Home >Documents >WordPress Security – Managing Risks Sagely Security - Managing Risks... · WordPress Security –...

WordPress Security – Managing Risks Sagely Security - Managing Risks... · WordPress Security –...

Date post:15-Jun-2020
Category:
View:1 times
Download:0 times
Share this document with a friend
Transcript:
  • WordPress Security –Managing Risks Sagely

    Today’s Cool New Features are Tomorrow’s Security Risks

    1

    Presented by Elyse NielsenOctober 11, 2014

  • Presentation Purpose

    The purpose for sharing this information provides an opportunity for you to:

    1. Raise your risk awareness regarding your WordPress site.

    2. Share security practices which are used to mitigate risk.

    3. Provide some basic security tactics to manage risk.

    2

  • A Bit about Me

    3

    Portfolio Manager with Ascension Information Services with IT Organizational Excellence. Managed the establishment of the Security Service Delivery Line for Ascension. I formerly worked as a Director of Information Services at Albany Medical Center in Upstate, NY. Which all culminates in extensive experience in technology & project management.

    Certified Project Management Professional (PMP) by the Project Management Institute and a Certified Professional in Healthcare Information Management Systems (CPHIMS) by HIMSS.

    Working with WordPress since 2007. Blogging since 2003.

    Best WordPress Site Established – Back in 2005 implemented a site for a family to share the outcomes of a child with leukemia.

    Recent Work is more a passionate hobby (might be a business according to IRS).

  • Interesting Jeopardy

    4

    • About how many websites exist on the internet today?

    AnonGhost’s mark on SaratogaCountyNY.com on August 9th this year.

    • What percentage do you think is WordPress?

    • How are most attacks accomplished?

    • What are you most worried about?

  • Your Website

    5

    Scripting

    Database

    Web Server

    Application

    Application Tools

    Operating System

    Network

    Your Website The first

    impression to build trust with your customers

  • OutsideThreat

    Linux

    Database

    Applications

    Plugins & Themes

    Swiss Cheese Risk Assessment

    6

  • 1Recon

    Gather Information on Target

    Define Target

    2Scan

    Determine critical

    vulnerabilities

    Gather Offsite InfoGoogle – Social Media

    Harvest Onsite Info(Host –Emails – Authors)

    Scan Vulnerabilities(wpscan – port scan)

    )

    Target Vulnerabilities(Passwords – Gain Access)

    Map Vulnerabilities(older legacy wp – plugins)

    4MaintainAccessImplement Back Doors,

    Erase Evidence

    Increase Privileges (Owner, Barriers, Action Steps)

    3Exploit

    Determine how to

    leverage weakness in

    security

    Leverage Position(other hosts, systems, databases)

    Evaluate Info(Type, Programs Effected)

    Zero Entry Hacking Methodology from Penetration Testing casts a wide net which brings about a focused attack upon the weaknesses. The objective of this methodology is basically the old quote knowledge is power. By evaluating the vulnerabilities, opportunities to expand the exposure are explored..

    Zero Entry Hacking

    7

    A BAD EXPOSURE IS LIKE A VAMPIRE, IT COMES BACK TO BITE YOU IN THE NECK

  • Interception of client credit card numbers

    Unauthorized access to the WordPress application

    Changing your website to offer “Mythical and Mystical Pharma”

    Overloading your website so it is not available any more. (DOS)

    Corrupting your customer membership data.

    Changing your website to show it can be hacked.

    Sessions are hijacked and orders are placed for which you can’t recoup.

    Your backend database doesn’t have any tables any more.

    Your admin password does not work.8

    Potential Security “Land Mines”

  • The complexities of managing and maintaining a website for business growth through content marketing is time-consuming. Business owners are hard pressed to find additional time to focus upon security issues. How can we be more proactive in our approach to security as the website is transitioned to the business owner?

    The strategy is to have security managed by resources with the right skill set and to assure all employees are a are of the security concerns to protect our data. Security management will help to establish guidelines and practices to manage risks according complexity and impact.

    ConfidentialityOur ability to protect our data and information from those who are not authorized to view it.

    IntegrityOur ability to prevent our data and information from being changed in a less than desirable manner

    Key Security Concepts around protecting information

    How do we assess security risks and

    manage them sagely?

    9

    Situation Assessment

    AvailabilityOur ability to access our data at our convenience when needed.

