Web And Information Security Archives

Analyzing Sucuri’s 2017 Hacked Website Trend Report

Published in Security on April 6, 2018

The Sucuri team just released their first annual security report that looks at telemetry from hacked websites – Hacked Website Report 2017. It uses a representative sample of infected websites from the Sucuri customer base to better understand end-user behavior and bad-actor tactics.

It specifically focuses on 34,371 infected websites, aggregating data from two distinct groups – Remediation and Research Teams. These are the teams that work side-by-side with the owners of infected websites on a daily basis, and are also the same team members that generate a lot of the research shared on the Sucuri Blog.

In this post I will expand on the analysis shared, and add my own observations.

Diving Into the Dark Web and Understanding the Economy Powering Cyber Attacks

Published in Security on March 20, 2018

This morning, Armor, a cloud security provider, released a great report into the cyber crime black market. Armor was formerly known as as FireHost – they were one of the leading hosts boasting security first and have dramatically evolved over the years. This report was put together by the Armor Threat Resistance Unit (TRU), whom extrapolated data from a number of dark web sources; focusing specifically on the fourth Quarter of 2017 (2017/Q4).

The report strives to give us a view into an otherwise elusive world, specifically highlighting the economic foundation of cyber crime. Understanding the criminal economy is critical to understanding the ease of use, motivations and behaviors of bad actors.

Effective security takes more than technology; it requires realtime knowledge of the threat landscape and risks to your data. – The Black Market Report

Phishing and Ransomware Leads Security Concerns for Organizations

Published in Security on August 22, 2017

The SANS Institute recently released their 2017 Threat Landscape Survey: User on the Front Line in which they interviewed 263 IT and security professional on the things that keep them up at night. Survey was conducted in May / June of 2017, it’s no surprise Ransomware was top of mind (e.g., WanaCry and Petya dominated the media). I am constantly amazed at the continued impact of Phishing threats.

This survey helps provide a deeper appreciation for what the security domain is faced with, while also providing insights into what the SMB market should be aware of (but are often not). This specific audience is technically capable, with a vested in interest in security as it’s their job (i.e., security / IT professionals), and it stands in stark contrast to the SMB market.

Google Begins Campaign Warning Forms Not Using HTTPS Protocol

Published in Security on August 17, 2017

August 2014, Google released an article sharing their thoughts on how they planned to focus on their “HTTPS everywhere” campaign (originally initiated at their Google I/O event).

The premise of the idea was that every website, regardless of what it was doing, should be communicating securely between point A and point B. To help motivate users, it went right for the carotid artery by making it a ranking factor in search.

December 2015, Google adjusted their crawlers to start start prioritizing and indexing HTTPS pages by default. If you had HTTP / HTTPS, they would start giving more weight to your HTTPS pages.

Password Management

Published in Security on June 27, 2017

The year is 2017 and we continue to give advice on the process of creating passwords. This must stop. The phrase “These are the tips to creating a secure password” should be stricken from all presentations, articles, tips and side-bar conversations.

Managing passwords has never been more streamlined. Organizations have invested countless hours and resources into building solutions that seamlessly integrate into our habits, and every business owner, and individual, should invest energy into integrating password managers into their overarching security program. So ask yourself, why are you, or your organization, not employing the tools designed to help you from yourself?

We Must Improve the HTTPS Message

Published in Security on December 4, 2016

HTTPS is as important today as it has ever been. If you are transferring sensitive data you should use HTTPS to encrypt data in transit, that is not up for debate. Understand though that it is but one piece of a larger security conversation, and that’s where the message falls flat on it’s face.

I shared my thoughts last year on how HTTPS does not secure websites, and in the time since the message has only grown as to be expected. You’ve seen exponential growth of the LetsEncrypt initiative which we fully support at Sucuri (making us one of the first cloud CDN / Firewall solutions to do so). Additionally, organizations of all sizes have been adamantly pushing the importance of SSL, including both hosting and service providers alike. The WordPress Foundation, the organization spearheading the growth of the WordPress platform (currently at 27% market share of all websites), also recently announced that it would only be promoting hosting companies that offer SSL by default:

Google Introduces new Repeat Offender Blacklist

Published in Security on November 9, 2016

On November 8th, 2016, Google introduced a new feature to Chrome that would blacklist repeat offenders.

