Website Hacked Trend Report Q1/2016

Tony Perez & Daniel Cid – Sucuri Co-Founders

TONY

Hey guys! How are you? My name is Tony Perez. Some of you guys remember me from previous webinars, when we talked about the impacts of compromises and how hacks happen. And with me today I have our founder, and my business partner and friend, Daniel Cid. (Hey guys) I want everybody to welcome him. This is his first public speaking in a while, and we’re not even public. We’re in private. Just you and I. This is progress my friend. He’s going to be kind of walking us through some of the data we’ve collected and analyzed over the first quarter. I think this is really exciting. We’ve kind of tried this back in 2012, didn’t quite get the momentum but now we’re kind of ready, we’re positioned better. We have better telemetry data to be able to work with. So with that, I’d like to turn it over to you DANIEL to kind of start walking us through this.

DANIEL

Sure. Hey guys, Thanks for joining us here for our first hacked report webinar. I’m personally really excited to be here and share these stats which takes days of work, years we’ve been doing for the last few years and I’m mostly behind the scenes type of guy. This is my first webinar so if i screw up, when I screw up, just be nice to me, Tony will help me and…

TONY

We promise not to get physical in this interaction.

DANIEL

No, no, no, no. It’s probably going to be my last webinar anyways…So I will not duplicate what we said in the document. So if you haven’t read please read after we finish here, the link over there in the white please read the report, please read it after we finish here. So what I will try to do is share important takeaways, and insight of what we learn from this data. Tony I think the pieces or what we think is most important for website owners. I think it’s important that they get into the document and read the details. They’ll pull their own insights from that. But this is specific to things like we thought were high level enough. Things they could mix and match, and maybe some of our own opinions from thoughts.

DANIEL

And we will give you some homework in the end.

TONY

You know people don’t like homework, right?

DANIEL

Everyone likes homework. Anyway, to get started, first we want to clarify what are these reports about. Here at Sucuri we do incident response for thousands of websites every single month. Incident response is just a system for website cleanup. Most of our sites come to us when they are infected. They’re blocklisted, they have a spam issue, they have whatever. And they come to us for help. So this data is based on these sites, and we work across all major websites – CMSs, web servers, industry types, website types and we have a really good visibility on what’s really happening on the overall market share of compromised sites and that’s why we decided to help share this report. To help the individual process what is going on.

TONY

That’s an important point right. This telemetry is specifically based on our audience and the data that we collected. It isn’t necessarily maybe sync up 1:1 with the market share and how the platform fits in the larger scheme of the internet. But it is enough data that provides us good potential correlation data of this is interesting, why is this happening and provide some thoughts on that.

DANIEL

And hopefully when you look at the data between the compromised sites you see the similarities, what behaviors all these webmasters did to cause their sites to be hacked,

TONYThis is true.

DANIELAnd if you can follow them you’re probably in a good place security-wise

TONY

And I think a lot of emphasis should be placed on the CMSs like the Drupals, the Magento’s of the world, WordPress and Joomla’s. And they’ll probably be able to take the most from this.

DANIEL

And before I start, I want to give credit to where the credit is due. This is our remediation group. These are the guys that do the hundreds of cleanups every single day and work 24/7 cleaning up sites for you guys.

TONY

I think the picture is a little misleading. They actually do like their job. You know what I mean?

DANIEL

They’re smiling.

TONY

They’re smiling yeah. Hey tell us a little bit about the remediation team. How are they configured?

DANIEL

Their major team is kind of divided into two main groups – one are the researchers and the other incident responders. They actually go to your site and clean it up. They work side by side analyzing malware trends, analyzing issues and make sure together that we can clean the websites as fast as possible in a way that won’t be reinfected.

TONY

Got it. So you’ve got that this incident response team are working with the customer day to day. Engaging with them, collaborating, fixing their security issues, whether it’s infections or not. And they kind of work hand-in-hand with the researchers, together they kind of stay ahead of emerging threats. It kind of drives the information we’ve collected, as well as the kind of information we disseminate. Via things like our blogs and social and kind of all that malware research and labs.

DANIEL

So if you haven’t read our blog, check it out.

TONY

Yeah for sure.

DANIEL

There’s a lot of insight of what we’ve been learning in this journey through the last few years. So now we’re ready to get started… The first number that I want to point out is that we clean up thousands of websites every month during the first part of the year we cleaned up around 15,000 sites, but we only took only 11,000 of them that we had enough data, enough organized data that we could go deep to see what was going on during the time of the compromise, and that’s where these numbers come from. That 78% of all the compromised sites we worked on were using WordPress; 14% were running Joomla, 5% Magento, 2% Drupal. That is an interesting number to think about – 78% WordPress, 14% Joomla, 5% Magento, 2% Drupal. I want you to think about them because I want you to compare them to the overall market share of CMSs. You see, when you look at the data provided by BuiltWith, WordPress has about 50% of the market. Drupal has 6, Blogger 4, Joomla has 4. Even if we look at DopplerTech a company who uses the same to track CMS users and other things like that, they give WordPress 58%, Joomla at 6, Drupal at 4. But when you compare these numbers to the overall share of compromised sites, WordPress has 70 something percent, Joomla has 16.

