Page 1: WordPress Security – Managing Risks Sagely Security - Managing Risks... · WordPress Security – Managing Risks Sagely Today’s Cool New Features are Tomorrow’s Security Risks

WordPress Security – Managing Risks Sagely

Today’s Cool New Features are Tomorrow’s Security Risks


Presented by Elyse Nielsen, October 11, 2014

Page 2

Presentation Purpose

The purpose of sharing this information is to give you an opportunity to:

1. Raise your risk awareness regarding your WordPress site.

2. Share security practices which are used to mitigate risk.

3. Provide some basic security tactics to manage risk.


Page 3

A Bit about Me

Portfolio Manager with Ascension Information Services, IT Organizational Excellence. Managed the establishment of the Security Service Delivery Line for Ascension. I formerly worked as a Director of Information Services at Albany Medical Center in Upstate NY, which all culminates in extensive experience in technology and project management.

Certified Project Management Professional (PMP) by the Project Management Institute and a Certified Professional in Healthcare Information Management Systems (CPHIMS) by HIMSS.

Working with WordPress since 2007. Blogging since 2003.

Best WordPress Site Established – Back in 2005 implemented a site for a family to share the outcomes of a child with leukemia.

Recent work is more of a passionate hobby (it might be a business according to the IRS).

Page 4

Interesting Jeopardy

• About how many websites exist on the internet today?

• What percentage do you think is WordPress?

• How are most attacks accomplished?

• What are you most worried about?

(Image caption: AnonGhost’s mark on SaratogaCountyNY.com on August 9th this year.)

Page 5

Your Website

Your Website: the first impression to build trust with your customers.

Stack diagram of your website, from top to bottom: Scripting, Database, Web Server, Application, Application Tools, Operating System, Network.

Page 6

Swiss Cheese Risk Assessment

Layers between an outside threat and your site, each with holes of its own (stack diagram): Outside Threat → Linux → Database → Applications → Plugins & Themes

Page 7

Zero Entry Hacking

1. Recon: Gather information on the target; define the target.

2. Scan: Determine critical vulnerabilities.

3. Exploit: Determine how to leverage a weakness in security.

4. Maintain Access: Implement back doors, erase evidence.

Activities shown around the cycle:

Gather Offsite Info (Google – Social Media)

Harvest Onsite Info (Host – Emails – Authors)

Scan Vulnerabilities (wpscan – port scan)

Map Vulnerabilities (older legacy WP – plugins)

Target Vulnerabilities (Passwords – Gain Access)

Evaluate Info (Type, Programs Affected)

Leverage Position (other hosts, systems, databases)

Increase Privileges (Owner, Barriers, Action Steps)

The Zero Entry Hacking methodology from penetration testing casts a wide net and then brings about a focused attack upon the weaknesses found. The objective of this methodology is basically the old saying that knowledge is power: by evaluating the vulnerabilities, opportunities to expand the exposure are explored.

A BAD EXPOSURE IS LIKE A VAMPIRE, IT COMES BACK TO BITE YOU IN THE NECK

Page 8

Potential Security “Land Mines”

• Interception of client credit card numbers

• Unauthorized access to the WordPress application

• Changing your website to offer “Mythical and Mystical Pharma”

• Overloading your website so it is not available any more (DoS)

• Corrupting your customer membership data

• Changing your website to show it can be hacked

• Sessions are hijacked and orders are placed for which you can’t recoup

• Your backend database doesn’t have any tables any more

• Your admin password does not work

Page 9

Situation Assessment

How do we assess security risks and manage them sagely?

The complexities of managing and maintaining a website for business growth through content marketing are time-consuming. Business owners are hard pressed to find additional time to focus upon security issues. How can we be more proactive in our approach to security as the website is transitioned to the business owner?

The strategy is to have security managed by resources with the right skill set and to assure all employees are aware of the security concerns, so as to protect our data. Security management will help to establish guidelines and practices to manage risks according to complexity and impact.

Key Security Concepts around protecting information:

Confidentiality: Our ability to protect our data and information from those who are not authorized to view it.

Integrity: Our ability to prevent our data and information from being changed in a less than desirable manner.

Availability: Our ability to access our data at our convenience when needed.

Page 10

Managing Risk

Page 11

Risk Management Approach

1. Identify Risks: Examine the application and technology.

2. Analyze Risks: Assess likelihood and overall impact, and determine criticality.

3. Manage Risks: Determine how to handle the risk and the approved response.

4. Monitor Risks: Re-assess in a monthly risk review.

Activities shown around the cycle:

Define Risk Context (Risk Management Plan)

Elicit Risks (Interviews - SWOT – Reviews)

Describe Risks (Cause - Risk – Impact)

Assess Risks (Consequences - Likelihood)

Qualify Risks (Category - Criticality)

Determine Approach (Consider Secondary Risk Impacts)

Determine Urgency (Action Window, Impact Window)

Ascertain Impact Span (Type, Programs Affected)

Document Response (Owner, Barriers, Action Steps)

Risk management is key where interdependencies exist between technologies or when the risks from one technology raise other risks. The objective of risk management for your website is to have the right amount of risk intolerance to mitigate the circumstances which make the vulnerability exist.

Page 12

Security Management

EFFECTIVE SECURITY MANAGEMENT rests on three elements:

FRAMEWORK (Policy, Controls): Establishing the rules of the game clearly and upfront.

STRUCTURE (Process, Practice): Having the right processes interwoven to ensure effective and efficient security management.

EMPLOYEES (Engage, Train): Having the right people execute their roles effectively.

Page 13

Security Management Framework: Policy and Controls

Gain agreement on a security management plan with a standard tool set. Assure that, within policy and controls, there is transparent monitoring of risks and escalation as needed.

Key Actions:

Conduct Business Impact Assessments for the business’s online presence.

Develop and gain agreement on a Business Continuity Plan for your web site.

Develop and authorize a Security Policy.

Determine the Security Oversight Process.

Develop a Security Management Plan.

Assure all critical risks have mitigation approaches.

Page 14

Security Management Structure: Process and Practice

Implement a Security Management Process for the crucial services which would have the most impact if they were sabotaged. Have risks assessed for all technologies and potential business impacts.

Key Actions:

Assign an Accountable Leader to manage the critical risks.

Audit the website.

Conduct a Disaster Recovery Test.

Implement processes to support the security policy.

Conduct Risk Assessments with periodic reviews.

Assign Risk Ownership and Accountability to empowered leaders and have written risk acceptance.

Establish Quarterly Major Risk Reviews and Monthly Minor Risk Reviews.

Purchase Tools and Services to alleviate and manage critical risks.

Page 15

Security Management for Employees: Engage and Train

Train our employees to have risk awareness. Assure employees have a similar toolset and vocabulary for security management.

Key Actions:

Implement a formal Security Management Training Program

– Offer a Training Webinar

– Conduct Brown Bag Question and Answer Sessions. Share discussions with other leaders.

– Provide an escalation path for concerns.

Develop a Security Management Communications and Awareness Program.

Page 16

Security Management Tactics

The consensus is that these four pillars of Security Management address risks and offer appropriate levels of management given the vulnerability of the exposure.

Technology Management: Assessing how much technology management and administration is going to need to be done. Planning which services are to be done in-house vs. outsourced. Planning for that mode and support.

Release Management: Staying current on updates is critical. WordPress has an automatic upgrade; several plug-ins do not. After an update has been applied, also have a standard test plan which checks form processing, design and content.

Security Tools: Currently in the WordPress market space there are two main types of tools:

- Back Ups

- Intrusion Detection Systems

- Intrusion Prevention Systems

- Spam Prevention

- Two-Factor Authentication

Access Management: Having appropriate safeguards for accessing crucial resources. Assure there is a good business process to elevate privileges and a review process at least twice a year to check on accounts and access.

Page 17

Technology Management - Hosting

(Stack diagram for each hosting option.)

Shared Hosting: Scripting, Database, Web Server, Application, Application Tools, Linux, Network

Managed Hosting: Scripting, Database, Web Server, Application, Application Tools, Linux

Dedicated Hosting: Scripting, Database, Web Server, Application, Application Tools, Linux

Page 18

Technology Management -Backups

Backups should be an automated process covering your files and databases. The backup should not be stored on the website.

Key Actions:

Determine how much you trust your host

Conduct a test restore of some files with your host (particularly the wp-content folder)

If there is a concern, consider another 3rd party solution

What should I back up and When?

Page 19

Stay Current on Software Releases

Page 20

Security Tools of the Trade

Brute Protect is a network counterforce against botnets: once a malicious IP address is caught on one website, it is blocked from that website and from all websites under the protection of Brute Protect.

Clef enables you to log in to WP via your phone by lining up the barcode on your iPhone with the barcodes on the screen. It also offers two-factor authentication.

Page 21

Security Tools of the Trade

iThemes Security runs a diagnostic check on your website and provides a list of actions to take to harden your WordPress security.

Akismet is an anti-comment-spam solution constructed by the Automattic team. It stops comment spam.

Page 22

Security Tools of the Trade

WordFence Security helps prevent denial of service attacks. It will scan your site and share vulnerabilities. It can block IPs that access admin, password-reset or 404 pages excessively. You can also block countries.

Sucuri.net will scan your site and remediate any malware or viruses if found.

Page 23

Passwords are in their Fifties

1970s: Packet Switching Networks; First Mobile Phone Call Placed; Unix Created; TRS-80s released

1980s: TCP/IP Introduced; DNS/BIND created; DOS developed; WordPerfect introduced; Commodore 64 released

1990s: Linux Created; Windows 3.11; PHP Introduced; Apple Newton; JavaScript; Client/Server Computing

2000s: WordPress; Apple iPhone; Y2K doom; Rails; x86 Hypervisor

2010s: Apple iPad introduced; Raspberry Pi A released

Fernando Corbató, the 87-year-old inventor of the password, says it's "become kind of a nightmare".

The computer password was invented in the 1960s, so it's definitely out of date.

Page 24

Access Management – Top Passwords

1. 123456

2. password

3. 12345678

4. qwerty

5. abc123

6. 123456789

7. 111111

8. 1234567

9. iloveyou

10. adobe123

How to get a good Password

1. Don’t use passwords; have another method – thumbprint, two-factor authentication.

2. Have a complicated password. WordPress allows for passphrases.

3. Have a way to vet the user to the password when resetting.

Page 25

Access Management – Privileges

Let’s make better mistakes tomorrow!

With Great Power comes Great Responsibility.

Page 26

Security Management – Checklist

1. Have a Security Checklist

Every time a website goes out the door, have a Security “Czar” who reviews and assures there is limited exposure.

Key Benefits:

Quality Review Process

Sales Tactic

Provides an opportunity to incorporate learnings

Page 27

Security Management – Checklist

2. Provide a Security Policy

It’s really a matter of education and discussion to determine what works for your client.

Key Benefits:

Increases understanding of risk and exposure.

Key discussion on what security tools to incorporate – Backups, IDS, IPS.

Establishes a business practice.

Guidance for user roles and practical usage of editors, authors, and admins.

Page 28

Security Management – Checklist

3. Remove Developer Left-Overs

Turn off the development/test server and run through planned and free-form testing. Remove developer accounts.

Key Benefits:

Quality Review Process

Assures there are no remaining links as you are handing the keys to the business owners.

Page 29

Security Management – Checklist

4. Setup Backups

Establish a backup strategy and implement it. Also provide a physical USB copy of the website.

Key Benefits:

Establishes trust with the non-twitter generation.

Performs the Last Mile of customer service.

Page 30

Security Management – Checklist

5. Consider an Intrusion Detection System

Install WordFence, Sucuri or iThemes and configure it.

Key Benefits:

Establishes trust with the non-twitter generation.

Performs the Last Mile of customer service.

Page 31

Security Management – Checklist

6. Check Plug-ins for “Holes”

Get VIP Plugin Scanner on GitHub. The plugin itself is a library that allows you to create arbitrary "Checks" (e.g. UndefinedFunctionCheck), group them together as Reviews (e.g. WordPress.org Theme Review), and run them against themes, plugins, directories, single files, and even diffs.

Key Steps:

Checks out the files for you.

Have someone do a code review.

Check for large blocks of encoding.
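As an added example (not the presentation's code and not the VIP Plugin Scanner), the "large blocks of encoding" step as a small Python scan over constructed plugin sources; the 200-character threshold and the function names it looks for are assumptions:

```python
"""Added example, not from the presentation: flag plugin or theme PHP files that
carry large encoded blocks or decode-then-run constructs. Thresholds and the
function lists are assumptions, not a published rule set."""
import os
import re

BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")        # 200 chars is an assumed threshold
HEX_ESCAPES = re.compile(r"(\\x[0-9a-fA-F]{2}){20,}")   # long \x.. escaped strings
DECODE_THEN_RUN = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*"
    r"(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(")


def scan_php(source):
    """Return (line_number, reason) findings for one PHP source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in BASE64_RUN.finditer(line):
            findings.append((lineno, "base64-like run of %d chars" % len(m.group())))
        if HEX_ESCAPES.search(line):
            findings.append((lineno, "long \\x-escaped string"))
        if DECODE_THEN_RUN.search(line):
            findings.append((lineno, "decode-then-execute construct"))
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {relative path: findings}."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report


# Constructed samples (not real plugins): one clean, one carrying an encoded blob.
CLEAN_PLUGIN = (
    "<?php\n"
    "function demo_footer() { echo '<p>Thanks for visiting</p>'; }\n"
    "add_action('wp_footer', 'demo_footer');\n"
)
SUSPICIOUS_PLUGIN = (
    "<?php\n"
    "/* constructed sample */\n"
    "$payload = '" + "QUFBQUFB" * 30 + "';\n"
    "eval(gzinflate(base64_decode($payload)));\n"
)
```

Legitimate plugins sometimes embed base64 image data, so treat a hit as something to read in the code review, not something to delete on sight.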

Page 32

Security Management – Checklist

7. Assure Initialization Finishing Touches

Review the Security Checkpoints to assure the installation was completed.

Key Steps:

Update the wp-config Security Keys

Validate the DB Prefix is NOT wp

Enable SSL Login

Enable auto-update for WordPress Minor Release Updates.

Set File Permissions to 644 or 640.

Set Folder Permissions to 755 or 750.

Place the wp-config file wisely based upon hosting choice.
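An added example, not part of the presentation, that turns the key, prefix, SSL login, auto-update and permission checkpoints above into an automated audit; it runs on constructed sample configs and a throwaway file tree, and the 32-character minimum key length is an assumption:

```python
"""Added example, not from the presentation: audit a WordPress install for the
finishing touches above. Paths, thresholds and regexes are assumptions."""
import os
import re
import stat
import tempfile

PLACEHOLDER = "put your unique phrase here"   # text shipped in wp-config-sample.php
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
FILE_MODES = {0o644, 0o640}   # file permissions the checklist allows
DIR_MODES = {0o755, 0o750}    # folder permissions the checklist allows


def audit_wp_config(text):
    """Return a list of findings for the contents of a wp-config.php file."""
    findings = []
    for name in KEY_NAMES:   # each key must be present, not the default, not short
        m = re.search(r"define\(\s*'%s'\s*,\s*'([^']*)'" % name, text)
        if not m or m.group(1) == PLACEHOLDER or len(m.group(1)) < 32:
            findings.append("security key %s is missing, default or short" % name)
    m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", text)
    if not m or m.group(1) == "wp_":
        findings.append("table prefix is the default wp_")
    if not re.search(r"define\(\s*'FORCE_SSL_ADMIN'\s*,\s*true\s*\)", text):
        findings.append("FORCE_SSL_ADMIN is not enabled (SSL login)")
    if re.search(r"define\(\s*'WP_AUTO_UPDATE_CORE'\s*,\s*false\s*\)", text):
        findings.append("WP_AUTO_UPDATE_CORE is false (minor updates disabled)")
    return findings


def audit_permissions(root):
    """Return relative paths under root whose mode is outside 644/640 (files) or 755/750 (folders)."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            allowed = DIR_MODES if name in dirnames else FILE_MODES
            if stat.S_IMODE(os.lstat(path).st_mode) not in allowed:
                bad.append(os.path.relpath(path, root))
    return sorted(bad)


# Constructed samples: a never-hardened config and a hardened one.
WEAK_CONFIG = "<?php\n" + "".join(
    "define('%s', '%s');\n" % (k, PLACEHOLDER) for k in KEY_NAMES
) + "$table_prefix = 'wp_';\n"
HARDENED_CONFIG = "<?php\n" + "".join(
    "define('%s', '%s');\n" % (k, "K" * 64) for k in KEY_NAMES   # stand-in for random keys
) + "$table_prefix = 'site7_';\ndefine('FORCE_SSL_ADMIN', true);\n"


def demo_permissions():
    """Constructed fixture: a correct wp-content folder beside a world-writable wp-config.php."""
    root = tempfile.mkdtemp()
    folder = os.path.join(root, "wp-content")
    os.mkdir(folder)
    os.chmod(folder, 0o755)
    config = os.path.join(root, "wp-config.php")
    with open(config, "w") as fh:
        fh.write("<?php\n")
    os.chmod(config, 0o666)
    return audit_permissions(root)
```

Run `audit_wp_config` on the real wp-config.php and `audit_permissions` on the document root after hand-over; an empty result for both is the "finishing touches done" signal.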

Page 33

Security Management – Checklist

8. Viewing is a privilege

Review robots.txt and .htaccess to assure what needs to be open is open, and what does not need to be open is closed.

Key Steps:

Is it appropriate to lock down wp-admin?

What should bots view in robots.txt?

Block access to wp-files in .htaccess.

Page 34

Security Management – Checklist

9. Audit User Accounts

Walk through an audit on the user accounts and why they are needed.

Key Steps:

Walk through who has access.

Confirm with the site owner that access is appropriate.

Page 35

Security Management – Checklist

10. Conduct a Penetration Test

See the vulnerabilities ahead of time.

Key Steps:

Hire a consultant

D-I-Y (Kali and WordScan)

Page 36

In Closing

Key Take Away Points

• Pay it forward and share the knowledge

• Discern what works for the situation

• Invest the time upfront proactively

What possibilities does this open up?

Elyse Nielsen • [email protected] • Insight Matters – Feedback welcomed. • http://www.anticlue.net