Building a Better Security Posture

Post on 15-Feb-2017


TRANSCRIPT

https://www.sucuri.net https://blog.sucuri.net

Who are we?

● Globally distributed website security team

● Website Antivirus + Firewall

● Clean hundreds of websites per day

● Protect against countless attacks

● Platform agnostic

Who am I?

● Ben Martin @rngdmstrben

● Remediation Lead and malware slaya' at Sucuri

● Hails from Victoria BC

● ~2 years at the company cleaning websites

● Security / online privacy geek

● Music Producer & cat enthusiast

Building a Better Security Posture

● Security matters: All websites get attacked!

● Responsibility & safety

● Attackers go after low hanging fruit

● Peace of Mind

Security can be complicated but the principles are actually very simple :)

What is 'Security Posture'?

● Security is not just a service or software that can be purchased

● Security is an attitude

● Development of good habits

● Critical thinking + wee bit of healthy paranoia

There are NO silver bullet security solutions!

Be Proactive Not Reactive

● “We are intuitive. We drink water before we become dehydrated. We sleep before we become overtired. Most of the time, we automatically defend ourselves from germs and viruses, because we have consciously (and unconsciously) focused on preventative maintenance for our bodies and minds...Spend more time preventing problems and less time fixing issues that result from a compromise”

David L. Prowse

Common Myth!

● “Bob must have gone to some website that he shouldn't have!”

● All types of websites get attacked/compromised regardless of content

● You don't have to go to “sketchy” websites to find malware

Popular CMS = Targeted CMS

● WP is more than 20% of the Internet!

● Common targets for attackers

● Vulnerable plugins + themes are a big problem

Why would someone want to hack ME!?

● Automation – targeted attacks are usually reserved for big companies

● Same thing that motivates most bad behaviour: Money! $$$

● Phishing, malicious redirects, drive by downloads, blackhat SEO

● Defacements / Hacktivism

Security is a Priority

● We all want our websites to have excellent content, look nice and be easy to use. Add security to that list!

● You are responsible as a site owner

● Check up on your site security every time you log in – familiarize yourself with your environment

● Learn to recognize when something is out of place

What is POOR Security Posture?

● Avoiding plugin, theme & core updates

● Using “freemium” (pirated) plugins, themes or other software

● Lumping multiple websites/subdomains into the same hosting account

● Relying on the assumption that you won't be hacked because it is unlikely (?)

Responsibility

● Responsibility to protect your site visitors & yourself

● Protect your reputation & hard work! “Is this site safe?”

● Consider security a priority from day one

● Your visitors trust you & your website

Plugins

● Out of date / vulnerable software is the leading cause of website infection

● Less is more

● Decrease the attack surface

● Avoid old plugins and update update update!!!

● Also helps speed/memory of site

Passwords

● The other leading cause of infection

● Pass123 = no bueno

● Automated password attacks

● Reusing passwords = no bueno

● Use secure, encrypted protocols like SFTP or FTPS

Backups

● Backup your website. Always. ALWAYS.

● Your best friend on a rainy day

● Store them offline in a safe place

● Learn how to restore via FTP & database – this goes a long way

Practical Steps to Take

● UPDATE UPDATE UPDATE!!!

● Don't keep old software on your server

● Use a security plugin (Sucuri Scanner, Wordfence, iThemes, etc)

● Consider a firewall – paid & free options available

Practical Steps to Take pt. 2

● Default settings are inherently unsafe for all software/hardware!

● Exercise least privilege

● Disable the in-dashboard file editor: define( 'DISALLOW_FILE_EDIT', true ); in wp-config.php

● Verify your file permissions and ownership ( 644, 755 )
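The permission and ownership check from this slide, as an added example that is not code from the talk or from Sucuri. It audits a web root against the 644 (files) / 755 (directories) baseline, reports anything not owned by the expected account, and applies the baseline only when explicitly asked. The sample tree it builds is constructed for the demo; GNU find (-printf) is assumed, so this is written for a Linux host.

```shell
#!/bin/sh
# Added example, not code from the talk or from Sucuri: audit a web root
# against the 644 (files) / 755 (directories) baseline named on the slide,
# check ownership, and optionally apply the baseline. Relies on GNU find
# (-printf), i.e. a Linux host.

# audit_perms ROOT
#   One line per deviation: "<dir|file> <octal mode> <path>".
audit_perms() {
  find "$1" -type d ! -perm 755 -printf 'dir  %m %p\n'
  find "$1" -type f ! -perm 644 -printf 'file %m %p\n'
}

# audit_owner ROOT USER
#   One line per path not owned by USER (the account that should own the site).
audit_owner() {
  find "$1" ! -user "$2" -printf 'owner %u %p\n'
}

# count_deviations ROOT USER -> prints the total number of findings
count_deviations() {
  n=$(audit_perms "$1" | wc -l)
  m=$(audit_owner "$1" "$2" | wc -l)
  echo $((n + m))
}

# fix_perms ROOT [apply]
#   Dry run unless the second argument is "apply". Take a backup first.
fix_perms() {
  if [ "$2" = "apply" ]; then
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
  else
    echo "dry run: would chmod 755 directories and 644 files under $1"
  fi
}

# make_sample_tree -> prints the path of a constructed tree with exactly two
# deliberate deviations: a world-writable uploads directory and a 666 file.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/wp-content/uploads"
  chmod 755 "$t" "$t/wp-content"
  printf '<?php // sample\n' > "$t/index.php"
  printf 'sample\n' > "$t/wp-content/uploads/note.txt"
  chmod 644 "$t/index.php"
  chmod 777 "$t/wp-content/uploads"
  chmod 666 "$t/wp-content/uploads/note.txt"
  echo "$t"
}

# Demo on the constructed tree (never point fix_perms at a live site
# without a backup).
demo_tree=$(make_sample_tree)
echo "before: $(count_deviations "$demo_tree" "$(id -un)") finding(s)"
audit_perms "$demo_tree"
fix_perms "$demo_tree" apply
echo "after:  $(count_deviations "$demo_tree" "$(id -un)") finding(s)"
rm -rf "$demo_tree"
```

Run it as-is to see the two findings disappear after the fix; on a real site, run audit_perms and audit_owner first and review the list, since some hosts legitimately need a different owner for uploads.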

Lock Down /wp-admin

● Don't use admin name 'admin'

● Employ the use of a CAPTCHA

● Restrict access by IP address

● Don't forget to monitor who's logging in
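The automated password attacks from the Passwords slide and the "restrict by IP" and "monitor who's logging in" points from this slide, as one added detection example that is not code from the talk or from Sucuri. It reads Apache combined-format access log lines (field positions assumed: $1 client IP, $6 method, $7 path), counts login POSTs per client, flags clients over a threshold, and lists any login attempt from an address not on an allowlist. The log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the talk or from Sucuri: detection logic for
# "monitor who's logging in" and "restrict access by IP", run over constructed
# Apache combined-format access log lines. Field positions assume the
# standard combined format ($1 client IP, $6 method, $7 request path).

# login_posts LOG -> "<count> <ip>" for every client that POSTed to
# /wp-login.php, most active first.
login_posts() {
  awk '$6 == "\"POST" && $7 == "/wp-login.php" { c[$1]++ }
       END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# flag_bruteforce LOG THRESHOLD -> IPs with at least THRESHOLD login POSTs
flag_bruteforce() {
  login_posts "$1" | awk -v t="$2" '$1 + 0 >= t + 0 { print $2 }'
}

# outside_allowlist LOG ALLOWFILE -> IPs that attempted a login but are not
# listed (one IP per line) in ALLOWFILE; useful when /wp-admin is meant to be
# reachable only from known addresses.
outside_allowlist() {
  login_posts "$1" | awk -v allow="$2" '
    BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
    !($2 in ok) { print $2 }'
}

# write_sample_log PATH: constructed log. 203.0.113.9 hammers the login form
# with a scripted client; 198.51.100.7 is the administrator (the 302 after a
# POST is the redirect WordPress issues on a successful login).
write_sample_log() {
  cat > "$1" <<'EOF'
192.0.2.33 - - [15/Feb/2017:09:58:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Feb/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.12"
203.0.113.9 - - [15/Feb/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.12"
203.0.113.9 - - [15/Feb/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.12"
203.0.113.9 - - [15/Feb/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.12"
203.0.113.9 - - [15/Feb/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.12"
203.0.113.9 - - [15/Feb/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.12"
198.51.100.7 - - [15/Feb/2017:10:05:44 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Feb/2017:10:05:51 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Demo on the constructed log with a one-entry allowlist.
log=$(mktemp); allow=$(mktemp)
write_sample_log "$log"
echo 198.51.100.7 > "$allow"
echo "login attempts per IP:";         login_posts "$log"
echo "brute-force candidates (>=5):";  flag_bruteforce "$log" 5
echo "logins from outside allowlist:"; outside_allowlist "$log" "$allow"
rm -f "$log" "$allow"
```

Point the functions at your real access log to get the same three views; a client that shows up in both the brute-force and the outside-allowlist lists is the one to block at the firewall.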

Sucuri Scanner WP Plugin (free)

● Security activity auditing

● File integrity monitoring

● Remote malware scanning

● Website hardening
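The file integrity monitoring feature listed above, as an added example of how such a check works; this is not code from the talk or from the Sucuri Scanner plugin. It records a SHA-256 baseline of every file under a web root and later reports which files were added, modified or removed, which is also the first thing to run when the "What if I get hacked" question comes up. The demo site it builds is constructed; GNU coreutils (sha256sum, sort -z) are assumed, and paths containing whitespace are not handled by the awk comparison.

```shell
#!/bin/sh
# Added example, not from the talk or from the Sucuri Scanner plugin: a
# minimal file integrity monitor. Takes a SHA-256 baseline of a web root and
# later reports added, modified and missing files. Uses GNU coreutils
# (sha256sum, sort -z); paths with whitespace are not handled.

# fim_baseline ROOT OUTFILE: record "<sha256>  ./relative/path" per file
fim_baseline() {
  ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$2"
}

# fim_check ROOT BASELINE -> sorted lines "added|modified|missing <path>"
fim_check() {
  cur=$(mktemp)
  fim_baseline "$1" "$cur"
  # First input is the baseline (path -> hash); second is the current state.
  awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
       { seen[$2] = 1
         if (!($2 in old))       print "added    " $2
         else if (old[$2] != $1) print "modified " $2 }
       END { for (p in old) if (!(p in seen)) print "missing  " p }' \
      "$2" "$cur" | sort
  rm -f "$cur"
}

# make_demo_site -> prints the path of a constructed two-file site
make_demo_site() {
  s=$(mktemp -d)
  printf '<?php echo "home";\n' > "$s/index.php"
  printf '<?php // config\n'    > "$s/wp-config.php"
  echo "$s"
}

# Demo: baseline, then simulate one edit, one deletion and one new file.
site=$(make_demo_site); base=$(mktemp)
fim_baseline "$site" "$base"
echo "clean check (expect no output):"; fim_check "$site" "$base"
printf '// changed\n' >> "$site/index.php"
rm "$site/wp-config.php"
printf 'x\n' > "$site/dropped.txt"
echo "after changes:"; fim_check "$site" "$base"
rm -rf "$site" "$base"
```

Keep the baseline file outside the web root (ideally with your offline backups) and regenerate it right after every update you make yourself, so that the only differences the check ever reports are ones you did not make.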

What if I get HACKED!?!?1

● This is when you really appreciate being proactive

● Website compromises are stressful but don't panic!

● Every problem has a solution

● Not a bad idea to disclose to your visitors

Protect Yourself Online

● All this talk about malware, how do I stay safe!?

● Antivirus obviously (yes even if you have a Mac)

● Practice good / responsible browsing habits

● Security browser extensions – NoScript, AdBlock, HTTPS Everywhere

● Web browser security can be annoying & inconvenient but is very important

visitorTracker_isMob( ){

● Very aggressive campaign targeting multiple vulnerabilities

● Ultimate goal is to redirect users to Nuclear Exploit Kit (Ransomware, Cryptolocker, other exploits)

● Many thousands of websites infected + blacklisted
