SCORE Website Cybersecurity Presentation

DASHBOARD INTERACTIVE

• Digital Marketing Firm that emphasizes Website Security

• Founded in January of 2006

• 13 Team Members

• Work with Small and Medium Sized Businesses and Agencies

• Google Certified Partner

• Focus: Digital Marketing, Website Development, Website Cybersecurity, Google Penalty Removal

WHAT MAKES DASHBOARD UNIQUE

[Diagram: overlapping areas labelled Website Expertise, Certified Cybersecurity Expertise and Certified Google Expertise]

Dashboard Interactive is one of a handful of Agencies in the U.S. that has Certified Cybersecurity, Google and Website Expertise.

DID YOU KNOW THAT…

• 32,000 Websites are Hacked Every Day

• As of July 1, 2018, Google deemed 821,549 websites as dangerous due to Phishing

• As of July 1, 2018, Google deemed 284,375 websites as dangerous due to Malware

• That there are only 500 Fortune 500 companies and only 1,000 Fortune 1,000 companies…

– That leaves a lot of Small and Medium Sized Businesses with Websites that Have Security Issues

• And in many cases, the business owner, website developer and hosting provider are unaware that a problem exists.

INFECTED WEBSITE PLATFORM

QUESTIONS OF THE DAY

• If your website was down, how might that impact your business?

• If your website was down, and your competitors' websites were up, might you be at a competitive disadvantage?

• And what if your website is down, and your competitors' websites are up, when potential customers were about to make a buying decision?

– Would your company be viewed favorably?

POTENTIAL ADDITIONAL RAMIFICATIONS OF A HACK

• Significant Unexpected Costs to cover the Resolution of the Hack

• Need to Reallocate financial resources to cover the costs of Cleanup

• Impact on the ability to pay some existing outstanding commitments on time

– Sometimes companies obtain credit to help cover costs

• If it's an eCommerce site, or a site that heavily relies on Google to generate sales leads, revenue generation is severely impacted.

• Lawsuits

• Reputation suffers

• Occasional Bankruptcy

CASE STUDY – MANUFACTURING CO.

• Platform: WordPress

• Problems:

– Outdated theme

– Installed PHP version did not match the PHP version required by the current WordPress platform

– Security plugin not compatible with the Canvas theme that was in use

– Plugins not updated in over a year

– No manual monitoring of the code or the server system

– No human level inspection

– Server config from 2008 was adapted, then a new server update occurred and the aged Windows system was not updated (not keeping up with server technology)

– Older Windows server configuration

– Shared Server – not secured

– Misconfigured SSL – cheap 3rd party SSL certificate

– Server was the target. All sites on the server were most likely impacted

• Website was about to get flagged – the company didn't take it seriously. Google then flagged the website.

• Challenges: Hosting provider, Developer, Company relationship with IT

What you need to know

WEBSITE CYBERSECURITY

• Cybersecurity in the News

• The Facts

CYBERSECURITY IN THE NEWS…

Unpatched WordPress Flaw Gives Attackers Full Control Over Your Site

Discovered by researchers at RIPS Technologies GmbH, the "authenticated arbitrary file deletion" vulnerability was reported 7 months ago to the WordPress security team but remains unpatched and affects all versions of WordPress, including the current 4.9.6.

Ticketmaster Suffers Security Breach – Personal and Payment Data Stolen

Global entertainment ticketing service Ticketmaster has admitted that the company has suffered a security breach.

Gandcrab Ransomware Exploits Website Vulnerabilities

Researchers find campaigns distributing Gandcrab by hosting malware on legitimate websites with poor security measures.

Attacker Dwell Time Still Too Long, Research Shows

New DBIR and M-Trends reports show the window between compromise and discovery is still way too long.

2.6 Billion-Plus Data Records Breached Last Year

Most exposed data records caused by human error.

Google 'Distrust Dates' Are Coming Fast

All the tools are in place for the migration of SSL digital certificates on a scale that is unprecedented for the certificate authority industry. Are you ready?

Number of Sites Hosting Cryptocurrency Miners Surges 725% in 4 Months

The dramatic increase in cryptocurrency prices, especially for Monero, is behind the sudden explosive growth, says Cyren.

Millions of Office 365 Accounts Hit with Password Stealers

Phishing emails disguised as tax-related alerts aim to trick users into handing attackers their usernames and passwords.

CYBERSECURITY IN THE NEWS…

Facebook Suspends 200 Apps

Thousands of apps have been investigated as Facebook determines which had access to large amounts of user data before its 2014 policy changes.