TONY

It doesn’t seem to make sense. Your market share is fundamentally there for them. The distribution we’re finding in our telemetry data of people who are coming to us for support.

DANIEL

We wouldn’t expect them to match.

TONY

Similar, close.

DANIEL

unless one CMS is easier to hack than the other. So does this data tell us that maybe WordPress is more insecure than the others and that Joomla is probably the most insecure of them all. We have two times the data of our compromised sites than we have in our overall market share.

TONY

I’m going to keep an open mind on this one. See where you’re going with it.

DANIEL

I would say that maybe yes, I think that they are more insecure, that Joomla and WordPress are more insecure than they’re supposed to be, but is that really true?

TONY

Okay

DANIEL

Because insecurity is a very indirect term. What’s really secure? When you look at the core code of WordPress, Joomla, Drupal they’re really really secure, the developers behind these platforms really know about security and they’re responsive and they patch things quickly. They’re thought and mindset is on security a lot of times. What they do makes a lot of sense so why would that happen though? What I want to say is that generally what add the insecurity is not the core of the CMS. You don’t see insecurity on the core of the CMS. You don’t see insecurity on the WordPress core or on the Joomla core a lot – I think the problem is at a higher level, a little bit higher level, is how the websites are being deployed, how they’re being managed and how people extend the CMS.

TONY

Okay okay, I see where you’re going with this. I think you have a lot of people on the webinar right now probably holding their breath. What did he just say? I can already see them on Twitter bashing us…these guys…I think I kind of understand where you’re going with it. I think what you’re trying to say is that from a holistic standpoint insecurity doesn’t necessarily mean development or web administration but as a whole there’s a problem. Because I think at a core perspective, from a development perspective, the platform and the development process there is security and a lot of emphasis on security and the platforms themselves are secure, but either the way it gets distributed, the way it gets managed, the way it gets maintained, the way it’s communicated and marketed to an audience says that’s what makes the platform insecure. This actually becomes really interesting when you look at different platforms, like for instance WordPress, and the market they target they predominantly market a lot of DIY’ers, end users, it’s about how quickly can we get up and running. You know they have this infamous five-minute install. And that kind of talks to your point specifically, right? The messaging, the marketing more specifically around platforms is. Hey get online quickly and continue to see how open source changes the landscape of online websites.

DANIEL

Absolutely. And that goes to what Tony is saying. Jon Watson from CloudProxy he tweeted something very interesting. He said “All I’m saying is that it takes a lot longer than the famous ‘5 minutes’ to install WordPress properly. And by that I mean hardened” that goes to what you’re saying, WordPress is secure, but to deploy WordPress securely, it takes a lot longer.

TONY

Yeah you can’t draw a line. You can’t say from a developer standpoint, I’m set, I’m secure, the rest is on you, the enduser. As communities, regardless of what platform you have, we have a responsibility to the larger ecosystem, right? And we have to ensure security applies across proper stacks. And we’re communicating. It’s not about 5 minute install, but it’s a continuous process. Just think about it.

DANIEL

The code is a small piece of the overall picture.

TONY

Absolutely. I love 140 characters. They kind of restrict you to allow you to get a point across.

DANIEL

And that moves us to the second number I want to share. Out of all the websites we work on, 77% of them are WordPress, out of those WordPress sites, for example, 56% of them were outdated and that’s the core of WordPress outdated, in Joomla it was 85%, Magento 97%, Drupal 81%. That’s a lot of outdated sites that we are dealing with.

TONY

You know, this is a really interesting insight, when we were first talking about it. It kind of makes you wonder what’s happening because if WordPress for instance, where we have the most telemetry data for it still runs at about 56-60% out of date, and they have auto updates and force updates

DANIEL

They have auto updates, force updates and just really simple one click updates. Tony Absolutely, they’ve placed a lot of emphasis on backless compatibility compared to some of the other platforms, and their process for updating is easy. You have a lot of managed host environments and those are quicker to patch and even then, they made up of 77% of the customers or the websites who came through our environment infected. Still 66% it begs the question, what happens to the other platforms. Especially when you think of Magento and Drupal that target fundamentally different audiences. Drupal for instance, we see them a lot in the enterprise organizations. What do we have in those organizations? We have pretty stringent governing that dictates how things get put into production. Right. If we’re suffering at this scale, it makes you wonder what are the other impacts we could be making to address the problem.

DANIEL

And when we look at these numbers, what it really tells me is that we’re really bad at website management because the easiest part of your website management, if you have insight, the easiest thing to do on your site of anything you could be doing is update. Because the update process is simple. Just click. For most it’s simple and they’re still not doing that.

