Top Banner
Website Security via Sucuri Navigating The Online Security Landscape Roadmap to a Safe User Experience
58

Navigating Online Threats - Website Security for Everyday Website Owners

Jul 16, 2015

Download

Technology

Tony Perez
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Navigating Online Threats - Website Security for Everyday Website Owners

Website Security via Sucuri

Navigating The Online Security Landscape

Roadmap to a Safe User

Experience

Page 2: Navigating Online Threats - Website Security for Everyday Website Owners

Tony Perez

@perezbox | @sucuri_security | http://perezbox.com | http://tonyonsecurity.com

Page 3: Navigating Online Threats - Website Security for Everyday Website Owners

@sucuri_security | https://sucuri.net

Who are we?

• Mitigate 50 million+ attacks a month.

• Scan over 3 million+ domains

• Respond to 500 + security incidents

• Secure 300,000 + websites like yours.

We clean and protect

websites, so you don't have

to.

Page 4: Navigating Online Threats - Website Security for Everyday Website Owners

Who am I?

❖ Work at Sucuri

❖ Website Security Professional

❖ Security blogger

❖ Business blogger

❖ Technology blogger

❖ and..

Page 5: Navigating Online Threats - Website Security for Everyday Website Owners
Page 6: Navigating Online Threats - Website Security for Everyday Website Owners

“As website owners we have a responsibility to 1)ensure that those that interact with our websites have a safe online experience and 2) to be good stewards of the internet by ensuring our websites

aren’t abusing it’s resources. ”

Tony Perez | Sucuri

Page 7: Navigating Online Threats - Website Security for Everyday Website Owners

Let’s build the foundation

from which we will understand

today’s threats.

Page 8: Navigating Online Threats - Website Security for Everyday Website Owners

Let’s Start With a Website

Page 9: Navigating Online Threats - Website Security for Everyday Website Owners

Environment

Page 10: Navigating Online Threats - Website Security for Everyday Website Owners

❖ Regardless of where the website lives, the environments

are complex.

❖ There are a number of interconnecting components that

make your website operate.

❖ It’s a combination of hardware and software, meshed

together, that brings it to life.

Page 11: Navigating Online Threats - Website Security for Everyday Website Owners

Your Blog

Page 12: Navigating Online Threats - Website Security for Everyday Website Owners

The Platform that Powers Your Blog

(e.g., WordPress, Joomla, Blogger)

Page 13: Navigating Online Threats - Website Security for Everyday Website Owners

The Web Server that Runs Your Platform

(e.g., Apache, NGINX, IIS)

Page 14: Navigating Online Threats - Website Security for Everyday Website Owners

Everything That Powers Your Web Server

(e.g., Linux, Windows, ASP, PHP, Databases)

Page 15: Navigating Online Threats - Website Security for Everyday Website Owners

Complexity does not begin to describe the various components required to

keep your website functional.

Page 16: Navigating Online Threats - Website Security for Everyday Website Owners

Granted not all things are equal…

Page 17: Navigating Online Threats - Website Security for Everyday Website Owners

Managed Environments

vs

Self-Hosted Environments

Page 18: Navigating Online Threats - Website Security for Everyday Website Owners

Types of Configurations

MANAGED

❖ wordpress.com

❖ squarespace.com

❖ wix.com

❖ tumbler.com

❖ rainmaker.com

SELF-HOSTED

❖ wordpress.org

❖ godaddy.com

❖ bluehost.com

❖ joomla.org

❖ dreamhost.com

Page 19: Navigating Online Threats - Website Security for Everyday Website Owners

Threats exist regardless of which approach you take. The difference, like most things in security, comes down to

your personal risk posture.

Page 20: Navigating Online Threats - Website Security for Everyday Website Owners

Website Attack Vectors

MANAGED

❖ Access Control

SELF-HOSTED

❖ Acces Control

❖ Exploitation of software

vulnerabilities

❖ Exploitation of web server

environment

Page 21: Navigating Online Threats - Website Security for Everyday Website Owners

Today’s Online Threats

Page 22: Navigating Online Threats - Website Security for Everyday Website Owners

The online landscape is diverse, and our websites are a critical piece of

that diversity.

