SlideShare a Scribd company logo

Website Security - It Begins With Good Posture

Download as PPTX, PDF
Tony Perez
Tony Perez
TechnologyNews & Politics
1 of 49
It Starts With Good Posture Website Security (WordPress)
@PEREZBOX • Sucuri, Inc. – @sucuri_security – @sucurisupport – @sucurilabs – @perezbox • Specialization: – Website Security – Incident Handling • Special Interests: – Brazilian JiuJitsu 6/9/2014 Tony Perez | @perezbox | @sucuri_security 2
• Website Security Company • Global Operations • Platform Agnostic (i.e., WordPress, Joomla, etc..) • Scan 2M Unique Domains a Month • Block 4M web attacks a Month • Remediate 400 – 500 websites a day • Signature / Heuristic Based • 24/7 operations 6/9/2014 Tony Perez | @perezbox | @sucuri_security 3
Statistics 6/9/2014 Tony Perez | @perezbox | @sucuri_security 4
Anatomy of Malicious Websites Malicious Websites Legitimate Websites 6/9/2014 Tony Perez | @perezbox | @sucuri_security 5
Legitimate Websites Not-Exploitable Exploitable 6/9/2014 Tony Perez | @perezbox | @sucuri_security 6 1 in 8 - Critical Vulnerability
Hacks Affecting Users 6/9/2014 Tony Perez | @perezbox | @sucuri_security 7
Top 4 Symptoms 6/9/2014 Tony Perez | @perezbox | @sucuri_security 8 • Malicious Redirects (i.e., abuse your traffic) • Backdoors (i.e., Bypass Access Controls) • Phishing (i.e., Spear Phishing Campaigns) • Search Engine Poisoning (i.e., Pharma, etc…) ….. Obviously many more, but these are the most prevalent…
Malicious Redirect @perezbox | @sucuri_security
Malicious Redirects • Easy / Medium to Detect – Be mindful of conditionals • Looking for Integrity Issues – Has something been modified? • Common location[s]: – .htaccess – Index.php – Footer.php – Header.php • Biggest Issue – Redirectors are becoming highly complex – Employing heavy conditional elements @perezbox | @sucuri_security
Phishing @perezbox | @sucuri_security
Phishing, Cntd.. • Difficult to Detect Remotely • Looking for Integrity Issues – Is something somewhere it doesn’t belong? • Common location[s]: – WP-Includes – Theme Directories • Biggest Issue – It can be anywhere – Fully contained @perezbox | @sucuri_security
Backdoors @perezbox | @sucuri_security
Backdoors, cntd… • Can’t detect remotely, only locally • Looking for Integrity Issues – Is something somewhere it doesn’t belong? • Common location[s]: – WP-Includes – Root Directory • Biggest Issue – Allows attacker to bypass your access controls – Provides full control of the environment @perezbox | @sucuri_security • Common terms: – Is_bot – Eval – Base64_decode – Fopen – Fclose – readfile – Edoced_46esad – Exec – System – Shell_exec – Gzuncompress – popen – FilesMan grep -RPl --include=*.{php} "(system|exec|passthru|shell_exec|base64_decode|eval|) *(" /var/www
Example of Complexity @perezbox | @sucuri_security
Search Engine Poisoning @perezbox | @sucuri_security
Search Engine Poisoning, cntd.. • Targets Search Engines (i.e., Google, Bing, Yahoo) • Looking for Integrity Issues – Have your posts / pages been modified? • Common location[s]: – Index.php (root, theme, plugins, etc..) – Header.php – Footer.php – Embedded in Database (Posts / Pages) • Biggest Issue – Continuous to evolve – Highly conditional – Not within visible range – often offscreen @perezbox | @sucuri_security
Indicators of a Hack Search Engines have gotten pretty good at detecting issues – Google blacklists over 10 thousand websites a day. @perezbox | @sucuri_security
Anatomy of Attacks 6/9/2014 Tony Perez | @perezbox | @sucuri_security 19
Phase of an Attack 6/9/2014 Tony Perez | @perezbox | @sucuri_security 20  Use for malware?  Pat of a zombie network?  Data breach? What kind of website do you have?
Automated Attacks 6/9/2014 Tony Perez | @perezbox | @sucuri_security 21  Exploiting Access Control
Distribution Mechanism 6/9/2014 Tony Perez | @perezbox | @sucuri_security 22
There’s a Tool for that • Malware as a Service (MaaS) – Yes, pay someone to hack for you • Different tools to break in and generate payloads – Brute force and vulnerability exploits Malware Payloads 6/9/2014 Tony Perez | @perezbox | @sucuri_security 23
Why? 6/9/2014 Tony Perez | @perezbox | @sucuri_security 24
Happening To Everyone 6/9/2014 Tony Perez | @perezbox | @sucuri_security 25
It’s About Posture 6/9/2014 Tony Perez | @perezbox | @sucuri_security 26
Begins with Posture 6/9/2014 Tony Perez | @perezbox | @sucuri_security 27 Posture Risk “Risk will never be zero, but it can be reduced”
It’s About Good Posture 6/9/2014 Tony Perez | @perezbox | @sucuri_security 28
Layered Defenses 6/9/2014 Tony Perez | @perezbox | @sucuri_security 29 Protection Auditing Detection Sustainment
Defense in Depth “…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…” 6/9/2014 Tony Perez | @perezbox | @sucuri_security 30
Access – P@ssw0rd • Passwords 6/9/2014 Tony Perez | @perezbox | @sucuri_security 31 Complex – Long - Unique
Enforce Strong Credentials 6/9/2014 Tony Perez | @perezbox | @sucuri_security 32
Auditing (Monitor Activity) 6/9/2014 Tony Perez | @perezbox | @sucuri_security 33
Auditing Questions 6/9/2014 Tony Perez | @perezbox | @sucuri_security | #JoomlaDayAtlanta 34 • Understand what is going on at all time – Who is logging in? – Who is trying to log in? – What files are changing? – Has a post been created? – Has a page been created? – Are there any integrity issues?
Principle of Least Privileged “requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.” 6/9/2014 Tony Perez | @perezbox | @sucuri_security 35
Understand Your Roles 6/9/2014 Tony Perez | @perezbox | @sucuri_security 36
Hardening – Kill PHP 6/9/2014 Tony Perez | @perezbox | @sucuri_security 37  PHP Execution, disable it:  /wp-includes  /wp-content ▪ /themes ▪ /plugins ▪ /uploads <Files *.php> Deny from all </Files>
Disable Plugin / Theme Editor • WP-CONFIG File Modification #Disable Plugin / Theme Editor Define(‘DISALLOW_FILE_EDIT’,true); 6/9/2014 Tony Perez | @perezbox | @sucuri_security 38
Brute Force Attacks 6/9/2014 Tony Perez | @perezbox | @sucuri_security 39
Backups – It’s Your Safety Net 6/9/2014 Tony Perez | @perezbox | @sucuri_security 40
Software Vulnerabilities • Stay current with the latest vulnerabilities: – Secure - http://wordpress.org/plugins/secure/ 6/9/2014 Tony Perez | @perezbox | @sucuri_security 41
Stay Current (Update) 6/9/2014 Tony Perez | @perezbox | @sucuri_security 42
Website Firewalls 6/9/2014 Tony Perez | @perezbox | @sucuri_security 43 • Stay ahead of Software Vulnerabilities
Ensure Integrity of Connection 6/9/2014 Tony Perez | @perezbox | @sucuri_security 44 • https://www.getcloak.com/ | @getcloak
Google Webmaster 6/9/2014 Tony Perez | @perezbox | @sucuri_security 45
Simple Steps to Reduce Risk 1. Employ Website Firewall 2. Don’t let WordPress write to itself 3. Filter Access by IP 4. Use a dedicated server / VPS 5. Monitor all Activity (Logging) 6. Enable SSL for transactions 7. Keep environment current (patched) 8. No Soup Kitchen Servers 6/9/2014 Tony Perez | @perezbox | @sucuri_security 46 1. Connect Securely – SFTP / SSH 2. Authentication Keys / wp- config 3. Use Trusted Sources 4. Use a local Antivirus – MAC too 5. Permissions - D 755 | F 644 6. Least Privileged Principles 7. Accountability 8. Backups – Include Database Ideal implementations:The Bare Minimum:
Notable Resources Name Tool Sucuri Blog http://blog.sucuri.net Sucuri TV http://sucuri.tv Malware Scanner http://sitecheck.sucuri.net Malware Scanner http://unmaskparasites.com Badware Busters https://badwarebusters.org Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked- sites Google Webmaster Tools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633 Secunia Security Advisories http://secunia.com/community/advisories/search/?search=wordpress Exploit-DB http://www.exploit- db.com/search/?action=search&filter_description=Wordpress&filter_platform=31 WordPress Hacked FAQ http://codex.wordpress.org/FAQ_My_site_was_hacked WordPress Hardening http://codex.wordpress.org/Hardening_WordPress 6/9/2014 Tony Perez | @perezbox | @sucuri_security 47
Dealing with a Hack 6/9/2014 Tony Perez | @perezbox | @sucuri_security 48 Dealing with Malware http://blog.sucuri.net/2012/10/dealing-with-todays- wordpress-malware.html Leveraging Google Webmaster Tools http://www.unmaskparasites.com/malware- warning-guide/ Google Webmaster Tools (Hacked) http://www.google.com/webmasters/hacked/ Understanding Google’s Blacklists http://blog.sucuri.net/2013/11/understanding- googles-blacklist-cleaning-your-hacked-website-and- removing-from-blacklist.html Clearing Your Website with Free Scanner http://blog.sucuri.net/2013/10/cleaning-up-your- wordpress-site-with-the-free-sucuri-plugin.html WordPress Tips & Tricks http://blog.sucuri.net/2012/07/website-malware- removal-wordpress-tips-tricks.html
Sucuri, Inc. Tony Perez http://sucuri.net http://blog.sucuri.net @perezbox | @sucuri_security @sucurilabs | @sucurisupport 6/9/2014 Tony Perez | @perezbox | @sucuri_security 49

