The Gentle Art of
Website Security
#AskSucuri
DRE ARMEDA, CISSP
CO-FOUNDER OF SUCURI
KEYNOTE OBJECTIVES
• I want you to have a better grasp of how you should be thinking about website security
• I want you to Tweet me to tell me that you started training Jiu Jitsu
Security is also a continuous process, not a static state.
Joomla! World Conference 2016: Dre Armeda - The Gentle Art of Website Security

Editor's Notes

  1. I got out of the military 9 years ago. Thanks to all of our active duty servicemen and women, and all those who ever served! I was a heavy smoker and absolutely complacent after some time in the civilian world. My idea of exercise was moving from one couch to another. That picture is from over 20 years ago. I was a skinny kid in great shape, a kid who just wanted to work on computers. A couple of years after I got out of the Navy, I was fortunate enough to team up with Daniel Cid and Tony Perez. NEXT -> We founded Sucuri Inc.
  2. We founded Sucuri Inc. Man, many, many long nights we spent cleaning up malware infections and working to fix client websites. We were super competitive with each other. Let's see who cleans more websites every day. Let's see who has the highest total at the end of the month.
  3. In 2012 Tony and I travelled to Brazil to meet with Daniel for our yearly planning and forecasting. I quit smoking that trip and never looked back. In fact, I picked up a new habit…EAT ALL THE THINGS! Don’t judge me! Judge-free zone right now, k? Now at the time, Daniel was training Jiu Jitsu, and Tony had been on the mats for a couple of years. In fact they would mess with me and would often try to convince me to check it out and start training. I would tell them that to me it was a spectator sport. Maybe they were worried for my health. Maybe they just really wanted to choke me. I’m still not sure. Instead of picking up Jiu Jitsu, I ate. And it was delicious! By the summer of 2013 I had ballooned to 270+ pounds. I was living large! Something funny happened that put me in control of my health, and it happened in an odd way. They opened a Carlson Gracie Jiu Jitsu school two miles from the house. Tony, who was coming off some injuries, told me he was signing up, and again I laughed a bit and kindly declined… Interestingly enough, the timing was odd, but around that same week my oldest daughter Hallie told me she wanted to fight MMA like Ronda Rousey. Yeah, Ronda Rousey!
  4. Remember spectator sport…oh boy. I told her, look, that’s interesting, and if it’s something she wanted to do I would like it if she explored learning her ground defense first. I told her that her uncle Tony had begun Jiu Jitsu at the new school and if she wanted to go check it out, we could. She said sure. We went over there and met with the professor and watched as Tony and the students drilled and sparred. I saw this look in Hallie’s eye that concerned me… I asked her what she thought, and without a second of delay she said to me, “Dad, I want to join…but I will only do it…if you do it too!” This picture isn’t all-inclusive. Folks, I have 5 daughters. Yes, 5 daughters. Not only did Hallie convince me to start BJJ, but 3 out of her 4 other sisters followed suit, all for at least 1 yr, and each competed. The little one is starting in January! As for me…
  5. Spectator sport… Who knows Jiu Jitsu?
  6. A history of BJJ and where it started and why. Japanese Jiu-Jitsu (practiced as Judo) was introduced to the Gracie family in Brazil around 1914 by Esai Maeda, who was also known as Conde Koma. Maeda was a champion of Jiu-Jitsu and a direct student of Kano, at the Kodokan in Japan. He was born in 1878, and became a student of Judo (Kano's Jiu-Jitsu) in 1897. The overall fighting strategy of Brazilian Jiu Jitsu is designed to equip a physically smaller or weaker individual with an effective method of defending against a larger and stronger attacker. When applying BJJ techniques, leverage is paramount, as leverage is the secret to the amplification and most efficient use of force. BJJ also has the most developed methods of fighting while on one's back, a position weaker fighters will often find themselves in when attacked. “Jiu-jitsu” translates from the Japanese as “the gentle art.”
  7. Before I continue my long-winded stories, let me introduce myself. I’m Dre Armeda, CISSP, Co-Founder of Sucuri. Before Sucuri, I was CEO and Founder of a small website development agency, and most recently I served as CMO at WebDevStudios, an agency that created sustainable web applications and websites for companies like Microsoft, Discovery Channel, and Campbell’s Soup. I started BJJ about 3.5 yrs ago, many years after I started working in security or making websites. I also spent 12 yrs in the US Navy before venturing into the civilian sector and Co-Founding Sucuri. I even got my CISSP… well before I earned my blue belt in Jitz; both are big milestones in my life. -- LOOK, folks. Website security shouldn’t be a spectator sport, it’s a journey! You can’t just lay on the couch and think things are gonna be OK. It’s not gonna work!
  8. The reason I told you that story is because I think there are some important connections that can be made between Jiu Jitsu and website security. My goal by the end of this talk is twofold. I want you to have a better grasp of how you should be thinking about website security. I want you to Tweet me to tell me that you started training Jiu Jitsu. Alright! So here we are…anyone want to spar? Let me start with a breakdown of the current state of affairs as well as some things to consider when thinking about security. I’ll try to tie it back into Jitz; hopefully you go check it out.
  9. I always like sharing different statistics with my audience to help provide better context on why we should be having this conversation and how it applies to us all… I do this because it's important to understand the scale we’re working with and where we, and our web properties, fit… As of last week, we were right at about 1.1 Billion active websites according to Internet Live Stats. The 1B club was first reached in September of 2014, as confirmed by NetCraft in its October 2014 Web Server Survey.
  10. Of the 1.1 Billion, about 33% are powered by some form of CMS - open or closed.
  11. CMS-powered websites. Let's divide that further: 73% of that 33% are powered by four platforms: Drupal, WordPress, Magento and Joomla! Almost 80% of all CMSs are open source.
  12. Want to know one of the things that suck about websites? Vulnerability management through things like upgrades and updates is generally ineffective. This frankly should not be news to most of us. Not because they don't work, but because they never get done. So the question for me becomes: why is this the case? What are the challenges contributing to this? This led us to an interesting study by Northbridge in which they analyzed a bunch of organizations and how they work with open-source technologies…
  13. Oddly enough, 33% might sound familiar here. Just like CMS market share, Northbridge noticed that approximately 33% of companies had no process for identifying, tracking or remediating known vulnerabilities.
  14. 47% of those same companies didn’t even know what open-source technologies they were responsible for tracking.
  15. 50% of the companies had no one responsible for the open-source vulnerabilities. Think about that for a moment. Do you draw any similarities between that study and your own organization? How about that study and the organizations you support? Your clients? How many of you in this room, whether agency or consumer, developer or just happy beer-drinking geek, really know… or even have a grasp on the technologies you’re deploying? Think beyond Joomla here, folks. How many of you have someone that you can hold accountable when it comes to security?
  16. Perhaps the biggest reason I can find as to why these problems exist is a fundamental lack of understanding of security. In most security conversations we try to hone in on the "real" problem as if it's new. We constantly look for the "quick fix" to the problem. There is this overemphasis on finding the latest tool to satisfy a check box… and less time spent trying to understand what the tool is meant to do, what problem it's meant to solve or, more importantly, how that tool aligns with your specific security objective. Security is much more than a tool or configuration. It’s a mindset. It’s a process.
  17. It’s a continuous process! Security is built on three core pillars: People, Process, Technology. None of these pillars are meant to exist on their own. They are meant to work in unison. Deploying only the technology without having a process in place… or the people to manage it is setting you up for failure. Look, I’m a blue belt. It’s like me going out and trying to compete against a brown belt, or black belt. All I want to do is throw in an arm bar, and by the time I realize it ain’t gonna happen, it’s too late. The ref’s picking up my legs and waking me up from a nap! CUE
  18. Just like on the mat, attackers are looking for opportunity. The reality of most website attacks is they are automated and opportunistic.
  19. This makes their tactics highly effective. There’s a huge footprint for attack. Websites get compromised en masse through automation. There are “targeted attacks”, but the ones affecting 95% of website owners are what we’d consider to be “targets of opportunity”. When I look at the vectors an attacker might abuse, I divide them into three distinct groups:
  20. When I look at the vectors an attacker might abuse, I divide them into three distinct groups: External Attacks, Internal Attacks, Reflective Attacks. External attacks are those we’re probably most familiar with: an attacker exploits a vulnerability remotely, think a SQLi / RCE type vulnerability. An internal attack refers to the concept of cross-site contamination, in which an attacker is able to move laterally within your environment. Reflective attacks is not exactly the most appropriate name, but it is meant to describe attacks that are able to abuse your website resources without compromising it. Think malvertising or abusing a third-party integration like jQuery. Ultimately, attackers have an objective.
  21. Actions on objective refers to the things an attacker might want to do with your web property. The impacts of each will vary greatly depending on your organization and audience. The most common in people’s minds is the distribution of malware, using your website as a distribution mechanism. But attackers are smart and have found a number of uses for your websites, uses that are sometimes difficult to detect and in many instances have greater impacts. They range from leveraging your infrastructure resources to attack other properties (think DDoS) to using it in spear phishing campaigns against organizations around the world. Once successful, what the attackers are able to do with your site varies greatly. The web is actually still the number one distribution mechanism for malware. But there are many other actions attackers take once successfully in your environment. Things like SEP attacks, which I’ll get into a bit more, using the site as part of spear phishing campaigns, using the system for email spam campaigns, defacements, and other nefarious actions like abusing the system resources.
  22. The one I will call your attention to, though, is SEP attacks. The fastest growing to date (currently at about 38% of the infections we work on) is what is known as Search Engine Poisoning (SEP) attacks.
  23. To that same point, over 60% of the infected sites we work on have some backdoor embedded within the system. These backdoors ensure the attacker is able to retain access to the environment even after an infection is removed. Not removing these can prove detrimental and bring about a lot of anxiety, as reinfections will continue.
  24. What we need to remember is that whether or not we see value in our own web properties, for attackers the value is great. Your website is another connected device that can be added to a larger botnet, be used to disseminate some traffic, or otherwise be used to abuse or confuse everyday online visitors. Attackers are becoming more innovative in the tactics they are employing.
  25. I want to share a few examples to help illustrate their ingenuity. This specific example speaks to attackers that are targeting the checkout pages on ecommerce sites. In this attack, the attacker is tricking the user by infecting the checkout page, where they redirect the user to a malicious site (that looks and feels the same) but is designed to steal the buyer's credit card information. In this example the business owner loses customers, loses revenue, and faces potential fines from regulatory bodies. https://blog.sucuri.net/2016/07/phishing-attacks-target-ecommerce-checkout-pages.html
  26. In this example, the attacker was able to maliciously redirect a site's traffic by adding a name server to the site's DNS records. Doing this made it exceptionally difficult to identify the hack because it wasn’t the actual site, it was a specific condition that would redirect the user. https://blog.sucuri.net/2016/07/fake-freedns-used-to-redirect-traffic-to-malicious-sites.html
  27. Going to talk about cross-site contamination, so showing an image of tunnelling between different sites on the same server. :) https://blog.sucuri.net/2016/09/hacking-wordpress-sites-shared-servers.html
  28. The thing with risk, however, is it can get out of control very fast. We have to be sure to: clearly define scope (what are your objectives, applicable restrictions or specific conditions, and the outcomes required); recognize that risk will never be zero; understand that it is a continuous process; and understand that clearly identifying your risk tolerance will help you prioritize your security activities. You can’t do everything, and in many cases it’s unattainable and / or unsustainable.
  29. There is no single unique solution capable of providing 100% protection.
  30. Implement complementary overlapping defensive controls designed to identify and mitigate attacks.
  31. These examples hopefully help provide some perspective into the complex world that we’re living in today when it comes to website security, and go to show you why in security we subscribe to a very simple concept known as Defense in Depth. It’s the idea that we deploy a series of overlapping defensive controls across our stack, all designed to work in unison with one another. We must also look not only at the depth of the controls we deploy, but at the breadth of the attack surface we’re working with and the various security domains that exist.
  32. In my Jiu Jitsu journey I have tried to apply the same principles. It’s very different today from when I first started training, or even competing. I have learned that building a strategy…a game plan with various layers of defense gives me the best opportunity to dominate my opponent, big or small! For those of you that know BJJ, you understand that the fresh white belt goes about 100 miles per hour and during a 5 minute sparring session may turn green and vomit. It’s hard at first, but eventually you learn to conserve your energy. You learn what moves are important, and which ones are just unsustainable. You slow down and you start to understand the risks you’re dealing with on the mat. You start to implement the appropriate controls to mitigate those risks. Jiu Jitsu is a continuous journey. You honestly never stop learning. Like security, there are impacts to you on the mat. Mainly getting put to sleep or getting an arm broken if you’re caught with your guard down. Impacts nonetheless.
  33. There can be significant impacts to you if you don’t take security to heart. If you're thinking that it doesn’t apply to you, or that you’re too small to think about this, I’d highly encourage you to reconsider. Compromises happen to organizations of all sizes and the impacts are real. We categorize these into two distinct groups. Business: brand, economic, emotional, liability. Technical: blacklisting, SEO impacts, visitor compromise, network tunneling.
  34. I hope this discussion was helpful for you. I hope that you have learned that being proactive with your website security can put you in a better position to reduce risk. Don’t wait for the attackers; trust me, they are already coming for you. Be aggressive and calculated. Build a game plan and think beyond just your toolset. Layer your defenses. And close out the match. Get off the couch and don’t be a spectator.
  35. After 3+ years on the mat, I am now on the verge of being promoted to purple belt, which is exciting. More exciting is the fact that I lost 70 lbs training Jiu Jitsu and it has become a sort of therapy that I never would have found standing on the sidelines. Immerse yourself. Learn to intelligently defend yourself. Reach your podium. Be a champion for website security. And who knows, maybe you too will play the Gentle Art.
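As an added example, not code from the talk or from Sucuri's tooling: one of the overlapping controls note 30 calls for, and the check that catches what note 23 describes (a backdoor left behind after the visible infection is cleaned). It records a SHA-256 manifest of the web root after cleanup and on later runs reports files added, modified or removed. The Joomla-style directory names in SUSPECT_DIRS and the constructed sample tree in demo() are assumptions.

```python
"""Baseline-and-diff file integrity check for a CMS web root."""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories that hold content, not code, in a typical Joomla layout (assumption);
# a new .php file appearing here after cleanup is the classic leftover-backdoor signal.
SUSPECT_DIRS = ("images/", "tmp/", "cache/", "media/")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, path: Path) -> None:
    """Store the post-cleanup baseline; keep it outside the web root."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed, or whose hash changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def triage(diff: dict) -> list:
    """Rank findings so a reviewer looks at the likely backdoors first."""
    findings = []
    for p in diff["added"]:
        if p.endswith(".php") and p.startswith(SUSPECT_DIRS):
            findings.append(("HIGH", "new PHP file in content directory", p))
        else:
            findings.append(("MEDIUM", "new file since baseline", p))
    for p in diff["modified"]:
        findings.append(("HIGH", "file changed since baseline", p))
    for p in diff["removed"]:
        findings.append(("LOW", "file removed since baseline", p))
    return findings


def demo() -> dict:
    """Constructed scenario: clean baseline, then a dropped file and a modified core file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "public_html"
        (root / "images").mkdir(parents=True)
        (root / "index.php").write_text("<?php // clean entry point\n")
        (root / "configuration.php").write_text("<?php $secret = 'x';\n")
        baseline_file = Path(d) / "baseline.json"
        save_manifest(build_manifest(root), baseline_file)
        # The visible infection is gone, but a file was left behind and a core file touched.
        (root / "images" / "thumb.php").write_text("<?php // constructed placeholder file\n")
        (root / "index.php").write_text("<?php // clean entry point\n// appended line\n")
        return diff_manifests(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    for severity, reason, path in triage(demo()):
        print(f"{severity:6} {path}: {reason}")
```

Run it from a cron job against the real web root and alert on any HIGH finding; a clean site produces an empty diff.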