Once Safe Browsing has designated a site as a Repeat Offender, the webmaster will be unable to request additional reviews via the Search Console. Repeat Offender status persists for 30 days, after which the webmaster will be able to request a review.

The feature was introduced to address an issue where they noticed a trend where websites would remove infections long enough to have warnings removed, only to return once removed. They go on to say that this won’t affect websites that have been hacked. In other words, it’s built to affect intentional misuse versus unintentional.

Please note that websites that are hacked will not be classified as Repeat Offenders; only sites that purposefully post harmful content will be subject to the policy.

I can’t help but ask myself – how are they going to differentiate between intentional and unintentional misuse?

Defense in Depth And Website Security

Published in Security on October 23, 2016

The concept of Defense in Depth is not new. It’s been leveraged in the InfoSec domain for a long time, and has it’s roots deeply embedded in military strategy and tactics. That however doesn’t mean that even those in the InfoSec domain explain or implement it correctly. To fully appreciate the idea of Defense in Depth you have to subscribe to a very simple idea:

There is no single solution capable of providing 100% protection against any environment.

I recently wrote an article on the Sucuri blog sharing some thoughts on how I feel we should think about the concept, and how we should go about deploying it within our technology stacks and organizations. I expanded my thoughts this past weekend at the BadCamp Hack The Planet summit in Berkeley where I shared some of the challenges we face in the website security domain pertaining to the subject.

The idea of Defense in Depth is simple: employ as many complementary defensive controls as makes sense for you and your organization. The optimal word being “complementary”. It’s based on the idea that every tool has a weakness, so find tools that help address them and that work in unison with one another. This does not mean you deploy every tool available, instead you must strategically map out the threats that you are most concerned with, that pose the biggest impact to your organization, and prioritize your defensive posture.

Today’s threats are evolving at a faster clip than any one solution or team can account for. It’s not a matter of finding the 100% solution, but about deploying the things we need to help reduce the growing risk. This has never been truer than in the website security domain. If employed correctly we should be better prepared to quickly identify issues, mitigate the threats and respond to incidents if so required. Attackers only need to win once. As defenders, we have to win every time.

DrupalCon Europe 2016 – Building a Security Framework for Your Websites

Published in Security on October 4, 2016

Last week I spent a few days in beautiful Dublin, Ireland for DrupalCon Europe 2016. I had the opportunity to present a new presentation in which I try to introduce an approach to building a security framework that anyone can build and deploy.

We live in an age where the threats against our website are real, and their impacts have the potential to be devastating. As open-source CMS applications continue to become a staple in our infrastructure stack, organizations are faced with the challenges of accounting for this new attack vector. With limited resources and knowledge, organization need a streamlined approach to managing their websites. In the talk below I share some thoughts on how to think about security more holistically by thinking through an attackers TTPs and using that to help build a repeatable framework applicable to all website owners, regardless of organization size.

How To Protect Your Business Data

Published in Security on September 17, 2016

It’s impossible to go a week without seeing some reference to a data breach, whether it’s a write up on what happened years ago, or updates on breaches that are still happening. The two breaches I found most interesting where a treasure trove of business data (not credit card data) was exfiltrated, and subsequently released would have to be the 2014 Sony Hack and more recently the Panama Papers hack. With this in mind, there has never been a better time for more discussion around how we think about data protection in our businesses than now.

I am partial to these hacks because as a business owner, especially one in the website security industry, the threat of a compromise is very real. We work under the guise that someone is always watching and the fact that a compromise is inevitable. As such, a lot of what we do is about minimizing the exposure and impact when it happens. There are many ways to do this as well as many areas to focus on, but one particular domain for us is the protection of the data that keeps our company going.

