Security for Web Agencies

Date aired: July 26th, 2017

Website security is challenging, especially with a large network of sites. We want to help you understand how you can create a security plan and reduce the risk of a hack or security incident. In this session Dana covers the implications of a security breach and why security should be important to your agency. Dana shows you a tiered approach to website security that you can implement on your own.

Dana Dickeson

Sales Consultant

I work with agency and enterprise clients to find an effective security strategy and have a passion for security and technology. I am a black belt in Brazilian Jiu-Jitsu and an avid guitar player.

Questions & Answers

Question #1: What about a stakeholder who needs admin level access but is also the weakest link? How to educate them?

Answer:One way to approach this is to put controls in place such as 2FA or Captcha. Education on creating strong passwords is also key. All stakeholders must understand their role in security.

Question #2: Why do I need to protect all sites in an environment?

Answer: When a hosting environment has multiple sites then there is a risk of cross-contamination. This means if one site gets infected then it can easily spread to other sites on the server. Therefore, one unprotected site can pose a risk to other sites, even if they are protected. Learn More

Question #3: What about websites that get little traffic?

Answer: Most attacks are random and the size/traffic on the site is not a factor, they can still be attacked.

Question #4: How should I handle security for clients I am just building the site for?

Answer: You can introduce them to the concept and value of security. Then, find a vendor that they can work with directly to provide them the right tools. :

Question #5: What do I say to clients that I can't sell on investing on security?

Answer:All you can do is educate them and convey the value. Sometimes folks will learn the hard way.

Question #6: If I'm just starting out and don't have the income to invest in security, what can I do?

Answer:One possibility is to refer clients to a security company and they can fund it themselves. Your biggest responsibility is to educate them and help them have a plan on how to approach security.

Question #7: What about if I'm managing multiple sites across different hosting platforms? Can Sucuri still handle that?

Answer:Yes, Sucuri is completely remote so the hosting environment is not important. As long as you have access to the DNS A record to point to the Sucuri Firewall. Our platforms also work with any CMS.

Question #8: What about the customers who say they do not need security because nobody ever attacked their sites?

Answer:The risk of a site being attacked is real but not everyone is going to be willing to take a proactive approach. If you have educated the client on the risks then it is up to them to act. The best thing you can do is have a plan to react if they do have an issue in the future.

Question #9: As a Web hosting and Web Development Company, how do we apply for the partner program and what is the financial gain for us?

Answer:To learn more you can reach out to us via chat, fill out our web form, or reach out to me directly at dana@sucuri.net. The financial gain is tough for us to define as it depends on your business model and what approach fits best.

Question #10: Great webinar, thanks Dana!! During the "Detect" portion of the talk, you mentioned "measuring file integrity." Do you have any specific tips or tools for that process?

Answer:Yes, for sure. The risk of cross-contamination comes from multiple sites sharing a hosting environment. Learn More

Question #11: At this moment, I have a lot of websites already online, so you think it’s a good idea to convince customers to invest in security? How would you propose that?

Answer:Education is the most important step. If the clients understand the risk then it will be easier to propose a solution. Also, think about the risk to you and your company if the sites are hacked. What are the costs to you if this happens.

Question #12: How does the Sucuri firewall stack up against services like Cloudflare?

Answer:The Sucuri firewall is similar in some ways but our approach to Malware is what really sets us apart. Other vendors tend to address only the OWASP top 10 vulnerabilities. Sucuri uses a virtual patching system and application profiles to protect against known threats as well as uncovering and patching emerging threats. This is crucial when it comes to open source CMS.

Question #13: What should be done with each new site?

Answer:One step is to engage with a security solution provider, like Sucuri, to put tools in place such as a Firewall and Detection. Also, there are several things you can do to increase the security posture of a site, check this out: Learn More

Question #14: What are best practices to harden new sites for clients when built?

Answer:This article will give you a good start: .

Question #15: One thing we struggle with is CloudProxy + CloudFlare. We don't use CloudProxy because we're unclear on the setup of them together. Would be nice if Sucuri had better/more specific docs on that setup.

Answer:That is a good suggestion. If you are interested in using our Firewall please reach out to me directly and I can help you with the set up. Dana@sucuri.net

Question #15: I haven't used the Sucuri Firewall because many of our clients are using https. My site for example uses a Comodo certificate, and I would have to upgrade my plan for the firewall to work with it. Any solution here?

