The document presents insights on website security from Sucuri, highlighting the importance of ensuring a safe online experience for users and the complexities of website environments. It outlines various attack vectors, the motivations behind hacking, and the potential impacts on a website's reputation and functionality. The author emphasizes the necessity of adopting a risk management approach to security, advocating for good administrative practices and professional help where needed.

1. Website Security via Sucuri
Navigating The
Online Security
Landscape
Roadmap to a Safe User
Experience

2. Tony Perez
@perezbox | @sucuri_security | http://perezbox.com | http://tonyonsecurity.com

3. @sucuri_security | https://sucuri.net
Who are we?
• Mitigate 50 million+ attacks a month.
• Scan over 3 million+ domains
• Respond to 500 + security incidents
• Secure 300,000 + websites like yours.
We clean and protect
websites, so you don't have
to.

4. Who am I?
❖ Work at Sucuri
❖ Website Security Professional
❖ Security blogger
❖ Business blogger
❖ Technology blogger
❖ and..

6. “As website owners we have a responsibility to
1)ensure that those that interact with our websites
have a safe online experience and 2) to be good
stewards of the internet by ensuring our websites
aren’t abusing it’s resources. ”
Tony Perez | Sucuri

7. Let’s build the foundation
from which we will understand
today’s threats.

8. Let’s Start With a Website

9. Environment

10. ❖ Regardless of where the website lives, the environments
are complex.
❖ There are a number of interconnecting components that
make your website operate.
❖ It’s a combination of hardware and software, meshed
together, that brings it to life.

11. Your Blog

12. The Platform that Powers Your Blog
(e.g., WordPress, Joomla, Blogger)

13. The Web Server that Runs Your Platform
(e.g., Apache, NGINX, IIS)

14. Everything That Powers Your Web Server
(e.g., Linux, Windows, ASP, PHP, Databases)

15. Complexity does not begin to describe
the various components required to
keep your website functional.

16. Granted not all things are
equal…

17. Managed Environments
vs
Self-Hosted Environments

18. Types of Configurations
MANAGED
❖ wordpress.com
❖ squarespace.com
❖ wix.com
❖ tumbler.com
❖ rainmaker.com
SELF-HOSTED
❖ wordpress.org
❖ godaddy.com
❖ bluehost.com
❖ joomla.org
❖ dreamhost.com

19. Threats exist regardless of which
approach you take. The difference, like
most things in security, comes down to
your personal risk posture.

20. Website Attack Vectors
MANAGED
❖ Access Control
SELF-HOSTED
❖ Acces Control
❖ Exploitation of software
vulnerabilities
❖ Exploitation of web server
environment

21. Today’s Online Threats

22. The online landscape is diverse, and
our websites are a critical piece of
that diversity.

23. Behavior

25. Why would
anyone hack my
website?
Your Audience !
Your Readers !
Your Resources!
Your Ranking!

26. 1 - Economic Gain

27. 2 - Hacktivism

28. 3 - Boredom

29. Impacts to your
Website / Your Brand

30. Search Engine Poisoning

31. Search Engine Result
Pages (SERP) are our
prized possessions as
content creators.
It takes months, if not
years to build good
ranking. Yet, minutes to
lose and months to rebuild.

32. Drive By Downloads

34. Blacklisting

36. Defacements

38. What can we do?

39. Let’s Talk Security

40. “As a species, we are risk adverse when it comes to gain,
but risk seeking when it comes to loss…”
- Bruce Scheier (BlackHat 2014)

41. Security is about risk
management; specifically
risk reduction not risk
elimination.

42. Security Begins
with Good
Posture

43. 1 - Defense in Depth

47. 2 - Access Control

49. 3 - Software Vulnerabilities

50. Software vulnerabilities are
beyond most of our abilities.
Leverage a Website Firewall
(WAF).

51. 4 - Good Administration

52. Good administration is so much
more than updates, but let’s start
there.

53. Security Model

54. Confidentiality
Integrity Availability
Data kept private
Data not modified Systems Available
Model designed to help
you think about your
own security posture.
How much security
should you consider?

55. Managing the security of your website
is not a Do It Yourself (DIY) project. If
what was discussed here is foreign to
you, then it’s a good time to seek
professional help.

56. “Security is not a singular event or action, but
rather a series of events and actions. It begins
with good posture and the responsibility begins
and stops with you.
- Tony Perez | Sucuri

57. Thank You

58. @perezbox | @sucuri_security | http://perezbox.com
Tony Perez