A Practical Security Framework for Website Owners

Page 1

Page 2

Tony Perez (perezbox)

VP of Product Management, GoDaddy Security Business

Sucuri Co-Founder

Page 3

US Department of Homeland Security

GRIZZLY STEPPE

2016 Joint Analysis Report (JAR)

Page 4

Delivery Mechanisms

Summer of 2015: Website

Spring of 2016: Email

Page 5

Attackers in both scenarios knew…

• They could use websites as an attack vector via a technique known as a watering-hole attack.

• They could depend on our curiosity as humans to click on something (links are meant to be clicked, attachments opened).

Page 6

There is an exponential growth event expected in the world of websites, facilitated by the emphasis platforms place on making the process of getting online even simpler.

Page 7

Process simplification makes getting online easier, but lowers the technical aptitude of the people doing it. The lower the technical aptitude, the more security issues we can expect.

Page 8

“Give a person a tool, secure them today; teach a person to think, secure them tomorrow.”

Page 9

Page 10

Website owners

Page 11

SALES

MARKETING

PRODUCT

SECURITY

Page 12

Page 13

We must look at not introducing a new security approach, but rather improving our approach.

Page 14

“Attackers are successful not because we’re technically incapable, but because we are behaviorally weak.”

Page 15

A Layered Approach to Security

Page 16

Defense in Depth

Page 17

“Defense in Depth subscribes to the ideology that there is no single solution that ensures 100% protection.”

Page 18

The layout and design of Beaumaris Castle, 1295. Early employment of a Defense in Depth strategy.

Figure: Beaumaris Castle Map

Page 19

Page 20

Page 21

Access Control

We like to use a Blacklist approach because we believe it to be more convenient.

Diagram: All IPs → Adding Deny Rules for latest batch of Bad IPs → Bad IP Blacklisted

Page 22

Access Control

Alternatively, we employ a Whitelist approach. Instead of focusing on all the bad, we focus on the good.

Diagram: All IPs → Verified IPs / Non-Whitelisted IPs
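The two access control models on pages 21 and 22, side by side, as an added Python example that is not part of the deck. The address ranges are constructed from documentation prefixes, and `add_deny_rules` is a hypothetical helper standing in for the "Adding Deny Rules for latest batch of Bad IPs" step; the point it makes is that an address not yet on the deny list passes the blacklist but is still stopped by the whitelist.

```python
import ipaddress

# Constructed sample rule sets (RFC 5737 / RFC 3849 documentation ranges);
# these are assumptions for the example, not addresses from the deck.
DENY_LIST = [ipaddress.ip_network("203.0.113.0/24")]      # known bad IPs
ALLOW_LIST = [ipaddress.ip_network("192.0.2.0/24"),       # verified IPs
              ipaddress.ip_network("2001:db8:1::/48")]


def _parse(ip):
    """Return an address object, or None when the input is not a valid IP."""
    try:
        return ipaddress.ip_address(str(ip).strip())
    except ValueError:
        return None


def _in_any(addr, networks):
    # ip_network.__contains__ returns False for a mismatched IP version.
    return any(addr in net for net in networks)


def blacklist_allows(ip, deny_list=DENY_LIST):
    """Default-allow: everything passes unless it matches a known-bad rule.
    Malformed input is rejected so the check fails closed, not open."""
    addr = _parse(ip)
    return addr is not None and not _in_any(addr, deny_list)


def whitelist_allows(ip, allow_list=ALLOW_LIST):
    """Default-deny: only addresses inside a verified range are admitted."""
    addr = _parse(ip)
    return addr is not None and _in_any(addr, allow_list)


def add_deny_rules(batch, deny_list=DENY_LIST):
    """Hypothetical helper: append the latest batch of bad networks to the
    deny list and return its new size. Until this runs, the blacklist model
    has no knowledge of those addresses."""
    for entry in batch:
        deny_list.append(ipaddress.ip_network(entry, strict=False))
    return len(deny_list)


def compare(ips):
    """Evaluate each source address under both models for side-by-side review."""
    return {ip: {"blacklist": blacklist_allows(ip),
                 "whitelist": whitelist_allows(ip)} for ip in ips}
```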

Page 23

Understanding Threats

Page 24

Cyber Criminal Trifecta

• Highly motivated.

• Technology that exponentially improves their success rate.

• A criminal supply chain where information can be shared, exchanged and sold amongst themselves.

Page 25

Top 5 Threats

• Weak Credentials

• Software Vulnerability

• Poorly Configured Environment

• Third-Party Integrations

• Site Availability

Page 26

Weak Credentials

• Creatures of habit.

• Same credentials across all systems.

• Don’t update their passwords.

• Never think it’ll happen to them.

• Think of themselves as being unique.

Page 27

Software Vulnerability

• Do not update.

• Not capable of keeping up with all the attack vectors.

• Do not maintain or administer their web environments.

• Resources are limited.

Page 28

Poorly Configured Environment

• Manage soup kitchen servers.

• Do not employ functional isolation.

• Do not leverage least privilege principles.

• Employ configurations that are most convenient for themselves.

Page 29

Third-Party Integrations

Page 30

Site Availability

Page 31

“Today’s attacks are automated and target low-hanging fruit. Don’t be low-hanging fruit.”

Page 32

Page 33

A Practical Approach to Security

Instead of focusing on every possible scenario, we focus on the ones that are most important to us as an organization.

Page 34

IF EVERYTHING IS IMPORTANT,

Page 35

Checklist Mentality

Page 36

Never use a Checklist Mentality. It’s not about doing x, y, and z.

Page 37

Risk Management

It’s about risk reduction, not risk elimination.

Page 38

Three Risk Considerations

• We must Clearly Define Scope

• Risk will NEVER be Zero

• Risk is a Continuous Process

Page 39

Risk Management

Page 40

5 Risk Mitigation Options:

Option: Association

Risk Avoidance: Website owner decides that the risk of storing credit cards is too high and discontinues storing card information locally. Avoids risk.

Risk Remediation: Website owner deploys security controls to mitigate risks; deploys a firewall to combat exploit attempts, patches out-of-date software, etc. Remediates risk.

Risk Transference: Website owner chooses a third party to collect and process credit card information. Transfers risk to the third party.

Risk Acceptance: Website owner acknowledges a vulnerability exists, but it’s low severity and only exploitable if the user is an admin. Decides to accept risk.

Page 41

A Risk Thought Exercise

Brochure Site

• Ensuring they protect their brand is important.

• Probably don’t want to get blacklisted by Google if SEO is the game.

• Availability is probably very important.

Social Platform

• Ensuring a safe experience for your users is high on the list of requirements.

• Want to ensure their user information is safe.

• Encryption at rest and in transit are very important.

Health Application

• Safe keeping of health information is high on the list.

• Regulations like HIPAA are of the utmost importance.

• Encryption at rest and in transit are very important.

Ecommerce

• Safe keeping of the payment flow and payment data is very important.

• Safe keeping of the customer data is high on the list of requirements.

• Your site being available is probably pretty important.

• Regulations like PCI are of utmost importance.

Page 42

Page 43

IDENTIFY

Category: Asset Inventory & Management

Subcategory:

• Web Properties

• Web servers / infrastructure

• Modules / extensions

• Third-party integration / services

• Access points / nodes

Page 44

PROTECT

Category: Protective Technologies

Subcategory:

• Cloud-based Firewall

• Application-level Firewall

• Server / Application Hardening

Page 45

DETECT

Category: Continuous Monitoring

Subcategory:

• Server level monitoring

• Application level monitoring

• User access monitoring

• Change and integrity monitoring

Page 46

RESPOND

Category: Analysis & Mitigation

Subcategory:

• Deploy an incident response team

• Develop an incident response report

• Mitigate effects of an event

Page 47

RECOVER

Category: Recovery Planning

Subcategory:

• Review the output of all phases, document, and deploy updates to the processes.

• Team review of all findings.

Page 48

Page 49

Page 50

A Framework for Websites, built on NIST

Page 51

Leverage a Sensible Framework

Create an Inventory of Your Assets

Implement Security Controls

Revisit the Process Repeatedly

Actively Administer and Manage

Page 52

Security is a Continuous Process

Page 53

Thank You! I’d be happy to take your questions.