Website Security is about Passwords?
Perhaps the thing that annoys me most when I hear security being explained to end users is when the people doing it get the information wrong, or overemphasize things they don’t understand or can’t support. This is the problem with the way we communicate, especially in the WordPress community. It applies to every community, though, regardless of platform.
To be clear, in case the title was misleading, this sentiment is wrong and we should do a better job at communicating security.
It All Lies Within the World of Passwords
Most of the nonsense I hear around this comes from folks with a very small perspective into the world of security, and as of late seems to stem from the access control guys (those that are fighting the password game).
The reality, however, is that this vector, while important, accounts for a very small percentage of compromises on the consumer side. When you look through the data we compile at Sucuri, 83% of the websites we work on actually have very strong passwords. Rarely are they using the admin user, and the source of the compromise is attributed less every day to access control and more to software vulnerabilities in the stack. Yet the number of infections continues to rise.
Here is another nugget of data. A very high percentage of the infected websites are also running up-to-date WordPress installs (versions 3.9 and 4.x). This is not so much the case with our Joomla! friends, where out-of-date software is the biggest Achilles’ heel. Just look at the latest Drupal issue: they released a post yesterday saying that if users had not patched within 7 hours, they should consider their environments compromised.
Using simple words and pretty pictures adds no value to the security space and, more importantly, does little for the end users. I won’t argue that it attracts people, because it’s pretty. Who doesn’t love a beautifully wrapped package?
Here is an illustration of what I mean by oversimplification.
I was at a conference recently in which the presenter spoke about a magical army of zombie machines; an army that has somehow changed the way security works.
In this journey, attackers grew smarter and realized, “Hey, why waste energy on the big guys when I can focus on the little guys?” And so the army shifted its focus to the little guys, and as it infected one, it continued its march to conquer the rest, all with the grand objective of conquering the big company.
And so as the small businesses were infected, they were refocused to target all these big bad companies via massive Brute Force attacks.
These attacks have shifted the landscape of website security and introduced a new issue that enterprises just aren’t ready to face. As such, the solution, and the key to security, is simple: we have to do away with passwords. We have to implement a solution that addresses this evil and outdated access control issue known as Passwords.
They went on to explain how, via the community’s engagement, 0% of the space was affected by the Heartbleed vulnerability. This statement shocked me, but what are you to do? Now thousands of people are thinking “wow, that’s so awesome, we stopped that” when it’s the furthest thing from reality for a number of reasons (that’s a post in and of itself). This is pure naivety. Heartbleed was a vulnerability used to extract and leak information. How in the world do you measure who was and wasn’t affected? Here is an example of 900 SINs stolen from the CRA website due to Heartbleed.
In the words of one of my Latino brothers, Chris Lema: Cool Story, Bro. Then again, everyone loves a good story.
What the World Really Looks Like
As fascinating a story as this is, it’s very far from the truth. Here are a couple of clarifying points:
- Botnets are a problem, but not a Brute Force problem for enterprise environments.
- Botnets are in fact used for Brute Force events, but they are also employed for a variety of issues.
- The Brute Force issue is more impactful to the everyday end user. At the enterprise level, proper configurations are in place that render the Brute Force issue null and void.
- The bigger problem with a small company being infected is a thing known as Waterhole Attacks, where the attacker is able to distribute malware via the infected website, affect the visiting user, and from there leapfrog into larger environments. This is the dilemma that enterprises face, similar to the Bring Your Own Device (BYOD) issue.
- These environments are also used heavily for things known as phishing lures.
- There is also the issue of massive email spam campaigns abusing compromised web servers.
While I appreciate the simplicity of a nice story, I personally prefer honesty and accuracy. Yet the problem is that most people will be none the wiser, and silly things like this will continue to be promoted because they are nicer and easier to absorb.
Here’s what I consider simple: basing these discussions on security around facts, not pretty stories, fear, or oversimplification. If the facts scare, they scare. If they make people feel warm and fuzzy inside, so be it. But just lay it out correctly.
It is funny how folks like to focus on the easy, believing “all I need is a 50 digit password” to remain secure.
Who doesn’t agree password security is important? But at the end of the day, “it’s all about the layers, baby…”
Strong Password – check!
Now only 10 more security layers to “check”
I believe there’s an opportunity for a security focused gamification app to help train folks on security “layering.” I’m not referring to another PCI checklist (geez!). A couple of security plugins have tried, issuing points for locking things down (though then the points are meaningless because the high score is not evaluated or in competition with anyone). Anyway, got me rambling on the subject, so that’s something…
That’s actually a very interesting idea.. gamification seems to be the “thing” these days..
That’s because gamification is AWESOME. We all love apps, stats, rewards, and encouragement!
Plus, gaming is all about frustration – security, for all its charm, is frustrating…
It can be simple games too, for example, I set a rule that redirects my brute-force login notification emails to a folder. I can just watch the “score” go up over time, at a glance, and note if it’s unusually high. It’s my own personal way of making that aspect of monitoring a bit more fun.
Also, I didn’t want to disable them, but they were kind of jamming up my inbox.
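The mail-folder "score" described in the comment above can be turned into something a bit more useful than a count glanced at now and then. The script below is an added example, not code from the post or from any of its commenters: it parses a batch of lockout notification emails, tallies them per day, and flags days that stand out against the baseline of the other days. The notification subject format, the sample messages and the thresholds are all constructed for illustration; adjust the regular expression to whatever your lockdown plugin actually sends.

```python
"""Tally brute-force lockout notification emails per day and flag unusual days.

Added example, not code from the original post or its commenters. The
notification format and sample data below are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample: one line per email, "<ISO timestamp> <subject>".
# The backup line is there to show unrelated mail is ignored.
SAMPLE_NOTIFICATIONS = """\
2014-10-28T01:12:04Z [Site Lockdown] Too many failed logins from 203.0.113.5
2014-10-28T03:40:19Z [Site Lockdown] Too many failed logins from 203.0.113.9
2014-10-29T00:05:41Z [Site Lockdown] Too many failed logins from 198.51.100.2
2014-10-29T11:22:03Z Your weekly backup completed
2014-10-30T02:14:55Z [Site Lockdown] Too many failed logins from 203.0.113.5
2014-10-30T02:15:01Z [Site Lockdown] Too many failed logins from 203.0.113.5
2014-10-30T02:15:07Z [Site Lockdown] Too many failed logins from 203.0.113.17
2014-10-30T02:15:44Z [Site Lockdown] Too many failed logins from 198.51.100.2
2014-10-30T02:16:30Z [Site Lockdown] Too many failed logins from 203.0.113.9
2014-10-30T02:17:12Z [Site Lockdown] Too many failed logins from 192.0.2.77
2014-10-30T02:18:03Z [Site Lockdown] Too many failed logins from 192.0.2.78
2014-10-30T02:19:49Z [Site Lockdown] Too many failed logins from 192.0.2.79
2014-10-31T04:01:00Z [Site Lockdown] Too many failed logins from 203.0.113.5
"""

# Hypothetical subject pattern; change it to match your own plugin's emails.
NOTIFICATION_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[Site Lockdown\] Too many failed logins from (?P<ip>\S+)$"
)


def parse_notifications(text):
    """Return (day, source_ip) pairs for every line that is a lockout notification."""
    events = []
    for line in text.splitlines():
        m = NOTIFICATION_RE.match(line.strip())
        if not m:
            continue  # unrelated mail does not count toward the score
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts.date(), m.group("ip")))
    return events


def daily_score(events):
    """The 'score' from the comment: number of lockout notifications per day."""
    return Counter(day for day, _ in events)


def unusual_days(events, factor=3.0, minimum=5):
    """Return (day, count, distinct_source_ips) for days that stand out.

    A day is flagged when its count is at least `minimum` and more than
    `factor` times the median of the other days. Both defaults are arbitrary;
    tune them to your own baseline. The distinct-IP count is reported because
    a spike from one address and a spike from many addresses (a botnet)
    call for different responses.
    """
    scores = daily_score(events)
    flagged = []
    for day, count in sorted(scores.items()):
        others = [c for d, c in scores.items() if d != day]
        baseline = median(others) if others else 0
        if count >= minimum and count > factor * baseline:
            sources = {ip for d, ip in events if d == day}
            flagged.append((day, count, len(sources)))
    return flagged


if __name__ == "__main__":
    evts = parse_notifications(SAMPLE_NOTIFICATIONS)
    for day, count in sorted(daily_score(evts).items()):
        print(f"{day}: {count}")
    for day, count, n_ips in unusual_days(evts):
        print(f"UNUSUAL {day}: {count} lockouts from {n_ips} distinct addresses")
```

On the constructed sample this reports 2, 1, 8 and 1 notifications for the four days and flags 2014-10-30, where eight lockouts came from seven different addresses. Feeding it real data is a matter of exporting the folder the commenter's mail rule fills and mapping each message's date and subject onto the line format above.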