This presentation focuses on three elements: Trends, Threats and Defenses. It draws on the latest data from some of the top information security companies (e.g., Symantec, Websense). Rather than going over the typical "10 things" list, it focuses on the broad information security concepts and principles that many website owners fail to account for.
26. Explosion in the Malware as a Service (MaaS) trade
Yes, pay someone to hack for you
Different tools to break in and generate payloads
Brute force and vulnerability exploits
Malware payloads
Blackhole Exploit author arrested
5/17/2014 Tony Perez | @perezbox | @sucuri_security 27
39. Brand Reputation
Legal Implications
Impact to Sales
Blacklisted by Search Engines
Blacklisted by Payment Processors
Worst Day of Your Life
41. Sucuri properties suffer:
~125,000 web-based attacks a month on average
~4,000 attacks a day
▪ This spikes on occasion
Doesn’t include server-level attacks
All flavors of attacks
42. Principles
Access Control
Vulnerabilities
43. “It’s about risk reduction… risk will never be zero…”
44. “…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”
49. “requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.”
50. PHP execution, disable it in:
/wp-includes
/wp-content
/themes
/plugins
/uploads
# Placed in an .htaccess file in each directory listed above.
# Apache 2.2 syntax as shown; Apache 2.4 uses "Require all denied"
# in place of "Deny from all" (or needs mod_access_compat loaded).
<Files *.php>
Deny from all
</Files>
55. Stay current with the latest vulnerabilities:
Secure - http://wordpress.org/plugins/secure/
56. Local Protection
https://bruteprotect.com/ | @BruteProtect
57. Stay ahead of Software Vulnerabilities
59. Ideal implementations:
1. Employ Website Firewall
2. Don’t let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers
The Bare Minimum:
1. Connect Securely – SFTP / SSH
2. Authentication Keys / wp-config
3. Use Trusted Sources
4. Use a local Antivirus – Mac too
5. Permissions - D 755 | F 644
6. Least Privileged Principles
7. Accountability
8. Backups – Include Database
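The permission scheme from this slide (directories 755, files 644) and the PHP-execution block from slide 50, combined in one POSIX shell helper with an audit function that a cron job can use to detect drift. This is an added example, not code from the deck or from Sucuri; it assumes an Apache host that honours .htaccess and the WordPress docroot path as its only argument, and it applies the deny rule only to wp-content/uploads (the other directories the slide names hold PHP that WordPress loads, so blocking them needs case-by-case exceptions).

```shell
#!/bin/sh
# WordPress docroot hardening helper (added example; not Sucuri's code).
# Assumes Apache honouring .htaccess and the docroot path as the only argument.

# Slide 59 permission scheme: directories 755, files 644.
harden_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Slide 50 rule, limited to the uploads directory: user-supplied files must
# never execute as PHP. Apache 2.2 syntax as on the slide; Apache 2.4 would
# use "Require all denied" instead of "Deny from all".
deny_php_in_uploads() {
    dir="$1/wp-content/uploads"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
<Files *.php>
Deny from all
</Files>
EOF
}

# Audit: succeed (exit 0) only when every entry matches 755/644 and the
# uploads deny rule is present; otherwise fail so a scheduled run can alert.
audit_site() {
    bad=$(find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \) | wc -l)
    [ "$bad" -eq 0 ] && grep -qs 'Deny from all' "$1/wp-content/uploads/.htaccess"
}

# Write the deny rule first so its .htaccess also receives mode 644.
harden_site() {
    deny_php_in_uploads "$1"
    harden_perms "$1"
}

if [ "$#" -eq 1 ]; then
    harden_site "$1" && audit_site "$1"
fi
```

Run it as `sh harden.sh /path/to/docroot` once, then schedule `audit_site` on its own to catch permission drift or a removed .htaccess.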
60. 1. Fix index.php file and assume all is fine.
2. Panic your way into WordPress Forums after hack.
3. Don’t worry about updating.
4. Trust third-party extensions.
5. Apply all upgrades on live site.
6. Install and forget, all is well with your new site.
7. Use the same username and password for everything.
8. Don’t waste time making security adjustments to PHP and settings.
9. No regular backups required.
10. Use the cheapest host.