Navigating the Security Landscape
Tony Perez | @perezbox #DrupalCon #AskSucuri
WHO IS THIS TALK FOR?
• Curious about website security
• Establishing a security risk posture for websites
• Currently or have experienced an infection
• Intrigued by the psychology of attackers
• Weighing the potential impacts of a compromise
• System Integrator and Engineers
• Website owners / Functional Units
May 2016 – 1.02 Billion Websites
Source: W3Tech
73% / 33%
CMS Powered Websites / CMS Market Share
Source: W3Tech
2.2% of websites powered by Drupal / 4.9% CMS market share owned
Source: W3Tech
Drupal 8 brought about amazing changes in terms of security!!
“Security by Default”
Source: https://dev.acquia.com/blog/drupal-8/10-ways-drupal-8-will-be-more-secure/2015/08/27/6621 via Peter Wolan
Twig Templates for HTML generation
Removed the PHP input filter and the use of PHP as a configuration import format
Site configuration exportable, manageable as code, and versionable
User content entry and filtering improved
Hardened user session and session ID handling
Automated CSRF token protection in route definitions
Trust host patterns enforced for requests
PDO MySQL limited to executing single statements
Clickjacking protection enabled by default
Core JS Compatible with CSP
Drupal 8 released November 19, 2015
Source: Drupal.org
Month           7.x         8.x       6.x
May 2016        1,000,741   70,719    101,335
April 2016      1,016,267   74,866    103,997
March 2016      1,016,251   56,612    105,027
February 2016   1,097,240   67,827    115,531
January 2016    1,046,312   64,061    110,812
Source: Drupal.org
6%
Drupal websites upgraded to version 8.0
Source: Drupal.org
25
Total number of vulnerabilities found in the Mossack Fonseca (Panama Papers, 2016) client portal, built on Drupal
Source: W3Tech
81%
Drupal websites that were out-of-date when infected
Source: Sucuri Labs
Patch / Vulnerability management is hard, no matter the organization size or industry type. Ironically, exploitation of software
vulnerabilities is the leading cause of website compromises.
In the Enterprise alone…
33%
Companies that have no process for identifying, tracking or remediating known open source vulnerabilities
Source: 2016 Future of Open Source Study by Northbridge
47%
Companies that are not tracking open source code
Source: 2016 Future of Open Source Study by Northbridge
50%
Companies that have no one responsible for identifying and remediating vulnerabilities in open-source code
Source: 2016 Future of Open Source Study by Northbridge
Consumers are suffering from security fatigue and possibly indifference.
Complex Environment
Attack Surface: Environment (Local Machine, Local Network, User)

Domain           Threat Landscape
Environment      Devices (i.e., Desktop, Notebooks, Tablets); Networks (i.e., Public Wifi, Insecure Networks); End-users (i.e., Poor administration / maintenance)
Application      CMS (i.e., WordPress, Joomla!, Magento, Drupal, etc.); Non-CMS Applications (i.e., Plesk, WHMCS, cPanel, etc.); Multi-function environments (i.e., email / file servers, etc.)
Server           Web Server (i.e., Apache, NGINX, Varnish, IIS, etc.); Operating Systems (i.e., Linux, Windows, etc.); Languages (i.e., PHP, .NET, Node.js, etc.); Server Daemons (i.e., FTP, SFTP, SSH, etc.)
Infrastructure   Hosting companies; Physical servers; Hardware peripherals (i.e., Routers, Switches)

Security Chain: Application | Server | Infrastructure | Environment
Types of Attacks
Targeted Attacks
Occurs .001% of the time
There is a specific “target”
How the attack will happen is unknown
The exploit is unknown, defined by what is found
There is enough motivation and return
Automated / Manual
High level of skill / expertise
Personal (i.e., political, competitor, hatred)
Modus operandi for organizations

Attacks of Opportunity
Occurs 99.99% of the time
Don’t have a specific “target”
The attack is known
The exploit is known, low-hanging fruit
The motivation and return is dependent on mass effect
Mostly automated
Low-mid level of skill / expertise
Not personal (i.e., wrong place, wrong time)
Modus operandi for website attacks
Attack Flow
Automation
• Key in today’s attacks, making it the most effective way to affect tens of thousands of websites at the same time (i.e., maximum exposure and increased potential for success)
• Introduces efficiency and effectiveness into the attack sequence, enabling less-skilled adversaries (i.e., a new breed of script kiddies)
• Allows bad actors to be faster to the draw targeting new software vulnerabilities
• Enabled by the development and expansion of global bot networks (botnets)
Attack flow phases (Automated / Targeted): Reconnaissance, Identification, Exploitation, Sustainment, Compromise, Cleanup
Phase            Targeted                                                      Opportunity
Reconnaissance   Scanning a specific environment                               Scanning the web for a specific issue
Identification   Identify the potential attack vectors on the network          Occurs in Reconnaissance phase
Exploitation     Exploit a specific weakness based on services in environment  Exploit known weakness
Sustainment      Ensure attacker can continue to get into environment          Ensure attacker can continue to get into environment
Compromise       Accomplish the objective                                      Accomplish the objective
Cleanup          Reduce odds of detection, cover tracks                        N/A
Phase            Considerations                                      Security Controls
Reconnaissance   How are you reducing your attack surface?           Disable unused services, ports, applications
Identification   How do you know what vulnerabilities exist?         Vulnerability management program (i.e., wpscan, joomlascan, cmsmap, droopescan, nessus, w3af)
Exploitation     How are you mitigating exploitation attempts?       Employ cloud-based WAF / IPS
Sustainment      How do you know there are no backdoors?             Employ IDS technology designed to detect these issues
Compromise       How do you know if you’re currently compromised?    Employ IDS technology designed to report Indicators of Compromise (IoC) and integrity issues
Cleanup          Are you retaining all activity remotely?            Employ an auditing / remote retention mechanism
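The Sustainment and Compromise rows both come down to one question: do you know when files on the web server change without your doing? The following is an added example, not code from the talk or from Sucuri. It is a minimal file-integrity baseline in Python: it hashes every file under a document root, stores the result as JSON, and on a later run reports added, removed and modified files. The `skip_dirs` and `always_watch` parameters are this example's own assumptions (as is the Drupal upload directory named in the usage): upload directories are excluded because they change legitimately, but any file with a watched extension (here `.php`) inside them is still tracked, since executable code appearing under an upload directory is exactly the kind of integrity issue the table refers to.

```python
import hashlib
import json
import os
import sys


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _in_skipped(rel_path, skip_dirs):
    return any(rel_path == d or rel_path.startswith(d + "/") for d in skip_dirs)


def build_baseline(root, skip_dirs=(), always_watch=(".php",)):
    """Map each file under root (relative, '/'-separated) to its SHA-256.

    Files under skip_dirs are ignored unless their extension is in
    always_watch: an upload directory may change freely, but a new .php
    file inside it is worth knowing about. (Assumed policy, not Drupal's.)
    """
    root = os.path.abspath(root)
    always_watch = tuple(always_watch)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if _in_skipped(rel, skip_dirs) and not rel.lower().endswith(always_watch):
                continue
            try:
                baseline[rel] = hash_file(full)
            except OSError:
                continue  # unreadable file: leave it out of the baseline
    return baseline


def diff_baselines(old, new):
    """Compare two baselines; return sorted added / removed / modified paths."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as handle:
        json.dump(baseline, handle, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as handle:
        return json.load(handle)


if __name__ == "__main__":
    # Usage: integrity.py init  <docroot> <baseline.json>
    #        integrity.py check <docroot> <baseline.json>
    command, docroot, store = sys.argv[1:4]
    skip = ("sites/default/files",)  # assumed upload directory; adjust per site
    current = build_baseline(docroot, skip_dirs=skip)
    if command == "init":
        save_baseline(current, store)
        print("baseline written: %d files" % len(current))
    else:
        report = diff_baselines(load_baseline(store), current)
        for kind, paths in report.items():
            for rel in paths:
                print("%-9s %s" % (kind, rel))
        sys.exit(1 if any(report.values()) else 0)
```

Keep the baseline file off the web server (or at least outside the document root and out of reach of the web user), otherwise the same write access that drops a backdoor can also rewrite the record you compare against; that is the "remote retention" point in the Cleanup row.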
Availability
• Availability describes your website’s uptime, or accessibility, to your audience.
• Some hacks don’t intend to compromise the website or its resources; instead they are content with overwhelming resources and disrupting its availability.
• Known as Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
• Attackers are able to overwhelm resources on a network; this drastically affects shared hosts and small web servers, and can lead to websites being disabled to save the network.
Attack Vectors
How Websites Get Hacked: Access Control | Software Vulnerabilities | Cross-site Contamination | Third-Party Integrations | Hosting
Access Control
• Refers to how access is restricted to specific areas, places, or things.
• Website access control extends to all applications that provide some form of access to the web environment:
  • CMS Administration panel
  • Hosting Administration Panel
  • Server Access Nodes (i.e., FTP, SFTP, SSH)
• When thinking about access control, think beyond the website application.
• Attacks on access control come in the form of Brute Force attacks.
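Brute-force attempts against the login endpoints above leave a recognisable pattern in the web server's access log: the same client posting to the login form over and over. The Python below is an added example, not code from the talk: it parses combined-format log lines and flags any source IP that reaches a threshold of failed login POSTs inside a sliding time window. The log lines are constructed for the example (documentation address ranges, not real traffic); the login paths default to Drupal's `/user/login` and `/user`; and the rule that a failed Drupal login re-renders the form with HTTP 200 while a successful one answers with a redirect is an assumption to adjust for your own application.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2016:13:55:01 +0000] "POST /user/login HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2016:13:55:02 +0000] "POST /user/login HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2016:13:55:03 +0000] "POST /user/login HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2016:13:55:10 +0000] "GET /user/login HTTP/1.1" 200 4790 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2016:13:55:11 +0000] "POST /user/login HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2016:13:56:10 +0000] "POST /user/login HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2016:13:56:20 +0000] "POST /user/login HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2016:13:56:30 +0000] "POST /user/login HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2016:13:56:45 +0000] "POST /user/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2016:13:57:00 +0000] "POST /user/login?destination=admin HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2016:13:57:05 +0000] "GET /node/1 HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
garbage line that does not parse
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return dict(ip, ts, method, path, status) for a combined-format line, else None."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    return {
        "ip": match.group("ip"),
        "ts": datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": match.group("method"),
        "path": match.group("path").split("?", 1)[0],  # drop the query string
        "status": int(match.group("status")),
    }


def detect_bruteforce(lines, login_paths=("/user/login", "/user"),
                      threshold=5, window=timedelta(minutes=5)):
    """Return {ip: most failed login POSTs seen inside any `window`} for every IP
    that reaches `threshold`. Assumption: a failed Drupal login re-renders the
    form with 200, a success redirects, so only 200 responses count as failures."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in login_paths:
            continue
        if rec["status"] == 200:
            failures[rec["ip"]].append(rec["ts"])

    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window's left edge until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders


if __name__ == "__main__":
    for ip, count in sorted(detect_bruteforce(SAMPLE_LOG.splitlines()).items()):
        print("%s: %d failed logins within the window" % (ip, count))
```

On the sample, only 203.0.113.7 is reported (six failures in two minutes); 198.51.100.2 fails twice and then succeeds, which is what a legitimate user who mistyped a password looks like, so the threshold and window are the knobs that separate the two. The same counting works against the CMS's own login-failure log where one exists, which avoids guessing at status codes.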
Software Vulnerabilities
• Refers to bugs in code that can be abused to perform nefarious acts. They include things like:
  • SQL Injection (SQLi), Cross-Site Scripting (XSS), Remote Code Execution (RCE), Remote File Inclusion (RFI), etc.
• Familiarize yourself with the Open Web Application Security Project (OWASP), specifically the OWASP Top 10.
• CMS applications struggle with vulnerabilities in their extensible parts (i.e., plugins, themes, extensions, modules, etc.)
Cross-site Contamination
• Refers to the lateral movement an attacker makes once on the web server.
• This is referred to as an internal attack, not an external one: an attacker gains entry to the web server via a vulnerable site, then uses that foothold to leapfrog into all other websites on the same server.
• It is often the contributing factor in a number of reinfections: website owners focus on the affected website and its symptoms, but spend little time looking at the websites that show no external signs of compromise.
• Rampant in environments that do not employ functional isolation on the web server, and that employ improper permissions and configurations.
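The last bullet is the one that can be checked mechanically. The script below is an added example (not from the talk or from Sucuri): it walks a document root and reports the conditions that let one account on a shared server write into another site's files: world-writable files or directories, setuid/setgid executables, and files owned by someone other than the user expected to own that site. The `expected_uid` value and the idea of running it once per site account are this example's own assumptions; what counts as "the right owner" depends on how the host has set up isolation.

```python
import os
import stat
import sys


def audit_permissions(root, expected_uid=None):
    """Walk root and return sorted (relative_path, finding) tuples describing
    permission problems that enable cross-site contamination."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: judge the entry itself, not a link target
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # symlinks carry no meaningful mode of their own
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = st.st_mode
            if mode & stat.S_IWOTH:
                # any local user, i.e. any other site on the box, can write here
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid executable"))
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append((rel, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)))
    return sorted(findings)


if __name__ == "__main__":
    docroot = sys.argv[1]
    # assumption: the site's files should belong to the user running this check
    problems = audit_permissions(docroot, expected_uid=os.getuid())
    for rel, what in problems:
        print("%-28s %s" % (what, rel))
    sys.exit(1 if problems else 0)
```

A clean report does not prove isolation (PHP running as a single shared user defeats file ownership entirely), but a dirty one is a concrete finding to take to the host, and re-running it after a cleanup catches the configuration that let the contamination happen in the first place.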
Third-Party Integrations
• Third-party integrations refer to a number of things; the most prevalent one affecting security is the integration of ads and their associated ad networks.
• These integrations introduce a weak link into the security chain, where ad networks are attacked and used to penetrate unsuspecting websites: malvertising.
• Malvertising is the act of manipulating ads to distribute malware, often in the form of malicious redirects and drive-by downloads.
• Exceptionally difficult to detect because of its conditional nature, and the fact that the ads are served from outside the website environment.
Hosting
• It’s been a long time since there has been a mass compromise of a large shared-hosting provider (circa 2011).
• The issues with hosts today revolve around hosts that aren’t really hosts; organizations that try to offer a complete solution – marketing / development / security / hosting / SEO, etc.
  • Inexperienced service providers that introduce confusion and noise to an already crowded marketplace
  • They know enough to be dangerous, but rarely house the in-house skills or knowledge
  • Contribute to a number of cross-site contamination issues due to poor configurations
Motivations
REVENUE
• Make money off your website or its resources
• Earning potential could be based on stealing information (i.e., data exfiltration)
• Impression based affiliate marketing schemes
• Criminal enterprises
AUDIENCE
• Make money off your audience
• Extremely valuable to attackers
• Ability to take advantage of the trust you’ve built with your followers / customers
RESOURCES
• Make money off your resources
• Abuse of the infrastructure supporting your website
• Integrated into larger criminal networks (a.k.a botnets)
LULZ
• Not about making money (Finally!!)
• Bored, why not?
• If it allows me to access it, why wouldn’t I?
• Badge of honor amongst peers!
• Likely one of our kids!!!
Navigating the Security Landscape
Tony Perez | @perezbox #DrupalCon #AskSucuri Tony Perez | @perezbox #DrupalCon #AskSucuri
Tactics Employed
Infection Types: Malware Distribution | Search Engine Poisoning | Spam Email | Phishing Lures | Defacement | DDoS/Bots/Backdoors | Ransomware
Type                           Description                         Motivation                           Association
Malware Distribution           Drive-by-Downloads                  End-points are the target            Revenue / Audience
Search Engine Poisoning (SEP)  Search Engine Result Pages (SERP)   Pharma / Casino / Luxury Goods       Revenue / Audience
Phishing Lures                 Email / Social Phishing campaigns   Financial / Credential Theft         Resource / Audience
Spam Email                     Email spam campaigns                Leverage your server / ip / domain   Resource
Defacement                     Hacktivism                          Lulz
DDoS/Bot Scripts/Backdoors     Server level scripts                Abuse resources / access control     Revenue / Resource
Ransomware                     Hold you hostage                    Hold your audience hostage           Revenue / Audience
Data Exfiltration              Steal data from your environment    E-Commerce / PII                     Revenue / Resource / Audience
THE IMPACTS OF COMPROMISE
Business: Brand | Economic | Emotional Distress
Technical: Website Blacklisting | Visitor Compromise | SEO Impacts
Business Impacts: Economic | Brand | Emotional Distress
Brand Reputation
• Your brand is made up of the unique user experience you offer through your design, content, product offering and service
• Your website, and the experience your audience has with it, plays a critical part in the reputation of that brand
• Tolerance is the highest it’s ever been around website compromises, so reputation is recoverable
• Loss of trust in your brand can drive your audience to look for alternatives to your brand
Economic Impacts
• Our research has shown a little over 90% drop in traffic immediately following a compromise; that number goes up if a website gets blacklisted
• Whether your website leverages ads, static content, or sells product, it directly or indirectly helps your business generate some form of revenue / exposure
• Costs associated with post-compromise services, to include time / money spent on tools, education and consultation
Emotional Distress
• Anxiety – nothing ever goes fast enough
• Confusion – unclear what steps to take, who to talk to, where to start
• Anger – you want to reach across the matrix and shake someone
• Sadness – a general feeling of being overwhelmed, exhausted
• Distrust – an erosion of trust in technology, the internet, people
Technical Impacts: SEO | Blacklisting | Visitor Compromise
Website Blacklisting
• The most impactful, in that it has the ability to deter people from reaching your website and its content / products / services
• Blacklists extend beyond search engines like Google and Bing; they can also be found in end-point AntiVirus solutions like Malwarebytes, Norton, ESET, McAfee and so many others.
• This can lead to your website being flagged globally in large networks (i.e., Cisco, Websense, etc.)
SEO Impact
• The ability to control or manipulate what Search Engines see when they crawl your website, leading to dirty Search Engine Result Pages (SERP) and impacts to your Domain Authority and Value
• Injection of keywords and phrases that might be contrary to your brand, including things like: Viagra, Cialis, Casinos, Gucci, and use of those references to redirect your website to other sites
• Directly tied to the credibility of the website, and potentially affects the blacklisting of your website with search engines like Google, Bing, and others.
Visitor Compromise
• Malware distribution can include various forms of “Drive by Download” attempts that look to install nefarious applications on your visitors’ machines (i.e., rogue AntiVirus systems)
• Websites can be used to attack browser plugins like Java, Flash, Adobe and other technologies. They can also be used to attack other websites within the same browser.
• Compromises include the distribution of malware like Ransomware that can encrypt local environments, making them unusable until the user pays a fine.
Thinking Website Security
How to improve your website security posture
Security is not a static state, it’s a continuous process.
Technology will never replace your responsibility as a website owner.
Security is not a Do It Yourself (DIY) project.
Drupal Modules – Application Security Utilities
Paranoia
Security Review
Security Kit
Automated Logout | Login Security | Session Limit
Username Enumeration Prevention
Encrypt | Key
Honeypot | CAPTCHA/reCAPTCHA
Password Policy
Secure Permissions | Permission Watchdog | Permissions Lock
Hacked! | File Integrity Check
Cloud-based Security Technologies
Website Application Firewalls (WAF)
Intrusion Prevention Systems (IPS)
Website-specific Intrusion Detection Systems (IDS)
Incident Response Team
Remote backups
Log aggregation and retention
Q & A Tweet us @SucuriSecurity using #AskSucuri
THANK YOU!