Setting Up Security Metrics
What is a security metric, and why would we want to have one? For the purpose of this book, a security metric is a set of measures put in place to track key incident events. For instance, number of attempted incursions into your site, and so forth. This section will be discussed from a high level and will not delve into heavy specifics. The intent is to make you aware of the need to measure your security and some high-level views on measurement. In this section, we will discuss establishment of baselines, setting up good measures, and metrics. These metrics will apply to your site and to the machines you use to work on your site. We will wrap up with a few words and precautions on reporting to forums, and reporting to hosts about incidents.
Establishing a Baseline
You can think of a baseline as a "known good" standard. This is like the "foot" standard in the United States, or in the metric standard, the "meter". These are known lengths that are used to ensure our "copy" of the foot or meter is accurate. In your site, you need a known good "baseline" to measure the future changes against.
What is a good baseline?
A baseline is a snapshot in time when things are good or are performing their best. The reason for this is two-fold: one, it will give you an opportunity to put your measures and metrics in place to measure security. If this goes awry, it will affect your uptime and the availability of your site to the clients and customers who may want your goods and services. The second reason for establishing this baseline is to help you design procedures that assure you are doing everything you can to protect yourself. If you are working with more than one person, you will want to work with your staff to come up with a set of metrics that are meaningful, will yield actionable data, and can be proven under most circumstances. A good metric that's often used is the "uptime" of an important system. However, just giving me a figure and saying that it is up and running does not tell me anything 95% of the time. There are many factors involved in this measurement. Establishing what is important to that number is your baseline uptime number. While it may not be spoken, you can be assured that most people will be unforgiving if you don't have the perception of 100% uptime. Note that I said perception. As you know, with Joomla!, you can switch the site off and put up a friendly message stating that it's down for maintenance, or an upgrade. This could be a ruse on your part if you are defaced, to simply cover it up while you activate your disaster recovery plan. On the whole, this baseline will be your model of a secure (as you can make it) site. Here's an instance to consider. You set up your fancy new website, using say version 1.0.15 from the Joomla Forge site. You research your extensions carefully, and you follow the directions to install them. Your site is up and you submit it to Google for the entire world to see. Let's say you even advertise that your site is up and running for business! A few brisk weeks of sales, and you are happy.
Then one day you wake up and find that you've been attacked by some third-world punk who defaced your site! Barring anything else, that alone would give most customers a pause to purchase from you.
What happened in our fantasy example? Here, you did not rename htaccess.txt to .htaccess and put in some base controls to stop ordinary kiddie scripts. Having a baseline of understanding would prevent a mistake such as this from happening.
What are you going to measure?
That is a good question, and is VERY dependent on your site and your situation. There are a few common things that should be a part of your baseline measurement, for instance, log files. Your baseline should have a way to collect and review them. There are several logging tools from the community and you will have to pick one. In any case, the logs should be collected every "x" minutes. This metric would yield all kinds of actionable data relating to security.
Here is an example:
Our required data points are as follows:
The number of visitors over a twenty-four hour period.
Where they originated from.
What they did while they were there (this could be anything).
Metrics:
"X" visitors came to our site in the last twenty-four hours.
Of those "X" visitors, "Y" attempts were made to do an SQL injection on our site.
The IP addresses attempting the attack (barring IP spoofing) are originating from a specific region in the world.
The SQL attack is on an extension that we do not have on our site.
No other attempts were made on the site itself from the logs.
Action Required:
This has two answers—one, you could do a DENY FROM, and put in the country's IP block, or just those specific IPs to stop them in your .htaccess file. Two, you could ignore them and laugh at them because they are "lamers". A good cracker would have researched your site to determine if you were using it. Either way, that choice is yours to make. But because you have established a metric that provided you with actionable data, you have the information needed to make the right choice.
You can see a simple example of monitoring attacks by IP and type of attack. However, and I strongly caution you to think this through, if that extension in our example were vulnerable, you would not be reading the footprints these lamers left behind. You would likely be mopping up the damage. This example is to show you how to collect actionable data. The following is an example of a report you may produce for your site showing % of attacks by visitors:
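The metrics walk-through above, turned into a runnable check as an added example (this is not code from the book or from any logging tool it names): it parses constructed Apache combined-format log lines, counts distinct visitors in the last twenty-four hours, flags requests carrying textbook SQL-injection patterns, records the IPs behind them, checks whether the targeted extension is in a hypothetical inventory of installed extensions, and renders the Deny from lines for .htaccess. The sample log, the installed-extension set and the fixed clock are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic);
# the 08/Mar line is older than 24 hours and must fall outside the window.
SAMPLE_LOG = """\
192.0.2.9 - - [08/Mar/2008:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2008:10:01:02 +0000] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2008:10:05:10 +0000] "GET /index.php?option=com_foo&id=1'%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 2048 "-" "libwww-perl/5.8"
198.51.100.7 - - [10/Mar/2008:10:05:12 +0000] "GET /index.php?option=com_foo&id=1%20OR%201=1 HTTP/1.1" 200 2048 "-" "libwww-perl/5.8"
"""
INSTALLED = {"com_content", "com_user"}  # hypothetical inventory of installed extensions
NOW = datetime(2008, 3, 10, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Defensive signatures for the SQL-injection probes the text describes.
SQLI_RE = re.compile(r"(union\s+select|\bor\s+1\s*=\s*1\b)", re.I)
COMPONENT_RE = re.compile(r"option=(com_[a-z0-9_]+)", re.I)

def parse_line(line):
    # One combined-format line -> ip, parsed timestamp, URL-decoded path, status.
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "path": unquote(path), "status": int(status)}

def compute_metrics(log_text, installed, now):
    # The data points from the text: visitors in the last 24 hours, SQL-injection
    # attempts, the IPs behind them, and targeted extensions that are not installed.
    cutoff = now - timedelta(hours=24)
    visitors, attempts, targets = set(), Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["time"] < cutoff:
            continue
        visitors.add(rec["ip"])
        if SQLI_RE.search(rec["path"]):
            attempts[rec["ip"]] += 1
            cm = COMPONENT_RE.search(rec["path"])
            if cm:
                targets.add(cm.group(1).lower())
    return {
        "visitors": len(visitors),
        "sqli_attempts": sum(attempts.values()),
        "attacking_ips": dict(attempts),
        "targeted_not_installed": sorted(targets - set(installed)),
    }

def deny_rules(attacking_ips):
    # The .htaccess "Deny from" lines the text offers as one possible action.
    return "\n".join(f"Deny from {ip}" for ip in sorted(attacking_ips))

def run_example():
    return compute_metrics(SAMPLE_LOG, INSTALLED, NOW)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents and NOW with the current time; the "targeted_not_installed" list is what tells you the probe was aimed at an extension you do not run.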
The things you may wish to measure include the following:
Number of attempted attacks
Type of attempted attacks
Locations where the attacks are coming from (geography)
Attempts to authorize credit cards multiple times
Attempts to "obtain" a lost password more than once from an IP
These are just a few examples of what kind of things you can measure. Some may apply to you; some may not apply to you.
How are you going to measure?
You cannot measure anything without a tool or a set of standards. How you measure is as important as what you measure. In the previous example, we may be running the logging tool BSQ-Site Stats (visit: bs-squared.com to review this logging tool) to collect our stats. If so, we will have crafted a simple process to use this tool and to respond to the events. For example, as this chapter was being written, the author stopped to review his own logs. Sure enough, three attempts were made to use "kiddie-scripts" to break into the site. They were not successful because the site was not running the vulnerable scripts they were attacking. The actionable outcome, which is the standard policy, is to block the IP address. This is not because of the concern that they may eventually get in; rather, it helps to filter the attempted criminal activity from real paying customer activity. We are concerned with both, and taking time to review log entries only to discover multiple attempts to break in is a waste of time if you do not take action. Additionally, it is doubtful that anyone who attempts this will come back with intent to spend money. Hence, locking them out saves time, bandwidth, money, frustration, and potential future attacks. Once you have determined your metrics, take time to decide how you will measure them.
The tools that can be used to gather these statistics are abundant:
BSQ-Site Stats (GPL-GNU)
Joomla-Visits (GPL-GNU)
Entana Statistics 2.0.0 (commercial license)
Google Analytics Tracking Module (other Open Source/free)
Your host's logging tools through CPanel or some other method
These are just a few of the tools available out there. The author doesn't recommend a particular one, because each tool measures things slightly differently, and with different emphasis on how they collect statistics. The key takeaway: pick a tool that will gather the data you need. Learn it, keep it updated, and use it.
Where will we gather these numbers from?
For the most part in our example site, the stats were gathered from the log files that are written constantly. In fact, there is so much log data collected that you could write an entire volume on logging alone. Other sources may be a credit card authorization and verification system, such as authorize.net. They will collect information that would not be picked up by our tracking systems at all. This could help you establish a trend that could impact you. For instance, you might be held liable in some instances for credit card fraud. Knowing that fraudulent activity is taking place will help you negate the effects. Again, establish the baseline, measure, and create actionable data.
When will the baseline be established?
If you have a brand new site, then establishment of your baseline should be a part of your design criteria. In other words, design it as if you were adding an extension. Later, we'll cover some tools that are available, and should be a part of your site. If you have an established site, this is a bit of a different tack. You will need to ensure that you are safe and secure by adding in the items that are missing; for instance, a common problem is leaving Register Globals ON. This could be part of cleanup, and will secure your site. Once you have done all the right things, then you are ready to establish that snapshot.
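An added example (not from the book, and not a Joomla! tool) of what "establishing that snapshot" can look like in practice, assuming a site tree on local disk: it records a content hash and permission bits for every file, runs the two pre-baseline checks the chapter mentions (the htaccess.txt rename and file permissions), and later compares a fresh snapshot against the frozen baseline so a defacement or an unexpected new file shows up as a changed or added entry. The miniature site tree is constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def take_snapshot(site_root):
    # Baseline record: relative path -> (sha256 of contents, permission bits).
    snap = {}
    root = Path(site_root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = stat.S_IMODE(path.stat().st_mode)
        snap[str(path.relative_to(root))] = (digest, mode)
    return snap

def baseline_findings(snap):
    # Checks worth doing before freezing the baseline: the htaccess.txt rename
    # from the text, and world-writable files (the permissions baseline item).
    findings = []
    if "htaccess.txt" in snap and ".htaccess" not in snap:
        findings.append("htaccess.txt has not been renamed to .htaccess")
    for rel, (_digest, mode) in snap.items():
        if mode & stat.S_IWOTH:
            findings.append(f"world-writable: {rel} ({oct(mode)})")
    return findings

def compare_snapshots(baseline, current):
    # A later measurement against the baseline: what changed, appeared, or vanished.
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}

def run_example():
    # Constructed miniature site tree (not a real Joomla! install).
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'site'; ?>")
        (root / "htaccess.txt").write_text("# shipped, not yet active")
        (root / "configuration.php").write_text("<?php $secret = 'x'; ?>")
        os.chmod(root / "configuration.php", 0o666)  # deliberately too open
        findings = baseline_findings(take_snapshot(root))
        # Fix both problems, then freeze the baseline.
        os.chmod(root / "configuration.php", 0o644)
        (root / "htaccess.txt").rename(root / ".htaccess")
        baseline = take_snapshot(root)
        # Simulate a later defacement plus a dropped file, then re-measure.
        (root / "index.php").write_text("<?php echo 'defaced'; ?>")
        (root / "unexpected.php").write_text("<?php ?>")
        diff = compare_snapshots(baseline, take_snapshot(root))
    return findings, baseline_findings(baseline), diff
```

Store the baseline dictionary somewhere the web server cannot write to, and run compare_snapshots on the schedule you chose for your metrics.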
Server Security Metrics
What are you going to measure?
You have several items to establish here. Some are technical in nature, and some are social in nature.
Permissions checked: This is a baseline activity. You will need to make sure that you set it properly.
Host security: This might require a call to your host. Ask them how and what they do specifically to protect your site. Some of the common things that are (should be) in place for sure: firewalls, load balancers, Apache mod_security. If they cannot tell you these things, get a different host. If you are hosting your site in-house, then make sure you take the necessary precautions to protect your data and infrastructure. This is of paramount importance if you are taking and accepting credit cards. Security of a server is a full time job. Another item you will require to gather information on is patching: When is it done, how is it tested, what are the critical-path items currently in place on the server.
Host IDS (Intrusion Detection System): Think of this as an alarm on your server. It monitors for attempted intrusions, allowing the NOC (network operation center) to respond to the attacks. This tool would be useful for detection of a DoS (denial of service) attack on your site as well. This tool works by placing "sensors" around the network, to detect intrusion or attempted intrusion into a system. Placement of these sensors can occur inside the firewall: that makes them an intrusion detection system. Placing them outside the firewall sets them up to be an attack detection device. A very good article that covers this topic in detail can be found at: http://www.linuxjournal.com/article/5616. There are several intrusion detection systems available, and having a cursory knowledge of them will be vital in your research. Here is an abbreviated list:
Snort (http://www.snort.org/) note: this is one of the best-known out there on the market.
LIDS (http://www.lids.org)
Ask your host about which one they use and if they don't have any, ask why.
Threats, Vulnerabilities, Countermeasures: Another metric you need to establish is a research metric: on a regular basis, research the threats that exist, the vulnerabilities discovered, and the countermeasures you can deploy.
http://www.joomspyder.com has a collection of news articles kept up to date via RSS feeds from several different security sites.
Personal Computing Security Metrics
You probably thought this whole book was about Joomla! security—you're right. However, this small detour off our main road is very important. Why Personal Computing Security Metrics?—that is because the Joomla! site is set up from somewhere, and that somewhere is your desktop.
The clients that visit your site won't be likely to browse it from the confines of their server's browser. They will be using their desktop or notebook computer. These devices, which are easily compromised if not protected, can become an attack point to break into your site.
While you cannot guarantee the integrity of your visitors' computers, you can ensure that you are safe. And perhaps you will gain some knowledge about how to communicate security to your clientele.
Basic protection mechanisms
The author recently switched the anti-virus prevention and detection from a well-known package to Kaspersky (see www.kaspersky.com), and it (Kaspersky) found three viruses on his machine that the very popular package seemed to have missed. This is not an endorsement of Kaspersky; however, it is a worthwhile package to consider. It has hourly updates, it has a running total of new threats discovered, the time to put out a patch, and much more. Whatever you do, put the metric of anti-virus updating in place. The following is a list of a few things to consider for measuring and doing:
Anti-virus protection on your machines: Personally, I use Kaspersky; however, there are several fine products available. Make sure you choose one and use it.
Spam protection: One excellent service that is available to filter your email is known as MXlogic (see: http://www.mxlogic.com). This system actually filters your email before it reaches you for spam, viruses, and spyware junk. Additionally, it can help with compliance by monitoring your outbound mail for restricted materials leaving your computers.
Good (read strong) passwords: You need to establish a metric and reporting process to change passwords of your employees, your computers, your website, and so on frequently. A good time frame is at least once in thirty days. By doing so, you will lower the risk of password compromise.
Spyware: This is an extremely viable threat to you. Through the use of spyware, you can for instance, get a Trojan horse on your machine that could watch for passwords to your website, your bank, and so on. If they were able to obtain your website administrative password, there would be no way to stop them from getting in. Products such as Webroot (http://www.webroot.com) do a great job in preventing and removing spyware. There are many free spyware products in the market, and some of them are known to be a cover-up for putting spyware on your machine. This is a bit of a social engineering attack.
Check your physical security—you/your employees: How much "information" do you leak? The author uses the term "coffee-house" rules to describe a method of communicating in public. What this means is that with the plethora of wireless hot-spots in coffee shops and other areas, an intruder can (and it has happened) set up a "fake" hot-spot for free. Your machine connects, and he or she is the "man-in-the-middle" now. He or she forwards your requests on, all the while collecting vital information. But what about the human element? Another famous technique that works quite well for gaining passwords is "shoulder-surfing". This is where someone watches over your shoulder to steal some, or all of your passwords. Establishing a good program for your staff would be one of security awareness and education. The metric could be attendance, testing, and so forth. One other item to be somewhat aware of is the physical key loggers that can be attached to a keyboard. They appear innocuous but are deadly. If there is any possibility of outsiders being in your facility, it's a great idea to establish a program to check your equipment for tampering.
Wireless security: Have you tested it? Can anyone get on? There are several attack tools meant to break WEP encryption. So again, establishing a good password schema, and a plan to update and change it on a regular basis is vital. If by some weird chance you are running default settings on your wireless equipment, put this book down right now and go set up your security.
Rogue devices: Has someone added a wireless device that you don't know about in your facility? It has been known to happen frequently. Sweep your building for these devices on a regular basis.
Incident Reporting—Forums and Host
Eventually, you may need to visit the Joomla! forum or contact your host about security-related issues. Here are a few thoughts on proper usage and what you might encounter. When you approach the Joomla! forum, be aware that there is a ton of really good information available and by spending a few minutes researching you are likely to net your answer. However, if you do your research and find that the answer is obscure or does not exist, then yes, report it. Be prepared to get three kinds of responses from the forum:
No Response
Excellent help and pointers to postings that might answer your question
Flaming, name calling, censorship
Sadly, the last one does occur more than it should on Joomla! and other forums. In the author's opinion, this is partially because those who donate their time to support the forum will become exasperated when you haven't researched the issue. This is your responsibility, and it makes you a good Joomla! citizen to not waste everyone's time. It is not their responsibility to look it up for you.
However, sometimes, some people are just jerks and that's the way it is. Some of the moderators are heavy-handed and believe they should censor your posts. So be prepared.
Fortunately though, the first two are the prevalent items. If you do not get a response, research your facts again, check the way you are asking the question. Does it make sense? Are you giving the readers enough information to support you? In essence, if you feel you have been, or you know you have been hacked, here are a few rules for the forum that will prevent the dreaded flaming nonsense:
DO NOT publish the code that was used to attack you. This WILL result in censorship and for a good reason. You don't want to reveal that information for a lot of reasons.
DO your research before posting. Start with checking and searching for keywords, looking in the forums and reading a few postings, and so on. You might be surprised by what you find.
DO NOT use offensive language, even if you are called a name.
DO REPORT FACTS so others can help you. Often, you will see a desperate poster who puts up a post that says, "Help I've been hacked", and then they begin to bemoan their misery to you. This is not helpful. How was it attacked? What occurred? Why are you posting it? Do you need help? If so, ask! State how you were hacked (for instance a defacement), and then move on to getting the assistance you need. But do so by formulating a question before hitting send.
There are several other good-citizen type things, but these will specifically help you in the middle of a crisis.