How We Think About Website Security
I recently attended WordCamp San Francisco (WCSF) where Matt Mullenweg, founder of the WordPress project and CEO of Automattic, gave his annual State of the Word.
WordCamps are informal, community-organized events that are put together by WordPress users like you. Everyone from casual users to core developers participate, share ideas, and get to know each other.
As I sat there and listened to the various accomplishments the platform had achieved, one common theme kept popping into my head around security. It’s a theme that plagues all platforms, not just WordPress. It’s something that my business partner and I struggle with on a daily basis — it’s the biggest vulnerability every website and CMS faces, it’s users.
Over the years, the one thing I found to be true is human fallibility – no matter how much money you spend, how many times you audit code, no matter what you do, there will always be a problem in there somewhere.
I wrote about such a thing back in 2012 where I spoke to the True Vulnerability within WordPress. This holds true to all websites, software, infrastructure, etc… and what we have to remember is that security has never been about just one thing, but a combination of people, processes, and technology.
This however seems to be lost, forgotten or just not known to most people. We have grown too accustomed to Plug-n-Play (PnP) solutions, whether they are traditional Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). We have become monkeys in the wheel. This applies to all of security, not just websites, but is especially noticeable in the Website domain.
Indicators of Compromised Behavior (IoCd-B)
There used to be a time when System Administrator and Website Administrator were real functions. The cost of running a website was obnoxiously high because of 1) infrastructure and 2) the human requirement. Both however have been destroyed with the development and introduction of platforms like WordPress, Joomla!, Drupal and so many others.
The desire to free publishing has translated to destroying entire markets and in the process destroying the value and importance of things like administration and security. What I’m coming to realize is that this tide is a difficult one to combat, a difficult one to change. Yet, it all comes back to that one point – human fallibility.
For the longest time my business partner, Daniel, and I have talked about this idea of thinking beyond the traditional security and what that really means. I’ve alluded to it in presentations and posts. Today he wrote this article Indicators of Compromised Behavior (IoCd-B) in which he talks to the idea that what we have forgotten is that security was never meant to be something you forget, but rather we must remember the people element.
He talks to the need to complement our existing processes with a better understanding of our environment. His example is simple, yet profound if put into practice. Today it’s not enough to think solely about the attacks or about whether an attack succeeded; we have to think bigger than that. We have to think about the indicators that we know make up an incident.
It’s funny, I lurk in a number of groups across the web, a lot of them end-users and there is always a common theme in the type of questions:
- I keep getting notifications of Brute Force attempts, can you show me how to make them stop?
- I deployed this tool, why am I still getting attacked?
- I applied this configuration, yet I still got hacked, help, please…
Each carries with it the same lack of understanding and appreciation for what security is about, and the responses they receive are even less helpful. We provide blanket responses that are specific to one scenario, for every scenario, because it’s what worked for that person or what we found on Google.
Most fail to realize that if they would only place a little more effort into being a system or website administrator, and followed basic administration steps, they would improve their security posture. When you do this, and you become an active administrator, you realize how much you see.
If we take Daniel’s thoughts and expand them to website security we find that we can ask ourselves some very interesting questions:
- What times should people be able to access your website?
- What times should people be allowed to log into your website?
- Should people be allowed to initiate POST requests, or will GET requests suffice?
- Who is logging into your environment? Where should they be logging in?
- What is changing on your website? Should that article, post, page have changed?
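The questions above become checkable once you write down the answers as a baseline and compare traffic against it. The following is an added example, not code from the original post or from Sucuri: it encodes a hypothetical policy (expected login hours, the networks administrators log in from, the paths that should ever receive a POST) and runs a few constructed combined-format access log lines against it, reporting each request that breaks the baseline.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Combined-log-format line: client IP, timestamp, method, path, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Hypothetical policy for one site: the written-down answers to the questions above.
POLICY = {
    "login_hours_utc": range(8, 19),                    # logins expected 08:00-18:59 UTC
    "admin_networks": [ip_network("198.51.100.0/24")],  # where admins should log in from
    "post_paths": {"/wp-login.php", "/wp-admin/post.php", "/wp-comments-post.php"},
}
LOGIN_PATH = "/wp-login.php"
CHANGE_PATHS = {"/wp-admin/post.php"}  # requests that change posts and pages

# Constructed sample traffic (documentation IP ranges, not real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2014:09:12:01 +0000] "GET /2014/10/post/ HTTP/1.1" 200 5120
198.51.100.23 - - [14/Oct/2014:10:03:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [14/Oct/2014:03:17:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.55 - - [14/Oct/2014:11:41:30 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0
192.0.2.55 - - [14/Oct/2014:11:42:02 +0000] "POST /2014/10/post/ HTTP/1.1" 200 5120
"""

def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["ip"] = ip_address(rec["ip"])
    return rec

def find_indicators(log_text, policy=POLICY):
    """Return (line_no, reason) for every request that breaks the baseline."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue  # GET is the expected read-only traffic; nothing to check
        from_admin_net = any(rec["ip"] in net for net in policy["admin_networks"])
        if rec["path"] not in policy["post_paths"]:
            findings.append((n, "POST to a path that should only be read"))
        if rec["path"] == LOGIN_PATH:
            if rec["ts"].hour not in policy["login_hours_utc"]:
                findings.append((n, "login outside expected hours"))
            if not from_admin_net:
                findings.append((n, "login from outside admin networks"))
        elif rec["path"] in CHANGE_PATHS and not from_admin_net:
            findings.append((n, "content change from outside admin networks"))
    return findings
```

Run against the sample, only the 10:03 login from the admin network passes; the 03:17 login is reported twice (wrong hour, wrong network), the post edit from 192.0.2.55 once, and the POST to a plain article URL once.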
Yes, this will require additional effort on your part as the website owner. Yes, this is likely contrary to what they told you you’d be responsible for when you purchased and configured the website, but it will pay dividends in the long run.
These examples however only account for the user. What about your web servers that support your website?
- What is the benchmark performance for your server?
- What does memory / disk usage look like on a weekly / daily basis? What constitutes an abnormal event?
- Do you run disparate processes on the same production box? If so, which ones, and how do they perform?
- What is leaving your box? We often focus on the incoming, but what about the outgoing?
Today’s platforms extend well beyond the thing you touch; they extend into various layers (network, data, application, etc…), and each has its own requirements and potential behaviors, all of which you should have some awareness of.
Changing the Way We Think
I listen to a lot of talks on security, go figure, and I always find myself in a conundrum when I think about end-users.
- You hear security people talk about security to security professionals and it’s to the point and more importantly, on point. Everyone understands the problem, they all live and breathe it.
- You hear people talk about security to end-users and it’s about not hurting feelings, or making things pretty. You quickly realize how little is understood about security and the realities of what the space looks like today.
Somewhere in the process, security people became bad.
“They are profiting off misfortunes” seems to be the tune; we must crush the enemy. What it really comes down to however is a deflection of the problem and of the responsibility of being a website owner.
We must ask ourselves, where does the problem lie? What are we doing as individuals to address the problem? Are we accounting for the Indicators of Compromised Behavior (IoCd-B)?