Open Source Powered Websites: Protect Your Enterprise and Yourself - Chris Davis, Founder & CEO, Firehost
Slide 1
Open Source Websites : Protection
Chris Davis, Director of Security and Compliance
Slide 2
Open Source Powered Websites
Protect Your Enterprise and Yourself
Slide 3
DISCLAIMER: This is not a Sales Pitch
• Learn from our findings and apply them to your environment
• This is a very serious problem and it's only getting worse
Slide 4
HOW BAD IS IT?
• 82% of websites have at least one security issue; 63% have issues of high, critical or urgent severity (WhiteHat Security, 2008)
• 70% of the top 100 most popular websites either hosted malicious content or contained a masked redirect to malicious sites (Websense, 2009)
Slide 5
WEB APPLICATIONS – THE LARGEST THREAT
Verizon / United States Secret Service Data Breach Investigations Report, 2010
• 54% of attacks are on the web application layer
• Web application attacks accounted for 92% of the records compromised
Slide 6
OPEN SOURCE ON THE RISE
Slide 7
THE GAME HAS CHANGED
• Web, HTTPS (SSL) & XML Vulnerabilities
• SQL Injection
• Session Hijacking
• Cross Site Scripting (XSS)
• Form Field Tampering
• Known Worms
• Zero Day Web Worms
• Buffer Overflow
• Cookie Poisoning
• Denial of Service
• Web Server & Operating System Attacks
• Directory Traversal
• Anonymous Proxy
• Open Source Vulnerabilities
• OS Command Injection
• Cross-Site Request Forgery
• Google Hacking
• Remote File Inclusion
• Illegal Encoding
• Malicious Robots
• Parameter Tampering
• Brute Force Login
• Malicious Encoding
• Site Recon
• Credit Card Exposure
• Patient Data Disclosure
• Phishing
• Data Destruction
• US SSN Leakage

Rise in application-level attacks: they arrive over ports 80 and 443, which firewalls have to leave open.
Strict compliance requirements (U.S. and abroad), e.g. U.S. Department of Health & Human Services, Policy for Responding to Breaches of Personally Identifiable Information (PII), HHS-OCIO-2008-0001.002, April 15, 2008.
Slide 8
HACKER PROFILES (Two Types)
• THE Egomaniac
• THE Criminal
Slide 9 (image only, no text)
Slide 10
NATHAN SMITH: Static & CMS-Powered Website Hacked on Cloud Hosting
• Textpattern CMS
• Co-wrote a book on Textpattern, so no rookie
• SEO bots planted "spammy" links
• Visitors saw a normal page, but it carried a display:none list of links
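The hidden-link pattern on this slide (a normal-looking page with a display:none block of outbound links) is easy to check for mechanically. The following is an added example, not code from the talk, from Textpattern or from any of the sites mentioned: a standard-library Python scanner that reports every link sitting inside an element hidden with display:none, visibility:hidden or the HTML hidden attribute, and counts the hosts those links point to. The sample page and the spam.example hostname are constructed for the demonstration.

```python
"""Find links hidden with CSS, the injected-SEO-spam pattern from the Textpattern case.

Added example (not from the talk). Standard library only; run it on a saved copy of a
page, e.g.  python hidden_links.py page.html
"""
import re
import sys
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSS that hides an element from readers while crawlers still index the links in it.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Elements that never have a closing tag; they must not be pushed on the open-tag stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Collect every <a href> that sits inside a hidden element (or is hidden itself)."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, opened_a_hidden_region) for each open element
        self.hidden_depth = 0    # number of hidden ancestors enclosing the current position
        self.current = None      # [href, text chunks] while inside a hidden <a>
        self.findings = []       # (href, anchor text)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)      # attribute names are lowercased by HTMLParser
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or "")) or "hidden" in attrs
        if tag in VOID_TAGS:
            return
        self.stack.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1
        if tag == "a" and self.hidden_depth and attrs.get("href"):
            self.current = [attrs["href"], []]

    def handle_endtag(self, tag):
        if not any(t == tag for t, _ in self.stack):
            return                                   # stray close tag: ignore it
        while self.stack:                            # pop back to the matching open tag,
            t, hidden = self.stack.pop()             # closing any unclosed children on the way
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break
        if tag == "a" and self.current is not None:
            href, chunks = self.current
            self.findings.append((href, " ".join("".join(chunks).split())))
            self.current = None

    def handle_data(self, data):
        if self.current is not None:
            self.current[1].append(data)


def find_hidden_links(html: str) -> list[tuple[str, str]]:
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def hosts_linked(findings) -> dict[str, int]:
    """Count hidden links per target host; a spam network shows up as a few repeated hosts."""
    return dict(Counter(urlsplit(href).hostname or "(relative)" for href, _ in findings))


# Constructed sample page: one legitimate link plus a hidden block of the kind the talk describes.
SAMPLE_PAGE = """
<html><body>
<h1>My Textpattern blog</h1>
<p>Visible content with a <a href="https://example.org/about">normal link</a>.</p>
<div style="display:none">
  <ul>
    <li><a href="http://spam.example/cheap-pills">cheap pills</a></li>
    <li><a href="http://spam.example/casino">online casino</a></li>
  </ul>
</div>
<span style="visibility: hidden;"><a href="http://spam.example/loans">payday loans</a></span>
<p>Footer <a href="/contact">contact</a></p>
</body></html>
"""

if __name__ == "__main__":
    html = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_PAGE
    found = find_hidden_links(html)
    for href, text in found:
        print(f"HIDDEN LINK {href!r} text={text!r}")
    print("per host:", hosts_linked(found))
```

Run it against a copy of the page fetched with curl rather than against what your browser shows you: compromised sites frequently serve the spam block only to user agents that look like search-engine crawlers, which is why the owner sees nothing wrong.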
Slide 11 (image only, no text)
Slide 12
KARL SWEDBERG: WordPress Hacked
• WordPress CMS, hacked
• During migration we gained access to over 1000 websites
• Yes… we had Karl report the hack
Slide 13 (image only, no text)
Slide 14
SECURITY IS ABOUT THE ECOSYSTEM
• Network: routers / firewalls
• Operating systems: Windows / Linux / OS X
• Applications: open source / commercial
• Database: Oracle / MySQL / MS SQL
• Web server: Apache / Microsoft IIS
• 3rd party web applications: open source / commercial
• Custom web applications: PHP / ASP.NET / Java
• Physical / virtual access / social engineering

Responsibility | Solution
Managed hosting | Firewall, virus protection, patches, IDS, etc.
Yours or FireHost | Application level or WAF
Slide 15
Humans: The Biggest Security Vulnerability
Slide 16
WHAT CAN YOU DO? Be Smart About It
• Security isn't convenient
• Choose only leading CMS platforms
• Stay up to date with core updates
• There are decent security plug-ins out there
• Use a secure hosting provider
Slide 17
THE REALITIES OF MODULES/PLUGINS
Keep Them Under Control
Slide 18
LOVE YOUR MODULES: Website Enhancements
• Only download from trusted sources
• Check the bug reports
• Only activate one at a time
• Three dirty letters: DEV (don't run development builds in production)
• Don't install unless it supports your core version or higher
• Search "<plugin name> hacked" first and read the results
Slide 19
YOU AND YOUR ADMIN: Don't Be Afraid
• SSL: it's not just for shopping carts
• Configure .htaccess or IIS security on the admin directory; don't bother changing the directory name
• Don't trust your connection, especially WiFi: ARP poisoning is easy
Slide 20
THE DATABASE: What Are You Exposing?
• Logins: the MySQL username/password must differ from the root login
• Sharing: do not share your database with other apps
• Change table prefixes: obfuscate table names to something known only to you
• Non-public: remove the DB from public access
• Segment: segment where appropriate to limit the scope of access
• Back up! Not much to say here
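The database rules above (an application account that is not root, one database per application, no public access) can be checked against what MySQL actually reports rather than against what you remember configuring. The following is an added example, not from the talk: it audits `SHOW GRANTS` output lines and the `[mysqld]` section of a my.cnf. The grant lines, the config text and the account names (wp_site, blog, forum) are constructed; treating SELECT, INSERT, UPDATE and DELETE as "what an application needs" is my assumption, and a CMS that alters tables during upgrades will need more for the duration of the upgrade.

```python
"""Audit MySQL account grants and the server's listening address against the database slide.

Added example (not from the talk). Works offline on constructed `SHOW GRANTS` output and a
constructed my.cnf; feed it the real output of  mysql -e "SHOW GRANTS FOR 'user'@'host'".
"""
import re
from collections import defaultdict

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$",
    re.I,
)

# Assumption: the day-to-day privileges a CMS needs on its own database.
APP_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE"}

# Constructed sample grants, one per line as MySQL prints them.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION",                   # root reachable remotely
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wp_site`.* TO 'wp_site'@'localhost'",  # the pattern the slide asks for
    "GRANT ALL PRIVILEGES ON `blog`.* TO 'blog'@'%'",                                # too much, from anywhere
    "GRANT SELECT ON `forum`.* TO 'wp_site'@'localhost'",                            # one account shared by two apps
]

# Constructed my.cnf fragments: weak (listens on every interface) and hardened (loopback only).
WEAK_MY_CNF = "[client]\nport = 3306\n\n[mysqld]\nuser = mysql\nbind-address = 0.0.0.0  # every interface\n"
HARDENED_MY_CNF = "[client]\nport = 3306\n\n[mysqld]\nuser = mysql\nbind-address = 127.0.0.1\n"


def parse_grant(line: str):
    """Return a dict for one GRANT line, or None if the line is not a GRANT statement."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    scope = m.group("scope").replace("`", "")
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "privs": {p.strip().upper() for p in m.group("privs").split(",")},
        "db": scope.split(".", 1)[0],          # "*" for global grants
        "grant_option": "GRANT OPTION" in m.group("rest").upper(),
    }


def audit_grants(lines) -> list[tuple[str, str]]:
    """Return (account, issue) pairs for grants that break the slide's rules."""
    issues = []
    dbs_per_account = defaultdict(set)
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        acct = f"{g['user']}@{g['host']}"
        if g["user"] == "root" and g["host"] != "localhost":
            issues.append((acct, "root login allowed from a remote host"))
        elif g["host"] == "%":
            issues.append((acct, "wildcard host: usable from any address that can reach port 3306"))
        if g["db"] == "*":
            issues.append((acct, "global privileges (ON *.*) instead of one database"))
        elif not g["privs"] <= APP_PRIVS:
            extra = sorted(g["privs"] - APP_PRIVS)
            issues.append((acct, f"more than an application needs: {', '.join(extra)}"))
        if g["grant_option"]:
            issues.append((acct, "WITH GRANT OPTION: a compromised account can mint new accounts"))
        if g["db"] != "*":
            dbs_per_account[acct].add(g["db"])
    for acct, dbs in sorted(dbs_per_account.items()):      # "do not share your database"
        if len(dbs) > 1:
            issues.append((acct, f"shared across {len(dbs)} databases ({', '.join(sorted(dbs))})"))
    return issues


def bind_address_issue(my_cnf: str):
    """Return None if mysqld only listens on loopback (or networking is off), else a description."""
    in_mysqld, bind, skip_networking = False, None, False
    for raw in my_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if not in_mysqld:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("_", "-")
        if key == "bind-address":
            bind = value.strip()
        elif key == "skip-networking":
            skip_networking = True
    if skip_networking or bind in ("127.0.0.1", "::1", "localhost"):
        return None
    return f"mysqld listens on {bind or 'all interfaces (the server default)'}; bind to 127.0.0.1 or firewall port 3306"


if __name__ == "__main__":
    for acct, issue in audit_grants(SAMPLE_GRANTS):
        print(f"{acct}: {issue}")
    for name, cnf in (("weak", WEAK_MY_CNF), ("hardened", HARDENED_MY_CNF)):
        print(f"{name} my.cnf:", bind_address_issue(cnf) or "ok")
```

The custom table prefix the slide also recommends is obfuscation only: it changes nothing about what a compromised account can read or write, so the grant is the real control and the prefix is a bonus. If the web server and database live on separate hosts, the loopback bind is not an option; restrict the account's host to the web server's address and firewall port 3306 instead.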
Slide 21
YOUR HOSTING ENVIRONMENT
• Network Firewalls
• VPN Access
• Anti-Virus
• SSL Certificates
• Isolated Environments (Web/DB – Prod/Dev)
• Web Application Firewalls
• Two-Factor Authentication
• Vulnerability Monitoring
• Intrusion Detection
• Log Management
• Scrubbing Centers
• Disk Encryption
Slide 22
Thank You. Questions?
Chris Davis
Email chris.davis@firehost.com
Twitter twitter.com/davischrism
