Impacts of a Website Compromise

Date aired: March 31, 2016

Sucuri Co-Founder, Tony Perez, brings awareness and education to website owners about the risks, impacts, and threats to their online properties. Learn why a website hack can be devastating to your business or web project, including a few key points you might not have considered.

Tony & Daniel - Webinar Profile

Tony Perez and Daniel Cid

Sucuri Co-Founders

Sucuri Co-Founder, Tony Perez, brings awareness and education to website owners about the risks, impacts, and threats to their online properties. Learn why a website hack can be devastating to your business or web project, including a few key points you might not have considered.

Questions & Answers

Question #1: What is the legal responsibility for not securing their site and they get hacked? Would be nice to explain to clients 2 convince

Answer:The legal ramifications depend on your industry and country of origin. There currently isn’t a USA-specific law to the compromise of a website, but there are a number (depending on your state) on the breaches that revolve around personal information. A good resource for the breach notification laws you can reference this article for the latest statues by state.

If you’re an ecommerce website, while you don’t have legal responsibility, you do have to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was formed in 2006 in collaboration with the major credit card brands (e.g., Visa, MasterCard, Discover, JCB and American Express). The latest guidance can be found in version 3.1; the new version, 3.2, is expected to be released April 2016.

Question #2: Could something be written that would infect the hacker, so they would not want to touch your site!

Answer: It is always possible, but you walk a very delicate line and it may be illegal to do so. The attacker might be proxying through networks, which may lead you to attack another one of his victims.

Question #3: Are there any hosting providers that you recommend?

Answer: The hosting market is highly competitive and you have very good options out there. We would need more information on the requirements to give a better answer. If you are technical and can manage your own server, you have many options from Amazon AWS, Google Compute Engine, OVH, Linode, Digital Ocean, etc. If you prefer someone to manage your server for you, look at anaged platforms, which there are also many available. If your site and budget is small,you can also look at shared hosts, which start at a much lower price. Before we can help much more, you have to look at your budget, the time you want to spend managing the site/server and the latform your site is on. Once you have that in mind, the decision on where to host becomes a lot easier.

Question #4: Do we must use CloudProxy or we can also use something like Cloudflare and still get max protection?

Answer: Sucuri’s Firewall (aka CloudProxy) provides a complete security solution with a CDN on top of it. So you do not need CloudFlare on top of our Firewall, but if you still want to use both, we are compatible and a few of our clients do use both for a variety of reasons.

Question #5: What is the difference between @sucurisecurity and @wordfence?

Answer: Wordfence is a great application-level security utility plugin for the WordPress platform. Sucuri is a global Software as a Service (SaaS) technology that sits at the edge, beyond the application. Sucuri is also platform agnostic, allowing it to work in any open / closed source environment. Sucuri supports all platforms, including, but not limited to: Custom Site, WordPress, Joomla!, Magento, osCommerce, vBulletin, Drupal, .NET.

Question #6: Will @sucurisecurity come to Drupal CMS?

Answer: Sucuri already supports the Drupal CMS on all of our products. 🙂 Please ping us at info@sucuri.net and we’ll provide more information.

Question #7: Many clients don’t always understand what a SSL is and is not. May be useful to explain.

Answer: Secure Socket Layer (SSL) is now a deprecated encryption protocol that has been replaced with Transport Layer Security (TLS) version 1.1 and higher. It was however the encryption protocol that supported the HTTPS protocol for close to 30 years, as such, SSL is used interchangeably with TLS. The “SSL” protocol secures data in transit, between browser and web server; it does nothing for the security of the website itself I’m sharing an article in which I go into more details that should help address your concern.

Question #8: Why should we use your hosted DNS vs just changing the a records?

Answer: Our hosted DNS is configured on an Anycast network, providing reliability, speed, and performance. Additionally, it’s part of our complete security stack. It provides our team the flexibility in the event of a security incident that requires traffic to be rerouted for any reason.

Question #9: You going to be releasing a Joomla extension like you do for WordPress?

Answer: Not currently on the roadmap.

Question #10: Do you offer pen testing

Answer: We do offer custom services for pentesting, but it’s determined on a case-by-case basis

Question #11: One of our sites received a defacement while under CloudProxy. Why?

Answer: This is not easy to answer without more context. There could be a number of reasons, the most prevalent is a concept known as cross-site contamination. We wrote an article on the subject a few years that might help understand what happened. The other possibility is always around authentication / authorization. CloudProxy is designed to stop external attacks, but if something like username / passwords are compromised there is little it can do if the admin panels are open to the world. Here is an article I wrote on access control that you might find helpful. Again though, without more information on the specific case it’s hard to give you a good answer. If you can send us the details, we’d love to investigate and see if we can’t provide a better answer.

Question #12: Do you offer pen testing

Answer: The best way to stay current with the latest issues is to subscribe to our Blog. We pride ourselves in staying ahead of the latest and emerging threats. There are specific outlets depending on your platform, but you should always subscribe to the CMS and extensions you’re leveraging.

Question #13: Can I use a backup to fix my hacked site?

Answer: You can use a backup to restore a hacked website, but it doesn’t necessarily do much for you in the realm of “fixing.” Fixing is something that would be accomplished by identifying the attack vector, and patching it. A backup just kicks the proverbial can down the road, bound to be an issue again sooner or later.

Question #14: Do you offer pen testing

Answer: Your host handles the security of the server and their network, not of your website. I wrote a pretty extensive article on the subject that you might find insightful. Some hosts do leverage things like ModSecurity and put forward good effort in proactively defending attacks Security however is often not their core focus, and their proactiveness is limited to their resources, often finding themselves being more reactive to disclosures.

Question #15: Why do website reinfections happen?

Answer: Website reinfections happen for a number of reasons. The most common reason is that you likely removed the malware, but did not patch the original vulnerability that allowed the site to be hacked in the first place. Second, attackers might have left backdoors that were used to reinfect the site. That was actually the reason why we built our Sucuri Firewall (CloudProxy) initially, to protect sites against reinfections by virtually patching vulnerabilities and blocking backdoors. It could also be related to cross-site contamination. The harsh reality is that reinfections happen because website owners rarely take the time to apply the necessary changes post-compromise. Whether that’s patching identified vulnerabilities, hardening specific sections of the websites or the basics of updating all user credentials.

