
I'm helping to administer a LAMP web server for a charity which runs CiviCRM on Joomla. This system is going to be accessed over the Internet by many volunteers from devices I have no control over. Are there any professional tried-and-tested suggestions for hardening given such a scenario?

For example, one way could be through a VPN and a spreadsheet that lists users & devices with access together with their "security readiness state":

  • Username
  • Access granted (i.e. group membership)
  • Access needed (i.e. gently making people justify being admin..)
  • Device name
  • Device location
  • Device OS
  • Device security software in use
  • Link to device-specific security checklist
  • Date security checklist last ran
  • Device VPN key thumbprint

The spreadsheet could be viewable organisation-wide, thus encouraging transparency and accountability, hopefully giving me leverage in getting users to at least adopt the standards of their peers. To do this I would be interested in ways of auditing a device's security posture. If it could be audited and enforced by the VPN (quarantine & remediation) that'd be even better.

eug
  • Exactly what is your question? What are you looking for? – Neil Smithline Jun 22 '16 at 16:51
  • @Jedi I'm looking for best practices to harden BYOD-based access to a LAMP server. The spreadsheet is not public but organisation-only. I've edited the question, hopefully it is now clearer. – eug Jun 23 '16 at 14:23

2 Answers


Are end-user devices provided to the volunteers by the charity? If not, are you really sure that you want to personally take charge of hardening and supporting all volunteers' devices of all kinds?

Unless you are in a corporate-like environment where devices are provided and managed by the company, you would rather consider that end-user device management is up to the end-users themselves. This does not prevent you from giving useful advice, but nothing formal and nothing committing you to provide some kind of universal support service to the end-users.

On your side however, if required, you can try to detect suspicious activities on the server side and prepare an action plan in case such an alert is raised. For instance, you can tell the users some examples of activities considered suspicious (it can be the same user suddenly connecting from a different country, posting advertisements / offensive / unusual messages, manifestly trying to penetrate unauthorized areas, etc.) and explain what would follow (revocation of the VPN access, user contacted by phone / mail / whatever, etc.).

I talked about a VPN because you mentioned it, but if all you want to provide access to is a website, client-side certificates may be a lighter and more appropriate option than a full-fledged VPN.

WhiteWinterWolf
  • Thanks for the reply & edit. End-user devices are currently the volunteers' own personal ones - this is where the crux of the problem lies. You're right that I certainly don't want to manage and support them, but since they'll be accessing organisational data I want to provide advice and ensure as best I can that they're not hacked and have at least installed AV & OS updates. Anomaly detection sounds very useful too but I suppose that would be a separate question. – eug Jun 23 '16 at 14:28
  • @eug *"ensure as best I can that they're not hacked and have at least installed AV & OS updates"*: I fear this may be just impossible when you have control over neither the OS nor the AV. If such controls are indeed possible in a corporate environment, it is because each corporate device is similar, allowing one to write very strict policy rules. Now, when you have to handle a combination of a dozen different OS versions with possibly several dozen AV providers, I do not think there is any easy way to technically enforce anything, and your main solution would just be user education and training. – WhiteWinterWolf Jun 23 '16 at 15:24

I'm writing an answer based on the assumptions below.

You are responsible for LAMP and the application, volunteers are allowed BYOD, and you seek input on hardening the security. My responses will be:

  1. Assume this is a normal application which is live and anyone with Internet access can reach it.
  2. Authentication, authorization and auditing are the key aspects to be handled.
  3. Follow the principle of least privilege.
  4. To tackle the situation of permitted BYOD, you'd thought of a spreadsheet; I say that is awesome, this way you can keep track of all the whitelisted devices and log the activities against one account.
  5. If possible, consider MAC-based filtering (I understand this directly counters BYOD if I have multiple devices, but this is way smoother for a person with responsibilities for security and auditing).
  6. Create your own standards and guidelines for what basic device criteria have to be met (antivirus, firewall, periodic scans, one user only or whatever you feel preferable).
  7. Make the design secure by considering security practices for hardening application security (OWASP).

No matter what an application is going to serve, how cheap or costly it is, if one wants to make it live one has to give due respect to InfoSec, so feel free to reach the hierarchy to propose your security implementation plans; a stitch in time saves your honour (this is how business justification should be given, on a lighter note, because charitable or commercial, all organisations value their brand/image).

GhostSpeaks101