The most intriguing debate to come out of last week's security conferences in Vegas stems from a presentation by FTC Chief Technologist Lorrie Cranor at PasswordsCon 2016, part of the BSides security conference in Las Vegas. Dan Goodin, with Ars Technica, summarized the discussion well; the gist of the presentation seems to question why we should change passwords at some fixed frequency, or aims to challenge the old model of forcing password expirations in systems. Others in the community, like Bruce Schneier, agree, and Troy Hunt implies agreement in his tweet. In my mind though, I struggle with the idea that it's in some way bad or ill-advised and that it's time to do away with it.
Thoughts On Security
Security is in a constantly evolving state, and keeping up with the various changes can be hard. As my journey continues in the security industry, I will share thoughts and opinions based on personal experiences. Thoughts are mostly around website security, sprinkled with general security concepts as well, but all tailored to the everyday end user.
Regardless of the size of your organization, the security challenges with open-source Content Management Systems (CMS) are the same. In the enterprise the issue stems not from the technology or existing processes, but from the fact that security is slipping through our fingers. We've made it too difficult for our counterparts in marketing and sales, and where there is a problem, new solutions step in to solve it. We see this being enabled by the explosion of cloud platforms like Platform as a Service (PaaS) and Software as a Service (SaaS), and by technologies that easily work in those environments, like open-source CMS applications.
As a community we have to do something about this. These activities stem from the perception that IT / Security is always going to say "no" or "make my life too hard", and I can't help but think there is a better way to handle this. To do this, we have to be prepared to embrace technologies like open-source CMS applications and be willing to silence our personal biases towards them (i.e., "WordPress is insecure", which is grossly untrue). A good first step is better understanding how these technologies might fit into existing governance and their associated security policies and tools.
Accounting for Website Security in The Enterprise
Open-source CMS web applications are no different than any other applications enterprise security teams are responsible for. Principles like Defense in Depth still apply, and integrating Prevention, Detection and Response solutions is just as critical. The difference is that in the enterprise these aren't new concepts, yet when it comes to open-source CMS applications they're dismissed.
Compromises within the open-source CMS domain are achieved through two key areas: access control and exploitation of software vulnerabilities. Here are a few tips to help enterprises think through the security challenges they face:
The threats of a compromise are real, and are not specific to operating an online store. Attackers find value in a number of things, some of which include your audience and resources. In this webinar I spend some time exploring a number of the impacts we should all be aware of as website owners.
I recently gave a webinar at Sucuri in which I discuss the impacts hacks have on you as website owners. In this session I dive into three core areas:
- Psychology of the Attackers.
- Things they can do if successful.
- Impacts to you as a website owner.
If you are currently infected, or know of someone that is, I encourage you to learn more about Sucuri and how they can help!
Recently I spoke at WordCamp US 2015 on the topic WordPress Security — Navigating Today’s Website Threats!!
WordPress is one of the most recognized website CMS platforms available in the market. It powers over 25% of the websites on the web, and over 50% of the CMS-based websites, so it's no surprise that it's the preferred technology of marketers, sales professionals, small and large businesses alike, and those intent on nefarious actions.
Open-source CMS applications are no stranger to the battle they face with security. The size of the organizations adopting the platform also has little to do with it – from bloggers to mom and pop shops to Fortune 500 companies; the concern is the same. Can open-source CMS applications be deployed securely within their respective stacks?
There are those that look at open-source and have a general distrust for it. The idea that people can see the code and submit patches makes them uneasy. There are also those who can’t get their head around the general ambiguity of open-source, in which the code belongs to no-one and everyone. What they don’t realize is that most open-source projects have a stringent commit process.
The security perception is still a very real problem for the open-source CMS industry, and many feel that security is unattainable.
Over the past couple of years we've been reminded time and time again of how susceptible our communication mediums are to prying eyes. Classic examples of this susceptibility range from the very public disclosure of General Petraeus' affair in 2012, to the release of over 170,000 emails after the Sony compromise in 2014, to the recent Ashley Madison compromise in 2015, in which the CEO's emails were shared publicly.
In each case, the information gleaned from these emails was damaging at best and destructive at worst. What we should take away from it is that how and what we say, even over a channel we perceive to be secure, is not necessarily safe.
