Sucuri Webinar: Website Security for Web Agencies
•Als PPTX, PDF herunterladen•
1 gefällt mir•956 views
Are you working with a Web Agency? Is your company responsible for the websites of other businesses? In this webinar we covered the implications of a security breach and why security should be important to your Web Agency. After seeing this material you will be able to answer the question: “What can I do to reduce the risk to our business and our clients” by exploring a 3 tiered approach to web security: Prevention, Detection, Response
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Sucuri Webinar: Website Security for Web Agencies
Ähnlich wie Sucuri Webinar: Website Security for Web Agencies (20)
Mehr von Sucuri
Mehr von Sucuri (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (15)
Sucuri Webinar: Website Security for Web Agencies
- 5. • • •
- 7. • • • • • •
- 8. • •
- 15. What is the cost to the agency? • • • • • •
- 17. IDENTIFY PROTECT DETECT RESPOND RECOVER
- 18. IDENTIFY PROTECT DETECT RESPOND RECOVER • • • • •
- 19. IDENTIFY PROTECT DETECT RESPOND RECOVER
- 20. IDENTIFY PROTECT DETECT RESPOND RECOVER • • • Access Control
- 21. IDENTIFY PROTECT DETECT RESPOND RECOVER • • • Access Control • • • Hosting
- 22. IDENTIFY PROTECT DETECT RESPOND RECOVER • • • Access Control • • • Hosting • • • • Software Vulnerabilities
- 23. IDENTIFY PROTECT DETECT RESPOND RECOVER • • • • • • • •
- 24. IDENTIFY PROTECT DETECT RESPOND RECOVER • • • • • • •
- 25. IDENTIFY PROTECT DETECT RESPOND RECOVER • • •
- 26. • • • •
- 27. • • •
- 28. • • •
- 33. • https://perezbox.com/2017/05/website-security-framework-intro • https://blog.sucuri.net/2017/07/cross-site-contamination-and-how- to-prevent-it.html • https://perezbox.com/2017/06/password-management/ • https://perezbox.com/2015/08/security-and-hosting- environments
Hinweis der Redaktion
- Survey Questions -- Next
- Fredericton, New Brunswick, Canada Security is a part of who I am
- 1 – We can only scratch the surface today. This is a big conversation. 2 – This information is general and may not fit or apply to you. Everyone has different needs.
- The agency is the trusted party by the website owner Much of what the client learns about web technology will be from you The agency has the ability to drastically effect the state of website security Provide advocacy in not only core services but security The sites contribute to the overall issues Responsibility to Educate them on providing a safe experience We do not have the ability to turn a blind eye -
- Communicate - Open us a dialogue with your clients, employees, coworkers, stakeholders Educate on the risks, implications, and the value of implementing your recommended Security approach As GI Joe used to say: “Now you know, and knowing is half the battle”
- When?
- Example Project Life Cycle
- Security is often introduced at the end of the cycle
- Should be part of the discussion from the beginning and throughout the process.
- Brand Reputation- Your brand is made up of the unique user experience you offer through your design, content, product offering and service Your website, and the experience your audience has plays a critical part in the reputation of that brand Tolerance is the highest it’s ever been around website compromises, so reputation is recoverable Loss of trust in your brand can drive your audience to look for alternatives to your brand Economic Our research has shown a little over 90% drop in traffic immediately following a compromise, that number goes up if a website gets blacklisted Whether your website leverages ads, static content, or sells product, it directly or indirectly helps your business generate some form of revenue / exposure Costs associated with post-compromise services, to include time / money spent on tools, education and consultation Emotional Distress Anxiety – nothing ever goes fast enough Confusion – unclear what steps to take, who to talk to, where to start Anger – you want to reach across the matrix and shake someone Sadness – a general feeling of feeling overwhelmed, exhausted.. Distrust – an erosion of trust in technology, internet, people Website Blacklisting The most impactful in that it has the ability deter people from reaching your website and it’s content / product / services SEO The ability to control or manipulate what Search Engines see when they crawl your website, leading to dirty Search Engine Result Pages (SERP), impacts to your Domain Authority and Value Directly tied to the creditability of the website, and potentially affects the blacklisting of your website with search engines like Google, Bing, and others. Visitor Compromise Malware distribution can include various forms of “Drive by Download” attempts that look to install nefarious applications on your visitors machines (i.e., rogue AntiVirus systems)
- So, here we are. We understand the risks, we are going communicate with our clients and prospects and educate them on Security…. Now, how to I approach security. Drawing from Tony Perez’s article on perezbox.com – “basic website security framework”
- Principle of Least Priviledged User This principle is about: - Using the minimal set of privileges on a system in order to perform an action. - Granting those privileges only for the time the action is necessary. Passwords – Complex + Long + Random Leverage Password Management tools User Authentication 2FA Captcha
- Shared hosting has a bad rep due to the earlier days when there were major exploitations due to poor sys admin VPS, requires more advance sys admin skills The issue is more with the number of sites associated to a hosting account - Cross contamination Cross-site contamination is when a site is negatively affected by neighboring sites within the same server due to poor isolation on the server or account configuration. This phenomenon is one of the greatest contributors to the VPS/Dedicated/Shared hosting secure or insecure debate. The greatest contributor to cross-site contamination is what I call soup-kitchen servers. Soup-kitchen servers are those environments riddled with every installation and configuration known to man. It might include 10’s or 100’s of different sites or different platforms (i.e., Drupal, Joomla, WordPress, etc.). The problem isn’t the quantity. They might also include sites in different phases of their lives – development, staging, production. The biggest culprits of these configurations are agencies, freelance developers, and aspiring hosts. 1 – If you are using an external FW, use it on all sites and be sure direct access to the server (hosting IP) is restricted 2 -
- Shared hosting has a bad rep due to the earlier days when there were major exploitations due to poor sys admin VPS, requires more advance sys admin skills The issue is more with the number of sites associated to a hosting account - Cross contamination Cross-site contamination is when a site is negatively affected by neighboring sites within the same server due to poor isolation on the server or account configuration. This phenomenon is one of the greatest contributors to the VPS/Dedicated/Shared hosting secure or insecure debate. The greatest contributor to cross-site contamination is what I call soup-kitchen servers. Soup-kitchen servers are those environments riddled with every installation and configuration known to man. It might include 10’s or 100’s of different sites or different platforms (i.e., Drupal, Joomla, WordPress, etc.). The problem isn’t the quantity. They might also include sites in different phases of their lives – development, staging, production. The biggest culprits of these configurations are agencies, freelance developers, and aspiring hosts. 1 – If you are using an external FW, use it on all sites and be sure direct access to the server (hosting IP) is restricted 2 -
- Thank you and we’re ready for questions