
WordPress Security Begins With Good Posture

Published in: Technology

  1. #wceu @perezbox | @sucuri_security
  4. WordPress Security: It Starts With Good Posture
  5. Background
  6. “As a species, we are risk averse when it comes to gains, but risk seeking when it comes to loss…” - Bruce Schneier, BlackHat 2014 State of Incident Response
  7. Why should I worry about security?
  8. • Audience
     • Business
     • Responsibility
  9. “The value of a network equals the square of the number of users.” - Metcalfe’s Law – Value of a Network
  10. Attacks come in many forms: malware distribution, email spam, web server abuses, phishing lures
  11. Security begins with Good Posture
  12. Security is about Risk Reduction. The risk will never be zero.
  13. As posture increases, risk reduces
  14. Lifecycle diagram: Protection, Detection, Response
  15. Lifecycle diagram: Maintenance, Protection, Detection, Response
  16. Lifecycle diagram: Best Practices / Principles, Maintenance, Protection, Detection, Response
  17. “The biggest weakness we face as a community in security is also its greatest strength as a platform – its extensibility and ease of use.” - Tony Perez
  18. Diving into the WordPress Security Lifecycle
  19. Best Practice / Principles: The Foundation
  20. Best Practice / Principles
      • Defense in Depth – Layered Defenses
      • Principle of Least Privilege – 20 admins?
      • Function Isolation (Production vs Staging vs Testing) – Soup Kitchen Servers
  21. Maintenance: It Begins with Good Administration
  22. Maintenance
      • User Management
      • Backups
      • Account Management
      • Software Management
  23. Protection: Stopping attacks from impacting your website
  24. Protection
      • Denial of Service Attacks
      • Brute Force Attacks
      • Exploitation of Software Vulnerabilities
      • Application Hardening
  25. Detection: Identifying security events
  26. Detection
      • Activity Monitoring
      • Security Scanning
      • Malware / Non-Malware Scanning
      • Indicators of Compromise
  27. Response: How do you address the problem?
  28. Response
      • Incident Handling
      • What’s an Incident?
      • Brand / Business Impacts
  29. The WordPress security plugin ecosystem: http://blog.sucuri.net/2014/09/understanding-the-wordpress-security-plugin-ecosystem.html
  30. Access Control – Login: 33% of infected websites come from poor credentials and user management
  31. Access Control
      • Whitelisting Access
      • Two Factor Authentication
      • Password Managers
  32. Online Habits: Your security goes beyond just the application
  33. Online Habits
      • Local AntiVirus – Mac / Windows
      • Personal Virtual Private Networks
      • Auto Play / Enabled JS
  34. When all else fails, enlist the help of professionals
  35. Get in touch
      Let’s get social:
      • Twitter: @perezbox
      • Twitter: @sucuri_security
      • Facebook: /SucuriSec
      Read what I write:
      • http://blog.sucuri.net
      • http://tonyonsecurity.com
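The Protection (slide 24), Detection (slide 26) and Access Control (slide 31) bullets name brute force attacks, activity monitoring, indicators of compromise and whitelisted access without showing what those look like on a server. The following is an added example, not from the talk and not Sucuri's code: a small Python detector that reads web-server access-log lines in the common Apache/nginx combined format, counts POST requests to wp-login.php per source IP inside a sliding time window, skips addresses on an administrator allowlist, and reports the IPs that reach a threshold as indicator lines. The log lines, IP addresses, threshold and window size are all constructed for the demonstration.

```python
"""Brute-force login detection over WordPress access logs (added example).

Counts POST requests to wp-login.php per source IP inside a sliding time
window, ignores addresses on an administrator allowlist, and reports the
IPs that reach a threshold. Log lines, addresses and limits below are
constructed for the demonstration, not taken from a real site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"

# Constructed sample log: 203.0.113.7 hammers the login form, 198.51.100.20 is
# a normal user (one typo, then a successful 302), 192.0.2.10 is an admin on
# the allowlist producing the same burst as the attacker, plus one bad line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "curl/7.38"
203.0.113.7 - - [10/Jun/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "curl/7.38"
198.51.100.20 - - [10/Jun/2015:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2104 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "curl/7.38"
198.51.100.20 - - [10/Jun/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "curl/7.38"
203.0.113.7 - - [10/Jun/2015:10:00:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 1532 "-" "curl/7.38"
this line is not in combined log format and must be skipped
198.51.100.20 - - [10/Jun/2015:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2015:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2015:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2015:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2015:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2015:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def is_allowlisted(ip, networks):
    """True if ip falls inside any of the allowlisted CIDR networks."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def detect_bruteforce(lines, allowlist=(), threshold=5, window_seconds=60):
    """Return {ip: peak attempts in one window} for non-allowlisted IPs whose
    POSTs to wp-login.php reach `threshold` inside `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    networks = [ip_network(cidr) for cidr in allowlist]
    recent = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        if is_allowlisted(rec["ip"], networks):
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(len(q), flagged.get(rec["ip"], 0))
    return flagged


def report(flagged):
    """Render flagged IPs as indicator lines for a ticket or a block list."""
    return [f"{ip}: {n} login POSTs inside the window" for ip, n in sorted(flagged.items())]


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG.splitlines(), allowlist=["192.0.2.0/24"])
    print("\n".join(report(hits)) or "no brute-force activity found")
```

Running the script on the constructed log flags only 203.0.113.7: the legitimate user's two attempts stay under the threshold, and the admin's burst is ignored because 192.0.2.10 sits in the allowlisted range. Tightening the window to a couple of seconds makes the same bursts fall below the threshold, which is the trade-off a practitioner tunes when turning this kind of activity monitoring into a block rule.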