Answer:Yes, for sure. Our professional plans include the ability to add your cert/key to the firewall dashboard. If you are using the basic plan, we can create a certificate at the firewall. Once it propagates and you fix any mixed content warnings, you will have full https.

Question #16: What about sites already public when activating Sucuri WAF, so that hackers have already mapped the IP address, they can bypass the firewall. How can you harden and prevent attacks ?

Answer:We recommend a htaccess update to prevent firewall bypass.Learn More

See all Questions & Answers

Expand

Transcript

Dana Dickeson - Sales Consultant

Well, thank you very much, Val. Thank you everybody for stopping by today and having a listen to what we have to share. Before we get started, I just want to tell you a little bit about myself. Like Val mentioned, my name is Dana Dickeson. I’m actually speaking to you from Fredericton, New Brunswick, in the very east coast of Canada. Small, little city here that ... very near the Atlantic Ocean, and for my U.S. attendees, I’m about a 45-minute drive from the main border to give you some perspective.

I’ve been working with Sucuri for a couple of years now, and I, like Val mentioned, I really work pretty much exclusively in the agency market as well as the enterprise market. Agencies are very important to us, and we understand that security’s very important to you, so that’s why we wanted to share this.

A little bit about myself outside of Sucuri. Security’s really a part of who I am. I’m former police officer, so it was physical security back then and now virtual security. I’m an avid guitar player. I love to play guitar, and if you’re watching on the web cam, you can see I’m never very far from at least a couple of guitars. Also, big into martial arts. Brazilian jiu-jitsu black belt, and a little Brazilian jiu-jitsu plug. It’s a grappling martial art. If you don’t know what it is, check it out. It’s awesome. Anyway, without further ado, let’s jump into the content.

I wanted to offer a bit of a disclaimer before we ... or maybe we’ll call it a qualifier, before we really kick off. Security’s a huge conversation, and security in itself and security around a website is a big conversation, and then how can an agency or someone who’s involved in websites implement security on a large scale? That’s an even bigger conversation. I can’t give you all that information in a 30-minute talk, so that’s something to keep in mind that we’re really just gonna scratch the surface today of this conversation.

Also, some of the information I’m gonna provide is general. It might not fit to you specifically, but I have two specific goals that I’d like to accomplish today, and if you can walk away with these things checked off, then that’s gonna make me feel like I did what I wanted to do. The first is to help understand the risks, the implications, and what it means and what effect security can have. The other thing, and the most important thing, is to start to think about a plan.

My mother always used to tell me, “If you fail to plan, then you can plan to fail.” I draw from my mother’s -isms a lot, but that’s something that stuck with me, and I think it’s true when it’s related to security.

So the first question I want to address is who should be concerned with web security? First and foremost is obviously the website owner. It falls to the owner of the website to take that responsibility, but also it’s people like the attendees here today, which I’m guessing are developers and agencies, SEO firms, marketing, hosts, managed service providers. Really we could say anyone who has a hand in the website or is responsible for a website, then you need to be concerned with security.

As a web agency, you have a really unique role, because in many instances you are the trusted party by the website, and much of what the client learns about web technology and security specifically is going to be from you. Because of that, you really have the ability to have an effect on the overall state of web security. It’s incumbent upon us to provide that advocacy and not only deliver our core services, but provide advocacy for security, build sites that are safe and secure, and provide secure practices to our clients. We really don’t have the ability to just ignore security, because it has such a big effect on what we do, what you do and the overall ecosystem.

One of the challenges really, and I have conversations on a daily basis with different stakeholders in web agencies, and I use that term broadly, but we know that that can include a whole bunch of people who manage websites. How do you introduce security? And at first this slide said, “How do I introduce security to my clients?” But as I thought about it, you’re really not trying to just introduce security to your clients, but you also have to introduce security to your coworkers, to your employees, to your employers, to the other stakeholders in the company, so there’s more than just the client involved, and how do we do that? How do we get the message out there?

The first thing is communication. We need to start to talk about the problem. Talk about the risk. Talk about the implications, and talk about the value of implementing a security approach. How do you find out that information? It’s through education, so the first step is to educate yourself. The second step is to communicate that education to those stakeholders, to those clients, to the employees, coworkers, employers.