Question #16: How do we get one of those cool shirts?

Answer: Which ones? The polo? Send an email to marketing@sucuri.net , let’s see what they can do.. 🙂

Question #17: Lower pricing for eastern europe small agencies? 🙂

Answer: Have you already engaged with our Sales Consultant team? We work very hard to make the pricing affordable, but as you might imagine localizing is always going to be a challenge. I am sure however with enough volume the team would work really hard to make something work. 🙂

Question #18: Our site was developed with quite a bit of custom coding and plugins (WordPress) which break upon WordPress updates, unless manually patched – which can be time consuming. How can we protect our site between WordPress security alerts/releases and the time it takes our web development to apply patches on custom code and plugins?

Answer: Honestly, the easiest approach would be to leverage something like Website Application Firewall (WAF) / Intrusion Prevention System (IPS). Something like the Sucuri Firewall (a.k.a CloudProxy) . It’s honestly the most effective approach to working in an environment such as the one you described. Other alternatives include deploying your own, via technologies likeModSecurity and others.

Question #19: I am very curious about what sort of security is offered by website builders like Squarespace, Wix, Weebly, etc. Especially in the context of selling my WordPress dev services against those options. What would you say? My typical customer wants to keep things simple and their eyes dart everywhere when I start to tell them about security concerns and the need to be proactive and vigilant. They want to trust Weebly et al and think it will be simpler for them.

Answer: The biggest thing these closed environments offer is that they maintain a highly locked down environment. They take away a lot of the risk that today’s CMS introduce, specifically those that revolve around how much access and flexibility an end user has. While I’m a big fan of the open-source community, I can definitely see how these closed-environments offer a better solution for some business owners. I don’t work with any of them, but from what I see they offer a great solution for website owners, especially when it comes to security.

Question #20: Is WordPress the most vulnerable CMS? (vs joomla and drupal)

Answer: Not sure how to answer this question. All CMS applications have vulnerabilities, WordPress is larger so it’s a more attractive target. More bang for your buck.

With that in mind, it’s not that WordPress is more vulnerable but that their market is much bigger. Today’s issues rarely revolve around issues within the core of the CMS, but rather it’s extensible components (i.e., plugins, themes, etc..).

The same is true however for all other CMS applications.Their market is bigger, so I’d say there are more issues in the ecosystem but proportionally it makes sense.

Question #21: Will the slide deck be something we can share with our own customers to help explain why they need security?

Answer: Of course, that’s why we’re preparing it. Both the slide deck and video are things we want everyone to share and consume.

Question #22: Is there a way to have the quality of my website code “”audited”” to know more about vulnerability and ease of fixing?

Answer: There are a few services out there that offer different forms of auditing, but they can be expensive. If you have something specific you want reviewed, send us the case to info@sucuri.net and we’ll see if it makes sense within our review services or if there is something else you can leverage. Be clear though that reviews are not inexpensive. They require a budget of some kind -whether to leverage a tool to do the reviews, or pay someone to make the fixes. Investing in a vulnerability management program is not for the faint of heart.

Question #23: Does Installing Google Tag Manager Compromise Server/website Security?

Answer: We have to look at security holistically. Anything you add into your environment that allows someone to circumvent an existing security control is something worth identifying as a potential issue. With that in mind, if you have a tag manager pixel on your site and someone can inject code into your website, I’d say that’s a concern. You’ve now extended your perimeter to an environment you can’t control. Google or not. It’s a new access point. We don’t use it for this exact reason

Question #24: Should I have my domains under private registration with my registerer?

Answer: If you have a business website, it is best to register under your company name and address. Use a generic role ( admin@domain.com or tech@domain.com ) instead of someone’s name. For a personal site, private registration is easier and safer, as you wouldn’t want to leak your personal address or phone number.

Question #25: How difficult is it to install / activate subscription securi? I have very little technical ability and worry if I will be able to handle it.

Answer: We find it fairly straightforward, but that is of course very relative. Good news though, if you need someone, our team is available to help. All we need to do is communicate the problem. 🙂

Question #26: Can you please elaborate on how these hackers scan for vulnerable websites? When a client gets hacked, they always ask “why me?”. They feel that they were specifically targeted.

Answer: So in the future, you can point your clients to this article I wrote, in it I speak specifically to this. Additionally, youcan point them to this article in which I talk specifically to automation and how that is the makeup of most of today’s attacks.

Question #27: When downloading a JQuery script how do I know if it’s safe to use?

Answer: I would recommend to always stick to to the official repository provided by JQuery.

Question #28: Are there any wordpress plugins that you know to be highly compromised (or can be easily compromised) that you would recommend users stay away from?

Answer: Oh my, this is a big question. If we knew they were highly compromised, they wouldn’t be anymore.. 🙂 I’d recommend subscribing to the WPScan Vulnerability Database to stay abreast of the latest vulnerabilities.

Question #29: Why isn’t possible to build an anti-virus/anti-malware software to protect the website, similar to what is done for local environments, like Windows? Will this happen in the future?

Answer: Windows doesn’t have one AntiVirus / AntiMalware solution, they have dozens of vendors. There is no such thing as a “silver bullet” which is what is being asked here. Everyone does things a little differently than the other, which leads to different success rates. But there is no single solution for Windows, or any other system. It’s unlikely this will ever happen for the desktop or for websites. The environments are too complex.

Question #30: How well does Sucuri “”play”” with CloudFlare?

Answer: Sucuri Firewall integrates perfectly with CloudFlare. Most users don’t have to leverage CloudFlare once in our environment, as our technology offers them a CDN with performance improvements as well

Question #31: How do I make sure all my client web site are (most of them using wordpress) are secure? DO you have any tool that crawl server?

Answer: You should really considering deploying the Sucuri Firewall on each of them. Instead of crawling and looking for vulnerabilities then patching, leverage the solution to virtually patch and harden the environments.