TONY

It kind of goes to what I was saying right? In security or larger organizations, we understand that the importance of patch management and vulnerability management. How do we convey this to the end user? And that’s the real challenge. It’s easy for us as from the development standpoint to, just update? Tell that to the end user who has the website that fully depends…

DANIEL

And he doesn’t want it to break, if it’s working, don’t touch it

TONY

You know how they say, oh less than 1% of the websites break. But are you okay to be that one collateral? A small percentage. I can assure you they don’t want to be that percentage.

DANIEL

So I want to go back to our question. We ask about, for example is WordPress or Joomla core more insecure because percentage wise they have more in the compromised sites (right) back than it it has on the overall market share. And I will tell you the answer is no, the core is not insecure. But are they being used insecurely? This data tells us yes. They’re using their websites and managing their websites in an insecure way.

TONY

It kind of goes to the root cause and why it’s getting infected.

DANIEL

And outdated CMSs, they are not the problem, they are just the consequence. The results are bad website management, again, people are not managing their sites properly. That’s why we see so many outdated. That’s why they don’t take security on any part of the site’s lifecycle which starts with deployment, management, and it is extended.

TONY

And you kind of mentioned a very interesting point, right. Are the results for lack of management a lot of organizations just don’t have some sort of inventory or understand what they have. I’ve talked to large organizations, as you have, and we’d love to help you, how many websites do you have? And they say, I have no idea. I really have no idea what I have. How is the organization meant to design it…and these are organizations with good governance in place. How is the everyday website owner supposed to do that? It’s one of those things we like to say in security, you can’t secure what you don’t know you have. But then we start to look at the applications themselves and the extent of modules, plugins and components. So we start thinking, we haven’t even moved into that yet. We’ve only been talking about the core of the app. What happens when we look at the extensibility of the app?

DANIEL

That’s next and that’s even scarier. When I look at these numbers, and that is the other set of numbers that I really want to show you, guys, is that out of the overall number of WordPress, let’s just dip down to WordPress. When you look at WordPress and look at the outdated sites, 25% were split into just 3 places: TimThumb, RevSlider and GravityForms. About 70% of all compromised sites are running TimThumb How is that possible, this thing happened 4 years ago.

TONY

That’s crazy though. And they’re still contributors. And I think the important thing to emphasis is that just that these plugins are out of date, these are plugins that have no known vulnerabilities. Patching is designed to patch a number of things, including vulnerabilities. But these, 25% of them had an out of date vulnerable version of either the script or the plugins.

DANIEL

And TimThumb is part of it years ago. That was spread everywhere. Every other company is vulnerable to that and still people have it outdated.

TONY

And we have a challenge here. We just talked about the challenges at the core of the application. Now we look at some of these scripts, RevSlider, Gravity Forms, right. RevSlider is one of those platforms for instance…

DANIEL

Two years ago.

TONY

Yeah, it was two years ago, but it was embedded into themes and frameworks…how many organizations come to us with a compromise, this is the vector, oh, I didn’t even know I had it.

DANIEL

And the developers of Gravity Forms, Revslider, they did everything right. They patched it quickly. They warned all the users. They posted about it on their blogs, we posted about it in our blogs. We told everyone to patch an issue and still users are not listening. But are they not listening or they really don’t know.

TONY

I think it’s a combination of things right. I think they don’t know, or maybe it’s an instance like Gravity Forms. I spent a lot of time talking Carl Hancock, the owner of Gravity Forms, and what he told me was, what are we supposed to do as an organization? At this point we can’t get the information out to the website owner. What if it’s not apart of our maintenance plan. At what point as a business do we just hey, give it away for free, but what does that do for the economics of your business when you depend on a sustainability license but people don’t want to pay for that. It’s a big challenge and I think organizations have to look for alternative solutions to address this.

DANIEL

At the end, the security of your website is your responsibility. Not anybody else.

TONY

I think a classic example of this is in ecommerce right. A lot of organizations misinterpret what PCI means. And if you for instance have an ecommerce, or we have an ecommerce issue, and a credit card gets stolen, that Visa and Mastercard, like us are a service provider.

DANIEL

It’s your responsibility and that goes back to how do you fix this website management problem? There’s a lot of things that can be done. But I want to start off with something simple. And that’s going to be the homework for the day. Just a little task. Because a lot of these issues happen because I think people don’t know what they have on their sites, what sites they have and what’s going on with their environment. So, to start, I really would like for us to create an asset list with all your sites.

TONY

Pretty simple.

DANIEL

How many sites do you have? Simple instructions. You list all the sites you have one-by-one. Like your GoDaddy account, other domains list all of them. Which ones are currently active. Which ones shouldn’t be active. Which ones are you still using. List there. Which ones should not be pointed to? List there. And then you go to the second step. You list all the necessary plugins and modules that you need to be running on each one. Which ones do you really need to be running right now? And you add it to your spreadsheet. And then you go a little bit deeper and talk about who is supposed to have access to each one of these sites. Site one should be distributors, should be developers, administrator. Just list each one of them. And after you do that, what else do you want to do? You remove everything else that you don’t need.

