Website Security - Latest and Greatest (WordPress 2014) - Tony Perez
This presentation focuses on three elements - Trends, Threats and Defenses. It leverages the latest data from some of the top Information Security companies out there (e.g., Symantec, Websense). It does not go over the typical 10 things; instead it focuses on broad Information Security concepts and principles that many website owners don't account for.
Joomla! Day Atlanta 2014 - Website Security - The Basics - Tony Perez
There are many posts, links and sources for website security, yet we unfortunately overlook the basics as if they were somehow no longer important. The fact of the matter is that the basics will often save website owners a lot of headaches. This presentation goes back to the basics and provides a foundation from which all website owners, specifically Joomla ones, can build. Most of the concepts are applicable across all platforms and are largely platform agnostic.
For more information contact us at http://sucuri.net
PressBooks launched as a SAAS offering in 2011 to facilitate the easy creation and publishing of ‘electronic first’ books (epub, mobi, etc) that can also be printed (traditionally and on demand).
In February 2013, an open source version was released further democratizing the creation and publishing of ebooks and print-on-demand publishing.
We’ll cover how to install PressBooks OS, pros and cons of the hosted vs. open source version, and how to publish your first book using the tool.
Plugin Monetization Options
Presented by Nick Ciske in General Track
So you’ve released a free plugin, or want to release a paid plugin/add-on — what are your monetization options, and what are the pros/cons of each?
I’ll cover my own experiences with sponsored plugins, building premium plugins (while running a consultancy), working for a premium plugin shop, and other lessons gleaned from the WordPress community.
2017 WHD - Bridging the Divide Between Behavior and Security - Tony Perez
As an industry of service providers we have a greater responsibility to the larger internet security ecosystem. We rely on offsetting security ownership to our customers, but in many ways we're the responsible ones. We're also the ones best suited to help solve the problem. In this talk I try to broach the subject of responsibility by looking at the real challenge we're faced with - human behavior.
Accounting for Website Security in Higher Education - Tony Perez
Online threats against web applications are growing at an exponential rate and are estimated to continue growing in the coming years. Higher education finds itself in a precarious position, trying to balance the need to provide services like external websites to its various business units while working to stay ahead of such threats. This is further exacerbated by the adoption and deployment of open-source CMS applications like WordPress and Drupal.
In this talk, I explore the latest tactics, techniques and procedures being employed by cyber criminals, their threats to Higher Education institutions and provide a security framework from which organizations can expand on within their own organizations.
Building a Security Framework for Websites - Tony Perez
We live in an age where the threats against our websites are real, and their impacts have the potential to be devastating. As open-source CMS applications continue to become a staple in our infrastructure stack, organizations are faced with the challenge of accounting for this new attack vector. With limited resources and knowledge, organizations need a streamlined approach to managing their websites. In the talk below I share some thoughts on how to think about security more holistically by thinking through an attacker's TTPs and using that to build a repeatable framework applicable to all website owners, regardless of organization size.
The year is 2015, there are a little over a billion websites online, they range in size, complexity and popularity and yet they all share a common denominator – the threat of a security incident.
The past two years have been especially challenging for most businesses; this talk will provide a holistic overview of the challenges and threats website owners face. These insights come from years of research and analysis, but more importantly from the experiences of hundreds of thousands of website owners like you. We will share the latest threats website owners face, but deliver them in a meaningful way that gives each attendee actionable takeaways. Lastly, the talk will place emphasis on the responsibility that each of us has as online stewards, to our brand, our users and the internet as a whole.
The most effective toolset we have at our disposal is knowledge, and so this presentation focuses on education.
Business of People - Lessons Learned Building a Remote Workforce - Tony Perez
Business is complex, and it undoubtedly depends on people to be successful, whether engineers, support agents, marketing, etc. The dynamics of managing people, while fulfilling, can be very complex. In this presentation I touch on a number of things we've learned at Sucuri as we've grown from a small team to one that is distributed around the world in 20 different countries.
This presentation by Morris Kleiner (University of Minnesota) was made during the discussion “Competition and Regulation in Professions and Occupations” held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives... - Orkestra
UIIN Conference, Madrid, 27-29 May 2024
James Wilson, Orkestra and Deusto Business School
Emily Wise, Lund University
Madeline Smith, The Glasgow School of Art
Have you ever wondered how search works while visiting an e-commerce site, internal website, or searching through other types of online resources? Look no further than this informative session on the ways that taxonomies help end-users navigate the internet! Hear from taxonomists and other information professionals who have first-hand experience creating and working with taxonomies that aid in navigation, search, and discovery across a range of disciplines.
Acorn Recovery: Restore IT infra within minutes - IP ServerOne
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) offering by IP ServerOne. A DR solution that helps restore your IT infrastructure within minutes.
0x01 - Newton's Third Law: Static vs. Dynamic Abusers - OWASP Beja
If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it for their own needs. In this talk we'll compare measures that are effective against static attackers and discuss how to battle a dynamic attacker who adapts to your countermeasures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
This presentation, created by Syed Faiz ul Hassan, explores the profound influence of media on public perception and behavior. It delves into the evolution of media from oral traditions to modern digital and social media platforms. Key topics include the role of media in information propagation, socialization, crisis awareness, globalization, and education. The presentation also examines media influence through agenda setting, propaganda, and manipulative techniques used by advertisers and marketers. Furthermore, it highlights the impact of surveillance enabled by media technologies on personal behavior and preferences. Through this comprehensive overview, the presentation aims to shed light on how media shapes collective consciousness and public opinion.
25. Explosion in the Malware as a Service (MaaS) trade
Yes, pay someone to hack for you
Different tools to break in and generate payloads
Brute force and vulnerability exploits
Malware payloads
Blackhole Exploit author arrested
4/29/2014 Tony Perez | @perezbox | @sucuri_security 27
38. Brand reputation
Legal implications
Impact to sales
Blacklisted by search engines
Blacklisted by payment processors
Worst day of your life
40. Sucuri properties suffer:
~125,000 web based attacks a month on average
~4,000 attacks a day
▪ This spikes on occasion
Doesn’t include server level attacks
All flavors of attacks
41. Principles
Access Control
Vulnerabilities
42. “It’s about risk reduction… risk will never be zero…”
43. “…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”
45. “requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.”
46. PHP execution, disable it in:
/wp-includes
/wp-content
  /themes
  /plugins
  /uploads

<Files *.php>
Deny from all
</Files>
52. The Bare Minimum:
1. Connect Securely – SFTP / SSH
2. Authentication Keys / wp-config
3. Use Trusted Sources
4. Use a local Antivirus – Mac too
5. Permissions - D 755 | F 644
6. Least Privileged Principles
7. Accountability
8. Backups – Include Database

Ideal implementations:
1. Employ Website Firewall
2. Don’t let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers
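As an added example (not from the slides), a POSIX shell audit that checks a WordPress tree against two of the rules above: directory mode 755 / file mode 644, and a .htaccess in each listed directory that denies PHP execution (Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied"). The function names and the sample tree are this example's own constructs.

```shell
#!/bin/sh
# Added example, not from the slides. Function names and the sample tree
# are this example's own constructs. Checks two slide rules on a WordPress
# tree: "Permissions - D 755 | F 644" and "PHP execution, disable it".

# List every directory not 755 and every file not 644 under ROOT.
audit_perms() {
  find "$1" -type d ! -perm 755
  find "$1" -type f ! -perm 644
}

# Succeed only if DIR/.htaccess has a <Files *.php> block that denies
# access (Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied").
php_exec_denied() {
  ht="$1/.htaccess"
  [ -f "$ht" ] || return 1
  grep -q '<Files \*\.php>' "$ht" && grep -Eq 'Deny from all|Require all denied' "$ht"
}

# Print the number of findings: wrong modes plus directories from the slide
# (wp-includes, themes, plugins, uploads) that still allow PHP execution.
audit_wp_tree() {
  n=$(( $(audit_perms "$1" | wc -l) ))
  for d in wp-includes wp-content/themes wp-content/plugins wp-content/uploads; do
    php_exec_denied "$1/$d" || n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample tree: all modes correct except one world-writable
# plugin file, and uploads/ left without its .htaccess.
SAMPLE_ROOT=$(mktemp -d)
chmod 755 "$SAMPLE_ROOT"
for d in wp-includes wp-content/themes wp-content/plugins wp-content/uploads; do
  mkdir -p "$SAMPLE_ROOT/$d"
  printf '<Files *.php>\n  Require all denied\n</Files>\n' > "$SAMPLE_ROOT/$d/.htaccess"
  chmod 644 "$SAMPLE_ROOT/$d/.htaccess"
done
chmod 755 "$SAMPLE_ROOT/wp-content" "$SAMPLE_ROOT/wp-includes" "$SAMPLE_ROOT"/wp-content/*
echo '<?php' > "$SAMPLE_ROOT/wp-content/plugins/demo.php"
chmod 666 "$SAMPLE_ROOT/wp-content/plugins/demo.php"
rm "$SAMPLE_ROOT/wp-content/uploads/.htaccess"

audit_wp_tree "$SAMPLE_ROOT"   # prints 2
```

Run it against a real document root by calling audit_wp_tree on that path instead of the constructed sample; a non-zero count is a list to review, not proof of compromise.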
53. 1. Fix index.php file and assume all is fine.
2. Panic your way into WordPress Forums after hack.
3. Don’t worry about updating.
4. Trust third-party extensions.
5. Apply all upgrades on live site.
6. Install and forget, all is well with your new site.
7. Use the same username and password for everything.
8. Don’t waste time making security adjustments to PHP and settings.
9. No regular backups required.
10. Use the cheapest host.