When Russian hackers targeted the U.S. election infrastructure (60 Minutes)

Russian operatives launched a widespread cyberattack against state voting systems during the 2016 presidential election.

Sears & Delta Airlines Are Latest Victims of Third-Party Security Breach

An insecure ecosystem of third parties connected to an enterprise network poses a growing risk, security analysts say.

Best Buy says some customers could be affected by data breach of third-party vendor

Sears and Delta also said the vendor, [24]7.ai, might have exposed their customers' data.

Criminals Targeting Magento Sites with Brute-Force Password Attacks

Flashpoint says it is aware of at least 1,000 sites using Magento's e-commerce platform that have been recently compromised.

Panera Bread Leaves Millions of Customer Records Exposed Online

Personal information exposed in plain text for months on Panerabread.com, and the company's response failed to rise to the challenge.

Hudson's Bay Brands Hacked, 5 Million Credit Card Accounts Stolen

The infamous Carbanak/FIN7 cybercrime syndicate breached Saks and Lord & Taylor and is now selling some of the stolen credit card accounts on the Dark Web.

CYBERSECURITY IN THE NEWS…

Under Armour App Breach Exposes 150 Million Records

A breach in a database for MyFitnessPal exposes information on 150 million users.

Baltimore Hit with Hack on 911 System

An attack took down part of Baltimore's 911 system for 17 hours over the weekend, and details are still in short supply.

City of Atlanta Hit with Ransomware Attack

FBI investigating computer outages in the city's network possibly tied to a Samsam-type ransomware variant. Atlanta hit with cyberattack demanding ransom for access to files.

Cybercriminals Launder Up to $200B in Profit Per Year

Cybercrime funds make up 8-10% of all illegal profits laundered and amount to $80-200 billion each year.

Trump Administration Slaps Sanctions on Russian Hackers, Operatives

A two-pronged and mostly symbolic strategy names and shames Russia for US election-tampering and hacking of critical infrastructure.

77% of Businesses Lack Proper Incident Response Plans

New research shows security leaders have false confidence in their ability to respond to security incidents.

Equifax Finds 2.4 Million Additional US Victims of its Data Breach

Total of victims now at 147.9 million customers.

CYBERSECURITY FACTS

• Hackers Attack Every 39 Seconds http://www.securitymagazine.com/articles/87787-hackers-attack-every-39-seconds

• More than 70% of attacks target small businesses. https://www.inc.com/thomas-koulopoulos/the-biggest-risk-to-your-business-cant-be-eliminated-heres-how-you-can-survive-i.html

• 64% of companies have experienced web-based attacks. 62% experienced phishing & social engineering attacks. 59% of companies experienced malicious code and botnets and 51% experienced denial of service attacks. https://nudatasecurity.com/blog/scary-cyber-halloween/

• More than 4,000 ransomware attacks have occurred every day since the beginning of 2016 https://blog.barkly.com/cyber-security-statistics-2017

…MORE CYBERSECURITY FACTS

• The median number of days that attackers stay dormant within a network before detection is over 200 https://swimlane.com/10-hard-hitting-cyber-security-statistics/

• Average time to detect a malicious or criminal attack by a global study sample of organizations was 170 days https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/

• Unfilled cybersecurity jobs will reach 1.5 million by 2019 http://www.streetinsider.com/Press+Releases/Cybersecurity+Jobs+Report%3A+Workforce+Shortage+to+Reach+1.5+million+by+2019/11145582.html

• Only 38 percent of global organizations claim they are prepared to handle a sophisticated cyberattack https://swimlane.com/10-hard-hitting-cyber-security-statistics/

The Realities

WEBSITE CYBERSECURITY

• The mind of the Hacker

• Ease of hacking a website

WHY HACKERS DO WHAT THEY DO…

• Money: Hackers sell confidential contact information, email addresses, access to payment portals, etc.

• Looking for a Challenge: Hackers practice their craft. Once Hackers attain a certain level of proficiency, they go after bigger fish, but they practice on smaller targets first.

• To Paralyze Geographic Areas: The purpose here is to strike fear or panic in the public. Many ransomware attacks are targeted at medical, financial, and utility organizations in order to have the largest impact with the least amount of effort.

• Power and Control: Hold websites hostage in exchange for payment. Shut down services and data access, such as the WannaCry ransomware attack on Microsoft Windows systems in 2017. This ransomware attack showed that even the most powerful server systems can be breached.

A FEW WAYS HACKERS ACCESS WEBSITES

How this impacts your business

WEBSITE CYBERSECURITY

• Is Your Website a Target?