TONY

I just please want to back up. The last thing we want people to do is say I removed everything you said and deleted the data, you know.

DANIEL

But you remove every test account. I don’t want to see any test plugins. I don’t want to see any demo sites, test sites.

TONY

Which happens all the time right?

DANIEL

Happens all the time.

TONY

And I think that’s by design by the hosts. They allow you create multiple sites and people are allowed to install whatever they want. Happens all the time. Cross-site contamination. A lot of lateral movement within the accounts. It’s a challenge.

DANIEL

And after that what do you do? You upgrade everything that’s left. All the plugins. All the sites. And you repeat every month. Microsoft has an interesting concept. Every second Tuesday of the month they do their patch on Tuesdays. Every Windows administrator knows it’s patch Tuesday, I have to patch. It becomes this process, and they know that when this patch will be available, they have to patch. So maybe we can create this patch Tuesday for websites, or the last Friday of the month for websites, when you go to your asset list or inventory. You add any new sites that you created. You add any new plugins. If a developer left your company, you remove him from there and go remove in your website and you update everything that’s left.

TONY

I think this is a really interesting idea.

DANIEL

That’s a very very simple way to start. Fixing the website management problem. There’s a lot more stuff to do. Don’t get me wrong. Maybe we can talk about it in our next webinar. We can go deep, deep and deep in what to do. I just want to say that it is simple stuff. That is what it is.

TONY

And I think this would allow for not just for the basic maintenance, but say an organization partnered with an agency. Or maybe they partnered with a service provider and maintained that commerce that allowed to manage the environment. They communicate with them and say – hey, this is what I have. Right now a lot of these organizations will go to their service providers and say – hey, I just took care of it, but they have no visibility…what should be active, what shouldn’t be active, what should we be maintaining.

DANIEL

If you are an industry provider and you manage your client website. You have to monitor all your sites every time. I hope you do. And if you do monitor your sites, that is the perfect time to add all your sites to monitoring to make sure you are planning for any problem, both time and security issues. Because I know most of you have more than one site and so do your own clients. The majority of them have at least a dozen of domains, some disabled, some enabled, some are just test, and a very few they really care about, but guess which ones always get hacked first? It’s the one that they forget about.

TONY

Oh yeah for sure. What happens if they don’t do this? And what are the implications of this?

DANIEL

Then, we move to the next stage, it is the malware family distribution. Your websites get hacked and they get injected with malware. And I want to talk about the first one here, it is backdoors. Almost 70% of every site we clean has a backdoor of some kind, injected in them. And you know when we go deep analyzing this backdoor, and we find the command control that the hackers are using, we analyze then we see they have this list of all the sites they hacked, site 1, 2, 3, 4, 5, and they have how to access the backdoor, backdoor 1, 2, 3, 4, 5.

TONY

So what you’re telling me is that the hackers are implementing good asset management.

DANIEL

They manage the sites they own because when they hack a site, they use this term own the websites. They manage the sites they own really well. The asset list they have is kind of nice, the site, the host, the php version, the patched version, when they were installed. They do everything. In the infection last year on Joomla, we were seeing the text that was hacking the site with the Joomla vulnerability and patching the site for you…You know what? Because they own the site and they want to keep their property themselves.

TONY

You know what it reminds me of is when you have a little brother and you beat up on your little brother. And then someone else tries to beat up on your little brother and you’re like – whoa, whoa, whoa this is my little brother. I beat him up, not you. Same exact thing. I get it.

DANIEL

So if you don’t do the proper management of your site, and the asset management, the attackers will do for you. But what you do is that they will inject whatever they want, they will inject backdoor, the first one, then 60% have malware, which is the drive-by-downloads, that try to compromise your visitors, or SPAM SEO, which is actually what I want to talk about know. This number has been growing year over year over year. You see more and more sites with spam SEO. And that is one of the things that don’t really affect your users. Your users will probably never notice. You will probably never notice, until you go to Google and search for your site and you find Viagra, Cialis, Nike shoes, or Casinos.

TONY

I think one of the biggest drivers for spam SEOs is pharma hacks. Back in the day you know.

DANIEL

That’s how it started.

TONY

Three years ago, there was a good study done by a university. I forgot their name but they estimated that the pharmaceutical affiliate program generated close to 20-30 million dollars a year for this space, because it was compression based. There was a lot of incentive for blackhats to give it a go. In fact, what is really curious about this is when you look at the statistics around blocklist, whether it’s on AVs or search engines, this isn’t accounted for. The only thing they account for are the things that have a nefarious effect on the end user. Because they’re caring about the endpoint.