  • Managing Risk

    10

  • 1IdentifyRisks

    Examine the Application and

    Technology

    Define Risk Context(Risk Management Plan)

    2AnalyzeRisks

    Assess likelihood, overall impact anddetermine criticality

    Elicit Risks(Interviews - SWOT – Reviews)

    Describe Risks(Cause - Risk – Impact)

    Assess Risks(Consequences - Likelihood)

    Determine Approach(Consider Secondary Risk Impacts)

    Qualify Risks(Category - Criticality)

    4MonitorRisks

    Re-AssessingMonthly Risk

    Review

    Document Response(Owner, Barriers, Action Steps)

    3ManageRisks

    Determine how to handle and approved response

    Determine Urgency(Action Window, Impact Window)

    Ascertain Impact Span(Type, Programs Effected)

    Risk management is key where interdependencies exist between technologies or when the risks from one technology raises other risks. The objective of risk management for your website is to have the right amount of risk intolerance to mitigate the circumstances which make the vulnerability exist.

    Risk Management Approach

    11

  • EFFECTIVE SECURITY MANAGEMENT

    FRAMEWORK EMPLOYEES

    Having the right processes interwoven to ensure effective

    and efficient security management

    STRUCTURE

    Having the right people execute their roles effectivelyEstablishing the rules of the game

    clearly and upfront

    ENGAGE TRAINPROCESS PRACTICEPOLICY CONTROLS

    Security Management

    12

  • Gain Agreement on a security management plan with a standard tool set. Assure within policy and controls there is a transparent monitor of risks and escalations as needed.

    Key Actions:

    Conduct Business Impact Assessments for business online presence.

    Develop and Gain Agreement on a Business Continuity Plan for your Web Site

    Develop and Authorize a Security Policy

    Determine Security Oversight Process

    Develop a Security Management Plan

    Assure all critical risks have mitigation approaches

    Policy and Controls

    13

    Security Management Framework

  • Implement a Security Management Process for the crucial services which would have the most impact if they were sabotaged. Have risks assessed for all technologies and potential business impacts.

    Key Actions:

    Assign an Accountable Leader manage the critical risks.

    Audit the website

    Conduct a Disaster Recovery Test

    Implement processes to support security policy

    Conduct Risk Assessments with periodic reviews.

    Assign Risk Ownership and Accountability to empowered leaders and have written risk acceptance.

    Establish Quarterly Major Risk Reviews and Monthly Minor Risk Reviews

    Purchase Tools and Services to alleviate and manage critical risks.

    Process and Practice

    14

    Security Management Structure

  • Train our employees to have risk awareness. Assure employees have a similar toolset and vocabulary for security management.

    Key Actions:

    Implement a formal Security Management Training Program

    – Offer a Training Webinar

    – Conduct Brown Bag Question and Answer Sessions. Share discussions with other leaders

    – Provide an escalation path for concern

    Develop Security Management Communications and Awareness Program

    15

    Security Management for Employees

    Engage and Train

  • 16

    The consensus is that these four pillars of Security Management address risks and offer appropriate levels of management given

    the vulnerability of the exposure.

    TechnologyManagement

    Assessing how much technology management and administration is going to need to be done. Planning which services are to be done inhousevs outsourced. Planning for that mode and support.

    Release Management

    Staying Current on updates is critical. WordPress has an automatic upgrade, several plug-ins do not. After an update has been applied also have a standard test plan which checks form processing, design and content

    r

    Security Tools

    Currently in the WordPress Market Space there are two main types of tools – Back Ups- Intrusion

    Detection Systems

    - Intrusion Prevention Systems

    - Spam Prevention- Two-Factor

    Authentication

    Having appropriate safeguards for accessing crucial resources. Assure there is a good business process to elevate privileges and a review process at least twice a year to check on accounts and access.

    Access Management

    Security Management Tactics

  • Shared Hosting

    Technology Management - Hosting

    Scripting

    Database

    Web Server

    Application

    Application Tools

    Linux Network

    Managed Hosting

    Scripting

    Database

    Web Server

    Application

    Application Tools

    Linux

    Dedicated Hosting

    Scripting

    Database

    Web Server

    Application

    Application Tools

    Linux

  • 18

    Technology Management -Backups

    Backups should be an automated process covering your files and databases. The backup should not be stored on the website.

    Key Actions:

    Determine how much you trust your host

    Conduct a test restore of some files with your host (particularly the wp-content folder)

    If there is a concern, consider another 3rd party solution

    What should I back up and When?

  • Stay Current on Software Releases

  • 20

    Security Tools of the Trade

    Brute Protect is a network counterforce against Botnets. Once a malicious IP address is caught on one website. It is blocked from that Website and all websites under the protection of Brute Protect.

    Clef enables you to log in to WP via your phone. By lining up the barcode on your iphone with the barcodes on the screen. It also offers two-factor authentication.

  • 21

    Security Tools of the Trade

    iThemes Security runs a diagnostic check on your website and provides a list of actions to take to harden your WordPress security.

    Akismet is anti-comment spam solution constructed by the Automattic team. It stops comment spam.

  • 22

    Security Tools of the Trade

    WordFence Security helps prevent denial of service attacks. It will scan your site and share vulnerabilities. It can block ips for overly accessing admin, password-reset, 404 pages. You can also block countries.