Question #32: Is there a standard set of plugins or suggested setup actions sucuri would recommend for any WP site?

Answer: From a security perspective they should leverage the Free Sucuri Security plugin for WordPress. I would also recommend they enable 2FA on the login panel, and think seriously about employing some form of WAF/IPS solution.

Question #33: I find any OLD dbase website is at risk and gets hacked almost 100% of the time whereas some of thehtml sites never seem to be hacked

Answer: Well if it’s an old database (depending on how it’s maintained) it’s likely a SQLi issue. It sounds though that the issue is exploitation of vulnerabilities within those environments. The threat landscape for a static html website and a website that uses a database is very different.

Question #34: Is there a training webinar that goes into detail on all the settings in the Firewall dashboard?

Answer: Not yet, but it’s coming. 🙂

Question #35:I have the Sucuri cloudproxy firewall running on several WordPress sites. I don’t have the budget to run the full sucuri Monitoring/Clean-Up service. If I find one of my sites victim to attack, would I still be able to employ your clean-up services after the fact?

Answer: Sounds like you might want to look at our Agency configuration where you can subscribe to have ad-hoc cleanup fees

Question #36: Joomla has documentation that suggests cleanup through a fresh installation & re-installing extensions, then copying site data into the new site’s database. Is there a way to analyze or check a database for exploits?

Answer: Yeah, that’s always the trickiest bit. There is no all-encompassing script for all variations. In situations like this I’d recommend having a professional service go through the database where they can employ their toolsets. You won’t really find those freely available unfortunately

Question #37: If we follow the recognized guidelines for user responsible security measures, re: changing passwords, etc. and we use Sucuri, how safe are we? If the owner does their bit and Sucuri does their bit, can we ever really feel safe?

Answer: Security is a continuous process, not a static state. If everyone does their part, I would say that their confidence level should be very high that they are secure. They of course will never be 100%. It’s just not a reality in the world of security. They will be able to sleep good at night though. 🙂

Question #38: Does it help to implement httpS on the entire site?

Answer: If you are implementing HTTPS, you have to implement it on the whole site. A partial HTTPS implementation saves you very little in terms of resources and opens the doors to downgrade attacks.

Question #39: Are there some plugins that we should stay away from ? or beware of

Answer: Please reference question #30 – subscribe to WPScan Vulnerability Database.

Question #40: Do you feel like its worth the effort to change the wp-admin login URL? Once you realize a page is wordpress, you can get to the gate pretty easy when the user login in a default www.website.com/wp-admin. Thoughts?

Answer: We don’t feel it is worth it to change the wp-login URL, because we actually recommend everyone to lock it down only to allowlist IP addresses. Our Sucuri Firewall will do that by default and restrict access to wp-admin, wp-login and other popular CMS login pages only to allowlisted IP addresses.

Question #41: A website visitor recently told us that his workplace firewall has been blocking our site, listing it as pornography or gambling. What can a website owner do to fix this issue?

Answer: It sounds like a misclassification of the website. These can be tricky. The best course of action is to identify what the warning is and who the provider is. You’ll then need to navigate the process, identifying the right group for the provider to see how to go about getting reclassified. Often it’d be done by the networks NOC / SOC team.

Question #42: I would love a webinar, geared to those working in the website security field, on how to fix a site when hacked. We manage 85+ WP sites on a monthly basis.

Answer: Cool, will look into it

Question #43: We had a joomla and a wordpress website defaced at the same time on the same shared server… The wordpress website was behind the sucuri WAF but not the Joomla website… can this indicate deeper vulnerabilities at the server level? do you have any server side security services?

Answer: Actually, what this is likely due to is a contamination event. I wouldn’t jump the gun and say it’s a server-level issue. I’d first work to make sure all websites on the same server are treated the same way. If you protect one, protect them both. If you don’t care about one, remove it off the server. That’s where I would start.

Question #44: We were hacked (backdoor installed), we’ve cleaned up the server, but how can we fully understand HOW we were hacked? Does Sucuri offer any services that can help with the identification of how a previous hack occurred/what was exploited?

Answer: Possibly, but it would depend on the data available. Often the issue is not knowing how to get the answer, but the data available to do the forensics. If you want more information, you can engage us via sales@sucuri.net and we’ll work to see if we can help.

Question #45: Hi, Is it possible to block anybody from accessing the wp admin except if they log in from a specific country, ie South Africa ?

Answer: Oh yes, you’re talking about Geo blocking. We actually recommend being more paranoid and blocking everyone except if they come from an authorized IP address. Our Sucuri Firewall allows you to do that easily (country blocking & IP address restrictions)

Question #46: One of the big emerging threats is Ransomware, such as the Linux Encoder malware. Does Sucuri protect from this type of attack and How does Sucuri keep up with protection from this type of attack on an ongoing basis?

Answer: Ransomware has been around for a long time. It’s only now resurfacing and taking center stage. I wrote about thepotential for ransomware affecting websites in 2012. In 2016 we wrote about how we had started seeing it affect websites specifically. So there are a couple of things happening here. First there is the effect of ransomware on websites, then there is affect of ransomware being distributed via websites and affecting local environments. To your specific question on Linux.Encoder malware, a lot of those attacks are occurring through the exploitation of software vulnerabilities in websites. So yes, we’d be able to mitigate these attacks via our SaaS based WAF / IPS technology. If the attacker uses a different means of attack, say they exploit a vulnerability in the servers software, then that’d be a different discussion.

Question #47: How does the layer of security provided by Sucuri impact the performance of the website insofar as the website visitor is concerned.

Answer: It improves your performance and speeds up the load time for your visitors. So it has a positive impact to your performance.

Question #48: I use Htpasswd to protect my admin directory for wordpress. I also use a plugin called limit login attempts. That seems to work for me what do you think?

Answer: Great start. It won’t help you against software vulnerabilities, but does protect you against brute force attempts.

Question #49: One of our website got hacked in in 2 days once it was released. No person or any search engines knew the website URL. How did it happen?

Answer: I have no idea, I’d need more information like the logs and details of the compromise to give you a more definitive answer.

Question #50: How can a mere mortal ever get on top of all this?