Recommended

WordPress Security Begins With Good Posture
WordPress Security Begins With Good PostureWordPress Security Begins With Good Posture
WordPress Security Begins With Good PostureTony Perez
 
Hacked - What do you do now?
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?Tony Perez
 
WordPress Security - Learning From Hacks
WordPress Security - Learning From HacksWordPress Security - Learning From Hacks
WordPress Security - Learning From HacksTony Perez
 
WordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityWordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityTony Perez
 
Steps to Keep Your Site Clean
Steps to Keep Your Site CleanSteps to Keep Your Site Clean
Steps to Keep Your Site CleanSucuri
 
Navigating Online Threats - Website Security for Everyday Website Owners
Navigating Online Threats - Website Security for Everyday Website OwnersNavigating Online Threats - Website Security for Everyday Website Owners
Navigating Online Threats - Website Security for Everyday Website OwnersTony Perez
 
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTony Perez
 
Sucuri Webinar: What is SEO Spam and How to Fight It
Sucuri Webinar: What is SEO Spam and How to Fight ItSucuri Webinar: What is SEO Spam and How to Fight It
Sucuri Webinar: What is SEO Spam and How to Fight ItSucuri
 

Recommended

WordPress Security Begins With Good Posture
WordPress Security Begins With Good PostureWordPress Security Begins With Good Posture
WordPress Security Begins With Good PostureTony Perez
 
Hacked - What do you do now?
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?Tony Perez
 
WordPress Security - Learning From Hacks
WordPress Security - Learning From HacksWordPress Security - Learning From Hacks
WordPress Security - Learning From HacksTony Perez
 
WordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityWordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityTony Perez
 
Steps to Keep Your Site Clean
Steps to Keep Your Site CleanSteps to Keep Your Site Clean
Steps to Keep Your Site CleanSucuri
 
Navigating Online Threats - Website Security for Everyday Website Owners
Navigating Online Threats - Website Security for Everyday Website OwnersNavigating Online Threats - Website Security for Everyday Website Owners
Navigating Online Threats - Website Security for Everyday Website OwnersTony Perez
 
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTony Perez
 
Sucuri Webinar: What is SEO Spam and How to Fight It
Sucuri Webinar: What is SEO Spam and How to Fight ItSucuri Webinar: What is SEO Spam and How to Fight It
Sucuri Webinar: What is SEO Spam and How to Fight ItSucuri
 
