Navigating the Security Landscape

Navigating the Security Landscape
Tony Perez | @perezbox #DrupalCon #AskSucuriTony Perez | @perezbox #DrupalCon #AskSucuri
#AskSucuri
Navigating the Security
Landscape

TONY PEREZ
@perezbox
Tony Perez | @perezbox

WHO IS THIS TALK FOR?
• Curious about website security
• Establishing a security risk posture for websites
• Currently or have experienced an infection
• Intrigued by the psychology of attackers
• Weighing the potential impacts of a compromise
• System Integrator and Engineers
• Website owners / Functional Units

May 2016 – 1.02 Billion Websites
Source: W3Tech

73%33%
CMS Powered Websites CMS Market Share
Source: W3Tech

4.9%2.2%
Websites Powered By CMS Market Share Owned
Source: W3Tech

Drupal 8 brought about amazing changes
in terms of security!!
“Security by Default”

Source: https://dev.acquia.com/blog/drupal-8/10-ways-drupal-8-will-be-more-secure/2015/08/27/6621 via Peter Wolan
 Twig Templates for HTML generation
 Removed PHP input filter and the use PHP as a configuration import format
 Site configuration exportable, manageable as code, and versionable
 User content entry and filtering improved
 Hardened user session and session ID handling
 Automated CSRF token protection in route definitions
 Trust host patterns enforced for requests
 PDO MySQL limited to executing single statements
 Clickjacking protection enabled by default
 Core JS Compatible with CSP

Drupal 8 released November 19, 2015
Source: Drupal.org

Month 7.x
May 2016 1,000,741
April 2016
March 2016
February 2016
1,016,267
1,016,251
1,097,240
January 2016
1,046,312
70,719
74,866
56,612
67,827
64,061
8.x6.x
101,335
103,997
105,027
115,531
110,812
Source: Drupal.org

6%
Drupal websites upgraded to version 8.0
Source: Drupal.org

25
Total Number of Vulnerabilities Found in the
Mossack Fonseca (Panama Papers 2016) client portal,
built on Drupal:
Source: W3Tech

81%
Drupal websites that were out-of-date
when infected:
Source: Sucuri Labs

Patch / Vulnerability management is hard,
no matter the organization size or industry
type. Ironically, exploitation of software
vulnerabilities is the leading cause of
website compromises.

In the Enterprise alone…

33%
Companies that have no process for identifying,
Tracking or remediating known open source
vulnerabilities
Source: 2016 Future of Open Source Study by Northbridge

47%
Companies that are not tracking
open source code

50%
Companies that have no one responsible
for identifying and remediating
vulnerabilities in open-source code

Consumers are suffering from security
fatigue and possibly indifference.

Complex Environment

Environment
Local Machine Local Network User
Attack Surface

Domain Threat Landscape
Environment
 Devices (i.e., Desktop, Notebooks, Tablets)
 Networks (i.e., Public Wifi, Insecure Networks)
 End-users (i.e., Poor administration / maintenance)
Application
Server
Infrastructure
 CMS (i.e., WordPress, Joomla!, Magento, Drupal, etc..)
 Non-CMS Applications (i.e,. Plesk, WHCMS, Cpanel, etc..)
 Multi-function environments (i.e., email / file servers, etc…)
 Web Server (i.e., Apache, NGINX, Varnish, IIS, etc…)
 Operating Systems (i.e., Linux, Windows, etc…)
 Languages (i.e., PHP, .NET, Node.js, etc…)
 Server Daemons (i.,e FTP, SFTP, SSH, etc...)
 Hosting companies
 Physical servers
 Hardware peripherals (i.e., Routers, Switches)

Application Server InfrastructureEnvironment
Security Chain

Types of Attacks

Targeted Attacks Attacks of Opportunity
 Occurs .001% of the time
 There is a specific “target”
 How the attack will happen is unknown
 The exploit is unknown, defined by what is found
 There is enough motivation and return
 Automated / Manual
 High-level of skill / expertise
 Personal (i.e., political, competitor, hatred)
 Modus operandi for organizations
 Occurs 99.99% of the time
 Don’t have a specific “target”
 The attack is known
 The exploit is known, low-hanging fruit
 The motivation and return is dependent on mass affect
 Mostly automated
 Low-mid level skill / expertise
 Not-Personal (i.e., wrong place, wrong time)
 Modus operandi for website attacks

Attack Flow

Automation
• Key in today’s attacks, making it the most effective way to affect 10’s of
thousands of websites at the same time (i.e., maximum exposure and
increased potential for success)
• Introduces efficiency and effectiveness into the attack sequence, enabling less
skill adversaries (i.e., new breed of script kiddies)
• Allows bad actors to be faster to the draw targeting new software vulnerabilities
• Enabled by the development and expansion of global bot networks (botnets)