DANIEL

Because all this blocklists, they care about the endpoint. So, when you go to visit a site, if the site has a chance of compromising you, then they might blocklist the site, but if it is just spam SEO, they won’t affect you as a visitor, they don’t care. However, Google, Bing and all the major search engines, they will see the SEO, and that will hurt you a bit.

TONY

Unlike some of the other infection types, as you were saying, spam SEO is one of those things that affects the business owner and the website. And the webmaster. Because this will affect your search engine, your rankings, your result pages. You’ll lose ranking. And you’ll lose your domain authority. It has an adverse effect on them economically and potentially in other ways as well.

DANIEL

And most of the hacking really hurt the tech, because they are conditional injectors, where they only display the spam when it comes from Google, or when it is coming from Bing. If you visit, and you do a view source, it looks good. I think it is a mistake.

TONY

It’s always a mistake.

DANIEL

But when you actually go to Google Webmaster Tools and you check your site, all this stuff is coming. What is going on? TONY Because they’re targeting Google. And it’s actually interesting, so we’ve seen spam SEO grow but we have actually seen the inverse of that in other platforms…or other infections

DANIEL

…defacements. Defacements are actually one of the things we are seeing going down. Five years ago, I remember every time I saw a site was hacked, the hackers would add a defacement. I just hacked your site, your security sucks! That is the type of message they do. And now we rarely see that anymore. And the main reason I think is that before a lot of the hacking was just for political or personal reasons. I want to show off my skills, that I hacked whatever.

TONY

You’re not talking from experience are you?

DANIEL

No.

TONY

Oh ok

DANIEL

But now it is all about…money.

TONY

Yeah, I think that’s exactly right. If we think back maybe 5-10 years, it was just about…the environment was fundamentally different. Now we have things like booter service, now we have malware service, of the industry is much higher. There’s incentive to go after this stuff.

DANIEL

And specially because the other thing about defacements they actually tell the webmasters that they have been hacked.

TONY

That’s exactly right.

DANIEL

So, as soon as they visit their site, they see they got hacked, they want to clean that up. Now, when you look at Spam SEO, they try to hide it from the webmasters. A lot of the new drive-by-downloads, they actually try to hide from the webmasters.

TONY

Because of malware advertising…attack where you don’t necessarily compromise the website…distribute an ad and using it in a way to generate revenue. It’s impossible to replicate some of these instances.

DANIEL

Their goal is to maximize the time they can stay in your site and also maximize what they can do. For example, if you look at these numbers of the malware trends year over year, you see that they don’t add up to 100%. It means that when someone hacks your site and inject spam SEO, they don’t just inject spam SEO, they also use it for phishing, for mailer, maybe to DDoS others.

TONY

That’s interesting. So it’s not mutually exclusive. So just because you have a backdoor doesn’t mean you don’t have phishing or doesn’t mean have seo spam, in fact, the inverse of that. You can actually expect 70% of websites to have a backdoor that allow them to bypass your controls while still distributing malware or potentially being used to phish, spear phishing attempts to get entry to an environment or some kind of information. They kind of try and combine that information together.

DANIEL

Because not only do they inject stuff , they do proper asset management, they also really utilize the resources. So if they own a resource, they are going to really fully utilize that. And that is what this number tells us. And, as you can see, year after year, things have been pretty consistent.

TONY

Yep. In some areas for instance, if we look at spam SEO we kind of see growth there and actually the biggest growth is in the last year. And I think that talks to the economic return. We’ve also seen the reverse of that happening on the defacements. Everything else has been pretty consistent. In fact, malware can be looked at increasing from 40% to 60% of malware distribution. That talks to the web, and the website specifically, are still the number one distribution mechanism for things like that, like downloads.

DANIEL

And that is pretty much it that I want to share. It is this key point that I want to share with you, Guys. And what I really want you to think about and do your homework now is to start with your asset list. What do you do when you think about website management? What do you do when you think about security appliance? But to start, I want to think about the asset list. You create an asset list for your site. Start by that. And probably on the next webinars we will be adding more and more to it.

TONY

You know what might be interesting is seeing who might be listening and see if they could send us their information and we can take a look at it.

DANIEL

We would love to review it for you, Guys.

TONY

And we’re not talking complicated. Maybe a simple spreadsheet. Maybe basic questions and if it’s valuable and we’re seeing this over and over again, we’ll send more information and how to continue from that.

DANIEL

When you think about complex security, you fail in very complex ways. When you do things simple, they just work.

TONY

Perfect. Well thank you so much. I think this is great. I think the only homework I would add is to encourage everyone to go read the report, ask us any questions and share it and get that information out. Because for us it’s all about education and awareness. And then I kind of want to dive in on ways to maybe think of security. How do I take the information that Daniel just shared and make something actionable out of it? Or how should I be thinking about security? I guess and the first place I like to start is, security is a continuous process. It’s not a static state.

