WordPress Security Managing Risks Sagely

Transcription

1 WordPress Security Managing Risks Sagely Today s Cool New Features are Tomorrow s Security Risks Presented by Elyse Nielsen October 11,

2 Presentation Purpose The purpose for sharing this information provides an opportunity for you to: 1. Raise your risk awareness regarding your WordPress site. 2. Share security practices which are used to mitigate risk. 3. Provide some basic security tactics to manage risk. 2

3 A Bit about Me Portfolio Manager with Ascension Information Services with IT Organizational Excellence. Managed the establishment of the Security Service Delivery Line for Ascension. I formerly worked as a Director of Information Services at Albany Medical Center in Upstate, NY. Which all culminates in extensive experience in technology & project management. Certified Project Management Professional (PMP) by the Project Management Institute and a Certified Professional in Healthcare Information Management Systems (CPHIMS) by HIMSS. Working with WordPress since Blogging since Best WordPress Site Established Back in 2005 implemented a site for a family to share the outcomes of a child with leukemia. Recent Work is more a passionate hobby (might be a business according to IRS). 3

4 Interesting Jeopardy About how many websites exist on the internet today? What percentage do you think is WordPress? How are most attacks accomplished? What are you most worried about? AnonGhost s mark on SaratogaCountyNY.com on August 9 th this year. 4

5 Your Website Application Tools Your Website The first impression to build trust with your customers Application Scripting Database Web Server Operating System Network 5

6 Swiss Cheese Risk Assessment Database Plugins & Themes Outside Threat Applications Linux 6

7 Zero Entry Hacking 1 Recon Gather Information on Target Define Target Gather Offsite Info Google Social Media Harvest Onsite Info (Host s Authors) Zero Entry Hacking Methodology from Penetration Testing casts a wide net which brings about a focused attack upon the weaknesses. The objective of this methodology is basically the old quote knowledge is power. By evaluating the vulnerabilities, opportunities to expand the exposure are explored.. 2 Evaluate Info (Type, Programs Effected) 3 Target Vulnerabilities (Passwords Gain Access) 4 Scan Determine critical vulnerabilities Scan Vulnerabilities (wpscan port scan) ) Map Vulnerabilities (older legacy wp plugins) Exploit Determine how to leverage weakness in security Increase Privileges (Owner, Barriers, Action Steps) Leverage Position (other hosts, systems, databases) Maintain Access Implement Back Doors, Erase Evidence A BAD EXPOSURE IS LIKE A VAMPIRE, IT COMES BACK TO BITE YOU IN THE NECK 7

8 Potential Security Land Mines Interception of client credit card numbers Unauthorized access to the WordPress application Changing your website to offer Mythical and Mystical Pharma Overloading your website so it is not available any more. (DOS) Corrupting your customer membership data. Changing your website to show it can be hacked. Sessions are hijacked and orders are placed for which you can t recoup. Your backend database doesn t have any tables any more. Your admin password does not work. 8

9 Situation Assessment The complexities of managing and maintaining a website for business growth through content marketing is time-consuming. Business owners are hard pressed to find additional time to focus upon security issues. How can we be more proactive in our approach to security as the website is transitioned to the business owner? The strategy is to have security managed by resources with the right skill set and to assure all employees are a are of the security concerns to protect our data. Security management will help to establish guidelines and practices to manage risks according complexity and impact. Key Security Concepts around protecting information Confidentiality Our ability to protect our data and information from those who are not authorized to view it. Integrity Availability Our ability to prevent our data and information from being changed in a less than desirable manner Our ability to access our data at our convenience when needed. How do we assess security risks and manage them sagely? 9

10 Managing Risk 10

11 Risk Management Approach 1 Identify Risks Examine the Application and Technology Define Risk Context (Risk Management Plan) Elicit Risks (Interviews - SWOT Reviews) Describe Risks (Cause - Risk Impact) Risk management is key where interdependencies exist between technologies or when the risks from one technology raises other risks. The objective of risk management for your website is to have the right amount of risk intolerance to mitigate the circumstances which make the vulnerability exist. 2 Analyze Risks Assess likelihood, overall impact and determine criticality Ascertain Impact Span (Type, Programs Effected) Assess Risks (Consequences - Likelihood) Qualify Risks (Category - Criticality) 3 Manage Risks Determine how to handle and approved response Determine Approach (Consider Secondary Risk Impacts) Document Response (Owner, Barriers, Action Steps) Determine Urgency (Action Window, Impact Window) 4 Monitor Risks Re-Assessing Monthly Risk Review 11