Sucuri Webinar: Website Security Primer for Digital Marketers
Sucuri Webinar: Website Security Primer for Digital MarketersSucuri Webinar: Website Security Primer for Digital Marketers
Sucuri Webinar: Website Security Primer for Digital MarketersSucuri
 
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit Guide
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit GuideSucuri Webinar: WAF (Firewall) and CDN Feature Benefit Guide
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit GuideSucuri
 
Why Do Hackers Hack?
Why Do Hackers Hack?Why Do Hackers Hack?
Why Do Hackers Hack?Sucuri
 
Sucuri Webinar: How Websites Get Hacked
Sucuri Webinar: How Websites Get HackedSucuri Webinar: How Websites Get Hacked
Sucuri Webinar: How Websites Get HackedSucuri
 
Sucuri Webinar: How Caching Options Can Impact Your Website Speed
Sucuri Webinar: How Caching Options Can Impact Your Website SpeedSucuri Webinar: How Caching Options Can Impact Your Website Speed
Sucuri Webinar: How Caching Options Can Impact Your Website SpeedSucuri
 
Sucuri Webinar: How to clean hacked WordPress sites
Sucuri Webinar: How to clean hacked WordPress sitesSucuri Webinar: How to clean hacked WordPress sites
Sucuri Webinar: How to clean hacked WordPress sitesSucuri
 
Sucuri Webinar: Simple Steps To Secure Your Online Store
Sucuri Webinar: Simple Steps To Secure Your Online StoreSucuri Webinar: Simple Steps To Secure Your Online Store
Sucuri Webinar: Simple Steps To Secure Your Online StoreSucuri
 
The 7 Deadly Sins of WordPress Security
The 7 Deadly Sins of WordPress SecurityThe 7 Deadly Sins of WordPress Security
The 7 Deadly Sins of WordPress SecurityJoseph Herbrandson
 
Sucuri Webinar: Leveraging Sucuri's API
Sucuri Webinar: Leveraging Sucuri's APISucuri Webinar: Leveraging Sucuri's API
Sucuri Webinar: Leveraging Sucuri's APISucuri
 
What Are the Most Common Types of Hacks?
What Are the Most Common Types of Hacks?What Are the Most Common Types of Hacks?
What Are the Most Common Types of Hacks?Sucuri
 
The Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageThe Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageJan Schaumann
 
Online Privacy: A Customer's Perspective
Online Privacy: A Customer's PerspectiveOnline Privacy: A Customer's Perspective
Online Privacy: A Customer's Perspectivekumar641
 
Webinar: Personal Online Privacy - Sucuri Security
Webinar: Personal Online Privacy - Sucuri SecurityWebinar: Personal Online Privacy - Sucuri Security
Webinar: Personal Online Privacy - Sucuri SecuritySucuri
 
DevSecOps - a 2 year journey of success & failure!
DevSecOps - a 2 year journey of success & failure!DevSecOps - a 2 year journey of success & failure!
DevSecOps - a 2 year journey of success & failure!Stu Hirst
 
Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Stu Hirst
 
Word camp orange county 2012 enduser security
Word camp orange county 2012 enduser securityWord camp orange county 2012 enduser security
Word camp orange county 2012 enduser securityTony Perez
 
WP Security - Master Class #SMWLagos2014
WP Security - Master Class #SMWLagos2014WP Security - Master Class #SMWLagos2014
WP Security - Master Class #SMWLagos2014sabinovates
 
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...mdevtalk
 
WCEU 2016 - 10 tips to sleep better at night
WCEU 2016 - 10 tips to sleep better at nightWCEU 2016 - 10 tips to sleep better at night
WCEU 2016 - 10 tips to sleep better at nightMaurizio Pelizzone
 
WPSecurity best practices of securing a word press website
WPSecurity best practices of securing a word press websiteWPSecurity best practices of securing a word press website
WPSecurity best practices of securing a word press websiteDeola Kayode
 
Slowcooked wp
Slowcooked wpSlowcooked wp
Slowcooked wpjoshfeck
 
Wcoc preso
Wcoc presoWcoc preso
Wcoc presoAlex Vasquez
 

More Related Content

What's hot

Sucuri Webinar: Website Security Primer for Digital Marketers
Sucuri Webinar: Website Security Primer for Digital MarketersSucuri Webinar: Website Security Primer for Digital Marketers
Sucuri Webinar: Website Security Primer for Digital MarketersSucuri
 
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit Guide
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit GuideSucuri Webinar: WAF (Firewall) and CDN Feature Benefit Guide
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit GuideSucuri
 
Why Do Hackers Hack?
Why Do Hackers Hack?Why Do Hackers Hack?
Why Do Hackers Hack?Sucuri
 
Sucuri Webinar: How Websites Get Hacked
Sucuri Webinar: How Websites Get HackedSucuri Webinar: How Websites Get Hacked
Sucuri Webinar: How Websites Get HackedSucuri
 
Sucuri Webinar: How Caching Options Can Impact Your Website Speed
Sucuri Webinar: How Caching Options Can Impact Your Website SpeedSucuri Webinar: How Caching Options Can Impact Your Website Speed
Sucuri Webinar: How Caching Options Can Impact Your Website SpeedSucuri
 
Sucuri Webinar: How to clean hacked WordPress sites
Sucuri Webinar: How to clean hacked WordPress sitesSucuri Webinar: How to clean hacked WordPress sites
Sucuri Webinar: How to clean hacked WordPress sitesSucuri
 
Sucuri Webinar: Simple Steps To Secure Your Online Store
Sucuri Webinar: Simple Steps To Secure Your Online StoreSucuri Webinar: Simple Steps To Secure Your Online Store
Sucuri Webinar: Simple Steps To Secure Your Online StoreSucuri
 
The 7 Deadly Sins of WordPress Security
The 7 Deadly Sins of WordPress SecurityThe 7 Deadly Sins of WordPress Security
The 7 Deadly Sins of WordPress SecurityJoseph Herbrandson
 
Sucuri Webinar: Leveraging Sucuri's API
Sucuri Webinar: Leveraging Sucuri's APISucuri Webinar: Leveraging Sucuri's API
Sucuri Webinar: Leveraging Sucuri's APISucuri
 
What Are the Most Common Types of Hacks?
What Are the Most Common Types of Hacks?What Are the Most Common Types of Hacks?
What Are the Most Common Types of Hacks?Sucuri
 
The Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageThe Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageJan Schaumann
 
Online Privacy: A Customer's Perspective
Online Privacy: A Customer's PerspectiveOnline Privacy: A Customer's Perspective
Online Privacy: A Customer's Perspectivekumar641
 
Webinar: Personal Online Privacy - Sucuri Security
Webinar: Personal Online Privacy - Sucuri SecurityWebinar: Personal Online Privacy - Sucuri Security
Webinar: Personal Online Privacy - Sucuri SecuritySucuri
 
DevSecOps - a 2 year journey of success & failure!
DevSecOps - a 2 year journey of success & failure!DevSecOps - a 2 year journey of success & failure!
DevSecOps - a 2 year journey of success & failure!Stu Hirst
 
Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Stu Hirst
 
Word camp orange county 2012 enduser security
Word camp orange county 2012 enduser securityWord camp orange county 2012 enduser security
Word camp orange county 2012 enduser securityTony Perez
 
WP Security - Master Class #SMWLagos2014
WP Security - Master Class #SMWLagos2014WP Security - Master Class #SMWLagos2014
WP Security - Master Class #SMWLagos2014sabinovates
 
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...mdevtalk
 
WCEU 2016 - 10 tips to sleep better at night
WCEU 2016 - 10 tips to sleep better at nightWCEU 2016 - 10 tips to sleep better at night
WCEU 2016 - 10 tips to sleep better at nightMaurizio Pelizzone
 
WPSecurity best practices of securing a word press website
WPSecurity best practices of securing a word press websiteWPSecurity best practices of securing a word press website
WPSecurity best practices of securing a word press websiteDeola Kayode
 

What's hot (20)

Sucuri Webinar: Website Security Primer for Digital Marketers
Sucuri Webinar: Website Security Primer for Digital MarketersSucuri Webinar: Website Security Primer for Digital Marketers
Sucuri Webinar: Website Security Primer for Digital Marketers
 
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit Guide
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit GuideSucuri Webinar: WAF (Firewall) and CDN Feature Benefit Guide
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit Guide
 
Why Do Hackers Hack?
Why Do Hackers Hack?Why Do Hackers Hack?
Why Do Hackers Hack?
 
Sucuri Webinar: How Websites Get Hacked
Sucuri Webinar: How Websites Get HackedSucuri Webinar: How Websites Get Hacked
Sucuri Webinar: How Websites Get Hacked
 
Sucuri Webinar: How Caching Options Can Impact Your Website Speed
Sucuri Webinar: How Caching Options Can Impact Your Website SpeedSucuri Webinar: How Caching Options Can Impact Your Website Speed
Sucuri Webinar: How Caching Options Can Impact Your Website Speed
 
Sucuri Webinar: How to clean hacked WordPress sites
Sucuri Webinar: How to clean hacked WordPress sitesSucuri Webinar: How to clean hacked WordPress sites
Sucuri Webinar: How to clean hacked WordPress sites
 
Sucuri Webinar: Simple Steps To Secure Your Online Store
Sucuri Webinar: Simple Steps To Secure Your Online StoreSucuri Webinar: Simple Steps To Secure Your Online Store
Sucuri Webinar: Simple Steps To Secure Your Online Store
 
The 7 Deadly Sins of WordPress Security
The 7 Deadly Sins of WordPress SecurityThe 7 Deadly Sins of WordPress Security
The 7 Deadly Sins of WordPress Security
 
Sucuri Webinar: Leveraging Sucuri's API
Sucuri Webinar: Leveraging Sucuri's APISucuri Webinar: Leveraging Sucuri's API
Sucuri Webinar: Leveraging Sucuri's API
 
What Are the Most Common Types of Hacks?
What Are the Most Common Types of Hacks?What Are the Most Common Types of Hacks?
What Are the Most Common Types of Hacks?
 
The Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageThe Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS Baggage
 
Online Privacy: A Customer's Perspective
Online Privacy: A Customer's PerspectiveOnline Privacy: A Customer's Perspective
Online Privacy: A Customer's Perspective
 
Webinar: Personal Online Privacy - Sucuri Security
Webinar: Personal Online Privacy - Sucuri SecurityWebinar: Personal Online Privacy - Sucuri Security
Webinar: Personal Online Privacy - Sucuri Security
 
DevSecOps - a 2 year journey of success & failure!
DevSecOps - a 2 year journey of success & failure!DevSecOps - a 2 year journey of success & failure!
DevSecOps - a 2 year journey of success & failure!
 
Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016
 
Word camp orange county 2012 enduser security
Word camp orange county 2012 enduser securityWord camp orange county 2012 enduser security
Word camp orange county 2012 enduser security
 
WP Security - Master Class #SMWLagos2014
WP Security - Master Class #SMWLagos2014WP Security - Master Class #SMWLagos2014
WP Security - Master Class #SMWLagos2014
 
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
 
WCEU 2016 - 10 tips to sleep better at night
WCEU 2016 - 10 tips to sleep better at nightWCEU 2016 - 10 tips to sleep better at night
WCEU 2016 - 10 tips to sleep better at night
 
WPSecurity best practices of securing a word press website
WPSecurity best practices of securing a word press websiteWPSecurity best practices of securing a word press website
WPSecurity best practices of securing a word press website
 

Viewers also liked

Slowcooked wp
Slowcooked wpSlowcooked wp
Slowcooked wpjoshfeck
 
BuddyPress Presentation - WCPhilly
BuddyPress Presentation - WCPhillyBuddyPress Presentation - WCPhilly
BuddyPress Presentation - WCPhillyTimothy F McKenna
 
Take the next step with git
Take the next step with gitTake the next step with git
Take the next step with gitKarin Taliga
 
CSI: WordPress -- Getting Into the Guts
CSI: WordPress -- Getting Into the GutsCSI: WordPress -- Getting Into the Guts
CSI: WordPress -- Getting Into the GutsDougal Campbell
 
Ten Things You Should Know About WordPress
Ten Things You Should Know About WordPressTen Things You Should Know About WordPress
Ten Things You Should Know About WordPresssereedmedia
 
Maintaining Retainers as a WordPress Developer
Maintaining Retainers as a WordPress DeveloperMaintaining Retainers as a WordPress Developer
Maintaining Retainers as a WordPress DeveloperDevinVinson
 
