11. Anatomy of Website Attacks
5/17/2014
Tony Perez | @perezbox |
@sucuri_security
11
Use for malware?
Pat of a zombie network?
Data breach?
What kind of website do you have?
12. Five Stages of an Attack
5/17/2014
Tony Perez | @perezbox |
@sucuri_security
12
15. There’s a Tool for that
• Malware as a Service
(MaaS)
– Yes, pay someone to
hack for you
• Different tools to break
in and generate
payloads
– Brute force and
vulnerability exploits
Malware Payloads
5/17/2014
Tony Perez | @perezbox |
@sucuri_security
15
32. It’s About Good Posture
5/17/2014
Tony Perez | @perezbox |
@sucuri_security
32
33. Starts With Expectations
“It’s about risk reduction… risk will never be
zero…”
5/17/2014
Tony Perez | @perezbox |
@sucuri_security
33
Posture
Risk
34. Defense in Depth
“…a concept in which multiple layers of security
controls (defenses) are placed throughout an
information technology (IT) system. Its intent is
to provide redundancy in the event a security
control fails or a vulnerability is exploited…”
5/17/2014
Tony Perez | @perezbox |
@sucuri_security
34
38. Push the Access Boundaries
5/17/2014
Tony Perez | @perezbox |
@sucuri_security
38
• https://getclef.com/ | @getclef
39. Principle of Least Privileged
“requires that in a particular abstraction layer
of a computing environment, every module
(such as a process, a user or a program
depending on the subject) must be able to
access only the information and resources that
are necessary for its legitimate purpose.”
5/17/2014
Tony Perez | @perezbox |
@sucuri_security
39
49. Ensure Integrity of Connection
5/17/2014
Tony Perez | @perezbox |
@sucuri_security
49
• https://www.getcloak.com/ | @getcloak
50. Simple Steps to Reduce Risk
1. Employ Website Firewall
2. Don’t let WordPress write to
itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current
(patched)
8. No Soup Kitchen Servers
5/17/2014
Tony Perez | @perezbox |
@sucuri_security
50
1. Connect Securely – SFTP /
SSH
2. Authentication Keys / wp-
config
3. Use Trusted Sources
4. Use a local Antivirus – MAC
too
5. Permissions - D 755 | F 644
6. Least Privileged Principles
7. Accountability
8. Backups – Include Database
Ideal implementations:The Bare Minimum:
51. Notable Resources
Name Tool
Sucuri Blog http://blog.sucuri.net
Sucuri TV http://sucuri.tv
Malware Scanner http://sitecheck.sucuri.net
Malware Scanner http://unmaskparasites.com
Badware Busters https://badwarebusters.org
Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-
sites
Google Webmaster Tools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia Security Advisories http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB http://www.exploit-
db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
WordPress Hacked FAQ http://codex.wordpress.org/FAQ_My_site_was_hacked
WordPress Hardening http://codex.wordpress.org/Hardening_WordPress
5/17/2014
Tony Perez | @perezbox |
@sucuri_security
51