Accounting for Website Security in Higher Education
#AskSucuri #HighEdWeb

Editor's Notes

  1. My name is Tony Perez, perezbox online, and I am the Co-Founder / CEO of Sucuri. Sucuri is a website security company that specializes in incident response services and cloud-based hack prevention.
  2. For those unfamiliar, Sucuri is a website security company that specializes in post-hack incident response services and cloud-based hack prevention. In other words, we clean infected websites and work hard to keep hackers out. We’ve worked with a number of organizations in this room, assisting with post-compromise incident response as well as deploying solutions that provide better visibility and prevention.
  3. I will use that experience to hopefully provide better context around today’s threats and to offer you a way to think about and account for website security. This discussion is divided into three key domains. We’ll start with the Why: why does website security even matter to me? We’ll progress into the What: what are these cybercriminals doing in our environments? And finally, we’ll end with what I hope is a very practical approach to how to think about and account for security within your respective institution, regardless of size.
  4. To achieve this I will leverage a concept known as Defense in Depth, a principle that has been around for millennia, with the first signs of its implementation dating back to the Second Punic War (216 B.C.). The InfoSec community eagerly adopted the principle as the best and most practical approach to accounting for the evolution of cyber attacks over the years. The premise of the ideology is based on one very simple principle: there is no single solution capable of protecting any environment 100%. To combat this we employ the idea of layered defenses, in which we deploy multiple defensive mechanisms that have overlapping features and complement each other, in the hope that if one fails, another will pick up the slack.
  5. On a quick note, here is the blueprint of the first ever castle, dating back to 1295, which illustrates how a defense in depth strategy was employed. You can see the moat that was designed to keep the attacker from breaching the walls. You can see the multiple walls and towers where they would have spotters, and you can see how access would be controlled. Things to consider..
  6. A good defense in depth strategy looks at not only the depth of the defensive controls, but also takes into consideration the breadth of the attack surface and the differing tools across the stack. This approach gives you a more complete picture of today’s threat landscape. It clearly illustrates that security extends well beyond the application or its extensible components. The goal with this strategy is to employ a more holistic approach to website security.
  7. Website security is but a very small piece of the security ecosystem for any organization, though; it’s often overlooked and understaffed. In fact, in many ways website security is likely the most undervalued security domain within most organizations, not just education. Those responsible for its maintenance are often the marketing / communications person who drew the shortest straw or was voluntold to add a new job to their role (“but don’t worry, it’ll only take 10% of your time”). The teams that do exist lack funding, skills and knowledge of where to even start, and therein lies the problem...
  8. In higher education you can boil the network security requirements down to three distinct business functions. Each one today has not only to worry about internal network and device issues, but each has its own external web presence that connects the network with the rest of the internet...
  9. In fact, in a SANS study of the higher education space in 2014, they found that 64% of the security respondents surveyed were concerned not only about their endpoint devices, but were equally concerned about their web applications.
  10. This should be no surprise taking into consideration the decentralized nature of higher education networks. Educational institutions were built on the idea of trust. They are open and diverse environments that encourage collaboration. Those are all the qualities that make them extraordinarily difficult to defend. This ideology is also problematic in that it bleeds into their being early adopters of technologies that share that mindset.
  11. We can see this take place in the adoption of open-source technologies. Today the open-source craze is in full effect in all organizations; it’s especially true in the web ecosystem, from the adoption of open-source web servers (Apache, NGINX) to the adoption of open-source CMS applications like WordPress, Joomla! and Drupal. While it’s impossible for me to guesstimate how many of you are using / deploying these technologies, I’d venture to say more than ¾ of you in this room have some charter to manage, deploy and make available some variation of one of these technologies to your various business units. Which is deployed is likely heavily dependent on the in-house skills you have at your disposal.
  12. The one feature that resonates with higher ed when it comes to open-source is that it’s the right price tag: “Free”. But we have to remember that Free does not mean free of effort, labor or responsibility.
  13. ********* This is a re-designed version of the previous slide. Felt like the clipboard didn’t properly represent “a process”. Maybe the “timeline” does a better job of that?
  14. The same SANS study from 2014 found that 64% of the security teams surveyed believed they required up to 5 FTEs, but 43% had 1 FTE or less. Note that this survey was not done specifically for website security, but for all of security pertaining to their schools. This is the dire state higher education finds itself in...
  15. This will undeniably come to a head, as it has in so many industries in the past. In fact, in 2015 educational institutions finally had enough security incidents to make it into the Symantec Internet Security Threat Report, ranking #6 in terms of frequency of exploits against their websites.
  16. As for what they are after? It’s fairly simple; I boil it down to four things in higher education:
     - Valuable information: Personally Identifiable Information (PII), Personal Health Information (PHI), Intellectual Property (IP), research, and other sensitive information.
     - Powerful infrastructure: servers, network bandwidth and availability, power.
     - Search ranking: extremely attractive. Backlinks from .edu sites are highly coveted. They’re given special treatment by search engines, forgoing some of the controls that private organizations are restricted to. When a link is coming from a high-trust source like a university, Google seems to overlook factors like domain or page relevancy, title or other on-page SEO elements.
     - Audience: the user base is rich in terms of targets for drive-by download attacks, from businesses and government organizations to students.
  17. They achieve their goals through one of these five actions on objective:
     - Data breach: in line with valuable information, the most expected compromise is likely data exfiltration. A study was performed in 2014 by the EDUCAUSE Higher Education Information Security Council (HEISC) in which, using data provided by the Privacy Rights Clearinghouse (PRC), they found that while the education industry does have a larger number of reported breaches, it also has fewer records exposed. This doesn’t remove the responsibility we have to ensure the safekeeping of our data, but it does speak to the effectiveness of the controls being put in place.
     - Search engine poisoning: just a few weeks ago eTraffic (a web marketing company) shed light on a huge backlink campaign affecting 76 universities, including a few Ivy League schools, in which attackers were able to systematically compromise their websites and inject anchor links throughout the content of their sites, creating very valuable backlinks to a website of the attackers’ choice (which happened to be a gambling site they were an affiliate for). This is but one example; other forms of campaigns include spam injections right into the content, and redirects from search engine results to properties of their choice.
     - Defacements: while we see a decrease in defacements as a whole, perhaps the one industry most affected by defacements, second probably only to government, is higher education. They are brought about by hacktivism to promote a social or political position.
     - Malware distribution: educational websites, especially research groups, make great targets for watering hole attacks used to leapfrog into larger enterprises. In watering hole attacks, cybercriminals interested in a target compromise a website that their specific audience is likely to visit (think research groups); by infiltrating one of those properties, they’re able to indirectly attack an organization by affecting the visitor through some form of “drive-by download” attack.
     - Botnet inclusion: one evolution we continue to observe is attacks whose action on objective is not the exfiltration of data, the distribution of malware or the abuse of ranking authority. Instead, it’s the desire to bolster their network capabilities for use in other, larger-scale attacks, and they achieve this by targeting the infrastructure itself.
  18. Fun little fact: higher education ranks as one of the top industries for data breaches, second only to the medical industry. Interestingly, however, a study by the EDUCAUSE Center for Analysis and Research found that while historical data showed that educational institutions seemed to have a larger number of reported breaches, they also had fewer actual records exposed.
  19. Attackers are able to compromise our environments by making use of two types of attacks:
     - External attacks: brute force attempts; exploitation of software vulnerabilities; security misconfiguration.
     - Internal attacks: cross-site contamination; server / infrastructure misconfiguration.
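The first external attack type listed above, brute force attempts against CMS login pages, is one of the few that shows up plainly in ordinary web server logs. The following detector is an added example, not code from the deck or from Sucuri: it runs over constructed Apache-style access log lines and flags any client that fails a login threshold inside a sliding time window. It assumes the common heuristic that a POST to a login endpoint answered with the login form again (HTTP 200) is a failed attempt while a successful login redirects (3xx); the endpoint paths, the threshold and the window are assumptions to tune per platform.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed Apache combined-log lines (made up for this example, not from any real server).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2015:14:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1207 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2015:14:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3845 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2015:14:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3845 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2015:14:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3845 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2015:14:00:20 +0000] "POST /user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2015:14:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3845 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2015:14:00:27 +0000] "POST /wp-login.php HTTP/1.1" 200 3845 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2015:14:00:40 +0000] "POST /user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2015:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3845 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2015:14:01:10 +0000] "POST /user/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Oct/2015:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3845 "-" "curl/7.40"
192.0.2.77 - - [12/Oct/2015:12:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3845 "-" "curl/7.40"
192.0.2.77 - - [12/Oct/2015:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3845 "-" "curl/7.40"
192.0.2.77 - - [12/Oct/2015:13:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3845 "-" "curl/7.40"
192.0.2.77 - - [12/Oct/2015:14:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3845 "-" "curl/7.40"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Login endpoints of the platforms named in the talk (WordPress, Drupal, Joomla!); assumed defaults.
LOGIN_PATHS = {"/wp-login.php", "/user/login", "/administrator/index.php"}

Event = Tuple[datetime, str, str, str, int]


def parse_line(line: str) -> Optional[Event]:
    """Return (timestamp, ip, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # drop any query string before matching the path
    return ts, m["ip"], m["method"], path, int(m["status"])


def is_failed_login(method: str, path: str, status: int) -> bool:
    # Heuristic (assumed): a POST to a login page answered with the form again (200) is a
    # failed attempt; a successful login redirects (3xx). GETs merely render the form.
    return method == "POST" and path in LOGIN_PATHS and status == 200


def detect_bruteforce(log_text: str, threshold: int = 5, window_minutes: int = 5) -> List[Tuple[str, int]]:
    """Flag IPs with >= threshold failed logins inside any window; returns [(ip, total_failures)]."""
    window = timedelta(minutes=window_minutes)
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])  # the sliding window needs chronological order
    recent = defaultdict(deque)      # per-IP timestamps of failures still inside the window
    totals = defaultdict(int)
    flagged = set()
    for ts, ip, method, path, status in events:
        if not is_failed_login(method, path, status):
            continue
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # expire failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(((ip, totals[ip]) for ip in flagged), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG):
        print(f"{ip}: {n} failed login attempts")
```

In the sample, the slow client that spreads five failures over two hours is deliberately not flagged with the default five-minute window; widening the window (or counting per username rather than per IP) is the usual next step when attackers rotate source addresses or throttle themselves, and the flagged list is what you would feed to a WAF or rate limiter rather than act on by hand.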
  20. The leading contributing attack vector today continues to come from software vulnerabilities being remotely exploited. To help combat this we have to have better conversations around vulnerability / patch management and we need to: 1 - look to implement some form of prioritization system 2 - leverage tools that allow us to virtually patch without affecting production environments
  21. Perhaps the great injustice we’re doing to ourselves telling everyone to “just update” … If it was that easy to do, people would be doing it. Most people in here can’t update their phones, let alone their desktops, let alone their websites. This is not to say that updates are not valuable, the contrary.. They are… but there has to be a better way to apply them when they’re made available. They also only address “known knowns”
  22. So how do we account for this? Understanding our challenges, where do we go from here?
  23. The first step, as introduced earlier, our websites are part of a complex ecosystem and complex things break in complex ways…
  24. We need to look at the entire attack surface we’re working with and recognize the areas that affect our application and identify the people that are responsible for each…
  25. Every one of these domains creates what is known as the security chain.. In security we’re only as strong as the weakest link in the chain…
  26. We can also look to understand the anatomy of today’s web attacks by spending some time better understanding how attackers perform the attacks themselves. The best illustration of this can be seen in the Lockheed martin kill chain model in which they illustrate the different phases and attacker goes through when attacking an environment. Although originally built for enterprise networks, this model an be adjusted and applied to the website environment as well…
  27. The only problem with the LM Kill Chain model is that it proposes the idea that by identifying an intrusion earlier in the process you’re able to effectively mitigate a compromise. It is built on the assumption that the attacker works linearly through this flow, but that’s not true when working with external web properties. Because of the technologies at our disposal attackers are able to skip steps through the life cycle. We propose that each phase can definitely be used to develop a plan to implement different controls designed to account for each phase, but don’t think of it as a singular event. Instead, we have to be looking at the entire lifecycle and have controls along the entire process.
  28. *** HACKERS WERE BLINDLY ATTACKIN WEBSITES. BLINDFOLDED BOXER / BLINDFOLDED BOMB / HACKER ICON WITH BLINDFOLD A perfect example is to look at the RevSlider vulnerability, a plugin in WordPress, or Drupalgeddon, a SQLi vulnerability in Drupal core. Two platforms that many in this room are likely intimately familiar with. Revslider alone has seen 100’s of thousands of websites compromised since its disclosure in 2014. Drupalgeddon on the other hand is probably one of the more severe vulnerabilities in recent history affecting any of the core open-source platforms - WordPress, Joomla, Magento, Drupal. In either case, when these vulnerabilities went into the wild we noticed two types of attacks. In some instances, attackers were scanning looking for sites, associated with Phase 1 of the model, but in most instances the attackers jumped right into Phase 4 (exploitation) and instead of looking to see which platforms were being used, just immediately commenced with exploitation attempts. If it was successful, great! If not, no harm no foul.
  29. There are of course other contributing factors I believe contribute to the challenges we’ve discussing… based on my own observations working with other institutions such as many in this room: There is no centralized management of external websites The configuration / change control processes are too stringent not accounting for high severity issues. There is no visibility into what external sites exist actually exist There is no ownership on the site This shouldn’t be a surprise to many here, and it doesn’t begin to look at the challenges around qualified personnel or money. But it highlights some interesting areas that I think can definitely be improved upon.
  30. For most organizations we work with, website security is an afterthought, and I want to try and change that… one way is to provide you with a simple, repeatable framework that you can adjust to your liking..
  31. To achieve this, I’ll leverage concepts from NIST and adjust them for our own purpose…
  32. The basis of the framework, along with many aspects of security is Risk.. Specifically Risk Management.. Risk management is an ongoing process of identifying, assessing and responding to risk. To achieve this, an organization must understand the likelihood of an event occurring and the impacts if it does.
  33. On a side note… here are the regulatory drivers defining risk to assets and asset criticality for PII, as defined in the same SANS 2014 higher-education study of security professionals.
  34. For example: Assume I have built a student portal using an open-source technology like Drupal. I have a stringent change control process for pushing and updating things in production (including security updates).
  35. A potential risk might be the release of a vulnerability that I’m unable to patch in a timely manner. The likelihood of this event coming to fruition is high based on the state of today’s online threats, and the impacts could be devastating if a bad actor was able to gain access to sensitive customer data. A classic example of this use case can be seen with Drupalgeddon in 2014. Every organization is responsible for identifying and aligning the risk with criticality within their own organization’s business objectives. In short, it’s on each organization to build and identify their own risk tolerance. This can be as high or as low as you want to make it, and there are a number of documents available to help you in the process.
  36. Additionally, we have to spend a few minutes talking about Goals… As an organization, what are you looking to achieve? Your goals will help dictate the paths you take and also help prioritize... What are your goals with security? What are we looking to do?
  37. Whatever they are, they too are a continuous process and must be expanded upon. As you move down the list, you don’t forget about them; instead they become part of your sustainment process while you expand the list with new goals to address. By breaking the process into small manageable pieces you’re able to make better progress in improving your overall security posture.
  38. The framework NIST proposes, and the one I think we can leverage, is divided into five functions, categories, subcategories and informative references. The benefits of the framework are that it offers: a way to describe your existing security posture; a way to identify and prioritize opportunities for improvement; a common taxonomy for all organizations; a communication medium to talk about security risks.
  39. The Framework Core is comprised of five concurrent and continuous functions: Identify, Protect, Detect, Respond, Recover. These functions are then divided into key Categories, Subcategories and references as appropriate. The framework is not designed to facilitate a checklist mindset, but is built to help prioritize security activities.
  40. When you put it together, this is what the framework looks like, and using the structure we just defined we can start filling in the table.
  41. Often though, we as organizations place all our emphasis on Protection and Detection, but forget the other functional domains.
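  Filling in the table from slides 38 to 41 can be done as a small current-versus-target profile, which also makes the Protect/Detect imbalance of slide 41 visible as a number. This is an added example and not material from the talk or from NIST; the Function and Category identifiers are the ones published in the NIST Cybersecurity Framework Core (a subset of them), while the 0 to 4 maturity scores and both profiles are constructed for illustration.

```python
# Subset of the NIST CSF Framework Core: Function -> {Category id: Category name}.
# Identifiers as published by NIST; only a few categories per Function are listed.
CSF_CATEGORIES = {
    "Identify": {"ID.AM": "Asset Management", "ID.RA": "Risk Assessment", "ID.GV": "Governance"},
    "Protect": {"PR.AC": "Identity Management and Access Control",
                "PR.IP": "Information Protection Processes and Procedures",
                "PR.MA": "Maintenance"},
    "Detect": {"DE.CM": "Security Continuous Monitoring", "DE.AE": "Anomalies and Events"},
    "Respond": {"RS.RP": "Response Planning", "RS.MI": "Mitigation"},
    "Recover": {"RC.RP": "Recovery Planning", "RC.IM": "Improvements"},
}
FUNCTION_ORDER = list(CSF_CATEGORIES)

# Constructed maturity scores per category, 0 (nothing in place) to 4 (adaptive).
# CURRENT_PROFILE mirrors the slide-41 pattern: effort concentrated on Protect/Detect.
CURRENT_PROFILE = {
    "PR.AC": 3, "PR.IP": 2, "PR.MA": 2, "DE.CM": 3, "DE.AE": 2,
    "ID.AM": 0, "ID.RA": 1, "ID.GV": 0, "RS.RP": 0, "RS.MI": 1, "RC.RP": 0, "RC.IM": 0,
}
# Target profile: the organization's own risk tolerance, here "3 everywhere".
TARGET_PROFILE = {cid: 3 for cats in CSF_CATEGORIES.values() for cid in cats}


def function_coverage(profile):
    """Average score per Function, so the neglected Functions stand out."""
    return {
        func: round(sum(profile.get(cid, 0) for cid in cats) / len(cats), 2)
        for func, cats in CSF_CATEGORIES.items()
    }


def neglected_functions(profile, threshold=1.0):
    """Functions whose average score is below threshold, in Framework Core order."""
    return [f for f, score in function_coverage(profile).items() if score < threshold]


def gap_report(current, target):
    """(gap, function, category id, category name) for every category below target,
    largest gap first, ties broken by the Function's position in the Core."""
    gaps = []
    for func, cats in CSF_CATEGORIES.items():
        for cid, name in cats.items():
            gap = target.get(cid, 0) - current.get(cid, 0)
            if gap > 0:
                gaps.append((gap, func, cid, name))
    return sorted(gaps, key=lambda g: (-g[0], FUNCTION_ORDER.index(g[1])))


if __name__ == "__main__":
    for func, score in function_coverage(CURRENT_PROFILE).items():
        print(f"{func:9} avg={score}")
    print("neglected:", neglected_functions(CURRENT_PROFILE))
    for gap, func, cid, name in gap_report(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"gap {gap}  {func:9} {cid}  {name}")
```

Because the gap list is sorted by size and then by Function order, the first items to work on come out of Identify, Respond and Recover rather than from the already well-covered Protect and Detect columns, which is the prioritisation the framework is meant to drive rather than a checklist.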
  42. I cannot stress enough the importance of this being a continuous process.
  43. And so before we break away for the afternoon, I encourage you to follow some simple steps.. 1 - leverage a sensible framework, something you can hold yourself accountable to…
  44. 2 - you need to know what you have, that’s hands down. You can’t secure what you don’t know exists..
  45. 3 - Once you figure out what your risks are, implement controls.. They extend beyond just technical controls.. Implement controls that force you to hold yourself accountable.. Maybe set up a schedule to provide some form of maintenance, like every Friday before you leave for the weekend..  The key is habit
  46. 4 - be an active member of your site if you’re the administrator.. Actively administer and manage it… there should be no one more familiar with your own site than yourself as the website owner..
  47. 5 - Revisit the process continuously.. The security threat landscape is evolving daily… it’s important you constantly check if everything is good to go or if you need to apply new controls, adjust risk.. Etc…
  48. Finally, remember that security is a continuous process and so is this process…
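  Steps 2 through 5 above (know what you have, implement accountability controls such as a Friday maintenance slot, own the site, revisit continuously) can be turned into one small recurring check over a site inventory. This is an added example, not tooling from the talk or from Sucuri; the hostnames, owners and review dates are constructed, and the "discovered hosts" set stands in for whatever source you actually use (a DNS zone export, a certificate list, a crawl).

```python
from datetime import date, timedelta

# Constructed inventory of externally facing sites. None of these are real.
INVENTORY = [
    {"host": "www.example.edu", "owner": "web-team@example.edu",
     "platform": "drupal", "last_reviewed": date(2015, 10, 9)},
    {"host": "admissions.example.edu", "owner": "admissions-it@example.edu",
     "platform": "wordpress", "last_reviewed": date(2015, 9, 4)},
    {"host": "alumni.example.edu", "owner": None,
     "platform": "wordpress", "last_reviewed": date(2015, 10, 9)},
    {"host": "events.example.edu", "owner": "student-affairs@example.edu",
     "platform": "joomla", "last_reviewed": date(2015, 8, 1)},
]

# Constructed set of hosts found by an external discovery source (e.g. a DNS zone export).
DISCOVERED_HOSTS = {
    "www.example.edu", "admissions.example.edu", "alumni.example.edu", "lab-old.example.edu",
}


def unowned_sites(inventory):
    """Step 4: every site needs a named owner; return the hosts that have none."""
    return sorted(s["host"] for s in inventory if not s["owner"])


def overdue_reviews(inventory, today, max_age_days=7):
    """Step 3/5: sites whose last maintenance review is older than the weekly cadence."""
    limit = today - timedelta(days=max_age_days)
    return sorted(s["host"] for s in inventory if s["last_reviewed"] < limit)


def reconcile(discovered, inventory):
    """Step 2: compare what exists (discovered) with what we think we have (inventory).

    unknown: hosts that exist but are not in the inventory (shadow sites).
    stale:   inventory entries that no longer show up in discovery (decommissioned or moved).
    """
    known = {s["host"] for s in inventory}
    return {"unknown": sorted(discovered - known), "stale": sorted(known - discovered)}


def next_review_date(today, review_weekday=4):
    """Next occurrence of the maintenance slot; weekday 4 is Friday, as on the slide."""
    days_ahead = (review_weekday - today.weekday()) % 7
    return today + timedelta(days=days_ahead or 7)


def weekly_report(inventory, discovered, today):
    """Everything the site owner should act on before the next Friday slot."""
    return {
        "unowned": unowned_sites(inventory),
        "overdue": overdue_reviews(inventory, today),
        "reconcile": reconcile(discovered, inventory),
        "next_review": next_review_date(today),
    }


if __name__ == "__main__":
    # Constructed run date: Monday 12 October 2015.
    for key, value in weekly_report(INVENTORY, DISCOVERED_HOSTS, date(2015, 10, 12)).items():
        print(f"{key:12} {value}")
```

Run it from the same scheduled slot you pick for maintenance; an empty report is the goal, and the `unknown` list is the one that usually surprises people, because it is the concrete form of "you can’t secure what you don’t know exists".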
  49. With that, I’ll open it up for questions from the audience if there are any.