Open Source Websites : Protection
Chris Davis
Director of Security and Compliance
Open Source Powered Websites: Protect Your Enterprise and Yourself - Chris Davis, Firehost
Open Source Powered Websites: Protect Your Enterprise and Yourself - Chris Davis, Founder & CEO, Firehost
Published in: Technology
DISCLAIMER
This is not a Sales Pitch
• Learn from our findings and apply to your environment
• This is a very serious problem and it’s only getting worse
HOW BAD IS IT?
• 82% of websites have at least one security issue (WhiteHat Security, 2008)
• 63% have issues of high, critical or urgent severity (WhiteHat Security, 2008)
• 70% of the top 100 most popular web sites either hosted malicious content or contained a masked redirect to malicious sites (Websense, 2009)
WEB APPLICATIONS – THE LARGEST THREAT
Verizon / United States Secret Service Data Breach Investigations Report, 2010
• 54% of attacks are on the web application layer
• Web application attacks accounted for 92% of the records compromised
OPEN SOURCE ON THE RISE
THE GAME HAS CHANGED
Rise in application-level attacks (ports 80 and 443, which firewalls leave open):
• Web, HTTPS (SSL) & XML Vulnerabilities
• SQL Injection
• Session Hijacking
• Cross Site Scripting (XSS)
• Form Field Tampering
• Known Worms
• Zero Day Web Worms
• Buffer Overflow
• Cookie Poisoning
• Denial of Service
• Web Server & Operating System Attacks
• Directory Traversal
• Anonymous Proxy
• Open Source Vulnerabilities
• OS Command Injection
• Cross-Site Request Forgery
• Google Hacking
• Remote File Inclusion
• Illegal Encoding
• Malicious Robots
• Parameter Tampering
• Brute Force Login
• Malicious Encoding
• Site Recon
• Credit Card Exposure
• Patient Data Disclosure
• Phishing
• Data Destruction
• US SSN Leakage
Strict compliance requirements (U.S. and abroad), for example the U.S. Department of Health & Human Services Policy for Responding to Breaches of Personally Identifiable Information (PII), HHS-OCIO-2008-0001.002, April 15, 2008.
HACKER PROFILES (Two Types)
• The Egomaniac
• The Criminal
NATHAN SMITH: Static & CMS-Powered Website Hacked on Cloud Hosting
• Textpattern CMS
• Co-wrote a book on Textpattern, so no rookie
• SEO bots injected “spammy” links
• Visitors saw a normal page, but the HTML carried a display:none list of links that only search engines would index
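The injected markup in the Nathan Smith case is easy to miss in a browser and easy to find in the source. The scanner below, an added example that is not from the slides, walks a page's HTML and reports every hidden subtree (display:none or visibility:hidden) that holds several links. The sample page, the hidden-style pattern and the three-link threshold are constructed assumptions.

```python
"""Detect the SEO-spam pattern above: an element hidden with display:none (or
visibility:hidden) that is stuffed with links.  Added example, not part of the
original slides; the sample page, the hidden-style pattern and the threshold of
three links are constructed assumptions."""
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Tags that never get a closing tag, so they must not be pushed onto the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class HiddenLinkScanner(HTMLParser):
    """Collects the hrefs found inside each hidden subtree of the document."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, opened_a_hidden_subtree) per open element
        self.hidden_depth = 0    # > 0 while inside any hidden element
        self.findings = []       # list of href lists, one per hidden subtree
        self._current = None     # hrefs of the hidden subtree being walked

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in VOID_TAGS:
            return
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        if hidden:
            if self.hidden_depth == 0:
                self._current = []
            self.hidden_depth += 1
        self.stack.append((tag, hidden))
        if tag == "a" and self.hidden_depth > 0 and attrs.get("href"):
            self._current.append(attrs["href"])

    def handle_startendtag(self, tag, attrs):
        # <br/> and friends open nothing that needs tracking
        pass

    def handle_endtag(self, tag):
        if all(t != tag for t, _ in self.stack):
            return               # stray closing tag: ignore rather than unwind
        while self.stack:
            t, hidden = self.stack.pop()   # tolerates unclosed inner elements
            if hidden:
                self.hidden_depth -= 1
                if self.hidden_depth == 0:
                    self.findings.append(self._current)
                    self._current = None
            if t == tag:
                break


def hidden_link_blocks(html, min_links=3):
    """Return the href lists of hidden subtrees holding at least min_links links."""
    scanner = HiddenLinkScanner()
    scanner.feed(html)
    scanner.close()
    return [hrefs for hrefs in scanner.findings if len(hrefs) >= min_links]


# Constructed sample: one normal page with an injected hidden spam block and
# one small hidden element that a real site might legitimately carry.
SAMPLE_PAGE = """<html><body>
<div id="content"><p>Welcome to my <a href="/about">site</a>.<br></p>
<div style="display:none"><ul>
<li><a href="http://example.com/cheap-pills">cheap pills</a></li>
<li><a href="http://example.net/casino">casino</a></li>
<li><a href="http://example.org/loans">loans</a></li>
</ul></div>
<div style="display: none"><a href="/tracking">pixel</a></div>
<p>Unaffected <a href="/contact">contact</a> link.</p></div>
</body></html>"""

if __name__ == "__main__":
    for hrefs in hidden_link_blocks(SAMPLE_PAGE):
        print("hidden block with %d links:" % len(hrefs), hrefs)
```

Run it against the rendered page as served to an anonymous visitor (fetch it the way a crawler would, not from the CMS editor), because this kind of injection is often conditional on the User-Agent or on the request not carrying an admin cookie. Inline styles are only one way to hide content; a hardened version would also resolve class names against the site's stylesheets.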
KARL SWEDBERG: WordPress Hacked
• WordPress CMS, hacked
• During the migration we gained access to over 1000 websites
• Yes… we had Karl report the hack
SECURITY IS ABOUT THE ECOSYSTEM
Layers:
• Network: Routers / Firewalls
• Operating Systems: Windows / Linux / OS X
• Applications: Open Source / Commercial
• Database: Oracle / MySQL / MS SQL
• Web Server: Apache / Microsoft IIS
• 3rd Party Web Applications: Open Source / Commercial
• Custom Web Applications: PHP / ASP.NET / Java
• Physical / Virtual Access / Social Engineering
Responsibility and solution:
• Managed hosting responsibility: Firewall, Virus Protection, Patches, IDS, etc.
• Yours or FireHost: App Level or WAF
Humans: The Biggest Security Vulnerability
WHAT CAN YOU DO? Be Smart About It
• Security isn’t convenient
• Choose only leading CMS platforms
• Stay up-to-date with core updates
• There are decent security plug-ins out there
• Use a secure hosting provider
THE REALITIES OF MODULES/PLUGINS
Keep Them Under Control
LOVE YOUR MODULES: Website Enhancements
• Only download from trusted sources
• Check bug reports
• Only activate one at a time
• Three dirty letters: DEV (don’t run development builds on a production site)
• Don’t install unless it supports your core version or higher
• Search “<module name> hacked” first and read the results
YOU AND YOUR ADMIN: Don’t Be Afraid
• SSL: it’s not just for shopping carts. Serve the admin interface over HTTPS, or every admin login and session cookie crosses the wire in the clear
• Configure .htaccess or IIS security on the admin directory. Don’t worry about changing the directory name: renaming hides little, while access control on the directory actually stops requests
• Don’t trust your connection, especially Wi-Fi: ARP poisoning is easy, and an unencrypted admin session on a shared network can be read and hijacked
THE DATABASE: What Are You Exposing?
• Logins: give the CMS its own MySQL username and password, different from the root login, with privileges only on its own database
• Sharing: do not share your database with other apps
• Change table prefixes: obfuscate table names to something known only to you. This only defeats untargeted scripts that hardcode the default names; it does not fix an injection flaw
• Non-public: remove the DB from public access
• Segment: segment where appropriate to limit the scope of access
• Back up! Not much to say here
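Three of the checklist items above (a dedicated login rather than root, a non-default table prefix, and a database that is not reachable from the public network) can be read straight out of the configuration files. The audit below is an added example, not from the slides: it parses the define() lines and $table_prefix of a WordPress-style wp-config.php and the [mysqld] section of my.cnf, and reports what is exposed. Both configurations are constructed samples, one weak and one hardened; treating a missing bind-address as "listen on all interfaces" follows MySQL's documented default.

```python
"""Audit a site's database wiring against the checklist above: no root login
for the application, MySQL not listening on public interfaces, default table
prefix changed.  Added example, not part of the original slides; it reads the
define() lines and $table_prefix of a WordPress-style wp-config.php and the
[mysqld] section of my.cnf.  Both configs below are constructed samples."""
import re

DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
PUBLIC_BINDS = {"*", "0.0.0.0", "::"}


def php_defines(php):
    """{'DB_USER': 'root', ...} from define('NAME', 'value') lines."""
    return dict(DEFINE_RE.findall(php))


def table_prefix(php):
    m = PREFIX_RE.search(php)
    return m.group(1) if m else None


def mysql_bind_address(my_cnf):
    """bind-address from [mysqld]; absent means '*' (all interfaces), MySQL's default."""
    section, value = None, "*"
    for raw in my_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "mysqld" and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            if key.replace("_", "-") == "bind-address":   # both spellings are accepted
                value = val
    return value


def audit(wp_config, my_cnf):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    user = php_defines(wp_config).get("DB_USER", "")
    if user in ("", "root"):
        findings.append("DB_USER is %r: the site should connect as its own "
                        "least-privilege account, not the server's root login" % user)
    prefix = table_prefix(wp_config)
    if prefix in (None, "wp_"):
        findings.append("table prefix is the default 'wp_': change it (this only "
                        "defeats untargeted scripts; it is no substitute for patching)")
    bind = mysql_bind_address(my_cnf)
    if bind in PUBLIC_BINDS:
        findings.append("MySQL bind-address is %r: the database listens on every "
                        "interface instead of loopback or the private network" % bind)
    return findings


# Constructed samples: the weak pair fails all three checks, the hardened pair passes.
WEAK_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', 'changeme' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""
HARDENED_WP_CONFIG = """<?php
define( 'DB_NAME', 'blog' );
define( 'DB_USER', 'blog_app' );
define( 'DB_PASSWORD', 'long-random-secret' );
define( 'DB_HOST', '127.0.0.1' );
$table_prefix = 'k7q2_';
"""
WEAK_MY_CNF = "[mysqld]\nbind-address = 0.0.0.0\nport = 3306\n"
HARDENED_MY_CNF = "[mysqld]\nbind-address = 127.0.0.1  # loopback only\nport = 3306\n"

if __name__ == "__main__":
    for label, cfg, cnf in (("weak", WEAK_WP_CONFIG, WEAK_MY_CNF),
                            ("hardened", HARDENED_WP_CONFIG, HARDENED_MY_CNF)):
        print(label, audit(cfg, cnf) or ["ok"])
```

The bind-address check only tells you what the server listens on; if the web and database tiers are on separate hosts (the "isolated environments" on the next slide), the database must listen on the private interface and the network firewall must admit only the web tier, which no config parser can verify for you.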
YOUR HOSTING ENVIRONMENT
• Network Firewalls
• VPN Access
• Anti-Virus
• SSL Certificates
• Isolated Environments (Web/DB – Prod/Dev)
• Web Application Firewalls
• Two-Factor Authentication
• Vulnerability Monitoring
• Intrusion Detection
• Log Management
• Scrubbing Centers
• Disk Encryption
Thank You. Questions?
Chris Davis
Email chris.davis@firehost.com
Twitter twitter.com/davischrism