This talk, presented by Krystle Herbrandson at WordCamp Boston 2016, breaks down website security at its most fundamental level and makes the point that there is no 100% solution out there, and there never will be.
Security is about technology, processes, and people, and we need to know how to mitigate risk in these areas.
Website Security Frustrations and How Sites Get Hacked
1. The Frustrations with Website Security
Krystle Herbrandson | @kherbrandson #WCBOS
WHAT YOU’RE IN STORE FOR?
• Creating a security risk posture for your website
• Understand Hosting and its role in security
• How to differentiate Security Firewalls
• Dispelling the myth of “Why would anyone hack me?”
• Understanding how websites get hacked
• WP security essentials, tools and resources
Slides Available here: http://goo.gl/ShzPcL
[Chart] Websites powered by WordPress: 26.5%. CMS market share owned by WordPress: 59.6% (Source: W3Tech). Sites upgraded to version 4.0+: 87.5%.
Hosting Environment
• Shared Servers: Popular choice in hosting for its cost savings. Multiple sites share memory and processing power from one server.
• Virtual Private Servers (VPS): A VPS provides a protected, set amount of memory and processing power. A physical server is partitioned into multiple VPSs.
• Dedicated Servers: Most expensive option; provides the full capacity of a physical server’s resources. Highly customizable, with the added benefit of control.
• Recommendation: Isolate site groups from one another to help mitigate the risk of infection spreading across all properties.
Differentiating Security Firewalls
Resource: https://blog.sucuri.net/2016/04/ask-sucuri-differentiate-security-firewalls.html
Dispel the Myth: “Why would anyone hack me?”
Resource: https://blog.sucuri.net/2015/02/why-websites-get-hacked.html
July 2016 – 1.05 Billion Websites
Source: Internet Live Stats
Targeted Attacks
• Occurs .001% of the time
• There is a specific “target”
• How the attack will happen is unknown
• The exploit is unknown, defined by what is found
• There is enough motivation and return
• Automated / Manual
• High level of skill / expertise
• Personal (i.e., political, competitor, hatred)
• Method of attack for organizations
Attacks of Opportunity
• Occurs 99.99% of the time
• Don’t have a specific “target”
• The attack is known
• The exploit is known, low-hanging fruit
• The motivation and return depend on mass effect
• Mostly automated
• Low-mid level skill / expertise
• Not personal (i.e., wrong place, wrong time)
• Method of attack for websites
Automation
• Key in today’s attacks, making it the most effective way to affect tens of thousands of websites at the same time (i.e., maximum exposure and increased potential for success)
• Introduces efficiency and effectiveness into the attack sequence, enabling less skilled adversaries (i.e., a new breed of script kiddies)
• Allows bad actors to be faster to the draw in targeting new software vulnerabilities
• Enabled by the development and expansion of global bot networks (botnets)
Motivations
REVENUE
• Make money off your website or its resources
• Earning potential could be based on stealing information (i.e., data exfiltration)
• Impression-based affiliate marketing schemes
• Criminal enterprises
AUDIENCE
• Make money off your audience
• Extremely valuable to attackers
• Ability to take advantage of the trust you’ve built with your followers / customers
RESOURCES
• Make money off your resources
• Abuse of the infrastructure supporting your website
• Integrated into larger criminal networks (a.k.a. botnets)
LULZ
• It’s not about the money
• Bored, why not?
• If it allows me to access it, why wouldn’t I?
• Badge of honor amongst peers!
• Hacktivism
How do Websites Get Hacked?
https://blog.sucuri.net/2015/05/website-security-how-do-websites-get-hacked.html
How Websites Get Hacked
• Access Control
• Software Vulnerabilities
• Cross-site Contamination
• Third-Party Integrations
• Hosting
Access Control
• Refers to how access is restricted to specific areas, places, or things.
• Website access control extends to all applications that provide some form of access to the web environment:
• How do you log into your WP-Admin?
• How do you log into your Hosting Administration Panel?
• How do you log into your Server? (i.e., FTP, SFTP, SSH)
• How do you log into your Computer?
• When thinking about access control, think beyond the website application.
• Attacks on access control often come in the form of brute-force attacks.
Software Vulnerabilities
• Refers to bugs in code that can be abused to perform nefarious acts. They include things like:
• SQL Injection (SQLi), Cross-Site Scripting (XSS), Remote Code Execution (RCE), Remote File Inclusion (RFI), etc.
• Familiarize yourself with the Open Web Application Security Project (OWASP), specifically the OWASP Top 10.
• CMS applications struggle with vulnerabilities in their extensible parts (i.e., plugins, themes, extensions, modules, etc.)
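To make the first item on that list concrete, here is the defect behind SQL injection next to its fix. This is an added example for this page, not code from the talk; it uses Python with an in-memory SQLite database as a stand-in for the PHP/MySQL stack WordPress plugins actually run on (the pattern is the same: never splice user input into SQL text, bind it as a parameter). Table, rows and function names are constructed here.

```python
import sqlite3


def setup_db():
    """Constructed in-memory database standing in for a plugin's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (login, role) VALUES (?, ?)",
        [("alice", "administrator"), ("o'brien", "editor")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, login):
    """Defective pattern: the input becomes part of the SQL text, so any quote
    character in it is parsed as SQL syntax rather than as data."""
    sql = "SELECT login, role FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchone()


def find_user_safe(conn, login):
    """Hardened pattern: a bound parameter is sent to the engine separately from
    the statement, so its content is only ever treated as a value."""
    return conn.execute(
        "SELECT login, role FROM users WHERE login = ?", (login,)
    ).fetchone()


def demo():
    """Run both versions on a legitimate login that happens to contain a quote."""
    conn = setup_db()
    results = {
        "safe_plain": find_user_safe(conn, "alice"),
        "safe_quote": find_user_safe(conn, "o'brien"),
    }
    try:
        find_user_vulnerable(conn, "o'brien")
        results["vulnerable_quote"] = "no error"
    except sqlite3.OperationalError:
        # The engine saw  WHERE login = 'o'brien'  and rejected the broken statement.
        results["vulnerable_quote"] = "OperationalError"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable version fails on an ordinary name with an apostrophe, which is the tell: if a quote in user input changes how the statement parses, an attacker controls part of the query. The parameterised version returns the editor row correctly, and the same discipline (bound parameters for every user-supplied value) is what closes the injection class rather than any filtering of "bad" characters.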
Cross-site Contamination
• Refers to the lateral movement an attacker makes once inside the web server.
• This is an internal attack, not an external one: an attacker gains entry into the web server via a vulnerable site, then uses that foothold to leapfrog into all other websites on the same server.
• It is often the contributing factor in a number of reinfections: website owners focus on the affected website and its symptoms, but spend little time looking at the websites that show no external signs of compromise.
• Rampant in environments that do not employ functional isolation on the web server and that use improper permissions and configurations.
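The isolation and permission problems named in this section, and the "isolate site groups from one another" recommendation on the Hosting Environment slide, can both be checked mechanically. The audit below is an added example for this page, not a tool from the talk or from Sucuri: it walks a site's document root for world-writable entries and a wp-config.php readable by other local users, and separately reports sites that share one system account (any compromise of one is a compromise of all). It builds a constructed two-site tree in a temporary directory to demonstrate; the function names and the site-to-user mapping are assumptions made here.

```python
import os
import shutil
import stat
import tempfile
from collections import defaultdict


def audit_site_tree(docroot):
    """Walk one site's document root and return sorted (relative path, problem) pairs.

    Flags anything writable by 'other' (every account on the box could modify it)
    and a wp-config.php that 'other' can read or write (it holds DB credentials).
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # the link target is judged when the walk reaches it
            rel = os.path.relpath(full, docroot)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if name == "wp-config.php" and mode & stat.S_IRWXO:
                findings.append((rel, "wp-config.php accessible to other users"))
    return sorted(findings)


def shared_users(site_users):
    """site_users maps site name -> system user the site runs as.

    Returns {user: [sites]} for each user serving more than one site; those sites
    are not isolated from each other at the operating-system level.
    """
    by_user = defaultdict(list)
    for site, user in site_users.items():
        by_user[user].append(site)
    return {u: sorted(s) for u, s in by_user.items() if len(s) > 1}


def _make(path, mode, content=None):
    """Helper for the constructed demo tree: a dir (content None) or file, explicit mode."""
    if content is None:
        os.makedirs(path, exist_ok=True)
    else:
        with open(path, "w") as fh:
            fh.write(content)
    os.chmod(path, mode)


def demo():
    """Build two constructed sites, one sloppy and one hardened, and audit both."""
    root = tempfile.mkdtemp()
    try:
        lax = os.path.join(root, "siteA")  # constructed: lax permissions
        _make(lax, 0o755)
        _make(os.path.join(lax, "wp-content"), 0o755)
        _make(os.path.join(lax, "wp-content", "uploads"), 0o777)
        _make(os.path.join(lax, "wp-config.php"), 0o644, "<?php /* constructed */")
        tight = os.path.join(root, "siteB")  # constructed: hardened
        _make(tight, 0o755)
        _make(os.path.join(tight, "wp-content"), 0o755)
        _make(os.path.join(tight, "wp-content", "uploads"), 0o755)
        _make(os.path.join(tight, "wp-config.php"), 0o600, "<?php /* constructed */")
        return {
            "findings": {"siteA": audit_site_tree(lax), "siteB": audit_site_tree(tight)},
            # Assumed mapping: two sites run as the shared web server account.
            "shared_users": shared_users(
                {"siteA": "www-data", "siteB": "www-data", "siteC": "sitec"}
            ),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run the two functions over real document roots and a real site-to-user inventory before an incident, not after: a clean report from `audit_site_tree` on every site plus an empty result from `shared_users` is what "functional isolation" looks like in practice, and any entry in either report is a path an attacker in one site could take into another.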
Third-Party Integrations
• Third-party integrations refer to a number of things; the most prevalent one affecting security is the integration of ads and their associated ad networks.
• These integrations introduce a weak link into the security chain, where ad networks are attacked and used to penetrate unsuspecting websites: malvertising.
• Malvertising is the act of manipulating ads to distribute malware, often in the form of malicious redirects and drive-by downloads.
• Exceptionally difficult to detect because of their conditional nature, and the fact that they are outside of the website environment.
Hosting
• It’s been a long time since there has been a mass compromise of a large shared-hosting provider (circa 2011).
• The issues with hosts today revolve around hosts that aren’t really hosts: organizations that try to offer a complete solution (marketing / development / security / hosting / SEO, etc.).
• Inexperienced service providers introduce confusion and noise into an already crowded marketplace.
• They know enough to be dangerous, but rarely house the in-house skills or knowledge.
• They contribute to a number of cross-site contamination issues due to poor configurations.
Infection Types
• Malware Distribution
• Search Engine Poisoning
• Spam Email
• Phishing Lures
• Defacement
• DDoS/Bots/Backdoors
• Ransomware
Type | Description | Motivation Association
Malware Distribution | Drive-by downloads; end-points are the target | Revenue, Audience
Search Engine Poisoning (SEP) | Search Engine Result Pages (SERP); pharma / casino / luxury goods | Revenue, Audience
Phishing Lures | Email / social phishing campaigns; financial / credential theft | Revenue, Audience
Spam Email | Email spam campaigns; leverage your server / IP / domain | Revenue, Audience, Resource
Defacement | Hacktivism | Lulz
DDoS/Bot Scripts/Backdoors | Server-level scripts; abuse resources / access control | Revenue, Resource
Ransomware | Hold you hostage; hold your audience hostage | Revenue, Audience
Data Exfiltration | Steal data from your environment; e-commerce / PCI | Resource, Audience
Thinking Website Security
How to improve your WordPress security posture
THE IMPACTS OF COMPROMISE
• Business: Brand, Economic, Emotional Distress
• Technical: Website Blacklisting, SEO Impacts, Visitor Compromise
Business Impacts
Brand Reputation
• Your brand is made up of the unique user experience you offer through your design, content, product offering and services.
• Your website, and the experience your audience has on it, plays a critical part in the reputation of that brand.
• Tolerance is the highest it’s ever been around website compromises, so reputation is recoverable.
• Loss of trust in your brand can drive your audience to look for alternatives to your brand.
Economic Impacts
• Our research has shown a little over 90% drop in traffic immediately following a compromise; that number goes up if a website gets blacklisted.
• Whether your website leverages ads, static content, or sells product, it directly or indirectly helps your business generate some form of revenue / exposure.
• Costs associated with post-compromise services, including time / money spent on tools, education and consultation.
Emotional Distress
• Anxiety – nothing ever goes fast enough
• Confusion – unclear what steps to take, who to talk to, where to start
• Anger – you want to reach across the matrix and shake someone
• Sadness – a general feeling of feeling overwhelmed, exhausted
• Distrust – an erosion of trust in technology, internet, people
Technical Impacts
Website Blacklisting
• The most impactful, in that it has the ability to deter people from reaching your website and its content / product / services.
• Blacklists extend beyond search engines like Google and Bing; they can also be found in end-point antivirus solutions like Malwarebytes, Norton, ESET, McAfee and so many others.
• This can lead to your website being flagged globally in large networks (i.e., Cisco, Websense, etc.).
SEO Impact
• The ability to control or manipulate what search engines see when they crawl your website leads to dirty Search Engine Result Pages (SERP) and impacts your Domain Authority and value.
• Injection of keywords and phrases that might be contrary to your brand (things like Viagra, Cialis, casinos, Gucci), using those references to redirect your website to other sites.
• Directly tied to the credibility of the website, and potentially affects the blacklisting of your website with search engines like Google, Bing, and others.
Visitor Compromise
• Malware distribution can include various forms of “drive-by download” attempts that look to install nefarious applications on your visitors’ machines (i.e., rogue antivirus systems).
• Websites can be used to attack browser plugins like Java, Flash, Adobe and other technologies. They can also be used to attack other websites within the same browser.
• Compromises include the distribution of malware like ransomware that can encrypt local environments, making them unusable until the user pays a fine.
Technology will never replace your responsibility as a website owner.
Tips For Managing Website Security
1. Employ Defense in Depth principles: layers, like an onion. Complement your tools; one may fail, so it’s important to have a next step. Example: a firewall in conjunction with continuous monitoring and detection.
2. Leverage best practices like Least Privilege: not everyone needs administrative privileges.
3. Place emphasis on how people access your website, leveraging things like Multi-Factor and Two-Factor Authentication.
4. Protect yourself against the exploitation of software vulnerabilities through use of a Website Firewall; focus on known and unknown attacks.
5. Backups are your friends, your safety net; try to have at least 60 days available.
6. Register your website with search engines: Google and Bing have Webmaster Tools; leverage their infrastructure to tell you the health of your website.
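Tip 3 recommends two-factor authentication without saying what the second factor actually checks. The block below is an added example for this page, not code from the talk or from any WordPress plugin: it implements the time-based one-time password algorithm (RFC 6238, built on RFC 4226 HOTP) that authenticator apps use, together with the verifier-side details that matter for security: a small tolerance for clock drift, a constant-time comparison, and rejection of an already-used counter so an observed code cannot be replayed. The shared secret used in the usage line is the RFC test-vector secret; the function names and the `last_counter` argument are choices made here.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, skew=1, last_counter=-1):
    """Verifier side. Accepts the code for the current step or `skew` steps either
    side of it (clock drift between phone and server). Returns the matched counter,
    or None. The caller persists the returned value and passes it back as
    `last_counter` next time, so a code that was already accepted is refused even
    while it is still inside the tolerance window."""
    current = int(unix_time) // step
    for delta in range(-skew, skew + 1):
        counter = current + delta
        if counter <= last_counter:
            continue  # already consumed (or older than the last accepted code)
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real deployment
    # generates a random per-user secret and shares it once via QR code.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    print("accepted at counter:", verify_totp(secret, code, now))
    print("replay refused:", verify_totp(secret, code, now, last_counter=now // 30))
```

The stored `last_counter` is what turns a second factor into a one-time factor: without it, a code captured from a phishing page stays valid for up to 90 seconds under the default skew. The same code is also why the tip pairs with Least Privilege: a second factor on the administrator accounts limits what a stolen or guessed password alone can reach.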
Tools to Help Mitigate Online Risk
INFOSEC Institute WP Security Plugins: http://resources.infosecinstitute.com/7-best-wordpress-security-plugins/
PCMag Password Managers (my pick: LastPass): http://www.pcmag.com/article2/0,2817,2407168,00.asp
Backups, WPBeginner Pros & Cons: http://www.wpbeginner.com/plugins/7-best-wordpress-backup-plugins-compared-pros-and-cons/
How did my WP Site get Hacked, a Tutorial: https://blog.sucuri.net/2015/08/ask-sucuri-how-did-my-wordpress-website-get-hacked-a-tutorial.html
WPScan, how to install the WP vulnerability scanner: https://blog.sucuri.net/2015/10/install-wpscan-wordpress-vulnerability-scan.html
WP-CLI Series, Secure WordPress Management: https://blog.sucuri.net/2015/07/wp-cli-guide-connect-to-wordpress-via-ssh-intro.html
Q & A
Tweet us @SucuriSecurity using #AskSucuri
THANK YOU!