WordPress security begins with good posture
TRANSCRIPT
@perezbox | @sucuri_security#wceu
WordPress Security: It Starts With Good Posture
Background
“As a species, we are risk averse when it comes to gains, but risk seeking when it comes to loss…”
- Bruce Schneier, BlackHat 2014
State of Incident Response
Why should I worry about security?
• Audience
• Business
• Responsibility
“The value of a network equals the square of the number of users.”
- Metcalfe’s Law – Value of a Network
Attacks come in many forms
Malware distribution, email spam, web server abuses, phishing lures
Security begins with Good Posture
Security is about Risk Reduction
The risk will never be zero
As posture increases, risk reduces
The WordPress security life cycle:
Best Practices/Principles
Maintenance
Protection
Detection
Response
“The biggest weakness we face as a community in security is also its greatest strength as a platform – its extensibility and ease of use.”
- Tony Perez
Diving into the WordPress Security LifeCycle
Best Practice / Principles: The Foundation
Best Practice/Principles
• Defense in Depth
– Layered Defenses
• Principle of Least Privilege
– 20 admins?
• Function Isolation (Production vs Staging vs Testing)
– Soup Kitchen Servers
Maintenance: It Begins with Good Administration
Maintenance
• User Management
• Backups
• Account Management
• Software Management
Protection: Stopping attacks from impacting your website
Protection
• Denial of Service Attacks
• Brute Force Attacks
• Exploitation of Software Vulnerabilities
• Application Hardening
Detection: Identifying security events
Detection
• Activity Monitoring
• Security Scanning
• Malware / Non-Malware Scanning
• Indicators of Compromise
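An added example, not code from the talk, that connects the brute-force attacks named under Protection with the activity monitoring and indicators of compromise listed here: it scans Apache combined-format access log lines (a constructed sample) for repeated failed POSTs to wp-login.php and flags an IP whose guessing was followed by a successful login. The regex, thresholds, IPs and log lines are assumptions.

```python
# Added example (not from the talk): a small activity monitor that flags
# WordPress login brute-force attempts in Apache combined-format access logs.
# Thresholds, IPs and log lines below are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 guesses passwords (wp-login.php answers a
# failed login with 200 and the form again; a success is a 302 to wp-admin).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3912
203.0.113.7 - - [10/Sep/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3912
203.0.113.7 - - [10/Sep/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3912
203.0.113.7 - - [10/Sep/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3912
203.0.113.7 - - [10/Sep/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [10/Sep/2014:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [10/Sep/2014:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 22010
"""

def parse(text):
    """Yield (ip, timestamp, method, path, status) for each parsable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m["ip"], datetime.strptime(m["ts"], TS_FMT),
                   m["method"], m["path"], int(m["status"]))

def find_login_attacks(text, max_failures=4, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "success_after_failures": bool}} for IPs with
    max_failures+ failed wp-login.php POSTs in one window; a later 302 = escalate."""
    events = defaultdict(list)
    for ip, ts, method, path, status in parse(text):
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            events[ip].append((ts, status))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [ts for ts, st in evs if st == 200]
        # densest run of failures that fits inside the sliding window
        peak = max((sum(1 for t in fails[i:] if t - start <= window)
                    for i, start in enumerate(fails)), default=0)
        if peak >= max_failures:
            success = any(st == 302 and ts > fails[-1] for ts, st in evs)
            findings[ip] = {"failures": peak, "success_after_failures": success}
    return findings
```

A finding with `success_after_failures` set is the indicator that moves the event from Detection into Response: the account whose login succeeded needs its password reset and its session reviewed.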
Response: How do you address the problem?
Response
• Incident Handling
• What’s an Incident?
• Brand / Business Impacts
The WordPress security plugin ecosystem
http://blog.sucuri.net/2014/09/understanding-the-wordpress-security-plugin-ecosystem.html
Access Control – Login
33% of infected websites come from poor credentials and user management
Access Control
• Whitelisting Access
• Two Factor Authentication
• Password Managers
Online Habits: Your security goes beyond just the application
Online Habits
• Local AntiVirus – Mac / Windows
• Personal Virtual Private Networks
• Auto Play / Enabled JS
When all else fails, enlist the help of professionals
Get in touch
Let’s get social:
• Twitter: @perezbox
• Twitter: @sucuri_security
• Facebook: /SucuriSec
Read what I write:
• http://blog.sucuri.net
• http://tonyonsecurity.com