12 Security Management EFFECTIVE SECURITY MANAGEMENT FRAMEWORK Establishing the rules of the game clearly and upfront STRUCTURE Having the right processes interwoven to ensure effective and efficient security management EMPLOYEES Having the right people execute their roles effectively POLICY CONTROLS PROCESS PRACTICE ENGAGE TRAIN 12

13 Policy and Controls Security Management Framework Gain Agreement on a security management plan with a standard tool set. Assure within policy and controls there is a transparent monitor of risks and escalations as needed. Key Actions: Conduct Business Impact Assessments for business online presence. Develop and Gain Agreement on a Business Continuity Plan for your Web Site Develop and Authorize a Security Policy Determine Security Oversight Process Develop a Security Management Plan Assure all critical risks have mitigation approaches 13

14 Security Management Structure Process and Practice Implement a Security Management Process for the crucial services which would have the most impact if they were sabotaged. Have risks assessed for all technologies and potential business impacts. Key Actions: Assign an Accountable Leader manage the critical risks. Audit the website Conduct a Disaster Recovery Test Implement processes to support security policy Conduct Risk Assessments with periodic reviews. Assign Risk Ownership and Accountability to empowered leaders and have written risk acceptance. Establish Quarterly Major Risk Reviews and Monthly Minor Risk Reviews Purchase Tools and Services to alleviate and manage critical risks. 14

15 Security Management for Employees Engage and Train Train our employees to have risk awareness. Assure employees have a similar toolset and vocabulary for security management. Key Actions: Implement a formal Security Management Training Program Offer a Training Webinar Conduct Brown Bag Question and Answer Sessions. Share discussions with other leaders Provide an escalation path for concern Develop Security Management Communications and Awareness Program 15

16 Security Management Tactics Technology Management Release Management Security Tools Access Management Assessing how much technology management and administration is going to need to be done. Planning which services are to be done inhouse vs outsourced. Planning for that mode and support. Staying Current on updates is critical. WordPress has an automatic upgrade, several plug-ins do not. After an update has been applied also have a standard test plan which checks form processing, design and content Currently in the WordPress Market Space there are two main types of tools Back Ups - Intrusion Detection Systems - Intrusion Prevention Systems - Spam Prevention - Two-Factor Authentication r Having appropriate safeguards for accessing crucial resources. Assure there is a good business process to elevate privileges and a review process at least twice a year to check on accounts and access. The consensus is that these four pillars of Security Management address risks and offer appropriate levels of management given the vulnerability of the exposure. 16

17 Technology Management - Hosting Shared Hosting Application Tools Dedicated Hosting Application Tools Managed Hosting Application Tools Application Application Application Scripting Scripting Scripting Database Database Database Web Server Web Server Web Server Linux Network Linux Linux

18 Technology Management -Backups What should I back up and When? Backups should be an automated process covering your files and databases. The backup should not be stored on the website. Key Actions: Determine how much you trust your host Conduct a test restore of some files with your host (particularly the wp-content folder) If there is a concern, consider another 3 rd party solution 18

19 Stay Current on Software Releases

20 Security Tools of the Trade Brute Protect is a network counterforce against Botnets. Once a malicious IP address is caught on one website. It is blocked from that Website and all websites under the protection of Brute Protect. Clef enables you to log in to WP via your phone. By lining up the barcode on your iphone with the barcodes on the screen. It also offers two-factor authentication. 20

21 Security Tools of the Trade ithemes Security runs a diagnostic check on your website and provides a list of actions to take to harden your WordPress security. Akismet is anti-comment spam solution constructed by the Automattic team. It stops comment spam. 21

