Open Source Powered Websites: Protect Your Enterprise and Yourself - Chris Davis, Founder & CEO, Firehost
Slide 1
Open Source Websites : Protection
Chris Davis, Director of Security and Compliance
Slide 2
Open Source Powered Websites: Protect Your Enterprise and Yourself
Slide 3
DISCLAIMER
This is not a Sales Pitch
• Learn from our findings and apply to your environment
• This is a very serious problem and it’s only getting worse
Slide 4
HOW BAD IS IT?
• 82% of websites have at least one security issue (WhiteHat Security, 2008)
• 63% have issues of high, critical or urgent severity (WhiteHat Security, 2008)
• 70% of the top 100 most popular web sites either hosted malicious content or contained a masked redirect to malicious sites (Websense, 2009)
Slide 5
WEB APPLICATIONS – THE LARGEST THREAT
• 54% of attacks are on the web application layer
• 92% of web application attacks resulted in over 90% of record access
Source: Verizon / United States Secret Service Data Breach Investigation Report, 2010
Slide 6
OPEN SOURCE ON THE RISE
Slide 7
THE GAME HAS CHANGED
• Web, HTTPS (SSL) & XML Vulnerabilities
• SQL Injection
• Session Hijacking
• Cross Site Scripting (XSS)
• Form Field Tampering
• Known Worms
• Zero Day Web Worms
• Buffer Overflow
• Cookie Poisoning
• Denial of Service
• Web Server & Operating System Attacks
• Directory Traversal
• Anonymous Proxy
• Open Source Vulnerabilities
• OS Command Injection
• Cross-Site Request Forgery
• Google Hacking
• Remote File Inclusion
• Illegal Encoding
• Malicious Robots
• Parameter Tampering
• Brute Force Login
• Malicious Encoding
• Site Recon
• Credit Card Exposure
• Patient Data Disclosure
• Phishing
• Data Destruction
• US SSN Leakage
Rise in Application Level Attacks (Port 80 and 443 – Unblocked by Firewalls)
Strict Compliance Requirements (U.S. and Abroad)
U.S. Department of Health & Human Services, Policy of Responding to Breaches of Personally Identifiable Information (PII), HHS-OCIO-2008-0001.002 – April 15, 2008
Slide 8
HACKER PROFILES (Two Types)
• THE Egomaniac
• THE Criminal
Slide 9
Slide 10
NATHAN SMITH
Static & CMS-Powered Website Hacked on Cloud Hosting
• TextPattern CMS
• Co-wrote book on Textpattern = No Rookie
• SEO Bots = “Spammy” Links
• Users = Normal but with display:none list of links
Slide 11
Slide 12
KARL SWEDBERG
WordPress Hacked
• WordPress CMS - Hacked
• During Migration we gained access to over 1000 Websites
• Yes… we had Karl report the hack
Slide 13
Slide 14
SECURITY IS ABOUT THE ECOSYSTEM
Layer: Examples
• Network: Routers / Firewalls
• Operating Systems: Windows / Linux / OS X
• Applications: Open Source / Commercial
• Database: Oracle / MySQL / MS SQL
• Web Server: Apache / Microsoft IIS
• 3rd Party Web Applications: Open Source / Commercial
• Custom Web Applications: PHP / ASP.NET / Java
• Physical / Virtual Access / Social Engineering
Responsibility: Solution
• Managed Hosting: Firewall, Virus Protection, Patches, IDS, etc.
• Yours or FireHost: App Level or WAF
Slide 15
Humans: The Biggest Security Vulnerability
Slide 16
WHAT CAN YOU DO?
Be Smart About It
• Security isn’t convenient
• Choose only leading CMS platforms
• Stay up-to-date with core updates
• Decent security plug-ins out there
• Use a secure hosting provider
Slide 17
THE REALITIES OF MODULES/PLUGINS
Keep Them Under Control
Slide 18
LOVE YOUR MODULES
Website Enhancements
• Only download from trusted sources
• Check bug reports
• Only activate one at a time
• Three dirty letters – DEV
• Don’t install unless it supports your core version or higher
• Search “x hacked” first and read results
Slide 19
YOU AND YOUR ADMIN
Don’t Be Afraid
• SSL – It’s not just for shopping carts
• Configure .htaccess or IIS security on the admin directory; don’t worry about changing the directory name
• Don’t trust your connection, especially WiFi: ARP poisoning is easy
Slide 20
THE DATABASE
What Are You Exposing?
• Logins: MySQL UN/PW different from Root Login
• Sharing: Do not share your database with other apps
• Change Table Prefixes: Obfuscate table names to something known only to you
• Non-Public: Remove DB from public access
• Segment: Segment where appropriate to limit scope of access
• Back Up! Not much to say here
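As an added example (not part of the deck), the Logins, Sharing, Non-Public and Segment points above written out as MySQL statements: the weak pattern first, then a dedicated least-privilege account. The names cms_db and cms_app and the password are constructed placeholders.

```sql
-- Added example, not from the deck. cms_db, cms_app and the password are
-- constructed placeholders; replace them for your own environment.

-- Weak pattern (Logins / Sharing): the CMS connects as root from any host and
-- therefore holds every privilege on every database on the server.
--   GRANT ALL PRIVILEGES ON *.* TO 'root'@'%';

-- Sharing: one schema per application; nothing else lives in it.
CREATE DATABASE IF NOT EXISTS cms_db
  CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

-- Logins / Segment: a dedicated account, distinct from root, that can only
-- connect from the web server. Use 'localhost' when web and DB share a host;
-- use the web tier's private address when they are split.
CREATE USER IF NOT EXISTS 'cms_app'@'localhost'
  IDENTIFIED BY 'REPLACE-WITH-LONG-RANDOM-SECRET';

-- Least privilege: only data manipulation on its own schema. Schema changes
-- (CREATE/ALTER/DROP) are run by an administrator during upgrades, not by the
-- runtime account; grant them temporarily if an installer needs them.
GRANT SELECT, INSERT, UPDATE, DELETE ON cms_db.* TO 'cms_app'@'localhost';

-- Non-Public: no remote root and no anonymous accounts. Pair this with
-- bind-address = 127.0.0.1 (or the private interface) in my.cnf so the
-- server is not reachable from the internet at all.
DROP USER IF EXISTS 'root'@'%';
DROP USER IF EXISTS ''@'localhost';
FLUSH PRIVILEGES;

-- Change Table Prefixes is set in the CMS configuration (for WordPress,
-- $table_prefix in wp-config.php), not in SQL; pick a random prefix instead
-- of the default wp_.

-- Check: the application account should show no *.* grants, and no account
-- should remain with a host wildcard or an empty user name.
SHOW GRANTS FOR 'cms_app'@'localhost';
SELECT User, Host FROM mysql.user WHERE Host = '%' OR User = '';
```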
Slide 21
YOUR HOSTING ENVIRONMENT
• Network Firewalls
• VPN Access
• Anti-Virus
• SSL Certificates
• Isolated Environments (Web/DB – Prod/Dev)
• Web Application Firewalls
• Two-Factor Authentication
• Vulnerability Monitoring
• Intrusion Detection
• Log Management
• Scrubbing Centers
• Disk Encryption
Slide 22
Thank You
Questions?
Chris Davis
Email: [email protected]
Twitter: twitter.com/davischrism