Word Camp Philly 2014: Good Content
Word Camp Philly 2014: Good ContentWord Camp Philly 2014: Good Content
Word Camp Philly 2014: Good ContentVicki Boykis
 
Scoping and Estimating WordPress Projects as an Agency
Scoping and Estimating WordPress Projects as an AgencyScoping and Estimating WordPress Projects as an Agency
Scoping and Estimating WordPress Projects as an AgencyKara Hansen
 
Design and Development Techniques for Accessibility: WordCamp Tampa 2015
Design and Development Techniques for Accessibility: WordCamp Tampa 2015Design and Development Techniques for Accessibility: WordCamp Tampa 2015
Design and Development Techniques for Accessibility: WordCamp Tampa 2015Robert Jolly
 
WordCamp Milwaukee 2012: Learning from the WordPress sites
WordCamp Milwaukee 2012: Learning from the WordPress sitesWordCamp Milwaukee 2012: Learning from the WordPress sites
WordCamp Milwaukee 2012: Learning from the WordPress sitesMichael McCallister
 
WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011Dre Armeda
 
Reduzindo Tempo de Resposta do Servidor - WordCamp BH 2014
Reduzindo Tempo de Resposta do Servidor - WordCamp BH 2014Reduzindo Tempo de Resposta do Servidor - WordCamp BH 2014
Reduzindo Tempo de Resposta do Servidor - WordCamp BH 2014Celso Fernandes
 
Acessibilidade Web agora é obrigatória. Estamos preparados?
Acessibilidade Web agora é obrigatória. Estamos preparados?Acessibilidade Web agora é obrigatória. Estamos preparados?
Acessibilidade Web agora é obrigatória. Estamos preparados?Hans Mösl
 
WordPress Security & Backups 101
WordPress Security & Backups 101WordPress Security & Backups 101
WordPress Security & Backups 101Maeve Lander
 
Writing Your First Plugin - WordCamp Milwaukee 2012
Writing Your First Plugin - WordCamp Milwaukee 2012Writing Your First Plugin - WordCamp Milwaukee 2012
Writing Your First Plugin - WordCamp Milwaukee 2012bradparbs
 
WordPress per giornalisti freelance
WordPress per giornalisti freelance WordPress per giornalisti freelance
WordPress per giornalisti freelance GGDBologna
 
Como oferecer boas experiências online com a criação de sites de qualidade - ...
Como oferecer boas experiências online com a criação de sites de qualidade - ...Como oferecer boas experiências online com a criação de sites de qualidade - ...
Como oferecer boas experiências online com a criação de sites de qualidade - ...Keyla Silva
 
Website Performance, Engagement, and Leads
Website Performance, Engagement, and LeadsWebsite Performance, Engagement, and Leads
Website Performance, Engagement, and LeadsTrust EMedia
 
WordCamp Milwaukee 2012 - Contributing to Open Source
WordCamp Milwaukee 2012 - Contributing to Open SourceWordCamp Milwaukee 2012 - Contributing to Open Source
WordCamp Milwaukee 2012 - Contributing to Open Sourcejclermont
 

Viewers also liked (20)

Slowcooked wp
Slowcooked wpSlowcooked wp
Slowcooked wp
 
Wcoc preso
Wcoc presoWcoc preso
Wcoc preso
 
BuddyPress Presentation - WCPhilly
BuddyPress Presentation - WCPhillyBuddyPress Presentation - WCPhilly
BuddyPress Presentation - WCPhilly
 
Take the next step with git
Take the next step with gitTake the next step with git
Take the next step with git
 
CSI: WordPress -- Getting Into the Guts
CSI: WordPress -- Getting Into the GutsCSI: WordPress -- Getting Into the Guts
CSI: WordPress -- Getting Into the Guts
 
Ten Things You Should Know About WordPress
Ten Things You Should Know About WordPressTen Things You Should Know About WordPress
Ten Things You Should Know About WordPress
 
Maintaining Retainers as a WordPress Developer
Maintaining Retainers as a WordPress DeveloperMaintaining Retainers as a WordPress Developer
Maintaining Retainers as a WordPress Developer
 
Word Camp Philly 2014: Good Content
Word Camp Philly 2014: Good ContentWord Camp Philly 2014: Good Content
Word Camp Philly 2014: Good Content
 
Scoping and Estimating WordPress Projects as an Agency
Scoping and Estimating WordPress Projects as an AgencyScoping and Estimating WordPress Projects as an Agency
Scoping and Estimating WordPress Projects as an Agency
 
Design and Development Techniques for Accessibility: WordCamp Tampa 2015
Design and Development Techniques for Accessibility: WordCamp Tampa 2015Design and Development Techniques for Accessibility: WordCamp Tampa 2015
Design and Development Techniques for Accessibility: WordCamp Tampa 2015
 
WordCamp Milwaukee 2012: Learning from the WordPress sites
WordCamp Milwaukee 2012: Learning from the WordPress sitesWordCamp Milwaukee 2012: Learning from the WordPress sites
WordCamp Milwaukee 2012: Learning from the WordPress sites
 
WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011
 
Reduzindo Tempo de Resposta do Servidor - WordCamp BH 2014
Reduzindo Tempo de Resposta do Servidor - WordCamp BH 2014Reduzindo Tempo de Resposta do Servidor - WordCamp BH 2014
Reduzindo Tempo de Resposta do Servidor - WordCamp BH 2014
 
Acessibilidade Web agora é obrigatória. Estamos preparados?
Acessibilidade Web agora é obrigatória. Estamos preparados?Acessibilidade Web agora é obrigatória. Estamos preparados?
Acessibilidade Web agora é obrigatória. Estamos preparados?
 
WordPress Security & Backups 101
WordPress Security & Backups 101WordPress Security & Backups 101
WordPress Security & Backups 101
 
Writing Your First Plugin - WordCamp Milwaukee 2012
Writing Your First Plugin - WordCamp Milwaukee 2012Writing Your First Plugin - WordCamp Milwaukee 2012
Writing Your First Plugin - WordCamp Milwaukee 2012
 
WordPress per giornalisti freelance
WordPress per giornalisti freelance WordPress per giornalisti freelance
WordPress per giornalisti freelance
 
Como oferecer boas experiências online com a criação de sites de qualidade - ...
Como oferecer boas experiências online com a criação de sites de qualidade - ...Como oferecer boas experiências online com a criação de sites de qualidade - ...
Como oferecer boas experiências online com a criação de sites de qualidade - ...
 
