It Starts With Good Posture
Website Security (WordPress)
04/11/2023
@PEREZBOX
• Sucuri, Inc.
  – @sucuri_security
  – @sucurisupport
  – @sucurilabs
  – @perezbox
• Specialization:
  – Website Security
  – Incident Handling
• Special Interests:
  – Brazilian JiuJitsu
Tony Perez | @perezbox | @sucuri_security 2
• Website Security Company
• Global Operations
• Platform Agnostic (e.g., WordPress, Joomla, etc.)
• Scan 2M Unique Domains a Month
• Block 4M web attacks a Month
• Remediate 400 – 500 websites a day
• Signature / Heuristic Based
• 24/7 operations
Statistics
Anatomy of Malicious Websites
[Chart: Malicious Websites vs. Legitimate Websites – 85%]
Legitimate Websites
[Chart: Not-Exploitable vs. Exploitable – 77%]
1 in 8 - Critical Vulnerability
Hacks Affecting Users
Top 4 Symptoms
• Malicious Redirects (i.e., abuse your traffic)
• Backdoors (i.e., bypass access controls)
• Phishing (i.e., spear phishing campaigns)
• Search Engine Poisoning (i.e., pharma, etc.)
… Obviously many more, but these are the most prevalent.
Malicious Redirect
Malicious Redirects
• Easy / Medium to Detect
  – Be mindful of conditionals
• Looking for Integrity Issues
  – Has something been modified?
• Common location[s]:
  – .htaccess
  – index.php
  – footer.php
  – header.php
• Biggest Issue
  – Redirectors are becoming highly complex
  – Employing heavy conditional elements
Phishing
Phishing, cont'd
• Difficult to Detect Remotely
• Looking for Integrity Issues
  – Is something somewhere it doesn't belong?
• Common location[s]:
  – wp-includes
  – Theme directories
• Biggest Issue
  – It can be anywhere
  – Fully contained
Backdoors
Backdoors, cont'd
• Can't detect remotely, only locally
• Looking for Integrity Issues
  – Is something somewhere it doesn't belong?
• Common location[s]:
  – wp-includes
  – Root directory
• Biggest Issue
  – Allows attacker to bypass your access controls
  – Provides full control of the environment
• Common terms:
  – is_bot
  – eval
  – base64_decode
  – fopen
  – fclose
  – readfile
  – edoced_46esab (base64_decode reversed)
  – exec
  – system
  – shell_exec
  – gzuncompress
  – popen
  – FilesMan
grep -RPl --include='*.php' "(system|exec|passthru|shell_exec|base64_decode|eval) *\(" /var/www
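An added example (not from the talk or from Sucuri's tooling) that turns the two checks above, "is something somewhere it doesn't belong?" and the list of common terms, into a runnable script: it takes a SHA-256 baseline of a document root, reports new, changed and missing files, and greps .php files for the function-call terms on the slide. The site layout, file names and file contents it builds are constructed for the demo, and the exact regex is this example's own.

```shell
# Added example (not from the talk): a SHA-256 integrity baseline plus a scan for the
# function names the slide lists, run over a WordPress document root.
# Assumes sha256sum, find, grep -E and sed are available (GNU coreutils or busybox).
# Function-call form of the listed terms; the leading class stands in for \b (so
# "filesystem(" is not reported as "system(") and there is no empty alternative.
SUSPICIOUS='(^|[^A-Za-z0-9_])(eval|base64_decode|edoced_46esab|gzuncompress|system|exec|shell_exec|passthru|popen|fopen|readfile) *\('

# Print every .php file under $1 containing one of the terms, sorted, one per line.
scan_suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lEi -- "$SUSPICIOUS" {} + | sort
}

# Record a baseline into $2: one "sha256  ./relative/path" line per file under $1.
make_baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0r sha256sum ) > "$2"
}
# Strip the hash column from a baseline file, leaving only the paths.
paths_in() { sed 's/^[^ ]*  //' "$1"; }

# Compare docroot $1 with baseline $2 and print one line per difference:
# "NEW path", "CHANGED path" or "MISSING path". Prints nothing when everything matches.
check_integrity() {
    now=$(mktemp)
    make_baseline "$1" "$now"
    # hashed now but not in the baseline: a new file or a changed hash
    grep -vxF -f "$2" "$now" | while read -r hash path; do
        if paths_in "$2" | grep -qxF -- "$path"; then echo "CHANGED $path"; else echo "NEW $path"; fi
    done
    # in the baseline but not hashed now: deleted (changed files were reported above)
    grep -vxF -f "$now" "$2" | while read -r hash path; do
        [ -e "$1/$path" ] || echo "MISSING $path"
    done
    rm -f "$now"
}
# Constructed demo site (not a real install): take a baseline, then drop a file into
# wp-includes and append a redirect to the theme footer, two locations the slides name.
demo() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-includes" "$site/wp-content/themes/demo"
    printf '<?php echo "clean";\n' > "$site/wp-includes/clean.php"
    printf '<?php get_footer();\n' > "$site/wp-content/themes/demo/footer.php"
    make_baseline "$site" "$site.baseline"
    printf '<?php eval( base64_decode($x));\n' > "$site/wp-includes/dropped.php"   # constructed sample
    printf 'header("Location: http://example.invalid/");\n' >> "$site/wp-content/themes/demo/footer.php"
    check_integrity "$site" "$site.baseline"   # CHANGED ./wp-content/themes/demo/footer.php, NEW ./wp-includes/dropped.php
    scan_suspicious_php "$site"                # $site/wp-includes/dropped.php
    rm -rf "$site" "$site.baseline"
}
demo
```

Store the baseline file outside the document root and refresh it after every legitimate update, otherwise every core or plugin upgrade shows up as a change.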
Example of Complexity
Search Engine Poisoning
Search Engine Poisoning, cont'd
• Targets Search Engines (i.e., Google, Bing, Yahoo)
• Looking for Integrity Issues
  – Have your posts / pages been modified?
• Common location[s]:
  – index.php (root, theme, plugins, etc.)
  – header.php
  – footer.php
  – Embedded in database (posts / pages)
• Biggest Issue
  – Continues to evolve
  – Highly conditional
  – Not within visible range – often offscreen
Indicators of a Hack
Search engines have gotten pretty good at detecting issues – Google blacklists over 10 thousand websites a day.
Anatomy of Attacks
Phases of an Attack
Recon, Identify, Attack, Decisions, Sustain
Use for malware? Part of a zombie network? Data breach?
What kind of website do you have?
Automated Attacks
[Diagram: WP-ADMIN, Themes / Plugins, Payload, Exploiting Access Control]
Distribution Mechanism
[Diagram: Malicious Links – Social Media, Email Links, Website, Text Messages]
There's a Tool for that
• Malware as a Service (MaaS) – Yes, pay someone to hack for you
• Different tools to break in and generate payloads
  – Brute force and vulnerability exploits
  – Malware payloads
Why?
Happening To Everyone
It’s About Posture
Begins with Posture
Posture
Risk
“Risk will never be zero, but it can be reduced”
It’s About Good Posture
Security Posture
Principles
Access
Vulnerabilities
Layered Defenses
Protection, Auditing, Detection, Sustainment
Defense in Depth
“…a concept in which multiple layers of security controls (defenses) are placed throughout an
information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”
Access – P@ssw0rd
• Passwords: Complex – Long – Unique
Enforce Strong Credentials
Auditing (Monitor Activity)
Auditing Questions
Tony Perez | @perezbox | @sucuri_security | #JoomlaDayAtlanta 34
• Understand what is going on at all times
  – Who is logging in?
  – Who is trying to log in?
  – What files are changing?
  – Has a post been created?
  – Has a page been created?
  – Are there any integrity issues?
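An added example (not from the talk) that answers the first two questions above from an Apache access log with a few awk one-liners: attempts per source and status on wp-login.php, sources with repeated failures, and successful logins. The log lines are constructed, and the mapping of 200 to a failed attempt and 302 to a successful one is an assumption about a stock wp-login.php.

```shell
# Added example (not from the talk): answering "who is logging in / trying to log in?"
# from an Apache combined-format access log. Assumes login attempts are POSTs to
# /wp-login.php and that a stock wp-login.php answers a failed attempt with 200 (form
# re-shown) and a successful one with 302 (redirect to the dashboard).

# Constructed sample log (not real traffic), Apache "combined" layout.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Nov/2023:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3571 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2023:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3571 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2023:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3571 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2023:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3571 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2023:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3571 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Nov/2023:08:30:11 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Nov/2023:08:30:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3571 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Nov/2023:08:31:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Nov/2023:09:00:00 +0000] "GET /2023/11/post/ HTTP/1.1" 200 15020 "-" "Mozilla/5.0"
EOF
}

# Fields in the combined layout: $1 client IP, $4 timestamp, $6 method, $7 path, $9 status.
# One line per (ip, status) for POST /wp-login.php: "count ip status", most frequent first.
login_attempts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1 " " $9]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -k1,1nr -k2,2
}

# IPs with at least $2 failed (HTTP 200) POSTs to wp-login.php: "ip count".
brute_force_ips() {
    awk -v t="$2" '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { f[$1]++ }
         END { for (ip in f) if (f[ip] >= t) print ip, f[ip] }' "$1" | sort -k2,2nr
}

# Successful logins (302 after a POST): "ip timestamp", in log order.
successful_logins() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "302" { print $1, substr($4, 2) }' "$1"
}

demo() {
    log=$(mktemp); sample_log > "$log"
    echo "== attempts by ip and status";          login_attempts "$log"
    echo "== likely brute force (>= 3 failures)"; brute_force_ips "$log" 3   # 203.0.113.7 5
    echo "== successful logins";                 successful_logins "$log"   # 198.51.100.20 10/Nov/2023:08:31:02
    rm -f "$log"
}
demo
```

Behind a proxy or CDN the client address is in X-Forwarded-For rather than $1, so adjust the field before trusting the per-IP counts.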
Principle of Least Privilege
“requires that in a particular abstraction layer of a computing environment, every module
(such as a process, a user or a program depending on the subject) must be able to
access only the information and resources that are necessary for its legitimate purpose.”
Understand Your Roles
Hardening – Kill PHP
PHP Execution, disable it in:
• /wp-includes
• /wp-content
  ▪ /themes
  ▪ /plugins
  ▪ /uploads
<Files *.php>
Deny from all
</Files>
Disable Plugin / Theme Editor
• wp-config.php file modification:
# Disable plugin / theme editor
define('DISALLOW_FILE_EDIT', true);
Brute Force Attacks
Backups – It’s Your Safety Net
Software Vulnerabilities
• Stay current with the latest vulnerabilities:
  – Secure - http://wordpress.org/plugins/secure/
Stay Current (Update)
Website Firewalls
• Stay ahead of Software Vulnerabilities
Ensure Integrity of Connection
• https://www.getcloak.com/ | @getcloak
Google Webmaster
Simple Steps to Reduce Risk
Ideal implementations:
1. Employ Website Firewall
2. Don't let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers

The Bare Minimum:
1. Connect Securely – SFTP / SSH
2. Authentication Keys / wp-config
3. Use Trusted Sources
4. Use a local Antivirus – Mac too
5. Permissions - D 755 | F 644
6. Least Privilege Principles
7. Accountability
8. Backups – Include Database
Notable Resources
Sucuri Blog – http://blog.sucuri.net
Sucuri TV – http://sucuri.tv
Malware Scanner – http://sitecheck.sucuri.net
Malware Scanner – http://unmaskparasites.com
Badware Busters – https://badwarebusters.org
Google Forums – http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
Google Webmaster Tools – http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia Security Advisories – http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB – http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
WordPress Hacked FAQ – http://codex.wordpress.org/FAQ_My_site_was_hacked
WordPress Hardening – http://codex.wordpress.org/Hardening_WordPress
Dealing with a Hack
Dealing with Malware – http://blog.sucuri.net/2012/10/dealing-with-todays-wordpress-malware.html
Leveraging Google Webmaster Tools – http://www.unmaskparasites.com/malware-warning-guide/
Google Webmaster Tools (Hacked) – http://www.google.com/webmasters/hacked/
Understanding Google's Blacklists – http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-your-hacked-website-and-removing-from-blacklist.html
Clearing Your Website with Free Scanner – http://blog.sucuri.net/2013/10/cleaning-up-your-wordpress-site-with-the-free-sucuri-plugin.html
WordPress Tips & Tricks – http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html
Sucuri, Inc.
Tony Perez
http://sucuri.net
http://blog.sucuri.net
@perezbox | @sucuri_security
@sucurilabs | @sucurisupport