I liked GI Joe when I was a kid, and he always used to say, “Now you know, and knowing is half the battle,” and I think that’s a big part. You don’t know what you don’t know, and your clients don’t know what they don’t know, so it’s incumbent upon us to help inform those website owners of the risks.

One strategy that I’ve been able to identify, and something we wanted to talk about, is starting to account for security early in the project life cycle. Let’s just take a really ... a look at a really basic project life cycle: discovery, design, development, deployment. All too often, what we find is that the security conversation comes in at the end when the site’s already deployed, and now there’s this afterthought of security. What we propose is that security should be part of the discussion from the very beginning, right from your first conversation when this client is still just a prospect for your firm.

This is the time to start to build that expectation and help involve the client in planning for a secure website, and that’s really going to help. How can we do that? We have to start to convey the risks, so the question we pose is, “Why is security important?” Some of these might be pretty obvious. Definitely the brand reputation is a big thing. The brand is made up of the users’ experience, and your design, your content, your product, your service, what the website is there to promote, that is the brand. And if that’s disrupted or people don’t trust that, then they’re gonna be less likely to support the brand.

The second is economic. If business is lost, then whether that’s an e-commerce site, maybe there’s advertising dollars that are lost. Even just a brochure site that drives business to a physical location, if that’s not there for the customer, then they’re gonna have losses regarding that.

And the final thing is the economic stress. This is something that ... there’s anxiety involved. We deal with people who have hacked websites all the time, and we see firsthand the level of anxiety. Nothing can be done quick enough. There’s confusion. There’s no plan on how to move forward. They’re not sure what to do or how to handle these incidences. They might be angry, and some of that might be directed towards you, because I’m guessing that one of the first phone calls they make is to you.

From the technical side, we have the ... there’s definitely implications here. Blacklisting ... it’s a big problem. It can take days to remedy a blacklisted site. There’s impacts to SEO that need to be repaired, and then there’s the risk of visitor compromise and personal information being compromised or stolen. These risks ... to the client, but there’s also risks and costs towards the agency. One thing I’ve really come to understand is that you guys are really the first line of support for clients who build websites for ...

I had a conversation not long ago with someone who developed a website for someone three years ago, and ... no maintenance, no ongoing, not even communication with the client, but when that website was hacked, this person was getting phone calls and emails. Luckily they had a plan on how to respond. What are the real costs for you to respond?

There’s the allocation of resources, so taking away from your core services and putting people, developers or whoever in jobs now cleaning websites and trying to fix these problems. The additional strains on customer support, dealing with that customer frustration and who knows? If worse comes to worst, it could be the loss of that current business or the loss of future business, so the implications and why security’s important, they fall to you as well.

Here we are. We understand some of the risks. Now, we’re going to start to communicate with our clients and prospects early, and we’re gonna educate them on security, but what do I do? How do I approach this whole thing? What you’re seeing here in this graphic ... I’m drawing this from a great article that was recently published by Tony Perez. Tony is the Product VP here at Sucuri. You can find this article on Perezbox.com. I really recommend you read it. There’s a reference slide at the end here. You’ll be able to find everything I reference through this presentation.

But what he talks about here is a basic website security framework. This is an example of how you can plan to mitigate the risks and respond to issues. We start with identification, protection, detection, response and recovery. I’m gonna take a high-level look at each of these areas, and this is something that we’re gonna continue to flush out and to enrich and offer some more content as we go, so something to keep an eye out for as well.

What is identification? And really, when we’re talking about an agency, we can look at this in a couple of different ways. The first is identifying your client’s security needs. These clients are not all the same, so they each have individual needs and if you understand those pain points and those specific risks, then it’s going to help you create a value proposition that’s going to resonate with that particular client.

Take these few examples. If you have an e-commerce site, then there’s PCI compliance. If you have a social platform, there’s data security. There’s personal and private information that is at risk. Even brochureware. It runs a risk of being blacklisted, so understanding your client’s needs and having, for lack of a better term, a pitch or a value proposition for each of those typical scenarios that you see will really help you in relating to that client.