Website Performance, Engagement, and Leads
Website Performance, Engagement, and LeadsWebsite Performance, Engagement, and Leads
Website Performance, Engagement, and Leads
 
WordCamp Milwaukee 2012 - Contributing to Open Source
WordCamp Milwaukee 2012 - Contributing to Open SourceWordCamp Milwaukee 2012 - Contributing to Open Source
WordCamp Milwaukee 2012 - Contributing to Open Source
 

Similar to Website Security - It Begins With Good Posture

WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri SecurityWordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri SecurityTony Perez
 
Website Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the BasicsWebsite Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the BasicsTony Perez
 
Website Security - Latest and Greatest (WordPress 2014)
Website Security - Latest and Greatest (WordPress 2014)Website Security - Latest and Greatest (WordPress 2014)
Website Security - Latest and Greatest (WordPress 2014)Tony Perez
 
WordPress Website Security - Trends, Threats, Defenses
WordPress Website Security - Trends, Threats, DefensesWordPress Website Security - Trends, Threats, Defenses
WordPress Website Security - Trends, Threats, DefensesTony Perez
 
Navigating the Security Landscape
Navigating the Security LandscapeNavigating the Security Landscape
Navigating the Security LandscapeSucuri
 
Joomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The BasicsJoomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The BasicsTony Perez
 
Word press website security
Word press website securityWord press website security
Word press website securityTony Perez
 
ApacheCon 2015: Community building the open source way
ApacheCon 2015: Community building the open source wayApacheCon 2015: Community building the open source way
ApacheCon 2015: Community building the open source wayRikki Endsley
 
NIC 2017 - Attack and detection in Windows Environments
NIC 2017 - Attack and detection in Windows EnvironmentsNIC 2017 - Attack and detection in Windows Environments
NIC 2017 - Attack and detection in Windows EnvironmentsOddvar Moe
 
Top 18 azure security fails and how to avoid them
Top 18 azure security fails and how to avoid themTop 18 azure security fails and how to avoid them
Top 18 azure security fails and how to avoid themKarl Ots
 
The New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesThe New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesMajor Hayden
 
Add Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery PipelineAdd Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery PipelineGene Gotimer
 
Delivery Patterns for Rapid and Reliable Releases @ JAX DevOps London (May 2019)
Delivery Patterns for Rapid and Reliable Releases @ JAX DevOps London (May 2019)Delivery Patterns for Rapid and Reliable Releases @ JAX DevOps London (May 2019)
Delivery Patterns for Rapid and Reliable Releases @ JAX DevOps London (May 2019)Manuel Pais
 
Rv defcon25 osint tactics on source code intelligence - simon roses
Rv defcon25 osint tactics on source code intelligence - simon rosesRv defcon25 osint tactics on source code intelligence - simon roses
Rv defcon25 osint tactics on source code intelligence - simon rosesreconvillage
 
Privacy. Winter School on “Topics in Digital Trust”. IIT Bombay
Privacy. Winter School on “Topics in Digital Trust”. IIT BombayPrivacy. Winter School on “Topics in Digital Trust”. IIT Bombay
Privacy. Winter School on “Topics in Digital Trust”. IIT BombayIIIT Hyderabad
 
Delivery patterns for rapid and reliable releases (All Day DevOps 2018)
Delivery patterns for rapid and reliable releases (All Day DevOps 2018)Delivery patterns for rapid and reliable releases (All Day DevOps 2018)
Delivery patterns for rapid and reliable releases (All Day DevOps 2018)Manuel Pais
 
Good Help is Hard to Find
Good Help is Hard to FindGood Help is Hard to Find
Good Help is Hard to FindElaine Meyer
 
Social Media for Academic Research
Social Media for Academic ResearchSocial Media for Academic Research
Social Media for Academic ResearchADEIL / FSB
 
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)PRISMA CSI
 
2018 Hacked Website Trends
2018 Hacked Website Trends2018 Hacked Website Trends
2018 Hacked Website TrendsSucuri
 

Similar to Website Security - It Begins With Good Posture (20)

WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri SecurityWordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
 
Website Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the BasicsWebsite Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the Basics
 
Website Security - Latest and Greatest (WordPress 2014)
Website Security - Latest and Greatest (WordPress 2014)Website Security - Latest and Greatest (WordPress 2014)
Website Security - Latest and Greatest (WordPress 2014)
 
WordPress Website Security - Trends, Threats, Defenses
WordPress Website Security - Trends, Threats, DefensesWordPress Website Security - Trends, Threats, Defenses
WordPress Website Security - Trends, Threats, Defenses
 
Navigating the Security Landscape
Navigating the Security LandscapeNavigating the Security Landscape
Navigating the Security Landscape
 
Joomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The BasicsJoomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The Basics
 
Word press website security
Word press website securityWord press website security
Word press website security
 
ApacheCon 2015: Community building the open source way
ApacheCon 2015: Community building the open source wayApacheCon 2015: Community building the open source way
ApacheCon 2015: Community building the open source way
 
NIC 2017 - Attack and detection in Windows Environments
NIC 2017 - Attack and detection in Windows EnvironmentsNIC 2017 - Attack and detection in Windows Environments
NIC 2017 - Attack and detection in Windows Environments
 
Top 18 azure security fails and how to avoid them
Top 18 azure security fails and how to avoid themTop 18 azure security fails and how to avoid them
Top 18 azure security fails and how to avoid them
 
The New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesThe New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilities
 
Add Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery PipelineAdd Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery Pipeline
 
Delivery Patterns for Rapid and Reliable Releases @ JAX DevOps London (May 2019)
Delivery Patterns for Rapid and Reliable Releases @ JAX DevOps London (May 2019)Delivery Patterns for Rapid and Reliable Releases @ JAX DevOps London (May 2019)
Delivery Patterns for Rapid and Reliable Releases @ JAX DevOps London (May 2019)
 
Rv defcon25 osint tactics on source code intelligence - simon roses
Rv defcon25 osint tactics on source code intelligence - simon rosesRv defcon25 osint tactics on source code intelligence - simon roses
Rv defcon25 osint tactics on source code intelligence - simon roses
 