Open-Source CMS Security In The Enterprise

Published in Security on April 20, 2016

Regardless of the size of your organization, the security challenges with open-source Content Management Systems (CMS) security are the same. In the enterprise the issue stems not from the technology or existing processes, but the fact that security is slipping through our fingers. We’ve made it too difficult for our counter parts in marketing and sales, and where there is a problem new solutions step in to solve them. We see this being enabled by the explosion of cloud platforms like Platform as a Service (PaaS), Software as a Service (SaaS) and technologies that easily work in those environments like open-source CMS applications.

As a community we have to do something about this. These activities stem from the perception that IT / Security is always going to say “no” or “make my life too hard” and I can’t help but think there is a better way to handle this. To do this, we have to be prepared to embrace technologies like open-source CMS application and be willing to silence our personal biases towards them (i.e., WordPress is insecure, which is grossly untrue). A good first steps is better understanding how these technologies might fit into existing governance and their associated security policies and tools.

Accounting for Website Security in The Enterprise

Open-source CMS web applications are no different than any other applications enterprise security teams are responsible for. The principles like Defense in Depth still apply, and integrating things like Prevention, Detection and Response solutions are just as critical. The difference being that in the enterprise, these aren’t new concepts, yet when it comes to open-source CMS applications they’re dismissed.

Compromises within the open-source CMS domain are achieved through two key areas: access control and exploitation of software vulnerabilities. Here are a few tips to help enterprises think through the security challenges they face:

Impacts of a Website Compromise

Published in Security on April 15, 2016

The threats of a compromise are real, and are not specific to operating an online store. Attackers find value in a number of things, some of which include your audience and resources. In this webinar I spend some time exploring a number of the impacts we should all be aware of as website owners.

I recently gave a webinar at Sucuri in which I discuss the impacts hacks have on you as website owners. In this session I dive into three core areas:

Psychology of the Attackers.
Things they can do if successful.
Impacts to you as a website owner.

If you are currently infected, or know of someone that is, I encourage you to learn more about Sucuri and how they can help!

Security In Open-Source CMS Applications

Published in Security on February 12, 2016

Open-source CMS applications are no stranger to the battle they face with security. The size of the organizations adopting the platform also has little to do with it – from bloggers to mom and pop shops to Fortune 500 companies; the concern is the same. Can open-source CMS applications be deployed securely within their respective stacks?

There are those that look at open-source and have a general distrust for it. The idea that people can see the code and submit patches makes them uneasy. There are also those who can’t get their head around the general ambiguity of open-source, in which the code belongs to no-one and everyone. What they don’t realize is that most open-source projects have a stringent commit process.

The security perception is still a very real problem for the open-source CMS industry, and many feel it’s unattainble.

Website Security is Not an Absolute

Published in Security on October 31, 2015

I work in the field of Information Security (InfoSec), specifically website security. With that in mind, it’s but one very small piece of a very large pie. Security is complex, even at the 50,000 foot level; within each specific area of the industry, it can get even more complex. It’s no wonder it can feel overwhelming.

I have to remind myself that Security, regardless of which domain you’re focused on, always comes down to three basic elements working in conjunction with one another:

People
Process
Technology

Two Critical Challenges Facing Website Security

Published in Security on September 25, 2015

Spent the better part of the past week in Albuquerque, New Mexico at the National Association of Government Web Professionals (NAGW) conference. A conference designed to bring together web professionals from federal / state / local municipalities in an effort to help organize, educate and otherwise collaborate. It was a great event in helping to understand how municipalities work, but it also helped to reaffirm some of my thoughts around the challenges facing website security across all industries.

Regardless of industry, there are common points shared by each that are overly familiar when speaking to website security:

Lack of ownership
Lack of understanding and knowledge
Lack of appreciation for impact

Website Security Challenges Defined

Interestingly enough, the greatest challenges the website security industry faces has little to do with the technology, evolution in attacks, hosting environments, development habits, open source, or anything in between. No, the challenges are more at the core of the mindset of the web, not just amongst the web users, but those that are deploying and managing these environments.