Emails are a treasure trove of information, and as such we should all be spending a bit more time thinking of not only what we say, but how we keep what we say safe from prying eyes.
I work in the field of Information Security (InfoSec), specifically website security. With that in mind, it’s but one very small piece of a very large pie. Security is complex, even at the 50,000 foot level; within each specific area of the industry, it can get even more complex. It’s no wonder it can feel overwhelming.
I have to remind myself that Security, regardless of which domain you’re focused on, always comes down to three basic elements working in conjunction with one another:
I spent the better part of the past week in Albuquerque, New Mexico at the National Association of Government Web Professionals (NAGW) conference, a conference designed to bring together web professionals from federal / state / local municipalities in an effort to help organize, educate and otherwise collaborate. It was a great event in helping to understand how municipalities work, but it also helped to reaffirm some of my thoughts around the challenges facing website security across all industries.
Regardless of industry, there are common points shared by each that are overly familiar when speaking to website security:
- Lack of ownership
- Lack of understanding and knowledge
- Lack of appreciation for impact
Website Security Challenges Defined
Interestingly enough, the greatest challenges the website security industry faces have little to do with the technology, the evolution of attacks, hosting environments, development habits, open source, or anything in between. No, the challenges are more at the core of the mindset of the web, not just amongst web users, but among those that are deploying and managing these environments.
For me, it revolves around two very simple, yet deceptively complex, points:
- Education and Awareness.
- Webmasters, or the lack thereof.
The world of hosting is complex, and it's further complicated when you throw security into the mix. A few months back I wrote an article on the delicate line between where the host's security responsibility begins and where yours, as the website owner, is required. That however did not address one key question: which hosting environment is more secure? This is one of the most common questions I get asked.
The response, as you might imagine, is not as simple as the question itself. This question is often clouded by misinformation and bias, and the responses are often grossly inaccurate. I will spend some time thinking through the various points, applying insight where possible, in the hopes of helping you make a more informed decision on the types of hosting environments and which ones make the most sense for you.
Ever since Google announced that they were exploring the idea of using HTTPS as a ranking signal for your SEO, the web has gone nuts for HTTPS. For a number of security professionals it's generated groans and a heightened level of annoyance and consternation at what has become an overabundance of irrational thought, perspective and improper guidance and insight.
To be clear, I’m not against HTTPS. I believe it’s a critical technology that should be employed when needed, but what I dislike greatly is when it’s used in the context of securing your website.
What is HTTPS?
I don't know about you, but as a business owner who offers a service in which clients place their trust in us, there is nothing that worries me more than the idea of getting hacked. Enough so that it keeps me up most nights, though that's likely amplified by the fact that we're a security company.
I know what they say – it’s inevitable and you must be prepared to account for it. While I realize it’s reality, I can’t help but think there are things that we should all be doing as business owners to help minimize the potential of such a hack.
While I often speak to website security, today I want to spend some time talking about things that we can each be doing to improve the security posture for our businesses.
This week was a particularly tough week for those that depend on and promote the use of password managers. Unfortunately, not because of the compromise itself, but because of the loss of faith in such technologies that it undoubtedly introduced into the market. The sad reality is that the only reason it's news is that it was a very popular service, LastPass, and the headline had the words compromise and hack in it.
Yes – LastPass was Compromised
The impacts however are not as severe, all things considered, as it might appear at face value.
Almost five years ago, Joost started the company Yoast, offering website reviews and free plugins. Yoast’s core business was, and is, sharing knowledge and making it easier to create usable websites. Five years later Yoast has turned into one of the biggest WordPress plugin providers with 21 employees (and counting)!
To celebrate reaching five years, awesome growth, and much success, Yoast celebrated with a conference: YoastCon!
The conference was held in de Lindenberg in Nijmegen, with myself, Chris Lema, Marcus Tandler, Karl Gilis, and Joost de Valk speaking, and Marieke van de Rakt, Thijs de Valk, and Taco Verdonschot giving workshops.
The State of WordPress Security
My talk was on the current state of WordPress security. There is no denying that WordPress, powering over 23.5% of the top websites in the world, has become the platform of choice for bloggers and businesses alike.
