WordPress Security – Managing Risks Sagely
Today’s Cool New Features are Tomorrow’s Security Risks
Presented by Elyse Nielsen, October 11, 2014
Presentation Purpose
The purpose of sharing this information is to give you an opportunity to:
1. Raise your risk awareness regarding your WordPress site.
2. Share security practices which are used to mitigate risk.
3. Provide some basic security tactics to manage risk.
A Bit about Me
Portfolio Manager with Ascension Information Services in IT Organizational Excellence. Managed the establishment of the Security Service Delivery Line for Ascension. I formerly worked as a Director of Information Services at Albany Medical Center in Upstate NY, which all culminates in extensive experience in technology and project management.
Certified Project Management Professional (PMP) by the Project Management Institute and a Certified Professional in Healthcare Information Management Systems (CPHIMS) by HIMSS.
Working with WordPress since 2007. Blogging since 2003.
Best WordPress Site Established – Back in 2005 implemented a site for a family to share the outcomes of a child with leukemia.
Recent Work is more a passionate hobby (might be a business according to IRS).
Interesting Jeopardy
• About how many websites exist on the internet today?
• What percentage do you think is WordPress?
• How are most attacks accomplished?
• What are you most worried about?
(Image: AnonGhost’s mark on SaratogaCountyNY.com on August 9th this year.)
Your Website
Your website is the first impression to build trust with your customers.
Layers of the stack: Scripting – Database – Web Server – Application – Application Tools – Operating System – Network
Outside Threat: Linux – Database – Applications – Plugins & Themes
Swiss Cheese Risk Assessment
Four phases of the methodology:
1. Recon – Gather information on the target; define the target.
2. Scan – Determine critical vulnerabilities.
3. Exploit – Determine how to leverage weakness in security.
4. Maintain Access – Implement back doors, erase evidence.
Activities shown in the diagram:
• Gather Offsite Info (Google – Social Media)
• Harvest Onsite Info (Host – Emails – Authors)
• Scan Vulnerabilities (wpscan – port scan)
• Map Vulnerabilities (older legacy WP – plugins)
• Target Vulnerabilities (Passwords – Gain Access)
• Leverage Position (other hosts, systems, databases)
• Evaluate Info (Type, Programs Affected)
• Increase Privileges (Owner, Barriers, Action Steps)
The Zero Entry Hacking methodology from penetration testing casts a wide net which then narrows into a focused attack upon the weaknesses. The objective of this methodology is basically the old saying that knowledge is power: by evaluating the vulnerabilities, opportunities to expand the exposure are explored.
Zero Entry Hacking
A BAD EXPOSURE IS LIKE A VAMPIRE, IT COMES BACK TO BITE YOU IN THE NECK
Interception of client credit card numbers
Unauthorized access to the WordPress application
Changing your website to offer “Mythical and Mystical Pharma”
Overloading your website so it is not available any more (DoS).
Corrupting your customer membership data.
Changing your website to show it can be hacked.
Sessions are hijacked and orders are placed for which you can’t recoup.
Your backend database doesn’t have any tables any more.
Your admin password does not work.
Potential Security “Land Mines”
The complexity of managing and maintaining a website for business growth through content marketing is time-consuming. Business owners are hard pressed to find additional time to focus upon security issues. How can we be more proactive in our approach to security as the website is transitioned to the business owner?
The strategy is to have security managed by resources with the right skill set and to assure all employees are aware of the security concerns to protect our data. Security management will help to establish guidelines and practices to manage risks according to complexity and impact.
Key Security Concepts around protecting information
How do we assess security risks and manage them sagely?
Situation Assessment
Confidentiality – Our ability to protect our data and information from those who are not authorized to view it.
Integrity – Our ability to prevent our data and information from being changed in a less than desirable manner.
Availability – Our ability to access our data at our convenience when needed.
Managing Risk
Four steps of risk management:
1. Identify Risks – Examine the application and technology.
2. Analyze Risks – Assess likelihood and overall impact, and determine criticality.
3. Manage Risks – Determine how to handle the risk and approve the response.
4. Monitor Risks – Re-assess in a monthly risk review.
Activities shown in the diagram:
• Define Risk Context (Risk Management Plan)
• Elicit Risks (Interviews – SWOT – Reviews)
• Describe Risks (Cause – Risk – Impact)
• Assess Risks (Consequences – Likelihood)
• Determine Approach (Consider Secondary Risk Impacts)
• Qualify Risks (Category – Criticality)
• Determine Urgency (Action Window, Impact Window)
• Ascertain Impact Span (Type, Programs Affected)
• Document Response (Owner, Barriers, Action Steps)
Risk management is key where interdependencies exist between technologies or when the risks from one technology raise other risks. The objective of risk management for your website is to have the right amount of risk intolerance to mitigate the circumstances which make the vulnerability exist.
Risk Management Approach
Effective Security Management – the pillars:
• Framework (Policy – Controls): Establishing the rules of the game clearly and upfront.
• Structure (Process – Practice): Having the right processes interwoven to ensure effective and efficient security management.
• Employees (Engage – Train): Having the right people execute their roles effectively.
Security Management
Gain agreement on a security management plan with a standard tool set. Assure that within policy and controls there is transparent monitoring of risks and escalation as needed.
Key Actions:
Conduct Business Impact Assessments for business online presence.
Develop and Gain Agreement on a Business Continuity Plan for your Web Site
Develop and Authorize a Security Policy
Determine Security Oversight Process
Develop a Security Management Plan
Assure all critical risks have mitigation approaches
Policy and Controls
Security Management Framework
Implement a Security Management Process for the crucial services which would have the most impact if they were sabotaged. Have risks assessed for all technologies and potential business impacts.
Key Actions:
Assign an Accountable Leader to manage the critical risks.
Audit the website
Conduct a Disaster Recovery Test
Implement processes to support security policy
Conduct Risk Assessments with periodic reviews.
Assign Risk Ownership and Accountability to empowered leaders and have written risk acceptance.
Establish Quarterly Major Risk Reviews and Monthly Minor Risk Reviews
Purchase Tools and Services to alleviate and manage critical risks.
Process and Practice
Security Management Structure
Train our employees to have risk awareness. Assure employees have a similar toolset and vocabulary for security management.
Key Actions:
Implement a formal Security Management Training Program
– Offer a Training Webinar
– Conduct Brown Bag Question and Answer Sessions. Share discussions with other leaders
– Provide an escalation path for concern
Develop Security Management Communications and Awareness Program
Security Management for Employees
Engage and Train
The consensus is that these four pillars of Security Management address risks and offer appropriate levels of management given the vulnerability of the exposure.
Technology Management
Assessing how much technology management and administration is going to need to be done. Planning which services are to be done in-house vs. outsourced. Planning for that mode and support.
Release Management
Staying current on updates is critical. WordPress has an automatic upgrade; several plug-ins do not. After an update has been applied, also have a standard test plan which checks form processing, design and content.
Security Tools
Currently in the WordPress market space there are two main types of tools:
- Backups
- Intrusion Detection Systems
- Intrusion Prevention Systems
- Spam Prevention
- Two-Factor Authentication
Having appropriate safeguards for accessing crucial resources. Assure there is a good business process to elevate privileges and a review process at least twice a year to check on accounts and access.
Access Management
Security Management Tactics
Technology Management – Hosting
Shared Hosting: Scripting – Database – Web Server – Application – Application Tools – Linux – Network
Managed Hosting: Scripting – Database – Web Server – Application – Application Tools – Linux
Dedicated Hosting: Scripting – Database – Web Server – Application – Application Tools – Linux
Technology Management – Backups
Backups should be an automated process covering your files and databases. The backup should not be stored on the website.
Key Actions:
Determine how much you trust your host
Conduct a test restore of some files with your host (particularly the wp-content folder)
If there is a concern, consider another 3rd party solution
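An added example, not from the presentation, automating the file half of this advice in shell: backup_wp archives wp-content into a timestamped tarball plus a SHA-256 manifest in a destination assumed to sit off the web server, and verify_restore performs the test restore the slide asks for by extracting the archive and checking every file against that manifest. It assumes GNU tar and coreutils (sha256sum); make_site builds a constructed sample tree so it can be run offline, and the database dump is only shown as a comment because it needs a live MySQL.

```shell
#!/bin/sh
# Added example, not from the presentation. Assumes GNU tar/sha256sum and
# that $2 (the destination) is a mount or directory outside the web root.
backup_wp() {   # $1 = site root, $2 = backup destination; prints archive path
  stamp=$(date +%Y%m%d-%H%M%S)
  arch=$2/wp-content-$stamp.tar.gz
  # Manifest first, with relative paths so it can be checked from any restore dir
  ( cd "$1" && find wp-content -type f -exec sha256sum {} + | LC_ALL=C sort ) \
    > "$arch.sha256" || return 1
  tar -C "$1" -czf "$arch" wp-content || return 1
  # Database half, run where mysqldump can reach the server (not shown offline):
  #   mysqldump --single-transaction "$DB_NAME" | gzip > "$2/db-$stamp.sql.gz"
  echo "$arch"
}
verify_restore() {  # $1 = archive path; returns 0 only if every file matches
  tmp=$(mktemp -d)
  tar -C "$tmp" -xzf "$1" || { rm -rf "$tmp"; return 1; }
  ( cd "$tmp" && sha256sum -c --quiet "$1.sha256" ); rc=$?
  rm -rf "$tmp"
  return $rc
}
make_site() {   # constructed sample tree standing in for a real install
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2014/10" "$d/wp-content/themes"
  echo "/* constructed theme file */" > "$d/wp-content/themes/style.css"
  printf 'constructed image bytes' > "$d/wp-content/uploads/2014/10/photo.jpg"
  echo "$d"
}
# Usage: sh backup.sh /var/www/html /mnt/offsite
if [ $# -eq 2 ]; then
  arch=$(backup_wp "$1" "$2") && verify_restore "$arch" && echo "verified: $arch"
fi
```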
What should I back up and When?
Stay Current on Software Releases
Security Tools of the Trade
Brute Protect is a network counterforce against botnets. Once a malicious IP address is caught on one website, it is blocked from that website and all websites under the protection of Brute Protect.
Clef enables you to log in to WP via your phone by lining up the barcode on your iPhone with the barcodes on the screen. It also offers two-factor authentication.
Security Tools of the Trade
iThemes Security runs a diagnostic check on your website and provides a list of actions to take to harden your WordPress security.
Akismet is an anti-comment-spam solution constructed by the Automattic team. It stops comment spam.
Security Tools of the Trade
WordFence Security helps prevent denial of service attacks. It will scan your site and share vulnerabilities. It can block IPs for overly accessing admin, password-reset and 404 pages. You can also block countries.
Sucuri.net will scan your site and remediate any malware or viruses if found.
1970s: • Packet Switching Networks • First Mobile Phone Call Placed • Unix Created • TRS-80s released
1980s: • TCP/IP Introduced • DNS/BIND created • DOS developed • WordPerfect introduced • Commodore 64 released
1990s: • Linux Created • Windows 3.11 • PHP Introduced • Apple Newton • JavaScript • Client/Server Computing
2000s: • WordPress • Apple iPhone • Y2K doom • Rails • x86 Hypervisor
2010s: • Apple iPad introduced • Raspberry Pi A released
Passwords are in their Fifties
Fernando Corbató, the 87-year-old inventor of the password says it's 'become kind of a nightmare'
The computer password was invented in the 1960s, so it's definitely out of date.
Access Management – Top Passwords
1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123
How to get a good Password
1. Don’t use passwords; have another method – thumbprint, two-factor authentication.
2. Have a complicated password. WordPress allows for passphrases.
3. Have a way to vet the user to the password when resetting.
Access Management – Privileges
Let’s make better mistakes tomorrow!
With Great Power comes Great Responsibility.
Security Management – Checklist
Every time a website goes out the door, have a Security “Czar” who reviews and assures there is limited exposure.
Key Benefits:
Quality Review Process
Sales Tactic
Provides an opportunity to incorporate learnings
1. Have a Security Checklist
Security Management – Checklist
It’s really a matter of education and discussion to determine what works for your client.
2. Provide a Security Policy
Key Benefits:
Increase Understanding of risk and exposure.
Key Discussion on what security tools to incorporate – Backups, IDS, IPS
Establishes a business practice.
Guidance for user roles and practical usage of editors, authors, and admins.
Security Management – Checklist
Turn off the development/test server and run through planned and free-form testing. Remove developer accounts.
Key Benefits:
Quality Review Process
Assures there are no remaining links as you are handing the keys to the business owners.
3. Remove Developer Left-Overs
Security Management – Checklist
Establish a backup strategy and implement it. Also provide a physical USB copy of the website.
4. Setup Backups
Key Benefits:
Establishes trust with the non-twitter generation.
Performs the Last Mile of customer service.
Security Management – Checklist
Install WordFence, Sucuri or iThemes and configure it.
5. Consider an Intrusion Detection System
Key Benefits:
Establishes trust with the non-twitter generation.
Performs the Last Mile of customer service.
Security Management – Checklist
Get VIP Plugin Scanner on GitHub. The plugin itself is a library that allows you to create arbitrary "Checks" (e.g. UndefinedFunctionCheck), group them together as Reviews (WordPress.org Theme Review), and run them against themes, plugins, directories, single files, and even diffs.
Key Steps:
Checks out the files for you.
Have someone do a code review.
Check for large blocks of encoding
6. Check Plug-ins for “Holes”
Security Management – Checklist
Review the Security Checkpoints to assure the installation was completed.
Key Steps:
Update the wp-config Security Keys
Validate the DB Prefix is NOT wp
Enable SSL Login
Enable auto-update for WordPress Minor Release Updates.
Set File Permissions to 644 or 640.
Set Folder Permissions to 755 or 750.
Place the wp-config file wisely based upon hosting choice.
7. Assure Initialization Finishing Touches
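As an added example, not from the presentation, a small POSIX shell audit that checks a document root against these finishing touches: placeholder security keys, the default wp_ table prefix, FORCE_SSL_ADMIN, core auto-updates left enabled, and the 644/640 and 755/750 permissions. It assumes wp-config.php sits in the root or one directory above it (the "place it wisely" option); make_sample builds a constructed sample tree so the audit can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the presentation: audit checklist item 7 against a
# WordPress document root. Prints one FAIL/OK line per check and returns the
# number of failed checks. Assumes wp-config.php is in $1 or one level above.
audit_wp() {
  root=$1; cfg=$root/wp-config.php; fails=0
  [ -f "$cfg" ] || cfg=$root/../wp-config.php
  [ -f "$cfg" ] || { echo "FAIL: wp-config.php not found"; return 1; }
  # Security keys: the stock wp-config.php ships with this placeholder phrase
  if grep -q 'put your unique phrase here' "$cfg"
  then echo "FAIL: default security keys"; fails=$((fails+1))
  else echo "OK: security keys changed"; fi
  # Table prefix must not be the default wp_
  if grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.' "$cfg"
  then echo "FAIL: table prefix is wp_"; fails=$((fails+1))
  else echo "OK: table prefix changed"; fi
  # SSL login: FORCE_SSL_ADMIN must be defined true
  if grep -Eq 'FORCE_SSL_ADMIN.[[:space:]]*,[[:space:]]*true' "$cfg"
  then echo "OK: FORCE_SSL_ADMIN on"
  else echo "FAIL: FORCE_SSL_ADMIN not enabled"; fails=$((fails+1)); fi
  # Minor-release auto-updates must not be switched off
  if grep -Eq 'WP_AUTO_UPDATE_CORE.[[:space:]]*,[[:space:]]*false|AUTOMATIC_UPDATER_DISABLED.[[:space:]]*,[[:space:]]*true' "$cfg"
  then echo "FAIL: core auto-updates disabled"; fails=$((fails+1))
  else echo "OK: core auto-updates allowed"; fi
  # Files 644/640, folders 755/750: count everything that deviates
  nf=$(find "$root" -type f ! -perm 644 ! -perm 640 | wc -l | tr -d ' ')
  nd=$(find "$root" -type d ! -perm 755 ! -perm 750 | wc -l | tr -d ' ')
  [ "$nf" -eq 0 ] && echo "OK: file permissions" || { echo "FAIL: $nf files not 644/640"; fails=$((fails+1)); }
  [ "$nd" -eq 0 ] && echo "OK: folder permissions" || { echo "FAIL: $nd folders not 755/750"; fails=$((fails+1)); }
  return $fails
}
make_sample() {  # $1 = good|bad; builds a constructed sample tree, prints its path
  d=$(mktemp -d); mkdir -p "$d/wp-content/uploads"
  echo '<?php // constructed placeholder' > "$d/index.php"
  if [ "$1" = bad ]; then
    printf '%s\n' "<?php" "define('AUTH_KEY', 'put your unique phrase here');" \
      "\$table_prefix = 'wp_';" "define('WP_AUTO_UPDATE_CORE', false);" > "$d/wp-config.php"
    chmod 666 "$d/index.php"; chmod 777 "$d/wp-content/uploads"
  else
    printf '%s\n' "<?php" "define('AUTH_KEY', 'constructed-random-9f3a');" \
      "\$table_prefix = 'x7k_';" "define('FORCE_SSL_ADMIN', true);" > "$d/wp-config.php"
    chmod 640 "$d"/*.php; chmod 750 "$d" "$d/wp-content" "$d/wp-content/uploads"
  fi
  echo "$d"
}
# Usage: sh audit.sh /var/www/html
if [ $# -gt 0 ]; then audit_wp "$1"; fi
```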
Security Management – Checklist
Review robots.txt and .htaccess to assure what needs to be open is open, and what does not need to be open is closed.
Key Steps:
Is it appropriate to lock down wp-admin?
What should bots view in robots.txt?
Block access to wp-files in .htaccess.
8. Viewing is a privilege
Security Management – Checklist
Walk through an audit on the user accounts and why they are needed.
Key Steps:
Walk through who has access
Confirm with site owner access is appropriate.
9. Audit User Accounts
Security Management – Checklist
See the vulnerabilities ahead of time.
Key Steps:
Hire a consultant
D-I-Y (Kali and WordScan)
10. Conduct a Penetration Test
In Closing
Key Take Away Points
• Pay it forward and share the knowledge
• Discern what works for the situation
• Invest the time upfront proactively
What possibilities does this open up?
Elyse Nielsen
• [email protected]
• Insight Matters – Feedback welcomed.
• http://www.anticlue.net