Open Source CMS in Financial Services?

January 11, 2014

I ran a small personal blog on Drupal for a number of years. Drupal can dramatically simplify some categories of web content management compared to competing technology options.

A quick job search this evening for financial services openings involving Drupal in New York suggests a range of banking, finance, investments, and insurance organizations use this stack today.

Drupal is an open source content management platform powering millions of websites and applications. It is built, used, and supported by an active and diverse community of people around the world. It is written in PHP, uses a MySQL database, and supports a range of other emerging web technologies.

One reason I drifted off my Drupal platform involved the level of effort required to keep it updated and patched as new security vulnerabilities and exploits were published.

Drupal has a well-established record of moderately-critical and critical security vulnerabilities. This is not necessarily a bad thing. There is an active Drupal security team using relatively well-documented processes (https://drupal.org/security-team and https://drupal.org/node/1424708) in the context of an exemplary level of transparency.

In 2013 there were 3 major collections of remotely-exploitable critical & highly-critical vulnerabilities in the Drupal core, as well as 97 (mostly) remotely exploitable vulnerabilities in Drupal extensions.

Implications:

  1. Running a Financial Services web site on Drupal with a range of typical features & integrations involves the same range of risk management obligations as with any other technology stack. As a result, security needs to be built into your software development lifecycle end-to-end — from requirements-gathering & architecture, through configuration, deployment & operations, and every step in between.
  2. We need to develop & document a set of core company-standard coding conventions & formal standards that attempt to incorporate exploit resistance and attack-awareness, along with security-centric logging/alerting/alarming/reporting practices, throughout all Drupal-hosted application content (code, templates, configurations, CSS, etc.). If your organization does not support PHP development today, Drupal will drive you to PHP support. Building out a secure coding practice for a programming language without legacy support in your organization will require a non-trivial investment. The Drupal security team maintains code-level security guidance at https://drupal.org/writing-secure-code, which should help bootstrap company-specific standards; those standards should then be integrated into all code and configuration activities.
  3. We need to use careful, thoughtful, skeptical and paranoid security code reviews of all ‘code’ & configuration changes prior to deployment.
    Organizations should also invest in a regular service of centralized security code analysis, along with security assessments in a deployed context, and ‘certification’ of Drupal modules, permitting only ‘certified’ or approved modules in production and pilot environments. This type of review does not guarantee risk-free operations, but it would help to demonstrate Financial Services-grade due diligence and deliver a certain degree of safety in the module code. Some static security code analysis SaaS vendors support PHP, which can help with the staffing challenge here.
  4. We need to have enough trained technical and leadership personnel on deck at all times in order to react efficiently & effectively to security advisories or exploit announcements that require relatively immediate site and/or code changes.
  5. Finally, revisit the first recommendation above and follow through across your entire SDLC. That said, we also need to invest in ongoing platform penetration testing & web application vulnerability assessments in order to ensure that we are not exposed to a known or not-yet-announced vulnerability. Again, SaaS support opportunities abound in dynamic application testing. ‘App pen testing’ is not the solution to your web application security needs; it is only one facet of a multi-dimensional, full life-cycle approach that is critically important.
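
Item 2 above calls for coding conventions that build in exploit resistance, attack-awareness and security-centric logging. The following is an added example, not code from this post or from the Drupal project: one small lookup feature written the unsafe way and then the hardened way. It is plain PHP on an in-memory SQLite database so that it runs outside Drupal; in Drupal 7 the corresponding calls are db_query() with :placeholders, check_plain() for output escaping and watchdog() for the log line. The function names, the node table layout, the sample rows and the JSON log format are all assumptions made for the example.

```php
<?php
// Added example, not code from the post or from Drupal: the same feature
// ("show the title of a published article chosen by the visitor") written the
// unsafe way and the hardened way. Plain PHP with an in-memory SQLite database
// so it runs outside Drupal; in Drupal 7 the equivalents are db_query() with
// :placeholders, check_plain() for output, and watchdog() for the log line.
// Function names, table layout and sample rows here are constructed.

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, status INTEGER)');
    // Constructed rows: status 1 = published, status 0 = must never be shown.
    $db->exec("INSERT INTO node VALUES (1, 'Public <b>rates</b> page', 1)");
    $db->exec("INSERT INTO node VALUES (2, 'Draft: Q1 earnings (embargoed)', 0)");
    return $db;
}

// UNSAFE: the visitor's value is pasted into the SQL text, and the stored title
// is pasted into the HTML. Both are defects a coding standard should forbid.
function listTitlesUnsafe(PDO $db, string $nid): array {
    $sql = "SELECT title FROM node WHERE nid = $nid AND status = 1";
    $html = [];
    foreach ($db->query($sql)->fetchAll(PDO::FETCH_COLUMN) as $title) {
        $html[] = '<h1>' . $title . '</h1>';
    }
    return $html;
}

// HARDENED: validate, parameterise, escape on output, and record rejected
// input so the security team can alert on it (attack-awareness).
function listTitlesSafe(PDO $db, string $nid, array &$securityLog): array {
    // A node id is a positive integer; anything else is rejected, not "cleaned".
    if (!preg_match('/^[1-9]\d*$/D', $nid)) {
        $securityLog[] = securityEvent('input_rejected', ['param' => 'nid', 'value' => $nid]);
        return [];
    }
    // The placeholder keeps the value out of the query structure entirely.
    $stmt = $db->prepare('SELECT title FROM node WHERE nid = :nid AND status = 1');
    $stmt->execute([':nid' => (int) $nid]);
    $html = [];
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $title) {
        // Escape at the point of output so stored markup is displayed, not rendered.
        $html[] = '<h1>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h1>';
    }
    return $html;
}

// One machine-parseable JSON line per event; a burst of input_rejected events
// from one client is something the SOC can alarm on. Constructed format.
function securityEvent(string $event, array $fields): string {
    return json_encode(['ts' => gmdate('c'), 'event' => $event] + $fields);
}

$db = buildDb();
$securityLog = [];
$hostile = '2 OR 1=1 --';   // constructed malformed value for the nid parameter

// Unsafe path: the comment marker cuts off the status check, so the embargoed
// draft is listed along with the raw <b> markup of the public page.
print_r(listTitlesUnsafe($db, $hostile));

// Hardened path: the same input is rejected and logged; a legitimate id works
// and the <b> tags come out escaped.
print_r(listTitlesSafe($db, $hostile, $securityLog));
print_r(listTitlesSafe($db, '1', $securityLog));
echo implode("\n", $securityLog), "\n";
```

Run it with `php secure_lookup.php` (file name assumed). The point a coding standard should capture is the shape of the hardened function: reject rather than clean malformed input, keep values out of query structure with placeholders, escape at the point of output, and emit one parseable event per rejection so that alerting and reporting can be built on it.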

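Item 3 above proposes admitting only certified or approved modules to pilot and production. The following is an added example, not code from this post or from the Drupal project, of a pre-deployment gate that enforces such an allow-list from the metadata Drupal 7 keeps in each module's .info file. The key = value .info format is Drupal's; the minimal parser, the approved list with its minimum versions, the .info contents and the file paths are constructed for the example. The gate also blocks -dev snapshots, which Drupal's security advisory policy does not cover, and flags modules with no project key as custom code that needs its own review record.

```php
<?php
// Added example, not code from the post or from Drupal: a pre-deployment gate
// that admits only approved contributed modules. It reads the metadata Drupal 7
// keeps in each module's .info file (real format); the .info contents, the
// approved list, the minimum versions and the parser itself are constructed.

// Minimal .info reader: "key = value" lines, ';' comments, optional quotes.
function parseInfo(string $text): array {
    $info = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === ';' || strpos($line, '=') === false) {
            continue;
        }
        [$key, $value] = array_map('trim', explode('=', $line, 2));
        $info[$key] = trim($value, '"');
    }
    return $info;
}

// Policy (constructed): project => lowest release the review board has certified.
const APPROVED = [
    'views'  => '7.x-3.7',
    'ctools' => '7.x-1.3',
    'panels' => '7.x-3.3',
];
const TARGET_CORE = '7.x';

// "7.x-3.7" -> "3.7" so version_compare() sees plain release numbers.
function releaseNumber(string $version): string {
    return preg_replace('/^\d+\.x-/', '', $version);
}

// Returns the verdict for one module plus every reason it was blocked.
function reviewModule(string $path, array $info): array {
    $project = $info['project'] ?? null;
    $version = $info['version'] ?? '';
    $reasons = [];
    if (($info['core'] ?? '') !== TARGET_CORE) {
        $reasons[] = 'core is ' . ($info['core'] ?? 'missing') . ', expected ' . TARGET_CORE;
    }
    if ($project === null) {
        // Custom or hand-copied code carries no project/version: needs its own review.
        $reasons[] = 'no project key: custom module, requires a security code review record';
    } elseif (!isset(APPROVED[$project])) {
        $reasons[] = "project '$project' is not on the approved list";
    } elseif (strpos($version, 'dev') !== false) {
        // Drupal security advisories cover stable releases only; -dev snapshots get none.
        $reasons[] = "$version is a dev snapshot with no security-advisory coverage";
    } elseif (version_compare(releaseNumber($version), releaseNumber(APPROVED[$project]), '<')) {
        $reasons[] = "$version is older than the approved minimum " . APPROVED[$project];
    }
    return ['path' => $path, 'version' => $version, 'approved' => !$reasons, 'reasons' => $reasons];
}

// Constructed .info contents standing in for files under sites/all/modules.
$installed = [
    'sites/all/modules/views/views.info'   => "name = Views\ncore = 7.x\nversion = \"7.x-3.7\"\nproject = \"views\"\n",
    'sites/all/modules/ctools/ctools.info' => "name = Chaos tools\ncore = 7.x\nversion = \"7.x-1.2\"\nproject = \"ctools\"\n",
    'sites/all/modules/panels/panels.info' => "name = Panels\ncore = 7.x\nversion = \"7.x-3.x-dev\"\nproject = \"panels\"\n",
    'sites/all/modules/custom/acme_rates/acme_rates.info' => "name = ACME rates\ncore = 7.x\n",
];

$blocked = 0;
foreach ($installed as $path => $text) {
    $r = reviewModule($path, parseInfo($text));
    printf("%-7s %-11s %s\n", $r['approved'] ? 'APPROVE' : 'BLOCK', $r['version'] ?: '-', $path);
    foreach ($r['reasons'] as $reason) {
        echo "        - $reason\n";
    }
    $blocked += $r['approved'] ? 0 : 1;
}
exit($blocked > 0 ? 1 : 0);   // non-zero stops the deployment pipeline
```

A non-zero exit on any blocked module lets a CI job refuse the deployment, and the report lines give the reviewer the reason per module. Consulting the contributed-project advisory feed at https://drupal.org/security/contrib as an additional block condition is the natural extension and is not shown here.
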
REFERENCES

Security Advisories – Drupal Core
https://drupal.org/security
Security Advisories – Contributed Projects
https://drupal.org/security/contrib
Security Advisories – Public Service Announcements
https://drupal.org/security/psa

“Security Issues in Drupal Content Management System.” (2013)
http://www.examiner.com/article/security-issues-drupal-content-management-system

The 10 most critical Drupal security risks. (2012)
http://www.cameronandwilding.com/blog/pablo/10-most-critical-drupal-security-risks

CVE Drupal Vulnerability Statistics:
http://www.cvedetails.com/vendor/1367/Drupal.html
CVE Drupal Vulnerability Details:
http://www.cvedetails.com/vulnerability-list/vendor_id-1367/product_id-2387/Drupal-Drupal.html

Drupal Administration Guide — Securing your Site
https://drupal.org/security/secure-configuration

Drupal Writing secure code. Last updated September 12, 2013
https://drupal.org/writing-secure-code

“Drupal Security Best Practices — A Guide for Governments and Nonprofits.”
By OpenConcept Consulting Inc. for Public Safety Canada
Principal Author: Mike Gifford, with a collection of contributors
http://openconcept.ca/drupal-security-guide

Public Example: Drupal Security at University of Pennsylvania
Drupal Security Considerations
https://www.sas.upenn.edu/computing/infosec_drupal
Drupal Secure Configuration
https://www.sas.upenn.edu/computing/drupal-security
Drupal Approved Modules
https://www.sas.upenn.edu/computing/drupal-approved-modules

“Mad Irish . net — Open source software security.”
http://www.madirish.net/tag/drupal


Does Government Owning Your iPhone Matter?

January 2, 2014

A recent burst of news about NSA access to individuals’ iPhones serves as a reminder that using modern mobile devices for some types of Financial Services business activities involves elevated risk, and risk that is difficult to quantify.

Late last summer I wrote a little about the potential for NSA data gathering to influence Financial Services privacy and security promises.
This reference to iPhone surveillance is a reminder that using consumer devices to perform material company business of any kind, or to perform many types of common operations on company non-public data, involves a certain amount of risk. This should be factored into your ‘risk appetite’ discussions and planning, and that should occur at a number of levels throughout your Financial Services organization.

Mass surveillance by U.S. intelligence organizations has been documented relatively frequently in the 7 years since Mark Klein, a retired AT&T communications technician, revealed that AT&T provided U.S. National Security Agency personnel with full access to its customers’ phone calls, and shunted its customers’ internet traffic to data-mining equipment installed in a San Francisco switching center, since 2003. The U.S. is not the only government engaged in mass surveillance.

REFERENCES:
———-
“Shopping for Spy Gear: Catalog Advertises NSA Toolbox.” By Jacob Appelbaum, Judith Horchert and Christian Stöcker; 12-29-2013; http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

“…an NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry — including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell.”
“These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels of our digital lives — from computing centers to individual computers, and from laptops to mobile phones. For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA’s specialists seem already to have gotten past them.”

“How The NSA Hacks Your iPhone (Presenting DROPOUT JEEP).” By Tyler Durden; 12-30-2013; http://www.zerohedge.com/news/2013-12-30/how-nsa-hacks-your-iphone-presenting-dropout-jeep

“NSA Data Gathering Hits Financial Services Privacy & Security Promises.” September 8, 2013; https://completosec.wordpress.com/2013/09/08/nsa-data-gathering-hits-financial-services-privacy-security-promises/

Historical References to U.S. Mass Surveillance:
———————————————–

“Whistle-Blower Outs NSA Spy Room.” By Ryan Singel; 04-07-2006; http://www.wired.com/science/discoveries/news/2006/04/70619
And “Wiretap Whistle-Blower’s Account.” Statement By Mark Klein; 04-06-2006; http://www.wired.com/science/discoveries/news/2006/04/70621

“NSA’s Domestic Spying Grows As Agency Sweeps Up Data — Terror Fight Blurs Line Over Domain; Tracking Email.” By Siobhan Gorman; 03-10-2008; http://online.wsj.com/news/articles/SB120511973377523845

“The central role the NSA has come to occupy in domestic intelligence gathering has never been publicly disclosed. But an inquiry reveals that its efforts have evolved to reach more broadly into data about people’s communications, travel and finances in the U.S. than the domestic surveillance programs brought to light since the 2001 terrorist attacks.”
“According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called “transactional” data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns.”
“The Treasury, for instance, built its database “to look at all the world’s financial transactions” and gave the NSA access to it about 15 years ago, said a former NSA official. The data include domestic and international money flows between bank accounts and credit-card information, according to current and former intelligence officials. The NSA receives from Treasury weekly batches of this data and adds it to a database at its headquarters. Prior to 9/11, the database was used to pursue specific leads, but afterward, the effort was expanded to hunt for suspicious patterns.” The NSA also has access from the Treasury to financial transactions globally via their connection to the Society for Worldwide Interbank Financial Telecommunication, or Swift, the Belgium-based clearinghouse for records of international transactions between financial institutions.

“Government Is Tracking Verizon Customers’ Records.” By Siobhan Gorman And Jennifer Valentino-DeVries; 06-06-2013; http://online.wsj.com/news/articles/SB10001424127887324299104578528181094177900

“Verizon is required to provide NSA with “all call detail records” of customers, including all local and long-distance calls within the U.S., as well as calls between the U.S. and overseas, according to a court order labeled “top secret” published Wednesday by the Guardian newspaper.”
 
“Mass Surveillance in America: A Timeline of Loosening Laws and Practices.” By Cora Currier, Justin Elliott and Theodoric Meyer; 06-07-2013; http://projects.propublica.org/graphics/surveillance-timeline
“FAQ: What You Need to Know About the NSA’s Surveillance Programs.” By Jonathan Stray; 08-05-2013; http://www.propublica.org/article/nsa-data-collection-faq

“U.S. Collects Vast Data Trove — NSA Monitoring Includes Three Major Phone Companies, as Well as Online Activity.” By Siobhan Gorman, Evan Perez and Janet Hook; 06-07-2013; http://online.wsj.com/article/SB10001424127887324299104578529112289298922.html?mod=WSJ_hpp_LEFTTopStories

“The National Security Agency’s monitoring of Americans includes customer records from the three major phone networks as well as emails and Web searches, and the agency also has cataloged credit-card transactions, said people familiar with the agency’s activities.”
“Civil-liberties advocates slammed the NSA’s actions. “The most recent surveillance program is breathtaking. It shows absolutely no effort to narrow or tailor the surveillance of citizens,” said Jonathan Turley, a constitutional law expert at George Washington University.”
“The Washington Post and the Guardian reported earlier Thursday the existence of the previously undisclosed program, which was described as providing the NSA and FBI direct access to server systems operated by tech companies that include Google Inc., Apple Inc., Facebook Inc., Microsoft Corp.  The newspapers, citing what they said was an internal NSA document, said the agencies received the contents of emails, file transfers and live chats of the companies’ customers as part of their surveillance activities of foreigners whose activity online is routed through the U.S.”
“The arrangement with Verizon, AT&T and Sprint, the country’s three largest phone companies, means that every time the majority of Americans makes a call, NSA gets a record of the location, the number called, the time of the call and the length of the conversation, according to people familiar with the matter.”

“Gamma FinSpy Surveillance Servers in 25 Countries.” By Vernon Silver; 03-13-2013; http://www.bloomberg.com/news/2013-03-13/gamma-finspy-surveillance-servers-in-25-countries.html

“Computers running U.K.-based Gamma Group’s FinSpy surveillance tool, which can remotely take over computers and phones, have been found in 25 countries, according to an updated global scan of the Internet that mapped the locations of servers that control infected machines.”

“U.S. Confirms That It Gathers Online Data Overseas.” By Charlie Savage, Edward Wyatt and Peter Baker; 06-06-2013; http://www.nytimes.com/2013/06/07/us/nsa-verizon-calls.html

“The federal government has been secretly collecting information on foreigners overseas for nearly six years from the nation’s largest Internet companies like Google, Facebook and, most recently, Apple, in search of national security threats, the director of national intelligence confirmed Thursday night.”
“In the internal documents, experts boast about successful access to iPhone data in instances where the NSA is able to infiltrate the computer a person uses to sync their iPhone. Mini-programs, so-called “scripts,” then enable additional access to at least 38 iPhone features.”

“Privacy Scandal: NSA Can Spy on Smart Phone Data.” By Marcel Rosenbach, Laura Poitras and Holger Stark; 09-07-2013; http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html

“SPIEGEL has learned from internal NSA documents that the US intelligence agency has the capability of tapping user data from the iPhone, devices using Android as well as BlackBerry, a system previously believed to be highly secure.”
“The material viewed by SPIEGEL suggests that the spying on smart phones has not been a mass phenomenon. It has been targeted, in some cases in an individually tailored manner…”

“iSpy: How the NSA Accesses Smartphone Data.” By Marcel Rosenbach, Laura Poitras and Holger Stark; 09-09-2013; http://www.spiegel.de/international/world/how-the-nsa-spies-on-smartphones-including-the-blackberry-a-921161.html

According to internal NSA documents from the Edward Snowden archive that SPIEGEL has been granted access to, “The US intelligence agency NSA has been taking advantage of the smartphone boom. It has developed the ability to hack into iPhones, android devices and even the BlackBerry, previously believed to be particularly secure.”
“A detailed NSA presentation titled, “Does your target have a smartphone?” shows how extensive the surveillance methods against users of Apple’s popular iPhone already are.”

——————————————————————————–

Finally, for an excellent recent 1-hour technical presentation on some of the technical surveillance aspects of this topic, see Jacob “@ioerror” Appelbaum’s talk at 30C3, the 30th Chaos Communication Congress (Hamburg, Germany, Dec 27-30, 2013):
http://www.youtube.com/watch?feature=player_embedded&v=b0w36GAyZIA