Answer: The honest answer is to employ the help of professionals. There is a reason there are subject matter experts in every field. From developers to designers to hosts to system administrators, security is no different. I can change the oil in my car, but I’m not very good at it and if I want it to last I take it to the mechanic. When it comes to this stuff, I’d employ the help of organizations like Sucuri to be there and have your back when you need it most.

Question #51: Do you offer services to change web configurations on IIS? For example, I need to have TLS 1.2 turned off on my web server. Can I hire you to do it?

Answer: Sorry, no we won’t do that kind of consultative service.

Question #52: Can you be hired to implement the sucuri WAF for my server?

Answer: Definitely, please ping our sales team sales@sucuri.net and we’ll be happy to engage you on your deployment.

Question #53: What are the 3 top must-dos to secure your WordPress website?

Answer: I personally stay away from 3 must-dos because they are the wrong mindset. I always tell people to think about how people log in, how you account for security vulnerabilities, and what do you do in the event of a compromise. Thinking in this way helps you determine what you should be doing.

Question #54: If the WAF can fully protect my site while the plugins and coding are being patched, why do I need to devote time to updating the plugins at all?

Answer: It’s generally best practice to keep everything up to date. While WAF / IPS technologies can be highly effective, it’s always about risk management. There are no 100% solutions, it’s all the things you do combined that improve your overall security posture.

Question #55: Can you tell us about WPScan project?

Answer: It’s a great black box penetration testing toolset designed for WordPress. It’s great for testing your environment to identify potential weaknesses in either access control or known vulnerabilities. I’d encourage you to give it a try. We wrote a multi-part series on our blog, I’d check it out.

Question #56: Can hackers do a group attack where they are targeting a group of people with the same wordpress settings and executing the same malicious actions?

Answer: Yes, this is often what happens when we speak of automated attacks. Assume for instance an attacker (or group) wants to target all WordPress users on version 2.0. The tools are updated to target that specific configuration. The same can be seen in plugins. Great examples of this was TimThumb in 2011, still relevant today, and Revslider in 2014 / 2015 (still relevant today).

Question #57: Is there a way for my web development team to identify which plugins are vulnerable, pirated, or not actively being used?

Answer: Having a vulnerability management program is important. There are different types of reviews you can do which include things like static and dynamic code analysis, as well as peer reviews. There are some tools you can leverage, but not all developers are the same. Builders and breakers think very differently. It’s not as simple as looking at a piece of code and saying that’s a vulnerability. Sometimes it’s daisy chaining a number of issues to create a security vulnerability. There are a few different vulnerability scanning tools, but it really comes down to what you’re trying to achieve. I would recommend doing some research online.

Question #58: ICan you explain how hackers execute brute force attacks on your login and password?

Answer: This is a very big question, which is why we’ve written a series of articles talking to Brute Force attacks. I’d recommend spending some time going through those articles to gain a better understanding of how Brute Force works. The short answer is that bad actors are able to pass a series of username / password combinations to your CMS administrator panel. They compile a large list of both values and try every combination until they find the right combination. It’s not the quickest, but it can be the most effective. Some amplification techniques allow them to be much more effective.

Question #59: Does regular updates to the WordPress plug-ins and themes the best way to prevent malicious code injections?

Answer: It honestly depends on what you’re doing with your site. I don’t recommend it for all websites.

Question #60: Would you recommend https for all sites?

Answer: It honestly depends on what you’re doing with your site. I don’t recommend it for all websites.

Question #61: Does regular updates to the WordPress plug-ins and themes the best way to prevent malicious code injections?

Answer: Regular updates to plugins and themes will keep the environment current, fixing bugs that may include securityissues. If you’re looking for a preventive solution though, you’ll want to start placing your focus on technologies like Website Application Firewalls (WAF) and Intrusion Prevention Systems (IPS)

Question #62: Can you explain quarantine? i see a quarantine directory on the server – do i keep that dir or delete it? or is it actually still being used?

Answer: I assume you’re referring to the quarantine folder we create on your server post-cleanup. If you can confirm that the site is fully operational, then yes, you should be able to remove it. That folder is there for our team to reference in the event something goes terribly wrong. We take snapshots of every file we touch and save it just in case

Question #63: CIf someone was to approach security from a DIY perspective, what are three things that every website owner should prioritize in terms of security?

Answer: When working with website security I always recommend you focus on: Access Control, Software Vulnerabilities, and Backups.

Question #64:I have a website that has nothing on it. Why do people try to break into a website with nothing on it? What are they trying to get?

Answer: I’d encourage you to read this article on Why Websites Get Hacked. It addresses your question directly. It’s not about what they are trying to get, as much as what they might be trying to do. Remember that it’s rarely a personal thing, it’s just luck of the draw. You were an easy target, and the automated systems picked it up as a target. Read more for more insight.

Question #65:Where can I register or look for the next webinars in this series?

Answer: Great question! Right now as long as you registered for this first one you’ll continue to get notifications of future ones.

Question #66: If my site is hacked can the hackers get into my computer and take files (images)?

Answer: If your website is hacked, and by computer you mean the web server, then of course. If by computer you mean your local desktop / notebook, then it just depends on what the attacker does on the website. If they’re able to install something locally to your machine, then possibly. It just depends.

Question #67: Is there a way to determine whether or not a plugin is actually being used in a site? Like a plugin audit? Other than deactivating each one by one and seeing what breaks…

Answer: If your website is hacked, and by computer you mean the web server, then of course. If by computer you mean your local desktop / notebook, then it just depends on what the attacker does on the website. If they’re able to install something locally to your machine, then possibly. It just depends.

Question #68: Do you recommend one WordPress host over another? I realize that the host isn’t responsible for the actual website security, but the host is a part of the whole equation. I’m looking for a good partner I can rely on.

Answer: Unfortunately, reliability in hosts is very subjective. My recommendation, if you’re looking for a managed environment, would be WPEngine or if you’re looking for a different kind of host, SiteGround. This is not to say the others are not good, these are just the ones I have personal relationships with.

Question #69: My website was hacked on 4 separate occasions. These attacks happened within hours of a spat in an estate battle. what are the chances that this was my siblings?