Reconnaissance
Identification
Exploitation
Sustainment
Compromise
Cleanup
AutomatedTargeted

Phase Targeted
Reconnaissance Scanning a specific environment
Identification
Exploitation
Sustainment
Identify the potential attack vectors
on the network
Exploit a specific weakness
based on services in
environment
Ensure attacker can continue
to get into environment
Compromise
Cleanup
Accomplish the objective
Reduce odds of detection,
cover tracks
Scanning the web for a specific
issue
Occurs in Reconnaissance phase
Exploit known weakness
Ensure attacker can continue
to get into environment
Accomplish the objective
N/A
Opportunity

Phase Considerations
Reconnaissance
How are you reducing your attack
surface?
Identification
Exploitation
Sustainment
How do you know what
vulnerabilities exist?
How are you mitigating
exploitation attempts?
How do you know there are no
backdoors?
Compromise
Cleanup
How do you know if you’re
currently compromised?
Are you retaining all activity
remotely?
 Disable unused services, ports,
applications
 Vulnerability management program
(i.e., wpscan, joomlascan, cmsmap,
droopescan, nessus, w3af )
 Employ cloud-based WAF / IPS
 Employ IDS technology designed to
detect these issues
 Employ IDS technology designed to
report Indicators of Compromise (IoC)
and integrity issues
 Employ an auditing / remote retention
mechanism
Security Controls

Availability
• Availability describes your websites uptime, or accessibility, to your audience.
• Some hacks don’t intend on compromising the website or it’s resources, instead
they are content with overwhelming resources and disrupting it’s availability
• Known as Denial of Service (DoS) and Distributed Denial of Service (DDoS)
attacks.
• Attackers are able to overwhelm resources on a network, drastically affects
shard hosts and small web servers, can lead to websites being disabled to save
the network

Attack Vectors

How Websites Get Hacked
Access Control Software Vulnerabilities
Cross-site
Contamination
Third-Party
Integrations
Hosting

Access Control
• Refers to how access is restricted to specific areas, places, or things.
• Websites access control extends to all applications that provide some form of
access to the web environment:
• CMS Administration panel
• Hosting Administration Panel
• Server Access Nodes (i.e., FTP, SFTP, SSH)
• When thinking about access control, think beyond the website. application.
• Attacks to access control come in he form of Brute Force attacks.

Software Vulnerabilities
• Refers to bugs in code that can be abused to perform nefarious acts. They
include things like:
• SQL Injection (SQLi), Cross-Site Scripting (XSS), Remote Code Execution (RCE), Remote File Inclusion (RFI), etc.…
• Familiarize yourself with the Open Web Application Security Project (OWASP),
specifically the OWASP Top 10.
• CMS applications struggle with vulnerabilities in their extensible parts (i.e.,
plugins, themes, extension, modules, etc…)

Cross-site Contamination
• Refers to the lateral movement an attacker makes once in the web server.
• This is referred to as an internal attack, not an external one. An attacker is able
to gain entry into the web server via a vulnerable site, then use that to leap frog
into all other websites on the web server.
• It’s often the contributing factor to a number of reinfections, website owners
focus on the website affected and the symptoms, but spend little time looking at
the websites that show no external signs of compromise.
• Rampant in environments that do not employ functional isolation on the web
server, and employ improper permissions and configurations.

Third-Party Integrations
• Third-party integration refer to a number of things, the most prevalent affecting
security is the integration of ads and their associated ad networks.
• These integrations are introducing a weak link into the security chain, where ad
networks are attacked and used to penetrate unsuspecting websites -
malvertising
• Malvertising is the act of manipulate ads to distribute malware, often in the form
of malicious redirects and drive-by-downloads
• Exceptionally difficult to detect because of their conditional nature, and the fact
that they are outside of the website environment

Hosting
• It’s been a long time since there has been a mass-compromise of a large
shared-hosting provider (circa 2011)
• The issues with hosts today revolve around hosts that aren’t really hosts;
organizations that try to offer a complete solution – marketing / development /
security / hosting / SEO, etc..
• Inexperienced service providers that introduce confusion and noise to an already crowded
marketplace
• They know enough to be dangerous, but rarely house the in-house skills or knowledge
• Contribute to a number of cross-site contamination issues due to poor configurations

Motivations

REVENUE
• Make money off your website or
it’s resources
• Earning potential could be based on
stealing information (i.e., data
exfiltration)
• Impression based affiliate
marketing schemes
• Criminal enterprises

AUDIENCE
• Make money off your audience
• Extremely valuable to attackers
• Ability to take advantage of the trust
you’ve built with your followers /
customers

RESOURCES
• Make money off your resources
• Abuse of the infrastructure supporting
your website
• Integrated into larger criminal networks
(a.k.a botnets)

LULZ
• Not about making money (Finally!!)
• Bored, why not?
• If it allows me to access it, why wouldn’t
I?
• Badge of honor amongst peers!
• Likely one of our kids!!!

