Moodle 4 Security. Enhance security, regulation, and compliance within your Moodle infrastructure

Online learning platforms have revolutionized the teaching landscape, but with this comes the imperative of securing your students' private data in the digital realm. Have you taken every measure to ensure their data's security? Are you aligned with your organization's cybersecurity standards? What about your insurer and your country's data protection regulations? This book offers practical insights through real-world examples to ensure compliance. Equipping you with tools, techniques, and approaches, Moodle 4 Security guides you in mitigating potential threats to your Moodle platform. Dedicated chapters on understanding vulnerabilities familiarize you with the threat landscape so that you can manage your server effectively, keeping bad actors at bay and configuring Moodle for optimal user and data protection. By the end of the book, you'll have gained a comprehensive understanding of Moodle's security issues and how to address them. You'll also be able to demonstrate the safety of your Moodle platform, assuring stakeholders that their data is measurably safer.

Author(s): Ian Wild
Edition: 1
Publisher: Packt
Year: 2024

Language: English
Pages: 288

Cover
Title Page
Copyright
Dedication
Contributors
Table of Contents
Preface
Part 1: Moodle Security Primer
Chapter 1: Moodle Security – First Steps
Technical requirements
A short history of hacking
The Watergate scandal – a man-in-the-middle attack
Phreaking – VoIP fraud
Cracking encryption – SSL attacks
Fundamental security requirements
Understanding risk
The regulatory environment
Statutory requirements
Insurance requirements
Service License Agreement (SLA) requirements
ITT requirements
Creating a risk register
Description of risk
Probability
Impact
Mitigation action
Summary
Chapter 2: Moodle Threat Modeling
Technical requirements
Cybersecurity terminology
What are we working on?
Data flow diagrams
Microsoft Threat Modeling Tool
Identifying threats with STRIDE
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
What are we going to do about it?
Transferring threat risks
Eliminating risks
Accepting risks
Mitigating risks
Did we do a good job?
Summary
Chapter 3: Security Industry Standards
Technical requirements
The Open Web Application Security Project – OWASP
The OWASP Top 10 Web Application Security Risks
OWASP Top 10 – conclusions
The Center for Internet Security (CIS), Inc.
The CIS Critical Security Controls
The CIS Benchmarks
The Center for Internet Security – conclusions
Federal agency recommendations
The NIST Cybersecurity Framework – overview
The Framework Core
Bringing security industry standards together – the CIA triad
Summary
Part 2: Moodle Server Security
Chapter 4: Building a Secure Linux Server
Technical requirements
Creating your first cloud-based VM
Adding a new super user
Authentication using SSH keys
How secure is SSH?
Linux server multi-factor authentication (MFA)
Server patching
Enabling TLS/SSL
Installing an SSL certificate
Configuring SSL/TLS client connections
SSL certificate validation
Alternatives to Let’s Encrypt SSL certificates
Investigating firewalls
Linux server firewalls
Uncomplicated Firewall
fail2ban
Learning about exfiltration
Exploring server immutability
CI/CD with GitLab
An introduction to containerization
Summary
Chapter 5: Endpoint Protection
Technical requirements
Malware
What are rootkits?
Defending against rootkits
What are viruses?
Protecting against viruses
Understanding the Apache access logs
Logging geolocation data
Implementing a new Apache log format
ModSecurity WAF
What is ModSecurity?
Configuring ModSecurity for Moodle
Tuning ModSecurity using the audit log
Going further with ModSecurity
Summary
Chapter 6: Denial of Service Protection
Technical requirements
The Apache web server
What is PHP-FPM?
Configuring Apache to use PHP-FPM
Tuning PHP-FPM
Introduction to Apache JMeter
Installing JMeter
Creating a test plan
Running load tests
Analyzing test data
Going further with JMeter load tests
mod_evasive
Installing mod_evasive
Testing mod_evasive
Identifying threat actors from server access logs
Summary
Chapter 7: Backup and Disaster Recovery
Technical requirements
Understanding backup requirements
Data backup and restore
Database backup to file
MySQL database binary log replication
Cloud provider database replication solutions
MySQL point-in-time recovery
File backup and restore
Rsync
BorgBackup
Deployment using backups
Disaster recovery
Backup data storage locations
Disaster recovery scenarios
Disaster recovery drill
Summary
Part 3: Moodle Application Security
Chapter 8: Meeting Data Protection Requirements
Technical requirements
Background and concepts of data protection
Implementing a privacy officer role
Specifying a privacy policy
The Default (core) policy handler
Using the Policies (tool_policy) handler
The digital age of consent
Data retention
Managing data requests and data deletion
Creating data requests
Creating subject access and data deletion requests
Summary
Chapter 9: Moodle Security Audit
Technical requirements
The defense in depth strategy
Content Security Policy configuration
Testing content security policy restrictions
HTTP/2
Exploring Moodle security checks
Using Kali Linux
Information gathering tools
Vulnerability scanning tools
Exploitation tools
Summary
Chapter 10: Understanding Vulnerabilities
Technical requirements
Tracking vulnerabilities
Moodle security management and protocols
Vulnerability scanners
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Third-party vulnerability scanners
PHP_CodeSniffer (phpcs)
MDLCode – Moodle development plugin
Black Duck, Coverity, and the Synopsys Polaris platform
Exploring cloud host-specific security tools
Amazon Web Services (AWS)
Azure Front Door
Cloudflare
Summary
Part 4: Moodle Infrastructure Monitoring
Chapter 11: Infrastructure Monitoring
Technical requirements
What is infrastructure monitoring?
Investigating Grafana
Installing the Grafana agent
Configuring Grafana data sources and data sinks
Grafana dashboards
Reports and alerts
Alternative infrastructure monitoring tools
Nagios
New Relic
AWS CloudTrail and CloudWatch
Microsoft Azure Monitor
Summary
Index
About PACKT
Other Books You May Enjoy