• What can be done to minimize the risk

• Website Security Audit

• Words of Wisdom

ARE YOU A TARGET? YOU MAY BE IF…

• Your website is used for customer data management or connects to a subdomain that houses confidential and sensitive information (employment, financial, and medical records)

• Your server system has not been updated or upgraded in the last 3 years. This gives the hackers a practice platform to prepare for breaching an updated system

• You use a large number of plugins in your WordPress site. Lack of third-party updates or support can make them vulnerable to attack.

• Your SSL certificate has expired, or a non-compliant version was installed. Google, Microsoft, and Yahoo have all blacklisted certain types of SSL certificates due to their inability to keep out modern, known bugs.

OR IF…

• Your website is being hosted by a small or medium sized hosting provider with minimal cybersecurity expertise

• Your website analytics reveal unusual spikes in website traffic

• Your website has not had regular maintenance for the last three years

– Your support agreement does not cover website security

• Your website is on a Shared Server or NGINX Server with outdated PHP

A FEW STEPS YOU CAN TAKE TO PROTECT YOUR

SITE AND YOUR BUSINESS

• Update Your Plugins: Check to see if you have compromised or hacked plugins, or plugins that are not compatible with the theme code.

• Check to see if you have Bad Website Themes. This is dynamic, as theme developers work to stay a step ahead. A theme can go from stable, to vulnerable, to stable again within a month once a breach has occurred.

• Check to see if your current Server type is highly susceptible to security breaches. This is dynamic as well, since large numbers of third-party resellers fail to take action when the server provider updates or hardens their systems.

Microsoft itself failed to maintain hardening at a fast enough pace and thus is the source of the WannaCry Ransomware attack. Once Microsoft applied the patch at their level, many of the smaller, third party hosting resellers failed to follow suit immediately, leaving their clients susceptible and breached.

CONTINUED…

• Check to see if your SSL certificate is over 3 years old and on autorenewal. (Please note that your SSL certificate is valid for a 3-year timeframe max, as the security environment needs to be reevaluated.)

• Ensure that your website is on a Dedicated Server, or has a Dedicated IP on a server that supports HSTS. The server has to support the SHA-2 encryption level with a properly configured SSL certificate.

• Ensure that the HTML language declaration in the header of the website is set properly

• Obtain a Website Security Audit from non-biased, third-party website cybersecurity professionals

WEBSITE CYBERSECURITY AUDIT

It's important to know if your site is clean.

– If not, your business could be in for trouble down the road, and a plan needs to be developed to resolve the issues now.

– If so, there is the associated peace of mind to focus on other areas.

Dashboard Interactive offers Website Security Assessments, and we look at the following components and more.

– CSS

– JavaScript

– HTML

– PHP

– Server Configuration

– Shared Server Risks

– SSL Certificates

– Malicious Code

– Plug-Ins

– Modules

– Theme Files

– Images

– Links

– Website Redirects

Obtain a Third Party Website Security Audit from a Trained Website Cybersecurity Expert

SECURE WEBSITE BUILDING BLOCKS

Personnel

Analytics Support

24 Hour Monitoring

Quality SSL

Top Notch Website Development Support

Quality Hosting Provider

Clean Website

WORDS OF WISDOM

Understand that your Website Developer is most likely NOT a Website Cybersecurity Expert.

Sucuri Hacked Website Report 2017: "The one constant you'll find in this report is the issues pertaining to poorly trained website administrators (i.e., webmasters) and their effect on websites."

Understand that most Small and Medium Sized Hosting Providers have very limited website cybersecurity expertise.

Understand that Your IT Provider may have limited website cybersecurity expertise. They often partner with cybersecurity firms.

Each is skilled at what they do, but when it comes to a cyber attack on your website, you need website cybersecurity expertise.

We occasionally find breaches that some of the website cybersecurity software companies are unaware of and notify them of the issues.

NEVER BRING A KNIFE TO A GUNFIGHT…

This happens when you rely on developers, designers and other non-certified resources for cybersecurity expertise.

If your site has been hacked, revenue, reputation, etc. are at stake…

What’s Google got to do with it…

WEBSITE CYBERSECURITY

• Google

WHAT’S GOOGLE GOT TO DO WITH IT?

• Google’s goal is to provide website searchers with the best possible search experience.

• Google owns the highway and they make the rules. They can flag your site as hacked or remove it from the Google index.

WHAT DOES GOOGLE SHOW…

GOOGLE WARNING EXAMPLES

SALES PROCESS

SALES PROCESS WITH HACK IDENTIFIED

Real World Examples

WEBSITE CYBERSECURITY

• Case Studies

CASE STUDY – CLOUD SOFTWARE CO.