The second part of identifying is actually having a physical inventory, and especially with some of the larger clients I’ve dealt with, this has been a real issue. Do you know where all the domains are? How many domains are you actually responsible for? What about sub-domains? How about all the plug-ins and the themes that are being used now that are not being used any longer, but that are still maybe posing a risk to the environment?

So having an inventory of the web properties, and then the second piece is understanding where are all of these things hosted. There’s so many different hosting options, and some agencies have dedicated environments for themselves. Others let the client look after that, so understanding that or even the combination of those things and having an inventory and knowing where those sites are located and hosting is gonna really help you when the time comes to react to any issues.

Moving on to protection. I’ll just grab a quick drink of water. When we’re talking about protection, what we’re talking about the things that you can do, the processes and the tools you can implement to protect the site, to mitigate the risk of a site being affected by malware. We always use that term mitigate the risk, because you can’t really eliminate the risk. It’s a difficult thing to do in security, so you try and minimalize the risk, and then have a plan to respond in the worst-case scenario.

We can identify three key areas or attack vectors that pose a risk to a website. The first is access control. The second is hosting, and the third are software vulnerabilities. When we’re talking about access control, we’re really looking at how can we effectively control the access to ... in most cases, we’re talking about either WordPress admins or the admin panel. It could be FTP. It could be SSH, but your credentials and the access to your site ...

The first principle, the first thing that you can do and the idea that you can start to think about is sensible user access. Really, what we talk about at Sucuri is the principle of the least privileged user. So what is that all about? Well, it’s using a minimal set of privileges on the system in order to perform the action. People are only getting the privilege that they need for the time they need it, and that’s a really great principle. It’s something that’s gonna help you reduce the risk of granting permissions to people, and one of the big issues is not just the permissions that you grant, but it’s not taking those permissions away when the work is done. It’s something to think about, user access.

The other piece of that is ... are passwords. I did some research leading up to this webinar, and I read a study and the link is in the references as well, but they mention that they study thousands of websites and ... or rather passwords, and they found that the most common password today is still 1-2-3-4-5, and the second most common password is 1-2-3-4-5-6-7-8. And they found that one in five people in their study were using one of the top five most-used passwords. So passwords are still a really big problem.

What can you do? Well, passwords need to be complex. They need to be long, and they need to be random. So complex, using different characters and capitals, non-capitalized, numbers, long, 12 characters or longer, and random. If you can ... nothing that indicates a pattern. That’s difficult and I understand that, and I know that acutely, ‘cause I have a lot of complex passwords to a lot of different systems. I don’t use the same password twice, so I have to remember a lot.

That’s why I leverage a password management tool, so that’s something you can think about. I use something called LastPass. It’s something you can introduce to your clients. You can introduce to your company, a tool like that, and then you only have to remember one complex password. There’s a risk associated to that. There’s a trade-off to everything. That risk is relatively small, but it’s something to consider.

The other piece of access control is controlling user authentication, so employing something like two-factor authentication or CAPTCHA. Those tools work. They can have an effect on the user experience, so again it’s ... there’s about ... balancing out the rewards with the cost.

As far as hosting goes, this is an interesting conversation, and I’m not gonna talk about sysadministration, because that’s not really our wheelhouse, but one thing that we hear a lot is the bad rap that shared hosting gets. But that really relates back to a time when there was poor sysadministration at these large companies, and there were mass exploitations. What we’ve identified as a big issue is less the hosting environment. It’s more about the number of sites that are associated to a hosting account. In a single cPanel, for instance, hosting 20 sites, or even in a VPS or a dedicated server, if those sites are not isolated ... or one site one container, that type of principle, then there’s the risk of this cross contamination.

And cross contamination is a problem we see often because of this, and it really is when one site can negatively affect the others in the same server, and it has to do with poor isolation of the site. So one site gets infected and that infection spreads through the databases and into the other sites. It can take a small problem and become a big problem really, really quickly.

The final piece, software vulnerabilities ... and if you’re developing on open-source CMS platforms, this is one of the greatest risks that you’re faced with. Really, three categories of attacks, and again these are really broad, but I don’t want to get into the weeds on these specific types of attacks. If you’re interested in learning more about any of these things, visit our blog. We have lots of great information there.