DANIEL

That is what I told you.

TONY

Exactly. It’s a continuous process. And it’s hard, right? Because as a business owner, you always have challenges. Marketing is a continuous process, sales is a continuous process. Well guess what? Security is no different. How you update your design is the same way how you update your security. The threats continue to evolve.

DANIEL

Think about creating a site and not writing any content.

TONY

Exactly! I created a website with no pricing changes, no product changes, no changing of the demographics to someone else. Same thing. And the other thing to think about is that our attack service is much bigger than the application we’re running. Whether it’s WordPress, Joomla, whatever the case may be. And in fact it’s more complicated if you look at, it’s not just about the environment on which it sits, but it’s also about the environment and how you engage the web, right? We see this in PCI for instance.

DANIEL

PCI is really interesting, because PCI is focused on e-commerce, the sites that pass credit card data, and when you go to the PCI requirements, they cover everything. They talk about your physical security, they talk about your networking, they talk about your servers, and they talk about your applications, and they also talk about how to connect them.

TONY

Your habits.

DANIEL

So even your laptop that connects to the CVE, which is the credit card data environment, should be on compliance as well. And you cannot just ask for one security, because it is a chain of security. If one thing breaks, you break the chain….You need both.

TONY

And I think that’s an important thing for every website owner to understand. Everything is interconnected, right? You may have the best configuration at the server level, or at the application level. But that doesn’t necessarily mean that you’re secure locally. Maybe you’re running a Windows XP box with no antivirus…

DANIEL

I hope no one does that.

TONY

…and you spend the evenings surfing bad websites on God knows what, right. And then you wake up in the morning and it’s like the gift that keeps on giving. And so I think a good way to think about this is like a fight prong approach. And in security we always have this debate between protection and detection, which one is better than the other. And we like to think of it as all encompassing. It’s not one or the other. How are you protecting your environment? How are you detecting in the event that the protection fails or some other indicator occurs that may lead you to know that something is happening and just how complex that change is. And then of course what’s going to be your response solution from this. And this is very common in the security world, and it could more common in the website world, but we like to extend that and include in that maintenance administration. And the reason we emphasize this is because for the everyday website owner they normally don’t place any emphasis on this. We talks about this at finding a baseline, and no one really talks about business administration because it’s not sexy. It doesn’t generate sales. Know what I mean? But then we talk about best practices like – hey, every website visitor is not an administrator role. Well I highly doubt they’re all administering that website.Things like least privileged and defense in depth. Those are really important concepts.

DANIEL

The things that operate the system security will be the aim of that, to get better. Nobody logs in, I hope nobody logs into your Linux service root, you log in as a user, if you need to run administrator commands, you type sudo, you do sudo. Now, when you go to WordPress, I see every single user logs in as admin, even with a different username, but you add the administrator role.

TONY

You gotta think right. We’ve been at this 20 years or more for instances. But when you look how young the web ecosystem is, specifically open-source CMSs, and the Drupals and Joomlas and Magentos and WordPresses, it’s fundamentally different. Know what I mean?

DANIEL

I usually joke that the current state of CMSs, how people use them, is kind of like the way we used Windows 95. Everybody is at administrator level, everybody uses the terminal. We just have to change this mindset that is what is important.

TONY

I think a good place to start is to stop looking at technology as that silver bullet or that easy buy, you know. It’s like – if I just install this plugin, or if I just install all these ten things I’m safe I’m secure. It’s not necessarily like that right, because security is a lot more complex involved process. It’s people process and technology working together harmoniously to get the information out.

DANIEL

You know, we clean a lot of websites, like you saw, and the majority of them have a security plugin installed

TONY

All of them do.

DANIEL

Well, few of them run it. And they still get hacked because the webmaster just thought about maybe if I installed these plugins, I will fix my security, but they forget about the process, the people and everything else that is around security.

TONY

I always like to joke it’s like going and buying a piece of hardware firewall into my network and saying – hey, i bought this firewall, I put it into my network, I plugged it in, I turned it on and I left and I said I’m secure. And yet you have allowed everything in the world, you haven’t configured anything…I don’t understand, all you’ve essentially done is put on a very fancy door but the door is wide open.

DANIEL

We had a user a few years back that bought a plan, didn’t add sites, didn’t configure anything…

TONY

Didn’t communicate with us. He just purchased.

DANIEL

And said who come I got hacked? I purchased an account and you didn’t do anything. Well, but I bought your service. I said, you have to use it.

TONY

Buying, using, and configuring are fundamentally different. And so we like to remind everyone that security is not a do-it-yourself project. Contrary to the platform you’re using and what you’re communicating, it just isn’t. And we’re seeing this more and more and I think this data accurately reflects that and says – hey, this definitely is not. And so here at Sucuri, what we focus on is providing a comprehensive package where we work in conjunction with the website owners. It’s not a matter of come to us and you never have to think about security; it’s work with us, let us be your complimentary source and we’ll provide you three core pieces of it.