It revolves around two very simple, yet overly complex points, for me:

Education and Awareness.
Webmasters, or the lack there of.

VPS vs Shared Hosting – Which is more secure?

Published in Security on August 19, 2015

The world of hosting is complex, it’s further complicated when you throw security into the mix. A few months back I wrote an article on the delicate line between where the hosts security responsibility begins, and where yours, as the website owner, is required. That however did not address one key question – Which hosting environment is more secure? This is one of the most common questions I get asked.

The response, as you might imagine, is not as simple as the question itself. This question is often confused with misinformation and bias and the responses are often grossly inaccurate. I will spend some time thinking through the various points, applying insight where possible, in the hopes of helping you making a more informed decision on the type of hosting environments, and which ones make the most sense for you.

The Dynamic and Complicated Online Threats

Published in Security on June 1, 2015

This May I was thrilled to travel to Prague, Czech Republic as a keynote speaker for J And Beyond 2015, An International Joomla Conference to deliver the talk The Dynamic and Complicated Online Threats (Challenges Website Owners Face). I was also thrilled to have my company, Sucuri, sponsor the event.

After investing the better part of five years analyzing and assessing the state of security within the realm of websites, I travel the world engaging website owners in an effort to address the security challenges webmasters face today through education and awareness. The website landscape continues to evolve, affecting website owners around the world. We have to take a minute to look at the website landscape, appreciate the nuances that the end-users are struggling with and look forward at what the future holds for us.

The purpose of the talk is a high level orientation of the existing threat landscape affecting all website-owners, especially those leveraging CMS applications like Joomla!

Check out the video of my presentation below:

Website Access Control and Security

Published in Security on January 23, 2015

Website security has become a hot bed over the past few years. More and more companies are joining the game in hopes of capitalizing on what they perceive to be huge opportunities. The one vector that seems to be all the rave is Access Control.

When I talk to access control, I specifically talk to mechanisms in place to restrict access to a resource. Think how you connect to your website. Are you using WordPress, Joomla, Magento or some vBulletin? Maybe it’s a custom PHP, HTML, ASP website?

Regardless of the platform, you have some form of access vector you employ daily.

If you’re a WordPress user, you’re likely leveraging /wp-admin. If you’re on Joomla, you’re using /administrator, and so on and so on — each platform providing its own means for connection. Access vectors don’t stop there. They extend well beyond the application itself. Think about things like File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP) and Secure Shell (SSH). These are transfer protocols that are still part of your website access vectors.

This can be extended further when you think about things like your hosting panels and database log in panels, additional forms of access vectors. But now we start diving into a very deep rabbit hole.

Website Security and Auto-Updates

Published in Security on November 27, 2014

If we could only auto-update our applications when vulnerabilities are identified, then we’d surely be safe… that seems to be today’s mindset. To a certain extent, that’s true, but it’s also false.

The idea of auto-updates is not new, it’s been around for a while. It’s all the rave as of late when we talk about websites. It only makes sense, if you know that the weakest link in the chain is the end-user (whom for whatever reason is unable to update) then remove the weakest link, and remove the choice.

The Challenges of Auto Updates in Website Security

There are however a few challenges that come to mind when I think about Auto-Updates, specifically how they relate to Website Security:

Does little against Unknowns
Introduces an unmanageable access point
Goes against best practices
Requires applications to write to itself

How Hosts Manage Your Website Security

Published in Security on November 7, 2014

Hosts are concerned with the security of their infrastructure, not with your website.

This is a distinction that most website owners fail to make, and it’s made more evident to me every day. This same misunderstanding however puts hosts in a precarious situation where clients expect security, and to some extent get it, but on the other it’s not the type that matters nor will it address today’s challenges. This is all compounded by the economics that drives the hosting ecosystem.

I should probably clarify however that this is probably not a blanket statement for hosts. But for a majority of today’s Shared hosts that deal specifically with end-user websites, it’s very much the case.