Navigating Online Threats - Website Security for Everyday Website Owners

Website Security via Sucuri

Navigating The Online Security Landscape

Roadmap to a Safe User

Experience

Tony Perez

@perezbox | @sucuri_security | http://perezbox.com | http://tonyonsecurity.com

@sucuri_security | https://sucuri.net

Who are we?

• Mitigate 50 million+ attacks a month.

• Scan over 3 million+ domains

• Respond to 500 + security incidents

• Secure 300,000 + websites like yours.

We clean and protect

websites, so you don't have

to.

Who am I?

❖ Work at Sucuri

❖ Website Security Professional

❖ Security blogger

❖ Business blogger

❖ Technology blogger

❖ and..

“As website owners we have a responsibility to 1)ensure that those that interact with our websites have a safe online experience and 2) to be good stewards of the internet by ensuring our websites

aren’t abusing it’s resources. ”

Tony Perez | Sucuri

Let’s build the foundation

from which we will understand

today’s threats.

Let’s Start With a Website

Environment

❖ Regardless of where the website lives, the environments

are complex.

❖ There are a number of interconnecting components that

make your website operate.

❖ It’s a combination of hardware and software, meshed

together, that brings it to life.

Your Blog

The Platform that Powers Your Blog

(e.g., WordPress, Joomla, Blogger)

The Web Server that Runs Your Platform

(e.g., Apache, NGINX, IIS)

Everything That Powers Your Web Server

(e.g., Linux, Windows, ASP, PHP, Databases)

Complexity does not begin to describe the various components required to

keep your website functional.

Granted not all things are equal…

Managed Environments

vs

Self-Hosted Environments

Types of Configurations

MANAGED

❖ wordpress.com

❖ squarespace.com

❖ wix.com

❖ tumbler.com

❖ rainmaker.com

SELF-HOSTED

❖ wordpress.org

❖ godaddy.com

❖ bluehost.com

❖ joomla.org

❖ dreamhost.com

Threats exist regardless of which approach you take. The difference, like most things in security, comes down to

your personal risk posture.

Website Attack Vectors

MANAGED

❖ Access Control

SELF-HOSTED

❖ Acces Control

❖ Exploitation of software

vulnerabilities

❖ Exploitation of web server

environment

Today’s Online Threats

The online landscape is diverse, and our websites are a critical piece of

that diversity.

Behavior

Why would anyone hack my website?

Your Audience !

Your Readers !

Your Resources!

Your Ranking!

1 - Economic Gain

2 - Hacktivism

3 - Boredom

Impacts to your

Website / Your Brand

Search Engine Poisoning

Search Engine Result

Pages (SERP) are our

prized possessions as

content creators.

It takes months, if not

years to build good

ranking. Yet, minutes to

lose and months to rebuild.

Drive By Downloads

Blacklisting

Defacements

What can we do?

Let’s Talk Security

“As a species, we are risk adverse when it comes to gain, but risk seeking when it comes to loss…”

- Bruce Scheier (BlackHat 2014)

Security is about risk

management; specifically

risk reduction not risk

elimination.

Security Begins with Good Posture

1 - Defense in Depth

2 - Access Control

3 - Software Vulnerabilities

Software vulnerabilities are

beyond most of our abilities.

Leverage a Website Firewall

(WAF).

4 - Good Administration

Good administration is so much

more than updates, but let’s start

there.

Security Model

Confidentiality

Integrity Availability

Data kept private

Data not modified Systems Available

Model designed to help

you think about your

own security posture.

How much security

should you consider?

Managing the security of your website is not a Do It Yourself (DIY) project. If what was discussed here is foreign to

you, then it’s a good time to seek professional help.

“Security is not a singular event or action, but rather a series of events and actions. It begins with good posture and the responsibility begins

and stops with you.

- Tony Perez | Sucuri

Thank You

@perezbox | @sucuri_security | http://perezbox.com

Tony Perez