#wpewebinar
Michael Tremante, Cloudflare
Will West & Rob Hock, WP Engine
Securing Your Web Infrastructure: What, When, Why and How.
What You’ll Learn
● Common types of security threats
● Potential impact if you’re compromised
● How to mitigate these threats for your business
● Steps to help you better secure your digital footprint & customer data
● Q&A
Ask questions as we go. We’ll answer as many questions as we can after the presentation.
Slides and recording will be made available shortly after the webinar.
Use the “Questions” pane throughout the webinar.
Michael Tremante, Solutions Engineer, Cloudflare
● Recently moved to Bay Area
● Has pen tested many sites
● Initially hoped for a career in windsurfing...
Rob Hock, Product Manager, WP Engine
● 20 years in IT Ops
● Still misses carrying a pager
● Breakfast taco connoisseur
Will West, Security Architect, WP Engine
● Height: 2 Meters
● Knew PIC16F84A Assembler
● Bikes to work
Types of common security threats
Security Threats
Security threats often overlap and go hand in hand. Today we will talk about the following:
● Application Vulnerabilities
● Account Takeover
● Denial of Service (DoS & DDoS)
● Man in the middle
● Data Theft
There are many bad actors on the internet. Some are real individuals, but most are very sophisticated bots (programs) looking for vulnerabilities in your applications. How do you recognise them?
Application Vulnerabilities
Bugs in libraries, frameworks, plugins, extensions, themes, logic
OWASP Top 10 / SANS Top 25
Account Takeover
● Phishing
● Credential Stuffing
● Brute Force
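Two of the account takeover techniques on this slide leave different fingerprints in a site's authentication log, and telling them apart decides the response (lock one account versus block a source and force resets). The following is an added example, not from the webinar or either company's tooling, that labels each source IP from constructed failed-login lines; the log format, the thresholds and the field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the webinar). Assumed format, one failed login per line:
# "<timestamp> login_failed ip=<addr> user=<name>"
SAMPLE_LOG = """\
2019-05-01T10:00:01Z login_failed ip=203.0.113.7 user=admin
2019-05-01T10:00:02Z login_failed ip=203.0.113.7 user=admin
2019-05-01T10:00:03Z login_failed ip=203.0.113.7 user=admin
2019-05-01T10:00:04Z login_failed ip=203.0.113.7 user=admin
2019-05-01T10:00:05Z login_failed ip=203.0.113.7 user=admin
2019-05-01T10:01:00Z login_failed ip=198.51.100.9 user=alice
2019-05-01T10:01:01Z login_failed ip=198.51.100.9 user=bob
2019-05-01T10:01:02Z login_failed ip=198.51.100.9 user=carol
2019-05-01T10:01:03Z login_failed ip=198.51.100.9 user=dave
2019-05-01T10:01:04Z login_failed ip=198.51.100.9 user=erin
2019-05-01T10:02:00Z login_failed ip=192.0.2.44 user=frank
"""

LINE_RE = re.compile(r"^\S+ login_failed ip=(?P<ip>\S+) user=(?P<user>\S+)$")

def classify_failed_logins(log_text, min_events=5):
    """Group failed logins by source IP and label the pattern seen from each.

    brute_force:         repeated guesses against the same few accounts
    credential_stuffing: one attempt each against many different accounts, the
                         signature of a stolen username/password list being replayed
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_ip[m.group("ip")].append(m.group("user"))
    verdicts = {}
    for ip, users in per_ip.items():
        total, distinct = len(users), len(set(users))
        if total < min_events:
            verdicts[ip] = "benign"               # too few failures to call it an attack
        elif distinct / total <= 0.2:
            verdicts[ip] = "brute_force"          # same handful of accounts hit over and over
        elif distinct / total >= 0.8:
            verdicts[ip] = "credential_stuffing"  # nearly every attempt names a new account
        else:
            verdicts[ip] = "suspicious"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_failed_logins(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
```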
DoS/DDoS
DoS: Denial of Service
DDoS: Distributed Denial of Service
● Aim - disable your application so that your users cannot access it
● How - your choice
● Why - retaliation, extortion, distraction
DoS/DDoS (2)
An example of a DDoS extortion note:
Recently we were DDoS-ing Neteller: https://twitter.com/neteller/status/583363894665715712
Yes, our attacks are powerful. So, it’s your turn!
Your site is going under attack unless you pay 40 Bitcoin. Pay to 17PxcnK84x98B9TdEbUvuCeivM7yaH1x4Q
Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps, so don't even bother. At least, don't expect cheap services like CloudFlare or Incapsula to help...but you can try. :)
Right now we are running a small demonstrative attack. Don't worry, it will not be that hard (it shouldn't crash your site) and it will stop in 1 hour. It's just to prove that we are serious. We are aware that you probably don't have 40 BTC at the moment, so we are giving you 24 hours. Current price of 1 BTC is about 230 USD, so we are cheap, at the moment. But if you ignore us, price will increase.
IMPORTANT: You don’t even have to reply. Just pay 40 BTC to 17PxcnK84x98B9TdEbUvuCeivM7yaH1x4Q – we will know it’s you and you will never hear from us again. We say it because for big companies it's usually the problem as they don't want that there is proof that they cooperated. If you need to contact us, feel free to use some free email service. Or contact us via Bitmessage: BM-NC1jRewNdHxX3jHrufjxDsRWXGdNisY5
But if you ignore us, and don't pay us within a given time, long term attack will start, price to stop will go to 100 BTC and will keep increasing for every hour of attack.
IMPORTANT: It’s a one-time payment. Pay and you will not hear from us ever again!
We do bad things, but we keep our word.
DoS/DDoS (3)
Normally (D)DoS attacks aim to overload either the network or computational resources:
● Saturate the bandwidth available
● Overload the number of “packets” the operating system can handle
● Overload a particularly expensive query on your application (e.g. an inventory search)
DoS/DDoS - Impact
The most famous DDoS attack of the last couple of years is the Dyn attack (October 2016), during which a number of large web properties, including Twitter, Airbnb and the BBC, went offline for large areas of the US.
What does it mean for you? Downtime is bad…
● Lost revenue (e.g. Black Friday)
● Brand reputation
DDoS attacks are a cat and mouse game. You need to be prepared for the worst case scenario.
Man in the middle attacks (MITM)
You don’t own the network between you and your users. What if someone is listening?
An entity in an advantageous position on the network (a man in the middle) may be able to observe your traffic. Such an entity:
● Owns the network (ISPs, network providers, government)
● Runs an internet hotspot (airports, internet cafes)
● Tries to “listen” to your WiFi connection
We have mathematical tools to help us with this problem: How do Alice and Bob speak to each other secretly with Mallory in the room?
Man in the middle attacks (MITM) - Impact
If an attacker has access to unencrypted network traffic, he can:
● View usernames and passwords;
● View user details that are being transmitted over the network;
● Reverse engineer application logic;
● …. Essentially he sees everything.
Check how well your application scores with the SSL Server Test tool from Qualys.
If you perform transactions on your application you will be required to pass a PCI audit. There are strict requirements around encryption.
Data Theft/Breach
Not an attack per se, but rather the end result achieved by other attack methods, for example:
Type                        Description
DNS spoofing                Send users to a fake website
Snooping data in transit    E.g. MITM attacks
Brute force login attempts  E.g. account takeovers, or forcing credentials from previously stolen user databases
Malicious payload exploits  Via application vulnerabilities
User data leaks are probably the number one worst-case scenario for IT companies… the potential reputational damage is difficult to predict and will vary based on what is leaked.
How to mitigate these threats for your business
HTTPS
+ Authenticity
+ Confidentiality
- MITM
Even better - add HSTS
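HTTPS answers the MITM slides above; "add HSTS" means sending a Strict-Transport-Security policy so browsers refuse plain HTTP for the site, and a weak policy quietly gives that protection back. As an added example that is not from the webinar or either company's tooling, the check below parses the header a server sends and reports what would make it ineffective; the two header values are constructed, and the one-year floor is an assumption (it matches what browser preload lists require).

```python
import re

# Constructed header values (not from the webinar), as sent in
# "Strict-Transport-Security: <value>" on an HTTPS response.
WEAK_HEADER = "max-age=300"  # five minutes: the policy lapses before most return visits
STRONG_HEADER = "max-age=31536000; includeSubDomains; preload"

ONE_YEAR = 365 * 24 * 3600  # assumed minimum; also the floor browser preload lists require

def parse_hsts(header_value):
    """Split an HSTS value into directives (names are case-insensitive per RFC 6797).

    Returns None when max-age is missing or not an integer, because browsers
    then ignore the entire header rather than applying a partial policy.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }

def hsts_findings(header_value, min_age=ONE_YEAR):
    """Return the weaknesses of a policy; an empty list means it passes."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["missing or malformed max-age: browsers ignore the whole header"]
    findings = []
    if policy["max_age"] < min_age:
        findings.append(f"max-age {policy['max_age']}s is below {min_age}s: policy expires too soon")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains may still be reached over plain HTTP")
    if not policy["preload"]:
        findings.append("preload missing: site cannot be submitted to browser preload lists, "
                        "so a user's very first visit is still unprotected")
    return findings

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("strong", STRONG_HEADER)):
        print(label, hsts_findings(header) or ["ok"])
```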
Backups
+ Faster recovery
+ Offline forensics
Stay Current
Even with non-security releases
- Old vulnerabilities
- Dealing with many changes all at once
- Avoid EOL components
Periodic Review
Review users and permissions for appropriate settings
+ Onboard
+ Offboard
+ Role Change
+ Process Change
Review extensions for active use
Secure Login
+ SSO
+ MFA / 2FA
+ Password managers
+ Unique passwords
Global Edge Security
Managed Web Application Firewall (WAF): WAF rule sets tailored and managed to protect WordPress by mitigating threats at the edge, and automatically updated to respond to emerging threats.
SSL/TLS: Encryption with certificates terminated at the edge for improved performance.
Advanced DDoS Mitigation: Global edge network with capacity more than 15x greater than the largest DDoS attack, and protections built throughout our network at DNS and layers 3, 4 & 7.
Full Page CDN: Sends all traffic through the CDN, across an edge network of 120 datacenters, to accelerate security and site performance at a global level.
How advanced security works
(Diagram: Visitors/clients, web crawlers & bots, attackers and comment spam all send HTTP requests to Cloudflare’s globally distributed edge network, which caches content at the edge. The edge inspects HTTPS requests to detect and block attacks before they can reach the origin server, resolves requests to a Cloudflare IP, filters out bad bots, and blocks spambots and spammer postings. The CDN pulls new content from the origin server, which contains the original version of the site, and returns the response to the visitor.)
Inquiring minds want to know.
Questions and Answers.
* Slides, recording and resources will be made available within the next several days
Resources.
● 15 Ways to Harden the Security of Your WordPress Site
● Have I been pwned?
● SSL Server Test from Qualys
● Enterprise-Grade WordPress Security on WP Engine
● How to Convince Clients WordPress is More Secure than They Think
● WPScan Vulnerability Database
Help us get better.
How helpful?
How to improve?
Future topics?
Thank You.