of what it really is, because an open source project by nature has more eyeballs on it. Yes, the code is published, but by the code being published and more eyes on it, you actually end up with a more secure platform. If I'm going to write something and I'm the only one who knows it, I can easily skip over something, or a team of five developers can easily skip over something. But you have wonderful people like the Drupal security team that are constantly monitoring, and every module that's published on Drupal.org is backed by the security team, and there are security fixes and there are protocols for all this. So "open source, not secure": not true.
And the other one was about a DDoS attack. The way to protect yourself from DDoS attacks is to put something in front of your website. Don't just have your website be plugged directly into the web. A good example of this is Pantheon, Acquia and a lot of the hosting providers: they all have layers and firewalls in front that will detect that and then shut off traffic. Cloudflare is another great one. They are a DNS service that will monitor traffic, and as they detect a DDoS attack elsewhere in the world or on a different site, they'll actually prevent that IP from hitting your site as well. So if you join either a larger hosting provider, rather than hosting it yourself, or go through someone like Cloudflare, you can benefit from the internet at large: as one DDoS attack happens, you'll be protected from it as well.

That actually brings up our next link quite well, which is defense in depth. David Strauss, one of the Pantheon founders, has this great term: don't build Death Star security. We've all seen, hopefully, this wonderful movie, and the idea here is that defense is not a perimeter barrier. We don't just build the Great Wall and hope nobody jumps over it, right? We don't build a Death Star and leave an exhaust port that's going to blow the whole thing up. We want to make sure that everything we do in security is layers upon layers upon layers, because when it comes to defense in depth, the more layers that you have in place, the more time it takes to jump. In hacking, and in counter-hacking or addressing somebody who's trying to attack your site, it's all about time. How fast can you realize that somebody's hacking your site and shut them off, and then how long does it take for them to get through?
So if the first couple of steps are really easy, but then they have a couple of larger walls to jump over, it's going to slow them down, and hopefully you have the pieces in place to be able to detect some of those earlier breaches to prevent the deeper breaches from occurring. So you can't just say, "Well, I have Password Policy installed on my Drupal site, so all my passwords are secure, I don't have to worry about anything." There are so many different vectors than just one, and so when we talk about security and we talk about defense, it really is everything on the site. But being here in the business track, we also have to think about it being everywhere in the company, right? It's not just the developers; the developers aren't your only wall of security in your company. You need to start thinking about the marketing team, the sales team, the executive team. Everyone that's in the room in the company has a role to play in security.

So, takeaways here. There's no magic bullet. I'm sorry, we wish we could give you one, but if you have a defense in depth approach and you have these layers that are building up, you're going to be better off.
And then another thing is, we always like to say, if you don't have to collect it or store it, don't. It's one good way of getting around having your site be the hub of all the information that is going to be hacked: if you don't keep that information. A lot of third-party vendors now are doing a really good job. For instance, Stripe and some of the other payment providers are now allowing JavaScript libraries that let you send credit cards to them without ever having to go through your servers. Well, you've just reduced your PCI footprint considerably by doing that. If you're using credit card processing that goes through your website, your PCI burden becomes much larger. So rely on other folks if you can.

And so this is the heart of what we want to get to: security is actually really good for your business, and not just good for your business from "hey, our website's up," but from a dollars-and-cents point of view. So first off, stand out in your proposals, win more RFPs. If you're going out and bidding on an RFP, or you're going out and putting out proposals, you're going to be competing against a bunch of other people. If you can stand out in the crowd and have a clear outline of what security you're going to be implementing on that project and how you're going to be taking the steps, maybe the security steps within your own company, you're going to stand out from the crowd. And as Drew was mentioning earlier, a lot of larger RFPs will require security because they've been through a longer process internally, and they have security teams that are going to say, "We require this, this and this." So if you start implementing good security within your business and within your development, you'll actually be able to go out and start becoming competitive at some of these larger RFPs. If not, a great way to add some extra juice to the proposal and add some extra scope to what you're doing is to always add security in. If somebody hasn't put it in, be
like, "Hey, we're going to do this, this, and this, and it's going to make you more secure." I can almost guarantee you, and as a business owner myself, if somebody comes to me and says, "Hey, you're going to spend a little bit extra money, but you're going to be more secure," nobody's going to say no. If you can make the clear point that this tool will make you more secure, and because of that you'll be a better business, it's very hard for a business owner to say no to that. The next thing that we have to look at here is that you can actually be liable for a breach. And so this is kind of a CYA thing as a dev shop. We had some internal banter about this. Technically the breach, from a security standards point of view, from HIPAA and PCI and all those, will fall on your client, because they're solely responsible for their implementation of it. But, myself included, and a lot of dev shops that we've talked to, you have to structure your contracts with your clients to make sure that that liability is clearly defined. And if it's not, and all of a sudden they're hit with a 10 million dollar fine because of this, they could turn around and sue you for 10 million dollars because you're the one who implemented that, and if your contracts aren't correct, you can be liable for that. And raise of hands: how many people here could just walk out with 10 million dollars out of their business and be in business tomorrow? Exactly. So this is something where we need to reduce the risk by implementing the proper security, even if they don't ask for it, and even if you have to take on the cost yourself. We've had to do that on a couple of clients. It's like, "Look, I know you're not going to pay for this, but I have to do this. Otherwise I just am opening myself up to too much liability here." Out of curiosity here, show of hands: how many people evaluate their contracts and what it actually says about security?
