It’s About The Basics
Website Security (WordPress)
@PEREZBOX
• Sucuri, Inc.
– @sucuri_security
– @perezbox
• Specialization:
– Website Security
– Incident Handling
• Special Interests:
– Brazilian JiuJitsu
5/17/2014
Tony Perez | @perezbox |
@sucuri_security
2
• Website Security Company
• Global Operations
• Platform Agnostic (i.e., WordPress, Joomla, etc.)
• Scan 2M Unique Domains a Month
• Block 4M web attacks a Month
• Remediate 400 – 500 websites a day
• Signature / Heuristic Based
• 24/7 operations
Statistics
2013 – Year of the Mega Breach
(Chart: Data Breaches (Millions), 2011 vs. 2013)
Anatomy of Malicious Websites
(Chart: Malicious Websites vs. Legitimate Websites)
Legitimate Websites
(Chart: Not-Exploitable vs. Exploitable)
1 in 8 – Critical Vulnerability
Ransomware Explosion
(Chart: Ransomware, 2012 vs. 2013)
Malware Distribution
(Chart; percentages paired with categories in the order extracted)
• Remote iFrame Includes – 26%
• Remote JavaScript Includes – 19%
• SPAM Injections – 16%
• Obfuscated / Encoded JavaScript – 14%
• Conditional Redirects – 11%
• Defacements – 4%
• Other – 10%
Understanding Hackers
Anatomy of Website Attacks
What kind of website do you have?
• Use for malware?
• Part of a zombie network?
• Data breach?
Five Stages of an Attack
Automated Attacks
• Exploiting Access Control
Distribution Mechanism
There’s a Tool for that
• Malware as a Service (MaaS)
– Yes, pay someone to hack for you
• Different tools to break in and generate payloads
– Brute force and vulnerability exploits
(Diagram: Malware Payloads)
Why?
Impacts To You
Beyond The Application Layer
• Going deeper than the application layer, targeting the server.
• Server Polymorphism – a.k.a. highly adaptive / sophisticated
(Diagram) Examples: Darkleech; Cdork (Apache); Ebury (SSH); Email Server (SPAM); Heartbleed (OpenSSL)
Phishing Lures
Exploiting Forms
• Stick With Reputable Sources
• Generating SPAM emails, resource hogs
• IP blacklisting
Search Engine Poisoning (SEP)
• Pharmacy
• Payday Loans
Blacklisting
Drive By Downloads
Brute Force Attacks
Denial of Service (DoS)
Brute Force vs Denial of Service
Trust Erosion
Free is not always Free
• http://blog.sucuri.net/2014/03/unmasking-free-premium-wordpress-plugins.html
- SEOPresser
  - Payload located: wp-content/plugins/seo-pressor(gratuit)
  - File: central.class.php
- Flat Skins Pack Extension
  - Payload located: wp-content/ubermenu-skins-flat
- Restrict Content Pro
  - Payload located: wp-content/restrict-content-pro/includes/
  - File: sidebar.php
Don’t Worry, Everyone is a “Target”
Defenses
Biggest Weakness / Vulnerability
It’s About Good Posture
Starts With Expectations
“It’s about risk reduction… risk will never be zero…”
(Diagram: Posture vs. Risk)
Defense in Depth
“…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”
Layered Defenses
(Diagram: Protection – Detection – Auditing – Sustainment)
Access – P@ssw0rd
• Passwords: Complex – Long – Unique
Enforce Strong Credentials
Push the Access Boundaries
• https://getclef.com/ | @getclef
Principle of Least Privilege
“requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.”
Understand Your Roles
Hardening – Kill PHP
• PHP Execution, disable it:
– /wp-includes
– /wp-content
▪ /themes
▪ /plugins
▪ /uploads
# .htaccess placed in each directory above (Apache 2.2 syntax; Apache 2.4 uses "Require all denied")
<Files *.php>
Deny from all
</Files>
Disable Plugin / Theme Editor
• wp-config.php file modification:
# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
Brute Force Attacks
Please Backup
Software Vulnerabilities
• Stay current with the latest vulnerabilities:
– Secure - http://wordpress.org/plugins/secure/
Brute Force Protection
• Local Protection
– https://bruteprotect.com/ | @BruteProtect
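Local brute-force protection in practice, as an added shell example that is not code from the deck or from BruteProtect: it counts failed wp-login.php POSTs per source IP in a combined-format access log and prints the Apache 2.2 allowlist for wp-login.php that the deck's "Filter Access by IP" step calls for. The log lines, IP addresses and threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: spot wp-login.php brute forcing in a
# combined-format access log and emit an Apache 2.2 allowlist for wp-login.php.
# The log lines, IPs and threshold are constructed assumptions.

# Print "count ip" for each IP with more than LIMIT failed POSTs to wp-login.php.
# WordPress answers a failed login with 200 (form re-rendered) and a successful
# one with a 302 redirect, so 302 responses are not counted as failures.
flag_bruteforce_ips() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 != 302 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] > limit) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Print an .htaccess block restricting wp-login.php to the given admin IPs
# (same Apache 2.2 "Deny from" syntax the deck uses for PHP execution).
wp_login_allowlist() {
    echo '<Files wp-login.php>'
    echo 'Order Deny,Allow'
    echo 'Deny from all'
    for ip in "$@"; do echo "Allow from $ip"; done
    echo '</Files>'
}

# Write a constructed sample log: one IP with 8 failed logins, one with 2,
# and one legitimate admin who fails once and then succeeds (302).
write_sample_log() {
    i=0
    while [ "$i" -lt 8 ]; do
        echo "203.0.113.7 - - [17/May/2014:10:00:0$i +0000] \"POST /wp-login.php HTTP/1.1\" 200 3521 \"-\" \"Mozilla/5.0\""
        i=$((i + 1))
    done > "$1"
    cat >> "$1" <<'EOF'
192.0.2.9 - - [17/May/2014:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.9 - - [17/May/2014:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.4 - - [17/May/2014:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.4 - - [17/May/2014:10:05:20 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [17/May/2014:10:05:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 18812 "-" "Mozilla/5.0"
EOF
}
```

Run `write_sample_log /tmp/access.log; flag_bruteforce_ips /tmp/access.log 5` to see only the 8-failure source flagged; feed the flagged IPs to your firewall or WAF rather than to the allowlist.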
Stay Current (Update)
Website Firewalls
• Stay ahead of Software Vulnerabilities
Ensure Integrity of Connection
• https://www.getcloak.com/ | @getcloak
Simple Steps to Reduce Risk
The Bare Minimum:
1. Connect Securely – SFTP / SSH
2. Authentication Keys / wp-config
3. Use Trusted Sources
4. Use a local Antivirus – Mac too
5. Permissions - D 755 | F 644
6. Least Privileged Principles
7. Accountability
8. Backups – Include Database
Ideal implementations:
1. Employ Website Firewall
2. Don’t let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers
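A defender-side audit for the controls the deck spells out (the "Kill PHP" .htaccess and DISALLOW_FILE_EDIT from the hardening slides, and the D 755 | F 644 permissions above), as an added shell example that is not part of the original deck; the directory layout and sample files it builds are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: audit a WordPress tree for the controls
# the deck lists (DISALLOW_FILE_EDIT, PHP execution denied under uploads,
# D 755 / F 644 permissions, no PHP files in uploads). Paths are assumptions.

# 0 if wp-config.php has an uncommented define('DISALLOW_FILE_EDIT', true).
check_file_edit_disabled() {
    pat="^[[:space:]]*[Dd]efine\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
    grep -Eq "$pat" "$1/wp-config.php"
}

# 0 if DIR/.htaccess denies *.php (Apache 2.2 "Deny from all" or 2.4 "Require all denied").
check_php_denied() {
    f="$1/.htaccess"
    [ -f "$f" ] && grep -Fq '<Files *.php>' "$f" &&
        grep -Eq 'Deny from all|Require all denied' "$f"
}

# Print directories that are not 755 and files that are not 644 (the deck's "D 755 | F 644").
find_bad_perms() {
    find "$1" -type d ! -perm 755
    find "$1" -type f ! -perm 644
}

# Print PHP files under wp-content/uploads; nothing legitimate lives there as PHP.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php'
}

# Run every check against a site root; prints findings, returns 0 only when clean.
audit_site() {
    rc=0
    check_file_edit_disabled "$1" || { echo "FAIL: DISALLOW_FILE_EDIT not set in wp-config.php"; rc=1; }
    check_php_denied "$1/wp-content/uploads" || { echo "FAIL: PHP not denied in uploads/.htaccess"; rc=1; }
    bad=$(find_bad_perms "$1"); [ -z "$bad" ] || { echo "FAIL: loose permissions:"; echo "$bad"; rc=1; }
    php=$(find_php_in_uploads "$1"); [ -z "$php" ] || { echo "FAIL: PHP in uploads:"; echo "$php"; rc=1; }
    return $rc
}

# Build a constructed sample site (no real data) with two deliberate problems:
# a stray PHP file under uploads and a world-writable file under plugins.
make_demo_site() {
    root="$1"; umask 022
    mkdir -p "$root/wp-content/uploads/2014/05" "$root/wp-content/plugins"
    chmod 755 "$root"
    printf "<?php\n# Disable Plugin / Theme Editor\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$root/wp-config.php"
    printf '<Files *.php>\nDeny from all\n</Files>\n' > "$root/wp-content/uploads/.htaccess"
    echo '<?php // should not be here' > "$root/wp-content/uploads/2014/05/stray.php"
    echo 'x' > "$root/wp-content/plugins/loose.txt"
    chmod 666 "$root/wp-content/plugins/loose.txt"
}

# Remove the two problems so audit_site passes.
fix_demo_site() {
    rm -f "$1/wp-content/uploads/2014/05/stray.php"
    chmod 644 "$1/wp-content/plugins/loose.txt"
}
```

Point `audit_site` at a real document root to get the same report; on a live site, quarantine an unexpected PHP file under uploads rather than deleting it, so it can be examined.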
Notable Resources
Name – Tool
Sucuri Blog – http://blog.sucuri.net
Sucuri TV – http://sucuri.tv
Malware Scanner – http://sitecheck.sucuri.net
Malware Scanner – http://unmaskparasites.com
Badware Busters – https://badwarebusters.org
Google Forums – http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
Google Webmaster Tools – http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia Security Advisories – http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB – http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
WordPress Hacked FAQ – http://codex.wordpress.org/FAQ_My_site_was_hacked
WordPress Hardening – http://codex.wordpress.org/Hardening_WordPress
Sucuri, Inc.
Tony Perez
http://sucuri.net
http://blog.sucuri.net
@perezbox | @sucuri_security
http://www.slideshare.net/perezbox/website-security-wordpress-its-about-the-basics
