website security - it begins with good posture
TRANSCRIPT
It Starts With Good Posture
Website Security (WordPress)
04/11/2023
@PEREZBOX
• Sucuri, Inc.
– @sucuri_security
– @sucurisupport
– @sucurilabs
– @perezbox
• Specialization:
– Website Security
– Incident Handling
• Special Interests:
– Brazilian JiuJitsu
Tony Perez | @perezbox | @sucuri_security 2
• Website Security Company
• Global Operations
• Platform Agnostic (i.e., WordPress, Joomla, etc.)
• Scan 2M Unique Domains a Month
• Block 4M web attacks a Month
• Remediate 400 – 500 websites a day
• Signature / Heuristic Based
• 24/7 operations
Statistics
Anatomy of Malicious Websites
[Chart: Malicious Websites / Legitimate Websites; 85%]
Legitimate Websites
[Chart: Not-Exploitable / Exploitable; 77%]
1 in 8 - Critical Vulnerability
Hacks Affecting Users
Top 4 Symptoms
• Malicious Redirects (i.e., abuse your traffic)
• Backdoors (i.e., Bypass Access Controls)
• Phishing (i.e., Spear Phishing Campaigns)
• Search Engine Poisoning (i.e., Pharma, etc.)
Obviously many more, but these are the most prevalent.
Malicious Redirect
Malicious Redirects
• Easy / Medium to Detect
– Be mindful of conditionals
• Looking for Integrity Issues
– Has something been modified?
• Common location[s]:
– .htaccess
– index.php
– footer.php
– header.php
• Biggest Issue
– Redirectors are becoming highly complex
– Employing heavy conditional elements
Phishing
Phishing, Cntd..
• Difficult to Detect Remotely
• Looking for Integrity Issues
– Is something somewhere it doesn’t belong?
• Common location[s]:
– wp-includes
– Theme Directories
• Biggest Issue
– It can be anywhere
– Fully contained
Backdoors
Backdoors, cntd…
• Can’t detect remotely, only locally
• Looking for Integrity Issues
– Is something somewhere it doesn’t belong?
• Common location[s]:
– wp-includes
– Root Directory
• Biggest Issue
– Allows attacker to bypass your access controls
– Provides full control of the environment
• Common terms:
– is_bot
– eval
– base64_decode
– fopen
– fclose
– readfile
– edoced_46esab
– exec
– system
– shell_exec
– gzuncompress
– popen
– FilesMan

grep -RPl --include='*.php' "(system|exec|passthru|shell_exec|base64_decode|eval) *\(" /var/www
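The integrity questions on the redirect, phishing and backdoor slides ("Has something been modified?", "Is something somewhere it doesn't belong?") can be answered by comparing the live tree with a known-good copy, then running the term search only on files that changed. This is an added example, not part of the original deck, and it goes beyond the single grep above; the function names, the known-good copy (a clean backup or a fresh download of the same release) and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example, not from the original deck. Function names, the known-good
# copy and the sample tree are assumptions; newlines in file names unsupported.

# Call-style matches for functions named on the "Common terms" slide.
TERMS='eval|base64_decode|gzuncompress|shell_exec|system|exec|passthru|popen'

# suspect FILE: succeed if FILE calls one of the listed functions.
suspect() {
    grep -Eiq "(^|[^a-z0-9_])($TERMS) *\(" "$1"
}

# integrity_report GOOD_DIR LIVE_DIR prints one line per finding:
#   MODIFIED path    in both trees, content differs
#   UNEXPECTED path  only in the live tree
#   MISSING path     only in the known-good tree
# " SUSPECT" is appended when a changed or new .php file passes suspect().
integrity_report() {
    good=$1; live=$2
    (cd "$live" && find . -type f | sort) | while IFS= read -r rel; do
        rel=${rel#./}; note=''
        if [ ! -f "$good/$rel" ]; then state=UNEXPECTED
        elif cmp -s "$live/$rel" "$good/$rel"; then continue
        else state=MODIFIED
        fi
        case $rel in
            *.php) if suspect "$live/$rel"; then note=' SUSPECT'; fi ;;
        esac
        echo "$state $rel$note"
    done
    (cd "$good" && find . -type f | sort) | while IFS= read -r rel; do
        rel=${rel#./}
        [ -f "$live/$rel" ] || echo "MISSING $rel"
    done
}

# Constructed sample: a clean copy and a live copy with two changes.
demo_integrity() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good/wp-includes" "$tmp/live/wp-includes" "$tmp/live/wp-content/uploads"
    echo '<?php echo "home";' > "$tmp/good/index.php"
    echo '<?php function wp_version() { return "x"; }' > "$tmp/good/wp-includes/version.php"
    cp "$tmp/good/wp-includes/version.php" "$tmp/live/wp-includes/version.php"
    # Modified entry point; the encoded string is the harmless "echo 1;".
    echo '<?php eval(base64_decode("ZWNobyAxOw==")); echo "home";' > "$tmp/live/index.php"
    # A PHP file where only media belongs.
    echo '<?php echo "form";' > "$tmp/live/wp-content/uploads/login.php"
    integrity_report "$tmp/good" "$tmp/live"
    rm -rf "$tmp"
}
demo_integrity
```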
Example of Complexity
Search Engine Poisoning
Search Engine Poisoning, cntd..
• Targets Search Engines (i.e., Google, Bing, Yahoo)
• Looking for Integrity Issues
– Have your posts / pages been modified?
• Common location[s]:
– index.php (root, theme, plugins, etc.)
– header.php
– footer.php
– Embedded in Database (Posts / Pages)
• Biggest Issue
– Continues to evolve
– Highly conditional
– Not within visible range – often offscreen
Indicators of a Hack
Search Engines have gotten pretty good at detecting issues – Google blacklists over 10 thousand websites a day.
Anatomy of Attacks
Phase of an Attack
Recon Identify Attack Decisions Sustain
Use for malware? Part of a zombie network? Data breach?
What kind of website do you have?
Automated Attacks
WP-ADMIN
Themes / Plugins Payload
Exploiting Access Control
Distribution Mechanism
Malicious Links
Social Media
Email Links Website
Text Messages
There’s a Tool for that
• Malware as a Service (MaaS)
– Yes, pay someone to hack for you
• Different tools to break in and generate payloads
– Brute force and vulnerability exploits
– Malware Payloads
Why?
Happening To Everyone
It’s About Posture
Begins with Posture
Posture
Risk
“Risk will never be zero, but it can be reduced”
It’s About Good Posture
Security Posture
Principles
Access
Vulnerabilities
Layered Defenses
Protection Auditing
Detection Sustainment
Defense in Depth
“…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”
Access – P@ssw0rd
• Passwords
Complex – Long - Unique
Enforce Strong Credentials
Auditing (Monitor Activity)
Auditing Questions
• Understand what is going on at all times
– Who is logging in?
– Who is trying to log in?
– What files are changing?
– Has a post been created?
– Has a page been created?
– Are there any integrity issues?
Principle of Least Privilege
“requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.”
Understand Your Roles
Hardening – Kill PHP
PHP Execution, disable it:
• /wp-includes
• /wp-content
▪ /themes
▪ /plugins
▪ /uploads

<Files *.php>
Deny from all
</Files>
Disable Plugin / Theme Editor
• WP-CONFIG File Modification

# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
Brute Force Attacks
Backups – It’s Your Safety Net
Software Vulnerabilities
• Stay current with the latest vulnerabilities:
– Secure - http://wordpress.org/plugins/secure/
Stay Current (Update)
Website Firewalls
• Stay ahead of Software Vulnerabilities
Ensure Integrity of Connection
• https://www.getcloak.com/ | @getcloak
Google Webmaster
Simple Steps to Reduce Risk
Ideal implementations:
1. Employ Website Firewall
2. Don’t let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers

The Bare Minimum:
1. Connect Securely – SFTP / SSH
2. Authentication Keys / wp-config
3. Use Trusted Sources
4. Use a local Antivirus – Mac too
5. Permissions - D 755 | F 644
6. Least Privilege Principles
7. Accountability
8. Backups – Include Database
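Three of the items above and on the hardening slides can be verified mechanically: DISALLOW_FILE_EDIT in wp-config.php, the <Files *.php> deny rule in the listed directories, and "D 755 | F 644". The script below is an added example, not part of the original deck; audit_wp, demo_audit and the sample tree are hypothetical, and the check also accepts the Apache 2.4 form "Require all denied" in place of "Deny from all".

```shell
#!/bin/sh
# Added example, not from the original deck. audit_wp, demo_audit and the
# sample tree are assumptions made for illustration.

# audit_wp WP_ROOT: print one FAIL line per finding; return 1 if any.
audit_wp() {
    root=$1; rc=0
    # Plugin / theme editor must be disabled in wp-config.php.
    if ! grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" \
            "$root/wp-config.php" 2>/dev/null; then
        echo "FAIL editor: DISALLOW_FILE_EDIT is not true in wp-config.php"; rc=1
    fi
    # The directories from the hardening slide need a .htaccess that denies *.php.
    for d in wp-includes wp-content/themes wp-content/plugins wp-content/uploads; do
        [ -d "$root/$d" ] || continue
        ht=$root/$d/.htaccess
        if ! { grep -Fq '<Files *.php>' "$ht" &&
               grep -Eiq 'deny from all|require all denied' "$ht"; } 2>/dev/null; then
            echo "FAIL php-exec: no PHP deny rule in $d/.htaccess"; rc=1
        fi
    done
    # Anything writable by group or other is looser than D 755 | F 644.
    loose=$(cd "$root" && find . \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) | sort)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's|^|FAIL perms: |'; rc=1
    fi
    return $rc
}

# Constructed sample tree: editor enabled, uploads unprotected, one 666 file.
demo_audit() {
    t=$(mktemp -d); s=$t/site
    mkdir -p "$s/wp-includes" "$s/wp-content/uploads"
    echo '<?php // no hardening constants' > "$s/wp-config.php"
    printf '<Files *.php>\nDeny from all\n</Files>\n' > "$s/wp-includes/.htaccess"
    echo x > "$s/wp-content/uploads/a.jpg"
    chmod -R u=rwX,go=rX "$s"; chmod 666 "$s/wp-content/uploads/a.jpg"
    audit_wp "$s" && st=0 || st=$?
    rm -rf "$t"; return $st
}
demo_audit || true
```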
Notable Resources (Name: Tool)
• Sucuri Blog: http://blog.sucuri.net
• Sucuri TV: http://sucuri.tv
• Malware Scanner: http://sitecheck.sucuri.net
• Malware Scanner: http://unmaskparasites.com
• Badware Busters: https://badwarebusters.org
• Google Forums: http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
• Google Webmaster Tools: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
• Exploit-DB: http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
• WordPress Hacked FAQ: http://codex.wordpress.org/FAQ_My_site_was_hacked
• WordPress Hardening: http://codex.wordpress.org/Hardening_WordPress
Dealing with a Hack
• Dealing with Malware: http://blog.sucuri.net/2012/10/dealing-with-todays-wordpress-malware.html
• Leveraging Google Webmaster Tools: http://www.unmaskparasites.com/malware-warning-guide/
• Google Webmaster Tools (Hacked): http://www.google.com/webmasters/hacked/
• Understanding Google’s Blacklists: http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-your-hacked-website-and-removing-from-blacklist.html
• Clearing Your Website with Free Scanner: http://blog.sucuri.net/2013/10/cleaning-up-your-wordpress-site-with-the-free-sucuri-plugin.html
• WordPress Tips & Tricks: http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html
Sucuri, Inc.
Tony Perez
http://sucuri.net
http://blog.sucuri.net
@perezbox | @sucuri_security
@sucurilabs | @sucurisupport