22 Security Tools of the Trade WordFence Security helps prevent denial of service attacks. It will scan your site and share vulnerabilities. It can block ips for overly accessing admin, password-reset, 404 pages. You can also block countries. Sucuri.net will scan your site and remediate any malware or viruses if found. 22

23 Passwords are in their Fifties The computer password was invented in the 1960s so it's definitely out of date Fernando Corbató, the 87-year-old inventor of the password says it's 'become kind of a nightmare' TCP/IP Introduced DNS/BIND created DOS developed WordPerfect introduced Commodore 64 released WordPress Apple iphone y2k doom Rails x86 Hypervisor Packet Switching Networks First Mobile Phone Call Placed Unix Created TRS 80s released Linux Created Windows 3.11 PHP Introduced Apple Newton JavaScript Client/Server Computing 2010 Apple ipad introduced Raspberry Pi A released

24 Access Management Top Passwords password qwerty 5. abc Iioveyou 10. adobe123 How to get a good Password 1. Don t use passwords have another method thumbprint, two-factor authentication. 2. Have a complicated password. WordPress allows for PassPhrases. 3. Have a way to vet the user to the password when resetting. 24

25 Access Management Privileges Let s make better mistakes tomorrow! With Great Power comes Great Responsibility. 25

26 Security Management Checklist 1. Have a Security Checklist Every time a website goes out the door, have a Security Czar who reviews and assures there is limited exposure. Key Benefits: Quality Review Process Sales Tactic Provides an opportunity to incorporate learnings 26

27 Security Management Checklist 2. Provide a Security Policy Its really a matter of education and discussion to determine what works for your client. Key Benefits: Increase Understanding of risk and exposure. Key Discussion on what security tools to incorporate Backups, IDS, IPS Establishes a business practice. Guidance for user roles and practical usage of editors, authors, and admins. 27

28 Security Management Checklist 3. Remove Developer Left-Overs Turn off the development/test server and run through a planned and free form testing. Remove Developer Accounts. Key Benefits: Quality Review Process Assures there are not remaining links as you are handing the keys to the business owners. 28

29 Security Management Checklist 4. Setup Backups Establish a backup strategy and implement it. Also provide a physical USB copy of the website. Key Benefits: Establishes trust with the nontwitter generation. Performs the Last Mile of customer service. 29

30 Security Management Checklist 5. Consider an Intrusion Detection System Install WordFence, Sucuri or ithemes and configure it. Key Benefits: Establishes trust with the nontwitter generation. Performs the Last Mile of customer service. 30

31 Security Management Checklist 6. Check Plug-ins for Holes Get VIP Plugin Scanner on GitHub. The plugin itself is the library allows you to create arbitrary "Checks" (e.g. UndefinedFunctionCheck), group them together as Reviews (WordPress.org Theme Review), and run them against themes, plugins, directories, single files, and even diffs Key Steps: Checks out the files for you. Have someone do a code review. Check for large blocks of encoding 31

32 Security Management Checklist 7. Assure Initialization Finishing Touches Review the Security Checkpoints to assure the installation was completed. Key Steps: Update the wp-config Security Keys Validate the DB Prefix is NOT wp Enable SSL Login Enable auto-update for WordPress Minor Release Updates. Set File Permissions to 644 or 640. Set Folder Permissions to 755 or 750 Place the wp-config file wisely based upon hosting choice. 32

33 Security Management Checklist 8. Viewing is a privilege Review robots.txt and.htaccess to assure what needs to be open is open, and what does not need to be open is closed. Key Steps: Is it appropriate to lock down wp-admin? What should bots view in robot.txt Block access to wp-files in.htaccess 33

34 Security Management Checklist 9. Audit User Accounts Walk through an audit on the user accounts and why they are needed. Key Steps: Walk through who has access Confirm with site owner access is appropriate. 34

35 Security Management Checklist 10. Conduct a Penetration Test See ahead of time the vulnerabilities Key Steps: Hire a consultant D-I-Y (Kali and WordScan) 35

36 In Closing Key Take Away Points Pay it forward and share the knowledge Discern what works for the situation Invest the time upfront proactively What possibilities does this open up? Elyse Nielsen Insight Matters Feedback welcomed. 36