Navigating the Security Landscape

Page 1: Navigating the Security Landscape

Navigating the Security Landscape

Tony Perez | @perezbox #DrupalCon #AskSucuri

Page 2: Navigating the Security Landscape

TONY PEREZ | @perezbox

Page 3: Navigating the Security Landscape

WHO IS THIS TALK FOR?

• Curious about website security

• Establishing a security risk posture for websites

• Currently experiencing or have experienced an infection

• Intrigued by the psychology of attackers

• Weighing the potential impacts of a compromise

• System Integrators and Engineers

• Website owners / Functional Units

Page 4: Navigating the Security Landscape

May 2016 – 1.02 Billion Websites

Source: W3Tech

Page 5: Navigating the Security Landscape

73% | 33%

CMS Powered Websites | CMS Market Share

Source: W3Tech

Page 6: Navigating the Security Landscape

4.9% | 2.2%

Websites Powered By | CMS Market Share Owned

Source: W3Tech

Page 7: Navigating the Security Landscape

Drupal 8 brought about amazing changes in terms of security!!

“Security by Default”

Page 8: Navigating the Security Landscape

Source: https://dev.acquia.com/blog/drupal-8/10-ways-drupal-8-will-be-more-secure/2015/08/27/6621 via Peter Wolan

Twig Templates for HTML generation

Removed PHP input filter and the use of PHP as a configuration import format

Site configuration exportable, manageable as code, and versionable

User content entry and filtering improved

Hardened user session and session ID handling

Automated CSRF token protection in route definitions

Trusted host patterns enforced for requests

PDO MySQL limited to executing single statements

Clickjacking protection enabled by default

Core JS Compatible with CSP

Page 9: Navigating the Security Landscape

Drupal 8 released November 19, 2015

Source: Drupal.org

Page 10: Navigating the Security Landscape

Month | 7.x | 8.x | 6.x
May 2016 | 1,000,741 | 70,719 | 101,335
April 2016 | 1,016,267 | 74,866 | 103,997
March 2016 | 1,016,251 | 56,612 | 105,027
February 2016 | 1,097,240 | 67,827 | 115,531
January 2016 | 1,046,312 | 64,061 | 110,812

Source: Drupal.org

Page 11: Navigating the Security Landscape

6%

Drupal websites upgraded to version 8.0

Source: Drupal.org

Page 12: Navigating the Security Landscape

25

Total Number of Vulnerabilities Found in the Mossack Fonseca (Panama Papers 2016) client portal, built on Drupal:

Source: W3Tech

Page 13: Navigating the Security Landscape

81%

Drupal websites that were out-of-date when infected:

Source: Sucuri Labs

Page 14: Navigating the Security Landscape

Patch / Vulnerability management is hard, no matter the organization size or industry type. Ironically, exploitation of software vulnerabilities is the leading cause of website compromises.

Page 15: Navigating the Security Landscape

In the Enterprise alone…

Page 16: Navigating the Security Landscape

33%

Companies that have no process for identifying, tracking or remediating known open source vulnerabilities

Source: 2016 Future of Open Source Study by Northbridge

Page 17: Navigating the Security Landscape

47%

Companies that are not tracking open source code

Source: 2016 Future of Open Source Study by Northbridge

Page 18: Navigating the Security Landscape

50%

Companies that have no one responsible for identifying and remediating vulnerabilities in open-source code

Source: 2016 Future of Open Source Study by Northbridge

Page 19: Navigating the Security Landscape

Consumers are suffering from security fatigue and possibly indifference.

Page 20: Navigating the Security Landscape

Complex Environment

Page 21: Navigating the Security Landscape

Attack Surface

Environment: Local Machine | Local Network | User

Page 22: Navigating the Security Landscape

Domain | Threat Landscape
Environment | Devices (i.e., Desktop, Notebooks, Tablets); Networks (i.e., Public Wifi, Insecure Networks); End-users (i.e., Poor administration / maintenance)
Application | CMS (i.e., WordPress, Joomla!, Magento, Drupal, etc.); Non-CMS Applications (i.e., Plesk, WHMCS, cPanel, etc.); Multi-function environments (i.e., email / file servers, etc.)
Server | Web Server (i.e., Apache, NGINX, Varnish, IIS, etc.); Operating Systems (i.e., Linux, Windows, etc.); Languages (i.e., PHP, .NET, Node.js, etc.); Server Daemons (i.e., FTP, SFTP, SSH, etc.)
Infrastructure | Hosting companies; Physical servers; Hardware peripherals (i.e., Routers, Switches)

Page 23: Navigating the Security Landscape

Security Chain

Environment | Application | Server | Infrastructure

Page 24: Navigating the Security Landscape

Types of Attacks

Page 25: Navigating the Security Landscape

Targeted Attacks

• Occurs .001% of the time

• There is a specific “target”

• How the attack will happen is unknown

• The exploit is unknown, defined by what is found

• There is enough motivation and return

• Automated / Manual

• High level of skill / expertise

• Personal (i.e., political, competitor, hatred)

• Modus operandi for organizations

Attacks of Opportunity

• Occurs 99.99% of the time

• Don’t have a specific “target”

• The attack is known

• The exploit is known, low-hanging fruit

• The motivation and return are dependent on mass effect

• Mostly automated

• Low-to-mid level of skill / expertise

• Not personal (i.e., wrong place, wrong time)

• Modus operandi for website attacks

Page 26: Navigating the Security Landscape

Attack Flow

Page 27: Navigating the Security Landscape

Automation

• Key in today’s attacks, making it the most effective way to affect tens of thousands of websites at the same time (i.e., maximum exposure and increased potential for success)

• Introduces efficiency and effectiveness into the attack sequence, enabling less-skilled adversaries (i.e., new breed of script kiddies)

• Allows bad actors to be faster to the draw targeting new software vulnerabilities

• Enabled by the development and expansion of global bot networks (botnets)

Page 28: Navigating the Security Landscape

Reconnaissance

Identification

Exploitation

Sustainment

Compromise

Cleanup

Automated | Targeted

Page 29: Navigating the Security Landscape

Phase | Targeted | Opportunity
Reconnaissance | Scanning a specific environment | Scanning the web for a specific issue
Identification | Identify the potential attack vectors on the network | Occurs in Reconnaissance phase
Exploitation | Exploit a specific weakness based on services in environment | Exploit known weakness
Sustainment | Ensure attacker can continue to get into environment | Ensure attacker can continue to get into environment
Compromise | Accomplish the objective | Accomplish the objective
Cleanup | Reduce odds of detection, cover tracks | N/A

Page 30: Navigating the Security Landscape

Phase | Considerations | Security Controls
Reconnaissance | How are you reducing your attack surface? | Disable unused services, ports, applications
Identification | How do you know what vulnerabilities exist? | Vulnerability management program (i.e., wpscan, joomlascan, cmsmap, droopescan, nessus, w3af)
Exploitation | How are you mitigating exploitation attempts? | Employ cloud-based WAF / IPS
Sustainment | How do you know there are no backdoors? | Employ IDS technology designed to detect these issues
Compromise | How do you know if you’re currently compromised? | Employ IDS technology designed to report Indicators of Compromise (IoC) and integrity issues
Cleanup | Are you retaining all activity remotely? | Employ an auditing / remote retention mechanism

Page 31: Navigating the Security Landscape

Availability

• Availability describes your website’s uptime, or accessibility, to your audience.

• Some hacks don’t intend on compromising the website or its resources; instead they are content with overwhelming resources and disrupting its availability.

• Known as Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

• Attackers are able to overwhelm resources on a network, which drastically affects shared hosts and small web servers and can lead to websites being disabled to save the network.

Page 32: Navigating the Security Landscape

Attack Vectors

Page 33: Navigating the Security Landscape

How Websites Get Hacked

• Access Control

• Software Vulnerabilities

• Cross-site Contamination

• Third-Party Integrations

• Hosting

Page 34: Navigating the Security Landscape

Access Control

• Refers to how access is restricted to specific areas, places, or things.

• Website access control extends to all applications that provide some form of access to the web environment:

  • CMS Administration Panel

  • Hosting Administration Panel

  • Server Access Nodes (i.e., FTP, SFTP, SSH)

• When thinking about access control, think beyond the website application.

• Attacks on access control come in the form of Brute Force attacks.

Page 35: Navigating the Security Landscape

Software Vulnerabilities

• Refers to bugs in code that can be abused to perform nefarious acts. They include things like:

  • SQL Injection (SQLi), Cross-Site Scripting (XSS), Remote Code Execution (RCE), Remote File Inclusion (RFI), etc.

• Familiarize yourself with the Open Web Application Security Project (OWASP), specifically the OWASP Top 10.

• CMS applications struggle with vulnerabilities in their extensible parts (i.e., plugins, themes, extensions, modules, etc.)

Page 36: Navigating the Security Landscape

Cross-site Contamination

• Refers to the lateral movement an attacker makes once in the web server.

• This is referred to as an internal attack, not an external one. An attacker is able to gain entry into the web server via a vulnerable site, then use that to leapfrog into all other websites on the web server.

• It’s often the contributing factor to a number of reinfections: website owners focus on the website affected and the symptoms, but spend little time looking at the websites that show no external signs of compromise.

• Rampant in environments that do not employ functional isolation on the web server, and employ improper permissions and configurations.
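
A defender-side check for the isolation problems described above, as an added example that is not part of the original slides: it walks a shared web root and reports docroots that share an owner, world-writable paths, configuration files readable by other accounts, and symlinks that lead out of a site's directory. The one-directory-per-site layout, the configuration file names and all function names are assumptions made for this illustration.

```python
import os
import stat
import tempfile
from collections import defaultdict

# Assumption: each immediate subdirectory of the web root is one site's docroot.
CONFIG_NAMES = {"settings.php", "wp-config.php", "configuration.php"}


def audit_web_root(web_root):
    """Return sorted (site, relative_path, issue) findings for a shared web root."""
    findings = []
    owners = defaultdict(list)  # owner uid -> sites whose docroot it owns
    for site in sorted(os.listdir(web_root)):
        site_dir = os.path.join(web_root, site)
        if os.path.islink(site_dir) or not os.path.isdir(site_dir):
            continue
        real_site = os.path.realpath(site_dir)
        owners[os.stat(site_dir).st_uid].append(site)
        for dirpath, dirnames, filenames in os.walk(site_dir):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, web_root)
                mode = os.lstat(path).st_mode
                if stat.S_ISLNK(mode):
                    # A link out of the docroot gives this site a path into another.
                    target = os.path.realpath(path)
                    if os.path.commonpath([real_site, target]) != real_site:
                        findings.append((site, rel, "symlink leaves docroot"))
                    continue
                if mode & stat.S_IWOTH:
                    findings.append((site, rel, "world-writable"))
                if name in CONFIG_NAMES and mode & stat.S_IROTH:
                    findings.append((site, rel, "config readable by others"))
    for sites in owners.values():
        if len(sites) > 1:  # no per-site account, so one foothold reaches every site
            findings.extend((s, s, "docroot owner shared with other sites") for s in sites)
    return sorted(findings)


def build_demo_tree():
    """Create a constructed two-site web root in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {  # constructed sample data: relative path -> file mode
        "site-a/index.php": 0o644,
        "site-a/sites/default/settings.php": 0o644,  # credentials readable by anyone
        "site-b/settings.php": 0o640,                # not readable by "other"
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n")
        os.chmod(path, mode)
    for dirpath, _dirs, _files in os.walk(root):
        os.chmod(dirpath, 0o755)  # fixed modes so the result ignores the umask
    uploads = os.path.join(root, "site-b", "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)  # writable by every account on the server
    os.symlink(os.path.join(root, "site-a"), os.path.join(root, "site-b", "shared"))
    return root


if __name__ == "__main__":
    for site, rel, issue in audit_web_root(build_demo_tree()):
        print(f"{site:8} {issue:40} {rel}")
```

Findings on a site that shows no outward symptoms are the ones to act on first, since those are the sites the slide says get overlooked after a reinfection.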

Page 37: Navigating the Security Landscape

Third-Party Integrations

• Third-party integrations refer to a number of things; the most prevalent affecting security is the integration of ads and their associated ad networks.

• These integrations are introducing a weak link into the security chain, where ad networks are attacked and used to penetrate unsuspecting websites (malvertising).

• Malvertising is the act of manipulating ads to distribute malware, often in the form of malicious redirects and drive-by-downloads.

• Exceptionally difficult to detect because of their conditional nature, and the fact that they are outside of the website environment

Page 38: Navigating the Security Landscape

Hosting

• It’s been a long time since there has been a mass-compromise of a large shared-hosting provider (circa 2011)

• The issues with hosts today revolve around hosts that aren’t really hosts; organizations that try to offer a complete solution – marketing / development / security / hosting / SEO, etc.

• Inexperienced service providers that introduce confusion and noise to an already crowded marketplace

• They know enough to be dangerous, but rarely house the in-house skills or knowledge

• Contribute to a number of cross-site contamination issues due to poor configurations

Page 39: Navigating the Security Landscape

Motivations

Page 40: Navigating the Security Landscape

Page 41: Navigating the Security Landscape

REVENUE

• Make money off your website or its resources

• Earning potential could be based on stealing information (i.e., data exfiltration)

• Impression based affiliate marketing schemes

• Criminal enterprises

Page 42: Navigating the Security Landscape

AUDIENCE

• Make money off your audience

• Extremely valuable to attackers

• Ability to take advantage of the trust you’ve built with your followers / customers

Page 43: Navigating the Security Landscape

RESOURCES

• Make money off your resources

• Abuse of the infrastructure supporting your website

• Integrated into larger criminal networks (a.k.a botnets)

Page 44: Navigating the Security Landscape

LULZ

• Not about making money (Finally!!)

• Bored, why not?

• If it allows me to access it, why wouldn’t I?

• Badge of honor amongst peers!

• Likely one of our kids!!!

Page 45: Navigating the Security Landscape

Tactics Employed

Page 46: Navigating the Security Landscape

Page 47: Navigating the Security Landscape

Infection Types

• Malware Distribution

• Search Engine Poisoning

• Spam Email

• Phishing Lures

• Defacement

• DDoS/Bots/Backdoors

• Ransomware

Page 48: Navigating the Security Landscape

Type | Description | Motivation Association

Malware Distribution | Drive-by-Downloads; End-points are the target | Revenue, Audience

Search Engine Poisoning (SEP) | Search Engine Result Pages (SERP); Pharma / Casino / Luxury Goods | Revenue, Audience

Phishing Lures | Email / Social Phishing campaigns; Financial / Credential Theft

Spam Email | Email spam campaigns; Leverage your server / ip / domain

Resource, Audience, Resource

Defacement | Hacktivism | Lulz

DDoS/Bot Scripts/Backdoors | Server level scripts; Abuse resources / access control | Revenue, Resource

Ransomware | Hold you hostage; Hold your audience hostage | Revenue, Audience

Data Exfiltration | Steal data from your environment; E-Commerce / PII

Resource, Audience

Revenue, Audience

Page 49: Navigating the Security Landscape

THE IMPACTS OF COMPROMISE

Business: Brand | Economic | Emotional Distress

Technical: Website Blacklisting | SEO Impacts | Visitor Compromise

Page 50: Navigating the Security Landscape

Business Impacts: Brand | Economic | Emotional Distress

Brand Reputation

• Your brand is made up of the unique user experience you offer through your design, content, product offering and service

• Your website, and the experience your audience has, plays a critical part in the reputation of that brand

• Tolerance is the highest it’s ever been around website compromises, so reputation is recoverable

• Loss of trust in your brand can drive your audience to look for alternatives to your brand

Page 51: Navigating the Security Landscape

Business Impacts: Brand | Economic | Emotional Distress

Economic Impacts

• Our research has shown a little over 90% drop in traffic immediately following a compromise; that number goes up if a website gets blacklisted

• Whether your website leverages ads, static content, or sells product, it directly or indirectly helps your business generate some form of revenue / exposure

• Costs associated with post-compromise services, to include time / money spent on tools, education and consultation

Page 52: Navigating the Security Landscape

Business Impacts: Brand | Economic | Emotional Distress

Emotional Distress

• Anxiety – nothing ever goes fast enough

• Confusion – unclear what steps to take, who to talk to, where to start

• Anger – you want to reach across the matrix and shake someone

• Sadness – a general feeling of being overwhelmed, exhausted

• Distrust – an erosion of trust in technology, internet, people

Page 53: Navigating the Security Landscape

Technical Impacts: Blacklisting | SEO | Visitor Compromise

Website Blacklisting

• The most impactful in that it has the ability to deter people from reaching your website and its content / product / services

• Blacklists extend beyond search engines like Google and Bing, and can be found in end-point AntiVirus solutions like Malwarebytes, Norton, ESET, McAfee and so many others.

• This can lead to your website being flagged globally in large networks (i.e., Cisco, Websense, etc.)

Page 54: Navigating the Security Landscape

Technical Impacts: Blacklisting | SEO | Visitor Compromise

SEO Impact

• The ability to control or manipulate what Search Engines see when they crawl your website, leading to dirty Search Engine Result Pages (SERP) and impacts to your Domain Authority and Value

• Injection of keywords and phrases that might be contrary to your brand, such as Viagra, Cialis, Casinos, Gucci, and use of those references to redirect your website to other sites

• Directly tied to the credibility of the website, and potentially affects the blacklisting of your website with search engines like Google, Bing, and others.

Page 55: Navigating the Security Landscape

Technical Impacts: Blacklisting | SEO | Visitor Compromise

Visitor Compromise

• Malware distribution can include various forms of “Drive by Download” attempts that look to install nefarious applications on your visitors’ machines (i.e., rogue AntiVirus systems)

• Websites can be used to attack browser plugins like Java, Flash, Adobe and other technologies. They can also be used to attack other websites within the same browser.

• Compromises include the distribution of malware like Ransomware that can encrypt local environments, making them unusable until the user pays a fine.

Page 56: Navigating the Security Landscape

Thinking Website Security

How to improve your website security posture

Page 57: Navigating the Security Landscape

Security is not a static state, it’s a continuous process.

Page 58: Navigating the Security Landscape

Page 59: Navigating the Security Landscape

Technology will never replace your responsibility as a website owner.

Page 60: Navigating the Security Landscape

Page 61: Navigating the Security Landscape

Security is not a Do It Yourself (DIY) project.

Page 62: Navigating the Security Landscape

Drupal Modules – Application Security Utilities

Paranoia

Security Review

Security Kit

Automated Logout | Login Security | Session Limit

Username Enumeration Prevention

Encrypt | Key

Honeypot | CAPTCHA/reCAPTCHA

Password Policy

Secure Permissions | Permission Watchdog | Permissions Lock

Hacked! | File Integrity Check

Page 63: Navigating the Security Landscape

Cloud-based Security Technologies

Website Application Firewalls (WAF)

Intrusion Prevention Systems (IPS)

Website-specific Intrusion Detection Systems (IDS)

Incident Response Team

Remote backups

Log aggregation and retention

Page 64: Navigating the Security Landscape

Page 65: Navigating the Security Landscape

Q & A Tweet us @SucuriSecurity using #AskSucuri

Page 66: Navigating the Security Landscape

THANK YOU!