DANIEL

If any company tells you otherwise, run…

TONY

They are lying. If somebody says we will keep you 100% secure and you have to do absolutely nothing – they’re full of shit right. It’s not gonna happen right because it’s a collaborative process. We can do a lot of stuff, but we can’t do everything. So we’ll provide protection while we’re trying to mitigate, exploitation attempts against vulnerabilities. We have a continuous monitoring or detection engine that looking for potential threats, if there’s a compromise. We also provide a professional incident response team where we go in and address the actual issue.

DANIEL

Our goal is to give you all the tools you need to have a secure site. The tools are there and if you install them and configure them, and we will help you configure, we will help you install.

TONY

We just require communication. And it has to be some level of understanding from the website owner themselves. And so with that, a reminder that we’re providing a discount for anyone that’s up to 20% through Friday. And if you have any questions, I’d like to turn it over to you Kristen and see if we can answer anyone’s burning questions.

KRISTEN

We have a lot of burning questions so we’ll give a few to you so that you can respond. So first let’s go to this one. How was it that my hosting company was unable to detect my site being hacked, but I, and Google were able to locate it. Then after the hosting did a site test run, they were still unable to detect it.

DANIEL

The first thing is that hosts are not security companies. They know hosting really well, so they do not know security really well. Specially when you go deep in your website, they are not an antivirus company that clean and scan all the things, so them missing a malware or missing an infection is actually common, right?

TONY

And a lot of them actually use server-level scanners like Plan A/B…absolutely, They will find server level malware but they won’t necessarily find web-based malware which is essentially why companies like us, exist. With that being said, we have to understand the intent of organizations. For instance, a host. A host’s intent from a security standpoint is for the perimeter and the environment. Which is why they provide you an account. One of the biggest challenges that web hosts have is how do we address the end user though? Because if I give you an account, and I allow you to do anything you want because that’s what you paid us for, how do I address that problem? It’s been a long time since we’ve since mass compromises in shared hosts. What we see is compromises in accounts, on shared hosts. So if I purchase a site on BlueHost and I install 150 different sites on there, and then I get infected. So…

DANIEL

That is not BlueHost fault, because they give you physical security, they give you the server security, they give you the space. What happens within your space is your responsibility, never push the blame to anybody else. So, for example, if you have a desktop on the network , and you are on ComCast, and you have a virus on your desktop, that is not ComCast. That is your fault. They are giving you the network and the bandwidth.

TONY

And in terms of your specific question – why it couldn’t be detected. We have to stop thinking in absolute. Security is not an absolute. So for instance, it depends, what was the infection? So for instance, if Google detected it as SEO spam, we just talked about SEO spam. We even talked about how difficult it is to detect. A lot of these organizations again, focus on the systems, the administration, providing you the environment yet they’re not a security companies. They’re not designed to target the stuff. And Google’s resources dwarfs everyone else’s. And remember, we talked about conditional payloads, malware specifically designed to target Google, so Google may see something that nobody else is going to see.

DANIEL

A lot of malware try to hide. They are heavily coded, they are heavily obfuscated, so.

TONY

And I can assure you, that the $399 that you paid that month is not paying enough overhead to provide you the security services that you might have been expecting. You may have been unaware of but unexpected nonetheless because of just not knowing. With that person, so what’s the next question?

KRISTEN

Alright, next question. Do you know the percentages of hacks…that happened in Q1 were targeted attacks, meaning targeted to a particular business or website or how many were just automated from the platforms and plugins being targeted?

TONY

That’s actually a very good question. We’re going to be providing more information in the future on attacks, and how they happen. But for those who attended the last webinar where we talked about how hacks happen, we would say what, greater than 95% of the attacks we see are automated. Very rarely do we see targeted attacks, and those targeted attacks are usually a big brand, big enterprise. It’s very rare…

DANIEL

Often they happen against Sucuri

TONY

Of course like Sucuri, we have a lot of targeted attacks because a lot of blackhats don’t like us for a variety of reasons but I can assure you that a majority of the websites and the owners out there don’t suffer from target attacks.Most of them are like, hey…TimThumb is a perfect example.

DANIEL

They are vulnerability based. The attacker has a known vulnerability they want to exploit, or a collection of vulnerabilities. Most of them have multiple vulnerabilities. They have TimThumb, RevSlider, Gravity Forms, they have a big list and they go against every website they can trying each one of them.

TONY

They have crowders…

DANIEL

So, even if you protect against the top 995, if you miss one, they are going to hack you because of that. Next question KRISTEN.

KRISTEN

Alright, next question is a theme hack the same as SEO spamming? We used a theme hack and customized it but discovered years later that the theme was not updated. What does that mean?

TONY

Ask the first part of the question again?

KRISTEN

the first part of the question was hacking a theme the same as SEO spamming.

