Open Source Powered Websites: Protect Your Enterprise and Yourself - Chris Davis, Firehost
1. Open Source Websites : Protection
Chris Davis
Director of Security and Compliance
2. Open Source Powered Websites
Protect Your Enterprise and Yourself
3. DISCLAIMER
This is not a Sales Pitch
• Learn from our findings and apply to your environment
• This is a very serious problem and it’s only getting worse
4. HOW BAD IS IT?
82% of websites have at least one security issue
63% have issues of high, critical or urgent severity
(WhiteHat Security, 2008)
70% of the top 100 most popular web sites either hosted malicious content or contained a masked redirect to malicious sites
(Websense, 2009)
5. WEB APPLICATIONS – THE LARGEST THREAT
54% of attacks are on the web application layer
92% of web application attacks resulted in over 90% of record access
(Verizon / United States Secret Service Data Breach Investigations Report, 2010)
7. THE GAME HAS CHANGED
• Web, HTTPS (SSL) & XML Vulnerabilities
• SQL Injection
• Session Hijacking
• Cross Site Scripting (XSS)
• Form Field Tampering
• Known Worms
• Zero Day Web Worms
• Buffer Overflow
• Cookie Poisoning
• Denial of Service
• Web Server & Operating System Attacks
• Directory Traversal
• Anonymous Proxy
• Open Source Vulnerabilities
• OS Command Injection
• Cross-Site Request Forgery
• Google Hacking
• Remote File Inclusion
• Illegal Encoding
• Malicious Robots
• Parameter Tampering
• Brute Force Login
• Malicious Encoding
• Site Recon
• Credit Card Exposure
• Patient Data Disclosure
• Phishing
• Data Destruction
• US SSN Leakage
Rise in Application Level Attacks (Port 80 and 443 – Unblocked by Firewalls)
Strict Compliance Requirements (U.S. and Abroad)
U.S. Department of Health & Human Services, Policy for Responding to Breaches of Personally Identifiable Information (PII), HHS-OCIO-2008-0001.002 – April 15, 2008
8. HACKER PROFILES (Two Types)
• The Egomaniac
• The Criminal
10. NATHAN SMITH
Static & CMS-Powered Website Hacked on Cloud Hosting
• Textpattern CMS
• Co-wrote a book on Textpattern = no rookie
• SEO bots = “spammy” links
• Users saw a normal site, but with a display:none list of links
12. KARL SWEDBERG
WordPress Hacked
• WordPress CMS – hacked
• During migration we gained access to over 1000 websites
• Yes… we had Karl report the hack
14. SECURITY IS ABOUT THE ECOSYSTEM
Layer: Examples
Network: Routers / Firewalls
Operating Systems: Windows / Linux / OS X
Applications: Open Source / Commercial
Database: Oracle / MySQL / MS SQL
Web Server: Apache / Microsoft IIS
3rd Party Web Applications: Open Source / Commercial
Custom Web Applications: PHP / ASP.NET / Java
Physical / Virtual Access: Social Engineering
Responsibility: Solution
Managed Hosting Responsibility: Firewall, Virus Protection, Patches, IDS, etc.
Yours or FireHost: App Level or WAF
16. WHAT CAN YOU DO?
Be Smart About It
• Security isn’t convenient
• Choose only leading CMS platforms
• Stay up-to-date with core updates
• There are decent security plug-ins out there
• Use a secure hosting provider
17. THE REALITIES OF MODULES/PLUGINS
Keep Them Under Control
18. LOVE YOUR MODULES
Website Enhancements
• Only download from trusted sources
• Check bug reports
• Only activate one at a time
• Three dirty letters: DEV
• Don’t install unless it supports your core version or higher
• Search “x hacked” first and read the results
19. YOU AND YOUR ADMIN
Don’t Be Afraid
• SSL: it’s not just for shopping carts
• Configure .htaccess or IIS security on the admin directory; don’t worry about changing the directory name
• Don’t trust your connection, especially WiFi: ARP poisoning is easy
20. THE DATABASE
What Are You Exposing?
• Logins: MySQL username/password different from the root login
• Sharing: do not share your database with other apps
• Change table prefixes: obfuscate table names to something known only to you
• Non-public: remove the DB from public access
• Segment: segment where appropriate to limit the scope of access
• Back up! Not much to say here
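The “Logins” and “Sharing” points above, as an added example for MySQL (not from the deck or from FireHost): a dedicated, non-root account scoped to a single CMS database, with a check that nothing else is exposed. The database name cms_site, the user cms_app, and the password are assumptions and placeholders.

```sql
-- Added example (not from the deck): least-privilege MySQL account for one CMS install.
-- Assumed names: database cms_site, user cms_app; the password is a placeholder to replace.

-- 1. One database per application; a second app gets its own database and its own user.
CREATE DATABASE IF NOT EXISTS cms_site
  CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

-- 2. A login that is not root and can only connect from the web host
--    (here the same machine; use the web server's private address when they are separated).
CREATE USER 'cms_app'@'localhost' IDENTIFIED BY 'REPLACE-WITH-A-LONG-RANDOM-SECRET';

-- 3. Grant only what the CMS needs at runtime, and only on its own schema:
--    no GRANT OPTION, no FILE/SUPER/PROCESS, nothing on mysql.* or on other apps' databases.
GRANT SELECT, INSERT, UPDATE, DELETE ON cms_site.* TO 'cms_app'@'localhost';

-- 4. Schema changes are only needed during install and plugin activation.
--    Grant them for that window, then take them back:
GRANT CREATE, ALTER, INDEX, DROP ON cms_site.* TO 'cms_app'@'localhost';
-- ... run the installer / activate the plugin ...
REVOKE CREATE, ALTER, INDEX, DROP ON cms_site.* FROM 'cms_app'@'localhost';

-- 5. Verify the scope: the output should list privileges on cms_site.* only.
SHOW GRANTS FOR 'cms_app'@'localhost';

-- 6. Audit the server for accounts reachable from any host ('%') or a remotely usable root.
--    An empty result is what you want to see.
SELECT user, host
  FROM mysql.user
 WHERE host = '%'
    OR (user = 'root' AND host <> 'localhost');
```

For the “Non-public” point, pair this with bind-address = 127.0.0.1 (or a private interface) in my.cnf and a firewall rule on port 3306, so the database is never reachable from the public network.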