    Sucuri.net will scan your site and remediate any malware or viruses if found.

  • 1970

    2000

    2010

    • Packet Switching Networks• First Mobile Phone Call Placed• Unix Created• TRS 80s released

    • Linux Created• Windows 3.11 • PHP Introduced• Apple Newton• JavaScript• Client/Server Computing

    • WordPress• Apple iPhone• y2K doom• Rails• x86 Hypervisor

    • Apple ipad introduced• Raspberry Pi A released

    1980

    1990

    • TCP/IP Introduced• DNS/BIND created• DOS developed• WordPerfect introduced• Commodore 64 released

    Passwords are in their Fifties

    Fernando Corbató, the 87-year-old inventor of the password says it's 'become kind of a nightmare'

    The computer password was invented in the 1960s so it's definitely out of date

  • 24

    Access Management – Top Passwords

    1. 123456

    2. password

    3. 12345678

    4. qwerty

    5. abc123

    6. 123456789

    7. 111111

    8. 1234567

    9. Iioveyou

    10. adobe123

    How to get a good Password

    1. Don’t use passwords have another method – thumbprint, two-factor authentication.

    2. Have a complicated password.WordPress allows for PassPhrases.

    3. Have a way to vet the user to the password when resetting.

  • 25

    Access Management – Privileges

    Let’s make better mistakes tomorrow!

    With Great Power comes Great Responsibility.

  • 26

    Security Management – Checklist

    Every time a website goes out the door, have a Security “Czar” who reviews and assures there is limited exposure.

    Key Benefits:

    Quality Review Process

    Sales Tactic

    Provides an opportunity to incorporate learnings

    1. Have a Security Checklist

  • 27

    Security Management – Checklist

    Its really a matter of education and discussion to determine what works for your client.

    2. Provide a Security Policy

    Key Benefits:

    Increase Understanding of risk and exposure.

    Key Discussion on what security tools to incorporate – Backups, IDS, IPS

    Establishes a business practice.

    Guidance for user roles and practical usage of editors, authors, and admins.

  • 28

    Security Management – Checklist

    Turn off the development/test server and run through a planned and free form testing. Remove Developer Accounts.

    Key Benefits:

    Quality Review Process

    Assures there are not remaining

    links as you are handing the keys

    to the business owners.

    3. Remove Developer Left-Overs

  • 29

    Security Management – Checklist

    Establish a backup strategy and implement it. Also provide a physical USB copy of the website.

    4. Setup Backups

    Key Benefits:

    Establishes trust with the non-twitter generation.

    Performs the Last Mile of customer service.

  • 30

    Security Management – Checklist

    Install WordFence, Sucuri or iThemes and configure it.

    5. Consider an Intrusion Detection System

    Key Benefits:

    Establishes trust with the non-twitter generation.

    Performs the Last Mile of customer service.

  • 31

    Security Management – Checklist

    Get VIP Plugin Scanner on GitHub. The plugin itself is the library allows you to create arbitrary "Checks" (e.g. UndefinedFunctionCheck), group them together as Reviews (WordPress.org Theme Review), and run them against themes, plugins, directories, single files, and even diffs

    Key Steps:

    Checks out the files for you.

    Have someone do a code review.

    Check for large blocks of encoding

    6. Check Plug-ins for “Holes”

  • 32

    Security Management – Checklist

    Review the Security Checkpoints to assure the installation was completed.

    Key Steps:

    Update the wp-config Security Keys

    Validate the DB Prefix is NOT wp

    Enable SSL Login

    Enable auto-update for WordPress Minor Release Updates.

    Set File Permissions to 644 or 640.

    Set Folder Permissions to 755 or 750

    Place the wp-config file wisely based upon hosting choice.

    7. Assure Initialization Finishing Touches

  • 33

    Security Management – Checklist

    Review robots.txt and .htaccess to assure what needs to be open is open, and what does not need to be open is closed.

    Key Steps:

    Is it appropriate to lock down wp-admin?

    What should bots view in robot.txt

    Block access to wp-files in .htaccess

    8. Viewing is a privilege

  • 34

    Security Management – Checklist

    Walk through an audit on the user accounts and why they are needed.

    Key Steps:

    Walk through who has access

    Confirm with site owner access is appropriate.

    9. Audit User Accounts

  • 35

    Security Management – Checklist

    See ahead of time the vulnerabilities

    Key Steps:

    Hire a consultant

    D-I-Y (Kali and WordScan)

    10. Conduct a Penetration Test

  • In Closing

    36

    Key Take Away Points

    • Pay it forward and share the knowledge• Discern what works for the situation• Invest the time upfront proactively

    What possibilities does this open up?

    Elyse Nielsen• [email protected]• Insight Matters – Feedback

    welcomed.• http://www.anticlue.net

Click here to load reader

Reader Image
Embed Size (px)
Recommended