Is this a big issue for you guys? All right, cool. Great. And so then also, minimize your exposure to sensitive data. Don't store passwords. Don't have clients send you passwords. It just is bad. I have clients that will send me, like, root passwords to their server, and it's like, great, you just added 10 hours to scope because I have to go rebuild everything now. So one of the things that we need to think about here is that, as a business, and to make your business profitable from security, is to minimize your exposure. If you are going to be held liable, minimize what you're going to be held liable for. And in certain situations, this means telling your client no. And that's something that you as a developer and you as a business can do. It's actually possible. You can tell your client, "No, I'm not going to do that," and they'll actually respect you for it. And you can bring up that dialogue of saying, "I'm not going to do it, and here's why I'm not going to do it." I've had examples of this with clients where they've asked me to build a certain database or a certain form, and I'm like, that's just not secure. I won't do that. If you want to find someone else that will, great. If you want me to build another solution, I will. And so feel confident in saying no. We can stand up to a client and say, "No, we don't want to collect that information." And then also, you know, this is a burgeoning industry. It's been around for a long time, and it's becoming more and more prevalent, as almost every business now has a website. Almost every business is now exposed to an attack. So start building a name for yourself.
Security is growing. Now that we have IoT, you have the internet in your refrigerator and your shoes and everywhere else. Security is everywhere now. It's not just in your website, and if you can become one of the leaders in security, you're going to start growing your business in ways that you may not be right now. How many of you are interested in raising your hourly rates? Yeah, all right. If all of a sudden you become the security professional, you can do that, and you can kind of start raising your rates and becoming the security professional that comes in and helps out. And it builds trust. And as you guys well know, as business owners and managers yourselves, if a client trusts you, they're going to come back to you for more and more work. You've turned that three-month project into a three-year project. And then they're going to go talk to all of their friends, or people that come to them in their network. And so as you start building that trust of "man, these guys really saved my bacon; we almost got attacked, but we didn't," they're going to tell folks about that, and your name is going to start getting out there. One other thing, I just kind of thought about this right now: I see a lot of people out here that maybe are like, "Well, I'm not a security expert. How am I supposed to make a security-focused agency?" The good thing is there are resources, like us, that you can then work with, and then we can help bolster your agency and bring that expertise to your agency. You don't necessarily have to be a security expert yourself, or your company. Just bring in those resources. Yeah, and there's a ton of stuff. I mean, and you don't need to go to third parties. There's a ton of stuff.
You, like, just spend time learning it. Make it a priority. Absolutely. Tons and tons and tons of resources. So, a couple of questions that have come in. Do any of the tools that you mentioned report breach attempts within Drupal itself, or are they platform-specific? The beauty of having platforms, and I can speak to this from not being from Pantheon, the beauty of having platforms such as Pantheon and Acquia and the rest is that this is happening constantly. If you're on them, your site is being DDoSed right now. You just don't know it, and it's being protected because somebody else is worrying about it for you. There's a Hacked! module for Drupal that you can install, and it'll kind of run through some of the basic known hacks. A good example of this was after Drupalgeddon: there was a great tool that you could just run down all your sites and say, were any of these breached from this? And these are the known ways that people were getting into it, and provide those. And we can provide you guys with a list of those later as well. Another question is: while you speak about all the personal data being important to protect, such as "do you have a dog," what do you say about sites with rich public user profiles where this data is exposed intentionally? Personally, I don't like to expose a lot of that data. I choose. You have a choice as a user to put out into the world what you want. Some people will put more, some people will put less. And then as that site builder, you have to think: is the benefit of this being in a public profile worth the risk of it being exposed? And that's something you have to weigh on a time-by-time basis. I'm not going to critique anyone's one site. Would you say by default to make your site HTTPS? Yes. Yes. Yes. Yes. Yes. Yes. Yeah, so Google's now up-ranking people that are using SSL, which is awesome.