Privacy. Winter School on “Topics in Digital Trust”. IIT Bombay
Privacy. Winter School on “Topics in Digital Trust”. IIT BombayPrivacy. Winter School on “Topics in Digital Trust”. IIT Bombay
Privacy. Winter School on “Topics in Digital Trust”. IIT Bombay
 
Delivery patterns for rapid and reliable releases (All Day DevOps 2018)
Delivery patterns for rapid and reliable releases (All Day DevOps 2018)Delivery patterns for rapid and reliable releases (All Day DevOps 2018)
Delivery patterns for rapid and reliable releases (All Day DevOps 2018)
 
Good Help is Hard to Find
Good Help is Hard to FindGood Help is Hard to Find
Good Help is Hard to Find
 
Social Media for Academic Research
Social Media for Academic ResearchSocial Media for Academic Research
Social Media for Academic Research
 
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
 
2018 Hacked Website Trends
2018 Hacked Website Trends2018 Hacked Website Trends
2018 Hacked Website Trends
 

More from Tony Perez

A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersTony Perez
 
2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and SecurityTony Perez
 
Accounting for Website Security in Higher Education
Accounting for Website Security in Higher EducationAccounting for Website Security in Higher Education
Accounting for Website Security in Higher EducationTony Perez
 
Building a Security Framework for Websites
Building a Security Framework for WebsitesBuilding a Security Framework for Websites
Building a Security Framework for WebsitesTony Perez
 
Business of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote WorkforceBusiness of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote WorkforceTony Perez
 
WordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksWordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksTony Perez
 
WordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" VersionWordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" VersionTony Perez
 

More from Tony Perez (7)

A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website Owners
 
2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security
 
Accounting for Website Security in Higher Education
Accounting for Website Security in Higher EducationAccounting for Website Security in Higher Education
Accounting for Website Security in Higher Education
 
Building a Security Framework for Websites
Building a Security Framework for WebsitesBuilding a Security Framework for Websites
Building a Security Framework for Websites
 
Business of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote WorkforceBusiness of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote Workforce
 
WordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksWordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's Hacks
 
WordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" VersionWordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" Version
 

Recently uploaded

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Recently uploaded (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Website Security - It Begins With Good Posture