Tactics Employed

Malware Distribution Search Engine Poisoning Spam EmailPhishing Lures
Infection Types
Defacement DDoS/Bots/Backdoors Ransomware

Type Description Motivation Association
Malware Distribution
Drive-by-Downloads
End-points are the target
Revenue
Audience
Search Engine Poisoning (SEP)
Search Engine Result Pages (SERP)
Pharma / Casino / Luxury Goods
Revenue
Audience
Phishing Lures
Email / Social Phishing campaigns
Financial / Credential Theft
Spam Email
Email spam campaigns
Leverage your server / ip / domain
Resource
Audience
Resource
Defacement Hacktivism Lulz
DDoS/Bot Scripts/Backdoors
Server level scripts
Abuse resources / access control
Revenue
Resource
Ransomware
Hold you hostage
How your audience hostage
Revenu
Audience
Data Exfiltration
Steal data from your environment
E-Commerce / PII
Resource
Audience
Revenue
Audience

THE IMPACTS OF COMPROMISE
Brand Website Blacklisting
Emotional Distress
Economic
Business
Visitor Compromise
Technical
SEO Impacts

Business Impacts EconomicBrand Emotional Distress
Brand Reputation
• Your brand is made up of the unique user experience you offer through your
design, content, product offering and service
• Your website, and the experience your audience has plays a critical part in the
reputation of that brand
• Tolerance is the highest it’s ever been around website compromises, so
reputation is recoverable
• Loss of trust in your brand can drive your audience to look for alternatives to
your brand

Economic Impacts
• Our research has shown a little over 90% drop in traffic immediately following a
compromise, that number goes up if a website gets blacklisted
• Whether your website leverages ads, static content, or sells product, it directly
or indirectly helps your business generate some form of revenue / exposure
• Costs associated with post-compromise services, to include time / money spent
on tools, education and consultation

Emotional Distress
• Anxiety – nothing ever goes fast enough
• Confusion – unclear what steps to take, who to talk to, where to start
• Anger – you want to reach across the matrix and shake someone
• Sadness – a general feeling of feeling overwhelmed, exhausted..
• Distrust – an erosion of trust in technology, internet, people

Website Blacklisting
• The most impactful in that it has the ability deter people from reaching your
website and it’s content / product / services
• Blacklists extend beyond search engines like Google and Bing, but can be
found in end-point AntiVirus Solutions like Malwarebytes, Norton, EST, McAfee
and so many others.
• This can lead to your website being flagged globally in large networks (i.e.,
cisco, websense, etc… )
Technical Impacts SEOBlacklisting Visitor Compromise

SEO Impact
• The ability to control or manipulate what Search Engines see when they crawl
your website, leading to dirty Search Engine Result Pages (SERP), impacts to
your Domain Authority and Value
• Injection of keywords and phrases that might be contrary to your brand,
inclusion of things like: Viagra, Cialis, Casinos, Gucci, and use those references
to redirect your website to other sites
• Directly tied to the creditability of the website, and potentially affects the
blacklisting of your website with search engines like Google, Bing, and others.

Visitor Compromise
• Malware distribution can include various forms of “Drive by Download” attempts
that look to install nefarious applications on your visitors machines (i.e., rogue
AntiVirus systems)
• Websites can be used to attack browser plugins like Java, Flash, Adobe and
others technologies. Can also be used to attack other websites within the same
browser.
• Compromise include the distribution malware like Ransomware that can encrypt
local environments, making them unusable until the user pays a fine.

Thinking Website Security
How to improve your website security posture

Security is not a static state,
it’s a continuous process.

Technology will never replace your
responsibility as a website owner.

Security is not a Do It Yourself (DIY) project.

Cloud-based Security Technologies
 Website Application Firewalls (IPS)
 Intrusion Prevention Systems (IPS)
 Website-specific Intrusion Detection Systems (IDS)
 Incident Response Team
 Remote backups
 Log aggregation and retention

Q & A
Tweet us @SucuriSecurity using #AskSucuri

THANK YOU!

Navigating the Security Landscape

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Navigating the Security Landscape

Similar to Navigating the Security Landscape (20)

More from Sucuri

More from Sucuri (20)

Recently uploaded

Recently uploaded (20)

Navigating the Security Landscape