We’re gonna look at brute-force attacks, which are a password and user name combinations and flooded with different combinations trying to compromise access, and that’s where that access control becomes very important. The second, DDoS attacks, volume-based attacks. The ... flood your server with requests and try and either disrupt the performance of the site or bring the site down altogether. And then the final piece is that exploitation of software vulnerabilities, and really that comes from the code of the CMS software.

Some things that you can do and things that I’m sure all of you are aware of, but ... updating the sites. There’s no question that a large majority of the sites that we deal with that are hacked, they are out of date, not all of them, but a good portion of them. So updating, updating, updating is something that you can do to make things safer for you. Other things like changing default CMS settings ... so some CMS applications are writable by the user, so they allow the user to install extensions, for instance, so changing those configurations.

Leveraging things like server configuration files to restrict permissions ... another useful thing, and just generally choosing extensions carefully. Look at the age of the extension, the number of installs and downloads that this has, and use legitimate sources, although those things can help offset the risk.

Moving on to detection. Now you’re in a place where you’re addressing security from a protection standpoint, and there still becomes an issue or there’s an issue that you need to be able to identify. What do we need to look for, and what does detection mean, and what does monitoring mean? There’s really some areas that you need to address. First is being able to scan the core files and compare those against an up-to-date signature database for malware. Being able to identify malware in a timely fashion is going to help you respond quickly before an issue gets out of hand.

Another thing, and a way of helping to deal with the unknowns or maybe malware that the signature’s not familiar at this point, is looking at file integrity. Having a baseline of the files, and then being able to see changes that are made that maybe they’re outside of the rule set, or there are changes that should not happen ... to headers, for instance. Measuring file integrity. The other thing that we identify are some indicators of compromise, so some things that can point to a problem ... so downtime. If the site is down, it could point to a malware problem.

Changes that were not initiated by a valid source to the DNS or to the WHOIS ... really important things to look at. The other thing is monitoring blacklist agencies and making sure that if your site appears on a blacklist, that you have visibility into that. Detection could also be called visibility. You need to have the visibility into what’s going on in the back end.

The next piece is the response, and response can be one of the most challenging things. Malware’s complex and it tends to spread and get worse over time. Let’s just say that you’ve been able to identify an issue. Now what could a typical response to that look like? One, you need to isolate the site. Remove malicious code. Clean up the databases. You need to submit to Google or whoever to have it removed from the blacklist.

Then you want to go through and verify all of those user accounts to make sure that there’s not illegitimate accounts in there. Change all of the passwords, all of the accesses, so you really need to have people ready to respond. Training people and having them ready to deal with these types of issues when they are found is going to help you react quickly, and be able to get the problem solved.

The last piece, and the final phase of this framework is recovery. Recovery is a combination of things, but one, it’s ... can you identify how the site was infected in the first place? The forensics and identifying what caused the infection. What caused the issue, and then being able to harden or patch those vulnerabilities, rebuilding SEO and repairing customer relationships. That can be something that could be a factor. If the client’s frustrated, maybe they’re placing their blame, even though it doesn’t belong towards the agency, it often gets directed there. Handling those relationships can be a part of the recovery process.

That’s sums up the framework, but I want to give you another look, and this slide I titled it, “How to Deliver Security to my Clients.” And I really break things down into two different approaches. The first, and the preferable, is the proactive approach. If we were to go back to the framework, we would really say that being proactive is more to do with the first two steps, identification and protection. In this proactive approach, security is part of your conversation with your clients. It’s part of your process, and it’s part of your ongoing maintenance for the site.

You may be leveraging third-party security tools and providing those as a managed service to your client. You’re providing ongoing guidance and education to the client, especially on security practices and things that they can do to mitigate the risks. I understand that managed service and maintenance is not in everybody’s business model, so even just having a third-party that is prepared to deal with those incidences ... and that can be your plan. It can be as simple as that, just knowing, “Hey, if someone comes to me and there’s an issue or they want to prevent these types of malware attacks, then I know where I’m gonna send them,” and it can be as simple as that.

The second type of approach is the reactive approach, and ... back to my mom. She always used to say ... It gets kinda funny when I’m quoting my mom, but, she always used to say that, “An ounce of prevention is worth a pound of cure.” And I think that that’s true when it comes to security, so reacting is less ideal and it’s typically more expensive. What is a reactive approach? It’s when you respond when the issue comes up. No matter what, you can have the best product, the best service and you can explain it with impeccable detail why your client should follow these security practices, and not all of them are going to.