DANIEL

So, hacking the theme can be used for a variety of things. They can hack your theme to inject SEO SPAM, they can hack you theme to inject drive-by-downloads or even put phishing. So, hacking the theme is just where it is, it is not the action.

TONY

Exactly. The way we’re thinking about it, we’re thinking about it incorrectly. Whether they hack the theme, or the core, or the plugin, a hack is a hack. It’s what they did once they were successful whether they distributed SEO spam or maybe they did phishing or maybe they did malware, and they took some action of distribution of something regardless of what they hacked. The theme just so happened to make sense because they probably adjusted the function, or the header file or the footer file. It would just load every time the theme loads.

DANIEL

And there is a lot of malware that even hides in the htaccess which is below the load, or they even hack your dns instance. It is before you can even see what is going on the php level or the WordPress level.

TONY

I think the important thing here to take away is that SEO spam is the result of what they did once they successfully compromised the environment. The same as malware distribution or phishing. It’s all a part of the same malware families. But it doesn’t necessarily matter what they ended up hacking – themes, plugins, environment. Whatever the case may be.

KRISTEN

Okay. The next question is, when a website is compromised, in your experience, does the attacker routinely log in to install additional software, manage it, create other users etc or is this an automated system strictly distributed through bots and other means.

DANIEL

It is mostly automated. All the malware, when they do, for example, if you look even at the GravityForms, RevSlider and TimThumb, they do, the first thing they do is upload the backdoor and from there is actually where they do the compromise, to the backdoor they inject the payload to the SEO SPAM, the drive-by-downloads, but then the first step is always the backup. And they use it for whatever they have to do.

TONY

The thing I would add to that. While the attack themselves are automated, you can also say that attackers have a tendency to install either users, plugins or themes. But the fundamental difference here is that they don’t necessarily do it manually. They automate it. So it’s the same exact thing. So we’ve seen attackers where they log in say from a platforms admin panel and then we can see the logs immediately in half a second they’ve already modified the post, they’ve modified this.

DANIEL

That is automated.

TONY

It’s automated. You don’t see someone clicking that fast. It’s practically impossible.

DANIEL

And the majority of them, when they look, they have thousands of websites hacked. It is not feasible for them to do it manually, one by one.

TONY

They are mostly automated and yes. They do install users, they do install plugins. They do make configuration changes. But again, all automated.

KRISTEN

Okay now we’re going to take our last question and it is that most clients don’t want to pay for security management. What do we do?

TONY

We wait until they get compromised. Then they’ll pay.

DANIEL

No, not really. But you can start with the simple ways, for example, the asset management. You can do a lot of this stuff for free if you don’t want to pay. You can install the asset management, track on a spreadsheet, you can install log security, which is open source and free on your server and you can install Snork (?) , you can do a lot of this stuff for free. You can do monitoring with the free open source OSSEC. There is a lot of stuff you can do for free if you know how to do it. If you are technical enough, you understand how to manage your server, you understand how to install and configure your automated security updates, then you are fine, you don’t have to pay for anything. You can do it yourself. But if you are not technical enough, and you don’t know how to do these things, if you try, you will make mistakes, and you will probably make things even worse.

TONY

Absolutely. I’m a bit facetious when I say wait to get compromised but that’s the actual reality. There are a lot of things they can do. They can go and read articles and configure all these tools but the fact is a lot of organizations are not going to do that. They’re not going to invest that kind of time. There has to come a balance. The organization has to weigh the risks and say, okay, I’m not going to pay. In my experience what I’ve found is at least when we talk to end users on our websites is that they usually recognize the value of it once they feel the pain. It’s very difficult to convey the impact if they haven’t felt it themselves. Oh I’ve had my website for ten years and I’ve never been hacked. Well, the landscape has changed a lot in ten years.

DANIEL

If you own a house and something breaks, if you are handy and know how to do stuff you can fix it yourself, and you will do great. If you are like me, you will have to hire someone, because every time I try I make it even worse. I spend money and time doing, then I have to spend money and time hiring someone to fix it.

TONY

And remember right, it’s not a static process. It’s not a static thing, it’s a continuous process. Configuring the tools and applying the tools are but what piece of the pie. Now you have to stay ahead of all the threats and continue to make changes to the configuration as the environment changes so don’t pay if you don’t like. That’s fine. Hopefully it’ll work out perfectly. If not, you’ll find yourself in a predicament where youll be suffering a lot of anxiety and stress because of an action that could’ve been addressed prior. So with that, no more questions, right Kristen?

KRISTEN

That was our last question so that brings us to the close of our webinar. I want to thank everyone for their participation. Are you guys going to go to Twitter and take some more questions?

TONY

Yeah, for sure. We’re always on Twitter so come add the hastag #asksucuri . We will continue to answer the best we can and like Kristen said we will be responding to the questions the best we can the next couple of days. Be mindful that it is actually Daniel and I responding so it might take us a little bit of time.