This document discusses WordPress security and outlines a security lifecycle approach including best practices, maintenance, protection, detection, and response. It emphasizes implementing defense in depth with layered defenses, principle of least privilege, and function isolation. Key aspects of maintenance include user management, backups, account management and software management. Protection involves stopping attacks through measures like denial of service protection, brute force protection, and application hardening. Detection identifies security events through activity monitoring, security scanning, and indicators of compromise. Response addresses incidents through handling and considering business impacts. The document promotes the importance of security for audiences and businesses.
6. “As a species, we are risk averse when it comes to gains, but risk seeking when it comes to loss…”
- Bruce Schneier, BlackHat 2014
State of Incident Response
#wceu @perezbox | @sucuri_security
7. Why should I worry about security?
17. “The biggest weakness we face as a community in security is also its greatest strength as a platform – its extensibility and ease of use.”
- Tony Perez
18. Diving into the WordPress Security LifeCycle
19. Best Practice / Principles
The Foundation
20. Best Practice/Principles
• Defense in Depth
– Layered Defenses
• Principle of Least Privilege
– 20 admins?
• Function Isolation (Production vs Staging vs Testing)
– Soup Kitchen Servers
27. Response
How do you address the problem?
28. Response
• Incident Handling
• What’s an Incident?
• Brand / Business Impacts
29. The WordPress security plugin ecosystem
http://blog.sucuri.net/2014/09/understanding-the-wordpress-security-plugin-ecosystem.html
30. Access Control – Login
33% of infected websites come from poor credentials and user management
31. Access Control
• Whitelisting Access
• Two Factor Authentication
• Password Managers
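One way to put the “Whitelisting Access” bullet into practice, as an added example that is not from the deck or from Sucuri: an Apache 2.4 `.htaccess` fragment that only lets allowlisted source addresses reach the login endpoint and refuses `xmlrpc.php` outright. The addresses are placeholders from the documentation ranges; substitute your own.

```apacheconf
# Added example, not from the original deck. Apache 2.4 syntax (2.2 uses
# Order/Allow/Deny instead of Require). Place in the site's .htaccess or vhost.

# Only the office range and one fixed home address may load the login form.
# Everyone else gets a 403 before WordPress or PHP ever run, which also
# takes the load of brute-force traffic off the application.
<Files "wp-login.php">
    Require ip 203.0.113.0/24
    Require ip 198.51.100.17
</Files>

# xmlrpc.php accepts credentials too (and multicall batches of them); deny it
# unless something you rely on, such as Jetpack or the mobile apps, needs it.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

Two caveats a practitioner will want: a source-address allowlist breaks for anyone on a dynamic or mobile connection, so pair it with a VPN exit address you control rather than widening the list; and it is an outer layer, not a replacement for two-factor authentication, which still catches a stolen password used from inside the allowlist.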
32. Online Habits
Your security goes beyond just the application
33. Online Habits
• Local AntiVirus – Mac / Windows
• Personal Virtual Private Networks
• Auto Play / Enabled JS
34. When all else fails, enlist the help of professionals
35. Get in touch
Let’s get social:
• Twitter: @perezbox
• Twitter: @sucuri_security
• Facebook: /SucuriSec
Read what I write:
• http://blog.sucuri.net
• http://tonyonsecurity.com
Editor's Notes
You open your window and take a moment to take in the magnificent views Amsterdam has to offer… you’re midway through a week-long trip that has taken you from the comforts of home to far-off lands where you will be engaging with the community you love, but in a region you have never been to. You’re excited, you’ve brought your team with you, everything that appears to be a priority is in place and ready…
Take a moment to feel what it’s like to know something is wrong. Take a moment to feel vulnerable, out of control. I want you to feel the lump in your throat, to feel the heat in your face as the blood rises and you feel yourself slowly get angry…
Now imagine the feelings you get as you stare at this serene picture of Amsterdam. Look at the beauty in the picture, the reflections of the light on the water, the calmness in the air, you can almost feel the state of mind as you stare at this beautiful picture..
Bing…
You have just received an email… It reads, “I think something is wrong… I think we’ve been hacked…”
You’ve been hacked… it impacts your users and you have no choice but to disclose… There is perhaps no worse experience for a website owner today… the emotional response within the first 24 / 48 hours is like nothing you have experienced…
What do you do? What do you say? How do you say it? What went wrong? How could this happen?
These are but a fraction of the questions going through your mind…
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
It doesn’t hit you at first.. But eventually it does and the gravity of the situation becomes a very real thing… “You’ve been Hacked” a “Vulnerability has been Found in your code”
There is no denying that the next couple of hours will be the hardest you have ever experienced.. Everything will be amplified.. The emotions will be raw… the media will not be your friend, the online trolls will grasp at your misfortunes in ways that you’d never expect…
This, this is the harsh reality of security.. This is the side of security that we don’t talk about, but that I live daily… Whether you write content or sell products… the emotions are the same, they’re just relative to your environment but they aren’t any less or more important…
My name is Tony Perez, and today we’re going to talk about Posture and how it relates to WordPress Security
I have only 25 minutes to wow you with the details that make up the complex world of security, so if I go too fast, I apologize now… I will cram in, as effectively as I can, the most pertinent pieces of the domain.
As for who I am, I own and operate a website security company called Sucuri. I am a website security blogger and professional. My life revolves around my family, website security, business and BJJ, if you want to talk about any of those things let’s definitely catch up..
At Sucuri we take our work very seriously. We mitigate a little over 40 million attacks a month these days and remediate over 400 websites a day. Websites of all calibers, from WordPress to custom ASP sites; it’s indifferent to us…
Our passion is the evolution and state of website security across the entire spectrum…
I give a lot of talks on website security, and there is one constant… always provide the audience context… it helps answer the very real and serious questions that every website owners asks themselves when it comes to Security…
All of a sudden panic sets in. Your email and phone ping; you check and it’s from your sysadmin. You’re staring at it as if in disbelief. You find yourself looking at the words as if they were written in Chinese and you realize the inevitable has happened…
The last thing you ever considered is now a reality… your stomach is in a knot… and you feel like throwing up….
When I talk to this I talk to three key elements that should impact every website owner.. Your Audience, Your Business, and Your Responsibility.
Yes, I know they said it was going to be easy. All you had to do was deploy your new WordPress site using the infamous 5 minute install, set it and forget it.. In minutes you would be on your way to delivering content around the world.
What they likely didn’t tell you, though, is that, like the process of writing content, the management and administration of your website are just as important.
What they likely didn’t tell you is that as you build an audience and build your business, your responsibility to ensure the integrity of your website increases exponentially.
Intuition is simple: one user is boring, 1,000,000 users are more exciting… the more people in the network, the more valuable it is. Think the WordPress ecosystem.
Think 23% ownership of the web space, think what happens as that number continues to grow to 25%, 30%, 50%... The value of the platform and user network grows exponentially, that growth attracts more attention, and in security that equates to attacks and compromises. And so we have to adjust our way of thinking, treat the domain of WordPress security more professionally and recognize the entire process from a more holistic standpoint…
Cyber crime has matured as an industry, today you find established Demand / Supply chains
It’s because of this that you must understand that attacks come in various forms, in various “payloads”
We often hear of the term “Malware” – also known as “Malicious Software” what we don’t realize however is that it’s used as a generic, catch all term, but often there are various other non-malware related infections that you should be mindful of.
Remember also that what you see is often but 10% of the problem, only the tip of the iceberg…
You have to be mindful of malware distribution, but also of abuses of your web server resources, things like email spam, phishing lures, DDoS scripts, IRC bots and several other infections / attacks.
And so to achieve this I think it’s time we start changing the way we talk about security, especially WordPress Security.
We have to start evolving our thoughts from the “Top 10 Things You must Do” to something that is a bit more encompassing..
To do this you must first begin by appreciating what Security is truly about, and that is risk management.
It’s not a domain of absolutes, your risk of a compromise will never be zero but that is why there are well established security protocols and processes defined to help you.
These protocols and practices are all things that talk to your security posture.. And as that posture increases in strength, your risk reduces to a manageable level
And so let’s take a look at the traditional Security Wheel in Information Security.. What you see here is a process relationship between the three pillars of Protection, Detection and Response.. This model exists because as security professionals we know and understand that no one piece of the wheel is a 100% solution, yet as a community we fail to grasp this concept and we tune our brain to understand security as a linear process that can be achieved via X, Y and Z changes…
This wheel though makes a number of assumptions that are widely recognized across the Information Technology stack but something that we have lost perspective online as we focus heavily on this concept of oversimplification…
Oversimplification in the way we code. Oversimplification in the way we explain the platform. Oversimplification of the responsibilities associated with website management and administration.
First we have to expand the wheel with the concept of maintenance… and
Finalize the security wheel with Best Practices and Principles….
What you should realize as you look at the wheel above is that it is not a linear process… it’s not something you do and forget…
Each one of these categories, these domains are complex and could make up their own series of presentations but let’s take a minute to dive into each as succinctly as possible..
And this is an issue that extends beyond just WordPress. It’s something that all of today’s popular applications / frameworks suffer from, some more than others of course.
So let’s take the few minutes we have to quickly dive through the various facets of the lifecycle and see if we can’t better appreciate how things fit…
Many don’t realize how much risk they can reduce with basic concepts like Defense in Depth and the Principle of Least Privilege.
Defense in Depth is a principle that talks to layered defenses, in which you understand and realize that it’s a series of tools and processes that make up your security posture, not any single thing. Least privilege talks specifically to the administration of user accounts; you should be asking yourself, does everyone need to be an admin?
This last one is one I can’t stress enough; I also call it soup kitchen servers. Soup kitchen servers lead to something known as Cross-Site Contamination, a concept where attackers can leapfrog from site to site in your own environment. I bundle it, though, into a much larger category of function isolation. Too often we see organizations, large and small, mixing functions: email servers with web servers, web servers with file servers, etc. Isolate each function and categorize it appropriately, production vs staging vs testing, each having its own security protocols.
This slide alone could be broken into several presentations, several hours each.
When we think maintenance we have to appreciate how complex a process this is, and with it you’ll find a number of basic administration tasks, from basic user management to ensuring you have adequate backups and keeping your software stack current (in other words, updating).
How can you have a security talk these days without spending some time talking about the various security incidents of the past few months? Granted, Sucuri has been at the forefront of most of these disclosures.
It is, however, a peek into the reality we live every day. Brute force and Denial of Service attacks are at all-time highs, and it’s likely that today’s highs will be tomorrow’s normal. This explosion is due in large part to the formation of a very mature business ecosystem for bad actors (hackers).
Just as with the predecessors of websites, desktops and infrastructure, we have to start thinking of ways to proactively stop these attacks from penetrating your websites. The more common technique has always been application-level hardening, but it leaves much to be desired and does very little for things like exploitation of software vulnerabilities.
There is a concept known as Indicators of Compromise. It’s not as common as many would like it to be, but it talks to the focus required on the various events that make up a compromise. Most often focus solely on the event itself, but when you analyze and understand the attack in its entirety you gain a much deeper appreciation for those indicators.
Remember that your Detection category is tightly coupled with your Protection category. Many like to ask, well if I have protection, why do I need detection..
That is the wrong question to ask…
What you should be asking is:
What should I be looking for as a possible indicator in the event my protection fails?
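What that question looks like in practice, as an added example that is not code from the talk or from Sucuri: a small indicator-of-compromise pass over web-server access log lines. It flags a burst of failed logins to wp-login.php from one address, a successful login from an address that was just brute forcing, a flood of POSTs to xmlrpc.php, and any PHP file being served out of wp-content/uploads, where only media should live. The log lines are constructed (Apache “combined” format, RFC 5737 test addresses) and the thresholds are assumptions to tune per site; the 200-versus-302 distinction is real WordPress behaviour (a bad password re-renders the form, a good one redirects to wp-admin).

```python
"""Indicator-of-compromise checks over web-server access logs.

Added example for this page, not code from the talk or from Sucuri. The log
lines are constructed (Apache "combined" format, RFC 5737 test addresses) and
the thresholds are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime

# One "combined" log line: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["path"] = event["path"].split("?", 1)[0]   # drop the query string
    return event


def max_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_indicators(log_lines, login_threshold=10, window_seconds=60):
    """Return (indicator, source_ip, detail) tuples for four WordPress-specific signals:
    a burst of failed logins, a successful login from an IP that was brute forcing,
    a flood of xmlrpc.php POSTs, and PHP being served out of wp-content/uploads."""
    findings = []
    failed_logins = defaultdict(list)      # ip -> timestamps of failed wp-login.php POSTs
    successful_logins = defaultdict(int)   # ip -> count of wp-login.php POSTs answered 302
    xmlrpc_posts = defaultdict(int)

    for event in filter(None, map(parse_line, log_lines)):
        ip, path, method, status = event["ip"], event["path"], event["method"], event["status"]
        if method == "POST" and path.endswith("/wp-login.php"):
            # WordPress re-renders the form (200) on a bad password and
            # redirects (302) to wp-admin on success.
            if status == "302":
                successful_logins[ip] += 1
            else:
                failed_logins[ip].append(event["ts"])
        elif method == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc_posts[ip] += 1
        elif "/wp-content/uploads/" in path and path.lower().endswith(".php") and status != "404":
            # Uploads should hold media, never executable code. Anything but a 404
            # means the file exists (a 403 means a deny rule caught it; still look).
            findings.append(("php_in_uploads", ip, path))

    for ip, times in failed_logins.items():
        burst = max_in_window(times, window_seconds)
        if burst >= login_threshold:
            findings.append(("login_brute_force", ip, burst))
            if successful_logins[ip]:
                findings.append(("login_success_after_brute_force", ip, successful_logins[ip]))
    for ip, count in xmlrpc_posts.items():
        if count >= login_threshold:
            findings.append(("xmlrpc_abuse", ip, count))
    return findings


# Constructed sample: 12 failed logins from one address inside a minute, then a
# 302 (the guess worked); ordinary traffic with a single mistyped password; and a
# PHP file answering from the uploads directory, plus a probe that 404s.
SAMPLE_LOG = (
    [f'203.0.113.7 - - [10/Sep/2014:10:00:{s:02d} +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"'
     for s in range(12)]
    + ['203.0.113.7 - - [10/Sep/2014:10:00:12 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '198.51.100.4 - - [10/Sep/2014:10:01:00 +0200] "GET / HTTP/1.1" 200 9832 "-" "Mozilla/5.0"',
       '198.51.100.4 - - [10/Sep/2014:10:01:05 +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
       '192.0.2.9 - - [10/Sep/2014:10:02:00 +0200] "GET /wp-content/uploads/2014/09/cache.php?cmd=id HTTP/1.1" 200 512 "-" "curl/7.37"',
       '192.0.2.9 - - [10/Sep/2014:10:02:01 +0200] "GET /wp-content/uploads/shell.php HTTP/1.1" 404 201 "-" "curl/7.37"']
)

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(*finding)
```

On the sample this reports the uploads hit from 192.0.2.9, a 12-attempt burst from 203.0.113.7 and the success that followed it, and nothing for 198.51.100.4. The point of the last two findings together is the one the slide makes: the burst alone is a protection event (block the address), but the 302 after it is the indicator that protection failed and the response process starts (rotate that user’s password, review what the session did).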
There is perhaps no more devastating event to your business than when you realize you have been hacked.
How do you get the word out?
What do you say?
How much do you disclose?
We know we all love to throw stones from our own glass houses…
What is your protocol in the event of an incident? Are you naïve to think it will never happen to you? What about your clients? How do you assure them that in the event of an incident they have a way out?
What does an incident look like? ToS violation, Host disables your website, Google Blacklists your website, Users can’t access your website because it’s being blocked.. We have seen sites go from 40,000 visits a day to 400 after a compromise.. Think of the impacts that could have to your brand to your business…
With that being said, instead of giving you a list of security plugins and tools.. I prefer to help you think of security plugins a bit differently..
Too often I see recommendations for various tools, but we often don’t fully grasp or understand how they fit in the spectrum of WordPress Security. I wrote an article about it, it’d take too long to go through it here.. So take some time to read it…
Trustwave reports in their analysis that 33% of the compromises they see today are attributed to access control exploits – in short, poor access control management leading to compromises. This number is too high..
We need to do a better job… we need to