Be open for business……not open to be Hacked
Lionel Thomas
Roles:
• Managing Director, Web Company
• Game Studio Manager
• Game Producer
• Web Manager
• Lead Web Programmer
• Online Marketing & Sales
• Multi-media Developer
• System/Database Administrator
• Community Manager
• Computer Sales, Building and Maintenance
Security is a Mindset
• Secured a million-dollar online store (the owner just wanted sales)
• Cleaned a server with 50 hacked websites (actively being hacked at the time)
• Gained access to an outsourced website in under 10 seconds
• Penetration-tested online stores in Australia: 83% had issues
Passwords
From a list of 10 Million Common Passwords…
Passwords
Tips:
• Use a password manager (daily use)
• Different password per login
• Never reuse a password (2012 - Dropbox, 60m+ accounts leaked)
• Change passwords regularly, and immediately after any breach notification
• Use phrases for sensitive logins
Example: IloveFlashGordon120%
Password cracking becomes faster every year…
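The two points above, worked through in code: a dictionary word dressed up with digits and symbols is still a dictionary word to a cracking tool, while a long phrase has a keyspace no guess rate will walk. This is an added example, not code from the slides; the common-password set is a constructed stand-in for a 10-million-entry breach list, and the two guess rates are assumptions chosen to show the trend, not measured cracking speeds.

```python
"""Added example (not from the slides): a small password checker for the two
points above.  The common-password set is a constructed stand-in for a
10-million-entry breach list; the guess rates are assumptions, not measured
cracking speeds."""
import math
import string

# Constructed stand-in for a leaked common-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome",
                    "iloveyou", "admin", "monkey", "dragon", "football"}
SECONDS_PER_YEAR = 365 * 24 * 3600
PUNCTUATION = set(string.punctuation)


def root_word(pw: str) -> str:
    """Strip the digits and symbols people bolt on to the ends of a word
    ("Password123!" -> "password").  Cracking tools apply the same mangling
    rules, so a dressed-up dictionary word is still a dictionary word."""
    return pw.strip(string.digits + string.punctuation).lower()


def is_common(pw: str) -> bool:
    return pw.lower() in COMMON_PASSWORDS or root_word(pw) in COMMON_PASSWORDS


def charset_size(pw: str) -> int:
    """Number of printable-ASCII characters an attacker must try per position,
    given which character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in PUNCTUATION for c in pw):
        size += len(PUNCTUATION)  # 32 symbols
    return size


def keyspace_bits(pw: str) -> float:
    """log2 of the brute-force keyspace: length * log2(charset size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def years_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in the keyspace."""
    return 2 ** keyspace_bits(pw) / guesses_per_second / SECONDS_PER_YEAR


def assess(pw: str, guesses_per_second: float = 1e12) -> dict:
    """A common (or mangled common) word falls to a wordlist attack regardless
    of its apparent keyspace, so it gets zero years."""
    common = is_common(pw)
    return {"common": common,
            "bits": round(keyspace_bits(pw), 1),
            "years": 0.0 if common else years_to_exhaust(pw, guesses_per_second)}


if __name__ == "__main__":
    # Two assumed attacker speeds a few years apart: the keyspace does not
    # change, the time needed to walk it does.
    for rate in (1e9, 1e12):
        print(f"--- {rate:.0e} guesses per second ---")
        for pw in ("Password123!", "Tr0ub4d!", "IloveFlashGordon120%"):
            print(f"{pw:22} {assess(pw, rate)}")
```

The keyspace figure is an upper bound on attacker effort, which is why the common-word check runs first: "Password123!" scores well on character classes and still falls in seconds. The phrase from the slide has the same four classes but 20 characters, and length is the only term that grows the exponent.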
Passwords
www.LastPass.com
Key Benefits:
• Manage
• Sync
• Share
• Auto Login
• Audit / Change Passwords
USB Sticks
• Over 48% of people will pick up a USB stick and plug it in
• Only about 16% of those people will scan it first
Tips:
• Do NOT pick up random USB sticks, and make that a written policy
• Encrypt and/or password-protect the data on your own USB sticks
Killer USB Sticks
Cost: $79
1. Charges its capacitors from the device's USB port (e.g. PC, laptop, TV, printer)
2. Once charged, discharges the stored energy back into the device
3. And repeats…
It is claimed to kill 95% of devices whose USB port lacks surge protection, and many ports do not have it.
Mobile Apps: Pokémon Go
At release, Pokémon GO granted itself FULL access to your Google Account when you signed in with Google.
Full access includes the ability to:
• Read your emails
• Send emails from your account
• Access Google Drive documents
• Look at search history
• Access private photos on Google Photos
• And more…
Tip: Strict policy around the use of email accounts on mobile devices.
• Use a burner email account for app sign-ups
Google Apps & Sites: review which apps have access to your account at https://myaccount.google.com/security#connectedapps
Phishing Attacks
Phishing Attacks
• May be emailed from someone you know (their account may be spoofed or compromised)
• May be via a website
• Fake web pages
• Fake domains (lookalike names that differ by a character or a suffix)
• Play on your heart strings, urgency and outrage
Phishing Attacks
Tip:
Pick up the phone! Verify any unexpected request through a contact you already trust, not the phone number or link in the message.
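The "fake domains" point above is the one that can be checked mechanically before anyone picks up the phone. The following is an added example, not code from the slides: it classifies the domain of a link or sender address against a small trusted list and reports the common fakery patterns (a digit standing in for a letter, a missing or extra letter, the right name under the wrong suffix, the trusted name buried as a subdomain of someone else's domain, or an internationalised label). The trusted list, the multi-label suffix set, the homoglyph table and the one-edit typo threshold are all assumptions for the example.

```python
"""Added example (not from the slides): classify a link or sender domain as
trusted, a lookalike of a trusted domain, or unknown.  The trusted list, the
multi-label suffix set and the homoglyph table are constructed assumptions;
a production check would use the Public Suffix List and the full Unicode
confusables table."""
import unicodedata

TRUSTED = {"paypal.com", "mybank.com.au", "google.com"}        # assumed allow-list
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "co.uk", "org.uk"}  # assumed subset
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e",
              "5": "s", "7": "t", "|": "l"}                    # assumed subset
TYPO_DISTANCE = 1   # assumed: one insert, delete or substitute counts as a typo


def split_host(host: str) -> tuple:
    """'login.mybank.com.au' -> (['login'], 'mybank', 'com.au')."""
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return [], host, ""
    return labels[:-(suffix_len + 1)], labels[-(suffix_len + 1)], ".".join(labels[-suffix_len:])


def fold(name: str) -> str:
    """Collapse look-alike ASCII so 'paypa1' and 'arnazon' read as 'paypal' and 'amazon'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    for src, dst in HOMOGLYPHS.items():
        folded = folded.replace(src, dst)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def contains_sequence(labels: list, wanted: list) -> bool:
    """True if `wanted` appears as consecutive labels inside `labels`."""
    return any(labels[i:i + len(wanted)] == wanted
               for i in range(len(labels) - len(wanted) + 1))


def classify(host: str) -> tuple:
    """Return (verdict, matching trusted domain or None)."""
    host = host.strip().lower().rstrip(".")
    sub, name, suffix = split_host(host)
    registrable = f"{name}.{suffix}" if suffix else name
    if registrable in TRUSTED:
        return "trusted", registrable
    # login.paypal.com.evil.net: the trusted name is only a subdomain of evil.net
    for trusted in TRUSTED:
        if contains_sequence(sub, trusted.split(".")):
            return "trusted-name-as-subdomain", trusted
    # Internationalised labels can render as Latin letters; treat them as suspect
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "idn", None
    for trusted in TRUSTED:
        _, tname, tsuffix = split_host(trusted)
        if fold(name) == fold(tname):
            if suffix != tsuffix:
                return "suffix-swap", trusted      # mybank.com vs mybank.com.au
            if name != tname:
                return "homoglyph", trusted        # paypa1.com
        if edit_distance(name, tname) <= TYPO_DISTANCE:
            return "typosquat", trusted            # paypall.com
    return "unknown", None


if __name__ == "__main__":
    for sample in ("mail.paypal.com", "paypa1.com", "login.paypal.com.evil.net",
                   "mybank.com", "paypall.com", "xn--pypal-4ve.com", "example.org"):
        print(f"{sample:28} -> {classify(sample)}")
    # For a sender address, classify the part after the '@'
    print(classify("accounts@paypa1.com".split("@")[-1]))
```

Order matters: the subdomain check runs before the lookalike checks because "paypal.com.evil.net" would otherwise never be compared against "paypal.com" (its registrable domain is evil.net), and the IDN check runs before folding because the ASCII fold would silently drop the non-Latin characters that make the name deceptive. An "unknown" verdict is not a clean bill of health; it only means the domain does not resemble anything on the trusted list.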
Cloud Storage
Tips
• Research your requirements
• Require protection by two-factor authentication
• Don't use cloud storage as your main backup
• Updated files sync automatically, and that includes infected or ransomware-encrypted files
For Home & Home Office
• Cybersecurity
  - Viruses and spyware
  - Anti-ransomware
  - Phishing attacks
  - Identity theft
  - Social network threats
  - Unsafe websites
• PC and Mac
For Business
• Next-generation endpoint security
• Cloud-based threat intelligence services
• Mobile security
• Secure web gateway
• IoT cybersecurity
www.WebRoot.com.au
Website Security
Some of the reasons to hack a website:
• Information theft
• Malware distribution
• Email spamming
• Website hijacking
• Platform for DDoS attacks
Website Security
• 70% of websites have vulnerabilities
• Google search is a tool used by hackers (to find vulnerable sites and exposed files)
• 205 days is the average time to detect a breach
• Two thirds of breaches are detected externally, often only when the stolen data is being sold
Website Security
Sucuri: Website Hacked Trend Report 2016 - Q1
Reasons for being hacked:
• Out-of-date software
• Improper deployment
• Bad configuration
• Poor maintenance
• Third-party plugins
Website Security
Challenges of staying up to date:
• Highly customized deployments
• Issues with backward compatibility
• Lack of staff
• No procedures in place
• Web Application Firewall
• Real-Time Threat Defence Feed
• Block Brute Force Attacks
• Country Blocking
• Manual Blocking
• Malware Scanner
• Website Spam Checks
• Track Site Logins
• View intrusion attempts
• File Repair
• Password Audit
• Cell phone sign-in (two-factor authentication)
www.WordFence.com
Website Security
www.CloudFlare.com
Filtering, Server Load Reduction, Speed Optimization and more…
Website Security
Google Safe Browsing site diagnostic: https://www.google.com/transparencyreport/safebrowsing/diagnostic/?
Website Security
Email/Domain Check: mail, domain, blacklisted?
www.MXToolBox.com
DNS: check your DNS records
www.LeafDNS.com
Website Security
Site Check: scan content, check firewall, and more…
sitecheck.Sucuri.net
Site Rating: website rating
safeweb.Norton.com
Website Security
Web Vulnerability Scanner: vulnerability and penetration testing, used by governments, large corporations and the military
www.Acunetix.com
Website Host Security
Questions to Ask your Hosting:
• What Security is implemented?
• What should I be doing?
• Who Updates the Server?
• What is the Process if I am hacked?
Website Security Overview
• Secure usernames & passwords
• Multiple Layered Security
• Stay Updated (Host, Website & Plugins)
• Secure Hosting
• Regular and Archived Back Ups
• Stay Informed
Common web admin usernames:
• Admin
• Administrator
• Marketing
• Firstname
• Domain name
• …
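The Wordfence features listed earlier (block brute force attacks, track site logins, view intrusion attempts) and the common usernames just listed come together in one detection: count failed logins per source address in a sliding window, block when the count trips a threshold, and raise the severity when the guessed usernames are the predictable ones. The code below is an added example, not code from the slides or Wordfence's own logic. The log lines are constructed for this example, and their format, the five-failure threshold and the ten-minute window are assumptions.

```python
"""Added example (not from the slides, and not Wordfence's own logic): detect
login brute-forcing from web-server login records, with the common admin
usernames above used to raise the severity.  The log lines are constructed for
this example; their format, the threshold and the window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

COMMON_ADMIN_USERNAMES = {"admin", "administrator", "marketing", "root", "test"}
FAIL_THRESHOLD = 5                  # assumed: failures per IP before a block
WINDOW = timedelta(minutes=10)      # assumed: sliding window for that threshold

# Constructed sample log: "<timestamp> <ip> <method> <path> <OK|FAIL> user=<name>"
SAMPLE_LOG = """\
2016-04-12T09:00:00Z 192.0.2.9 POST /wp-login.php FAIL user=admin
2016-04-12T09:30:00Z 192.0.2.9 POST /wp-login.php FAIL user=administrator
2016-04-12T10:00:01Z 203.0.113.5 POST /wp-login.php FAIL user=admin
2016-04-12T10:00:04Z 203.0.113.5 POST /wp-login.php FAIL user=administrator
2016-04-12T10:00:07Z 203.0.113.5 POST /wp-login.php FAIL user=marketing
2016-04-12T10:00:10Z 203.0.113.5 POST /wp-login.php FAIL user=example
2016-04-12T10:00:13Z 203.0.113.5 POST /wp-login.php FAIL user=lionel
2016-04-12T10:00:16Z 203.0.113.5 POST /wp-login.php FAIL user=admin
2016-04-12T10:00:30Z 192.0.2.9 POST /wp-login.php FAIL user=marketing
2016-04-12T10:05:00Z 198.51.100.7 POST /wp-login.php FAIL user=editor
2016-04-12T10:05:20Z 198.51.100.7 POST /wp-login.php OK user=editor
2016-04-12T10:30:00Z 192.0.2.9 POST /wp-login.php FAIL user=root
2016-04-12T11:00:00Z 192.0.2.9 POST /wp-login.php FAIL user=test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) \S+ \S+ (OK|FAIL) user=(\S+)$")


def parse_line(line: str):
    """-> (timestamp, ip, result, username), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4)


def detect(log_text: str, threshold: int = FAIL_THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Map offending IP -> alert.  'block' when `threshold` failures land inside
    one `window`; 'watch' for low-and-slow sources that never trip the window
    but still accumulate `threshold` failures over the whole log."""
    events = sorted(filter(None, map(parse_line, log_text.splitlines())))
    recent = defaultdict(deque)      # ip -> failure timestamps inside the window
    total = defaultdict(int)
    usernames = defaultdict(set)
    alerts = {}
    for ts, ip, result, user in events:
        if result != "FAIL":
            continue
        total[ip] += 1
        usernames[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"severity": "block", "blocked_at": ts,
                          "attempts_in_window": len(q)}
    for ip, n in total.items():
        if n >= threshold and ip not in alerts:
            alerts[ip] = {"severity": "watch", "blocked_at": None,
                          "attempts_in_window": len(recent[ip])}
    for ip, alert in alerts.items():
        alert["total_failures"] = total[ip]
        alert["usernames"] = sorted(usernames[ip])
        # Walking the predictable usernames is a stronger signal than one typo
        alert["targets_common_admin"] = bool(usernames[ip] & COMMON_ADMIN_USERNAMES)
    return alerts


if __name__ == "__main__":
    for ip, alert in sorted(detect(SAMPLE_LOG).items()):
        print(ip, alert)
```

In the sample, 203.0.113.5 is blocked on its fifth failure within twelve seconds, 198.51.100.7 is a legitimate user who mistyped once, and 192.0.2.9 spreads five failures over two hours so the window never fills; the second pass still reports it as "watch" because it has worked through the username list from the slide. A window-only rule misses that second source, which is why a login tracker should keep long-horizon counts as well as the short window it blocks on.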
Suggestions
• Stay up to date
• Avoid the shiny (untested new tools and plugins)
• Pay to stay protected
• Have an offline component (offline backups that malware on the network cannot reach)
• Create a security mindset in staff