The document provides security tips from Tony Perez of Sucuri Inc. to help save content and keep readers. Some key tips include employing defense in depth concepts like maintaining systems, being aware of online habits and access control, and registering websites with search engines. The document emphasizes the importance of security maintenance and best practices. It encourages reaching out to professionals if other tips fail to improve a website's security posture and understanding of the ongoing security cycle.
5 Security Tips to Save Content and Keep Readers Engaged
1. 5 Security Tips That Will Save Your Content & Keep Your Readers
Presented by: Tony Perez
2. Tony Perez?
• Own and Operate Sucuri Inc.
• Entrepreneur | Website Security Professional
• Website Security Blogger
• BJJ Practitioner and Competitor Blogger
3. Sucuri?
We secure your site so you don’t have to
• Mitigating 35 million+ attacks a month
• Scanning 3 million+ unique domains a month
• Remediation for over 400 websites a day
• Securing 250,000+ websites
26. What next?
• Register your websites with search engines
• Access control is perhaps one of the most important access points
• Get smarter about our online habits
• Don’t forget the importance of good / active administration
• Improve your posture with knowledge of the cycle of security
27. If all else fails, enlist the help of professionals
28. Get in touch
Let’s get social:
• Twitter: https://twitter.com/perezbox
• Twitter: https://twitter.com/sucuri_security
• Facebook: https://www.facebook.com/SucuriSec
Read what I write:
• http://blog.sucuri.net
• http://tonyonsecurity.com
Editor's Notes
Imagine for a moment… after years of traveling and writing, paying out of your own pocket, you have finally achieved your goal of a sponsorship. One of the most recognizable authorities in the industry has invited you to travel to Mongolia… You will be on site for 3 days… your goals are simple: travel and visit the various nomadic tribes in the area… the key being a 2,000 word post about the country and your travels every 24 hours. You land in the capital, Ulaanbaatar, and after hours / maybe a day or so of travel, you connect to the internet to write your first post of the trip…
You connect, complain to yourself perhaps at the pace of the connection… As you wait for the browser to return your website… you sip on a little water and reflect on your trip so far… As you stare off at the landing planes, you notice out of your peripheral vision that the browser has responded. You bring your eyes to focus on your browser and panic sets in… you know, that feeling you get when you’re not quite sure what is going on… that moment where you feel your gut drop to the floor…
This has to be a mistake…
You click refresh… you retype your domain.. You leverage a different browser…
Nothing.
You have been hacked. When your visitors visit your website they now see that you are supporting the ISIS cause in Syria and Iraq and all they see is the gruesome pictures of some of their atrocities…
My name is Tony Perez, and I will be talking to you today about website security…
To provide context to what we’ll be talking about…
Here is a little bit of our background as an organization and where our insights come from…
Background Discussion points:
It’s hard to do anything these days without the security discussion working its way into the dialog. Many of us have heard about some of the largest compromises in recent history, compromises like those that have impacted organizations like Google, Facebook, Target and of course, how can we forget our favorite technologists, Apple, and the iCloud debacle in which 100 or so celebrities had their nude pictures leaked. Don’t even get me started on the NSA and the challenges we have with our online presence…
Never in recent history has security been so forward in the consciousness of the consumer.
It is actually a very nice change for us security types.
You see, we’ve all subscribed to what feels like an impossible industry. We struggle with communicating the trends and threats in ways that can resonate and really encourage website owners to take action. It’s an industry in which the issue is not that end-users do not understand the problem; on the contrary, consumers understand it, it’s just not important enough…
Security has been something for the other guy, for the large organization with something of value…
Never has this been more true than in the last 12 hours. It was as I spent time mingling last night at the awesome display of Mexican culture and history, learning about this awesome travel blogging industry, that I realized how important it is that I spend the time required to continue to educate and bring awareness to website security…
The common trend being… [next slide]
Why this matters to you (you have value and ability to influence)
Your value is your audience, your reach
Websites like yours contribute to some of the largest breaches today – a.k.a., “watering hole attacks”
Your website is part of a larger chain of events in the security world – we have a responsibility
How would we feel if our parents or kids lost everything because they were on our website
What is the impact
Attacks are multi-faceted and often very complex, but many are simple
Abuse comes in many forms – e.g., malware distribution, web server abuses, email spam, phishing lures
85% of websites used in today’s attacks come from websites like yours
Cyber security is not just a problem for the enterprise, it’s for everyone on the web
Example of defacement
Not happy with this language, we’re saying here are things available to you
The beautiful thing about the online world is that there is always a resource for something and if there isn’t, someone is always eager to create one. Google is one of those resources, as are tools like Analytics and SEO tools.
But it can also come from clients and others not affiliated with our product. Here is an example of what it looks like when Google flags your website as being hacked. Google has various warnings, in this instance, when they say “This site may be hacked” it often means they have found you to be distributing malware.
This continues to be a really big problem in the world of web security. While I often reserve this for PC / notebook end-users, it’s something that many of you as bloggers have to be mindful of. It’s been around for a while, but over the past 12 months it has become a bigger problem. As a PC / notebook end-user you have to be careful because you are the target. When you click on an ad, it not only takes you to a page you’re interested in, it also attempts to download and infect your environment.
Why this is dangerous for you as a travel blogger is many of you might depend on ads as a source of income. The thought that many have when they integrate a third-party ad network is they presume the environment to be safe, especially when it’s an entity like Yahoo. But did you know that in December of 2013 the Yahoo ad network was breached and was used to spread malware to thousands of unsuspecting websites?
As an example of what I mean, let’s take a look at the Fathom Way to Go blog. Here you see they list out the top 24 travel blogs; first up is the Classe Touriste blog, and just below the social links you find this awesome ad that encourages you to hit the road. This is an example of an ad that you might add to your own blog; it’s often a source of good income for bloggers such as yourself.
The challenge we face, however, is that it’s not one of those things we can just stop integrating; many depend on that income. It is important, though, to talk to your ad networks about their security practice and what happens in the event of a compromise. What mechanisms are in place for you to engage them in the event you suspect there to be a compromise of their network?
I would categorize this as probably the number one thing affecting bloggers like you. This is very common these days; many probably don’t recognize it as a SEP attack, but might have heard of things like Dirty SERPs (Search Engine Result Pages), or Dirty SEO…
Remember the discussion on why your blogs are so key to attackers? The part where we talk about audience? Audience extends well beyond those that actually read your blog daily, weekly, monthly, etc. It extends to the personas that find your blog on search engines.
The concept of defense in depth is simple: it’s the idea that it is through a series of measures that you improve your security. You don’t count on one solution, but on a series of them, to ensure you are best prepared. It’s why we have this security lifecycle.
There is no one single solution to security, it’s a process and tools were built to help you in that process:
Who is logging into your account? When are they logging in?
Exploitation of software vulnerabilities is one of the leading issues today – can’t stress the importance of updates
Are you logging activity on your website? What is changing? Why is it changing?
How do you connect when on public Wi-Fi? Do you use a private VPN when traveling?
Do you have JavaScript enabled by default on all your browsers?
Do you auto-play objects like video in your browsers by default?
Access Control is how you log in.. /wp-admin and /administrator on the two most popular Content Management Systems (CMS) – WordPress and Joomla
Look to whitelist IPs if possible. Leads into point 4
Employ things like Two Factor Authentication..
Be mindful of brute force attacks against your administrative access points
Can’t stress the importance of unique passwords across all your online access points
33% of website hacks are a result of poor access control
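Two of the checks above, knowing who is logging into your admin area and when, and watching for brute force against it, can be run straight from the web server’s access log. This added example (not from the presentation or Sucuri’s tooling) parses constructed Apache-style log lines, reports every hit on the WordPress and Joomla admin paths together with whether the source IP is on a hypothetical allowlist, and flags any IP that sends five or more login POSTs inside a minute; the IPs, timestamps, allowlist and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Apache combined format, hypothetical IPs).
# In WordPress a failed login re-renders the form (200 with a body); a
# successful one redirects (302). The burst from 203.0.113.7 is what a
# brute-force run against /wp-login.php looks like in the log.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Oct/2014:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2014:08:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3842
203.0.113.7 - - [10/Oct/2014:08:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3842
203.0.113.7 - - [10/Oct/2014:08:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3842
203.0.113.7 - - [10/Oct/2014:08:01:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3842
203.0.113.7 - - [10/Oct/2014:08:01:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3842
203.0.113.7 - - [10/Oct/2014:08:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3842
198.51.100.4 - - [10/Oct/2014:08:05:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120
192.0.2.55 - - [10/Oct/2014:09:00:00 +0000] "GET /2014/10/mongolia-day-1/ HTTP/1.1" 200 15001
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
ADMIN_PATHS = ("/wp-login.php", "/wp-admin", "/administrator")  # WordPress and Joomla

def parse(line):
    # Return the fields we need from one log line, or None if it does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "method": method, "path": path, "status": int(status)}

def admin_access_report(log_text, allowlist, threshold=5, window_s=60):
    """logins: (ip, time, allowlisted?) for every hit on an admin path.
    suspects: IPs with >= threshold login POSTs inside any window_s seconds."""
    logins, suspects, posts = [], set(), defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if not e or not e["path"].startswith(ADMIN_PATHS):
            continue
        logins.append((e["ip"], e["when"].isoformat(), e["ip"] in allowlist))
        if e["method"] == "POST" and e["path"] == "/wp-login.php":
            posts[e["ip"]].append(e["when"])
    for ip, times in posts.items():
        times.sort()  # sliding window: threshold POSTs whose span fits in window_s
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                suspects.add(ip)
                break
    return logins, suspects
```

Any admin hit whose third field is False came from outside the allowlist, which is exactly the traffic an IP whitelist on /wp-admin or /administrator would have blocked.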
Hiring professionals is always an interesting experience. I remember a time when I used to attempt to fix my car. Every time I would go to the store, buy a new book or ping my buddy, the mechanic. We’d set off to tinkering. Pop the hood, start taking things apart and before you knew it we were too far in, and whether it be the alcohol or the heat, we always just ended up with a big mess on our hands. Granted, at that time we’d always figure something out and the car would start running again. Not until after hours, if not days, though.
Today though, things are different. I have learned the value of my time and what my strengths are. Attempting to be a mechanic just isn’t one of those. Do I understand the basics of working on them? Sure. Can I look something up and try to figure it out? Sure. The reality is I’m not good at it, and I much prefer to spend my time running my business, spending time with my family or training for a competition.
I assume this is something that many of you prefer as well. Why pack your bags, travel to a new destination, only to be met with a hack of some sort because you forgot to create a strong password, or because you forgot to upgrade your website? Nobody wants to spend their time in Cancun in their hotel room, rummaging through a server for hours, trying to find the problem. If you do, good on you and I wish you luck, but for the rest – understand the basics of security and if you know nothing about it, leverage a professional.
I deal with thousands of website owners like you on a weekly basis. The final points are always the same – 1) I’m in over my head, 2) I’ve made a bigger mess than when I started, or 3) I just want this all to go away