Page 23: Navigating Online Threats - Website Security for Everyday Website Owners

Behavior

Page 24: Navigating Online Threats - Website Security for Everyday Website Owners
Page 25: Navigating Online Threats - Website Security for Everyday Website Owners

Why would anyone hack my website?

Your Audience !

Your Readers !

Your Resources!

Your Ranking!

Page 26: Navigating Online Threats - Website Security for Everyday Website Owners

1 - Economic Gain

Page 27: Navigating Online Threats - Website Security for Everyday Website Owners

2 - Hacktivism

Page 28: Navigating Online Threats - Website Security for Everyday Website Owners

3 - Boredom

Page 29: Navigating Online Threats - Website Security for Everyday Website Owners

Impacts to your

Website / Your Brand

Page 30: Navigating Online Threats - Website Security for Everyday Website Owners

Search Engine Poisoning

Page 31: Navigating Online Threats - Website Security for Everyday Website Owners

Search Engine Result

Pages (SERP) are our

prized possessions as

content creators.

It takes months, if not

years to build good

ranking. Yet, minutes to

lose and months to rebuild.

Page 32: Navigating Online Threats - Website Security for Everyday Website Owners

Drive By Downloads

Page 33: Navigating Online Threats - Website Security for Everyday Website Owners
Page 34: Navigating Online Threats - Website Security for Everyday Website Owners

Blacklisting

Page 35: Navigating Online Threats - Website Security for Everyday Website Owners
Page 36: Navigating Online Threats - Website Security for Everyday Website Owners

Defacements

Page 37: Navigating Online Threats - Website Security for Everyday Website Owners
Page 38: Navigating Online Threats - Website Security for Everyday Website Owners

What can we do?

Page 39: Navigating Online Threats - Website Security for Everyday Website Owners

Let’s Talk Security

Page 40: Navigating Online Threats - Website Security for Everyday Website Owners

“As a species, we are risk adverse when it comes to gain, but risk seeking when it comes to loss…”

- Bruce Scheier (BlackHat 2014)

Page 41: Navigating Online Threats - Website Security for Everyday Website Owners

Security is about risk

management; specifically

risk reduction not risk

elimination.

Page 42: Navigating Online Threats - Website Security for Everyday Website Owners

Security Begins with Good Posture

Page 43: Navigating Online Threats - Website Security for Everyday Website Owners

1 - Defense in Depth

Page 44: Navigating Online Threats - Website Security for Everyday Website Owners
Page 45: Navigating Online Threats - Website Security for Everyday Website Owners
Page 46: Navigating Online Threats - Website Security for Everyday Website Owners
Page 47: Navigating Online Threats - Website Security for Everyday Website Owners

2 - Access Control

Page 48: Navigating Online Threats - Website Security for Everyday Website Owners
Page 49: Navigating Online Threats - Website Security for Everyday Website Owners

3 - Software Vulnerabilities

Page 50: Navigating Online Threats - Website Security for Everyday Website Owners

Software vulnerabilities are

beyond most of our abilities.

Leverage a Website Firewall

(WAF).

Page 51: Navigating Online Threats - Website Security for Everyday Website Owners

4 - Good Administration

Page 52: Navigating Online Threats - Website Security for Everyday Website Owners

Good administration is so much

more than updates, but let’s start

there.

Page 53: Navigating Online Threats - Website Security for Everyday Website Owners

Security Model

Page 54: Navigating Online Threats - Website Security for Everyday Website Owners

Confidentiality

Integrity Availability

Data kept private

Data not modified Systems Available

Model designed to help

you think about your

own security posture.

How much security

should you consider?

Page 55: Navigating Online Threats - Website Security for Everyday Website Owners

Managing the security of your website is not a Do It Yourself (DIY) project. If what was discussed here is foreign to

you, then it’s a good time to seek professional help.

Page 56: Navigating Online Threats - Website Security for Everyday Website Owners

“Security is not a singular event or action, but rather a series of events and actions. It begins with good posture and the responsibility begins

and stops with you.

- Tony Perez | Sucuri

Page 57: Navigating Online Threats - Website Security for Everyday Website Owners

Thank You

Page 58: Navigating Online Threats - Website Security for Everyday Website Owners

@perezbox | @sucuri_security | http://perezbox.com

Tony Perez