Answer: I couldn’t even begin to speculate. Sorry.

See all Questions & Answers

Expand

Transcript

Tony Perez – Sucuri Co-Founder

I want to thank everyone for joining us. This is a really exciting period for us to sit down and chat with you on a number of security topics. I want to specifically start on what happens once an attacker is successful, and I think this is an important way to start. I think often we focus too much energy on what are the things we should be doing, but we don’t necessarily know what it is we’re trying to achieve. So a common theme you hear in my conversation – it’s all about mindset.

Before I get started talking about the impacts of a compromise, I want to give a little background. My name is Tony, as Michael just mentioned. I’ve been working here at Sucuri since our early days, since our inception, side by side with my business partner Daniel, and one of the biggest these we’ve always placed emphasis on as an organization is understanding what the problem is and trying to address that problem. Everything we’ve ever done is about, “How do we fix the problem of websites being compromised” – not for the large enterprise, not for the small business, but for any website. We don’t discriminate against industry, we don’t discriminate against size. We feel that website is non-discriminatory and we want to be the same way, and so some of the information I provide passes over all these industries. So on behalf of Daniel and I, we’re both very excited to be able to start delivering these very hopefully valuable and actionable presentations.

With that, I want to set the tone a little bit for what you’re going to hear. This presentation focuses on the back end or more of a bottoms-up approach of saying, “This is what happens after a compromise.” So the audience is more … You’ve likely been infected, you’ve likely experienced something that’s been infected, or you’re just generally curious on how you should be thinking about security and you want to take more of a proactive mindset and say, “What are the things I’m trying to protect against?” Maybe you’re curious what can an attacker do. Maybe you’re trying to weigh the risks, trying to figure out where security fits into your overall business plan or your online presence, and hopefully you’ll get some of those answers here in this presentation.

With that, whenever I talk about compromises, I always like to talk a little bit about psychology of the attacker or really the motivators of the attackers. Why do they hack? If we can sit down and take a moment to understand why they do the things they do, you can start taking away some of the personal pressures we put ourselves of, “Why did somebody hack me?” And when I do that, I always break things out into four distinct domains. I don’t talk about the “who” here, I talk about the “why.” Because if we were talking about the “who,” we’d be talking about, “This is the demographic of this type of attacker, and this is a criminal organization or this is a nation-state.” That’s not necessarily what I’m saying here. What I’m saying is, “What motivates them?”

And of course we start off with revenue. That’s perhaps the easiest thing for people to understand: the ability to make money on your website. That comes in various forms, whether that’s data exfiltration, which is what we’ve seen with thing like Target and Home Depot, stealing credit cards. Then the next very obvious response is, “But I don’t have any credit card information.” But there’s other ways to generate revenue from that, whether it’s affiliate-based campaigns – we see that a lot in pharma hacks – the bottom line is attackers have a way to make money on your website and the associated resources with that website, and so of course there’s enough motivation. And what we’ve learned over time is that, with enough motivation, with enough time, anything can be penetrated, and if you make yourself a susceptible target, you will get penetrated.

Then we move into the audience. This is for that target market that says, “Well, I don’t necessarily have anything of value.” But what we forget is that you do have something of value. Everyone of us that have an online presence has what we call audience. We have people that come to our website, read our articles, maybe they purchase our products or services, and that audience is valuable. That audience allows them to generate revenue for some form or another. But also, it allows them to be engaged, not just from you as a website owner, but from the attacker’s perspective. Maybe I want to target them and I want to distribute some form of desktop malware. Maybe I want to encrypt their environment. Maybe I want to download some kind of Trojan in their environment and steal their financial data. It’s not just about what they see on your website, but what your website can do to your audience.

Thirdly, we have resources. I have found that when talking to website owners, we think very one-dimensionally. We think, “Okay, I am running WordPress. I am running Joomla! and that’s all I care about, but in fact we have a responsibility to the environment as a whole in which that website resides – things like their server. And that server is very valuable because that server has other components on that server, whether maybe you’re using it as a mail server. Maybe you’re using it as a file server or some other server of some type that can be abused, whether it’s to send out e-mail spam. Maybe it’s integrated into a larger network, otherwise known as botnets. Or maybe it’s used to attack other websites, so that the attacker can use your resources and they never get in trouble, but then you in turn get affected because of their nefarious acts. So we have to think once we’re online, we’re part of a much larger ecosystem, and our responsibilities extend beyond the website itself.

Lastly, and perhaps the most annoying of the motivators is just “why not?,” right? Maybe I graduated high school, my mom’s working, my mom and dad are working, I’m sitting at home and I have nothing better to do, I saw this awesome webinar from Sucuri talking about websites getting hacked and now I’m curious how websites get hacked. They go online, the find a little script, and, “Oh my gosh, look, via some Google [inaudible 00:05:30] I’m able to identify somebody running an outdated version of some open source CMS or closed source CMS” – whatever it may be – “and boom, I’m in. And so now it’s a matter of telling my friends, ‘Look what I did. Look how awesome I am. Look at me, I’m [inaudible 00:05:43]'” And that happens all the time, right?

Unfortunately, it’s probably the most frustrating thing because what’s going through their mind is simply doing something for fun or amusement, with little consideration into the impacts that that may have to you as a website owner, whether that’s affecting your ability to support your family or support your business or support your employees – whatever the case may be. The last thing we want is to get affected because of something like that. And some of the impacts can be severe on the lulz side because on the lulz side they have no motivation of revenue or audience, so they could easily log into your environment and delete your entire directory. And those with an improper security posture – no backups, no maintenance – often find themselves on the bad side of a short stick.

So we understand their motivators. We understand that they may want to log in and abuse our environment and they may have motivations to do that. But what exactly can they do?

