It’s About The Basics
Website Security (WordPress)
@PEREZBOX
• Sucuri, Inc.
– @sucuri_security
– @perezbox
• Specialization:
– Website Security
– Incident Handling
• Special Interests:
– Brazilian JiuJitsu
5/17/2014
Tony Perez | @perezbox |
@sucuri_security
2
• Website Security Company
• Global Operations
• Platform Agnostic (i.e., WordPress, Joomla, etc..)
• Scan 2M Unique Domains a Month
• Block 4M web attacks a Month
• Remediate 400 – 500 websites a day
• Signature / Heuristic Based
• 24/7 operations
Statistics
2013 – Year of the Mega Breach
[Chart: Data Breaches (Millions), 2011 vs 2013]
Anatomy of Malicious Websites
[Chart: Malicious Websites vs Legitimate Websites]
Legitimate Websites
[Chart: Legitimate Websites split into Not-Exploitable vs Exploitable]
1 in 8 - Critical Vulnerability
Ransomware Explosion
[Chart: Ransomware, 2012 vs 2013]
Malware Distribution
[Pie chart. Categories: Remote iFrame Includes, Remote JavaScript Includes, SPAM Injections, Obfuscated / Encoded JavaScript, Conditional Redirects, Defacements, Other. Values shown: 26%, 19%, 16%, 14%, 11%, 4%, 10%]
Understanding Hackers
Anatomy of Website Attacks
What kind of website do you have?
• Use for malware?
• Part of a zombie network?
• Data breach?
Five Stages of an Attack
Automated Attacks
• Exploiting Access Control
Distribution Mechanism
There’s a Tool for that
• Malware as a Service (MaaS)
  – Yes, pay someone to hack for you
• Different tools to break in and generate payloads
  – Brute force and vulnerability exploits
Malware Payloads
Why?
Impacts To You
Beyond The Application Layer
• Going deeper than the application layer, targeting the server itself.
• Server polymorphism – a.k.a. highly adaptive / sophisticated
• Darkleech
• Cdork (Apache)
• Ebury (SSH)
• Email Server (SPAM)
• Heartbleed (OpenSSL)
Phishing Lures
Exploiting Forms
• Stick with reputable sources
• Generating SPAM emails, resource hogs
• IP blacklisting
Search Engine Poisoning (SEP)
• Pharmacy
• Payday Loans
Blacklisting
Drive By Downloads
Brute Force Attacks
Denial of Service (DOS)
Brute Force vs Denial of Service
Trust Erosion
Free is not always Free
• http://blog.sucuri.net/2014/03/unmasking-free-premium-wordpress-plugins.html
- SEOPresser
  - Payload located: wp-content/plugins/seo-pressor(gratuit)
  - File: central.class.php
- Flat Skins Pack Extension
  - Payload located: wp-content/restrict-content-pro/includes/
  - File: sidebar.php
- Restrict Content Pro
  - Payload located: wp-content/ubermenu-skins-flat
Don’t Worry, Everyone is a “Target”
Defenses
Biggest Weakness / Vulnerability
It’s About Good Posture
Starts With Expectations
“It’s about risk reduction… risk will never be zero…”
[Diagram: Posture vs Risk]
Defense in Depth
“…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”
Layered Defenses
• Protection
• Detection
• Auditing
• Sustainment
Access – P@ssw0rd
• Passwords
Complex – Long – Unique
Enforce Strong Credentials
Push the Access Boundaries
• https://getclef.com/ | @getclef
Principle of Least Privilege
“requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.”
Understand Your Roles
Hardening – Kill PHP
• PHP Execution, disable it in:
  • /wp-includes
  • /wp-content
    ▪ /themes
    ▪ /plugins
    ▪ /uploads
• .htaccess rule placed in each of those directories (Apache 2.2 syntax; Apache 2.4 uses "Require all denied" in place of "Deny from all"):
    <Files *.php>
    Deny from all
    </Files>
Disable Plugin / Theme Editor
• WP-CONFIG File Modification
# Disable Plugin / Theme Editor (add to wp-config.php)
define('DISALLOW_FILE_EDIT', true);
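Added example, not from the slides or from Sucuri: a POSIX shell audit that checks a WordPress tree for the hardening points above (DISALLOW_FILE_EDIT in wp-config.php, a `<Files *.php>` deny rule in the listed directories) plus the "D 755 | F 644" permission rule from the Simple Steps slide, and flags PHP files sitting under uploads. It assumes a standard WordPress layout under the root directory passed in; the sample site it builds is constructed for the demo.

```shell
#!/bin/sh
# Audit a WordPress install against the deck's hardening points.
# Constructed example: build_sample_site creates a fake site in a temp dir.

# True when wp-config.php sets DISALLOW_FILE_EDIT to true. PHP's define()
# is case-insensitive (hence -i); quote style and spacing are tolerated.
wp_editor_disabled() {
    grep -Eiq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# True when directory $1 carries an .htaccess with a <Files *.php> block that
# denies access: Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied".
php_exec_blocked() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -Eiq '<Files[[:space:]]+\*\.php>' "$f" || return 1
    grep -Eiq '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$f"
}

# Number of PHP files under $1. The uploads tree should hold media only, so
# any hit is something the site owner should look at.
php_in_uploads() {
    find "$1" -type f -iname '*.php' | wc -l | tr -d ' '
}

# Directories whose mode is not 755 plus files whose mode is not 644 under $1.
perm_violations() {
    d=$(find "$1" -type d ! -perm 755 | wc -l | tr -d ' ')
    f=$(find "$1" -type f ! -perm 644 | wc -l | tr -d ' ')
    echo $((d + f))
}

# Run every check against WordPress root $1 and print one OK/FAIL line each.
# Note: denying PHP in wp-content/plugins can break plugins that serve PHP
# files directly, so test the rule on staging before relying on it.
audit_wordpress() {
    root="$1"
    if wp_editor_disabled "$root/wp-config.php"; then
        echo "OK   DISALLOW_FILE_EDIT is set in wp-config.php"
    else
        echo "FAIL DISALLOW_FILE_EDIT missing: plugin/theme editor is usable"
    fi
    for dir in wp-includes wp-content/themes wp-content/plugins wp-content/uploads; do
        [ -d "$root/$dir" ] || continue   # skip directories this install lacks
        if php_exec_blocked "$root/$dir"; then
            echo "OK   PHP execution denied via .htaccess in $dir"
        else
            echo "FAIL no <Files *.php> deny rule in $dir"
        fi
    done
    n=$(php_in_uploads "$root/wp-content/uploads")
    [ "$n" -eq 0 ] && echo "OK   no PHP files under uploads" \
                   || echo "FAIL $n PHP file(s) under uploads"
    n=$(perm_violations "$root")
    [ "$n" -eq 0 ] && echo "OK   all directories 755 and files 644" \
                   || echo "FAIL $n path(s) deviate from D 755 / F 644"
}

# Constructed sample tree: uploads is hardened, themes and plugins are not,
# one stray PHP file sits under uploads, and two paths have bad modes.
build_sample_site() {
    root="$1"
    mkdir -p "$root/wp-content/uploads/2014/05" "$root/wp-content/plugins" "$root/wp-content/themes"
    printf '%s\n' '<?php' "define('DISALLOW_FILE_EDIT', true);" > "$root/wp-config.php"
    printf '%s\n' '<Files *.php>' 'Deny from all' '</Files>' > "$root/wp-content/uploads/.htaccess"
    printf 'not really an image\n' > "$root/wp-content/uploads/2014/05/photo.jpg"
    printf '<?php /* constructed stray file */\n' > "$root/wp-content/uploads/2014/05/image.php"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 777 "$root/wp-content/plugins"   # constructed violation: world-writable dir
    chmod 666 "$root/wp-config.php"        # constructed violation: world-writable config
}

demo=$(mktemp -d)
build_sample_site "$demo"
audit_wordpress "$demo"
rm -rf "$demo"
```

Point audit_wordpress at a real document root to get the same OK/FAIL report for a live install.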
Brute Force Attacks
Please Backup
Software Vulnerabilities
• Stay current with the latest vulnerabilities:
– Secure - http://wordpress.org/plugins/secure/
Brute Force Protection
• Local Protection
– https://bruteprotect.com/ | @BruteProtect
Stay Current (Update)
Website Firewalls
• Stay ahead of Software Vulnerabilities
Ensure Integrity of Connection
• https://www.getcloak.com/ | @getcloak
Simple Steps to Reduce Risk
Ideal implementations:
1. Employ Website Firewall
2. Don’t let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers
The Bare Minimum:
1. Connect Securely – SFTP / SSH
2. Authentication Keys / wp-config
3. Use Trusted Sources
4. Use a local Antivirus – MAC too
5. Permissions - D 755 | F 644
6. Least Privilege Principles
7. Accountability
8. Backups – Include Database
Notable Resources
Name – Tool
Sucuri Blog – http://blog.sucuri.net
Sucuri TV – http://sucuri.tv
Malware Scanner – http://sitecheck.sucuri.net
Malware Scanner – http://unmaskparasites.com
Badware Busters – https://badwarebusters.org
Google Forums – http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
Google Webmaster Tools – http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia Security Advisories – http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB – http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
WordPress Hacked FAQ – http://codex.wordpress.org/FAQ_My_site_was_hacked
WordPress Hardening – http://codex.wordpress.org/Hardening_WordPress
Sucuri, Inc.
Tony Perez
http://sucuri.net
http://blog.sucuri.net
@perezbox | @sucuri_security
http://www.slideshare.net/perezbox/website-security-wordpress-its-about-the-basics