  • 1. It Starts With Good Posture Website Security (WordPress)
  • 2. @PEREZBOX • Sucuri, Inc. – @sucuri_security – @sucurisupport – @sucurilabs – @perezbox • Specialization: – Website Security – Incident Handling • Special Interests: – Brazilian JiuJitsu 6/9/2014 Tony Perez | @perezbox | @sucuri_security 2
  • 3. • Website Security Company • Global Operations • Platform Agnostic (i.e., WordPress, Joomla, etc..) • Scan 2M Unique Domains a Month • Block 4M web attacks a Month • Remediate 400 – 500 websites a day • Signature / Heuristic Based • 24/7 operations 6/9/2014 Tony Perez | @perezbox | @sucuri_security 3
  • 4. Statistics 6/9/2014 Tony Perez | @perezbox | @sucuri_security 4
  • 5. Anatomy of Malicious Websites Malicious Websites Legitimate Websites 6/9/2014 Tony Perez | @perezbox | @sucuri_security 5
  • 6. Legitimate Websites Not-Exploitable Exploitable 6/9/2014 Tony Perez | @perezbox | @sucuri_security 6 1 in 8 - Critical Vulnerability
  • 7. Hacks Affecting Users 6/9/2014 Tony Perez | @perezbox | @sucuri_security 7
  • 8. Top 4 Symptoms 6/9/2014 Tony Perez | @perezbox | @sucuri_security 8 • Malicious Redirects (i.e., abuse your traffic) • Backdoors (i.e., Bypass Access Controls) • Phishing (i.e., Spear Phishing Campaigns) • Search Engine Poisoning (i.e., Pharma, etc…) ….. Obviously many more, but these are the most prevalent…
  • 10. Malicious Redirects • Easy / Medium to Detect – Be mindful of conditionals • Looking for Integrity Issues – Has something been modified? • Common location[s]: – .htaccess – Index.php – Footer.php – Header.php • Biggest Issue – Redirectors are becoming highly complex – Employing heavy conditional elements @perezbox | @sucuri_security
  • 12. Phishing, Cntd.. • Difficult to Detect Remotely • Looking for Integrity Issues – Is something somewhere it doesn’t belong? • Common location[s]: – WP-Includes – Theme Directories • Biggest Issue – It can be anywhere – Fully contained @perezbox | @sucuri_security
  • 14. Backdoors, cntd… • Can’t detect remotely, only locally • Looking for Integrity Issues – Is something somewhere it doesn’t belong? • Common location[s]: – WP-Includes – Root Directory • Biggest Issue – Allows attacker to bypass your access controls – Provides full control of the environment @perezbox | @sucuri_security • Common terms: – Is_bot – Eval – Base64_decode – Fopen – Fclose – readfile – Edoced_46esad – Exec – System – Shell_exec – Gzuncompress – popen – FilesMan grep -RPl --include=*.{php} "(system|exec|passthru|shell_exec|base64_decode|eval|) *(" /var/www
  • 15. Example of Complexity @perezbox | @sucuri_security
  • 16. Search Engine Poisoning @perezbox | @sucuri_security
  • 17. Search Engine Poisoning, cntd.. • Targets Search Engines (i.e., Google, Bing, Yahoo) • Looking for Integrity Issues – Have your posts / pages been modified? • Common location[s]: – Index.php (root, theme, plugins, etc..) – Header.php – Footer.php – Embedded in Database (Posts / Pages) • Biggest Issue – Continuous to evolve – Highly conditional – Not within visible range – often offscreen @perezbox | @sucuri_security
  • 18. Indicators of a Hack Search Engines have gotten pretty good at detecting issues – Google blacklists over 10 thousand websites a day. @perezbox | @sucuri_security
  • 19. Anatomy of Attacks 6/9/2014 Tony Perez | @perezbox | @sucuri_security 19
  • 20. Phase of an Attack 6/9/2014 Tony Perez | @perezbox | @sucuri_security 20  Use for malware?  Pat of a zombie network?  Data breach? What kind of website do you have?
  • 21. Automated Attacks 6/9/2014 Tony Perez | @perezbox | @sucuri_security 21  Exploiting Access Control
  • 22. Distribution Mechanism 6/9/2014 Tony Perez | @perezbox | @sucuri_security 22
  • 23. There’s a Tool for that • Malware as a Service (MaaS) – Yes, pay someone to hack for you • Different tools to break in and generate payloads – Brute force and vulnerability exploits Malware Payloads 6/9/2014 Tony Perez | @perezbox | @sucuri_security 23
  • 24. Why? 6/9/2014 Tony Perez | @perezbox | @sucuri_security 24
  • 25. Happening To Everyone 6/9/2014 Tony Perez | @perezbox | @sucuri_security 25
  • 26. It’s About Posture 6/9/2014 Tony Perez | @perezbox | @sucuri_security 26
  • 27. Begins with Posture 6/9/2014 Tony Perez | @perezbox | @sucuri_security 27 Posture Risk “Risk will never be zero, but it can be reduced”
  • 28. It’s About Good Posture 6/9/2014 Tony Perez | @perezbox | @sucuri_security 28
  • 29. Layered Defenses 6/9/2014 Tony Perez | @perezbox | @sucuri_security 29 Protection Auditing Detection Sustainment
  • 30. Defense in Depth “…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…” 6/9/2014 Tony Perez | @perezbox | @sucuri_security 30
  • 31. Access – P@ssw0rd • Passwords 6/9/2014 Tony Perez | @perezbox | @sucuri_security 31 Complex – Long - Unique
  • 32. Enforce Strong Credentials 6/9/2014 Tony Perez | @perezbox | @sucuri_security 32
  • 33. Auditing (Monitor Activity) 6/9/2014 Tony Perez | @perezbox | @sucuri_security 33
  • 34. Auditing Questions 6/9/2014 Tony Perez | @perezbox | @sucuri_security | #JoomlaDayAtlanta 34 • Understand what is going on at all time – Who is logging in? – Who is trying to log in? – What files are changing? – Has a post been created? – Has a page been created? – Are there any integrity issues?
  • 35. Principle of Least Privileged “requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.” 6/9/2014 Tony Perez | @perezbox | @sucuri_security 35
  • 36. Understand Your Roles 6/9/2014 Tony Perez | @perezbox | @sucuri_security 36
  • 37. Hardening – Kill PHP 6/9/2014 Tony Perez | @perezbox | @sucuri_security 37  PHP Execution, disable it:  /wp-includes  /wp-content ▪ /themes ▪ /plugins ▪ /uploads <Files *.php> Deny from all </Files>
  • 38. Disable Plugin / Theme Editor • WP-CONFIG File Modification #Disable Plugin / Theme Editor Define(‘DISALLOW_FILE_EDIT’,true); 6/9/2014 Tony Perez | @perezbox | @sucuri_security 38
  • 39. Brute Force Attacks 6/9/2014 Tony Perez | @perezbox | @sucuri_security 39
  • 40. Backups – It’s Your Safety Net 6/9/2014 Tony Perez | @perezbox | @sucuri_security 40
  • 41. Software Vulnerabilities • Stay current with the latest vulnerabilities: – Secure - http://wordpress.org/plugins/secure/ 6/9/2014 Tony Perez | @perezbox | @sucuri_security 41
  • 42. Stay Current (Update) 6/9/2014 Tony Perez | @perezbox | @sucuri_security 42
  • 43. Website Firewalls 6/9/2014 Tony Perez | @perezbox | @sucuri_security 43 • Stay ahead of Software Vulnerabilities
  • 44. Ensure Integrity of Connection 6/9/2014 Tony Perez | @perezbox | @sucuri_security 44 • https://www.getcloak.com/ | @getcloak
  • 45. Google Webmaster 6/9/2014 Tony Perez | @perezbox | @sucuri_security 45
  • 46. Simple Steps to Reduce Risk 1. Employ Website Firewall 2. Don’t let WordPress write to itself 3. Filter Access by IP 4. Use a dedicated server / VPS 5. Monitor all Activity (Logging) 6. Enable SSL for transactions 7. Keep environment current (patched) 8. No Soup Kitchen Servers 6/9/2014 Tony Perez | @perezbox | @sucuri_security 46 1. Connect Securely – SFTP / SSH 2. Authentication Keys / wp- config 3. Use Trusted Sources 4. Use a local Antivirus – MAC too 5. Permissions - D 755 | F 644 6. Least Privileged Principles 7. Accountability 8. Backups – Include Database Ideal implementations:The Bare Minimum:
  • 47. Notable Resources Name Tool Sucuri Blog http://blog.sucuri.net Sucuri TV http://sucuri.tv Malware Scanner http://sitecheck.sucuri.net Malware Scanner http://unmaskparasites.com Badware Busters https://badwarebusters.org Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked- sites Google Webmaster Tools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633 Secunia Security Advisories http://secunia.com/community/advisories/search/?search=wordpress Exploit-DB http://www.exploit- db.com/search/?action=search&filter_description=Wordpress&filter_platform=31 WordPress Hacked FAQ http://codex.wordpress.org/FAQ_My_site_was_hacked WordPress Hardening http://codex.wordpress.org/Hardening_WordPress 6/9/2014 Tony Perez | @perezbox | @sucuri_security 47
  • 48. Dealing with a Hack 6/9/2014 Tony Perez | @perezbox | @sucuri_security 48 Dealing with Malware http://blog.sucuri.net/2012/10/dealing-with-todays- wordpress-malware.html Leveraging Google Webmaster Tools http://www.unmaskparasites.com/malware- warning-guide/ Google Webmaster Tools (Hacked) http://www.google.com/webmasters/hacked/ Understanding Google’s Blacklists http://blog.sucuri.net/2013/11/understanding- googles-blacklist-cleaning-your-hacked-website-and- removing-from-blacklist.html Clearing Your Website with Free Scanner http://blog.sucuri.net/2013/10/cleaning-up-your- wordpress-site-with-the-free-sucuri-plugin.html WordPress Tips & Tricks http://blog.sucuri.net/2012/07/website-malware- removal-wordpress-tips-tricks.html
  • 49. Sucuri, Inc. Tony Perez http://sucuri.net http://blog.sucuri.net @perezbox | @sucuri_security @sucurilabs | @sucurisupport 6/9/2014 Tony Perez | @perezbox | @sucuri_security 49