Open Source Powered Websites: Protect Your Enterprise and Yourself - Chris Davis, Firehost

Description: Open Source Powered Websites: Protect Your Enterprise and Yourself - Chris Davis, Founder & CEO, Firehost

Page 1: Open Source Powered Websites: Protect Your Enterprise and Yourself - Chris Davis, Firehost

Open Source Websites : Protection

Chris Davis, Director of Security and Compliance

Page 2

Open Source Powered Websites

Protect Your Enterprise and Yourself

Page 3

DISCLAIMER

This is not a Sales Pitch

• Learn from our findings and apply them to your environment

• This is a very serious problem and it's only getting worse

Page 4

HOW BAD IS IT?

• 82% of websites have at least one security issue (WhiteHat Security, 2008)

• 63% have issues of high, critical or urgent severity (WhiteHat Security, 2008)

• 70% of the top 100 most popular websites either hosted malicious content or contained a masked redirect to malicious sites (Websense, 2009)

Page 5

WEB APPLICATIONS – THE LARGEST THREAT

Verizon / United States Secret Service Data Breach Investigations Report, 2010

• 54% of attacks are on the web application layer

• Web application attacks accounted for 92% of the records compromised

Page 6

OPEN SOURCE ON THE RISE

Page 7

THE GAME HAS CHANGED

Rise in Application Level Attacks (Ports 80 and 443 – Unblocked by Firewalls):

• Web, HTTPS (SSL) & XML Vulnerabilities
• SQL Injection
• Session Hijacking
• Cross Site Scripting (XSS)
• Form Field Tampering
• Known Worms
• Zero Day Web Worms
• Buffer Overflow
• Cookie Poisoning
• Denial of Service
• Web Server & Operating System Attacks
• Directory Traversal
• Anonymous Proxy
• Open Source Vulnerabilities
• OS Command Injection
• Cross-Site Request Forgery
• Google Hacking
• Remote File Inclusion
• Illegal Encoding
• Malicious Robots
• Parameter Tampering
• Brute Force Login
• Malicious Encoding
• Site Recon
• Credit Card Exposure
• Patient Data Disclosure
• Phishing
• Data Destruction
• US SSN Leakage

Strict Compliance Requirements (U.S. and Abroad):

• U.S. Department of Health & Human Services, Policy for Responding to Breaches of Personally Identifiable Information (PII), HHS-OCIO-2008-0001.002 – April 15, 2008

Page 8

HACKER PROFILES (Two Types)

• The Egomaniac

• The Criminal


Page 10

NATHAN SMITH: Static & CMS-Powered Website Hacked on Cloud Hosting

• Textpattern CMS

• Co-wrote a book on Textpattern = no rookie

• SEO bots = "spammy" links

• Users saw a normal page, but it carried a display:none list of links
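The injection in this case is invisible in the browser but trivial to find in the markup: anchors sitting inside an element styled display:none or visibility:hidden, pointing off-site. The scanner below is an added example written for this page, not code from the presentation or from Textpattern. The sample HTML is constructed, and the site host name passed to scan_page is an assumed parameter.

```python
"""Detect hidden SEO link injection (a display:none list of links) in a
CMS-rendered page.

Added example for this deck, not code from the presentation or from
Textpattern. SAMPLE_HTML is constructed; the site host is an assumed input.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that keep an element in the DOM but out of view.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class HiddenLinkScanner(HTMLParser):
    """Collect hrefs, split by whether the anchor sits inside a hidden element."""

    def __init__(self):
        super().__init__()
        self._stack = []          # (tag, hides) for currently open elements
        self._hidden_depth = 0    # > 0 while inside at least one hidden element
        self.hidden_links = []
        self.visible_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hides = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        href = attrs.get("href")
        if tag == "a" and href:
            bucket = self.hidden_links if (self._hidden_depth or hides) else self.visible_links
            bucket.append(href)
        if tag in VOID_TAGS:
            return                # never opened, so never closed
        self._stack.append((tag, hides))
        if hides:
            self._hidden_depth += 1

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <x/> opens and closes at once
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if not any(t == tag for t, _ in self._stack):
            return                # stray close tag: ignore rather than unwind
        while self._stack:
            t, hides = self._stack.pop()
            if hides:
                self._hidden_depth -= 1
            if t == tag:
                break


def scan_page(html, site_host, threshold=3):
    """Return hidden/visible links plus a verdict on hidden links to other hosts."""
    parser = HiddenLinkScanner()
    parser.feed(html)
    parser.close()
    external_hidden = [h for h in parser.hidden_links
                       if urlparse(h).netloc
                       and urlparse(h).netloc.lower() != site_host.lower()]
    return {
        "hidden_links": parser.hidden_links,
        "visible_links": parser.visible_links,
        "external_hidden": external_hidden,
        # Several off-site links that no visitor can see is the injection signature.
        "suspicious": len(external_hidden) >= threshold,
    }


# Constructed page: normal navigation plus an injected hidden block.
SAMPLE_HTML = """<html><body>
<div id="nav"><a href="/">Home</a> <a href="/about">About</a></div>
<p>Welcome. <br> Nothing unusual to see here.</p>
<div style="display:none">
  <ul>
    <li><a href="http://cheap-pills.example/">cheap pills</a></li>
    <li><a href="http://casino-win.example/">online casino</a></li>
    <li><a href="http://payday.example/loans">payday loans</a></li>
    <li><a href="http://replica.example/watches">replica watches</a></li>
    <li><a href="http://rank-me.example/">seo</a></li>
  </ul>
</div>
<a href="http://partner.example/" style="visibility: hidden">hidden single link</a>
<footer><a href="http://twitter.com/site">Twitter</a></footer>
</body></html>"""

if __name__ == "__main__":
    result = scan_page(SAMPLE_HTML, "www.example.com")
    print(f"hidden links: {len(result['hidden_links'])}, visible: {len(result['visible_links'])}")
    for href in result["external_hidden"]:
        print("  hidden off-site link:", href)
    print("suspicious:", result["suspicious"])
```

Run it against the HTML the server actually sends (curl, not the browser's view-source, which may reflect a cached or logged-in rendering), and diff the hidden-link list over time: a site that normally has zero hidden off-site anchors and suddenly has five has been injected, whatever the CMS dashboard says.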


Page 12

KARL SWEDBERG: WordPress Hacked

• WordPress CMS, hacked

• During the migration we gained access to over 1000 websites

• Yes… we had Karl report the hack


Page 14

SECURITY IS ABOUT THE ECOSYSTEM

Layers:

• Network – Routers / Firewalls
• Operating Systems – Windows / Linux / OS X
• Applications – Open Source / Commercial
• Database – Oracle / MySQL / MS SQL
• Web Server – Apache / Microsoft IIS
• 3rd Party Web Applications – Open Source / Commercial
• Custom Web Applications – PHP / ASP.NET / Java
• Physical / Virtual Access / Social Engineering

Responsibility and Solution:

• Managed Hosting – Firewall, Virus Protection, Patches, IDS, etc.
• Yours or FireHost – App Level or WAF

Page 15

HUMANS: The Biggest Security Vulnerability

Page 16

WHAT CAN YOU DO?

Be Smart About It

• Security isn't convenient

• Choose only leading CMS platforms

• Stay up-to-date with core updates

• There are decent security plug-ins out there

• Use a secure hosting provider

Page 17

THE REALITIES OF MODULES/PLUGINS

Keep Them Under Control

Page 18

LOVE YOUR MODULES

Website Enhancements

• Only download from trusted sources

• Check the bug reports

• Only activate one at a time

• Three dirty letters – DEV (don't run development releases in production)

• Don't install a module unless it supports your core version or higher

• Search "x hacked" first and read the results

Page 19

YOU AND YOUR ADMIN

Don't Be Afraid

• SSL – it's not just for shopping carts; serve the admin area over HTTPS too

• Configure .htaccess or IIS security on the admin directory. Don't worry about changing the directory name: renaming it is obscurity, not access control

• Don't trust your connection, especially WiFi: ARP poisoning is easy

Page 20

THE DATABASE

What Are You Exposing?

• Logins: give the application its own MySQL username/password, different from the root login

• Sharing: do not share your database with other apps

• Change table prefixes: obfuscate table names to something known only to you (this slows down automated attacks; it is no substitute for fixing injection bugs)

• Non-public: remove the DB from public access

• Segment: segment where appropriate to limit the scope of access

• Back up! Not much to say here
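The login, sharing and non-public points above can be checked mechanically from two inputs you already have: the rows printed by SHOW GRANTS for the application account, and the [mysqld] section of my.cnf. The script below is an added example written for this page, not code from the presentation or from MySQL. The GRANT lines and my.cnf text are constructed to show a shared-host "before" beside the hardened "after"; the account name wordpress and database wp_site are assumed.

```python
"""Audit a MySQL application account and listener against the slide's advice:
its own credentials (not root), no reach into other apps' databases, and no
exposure to the network.

Added example for this deck, not code from the presentation or from MySQL.
The GRANT rows and my.cnf text are constructed; the account 'wordpress' and
database 'wp_site' are assumed. Real input comes from
SHOW GRANTS FOR 'wordpress'@'%' and from the server's my.cnf.
"""
import re

GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)", re.I)

# Server-wide or administrative privileges a web application never needs.
ADMIN_PRIVS = {"ALL PRIVILEGES", "SUPER", "FILE", "PROCESS", "SHUTDOWN",
               "CREATE USER", "RELOAD", "REPLICATION SLAVE"}


def audit_grants(grant_lines, app_user, app_db):
    """Return (account, issue) findings for app_user's GRANT rows."""
    findings = []
    for line in grant_lines:
        m = GRANT_RE.search(line)
        if not m or m["user"] != app_user:
            continue
        account = f"{m['user']}@{m['host']}"
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        if privs == {"USAGE"}:
            continue               # the no-privilege row MySQL always prints
        db = m["scope"].split(".")[0].strip("`")
        if m["host"] == "%":
            findings.append((account, "login allowed from any host"))
        if db == "*":
            findings.append((account, "privileges on every database"))
        elif db != app_db:
            findings.append((account, f"privileges on another app's database: {db}"))
        admin = sorted(privs & ADMIN_PRIVS)
        if admin:
            findings.append((account, "admin-level privileges: " + ", ".join(admin)))
        if "GRANT OPTION" in m["rest"].upper():
            findings.append((account, "can grant its privileges to others"))
    return findings


def listens_locally(my_cnf):
    """True if [mysqld] disables TCP or binds only to a loopback address."""
    in_mysqld, local = False, False
    for raw in my_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if not in_mysqld or not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("_", "-")
        if key == "skip-networking":
            return True
        if key == "bind-address":
            local = value.strip() in {"127.0.0.1", "::1", "localhost"}
    return local                   # no bind-address at all means every interface


# Constructed: the shared-host setup that lets one site reach them all,
# beside the per-application account the slide asks for.
BEFORE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'wordpress'@'%' IDENTIFIED BY PASSWORD '*hash' WITH GRANT OPTION",
]
AFTER_GRANTS = [
    "GRANT USAGE ON *.* TO 'wordpress'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX "
    "ON `wp_site`.* TO 'wordpress'@'localhost'",
]
BEFORE_CNF = "[mysqld]\nbind-address = 0.0.0.0\n"
AFTER_CNF = "[mysqld]\n# web tier talks over the unix socket only\nbind-address = 127.0.0.1\n"

if __name__ == "__main__":
    for label, grants, cnf in (("before", BEFORE_GRANTS, BEFORE_CNF),
                               ("after", AFTER_GRANTS, AFTER_CNF)):
        print(f"{label}: listens locally = {listens_locally(cnf)}")
        for account, issue in audit_grants(grants, "wordpress", "wp_site") or [("-", "no findings")]:
            print(f"  {account}: {issue}")
```

The "before" account is exactly what turns one hacked WordPress into a thousand: any host, every database, and the right to hand those privileges on. Run the audit for every application account on a shared box, and treat a finding on a foreign database as the "sharing" problem from the slide, not as a convenience.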

Page 21

YOUR HOSTING ENVIRONMENT

• Network Firewalls

• VPN Access

• Anti-Virus

• SSL Certificates

• Isolated Environments (Web/DB – Prod/Dev)

• Web Application Firewalls

• Two-Factor Authentication

• Vulnerability Monitoring

• Intrusion Detection

• Log Management

• Scrubbing Centers

• Disk Encryption

Page 22

Thank You. Questions?

Chris Davis

Email: [email protected]

Twitter: twitter.com/davischrism