SSL is now free with Let's Encrypt, so you don't have to pay these four, five hundred dollars a year for a security certificate. You can actually go get them for free now. If you don't want to do that, Cloudflare, we brought them up earlier as a DNS protection tool, they also now allow for secure relaying. So basically they sit between your user and your site and provide that SSL connection. So at this point the cost of securing your site with HTTPS is so minimal, and sometimes free, that there's no excuse not to. And then the last one is: are there any tools available for securely sending credentials to clients and partners? I like 1Password. There are password manager tools, LastPass, all of those have the ability to invite people into your organization. You can share passwords. It's all encrypted, and you're protected in how you send passwords. That's how I like to do it. And every employee that's onboarded at our company instantly gets 1Password installed on their computer, and it's like, you will start using this immediately. And I always tell people the best passwords you have are the ones you don't know. So yeah, those are some of the questions there. So we've got, also just a note to ourselves here, we've got 15 minutes left. Yeah, so we're going to run through. We've got a few things. Towards the end of this deck, though, we have some very specific Drupal modules that we recommend, some stuff about securing Drupal very specifically. So if you're looking ahead, looking at the slides online, again, go to the node on the conference site. Yeah, and we'll just jump a couple of slides here. This quote here is really in particular.
It says everyone has the right to the protection of personal data. And this is coming from an EU mandate. Europe is leaps and bounds ahead of us right now in terms of how they're protecting their users and the public in general, and I think you're going to start seeing this trickle down into the US as well. And this is something we need to be watching and looking for: that data privacy is now not just a good thing to have, it's a right. And that's opening you up to a whole range of things, from lawsuits and everything else, if you infringe on that right. And this slide and the prior one, we're not going to go too in-depth, but the gist of what we wanted to convey here is: compliance requirements and regulations are evolving. It's not just your PCI anymore. There are new organizations. There's continually guidance that's being updated. So takeaways here: win more projects, win larger projects. Security can be more tools in your tool belt. Protect your business by protecting your clients, and grow your business in the process. All right, so in the process, so you go through a process, either in a proposal stage or in discovery, there are a number of questions that you really can, you should, focus in on and ask your clients about. So think like: what information is going to be collected? Who's going to have logins? Anything being sold? Donations? And sort of have those parts of the conversation, those of you doing sales, those of you doing project scoping. Make sure that these kinds of questions are in there. And if you hear any of these words along the way, e-commerce, donations, integration, APIs, registered users, paywall, or just forms in general, these are places to sort of perk up: "Oh, interesting.
I'm going to note this." And again, if you're sort of on this journey of learning security and you don't feel confident yet in being a security expert, you know, bring this back to the person at the organization who is, and sort of, like, "They mentioned this." Make sure you sort of track these as key places to focus. And we've really already talked about this, so... oh no, these are the dig-out. So yeah, that's why we have talked about all of this. All right. So use discovery to cover security concerns and dig in deeper on those trigger words. And so in your business, and as you start growing your dev team, and just within the marketing and sales that you do, it's important to create a culture of security, not just a line item of security. And so every person on the team is responsible for their part to be secure, whether it's a developer, whether it's marketing, whether it's your C-suite. It doesn't matter who or where; they need to be thinking about security. I know I've worked at companies in the past where all of a sudden the CEO is like, "Hey, here's my email password. Can you log in and help me with this issue?" It's like, no, I can't, and you just screwed over my day because I have to reset your passwords and all this. So every person, no matter if they're touching the code or not, is responsible for their portion of it. So sales and marketing: make sure you use services and tools that have been vetted for security, payment gateways, cloud storage. Use things like Box. Box has really cool encryption now that allows you to even bring your own key.
So you're the one encrypting it with your own key, which makes it extra secure for those of you that are working in large enterprises. Payment gateways, all of those are stuff that you should not be touching, and so leave it to the people who can. The website responsibility more and more is falling under marketing, so have your marketing team know about website security in a general sense and what to look for. And when in doubt, don't post it. This includes internal memos, external blog posts, all that type of stuff. Think about what you're posting out, and is it going to be creating a vector for attack. And then one of the things, and this is what we kind of deal with in doing a lot of security, is: stay away from the FUD, the fear, uncertainty, and doubt. It really kind of boils down to this: it's primal to us all, and so we all kind of react to it, and it's not in a good way. And what I like to say is, rather than using FUD, you use security as an empowerment tool: "We are going to make you more secure, and by doing that you're going to be better," rather than coming in and being like, "Ah, if you don't do this, you're going to be hacked and you'll lose millions of dollars," and all that good stuff. FUD just doesn't feel good for a lot of folks. So, for the dev team: allow time for them to spend researching and learning about it. Don't just push your devs so hard that they just can't think about security. Do regular code audits, so have other folks in the company look over the code that's being created. More eyes equal more security. This is why open source is good. Award and recognize failures caught by the team. I have a quick anecdote that I really like: Google has a division that does all their experimental stuff, and they actually award failure. They will give out awards.