And when I talk about this, I always like to start and say, “Let’s remember that when we’re working with infections, what we see is only what the attacker wants us to see.” In often cases, it’s actually a much more complicated problem, and what you see is only a fraction of the problem. Often, similar to an iceberg, a lot of the problems reside in the things that you cannot see. So, if I log into a site and I see that it’s distributing some kind of malware, that’s great, but we need to be thinking beyond that. I say, “Okay, if they’re distributing malware and it’s part of a larger network, the odds are is that they have other things in that environment that are gonna insure that they can continue to access that environment – things like backdoors. Or maybe they’ve added this environment to their larger networks, so maybe we need to be looking for any other server-level scripts that might allow to do that – might allow them to, not only distribute malware via your site or do some kind of spam campaign, but also allow it to attack other sites part of a larger network. So we want to be looking at the things that we see as well as the things that we don’t see.

With that in mind, I always like to break things up infection types, and I look at seven distinct infection types. Now, these are not mutually exclusive, so just because you have malware distribution doesn’t necessarily mean you won’t have search engine poisoning or you won’t have phishing lures. In fact, what we see a lot is, once an environment has been penetrated, you can actually expect to see probably a little bit of everything. They kind of just open up Pandora’s box and they’re like, “Awesome. I have access” and they kind of just dump it in your website and they’re like, “Sweet, let’s see what works.” Obviously that’s not always the case, but that is often the case.

When we look at the relationship between the types of infections and the motivations, this is kind of what we look at. So when I talk about malware distribution, what I’m talking about is really the distribution of drive-by download attempts. For instance, what we’ve heard of that is, you open a website and, unbeknownst to you, the website pops up a little dialogue in your desktop and it says, “Please clean your PC” or “Your anti-virus is out of date. Click here to update.” A lot of individuals won’t make the relationship between the activity that’s happening right on the desktop and the activity that’s happening on their website and understand that the trigger’s actually happening from the website. They simply see it as a desktop. They’re like, “Oh okay, perfect.” And the click on it. And they don’t believe it to be the website because they trust that website.

Then you have things like search engine poisoning. As the name implies, it’s the method in which attackers are able to abuse how search engines view and interact with your site. So maybe they go to PerezBox and they pull up PerezBox and I like to talk about business and security, but instead you go to Google and you find that I’m actually talking about Viagra and Cialis and maybe I’m selling you the latest Gucci bags. And that’s obviously not a good thing.

Then we have phishing lures. Phishing lures is where we use a website of a known environment – say your Facebook or your PayPal or your Wells Fargo – and we try to trick you into giving us some sensitive information, whether that’s credit card information, whether that’s your login credentials, whatever that may be. Say you get an e-mail from Wells Fargo that says, “Please, this is your 90 day username and password check. We need you to log in and provide us with your … update your password.” And so you go through the process, you click on the link because it says “Wells Fargo Home” and you click on it, it goes to your browser, we open it and it says, “Okay, username, password,” the whole nine yards, “Oh, and we need you to confirm your address and your mother’s maiden name and your birthdate and your favorite pet” and the rest is history. And then all that information gets captured and gets sent back to what’s known as a command-and-control environment and then that happens to thousands and thousands of people. Now, how horrible would we feel if that’s being facilitated through our websites? And it happens every day. It gets embedded in very discreet locations on your server and then it’s added to e-mail campaigns and it’s kind of all interrelated.

We have things like spam e-mail, where your servers are distributing this span on a continuous basis, maybe part of marketing campaigns, and this ensures that the attackers can continue to do this at scale without their campaigns being affected. We shut off one server – that’s okay because I have ten more servers part of my network.

We have things like defacements, and that’s simply you log into an environment, next thing you know you’re pro-ISIS or you’re pro some activity that you’re against, or whatever the case may be. Especially a lot of Israeli-Palestinian activities, you’ll see a lot of that pop up – “Oh, we’re pro-Palestinian,” “We’re pro-Israeli.” Whatever the case may be, it’s all about … A lot of hacktivism is a lot of pursuing other activities, things like that.

DDos scripts and backdoors: I briefly talked on that, and that’s where the attackers are able to implement scripts at the server level that look to abuse the resources. The backdoors look to abuse your access control – maybe you’re using WordPress and you have you have IP allowlisting, et cetera on WP admin, but now through a backdoor the attacker is able to bypass all those controls and simply access the environment without going the normal avenue that you’ve defined. Bot scripts, being part of larger botnets, or even DDos attacks being able to use your environment to attack other environments, or being part of a larger network.

Of course there’s ransomware as well. That’s something that’s been coming to forefront as of late, which is twofold, right? They can log into your environment and they can hold your website hostage. They encrypt your entire directory and, if you don’t have a backup, now you find yourself in a situation where the only way to decrypt that information is to either pay the attackers in bitcoin or have to rebuild the entire website. And it just kind of depends on what your preference is.

Data exfiltration is kind of what we often hear about in large scale, “60 million credit cards stolen from Target, 20 million stolen from Home Depot,” whatever the case is. But that actually happens at smaller scales as well, and doesn’t necessarily always happen in large scale. It could happen with small businesses with just a few hundred customers. Data extends beyond credit cards and goes into information like personal identifiable information and I’ll talk about that.

So this is just kind of a very very high, rudimentary explanation of some of the types. Again, this is not an exhaustive list, but this perhaps the top seven that we see affecting websites of all sizes – large organizations, small organizations, blogs. So with that understanding, I like to think of the impacts. When I think of impacts, I like to break them out into two distinct domains. I look at it from a business perspective – how does it affect me? – and then from a technical perspective – how does it affect me there? And I think that’s really important because every one of us has a little bit of different perspective. On the business I’m concerned about one thing, but on the technical side I need to know how to address that. So we’ll approach from that perspective.

When you think about the business impact, first and foremost is obviously the brand. If we have an online presence – I really don’t care if it’s a blog, if it’s a static page, if it’s a commerce site – whatever it is, it was built and deployed for a reason. Even if it was only to target a hundred people, we still focused on building some kind of brand and we have some responsibility to that brand, not just to ourselves, but to our audience. And one of the things that we’ve learned is that no matter how much someone says that, “Oh, that website is of no value to us,” they quickly find out how valuable it is when, all of a sudden, even the hundred people that were going to it are no longer going to it. Right? And it’s critical to the reputation of that brand.

