The security experts from Cloudflare and WP Engine help you navigate the security landscape for your web infrastructure.
Register to watch the on-demand webinar: https://hs.wpengine.com/webinar-securing-web-infrastructure
2. #wpewebinar
What You’ll Learn
● Common types of security threats
● Potential impact if you’re compromised
● How to mitigate these threats for your business
● Steps to help you better secure your digital footprint & customer data
● Q&A
3. #wpewebinar
Ask questions as we go. We’ll answer as many questions as we can after the presentation.
Slides and recording will be made available shortly after the webinar.
Use the “Questions” pane throughout the webinar.
4. #wpewebinar
Michael Tremante, Solutions Engineer, Cloudflare
● Recently moved to Bay Area
● Has pen tested many sites
● Initially hoped for a career in windsurfing...
Rob Hock, Product Manager, WP Engine
● 20 years in IT Ops
● Still misses carrying a pager
● Breakfast taco connoisseur
Will West, Security Architect, WP Engine
● Height: 2 Meters
● Knew PIC16F84A Assembler
● Bikes to work
6. #wpewebinar
Security Threats
Security threats often overlap and go hand in hand. Today we will talk about the following:
● Application Vulnerabilities
● Account Takeover
● Denial of Service (DoS & DDoS)
● Man in the middle
● Data Theft
There are many bad players on the internet; some are real individuals, but most are very sophisticated bots (programs) scanning for vulnerabilities in your applications. How do you recognise them?
7. #wpewebinar
Application Vulnerabilities
Bugs in libraries, frameworks, plugins, extensions, themes, logic
OWASP Top 10 / SANS Top 25
9. #wpewebinar
DoS/DDoS
DoS: Denial of Service
DDoS: Distributed Denial of Service
● Aim - disable your application so that your users cannot access it
● How - whichever method the attacker chooses
● Why - retaliation, extortion, distraction
10. #wpewebinar
DoS/DDoS (2)
Recently we were DDoS-ing Neteller: https://twitter.com/neteller/status/583363894665715712
Yes, our attacks are powerful.
So, it’s your turn!
Your site is going under attack unless you pay 40 Bitcoin. Pay to 17PxcnK84x98B9TdEbUvuCeivM7yaH1x4Q
Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps, so don't even bother. At least, don't expect cheap services like CloudFlare or Incapsula to help...but you can try. :)
Right now we are running small demonstrative attack. Don't worry, it will not be that hard (it shouldn't crash your site) and it will stop in 1 hour. It's just to prove that we are serious. We are aware that you probably don't have 40 BTC at the moment, so we are giving you 24 hours. Current price of 1 BTC is about 230 USD, so we are cheap, at the moment. But if you ignore us, price will increase.
IMPORTANT: You don’t even have to reply. Just pay 40 BTC to 17PxcnK84x98B9TdEbUvuCeivM7yaH1x4Q – we will know it’s you and you will never hear from us again. We say it because for big companies it's usually the problem as they don't want that there is proof that they cooperated. If you need to contact us, feel free to use some free email service. Or contact us via Bitmessage: BM-NC1jRewNdHxX3jHrufjxDsRWXGdNisY5
But if you ignore us, and don't pay us within a given time, long term attack will start, price to stop will go to 100 BTC and will keep increasing for every hour of attack.
IMPORTANT: It’s a one-time payment. Pay and you will not hear from us ever again!
We do bad things, but we keep our word.
11. #wpewebinar
DoS/DDoS (3)
Normally (D)DoS attacks aim to overload either the network or the computational resources:
● Saturate the available bandwidth
● Exceed the number of “packets” per second the operating system can handle
● Overload a particularly expensive query on your application (e.g. an inventory search)
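The third case, a single expensive query hammered far faster than any real visitor would, is the one you can often spot in your own access logs before the site falls over. The following script is an added example (not part of the webinar or of any Cloudflare or WP Engine product) that parses combined-format log lines and flags clients whose requests to an expensive endpoint exceed a per-client ceiling within a sliding window. The log lines are constructed, and the choice of WordPress search (/?s=) as the expensive endpoint, the 60-second window and the limit of 20 are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; we only need client IP, timestamp and request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions: WordPress search is the expensive query; thresholds are illustrative.
EXPENSIVE_PREFIXES = ("/?s=", "/search")
WINDOW_SECONDS = 60
EXPENSIVE_LIMIT = 20


def parse_line(line):
    """Return (ip, timestamp, path) for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT), m.group("path"))


def find_abusive_clients(lines, window=WINDOW_SECONDS, limit=EXPENSIVE_LIMIT):
    """Return {ip: peak_count} for clients whose expensive requests in any
    `window`-second span exceed `limit`. Non-expensive requests are ignored."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if path.startswith(EXPENSIVE_PREFIXES):
            per_ip[ip].append(ts)

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        # Two-pointer sliding window over the sorted timestamps.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample: one client hammering search, one browsing normally."""
    line = ('{ip} - - [14/Mar/2018:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            '200 5120 "-" "Mozilla/5.0"')
    lines = [line.format(ip="203.0.113.7", sec=s, path="/?s=laptop+case") for s in range(30)]
    for i, s in enumerate(range(0, 50, 10)):
        path = "/?s=shoes" if i % 2 == 0 else "/blog/spring-sale/"
        lines.append(line.format(ip="198.51.100.5", sec=s, path=path))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, peak in find_abusive_clients(SAMPLE_LOG).items():
        print(f"{ip}: {peak} expensive requests within {WINDOW_SECONDS}s (limit {EXPENSIVE_LIMIT})")
```

The script reports the first client (30 search requests in under a minute) and stays quiet about the second, whose three searches are well within the limit. In a distributed attack the per-IP count will be low for every source, so pair this with a total-requests-per-second view of the same endpoint; the per-client view is what tells you which sources a rate limit or WAF rule at the edge should throttle.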
12. #wpewebinar
DoS/DDoS - Impact
The most famous DDoS attack in the last couple of years is the Dyn attack (October 2016), during which a number of large web properties, including Twitter, AirBnB and the BBC, went offline for large areas of the US.
What does it mean for you? Downtime is bad…
● Lost revenue (e.g. Black Friday)
● Brand reputation
DDoS attacks are a cat and mouse game. You need to be prepared for the worst case scenario.
13. #wpewebinar
Man in the middle attacks (MITM)
You don’t own the network between you and your users. What if someone is listening?
An entity in an advantageous position on the network (a man in the middle) may be able to observe your traffic, for example one who:
● Owns the network (ISPs, network providers, government)
● Runs an internet hotspot (airports, internet cafes)
● Tries to “listen” to your WiFi connection
We have mathematical tools to help us with this problem: how do Alice and Bob speak to each other secretly with Mallory in the room?
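The Alice-and-Bob question has a two-part answer, and both parts matter for the TLS setup on your site. A Diffie-Hellman exchange lets the two of them agree on a key even though Mallory hears every message; but if Mallory can also change messages, she can swap in her own public value, which is why the server's value must be authenticated (in TLS, by the certificate that the Qualys test checks). The script below is an added example, not material from the webinar, and it uses a toy 127-bit group plus an HMAC under a long-term key that Bob already trusts as a stand-in for the certificate and signature; the key material and the "wire" it simulates are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters for illustration only. A 127-bit Mersenne prime is far
# too small for real use; TLS negotiates standardised 2048-bit+ groups or elliptic curves.
P = 2**127 - 1
G = 5


def dh_public(priv: int) -> int:
    """Public value g^priv mod p. Mallory sees this; recovering priv is the discrete log."""
    return pow(G, priv, P)


def dh_shared(peer_pub: int, priv: int) -> int:
    """Shared secret (peer_pub)^priv mod p; both sides arrive at g^(ab) mod p."""
    return pow(peer_pub, priv, P)


def derive_key(shared: int) -> bytes:
    """Hash the shared secret into a fixed-size session key (P fits in 16 bytes)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


# Authentication stand-in (assumption for this example): in TLS the server proves its
# public value with a certificate-backed signature; here Alice's long-term HMAC key,
# which Bob already trusts, plays that role.
def sign_public(long_term_key: bytes, pub: int) -> bytes:
    return hmac.new(long_term_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def verify_public(long_term_key: bytes, pub: int, tag: bytes) -> bool:
    return hmac.compare_digest(sign_public(long_term_key, pub), tag)


def handshake(alice_priv: int, bob_priv: int, alice_lt_key: bytes, mallory_priv=None):
    """Simulate one exchange over an untrusted wire.

    Returns (alice_key, bob_key); bob_key is None when Bob rejects the exchange.
    If mallory_priv is given, Mallory replaces Alice's public value in transit."""
    a_pub = dh_public(alice_priv)
    tag = sign_public(alice_lt_key, a_pub)      # Alice authenticates her value

    wire_pub, wire_tag = a_pub, tag             # what actually crosses the network
    if mallory_priv is not None:
        wire_pub = dh_public(mallory_priv)      # substituted value; the tag cannot be forged

    b_pub = dh_public(bob_priv)
    alice_key = derive_key(dh_shared(b_pub, alice_priv))

    if not verify_public(alice_lt_key, wire_pub, wire_tag):
        return alice_key, None                  # Bob aborts before any data is sent
    return alice_key, derive_key(dh_shared(wire_pub, bob_priv))


if __name__ == "__main__":
    lt_key = secrets.token_bytes(32)            # constructed long-term key
    a, b = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    print("honest exchange, keys match:", handshake(a, b, lt_key)[0] == handshake(a, b, lt_key)[1])
    print("tampered exchange, Bob accepted:", handshake(a, b, lt_key, mallory_priv=424242)[1] is not None)
```

With no tampering Alice and Bob derive the same key, and a listener who only captured the two public values has nothing but a discrete-log problem. With Mallory substituting her value, Bob's verification fails and he never derives a key. Drop the verification step and the same code would happily let Mallory sit between the two of them, which is the situation a site without a valid certificate, or a client that ignores certificate errors, is in.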
14. #wpewebinar
Man in the middle attacks (MITM) - Impact
If an attacker has access to unencrypted network traffic, they can:
● View usernames and passwords;
● View user details that are being transmitted over the network;
● Reverse engineer application logic;
● …. Essentially they see everything
Check how well your application scores with the SSL Server Test tool from Qualys.
If you perform transactions on your application you will be required to pass a PCI audit, which has strict requirements around encryption.
15. #wpewebinar
Data Theft/Breach
Not an attack per se, but rather the end result achieved by other attack methods, for example:
Type - Description
DNS Spoofing - Send users to a fake website
Snooping data in transit - E.g. MITM attacks
Brute force login attempts - E.g. account takeovers, or forcing credentials from previously stolen user databases
Malicious payload exploits - Via application vulnerabilities
User data leaks are probably the number 1 worst scenario for IT companies… the potential reputational damage is difficult to predict and will vary based on what is leaked.
19. #wpewebinar
Stay Current
Even with non-security releases:
- Old vulnerabilities
- Dealing with many changes all at once
- Avoid EOL components
20. #wpewebinar
Periodic Review
Review users and permissions for appropriate settings:
+ Onboard
+ Offboard
+ Role Change
+ Process Change
Review extensions for active use
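A periodic review only happens if it is cheap to run, so it helps to turn the checklist on the last two slides into a script you can re-run. The following is an added example, not from the webinar or from WP Engine: it takes a user export and a plugin list (here constructed; in practice something like the output of `wp user list` and `wp plugin list` joined with your offboarding records, and the field names are assumptions) and produces the review findings: accounts of people who have left, privileged accounts nobody has logged into for 90 days, admins whose role change means they no longer need admin, inactive extensions to remove, and active extensions with updates pending.

```python
from datetime import date

# Constructed sample data. Field names (employed, needs_admin, update_available) are
# assumptions for this example, not WordPress or WP-CLI fields.
AS_OF = date(2018, 3, 14)
USERS = [
    {"login": "alice", "role": "administrator", "last_login": date(2018, 3, 10), "employed": True},
    {"login": "bob",   "role": "administrator", "last_login": date(2017, 6, 1),  "employed": True},
    {"login": "carol", "role": "editor",        "last_login": date(2018, 3, 1),  "employed": False},
    {"login": "dave",  "role": "subscriber",    "last_login": date(2018, 2, 20), "employed": True},
    # erin changed job: still an administrator but the new role does not need it
    {"login": "erin",  "role": "administrator", "last_login": date(2018, 3, 12), "employed": True,
     "needs_admin": False},
]
PLUGINS = [
    {"name": "akismet",      "active": True,  "update_available": False},
    {"name": "old-gallery",  "active": False, "update_available": True},
    {"name": "contact-form", "active": True,  "update_available": True},
]

PRIVILEGED_ROLES = {"administrator", "editor"}
STALE_DAYS = 90  # assumed: a privileged account unused this long should be reviewed


def review(users, plugins, as_of=AS_OF, stale_days=STALE_DAYS):
    """Return a list of (finding, subject) tuples for the periodic review."""
    findings = []
    for u in users:
        # Offboard: the person has left, the account has not. Nothing else matters.
        if not u["employed"]:
            findings.append(("offboard", u["login"]))
            continue
        # Stale privileged account: unused admin/editor logins are takeover targets.
        if u["role"] in PRIVILEGED_ROLES and (as_of - u["last_login"]).days > stale_days:
            findings.append(("stale-privileged", u["login"]))
        # Role change: privilege should follow the job, not stay with the person.
        if u["role"] == "administrator" and not u.get("needs_admin", True):
            findings.append(("role-change", u["login"]))

    for p in plugins:
        # Inactive code is still reachable code; remove what is not in active use.
        if not p["active"]:
            findings.append(("remove-unused-extension", p["name"]))
        # Active but behind: ties the review to the "stay current" step.
        elif p["update_available"]:
            findings.append(("update-extension", p["name"]))
    return findings


if __name__ == "__main__":
    for finding, subject in review(USERS, PLUGINS):
        print(f"{finding:25s} {subject}")
```

Run against the sample data it lists five items: carol to offboard, bob as a stale administrator, erin as a role change, old-gallery to remove and contact-form to update, while alice, dave and akismet produce nothing. The "process change" item on the slide is deliberately not automated here; it is a decision about who should hold which role, and the script only shows you where the current state disagrees with that decision.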
22. #wpewebinar
Global Edge Security
Managed Web Application Firewall (WAF)
WAF rule sets tailored and managed to protect WordPress by mitigating threats at the edge, and automatically updated to respond to emerging threats
SSL/TLS
Encryption, with certificates terminated at the edge for improved performance
Advanced DDoS Mitigation
Global edge network with capacity more than 15x greater than the largest DDoS attack, and protections built throughout our network at DNS and at layers 3, 4 & 7
Full Page CDN
Sends all traffic through the CDN, across an edge network of 120 datacenters, to accelerate security and site performance at a global level
23. #wpewebinar
How advanced security works
(Diagram: HTTP requests from the visitor/client, web crawlers & bots and attackers pass through Cloudflare’s globally distributed edge network, which caches content at the edge, before reaching the origin server that contains the original version of the site.)
● DNS resolves requests to a Cloudflare IP
● The edge inspects HTTPS requests to detect and block attacks before they can reach the origin server
● Filters out bad bots; blocks spambots and spammer postings (comment spam)
● The CDN pulls new content from the origin and returns the response to the visitor
24. #wpewebinar
Inquiring minds want to know.
Questions and Answers.
* Slides, recording and resources will be made available within the next several days
25. #wpewebinar
Resources.
15 Ways to Harden the Security of Your WordPress Site
Have I been pwned?
SSL Server Test from Qualys
Enterprise-Grade WordPress Security on WP Engine
How to Convince Clients WordPress is More Secure than They Think
WPScan Vulnerability Database