• Platform: Concrete 5

• Problems:

– Outdated PHP

– Copied and pasted open source 3rd party code found on Github

– Outdated server configuration

– Modules required by the web platform that are not in use or updated

– Lack of manual monitoring

– Unsecured open port on the Server

– Server was out of date

– Poor hosting provider

• Hacked via a remote server using a mobile Apple device

• Fix – Completed the cleanup and provided clean files. Rebuilt the website database. Prepared for their IT department to complete

• Challenges – Inexperienced Developer, Company IT personnel

CASE STUDY – HOME SERVICES CO.

• Platform: WordPress

• Identified the breach via consistent analysis of the client's Digital Marketing strategy and performance

• Problems:

– Outdated host level PHP on the server - Host Gator

– Different versions of PHP

– Link pointing to a malicious website

– Blog post with questionable link

– Incompatible plugin

– Zero day

• Fix: Cleanup, New Host, Site Rebuild. Updated Secure Server. Update of Foundational Code, Rebuild, Replace Abandoned Plugins, added 24 Hour Monitoring

• Challenge – Hacker kept coming in after we were cleaning and re-adding files

CASE STUDY – MARINE PARTS MFG. CO.

• Platform: X-Cart 1.4

• Identified Website Server vulnerabilities in February of 2017. Fixes delayed due to the developer's lack of cybersecurity knowledge. Hack occurred in October of 2017 via outdated server. Google penalty removed Google Shopping ads from Google and flagged the site as dangerous. Site removed from search console.

• Problems:

– Outdated host level PHP on the server

– Different versions of PHP

– Heartbleed Bug

– Improperly Configured SSL with Incomplete Validation

– Hosting Provider

– Cookies Stolen Through Shopping Cart (identifying information about the user – identity theft)

– Project delayed due to developer experience and relationship with the client (opinion over fact)

• Fix: New Host, Site Rebuild in current PHP, Updated Secure Server. Update of Foundational Code, Building Code by Hand, added 24 Hour Monitoring

• Challenge – Website Developer and Hosting Provider. Time to Launch

CASE STUDY – STAFFING FIRM

• Platform: Drupal and (2) Portals

• Contacted to provide a third party opinion regarding the security of the primary website as it incorporated two 3rd Party portals. Client not confident in the security expertise of the Portal providers. Looking for an independent source to investigate and oversee web related security initiatives. Websites developed by large website development firm.

• Problems:

– Every employee had access to sensitive client data

– 2 different injection types with 1 and 6 locations in the site respectively

– 9 PUT files (from remote servers), and 1 possible XML Injection

– Identified a huge vulnerability called BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext)

– 21 instances of Cross-Site Request Forgery (CSRF, or XSRF) - a vulnerability wherein an attacker tricks a victim into making a request the victim did not intend to make. Therefore, with CSRF, an attacker abuses the trust a web application has with a victim's browser

– Unstable website theme, at least partially, in the site

• Fix: Detail Website and Portal Security Audit

• Challenge – Website Developer and Portal Developer

CASE STUDY – HEALTHCARE CONSULTING

• Platform: WordPress

• Identified the breach via Dashboard onboarding process for new website design and development client

• Problems:

– 2 SSL Certificates installed on the site

– Wrong SSL certificate installed on the wrong site, improperly configured

– Old Open Source Code from 2014

– Site was not Maintained

– Host provided an unsecured cPanel

– Poor server management

• Fix: Expedite New Site Development and Build Temporary Mini Site

• Challenge – Time to Launch

Q&A

IN SUMMARY

• The Threat of a Website Cyberattack is real – 70% of cyberattacks target small businesses.

• Experienced hackers are good at what they do and there are more Hackers than Cybersecurity Experts. They are also Highly Motivated.

• Most Website Developers, SMB Hosting Providers and some IT professionals have little or very limited expertise in Website Security.

• Google is in control of the Internet and they want Google searches to have a positive experience. They will flag or deindex a website if they deem it to be a threat.

• Take the steps needed to minimize the likelihood of a breach or a reinfection, if the site has been breached.

• Consider obtaining a Website Security audit from an experienced Website Security expert. If your site has been breached, it's important to know and address it. If the site is clean, you have peace of mind.

THANK YOU

Duane Coleman

Dashboard Interactive

763-242-2454

duane@dashboardinteractive.com

www.dashboardinteractive.com

• Like Dashboard Interactive on Facebook

• Like Dashboard Interactive on LinkedIn

• Send me a LinkedIn invite