With this fame however, WordPress has become a target, making it the top targeted platform on the web by malicious actors with ill intent.
This May I was thrilled to travel to Prague, Czech Republic as a keynote speaker for J And Beyond 2015, An International Joomla Conference to deliver the talk The Dynamic and Complicated Online Threats (Challenges Website Owners Face). I was also thrilled to have my company, Sucuri, sponsor the event.
After investing the better part of five years analyzing and assessing the state of security within the realm of websites, I travel the world engaging website owners in an effort to address the security challenges webmasters face today through education and awareness. The website landscape continues to evolve, affecting website owners around the world. We have to take a minute to look at the website landscape, appreciate the nuances that the end-users are struggling with and look forward at what the future holds for us.
The purpose of the talk is a high level orientation of the existing threat landscape affecting all website-owners, especially those leveraging CMS applications like Joomla!
Check out the video of my presentation below:
Website security has become a hotbed over the past few years. More and more companies are joining the game in hopes of capitalizing on what they perceive to be huge opportunities. The one vector that seems to be all the rage is Access Control.
When I talk about access control, I specifically mean the mechanisms in place to restrict access to a resource. Think about how you connect to your website. Are you using WordPress, Joomla, Magento or vBulletin? Maybe it's a custom PHP, HTML, or ASP website?
Regardless of the platform, you have some form of access vector you employ daily.
If you’re a WordPress user, you’re likely leveraging /wp-admin. If you’re on Joomla, you’re using /administrator, and so on and so on — each platform providing its own means for connection. Access vectors don’t stop there. They extend well beyond the application itself. Think about things like File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP) and Secure Shell (SSH). These are transfer protocols that are still part of your website access vectors.
This can be extended further when you think about things like your hosting panels and database login panels, which are additional forms of access vectors. But now we start diving into a very deep rabbit hole.
When I think about blogging, there is perhaps no more important feature or concern than the impact on SEO. It's perhaps one of the biggest concerns many will experience when performing a migration to the Ghost blogging platform.
As you might expect, it's had its ups and downs, much like when I first got started with WordPress. Needless to say, I've been making my way through it over the past few days. I've learned a number of things, and one such thing pertains to permalinks.
I recently wrote of the migration from WordPress to Ghost. In this post I want to share with you the installation workflow I used. I plan to go cradle to grave through the process.
I've tested it a number of times, and it works every time, so even if you're a novice you should be able to get it going. Just follow the steps:
Assumption: You have a clean install of CentOS 7.0. For my scenario I'm using a droplet from Digital Ocean. What's really awesome is that Digital Ocean actually provides a preconfigured Droplet for those that want to leverage Ghost. I believe it's built on Ubuntu. I personally prefer CentOS.
It’s only been recently that I have come to the realization that I fit into the blogger category. In doing so, I have started to place more emphasis on the technologies I’m employing to get my work done.
Ghost: Just a Blogging Platform
For the better part of 5 years I have been an adamant WordPress user. Not sure if you would say I was a power user, but I definitely employed it in my day to day activities, whether at work or at home. In that time frame I have witnessed the evolution of the platform.
If we could only auto-update our applications when vulnerabilities are identified, then we’d surely be safe… that seems to be today’s mindset. To a certain extent, that’s true, but it’s also false.
The idea of auto-updates is not new; it's been around for a while. It's all the rage as of late when we talk about websites. It only makes sense: if you know that the weakest link in the chain is the end user (who for whatever reason is unable to update), then remove the weakest link, and remove the choice.
The Challenges of Auto Updates in Website Security
There are however a few challenges that come to mind when I think about Auto-Updates, specifically how they relate to Website Security:
- Does little against Unknowns
- Introduces an unmanageable access point
- Goes against best practices
- Requires applications to write to themselves
Hosts are concerned with the security of their infrastructure, not with your website.
This is a distinction that most website owners fail to make, and it's made more evident to me every day. This same misunderstanding puts hosts in a precarious situation: on one hand clients expect security, and to some extent get it, but on the other it's not the type that matters, nor will it address today's challenges. This is all compounded by the economics that drive the hosting ecosystem.
I should clarify, however, that this is not a blanket statement about hosts. But for a majority of today's shared hosts that deal specifically with end-user websites, it's very much the case.