Now, the on the thing we have noticed, however, is that, unlike 2010, 2011, the tolerance is evolving. There seems to be more tolerance to compromises of some kind as long as we as businesses work to articulate that problem to our audience, explain to them what has happened, and you often seem to recover. It takes a little bit of time, and so it really comes down to you. Are you willing to accept this as a risk? Are you willing to have your brand potentially tarnished and are you okay with an impact for, say, 48 hours, three weeks, a month, whatever that may be. And only you can really define that.

Of course, that leads us into the economic impacts. This is perhaps the most obvious, right? If we get blocklisted or someone is unable to access the environment or your audience loses faith in what you’re providing them, then you don’t generate new traffic, you don’t have any new growth, maybe nobody’s purchasing your products or your services, and of course there’s an economic impact there. But I want you to think beyond the ability to generate revenue, but also think about what you spend. And your spend isn’t necessarily always monetary. A good percentage of it is, but it’s also your time. How much time are you willing to invest to get back up? Is it something that you should be doing, or is it something that you want to be focusing on the business? And then how are you going to feel moving forward? What software and technologies and personnel and training to do you need to invest in post compromise to try to ensure that doesn’t happen again, and are you okay with that happening again? Of course there’s gonna be financial implications of that as well.

Lastly, the one thing I want to emphasize is the emotional distress. This probably isn’t discussed as often, but it’s actually really important. Over the years, I’ve had a lot of conversations with customers and I’ve had customers crying on the phone, saying, “I cannot believe this happened,” and there’s a tremendous amount of anxiety. At that point when a compromise happens, I can tell you right now that nothing will ever move fast enough. “God, my stupid host doesn’t know what’s happening.” Right? “Oh, the security guys are lost. They don’t know what’s going on. I could have done that myself.” You know? “I can’t believe this. It takes so long. It’s been 45 minutes since someone’s responded to me.” For you, it can feel like the end of the world and it’s a combination of not knowing what’s happening and just pure frustration and anxiety to the problem.

Of course there’s also confusion. “What do I do now? Okay, so Google blocklisted me. Who do I talk to? I go to my host and my host says, ‘I’m only responsible for the network. I’m not responsible for your website,’ and I cannot believe that. Why wasn’t that in large print?” Things like that. And then that leads to a lot of anger. Now you’re mad, you’re upset. “I cannot believe!” You just wanna reach through the matrix and shake somebody and be like, “Why would you have done this to me? Do you not know that my website’s so important to me?” And I can tell you right now that hacks almost always happen at the most critical point. You’re about to launch your latest post. You’re about to push the latest product. You’re about to have a thousand visitors to your site in 25 minutes. It’s just crazy stuff, and now of course it’ll happen at that moment.

And then you go through this phase of sadness, of despair. We’ve worked with customers and it’s like, “We’ve been working this for three weeks. We don’t know what’s happening. We’re just so infuriated. We’re so mad and sad. It’s ruined me. I haven’t been eating for days.” Things like that.

And then you go through this phase of just distrust. “Why would I give anybody access to my environment again? How do I even know what plugins to use or what extensions to leverage? How do I know that this is a good host?” You start asking yourself all these whys and never really find the answers and that leads to what I like to call an erosion of trust in technology, in internet, in people, and it just leads for a very bad feeling.

When we move into the technical impacts, there are obviously a lot of technical impacts. First and foremost that I like to start with is website blocklisting. This is perhaps the ones that can affect you the biggest or the most and that’s because what that means is that somebody has the ability to stop people from accessing your environment. And it extends beyond search engines. So yes, Google, Bing, and a couple other search engines will make it so that when somebody goes to your website and, if it’s been infected, they will actually kill anybody’s ability to access it. And it’ll show them a big red screen – “This site may be distributing malware, maybe have issues, you may not want to go to this site” – and that can be very devastating for a website owner and it can actually kill all the engagement with that traffic.

But it also extends to you IP, it extends to your domain with mail servers, and it extends to network firewalls – say, like the Websenses of the world, where if you get categorized for pornography, all of a sudden somebody from a specific network won’t be able to access it. And that can extend to AT&T or your cell providers. That can extend to airport providers, the whole nine yards. So we want to be careful of that.

Of course there’s the SEO impact. This kinda goes without saying. An attacker can go and attack your search engine result pages. They can attack your SEO, and from a market perspective, from a business perspective, that could be a nightmare, but from a technical perspective, it could also be a nightmare, because what we know is once these are the analytics, takes a very long time to clear that up. It dirties your analytics. You have to try to decipher the information. Is that legitimate or is it not? And then of course, what are the impacts to my search engines? Maybe I go from a ranking of one and now I’m a ranking of fifteen. One of the things that we know is that the search engines are really fast to take away ranking but they’re really slow to give it back. So you want to be conscious of that.

Lastly is the compromise to our visitors. I personally feel a huge responsibility for anybody that may go to my web properties and I would hope that anybody, at least that’s attending this webinar, feels the same way. Talking to brand and reputation and trust, I feel that when somebody comes to one of our properties, it’s our responsibility to ensure that we’re providing them a safe and secure environment. That’s part of our contributions to the internet as a whole, and I think we should all be doing that because I think that the last thing I want is my mom visiting one of my websites and then my mom calling me the next day and saying, “You know, Tony, you know what’s really weird? I logged into my bank and now all of my life savings is gone.” To know that my site could have had a contributing factor to that would just be devastating. And I think we all need to be thinking in that kind of mindset as well as like, “Are we okay with somebody calling us and saying they cannot log into their environments anymore because they’ve been hacked or they no longer have their finances because they were hacked because of something that our website distributed?” That would be devastating. The same way that we’d feel devastated if credit card information was stolen.

So with that in mind, I want to take a few minutes to broach the subject of website security and how to think about it. I don’t necessarily want to tell you what to do because there’s a lot of information on that, but I think that security always starts with good posture and the right mindset. And so when we talk about security, I want you to think of one very important facet, which is: security is not a static state. And I think this is one of the biggest mistakes we do as website owners, or just IT in general – if I find this technology, if I find this person, if I find this process, it’ll stop the entire process. It’s not. It’s a continuous process that you’re constantly evolving. The attacks don’t just say, “Oh, they’re blocking this. I’m okay now. Let me know just walk away and you’ll be good,” when in reality we need to be looking at a process that includes different facets. How are we protecting our environment? How are we detecting, in the event our protection fails, but also do we have a response protocol in the event something terrible goes wrong? Who do I touch base with? Who do I talk to? Who’s it gonna be that can help me?