They will give out bonuses based on your project failing. And I think that's a really interesting take on business: that if something fails, you are protecting profits and margins in the future. And so if somebody on your team finds a bug in someone else's code, don't just be like, "Oh, quick, fix it quick, and let's just not talk about that again." Bring it up, celebrate it, be like, "Hey, good job. You fixed that. You saved us. Now let's go do the next one." I think that's an important culture to build. And also involve the development team in the proposal process. I know this sounds very basic, but at times it's like, I will get a proposal as a developer sometimes, and I'll get a proposal or, "Hey, we just landed this project, here you go," and it's like, I had no idea what is going on here, and if I did, I would have changed five different things. So just because the development team is working on this portion of the project, give them access to more of it so that they can tell you about different security concerns there. So, practical tips. We've run through some of these already: use password managers, 2FA, two-factor authentication, so it texts you a login password, that type of stuff. Keep your internal and external Wi-Fi separate if you are going to provide guest access, so that way your guests don't just save your password and all of a sudden they're on your network forever. And then do regular security audits, discussions, memos. Create that culture of conversation around security, and don't just have it be this taboo word that you just don't want to discuss, right? So takeaways: everyone's responsible, communication is key, and encourage it. Learn from your failures. It's okay to fail. We will all have a site that will be hacked, and it's more of how do you react to it, and how do you use that to make yourself and your team and your company better? And then also, your being more secure makes me more secure.
So focus on security and we'll be good. Okay, just going to cruise through these pretty quickly here. As a security company, we see a lot of people coming to us for two primary reasons: one, to meet compliance requirements, and the other, to manage risk. We're going to look at kind of three case studies here: small business, enterprise, and higher ed. And, you know, the interesting thing about these is they all have similar requirements, and we'll just go through here pretty quickly. They all usually integrate other services, whether it's a PayPal or a MailChimp. There are API keys associated with that, and so a security best practice, as well as oftentimes encryption keys, a security best practice is to always keep those keys separate from your website or your encrypted data. That way, if a hacker breaks into your site, they don't have the keys to the kingdom. Talked with some people here last year; they were just doing crazy stuff, and you could tell when they had the aha moment. They're like, "Yeah, I work for this big company," a media company, "and people submit forms online because they want to be on a reality show." Oh no. Like, that needs to be protected. So, lots of... we'll just kind of cruise through here. You've got the encryption keys, API keys. Higher ed, that's a total ecosystem. How many folks here from higher ed? We tend to have quite a bit of folks. Great. So you probably have wellness centers, so people fall under HIPAA. You have bookstores, so you fall under PCI. You're a higher ed, so you fall under FERPA. You've got to think about all these compliance requirements. So, takeaways here: you know, they all have similar concerns, sites large and small. There are a lot of modules and services that can help, and security is a good business investment. A couple of questions that have come up here.
How do you handle the current United States government push to weaken RSA? It's horrible. Anyone that is in the security industry will tell you that this is Pandora's box that we do not want to open. If you want to go on a Twitter rant later with me, or if you want to in person over a couple of beers, I will talk your ear off on this topic. The site for free SSL is Let's Encrypt, and Cloudflare. Would you say that SSO is better in terms of security? Yes, because you're having one source of truth rather than having passwords in multiple places. So using Google, using Facebook, and some of these other ones to allow your users to log into your site is a good thing. And then we'll go through some of these for the how-to-test-for modules, or the hack modules and those, and there's actually some... yeah, we'll get into some other ones here real quick. And SAML, if you're in higher ed, probably, yeah, SAML. Yep. SSO meaning single sign-on. So one of the things, like in those case studies, it was like, what should you focus on? Starting with a small business: they need the hosting secure, they need Drupal secure, they need some API keys secure. And then if you're bigger, you need that plus more, plus more, plus more. One of the things that's a piece, and that is constant, is hosting. Here we are at DrupalCon. Hooray, Drupal. We like Drupal. It's a good thing. If you're looking for a host and you want to find a good hosting provider, you should start at the drupal.org page for hosting, because these are organizations that care enough to put money back into Drupal and support it in that way. In preparing for this talk, however, I sort of realized that that page starts off with a class of hosts called shared hosting, and probably proclaiming, like, sort of blinking numbers like $2.95. That's not going to be really great for security, unfortunately.