That’s not on you, but it’s on them, but you still need to have a way to respond. Have a plan for these people. Have a plan for this reactive approach so that you know, “Okay, if this happens, I’m ready to deal with it.” But more importantly, look at that as an opportunity to create value in a proactive approach. There’s no better time to say, “Hey, here’s how we can prevent this from happening again. Now, you didn’t listen to me the first time. Now that you’ve seen the consequences, maybe you need to revisit that.” It can become an opportunity for you, and a business opportunity.

We’re not gonna spend a lot of time on this. It’s not intended to be a promotion for Sucuri specifically, but I want to talk about working with a third-party security provider. I’m gonna use Sucuri as my example here in the next few slides, but there are lots of choices out there and you need to do your research. When you’re gonna purchase something or make an investment, then do your research. Test the platforms. We always encourage people to test in your environment before you go live so you can work out any issues. Implementing new technology, there can always be speed bumps along the way.

But most importantly, understand what you and your clients need and then find the right match. Find the company that matches up with your needs, whether those are your financial needs, your security needs, your process needs. Determine your needs, and find someone who matches up well.

Using Sucuri as my example, this is how we approach security. You can see now that this graphic is exactly like the framework, and it’s no coincidence because the principles are the same for our approach, and we use that framework ourselves. We really provide three distinct platforms to our clients. The first is a web application firewall, and then intrusion prevention system. It’s cloud-based, and it’s meant to mitigate the risk of a successful attack, whether that’s DDoS or brute-force or software vulnerabilities.

The second platform is a detection and monitoring platform where we’re scanning server side. We’re monitoring file integrity. We’re looking at front end issues, and we’re also monitoring those indicators of compromise. The third piece for us is incident response, and that’s cleaning a website. All of those tasks that we talked about, how do you clean a website? That’s what we do, and we do that manually for our clients. Overarching all of these areas is our team and our support, because it’s one thing ...

I always say technology is not enough. It has to be paired up with the proper level of support, so you need to have people that have the skills and abilities and expertise to make sure your technical configuration is right, provide you with tips and advice on how to implement secure practices, provide you with valuable materials that you can educate yourself or educate your clients. That’s how we approach security, and that’s what I mean. There’s different looks out there, and every vendor has a different approach, so this is how we do it and we find it creates really good relationships, particularly with our agency customers.

I’ve basically covered this information. This just talks about our platforms a little bit more, but I don’t really want to get into the weeds. If you want more information about how we actually provide our technology, then that would be great and we can certainly have that conversation. One important thing is, and one of our real strengths I think is, that we’re able to partner with anyone whether that’s just a simple referral, whether you’re using our consumer plans for those clients that need us when they need us or whether you’re following a managed service model and covering everything in your environment. If you’re interested in working with us, then there is a way.

That wraps up my content. I’m going to open it up for questions now, and I really appreciate you taking the time to listen.

See Full Transcript

Expand

Resources

In the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.

Resources

Webinar - Sucuri Introduces the Sales Enablement Department

During this webinar, you will meet our Sales Enablement team and preview the marketing information packages we have created for web agencies.....

Webinar - Fire Chat: Reactive and Proactive Protection for Web Agencies

In this fire chat, we're looking to find answers to some of the questions web agencies have been asking us for years, in hopes of shedding more light into how you, as an agency, need to respond to security threats your customers face.....

Webinar - Security for Web Agencies

Website security is challenging, especially with a large network of sites. We want to help you understand how you can create a security plan and reduce the risk of a hack or security incident. In this session Dana covers the implications of a security breach and why security should be important to your agency. Dana shows you a tiered approach to we....

Webinar - Beginner's Guide to CDN's

All content is not created equally. Reducing the time it takes for each piece of data to travel from the host server to the client will provide lower latency and a more optimized user experience. Ultimately, this helps avoid dropoffs in users as a result of extended load times.....

Webinar - How to Optimize Your Website for Best Performance

Attention spans are getting shorter, and search engines are favoring websites with faster loading times and lower bounce rates. By optimizing your website performance, you can rank higher in search results, increase and retain your traffic and create an optimal user experience.....