Then of course, what kind of maintenance am I doing in the environment? What kind of administration, updates, backups? How am I monitoring and providing visibility into what’s occurring in the environment? Because all those are huge assets to providing us good indicators of compromise or potential compromise.

Then of course lastly is our best practices and principles, right? Things like Defense in Depth, very similar to the processes that I just discussed now, and even principles like least privileged access and things like that.

The last thing I want to touch on is technology will never replace our responsibility of website owners, and I think this is really important because I see this across all the various communities that I work in, is this desire to find the silver bullet. If I find this right plugin, if I find this right configuration, all this will stop, but in reality this is what the world looks like. Security was never designed just around the people or just around the process or just around the technology. Instead, it’s a symbiotic relationship between the three components. Technology in and of itself is of no value if the people aren’t there to configure it correctly. We see this all the time in IT, where they take a firewall, they deploy the firewall, and they’re saying, “I’m secure. I have a firewall,” but then you look at the configuration and they have “allow all.” And it’s like all you did was put hardware right in between the attacker and you, and you spent a lot of money doing it, and it’s doing absolutely nothing for you. It’s when the people come in, they analyze your traffic, they understand what’s good and what’s bad, they do the configurations, they block out the right ports – that in itself is what’s going to help you, it’s not the default settings.

And then of course having a process of maintenance, going through the process, updating it, monitoring. I log in every morning and I look at my logs and I say, “Who’s logged in?” I don’t have a lot of people logging into my site, so I know that if somebody from China at 2 A.M. logged into my environment using my credentials, that’s obviously a problem. That’s not acceptable. Obviously I have to look in to see what’s happening, because they may have not done anything in the environment at the time, they just simply verified that they can log in. So we want to think about this. It’s people, process, and technology. Those are the things that gives us a very good security posture.

And then of course lastly, my personal opinion and our opinion is that security is not a do-it-yourself project. It never has been and it shouldn’t be. Just because the platforms we leverage may be DIY doesn’t mean every facet of that platform, of how we build websites, is DIY.

So with that, again I want to thank you for joining me here at Sucuri. Here at Sucuri, we’ve built a comprehensive security stack for websites designed for business owners or website owners that just want to get back to do doing what they do, whether that’s running a business, whether that’s marketing, whether that’s sales. I can tell you for a fact that nobody really like security. Only a very select few do and we should let those people focus on it and let us get back to doing our business. So in our approach, we have a hybrid relationship where we focus on protection, detection, and response for the website owner, but we also work with the website owners to help improve their overall maintenance, their overall best practices and we try to give that guidance. So if there’s anything we can do to help, please let us know. Contact our team and we’ll be more than happy to engage.

See Full Transcript

Expand

Similar Past Webinars

In the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.

Resources

Picture of presenter of 2022 Website Threat Report Webinar

Webinar – 2022 Website Threat Report Webinar

Join us on April 5th as we cover the latest findings from our 2022 Hacked Website Threat Report. We’ll shed light on some of the most common tactics and techniques we saw within compromised website environments.

Picture of presenter of Virtual Patching Webinar

Webinar – Virtual Patching Webinar

All software has bugs – but some bugs can lead to serious security vulnerabilities that can impact your website and traffic. In this webinar, we dive into the steps you can take to migrate risk from infection and virtually patch known vulnerabilities in your website’s environment.

Picture of presenter of Hacked Website Threat Report 2021

Webinar – Hacked Website Threat Report 2021

The threat landscape is constantly shifting. As attackers continue to hone their tools and exploit new vulnerabilities, our team works diligently to identify and analyze threats posed to webmasters. Join us on July 6th as we cover the latest findings from our Hacked Website Threat Report for 2021.

Picture of presenter of Logs: Understanding Them to Better Manage Your  WordPress Site

Webinar – Logs: Understanding Them to Better Manage Your WordPress Site

In this webinar we will highlight the various activity, access, and error logs WordPress site administrators have at their fingertips. Plus, learn how logs can best be used to manage, troubleshoot, and most importantly, secure your sites.

Picture of presenter of Personal Online Privacy

Webinar – Personal Online Privacy

In our latest webinar, we'll describe action items that can improve the security state of internet-connected devices we all use every day. These devices will include common household staples such as: WiFi Routers, iOS/Android devices, and personal computers.

Picture of presenter of Why Do Hackers Hack?

Webinar – Why Do Hackers Hack?

Join us as we delve into the minds of hackers to explain targeted attacks, random attack, and SEO attacks. Find out why bad actors target websites.

Picture of presenter of WAF (Firewall) and CDN Feature Benefit Guide

Webinar – WAF (Firewall) and CDN Feature Benefit Guide

A feature benefit guide for our agencies and end users. Why use our firewall? What kind of protection does it offer? How does it affect the efficiency and speed of my site? Will it affect my server's resources? Find out the answers to these questions and more in our webinar…..

Picture of presenter of Preventing Cross-Site Contamination for Beginners

Webinar – Preventing Cross-Site Contamination for Beginners

Cross-site contamination happens when one hacked site infects other sites on a shared server. This webinar is for beginners and web professionals to understand cross-site contamination and how to prevent it…..

Picture of presenter of Getting Started with Sucuri!

Webinar – Getting Started with Sucuri!

If you're considering security for your site or are new to our services, this webinar will guide you through Sucuri's simple setup processes. Potential notifications, support options for various scenarios, and ways that you can also work to keep your site malware-free will be discussed…..

Picture of presenter of How to Account for Security with Customer Projects

Webinar – How to Account for Security with Customer Projects

Learn how you or your agency can account for security with your client projects. Presented by Sucuri Co-Founder, Dre Armeda, this webinar shows how you can get involved and help clients who are not aware of some of the security risks involved with managing a website…..