Date aired: May 14, 2019
Join us as we discuss the ins and outs of website security. Using good security practices as a website owner helps keep the entire web environment as clean and safe as possible.
Jen Fisher
Product Support Analyst
Jen has been providing support to Sucuri customers via chat, email, and phone for nearly four years! When not glued to a computer screen for work or gaming purposes, she can be found camping, dining out, or watching terrible movies with friends on beautiful Vancouver Island, Canada.
Question #1: How would you recommend we send credentials to people who need access to our sites (e.g. web developers)?
Answer: Password managers commonly allow sharing between users of the same password manager service. This is likely going to be the simplest option if you’re already using a password manager. Alternately, you could consider an encrypted messaging platform. For situations where the password is related to a specific user account, you could also consider just asking the user to follow available password recovery steps to set a new password for themselves without the need to transmit that info between individuals at all.
Question #2: How to protect XMLRPC from brute force POST attacks without losing its functionality/working?
Answer: Our blog contains a post about just that subject here! The recommendations there are still relevant—block access to xmlrpc.php if at all possible. If you’re using a plugin that requires access, consider blocking system.multicall requests instead. As you posed the question in a way that suggests you’ve tried a few things (without success) it’s also worth noting that there are a few plugins that will make that change for you. It’s also worth mentioning that many firewall services will block those actions automatically without requiring any changes to your site files.
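The answer above suggests filtering system.multicall requests when xmlrpc.php cannot be blocked outright. The sketch below is an added example, not code from Sucuri or from the blog post mentioned: it inspects an XML-RPC request body and refuses batched calls while letting single calls through. The function names, the 64 KB size cap and the sample bodies are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MAX_BODY_BYTES = 64 * 1024  # assumed cap; ordinary XML-RPC calls are small


def inspect_xmlrpc(body: bytes) -> dict:
    """Parse an XML-RPC request body and report the outer method
    plus any method names batched inside system.multicall."""
    if len(body) > MAX_BODY_BYTES:
        return {"ok": False, "reason": "body too large"}
    # Refuse DTDs and NUL bytes before parsing, so entity declarations and
    # UTF-16 bodies cannot slip past these byte-level checks.
    if b"\x00" in body or b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return {"ok": False, "reason": "DTD or non-UTF-8 body"}
    try:
        root = ET.fromstring(body)
    except (ET.ParseError, ValueError, LookupError):
        return {"ok": False, "reason": "malformed XML"}
    if root.tag != "methodCall":
        return {"ok": False, "reason": "not a methodCall"}

    method = (root.findtext("methodName") or "").strip()
    batched = []
    if method == "system.multicall":
        # Each batched call is a <struct> with a member named "methodName".
        for member in root.iter("member"):
            if (member.findtext("name") or "").strip() == "methodName":
                value = member.findtext("value/string") or member.findtext("value") or ""
                batched.append(value.strip())
    return {"ok": True, "method": method, "batched": batched}


def decide(body: bytes) -> tuple:
    """Return ("allow" | "block", reason) for one request to xmlrpc.php."""
    info = inspect_xmlrpc(body)
    if not info["ok"]:
        return ("block", info["reason"])
    if info["method"] == "system.multicall":
        # One HTTP request carrying many calls is what makes batching
        # attractive for password guessing, so it is refused as a whole.
        return ("block", f"system.multicall batching {len(info['batched'])} calls")
    return ("allow", info["method"])


# Constructed sample bodies (not captured traffic).
def sample_call(name: str) -> bytes:
    return (f'<?xml version="1.0"?><methodCall><methodName>{name}</methodName>'
            f'<params></params></methodCall>').encode()


def sample_multicall(inner: str, count: int) -> bytes:
    struct = ('<value><struct>'
              f'<member><name>methodName</name><value><string>{inner}</string></value></member>'
              '<member><name>params</name><value><array><data/></array></value></member>'
              '</struct></value>')
    return ('<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
            '<params><param><value><array><data>' + struct * count +
            '</data></array></value></param></params></methodCall>').encode()


if __name__ == "__main__":
    print(decide(sample_call("demo.sayHello")))
    print(decide(sample_multicall("demo.sayHello", 3)))
    print(decide(b'<?xml version="1.0"?><!DOCTYPE x []><methodCall/>'))
```

A filter like this only helps if it runs before WordPress handles the request, for example in a WAF or reverse proxy in front of the site.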
Question #3: My site uses managed hosting, do I still need to be concerned about security?
Answer: Managed hosting platforms (like Managed WP) eliminate several access points for you, but you’ll need to speak with your hosting provider to fully understand what is secured and updated for you. It’s still going to be important to be conscious of password security and general online security regardless.
Question #4: Can you speak to reasons why a site might be a target?
Answer: If it’s on the internet and it has any vulnerabilities, it may be a target. Malware distribution methods don’t typically sort sites based on size, visitor numbers, or business objective. Directly targeted attacks can and do occur, but they’re much more rare than automated exploit attempts. Your site security level and the risks of you being targeted are directly related.
Question #5: Do you have any recommendations for a good firewall plugin?
Answer: In general we try to avoid making specific recommendations, but personally I would really recommend a web application firewall (WAF) over any sort of plugin offering! A plugin is applied to your files, and “protects” the site by creating some internal rules to control access, but a WAF stands between your site and visitors to block access. WAFs will nearly always have a cost, but if you’re going to spend on only one security element a web application firewall would be my recommended pick.
Tony Perez – Sucuri Co-Founder
Jen Fisher: Today we’re going to be talking about how to keep your website clean. I’m coming to you from Victoria, BC and I can actually see Washington, the US, from my window here. So if you’re joining us from America, hello, we’ll wave to you. What we’re gonna be discussing today is going to be pretty broad. For a lot of these subjects we could do an entire webinar on just a few elements, so check out our other webinars or the Sucuri blog if you want more information. But we’re aiming today to approach website security for those who either aren’t very familiar or are just getting their feet wet and want a few more tips. I’ve been with Sucuri for four and a half years, thereabouts. I think a little longer actually. So I’ve been dealing with front-facing email, chat and phone support. I have a lot of experience with, let’s say, customer awareness levels. Oftentimes there’s a big discrepancy between what people think website security means and what it is when it’s actually applied. As well as what the responsibilities of the website owner might be. We’re going to discuss what website security is and how to approach the subject when making a plan for your own site. We’re going to talk about the various access points that most websites have. Simple ways to approach website security. Excuse me. These are free, easy to use, pretty easy to set up. They’re elements that everyone can apply to elevate their website security in very simple ways. We’re also gonna discuss some intermediate ways to approach website security and though I love the technical elements and I don’t want to disappoint anyone here, we’re not going to get into how to apply too many things to your code because not all of these elements are going to be usable with all websites. Every website is a little unique and I don’t want to arm you with information and have you go off and end up getting 403 errors on your site or something based on a code change.
So do check out our other content if you’re interested in how to secure your code further. But today we’re going to talk pretty broadly about the security subject. We’re also going to discuss a few ways to increase your general security online. The web is an environment, every user is a part of that, and if you can elevate your own personal security when you’re accessing the internet, that’s going to help to reduce your risk and reduce the spread of infection and the general security of that website environment. So why is website security important? You’re here, so you probably know that it’s at least interesting to you. In 2018 WordPress sites comprised roughly a third of the Internet. They’d been holding steady on that point for a number of years. But also in 2018, 90% of the many, many thousands of sites that Sucuri cleaned were WordPress sites. A lot of CMS options, content management system like WordPress options, are very user friendly. They provide a user interface that allows users to easily set up and manage a lot of content, but that means there’s a lot going on in the back end that people don’t see or don’t interact with in their daily interactions with their website.
Jen Fisher: It’s also important to note that only 11% in 2018 of sites that were infected were flagged by blocklisting agencies. So just because your site looks safe, it doesn’t necessarily mean that it is. And we like to avoid fear here at Sucuri whenever possible, but it is important to not rely on other companies to tell you when your site is safe. It’s also important just to touch on the point that malware is on the rise. Malware distribution. It’s sort of an arms race. As security elements get more intricate, those who are looking to compromise websites also increase their approaches and the sophistication of those approaches. So, it’s important to secure your site and start at the ground level while you’re able to. And as things advance, you can then advance with them. So what is website security? Again, we could do a number of presentations on any couple of these points, but we’re going to be pretty broad here. Website security is applied very functionally to your site content via restrictions. Either permissions or access code or .htaccess code restrictions, things like that. It’s also environmental. It relates to the security of the devices and panels that are connected to your website. For instance, your home computer or your hosting server. It’s tangential in the sense that it’s related as well to the security of things that can access those panels. Like if you have WordPress or any other CMS, you probably have password recovery options. So we need to consider securing things like email accounts. It’s also flexible and I don’t want to tell you that failing to secure a website won’t cause any problems for you. It is very important to take some of these things into account.
But there’s sort of a Venn diagram to be imagined where website security, your interest in applying that to your site, maybe you have a blog and it doesn’t really matter to you if you’re hacked, and the amount of time you have to dedicate to that, comes together in the center to form what website security will mean for your own website. It’s also active. We at Sucuri know this more than anyone maybe. It’s a matter of being aware of what you’re clicking on, how safe you’re being when you’re sending information. Just considering every action that you’re taking in the lens of security to ensure that you’re taking as few risks as possible. So can’t I just buy a service? I wanted to approach this subject because when I started with Sucuri, while we were growing, my team was the team that handled a lot of those very difficult conversations. Someone pays a lot of money, in some cases, or whatever their approach to the finances is, for website security and thinks that their site is just going to be safe. And in our realistic world, that’s just not the case. There are a lot of elements that paid services can secure for you, but there are some elements that are just going to be your responsibility as a site owner or administrator. There is room still, though, for the discussion about paid services in this conversation and website security paid services might be for you if you don’t have a lot of time to dedicate to the matter, but it’s still very important to you. That’s gonna elevate where you have to start taking responsibility for your own site.
Jen Fisher: It might also be for you if brand reputation management is very, very important. If you’re a company that sells security services or really sells anything online and can’t stand to have your users’ information compromised, a paid service is really going to help to both elevate where you start from and give you assistance quickly and simply if anything does happen. A paid service might also be something to consider if you’re just starting with the subject, if it’s important to you and you want a company behind you that’s going to be able to have conversations about your site and what security needs to mean for you and give you tips and support along the way. So with that being said, we’re going to approach the subject assuming you haven’t purchased a service. Most websites have multiple points of access that we need to consider. The CMS panel is one of them. CMS is our content management system, like WP admin. We need to also consider access securing through the hosting account, the control panel, if you have that set up. We need to manage connections like SFTP or SSH accounts and usage. We also need to consider that access by the Internet publicly might be a concern. So if I have a very secure site from the perspective of my content management panel, but there are some elements in the backend that I don’t know about or haven’t taken the time to secure, that might also be exploitable. In addition to these points of access, we also need to consider the ways that those elements can be potentially accessed. For instance, email for password recovery purposes. We need to secure our accounts and use strong passwords on those panels. Your computer device and the security there, these are again tangential, but if my computer’s infected and I’m working on website files, there is a potential for malware to spread between even platforms. We need to consider the browser used on your computer device.
This isn’t going to secure your website content, but it’s going to ensure that your environments are kept safe. We also need to look at the way data’s being sent. That’s something that not a lot of people consider very often. Encryption is important when you’re sending logins or passwords and just generally for your users. If anyone’s using your site in an unencrypted fashion, you want to apply something to fix that. So we’ll discuss that. The security of the server on which your content is stored is also important and most often your hosting company is going to take care of this for you. But it’s worthwhile to note that a conversation might be in order just so you can understand what they’re applying and what your responsibilities are from their perspective. The number one cause of hacked sites, compromises, is a lack of updates. When security releases are provided, those are analyzed by the people looking to compromise websites and they can find the security holes and then target your site. So updating is important, but it’s not only important to update your CMS, your WordPress version. We also need to consider updating plugins, themes, extensions, and any server side platforms insecurity. It might sound a little simplistic, but often people neglect, don’t even know what’s in place. So making note of those and ensuring that everything’s updated every month or a couple months, whatever’s appropriate for your site is a good idea. It’s also worth noting that even if your site is updated, there may be elements, as we discussed in the backend, that you’re not aware of or not using often that are potential risks. So keeping a clean site environment and monitoring access is going to be very important. We want to avoid pirated plugins and themes. Anything you install on your website needs to be from a reputable source. It’s also possible to connect with malicious or ad networks serving malicious content, so you want to be careful of those as well.
Remove content that isn’t in use. Quite often, every day, many times a day, we connect to websites to clean things up and there’s a lot of files there that aren’t active on the website at all. It’s also more likely if something is not in use on your site that you won’t think to update it, or manage security for it.
Jen Fisher: So, in the hosting environment the only things we want to have there is what needs to be active to make the site function in the way that it’s currently running. Everything else can be backed up. You can still keep your files, but it doesn’t need to be in that hosting environment where it can be accessed publicly. Limit, monitor and audit access regularly. If you have FTP accounts out for eight people, but only two of them need to be using those accounts this month, or this year, remove the other points of access. Every individual that has access to your site is also going to pose a potential security risk. Not that they’re going to be irresponsible necessarily, but there’s really no reason to have access available to people who don’t need to use it in the moment, or in the week, whatever timeframe it is that you’re working with. Use two factor authentication wherever possible. I’m a big proponent of two factor authentication. For any one of those tangential elements that we’re talking about: email accounts, cPanels, if two factor authentication is available to you I recommend using it. That’s going to place an extra layer of verification between yourself and the login panel, and ensure that even if your passwords are leaked, or stolen, intercepted that they can’t be used because only those who have been verified and have a time sensitive code are going to be able to proceed to the login panel. Strong random passwords. Please, I love our client base, but this is one point that I have seen probably more than any other in the course of the day at Sucuri. Passwords should be strong. I use 16 character passwords, but anywhere from 9 to 12 characters would probably do the trick. We also want to vary the characters that we’re using, letters, numbers, and special characters. It’s also important to note that, if at all possible, you should not be using words within your passwords. The more randomized the better.
It’s also ideal to use different passwords for every single panel, and that’s where a discussion about password managers comes into place. Maybe you’re using one, you’re already on board, but a password manager is a vault in which you can keep all of your passwords, and access it through only one password. So, there’s not a lot to remember, but it’s going to allow you to use strong random passwords for everything without having to remember them all. Password managers are also going to be helpful in allowing you to share passwords securely, revoke access securely, update passwords with just a few clicks, and auto fill pages that you need those passwords on, if you want to use that. One security plug-in, please. When I was working, before Sucuri, with a company that dealt with computer malware quite often we would log into someone’s computer … they would purchase our service and think that they were safe, but get infected. Then, of course, we’re to blame, we have to figure it out. When we connected you find that they have not one, but maybe two, or three, or four antivirus programs with active protection. Website security plug-ins are going to be a similar subject there. If there are multiple elements vying for control of who’s getting access they can render each other useless, so one security plug-in, if you’re going to use that option, is going to help keep your site safe. Multiple plug-ins will not keep your site safer. Nonstandard usernames. Another one we see quite often at Sucuri. Admin is probably not your best choice, use something relevant to you that’s going to be difficult to guess. Applying an SSL is also something that’s really important and free. Let’s Encrypt is something we use at Sucuri. You can get a free SSL for your website, and that’s not going to protect your files, but it’s going to ensure that any data transferred to and from your website like email addresses, contact details are secured for your users.
The other completely free, and very approachable thing that you can do for your website security is have a Plan B. I am all too familiar with the level of surprise, and stress that comes with being compromised, dealing with customers who were in that situation many, many, many, many times. Most people don’t anticipate that not only is a website hack going to be frustrating for you in dealing with the hack there’s also a lot of fallout to consider. Your users might have complaints. They might want to know what you’re going to do to secure the site. There might be frustration if login information or, forbid, credit card details have been stolen, so it’s important to consider in advance with a clear head what your plan will be, and then if there’s even a hint of a security concern you can take the necessary steps to secure your site and ensure that everything’s okay in as stress-free an environment as possible.
Jen Fisher: We want to consider all the points of access that your particular website has. We want to list individuals who have access, how you’re going to update all the passwords. When your site is compromised it’s very important to do that. We at Sucuri would do that after the cleanup, but if you’re dealing with things on your own you want to update passwords as soon as possible. Updated passwords are going to be sent to anyone who’s working with you securely. If you have someone who’s available to help with the compromise getting the information over to them safely on encrypted channels is going to be something to think about. Backups are always a good idea. A website backup might not save your site in this situation, but sometimes if malicious code is injected and you have a backup you can just revert to the state before the hack, and your site may be okay. On the subject of backups I recommend keeping them off the hosting server, if at all possible. That’s going to ensure that you have a redundancy if the hosting server is impacted, or maybe the hosting server is unavailable you’re going to have the backup somewhere else. If you have to keep backups on the hosting server it’s important to keep them in a directory that is not obviously a backup because those are often targeted and exploited. Keep it outside of your root directory in a folder that you’ve named uniquely, maybe not just ‘backups.’ If you can’t revert the site to a backup to fix things what will you do? What are your resources? Is that the point where you’ll contract a paid service? Are there any other resources available to you who you can reach out to for help with that? At this point, I want to also recommend our other webinars. We have quite a few on how to deal with hacks, so check those out in advance, if at all possible know what your course of action is going to be there. Those are the very simple ways, everyone can and should be doing those elements.
We’ll also discuss some intermediate options here. I don’t want to give anyone information that’s going to harm their site, so if you consider applying these, and I really do encourage that everyone at least try them out, it’s really valuable to apply. Please be sure that you’re applying them to folders … or, sorry, files that are backed up, so you can revert if a change causes an issue for your site. Also, make a note of the changes that you’ve made just so you know what to reverse if something goes wrong. We can consider disallowing PHP execution via .htaccess or permissions. Quite often malware is executable, a PHP file. Disallow file editing in wp_config through .htaccess. That is not a file that the public would need to be editing from a public vantage point. The Sucuri plug-in is also going to do some of the things for you. It’s completely free. It’s available in the WordPress repository, so consider checking that out, if you want to do some hardening to your files in this way, but don’t really want to toy around with them. IP-based limitations are also incredibly useful. If, for instance, you can contact your Internet service provider and get the range of IPs that you’re working from you can lock down access to certain directories or pages based on just those IPs. If they change, obviously, you’ll need to update them, but that means that if your password is leaked nobody’s going to be able to access those pages even if they have all the right information if they’re not coming to the page from an IP in that list. I also recommend limiting access to wp_includes images and uploads folders. Quite often permissions are not what they should be on those areas, so check them out if you can. Restricting upload capabilities, I know from Sucuri’s perspective sometimes this can be a bit of a hassle. We don’t accept uploads in any of our support channels. Why? Because malware can be updated, and shared in that way either intentionally or unintentionally.
Sometimes the files that you’re sharing might have malware on them and you might not be aware of that. Uploading is also not, typically, necessary for most websites. If you’re going to allow uploads consider allowing only the uploads that you might need … sorry, the file types that you might need. If you’re going to allow uploads consider encouraging people to use a link sharing service. You can often share any type of document through like Google Drive, or an image sharing service without the need to actually get files. It’s going to reduce risk for you. Avoid renaming extensions to void your security protocols. This is something that came up when I was talking with our remediation supervisor in advance of this presentation. If you have put PHP based limitations on something, if you’re pretty secure but, for instance, in this example if you rename your wp_config.php to a .bak extension, for instance, in the name of trying to edit some of these things you are going to void the PHP file extension therefore voiding any PHP based restrictions that you have on that file. So, just be conscious even when you’re doing things in the name of security what ramifications changing your file names might have. We’ll go back, again, to the very general to discuss Internet security as a whole. Everyone can and should be doing these things. They’re easy to apply, so I would encourage you to try them out. Script blockers, used every single day at Sucuri. We joke that script blockers save lives. When you access a webpage a lot of content is loading. A script blocker is going to allow you to manage what you allow to run, essentially. So, it’s going to tell you, “Well, these are the scripts that are running. Do you want to allow them,” and you can choose, if you so wish. 
A script blocker is going to be a little bit … not difficult, but for the first little while you might notice that webpages aren’t loading, and have to think why, and the script blocker might be the cause, but you can then choose to allow those scripts to have everything load correctly.
Jen Fisher: Antivirus programs with active protection, on all devices. Just one on each device. Active protection is going to ensure that if you do click a link, or a malicious site, and something has attempted to download to your computer it’s going to block that for you. Two factor authentication and password managers, we already talked to. These are valuable for every account. Email accounts, whatever, social media accounts, if at all possible. Both of these elements are going to just be, generally, helpful online. Be aware of social engineering and phishing risks. This is something we at Sucuri are very aware of. Links, downloads, it’s important to be aware of what you’re clicking on, and ensure that it’s from a trusted source. There are options online that are going to let you scan URLs, scan files to ensure that they’re safe. I would recommend doing that before you click on anything from a source that you’re not already trusting. It’s also important to note that things like bank accounts never enter your login information online via a solicited email without verifying that the organization you’re connecting to has actually sent you that email. Discuss your security requirements. If you have all of these great things in place, and you yourself are very secure, your site is very secure, but you’re working with others who may not be aware of those requirements those are points of potential risk. Having conversations with other people who are connected with your site, or who might be working with your files is just going to ensure that everyone’s on the same page. Send info securely, we’ve already touched on this a bit, but sending anything over non-encrypted channels is going to be a risk. You can do it, you might be fine, but you might not, so why take the chance? And, if you’re ever unsure ask. Come to sucuri.net, and we’d love to chat with you about questions.
Any good company that you’re going to connect with online is going to be interested in having conversations with you to elevate your own awareness of security because that’s in the best interest of everyone. The more I can help to educate our customers about what their responsibilities or needs might be the easier it is for them, and then the less support we have to provide, which we never mind providing, by the way. Ask your questions to our team, to your hosting provider, anyone who’s available to you and we have an opportunity now to answer questions, if you have any. Nikki?
Nikki Gerren: Yeah, great job. Okay, we have time for just a few, so let’s start here. “My site uses managed hosting, do I still need to be concerned about security?”
Jen Fisher: The answer there is … well, yes, you do. Managed hosting, like one of Sucuri’s or another paid service, is just going to elevate the point from which you need to take over, but security is still something to consider especially when we’re dealing with passwords, securing those tangential accounts, but each managed hosting provider might be a little bit different, so you’re going to want to just have a conversation with them about what your responsibilities are and what they recommend.
Nikki Gerren: Sounds good. Let’s see. Also, we have, “Can you speak to reasons why a site might be a target?”
Jen Fisher: We get this all the time. I blame CSI. A lot of people get hacked and think that they have been targeted personally for some specific reason. It is possible, actually, for your site to be targeted if you’re a large corporation. You may be a direct target for some reason if you’re a company that has very specific views that other organizations, or groups don’t agree with. It is possible for you to be targeted directly. But, I can’t give you a figure because I don’t know the exact number, but in the majority of cases sites are targeted because they’re vulnerable. It’s not about you. You could be a blogger, you could be a bank, if you have the same vulnerabilities you’re in the same pool of risk, unfortunately, so just try and keep your site safe, and you’ll be a lot better off online.
Nikki Gerren: Great. Okay, I like that answer. Also, we have … well, this one had Stephanie named to it. “How would you recommend we send credentials to people who need access to our sites? For example, like web developers?”
Jen Fisher: Again, password managers are going to let you do this, typically. LastPass is a really popular one that I know has this option. Any login info that you have set there you could usually click on that and choose the option to share the information with a specific email recipient. There’s some question about how secure the password is because LastPass sometimes, I think, does include that, but it’s going to be a lot safer than sending things directly through email or text. You can also use encrypted text services actually. A lot of them provide that option, but I don’t want to get too dicey there. It’s important to consider the politics of those services as well. Like WhatsApp is encrypted, but it’s also connected with Facebook, and there’s some concern there. I recommend using the password manager option if that’s available to you at all.
Nikki Gerren: Like LastPass, you said, or …?
Jen Fisher: Yeah. There’s a lot of them out there. Choose one that works for you. Most of them are free or very inexpensive for a yearly period. LastPass is just quite popular, so start there. You can check others out if you don’t like the features.
Nikki Gerren: Yeah, I like that one. Finally, let’s do this one, “Do you have any recommendations for a good firewall plug-in?”
Jen Fisher: Actually, I’ll need to look into this for you. So, we might [inaudible 00:30:10] content on that but, again, in this webinar I don’t want to make any recommendations for site code just because your site might be the anomaly where our general recommendations would not apply, or would break something, so I’d love to get that answer to you afterwards here just so we can ensure that all of the considerations are covered.
Nikki Gerren: Well, that wraps things up. That’s the amount of questions we can kind of get to. We appreciate everybody for attending, and Jen thank you, again, for … this was your second webinar, right?
Jen Fisher: Yeah. Yes.
Nikki Gerren: I think so. So, thanks again for taking time out of your day. We look forward to seeing everyone next month. We have our webinar, that’s June 18th, I believe, and it’s on what are the most common types of hacks, so hope to see you all there, and have a good day.
Jen Fisher: Thank you!
I want to thank everyone for joining us. This is a really exciting period for us to sit down and chat with you on a number of security topics. I want to specifically start on what happens once an attacker is successful, and I think this is an important way to start. I think often we focus too much energy on what are the things we should be doing, but we don’t necessarily know what it is we’re trying to achieve. So a common theme you hear in my conversation – it’s all about mindset.
Before I get started talking about the impacts of a compromise, I want to give a little background. My name is Tony, as Michael just mentioned. I’ve been working here at Sucuri since our early days, since our inception, side by side with my business partner Daniel, and one of the biggest things we’ve always placed emphasis on as an organization is understanding what the problem is and trying to address that problem. Everything we’ve ever done is about, “How do we fix the problem of websites being compromised” – not for the large enterprise, not for the small business, but for any website. We don’t discriminate against industry, we don’t discriminate against size. We feel that website is non-discriminatory and we want to be the same way, and so some of the information I provide passes over all these industries. So on behalf of Daniel and I, we’re both very excited to be able to start delivering these very hopefully valuable and actionable presentations.
With that, I want to set the tone a little bit for what you’re going to hear. This presentation focuses on the back end or more of a bottoms-up approach of saying, “This is what happens after a compromise.” So the audience is more … You’ve likely been infected, you’ve likely experienced something that’s been infected, or you’re just generally curious on how you should be thinking about security and you want to take more of a proactive mindset and say, “What are the things I’m trying to protect against?” Maybe you’re curious what can an attacker do. Maybe you’re trying to weigh the risks, trying to figure out where security fits into your overall business plan or your online presence, and hopefully you’ll get some of those answers here in this presentation.
With that, whenever I talk about compromises, I always like to talk a little bit about psychology of the attacker or really the motivators of the attackers. Why do they hack? If we can sit down and take a moment to understand why they do the things they do, you can start taking away some of the personal pressures we put ourselves of, “Why did somebody hack me?” And when I do that, I always break things out into four distinct domains. I don’t talk about the “who” here, I talk about the “why.” Because if we were talking about the “who,” we’d be talking about, “This is the demographic of this type of attacker, and this is a criminal organization or this is a nation-state.” That’s not necessarily what I’m saying here. What I’m saying is, “What motivates them?”
And of course we start off with revenue. That’s perhaps the easiest thing for people to understand: the ability to make money on your website. That comes in various forms, whether that’s data exfiltration, which is what we’ve seen with things like Target and Home Depot, stealing credit cards. Then the next very obvious response is, “But I don’t have any credit card information.” But there’s other ways to generate revenue from that, whether it’s affiliate-based campaigns – we see that a lot in pharma hacks – the bottom line is attackers have a way to make money on your website and the associated resources with that website, and so of course there’s enough motivation. And what we’ve learned over time is that, with enough motivation, with enough time, anything can be penetrated, and if you make yourself a susceptible target, you will get penetrated.
Then we move into the audience. This is for that target market that says, “Well, I don’t necessarily have anything of value.” But what we forget is that you do have something of value. Everyone of us that have an online presence has what we call audience. We have people that come to our website, read our articles, maybe they purchase our products or services, and that audience is valuable. That audience allows them to generate revenue for some form or another. But also, it allows them to be engaged, not just from you as a website owner, but from the attacker’s perspective. Maybe I want to target them and I want to distribute some form of desktop malware. Maybe I want to encrypt their environment. Maybe I want to download some kind of Trojan in their environment and steal their financial data. It’s not just about what they see on your website, but what your website can do to your audience.
Thirdly, we have resources. I have found that when talking to website owners, we think very one-dimensionally. We think, “Okay, I am running WordPress. I am running Joomla! and that’s all I care about,” but in fact we have a responsibility to the environment as a whole in which that website resides – things like their server. And that server is very valuable because that server has other components on that server, whether maybe you’re using it as a mail server. Maybe you’re using it as a file server or some other server of some type that can be abused, whether it’s to send out e-mail spam. Maybe it’s integrated into a larger network, otherwise known as botnets. Or maybe it’s used to attack other websites, so that the attacker can use your resources and they never get in trouble, but then you in turn get affected because of their nefarious acts. So we have to think once we’re online, we’re part of a much larger ecosystem, and our responsibilities extend beyond the website itself.
Lastly, and perhaps the most annoying of the motivators is just “why not?,” right? Maybe I graduated high school, my mom’s working, my mom and dad are working, I’m sitting at home and I have nothing better to do, I saw this awesome webinar from Sucuri talking about websites getting hacked and now I’m curious how websites get hacked. They go online, they find a little script, and, “Oh my gosh, look, via some Google [inaudible 00:05:30] I’m able to identify somebody running an outdated version of some open source CMS or closed source CMS” – whatever it may be – “and boom, I’m in. And so now it’s a matter of telling my friends, ‘Look what I did. Look how awesome I am. Look at me, I’m [inaudible 00:05:43]'” And that happens all the time, right?
Unfortunately, it’s probably the most frustrating thing because what’s going through their mind is simply doing something for fun or amusement, with little consideration into the impacts that that may have to you as a website owner, whether that’s affecting your ability to support your family or support your business or support your employees – whatever the case may be. The last thing we want is to get affected because of something like that. And some of the impacts can be severe on the lulz side because on the lulz side they have no motivation of revenue or audience, so they could easily log into your environment and delete your entire directory. And those with an improper security posture – no backups, no maintenance – often find themselves on the bad side of a short stick.
So we understand their motivators. We understand that they may want to log in and abuse our environment and they may have motivations to do that. But what exactly can they do?
And when I talk about this, I always like to start and say, “Let’s remember that when we’re working with infections, what we see is only what the attacker wants us to see.” In often cases, it’s actually a much more complicated problem, and what you see is only a fraction of the problem. Often, similar to an iceberg, a lot of the problems reside in the things that you cannot see. So, if I log into a site and I see that it’s distributing some kind of malware, that’s great, but we need to be thinking beyond that. I say, “Okay, if they’re distributing malware and it’s part of a larger network, the odds are is that they have other things in that environment that are gonna ensure that they can continue to access that environment – things like backdoors. Or maybe they’ve added this environment to their larger networks, so maybe we need to be looking for any other server-level scripts that might allow to do that – might allow them to, not only distribute malware via your site or do some kind of spam campaign, but also allow it to attack other sites part of a larger network.” So we want to be looking at the things that we see as well as the things that we don’t see.
With that in mind, I always like to break things up into infection types, and I look at seven distinct infection types. Now, these are not mutually exclusive, so just because you have malware distribution doesn’t necessarily mean you won’t have search engine poisoning or you won’t have phishing lures. In fact, what we see a lot is, once an environment has been penetrated, you can actually expect to see probably a little bit of everything. They kind of just open up Pandora’s box and they’re like, “Awesome. I have access” and they kind of just dump it in your website and they’re like, “Sweet, let’s see what works.” Obviously that’s not always the case, but that is often the case.
When we look at the relationship between the types of infections and the motivations, this is kind of what we look at. So when I talk about malware distribution, what I’m talking about is really the distribution of drive-by download attempts. For instance, what we’ve heard of that is, you open a website and, unbeknownst to you, the website pops up a little dialogue in your desktop and it says, “Please clean your PC” or “Your anti-virus is out of date. Click here to update.” A lot of individuals won’t make the relationship between the activity that’s happening right on the desktop and the activity that’s happening on their website and understand that the trigger’s actually happening from the website. They simply see it as a desktop. They’re like, “Oh okay, perfect.” And they click on it. And they don’t believe it to be the website because they trust that website.
Then you have things like search engine poisoning. As the name implies, it’s the method in which attackers are able to abuse how search engines view and interact with your site. So maybe they go to PerezBox and they pull up PerezBox and I like to talk about business and security, but instead you go to Google and you find that I’m actually talking about Viagra and Cialis and maybe I’m selling you the latest Gucci bags. And that’s obviously not a good thing.
Then we have phishing lures. Phishing lures is where we use a website of a known environment – say your Facebook or your PayPal or your Wells Fargo – and we try to trick you into giving us some sensitive information, whether that’s credit card information, whether that’s your login credentials, whatever that may be. Say you get an e-mail from Wells Fargo that says, “Please, this is your 90 day username and password check. We need you to log in and provide us with your … update your password.” And so you go through the process, you click on the link because it says “Wells Fargo Home” and you click on it, it goes to your browser, we open it and it says, “Okay, username, password,” the whole nine yards, “Oh, and we need you to confirm your address and your mother’s maiden name and your birthdate and your favorite pet” and the rest is history. And then all that information gets captured and gets sent back to what’s known as a command-and-control environment and then that happens to thousands and thousands of people. Now, how horrible would we feel if that’s being facilitated through our websites? And it happens every day. It gets embedded in very discreet locations on your server and then it’s added to e-mail campaigns and it’s kind of all interrelated.
We have things like spam e-mail, where your servers are distributing this spam on a continuous basis, maybe part of marketing campaigns, and this ensures that the attackers can continue to do this at scale without their campaigns being affected. We shut off one server – that’s okay because I have ten more servers part of my network.
We have things like defacements, and that’s simply you log into an environment, next thing you know you’re pro-ISIS or you’re pro some activity that you’re against, or whatever the case may be. Especially a lot of Israeli-Palestinian activities, you’ll see a lot of that pop up – “Oh, we’re pro-Palestinian,” “We’re pro-Israeli.” Whatever the case may be, it’s all about … A lot of hacktivism is a lot of pursuing other activities, things like that.
DDoS scripts and backdoors: I briefly talked on that, and that’s where the attackers are able to implement scripts at the server level that look to abuse the resources. The backdoors look to abuse your access control – maybe you’re using WordPress and you have IP allowlisting, et cetera on WP admin, but now through a backdoor the attacker is able to bypass all those controls and simply access the environment without going the normal avenue that you’ve defined. Bot scripts, being part of larger botnets, or even DDoS attacks being able to use your environment to attack other environments, or being part of a larger network.
Of course there’s ransomware as well. That’s something that’s been coming to forefront as of late, which is twofold, right? They can log into your environment and they can hold your website hostage. They encrypt your entire directory and, if you don’t have a backup, now you find yourself in a situation where the only way to decrypt that information is to either pay the attackers in bitcoin or have to rebuild the entire website. And it just kind of depends on what your preference is.
Data exfiltration is kind of what we often hear about in large scale, “60 million credit cards stolen from Target, 20 million stolen from Home Depot,” whatever the case is. But that actually happens at smaller scales as well, and doesn’t necessarily always happen in large scale. It could happen with small businesses with just a few hundred customers. Data extends beyond credit cards and goes into information like personal identifiable information and I’ll talk about that.
So this is just kind of a very very high, rudimentary explanation of some of the types. Again, this is not an exhaustive list, but this is perhaps the top seven that we see affecting websites of all sizes – large organizations, small organizations, blogs. So with that understanding, I like to think of the impacts. When I think of impacts, I like to break them out into two distinct domains. I look at it from a business perspective – how does it affect me? – and then from a technical perspective – how does it affect me there? And I think that’s really important because every one of us has a little bit of different perspective. On the business I’m concerned about one thing, but on the technical side I need to know how to address that. So we’ll approach from that perspective.
When you think about the business impact, first and foremost is obviously the brand. If we have an online presence – I really don’t care if it’s a blog, if it’s a static page, if it’s a commerce site – whatever it is, it was built and deployed for a reason. Even if it was only to target a hundred people, we still focused on building some kind of brand and we have some responsibility to that brand, not just to ourselves, but to our audience. And one of the things that we’ve learned is that no matter how much someone says that, “Oh, that website is of no value to us,” they quickly find out how valuable it is when, all of a sudden, even the hundred people that were going to it are no longer going to it. Right? And it’s critical to the reputation of that brand.
Now, the one thing we have noticed, however, is that, unlike 2010, 2011, the tolerance is evolving. There seems to be more tolerance to compromises of some kind as long as we as businesses work to articulate that problem to our audience, explain to them what has happened, and you often seem to recover. It takes a little bit of time, and so it really comes down to you. Are you willing to accept this as a risk? Are you willing to have your brand potentially tarnished and are you okay with an impact for, say, 48 hours, three weeks, a month, whatever that may be. And only you can really define that.
Of course, that leads us into the economic impacts. This is perhaps the most obvious, right? If we get blocklisted or someone is unable to access the environment or your audience loses faith in what you’re providing them, then you don’t generate new traffic, you don’t have any new growth, maybe nobody’s purchasing your products or your services, and of course there’s an economic impact there. But I want you to think beyond the ability to generate revenue, but also think about what you spend. And your spend isn’t necessarily always monetary. A good percentage of it is, but it’s also your time. How much time are you willing to invest to get back up? Is it something that you should be doing, or is it something that you want to be focusing on the business? And then how are you going to feel moving forward? What software and technologies and personnel and training do you need to invest in post compromise to try to ensure that doesn’t happen again, and are you okay with that happening again? Of course there’s gonna be financial implications of that as well.
Lastly, the one thing I want to emphasize is the emotional distress. This probably isn’t discussed as often, but it’s actually really important. Over the years, I’ve had a lot of conversations with customers and I’ve had customers crying on the phone, saying, “I cannot believe this happened,” and there’s a tremendous amount of anxiety. At that point when a compromise happens, I can tell you right now that nothing will ever move fast enough. “God, my stupid host doesn’t know what’s happening.” Right? “Oh, the security guys are lost. They don’t know what’s going on. I could have done that myself.” You know? “I can’t believe this. It takes so long. It’s been 45 minutes since someone’s responded to me.” For you, it can feel like the end of the world and it’s a combination of not knowing what’s happening and just pure frustration and anxiety to the problem.
Of course there’s also confusion. “What do I do now? Okay, so Google blocklisted me. Who do I talk to? I go to my host and my host says, ‘I’m only responsible for the network. I’m not responsible for your website,’ and I cannot believe that. Why wasn’t that in large print?” Things like that. And then that leads to a lot of anger. Now you’re mad, you’re upset. “I cannot believe!” You just wanna reach through the matrix and shake somebody and be like, “Why would you have done this to me? Do you not know that my website’s so important to me?” And I can tell you right now that hacks almost always happen at the most critical point. You’re about to launch your latest post. You’re about to push the latest product. You’re about to have a thousand visitors to your site in 25 minutes. It’s just crazy stuff, and now of course it’ll happen at that moment.
And then you go through this phase of sadness, of despair. We’ve worked with customers and it’s like, “We’ve been working this for three weeks. We don’t know what’s happening. We’re just so infuriated. We’re so mad and sad. It’s ruined me. I haven’t been eating for days.” Things like that.
And then you go through this phase of just distrust. “Why would I give anybody access to my environment again? How do I even know what plugins to use or what extensions to leverage? How do I know that this is a good host?” You start asking yourself all these whys and never really find the answers and that leads to what I like to call an erosion of trust in technology, in internet, in people, and it just leads for a very bad feeling.
When we move into the technical impacts, there are obviously a lot of technical impacts. First and foremost that I like to start with is website blocklisting. This is perhaps the ones that can affect you the biggest or the most and that’s because what that means is that somebody has the ability to stop people from accessing your environment. And it extends beyond search engines. So yes, Google, Bing, and a couple other search engines will make it so that when somebody goes to your website and, if it’s been infected, they will actually kill anybody’s ability to access it. And it’ll show them a big red screen – “This site may be distributing malware, maybe have issues, you may not want to go to this site” – and that can be very devastating for a website owner and it can actually kill all the engagement with that traffic.
But it also extends to your IP, it extends to your domain with mail servers, and it extends to network firewalls – say, like the Websenses of the world, where if you get categorized for pornography, all of a sudden somebody from a specific network won’t be able to access it. And that can extend to AT&T or your cell providers. That can extend to airport providers, the whole nine yards. So we want to be careful of that.
Of course there’s the SEO impact. This kinda goes without saying. An attacker can go and attack your search engine result pages. They can attack your SEO, and from a market perspective, from a business perspective, that could be a nightmare, but from a technical perspective, it could also be a nightmare, because what we know is once these are the analytics, takes a very long time to clear that up. It dirties your analytics. You have to try to decipher the information. Is that legitimate or is it not? And then of course, what are the impacts to my search engines? Maybe I go from a ranking of one and now I’m a ranking of fifteen. One of the things that we know is that the search engines are really fast to take away ranking but they’re really slow to give it back. So you want to be conscious of that.
Lastly is the compromise to our visitors. I personally feel a huge responsibility for anybody that may go to my web properties and I would hope that anybody, at least that’s attending this webinar, feels the same way. Talking to brand and reputation and trust, I feel that when somebody comes to one of our properties, it’s our responsibility to ensure that we’re providing them a safe and secure environment. That’s part of our contributions to the internet as a whole, and I think we should all be doing that because I think that the last thing I want is my mom visiting one of my websites and then my mom calling me the next day and saying, “You know, Tony, you know what’s really weird? I logged into my bank and now all of my life savings is gone.” To know that my site could have had a contributing factor to that would just be devastating. And I think we all need to be thinking in that kind of mindset as well as like, “Are we okay with somebody calling us and saying they cannot log into their environments anymore because they’ve been hacked or they no longer have their finances because they were hacked because of something that our website distributed?” That would be devastating. The same way that we’d feel devastated if credit card information was stolen.
So with that in mind, I want to take a few minutes to broach the subject of website security and how to think about it. I don’t necessarily want to tell you what to do because there’s a lot of information on that, but I think that security always starts with good posture and the right mindset. And so when we talk about security, I want you to think of one very important facet, which is: security is not a static state. And I think this is one of the biggest mistakes we do as website owners, or just IT in general – if I find this technology, if I find this person, if I find this process, it’ll stop the entire process. It’s not. It’s a continuous process that you’re constantly evolving. The attacks don’t just say, “Oh, they’re blocking this. I’m okay now. Let me now just walk away and you’ll be good,” when in reality we need to be looking at a process that includes different facets. How are we protecting our environment? How are we detecting, in the event our protection fails, but also do we have a response protocol in the event something terrible goes wrong? Who do I touch base with? Who do I talk to? Who’s it gonna be that can help me?
Then of course, what kind of maintenance am I doing in the environment? What kind of administration, updates, backups? How am I monitoring and providing visibility into what’s occurring in the environment? Because all those are huge assets to providing us good indicators of compromise or potential compromise.
Then of course lastly is our best practices and principles, right? Things like Defense in Depth, very similar to the processes that I just discussed now, and even principles like least privileged access and things like that.
The last thing I want to touch on is technology will never replace our responsibility of website owners, and I think this is really important because I see this across all the various communities that I work in, is this desire to find the silver bullet. If I find this right plugin, if I find this right configuration, all this will stop, but in reality this is what the world looks like. Security was never designed just around the people or just around the process or just around the technology. Instead, it’s a symbiotic relationship between the three components. Technology in and of itself is of no value if the people aren’t there to configure it correctly. We see this all the time in IT, where they take a firewall, they deploy the firewall, and they’re saying, “I’m secure. I have a firewall,” but then you look at the configuration and they have “allow all.” And it’s like all you did was put hardware right in between the attacker and you, and you spent a lot of money doing it, and it’s doing absolutely nothing for you. It’s when the people come in, they analyze your traffic, they understand what’s good and what’s bad, they do the configurations, they block out the right ports – that in itself is what’s going to help you, it’s not the default settings.
And then of course having a process of maintenance, going through the process, updating it, monitoring. I log in every morning and I look at my logs and I say, “Who’s logged in?” I don’t have a lot of people logging into my site, so I know that if somebody from China at 2 A.M. logged into my environment using my credentials, that’s obviously a problem. That’s not acceptable. Obviously I have to look in to see what’s happening, because they may have not done anything in the environment at the time, they just simply verified that they can log in. So we want to think about this. It’s people, process, and technology. Those are the things that give us a very good security posture.
And then of course lastly, my personal opinion and our opinion is that security is not a do-it-yourself project. It never has been and it shouldn’t be. Just because the platforms we leverage may be DIY doesn’t mean every facet of that platform, of how we build websites, is DIY.
So with that, again I want to thank you for joining me here at Sucuri. Here at Sucuri, we’ve built a comprehensive security stack for websites designed for business owners or website owners that just want to get back to doing what they do, whether that’s running a business, whether that’s marketing, whether that’s sales. I can tell you for a fact that nobody really likes security. Only a very select few do and we should let those people focus on it and let us get back to doing our business. So in our approach, we have a hybrid relationship where we focus on protection, detection, and response for the website owner, but we also work with the website owners to help improve their overall maintenance, their overall best practices and we try to give that guidance. So if there’s anything we can do to help, please let us know. Contact our team and we’ll be more than happy to engage.