So from that perspective, I'd be very, very careful of shared hosting. And I'm just going to, unscripted, ask the Drupal security team member here in the audience, without impugning specific organizations: do you recommend secure shared hosting? No. There's a head shake of no. So one of my favorite quotes that Drew said in the past is, if your site is worth more than $2.95, pay more than $2.95 for hosting. And that's just something to think about. Yeah, so again, it's complex. There's a lot of stuff out there. We're short on time. I would be happy to discuss this at much greater length. Cloud architecture, though, is sort of the new... there's a better way to do hosting, and Pantheon is certainly an example of this in the Drupal space. There are others, Heroku, other kinds of, you know, a different sort of philosophy in the way that you deploy computers and keep them secure. And again, happy to discuss that at greater length, but let's go ahead. So if you're looking for a secure host, start on drupal.org, but don't do the shared hosting kind. And add some security questions to an evaluation of a host. For example, Drupalgeddon: big, big, big security problem about a year and a half ago. If the host doesn't have a story about, like, "Oh yeah, we were able to do this, and here we go, and we were protected, and we saw the attacks start rolling in later," if they don't have a story like that, you should be like, whoa, red flag that. Likewise things like Heartbleed. There are lots of kinds of vulnerabilities happening constantly, being exposed in the platform. You know, just like, again, to architecture, because of the way that Pantheon works.
What happens is that we're able to change that once and then float it across the entire infrastructure that is powering hundreds of thousands of websites, billions of page views, and, you know, a couple of engineers. The way it should work: computers at, boom, all good. Yeah, so we're going to kind of combine these next couple of pieces together. Again, the slides are going to be posted. This is one of the hard topics about security: you just start getting really passionate about it, and you can talk forever on it. So come find us later and we'll talk to you more about it. But there are some great references here for how to secure Drupal. These are some great tips, some modules like we mentioned earlier, and there had been some questions about them. And so take a look at those, everything from encryption to key management, login security. Because we're here at DrupalCon, and Drupal 8 was just released: Drupal 8 is the most secure version of Drupal to date. It is an incredible advancement here. From a business side, Drupal 6 is end of life, which means that it's a great opportunity for you as businesses to start going out and doing these migrations from D6 to D8, and in that you can start mentioning, "Hey, we're going to push you to a more secure platform." As many of you that have looked at the code on D6 sites know, a lot of it is really nasty, and it's just because we had to do what we had to do. And so, upgrading it, and as you upgrade, fix those pieces. Don't just do a straight port from D6 to D8. Take a step back and look at what you're doing and say, can we do this better? Can we do it more securely?
Yeah, so core isn't an island anymore. Again, the whole "open source is more secure" theory here: more eyes on the project, more people around it. No PHP in core, which is awesome, because now if somebody hacks your site and gets access to user 1, they can't just enable PHP and start running for the hills with it. You know, your theme layer is actually very insecure in Drupal 6 and Drupal 7, and so you'll hear a lot about Twig, and that's a big security advancement there. And so then also you've got opportunities, like I said earlier, to upsell. And then the whole API piece that Jesus was talking about today: you're now opening Drupal up to more places. You're going to have more vulnerabilities when you start introducing this API layer. It's things to start thinking about: how do you access and manage control to the data? So takeaways: Drupal 8 is leaner, newer, faster, better. Upgrade now, and you'll expand your projects and your scope by doing so. All right, so in conclusion: you and your clients are all targets. There is a business value to security. There's a lot there. Start building security into your processes and culture and proposals, can we go to the next one, and into your billing. Add the line items for it. Use a secure hosting provider and improve Drupal security with some configuration modules. And again, those specific ones we listed are on the slides. The module pages have a great overview of them. So thank you. We went long. Yeah, sorry about that. One more question that popped up in here: somebody's building a distro for D8 and they want to encrypt a lot of it, but they don't want to own their keys. Come talk to us. Luke and I can tell you about keys all day long. And if there are any questions, I mean, we're technically over, so if you want to ask a real quick question at the mic, you can, or you can just come up and talk to us. Come on up, talk. We're friendly. And thank you, everybody, for coming. Thanks.
Yeah, it's um, if you go to the