Sucuri Webinar: How Websites Get Hacked


  1. How Websites Get Hacked | Webinar | Tony Perez | @perezbox | #AskSucuri
  2. Tony Perez, @perezbox
  3. Who Is This Talk For?
      • Currently infected
      • Have been infected
      • Curious how someone hacked their website
      • Curious about the various attack vectors
  4. Quick Review: The Impacts of Compromise
  5. Infection Types
      • Malware Distribution
      • Search Engine Poisoning
      • Spam Email
      • Phishing Lures
      • Defacement
      • DDoS/Bots/Backdoors
      • Ransomware
  6. The Impacts of Compromise: Brand, Website Blacklisting, Emotional Distress, Economic, Business, Visitor Compromise, Technical, SEO Impacts
  7. Website Hacks
  8. April 2016 – 1.02 Billion Websites. Chart figures: 73%, 33%. Chart labels: CMS Powered Websites, CMS Market Share
  9. The Environment: A complex ecosystem
  10. Attack Surface. Environment: Local Machine, Local Network, User
  11. Domain / Threat Landscape
      Environment
      • Devices (i.e., Desktop, Notebooks, Tablets)
      • Networks (i.e., Public Wifi, Insecure Networks)
      • End-users (i.e., Poor administration / maintenance)
      Application, Server, Infrastructure
      • CMS (i.e., WordPress, Joomla!, Magento, Drupal, etc.)
      • Non-CMS Applications (i.e., Plesk, WHMCS, cPanel, etc.)
      • Multi-function environments (i.e., email / file servers, etc.)
      • Web Server (i.e., Apache, NGINX, Varnish, IIS, etc.)
      • Operating Systems (i.e., Linux, Windows, etc.)
      • Languages (i.e., PHP, .NET, Node.js, etc.)
      • Server Daemons (i.e., FTP, SFTP, SSH, etc.)
      • Hosting companies
      • Physical servers
      • Hardware peripherals (i.e., Routers, Switches)
  12. Security Chain: Application, Server, Infrastructure, Environment
  13. Types of Attacks
  14. Targeted Attacks vs. Attacks of Opportunity
      Targeted Attacks
      • Occurs .001% of the time
      • There is a specific “target”
      • How the attack will happen is unknown
      • The exploit is unknown, defined by what is found
      • There is enough motivation and return
      • Automated / Manual
      • High level of skill / expertise
      • Personal (i.e., political, competitor, hatred)
      • Modus operandi for organizations
      Attacks of Opportunity
      • Occurs 99.99% of the time
      • Don’t have a specific “target”
      • The attack is known
      • The exploit is known, low-hanging fruit
      • The motivation and return are dependent on mass effect
      • Mostly automated
      • Low-to-mid level of skill / expertise
      • Not personal (i.e., wrong place, wrong time)
      • Modus operandi for website attacks
  15. Attack Flow
  16. Automation
      • Key in today’s attacks, making it the most effective way to affect tens of thousands of websites at the same time (i.e., maximum exposure and increased potential for success)
      • Introduces efficiency and effectiveness into the attack sequence, enabling less-skilled adversaries (i.e., new breed of script kiddies)
      • Allows bad actors to be faster on the draw when targeting new software vulnerabilities
      • Enabled by the development and expansion of global bot networks (botnets)
  17. Attack flow phases: Reconnaissance, Identification, Exploitation, Sustainment, Compromise, Cleanup (Automated / Targeted)
  18. Attack phases: Targeted vs. Opportunity
      • Reconnaissance. Targeted: Scanning a specific environment. Opportunity: Scanning the web for a specific issue.
      • Identification. Targeted: Identify the potential attack vectors on the network. Opportunity: Occurs in Reconnaissance phase.
      • Exploitation. Targeted: Exploit a specific weakness based on services in environment. Opportunity: Exploit known weakness.
      • Sustainment. Targeted: Ensure attacker can continue to get into environment. Opportunity: Ensure attacker can continue to get into environment.
      • Compromise. Targeted: Accomplish the objective. Opportunity: Accomplish the objective.
      • Cleanup. Targeted: Reduce odds of detection, cover tracks. Opportunity: N/A.
  19. Attack phases: Considerations and Security Controls
      • Reconnaissance. Consideration: How are you reducing your attack surface? Control: Disable unused services, ports, applications.
      • Identification. Consideration: How do you know what vulnerabilities exist? Control: Vulnerability management program (i.e., wpscan, joomlascan, etc.).
      • Exploitation. Consideration: How are you mitigating exploitation attempts? Control: Employ cloud-based WAF / IPS.
      • Sustainment. Consideration: How do you know there are no backdoors? Control: Employ IDS technology designed to detect these issues.
      • Compromise. Consideration: How do you know if you’re currently compromised? Control: Employ IDS technology designed to report Indicators of Compromise (IoC) and integrity issues.
      • Cleanup. Consideration: Are you retaining all activity remotely? Control: Employ an auditing / remote retention mechanism.
  20. Availability
      • Availability describes your website’s uptime, or accessibility, to your audience.
      • Some hacks don’t intend to compromise the website or its resources; instead they are content with overwhelming resources and disrupting its availability.
      • Known as Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
      • Attackers are able to overwhelm resources on a network. This drastically affects shared hosts and small web servers, and can lead to websites being disabled to save the network.
  21. Attack Vectors
  22. How Websites Get Hacked
      • Access Control
      • Software Vulnerabilities
      • Cross-site Contamination
      • Third-Party Integrations
      • Hosting
  23. Access Control
      • Refers to how access is restricted to specific areas, places, or things.
      • Website access control extends to all applications that provide some form of access to the web environment:
          • CMS Administration panel
          • Hosting Administration Panel
          • Server Access Nodes (i.e., FTP, SFTP, SSH)
      • When thinking about access control, think beyond the website application.
      • Attacks on access control come in the form of Brute Force attacks.
  24. Software Vulnerabilities
      • Refers to bugs in code that can be abused to perform nefarious acts. They include things like:
          • SQL Injection (SQLi), Cross-Site Scripting (XSS), Remote Code Execution (RCE), Remote File Inclusion (RFI), etc.
      • Familiarize yourself with the Open Web Application Security Project (OWASP), specifically the OWASP Top 10.
      • CMS applications struggle with vulnerabilities in their extensible parts (i.e., plugins, themes, extensions, modules, etc.)
  25. Cross-site Contamination
      • Refers to the lateral movement an attacker makes once in the web server.
      • This is referred to as an internal attack, not an external one. An attacker is able to gain entry into the web server via a vulnerable site, then use that to leapfrog into all other websites on the web server.
      • It’s often the contributing factor to a number of reinfections: website owners focus on the website affected and the symptoms, but spend little time looking at the websites that show no external signs of compromise.
      • Rampant in environments that do not employ functional isolation on the web server, and employ improper permissions and configurations.
  26. Third-Party Integrations
      • Third-party integrations refer to a number of things; the most prevalent one affecting security is the integration of ads and their associated ad networks.
      • These integrations introduce a weak link into the security chain, where ad networks are attacked and used to penetrate unsuspecting websites (malvertising).
      • Malvertising is the act of manipulating ads to distribute malware, often in the form of malicious redirects and drive-by downloads.
      • Exceptionally difficult to detect because of their conditional nature, and the fact that they are outside of the website environment.
  27. Hosting
      • It’s been a long time since there has been a mass-compromise of a large shared-hosting provider (circa 2011).
      • The issues with hosts today revolve around hosts that aren’t really hosts: organizations that try to offer a complete solution (marketing / development / security / hosting / SEO, etc.).
      • Inexperienced service providers that introduce confusion and noise to an already crowded marketplace.
      • They know enough to be dangerous, but rarely have the in-house skills or knowledge.
      • Contribute to a number of cross-site contamination issues due to poor configurations.
  28. Thinking Website Security: How to improve your website security posture
  29. Security is not a static state, it’s a continuous process.
  30. (no transcript text)
  31. Technology will never replace your responsibility as a website owner.
  32. (no transcript text)
  33. Security is not a Do It Yourself (DIY) project.
  34. (no transcript text)
  35. Q & A: Tweet us @SucuriSecurity using #AskSucuri
  36. Thank you!
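
The Cross-site Contamination slide (25) attributes reinfections to missing isolation and improper permissions on a shared web server. The audit below is an added example, not part of the original deck: it reports which site directories share one owning account and which paths any local account can modify. The web-root layout, site names and function names are constructed for illustration.

```python
import os
import stat
import tempfile
from collections import defaultdict

def audit_shared_webroot(base):
    """Return (shared_owners, world_writable) for the site directories under base.

    shared_owners: {uid: [site, ...]} for each uid that owns more than one docroot.
    world_writable: sorted paths, relative to base, that any local account can modify.
    """
    owners = defaultdict(list)
    world_writable = []
    for site in sorted(os.listdir(base)):
        root = os.path.join(base, site)
        if os.path.islink(root) or not os.path.isdir(root):
            continue
        owners[os.lstat(root).st_uid].append(site)
        for dirpath, _dirs, files in os.walk(root):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                mode = os.lstat(path).st_mode
                # Symlinks always report mode 0777 on Linux, so skip them.
                if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                    world_writable.append(os.path.relpath(path, base))
    shared = {uid: sites for uid, sites in owners.items() if len(sites) > 1}
    return shared, sorted(world_writable)

def build_demo_tree():
    """Constructed sample: three sites under one hypothetical shared web root."""
    base = tempfile.mkdtemp(prefix="webroot-")
    layout = {  # relative path -> mode; directories end with "/"
        "site-a/": 0o755, "site-a/wp-config.php": 0o640, "site-a/uploads/": 0o777,
        "site-b/": 0o755, "site-b/index.php": 0o666,
        "site-c/": 0o750, "site-c/index.php": 0o644,
    }
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        if rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            open(path, "w").close()
        os.chmod(path, mode)
    return base

if __name__ == "__main__":
    shared, writable = audit_shared_webroot(build_demo_tree())
    print("docroots sharing one owner:", shared)
    print("world-writable paths:", writable)
```

Every site listed under a shared owner needs to be reviewed together after an infection, since code running in one of them can write to the others.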
