WordPress Security – Managing Risks Sagely
Today’s Cool New Features are Tomorrow’s Security Risks
Presented by Elyse Nielsen
Presentation Purpose
The purpose of sharing this information is to give you an opportunity to:
1. Raise your risk awareness regarding your WordPress site.
2. Share security practices which are used to mitigate risk.
3. Provide some basic security tactics to manage risk.
A Bit about Me
Portfolio Manager with Ascension Information Services with IT Organizational Excellence. Managed the establishment of the Security Service Delivery Line for Ascension. I formerly worked as a Director of Information Services at Albany Medical Center in Upstate NY, which all culminates in extensive experience in technology & project management.
Certified Project Management Professional (PMP) by the Project Management Institute and a Certified Professional in Healthcare Information Management Systems (CPHIMS) by HIMSS.
Working with WordPress since 2007. Blogging since 2003.
Best WordPress Site Established – Back in 2005 implemented a site for a family to share the outcomes of a child with leukemia.
Recent Work is more a passionate hobby (might be a business
Interesting Jeopardy
• About how many websites exist on the internet today?
• What percentage do you think is WordPress?
• How are most attacks accomplished?
Image: AnonGhost’s mark on SaratogaCountyNY.com on August 9th this year.
Your Website
Diagram: your website as a layered stack – Scripting, Database, Web Server, Application, Application Tools, Operating System, Network. Labels: Outside Threat, Linux, Database, Applications, Plugins & Themes.
The first impression to build trust with your customers.
Swiss Cheese Risk Assessment
Diagram: Zero Entry Hacking methodology in four steps.
1. Recon – Gather information on the target. Define the target. Gather offsite info (Google – Social Media). Harvest onsite info (Host – Emails – Authors).
2. Scan – Determine critical vulnerabilities. Scan vulnerabilities (wpscan – port scan). Map vulnerabilities (older legacy WP – plugins).
3. Exploit – Determine how to leverage a weakness in security. Target vulnerabilities (Passwords – Gain Access). Leverage position (other hosts, systems, databases). Evaluate info (Type, Programs Affected).
4. Maintain Access – Implement back doors, erase evidence, increase privileges (Owner, Barriers, Action Steps).
The Zero Entry Hacking Methodology from penetration testing casts a wide net which then narrows into a focused attack upon the weaknesses. The objective of this methodology is basically the old quote "knowledge is power": by evaluating the vulnerabilities, opportunities to expand the exposure are explored.
Zero Entry Hacking
Interception of client credit card numbers
Unauthorized access to the WordPress application
Changing your website to offer “Mythical and Mystical Pharma”
Overloading your website so it is not available any more (DoS)
Corrupting your customer membership data
Changing your website to show it can be hacked
Sessions are hijacked and orders are placed for which you can’t recoup
Your backend database doesn’t have any tables any more
Your admin password does not work
Potential Security “Land Mines”
The complexities of managing and maintaining a website for business growth through content marketing are time-consuming. Business owners are hard pressed to find additional time to focus upon security issues. How can we be more proactive in our approach to security as the website is transitioned to the business owner?
The strategy is to have security managed by resources with the right skill set and to assure all employees are aware of the security concerns to protect our data. Security management will help to establish guidelines and practices to manage risks according to complexity and impact.
Key Security Concepts around protecting information
Confidentiality – Our ability to protect our data and information from those who are not authorized to view it.
Integrity – Our ability to prevent our data and information from being changed in a less than desirable manner.
How do we assess security risks and manage them sagely?
Situation Assessment – Managing Risk
Diagram: risk management in four steps.
1. Identify Risks – Examine the application and technology. Define the risk context (Risk Management Plan). Elicit risks (Interviews - SWOT – Reviews). Describe risks (Cause - Risk – Impact).
2. Analyze Risks – Assess likelihood and overall impact and determine criticality. Assess risks (Consequences - Likelihood). Qualify risks (Category - Criticality). Determine approach (Consider Secondary Risk Impacts).
3. Manage Risks – Determine how to handle the risk and approve the response. Determine urgency (Action Window, Impact Window). Ascertain impact span (Type, Programs Affected).
4. Monitor Risks – Re-assess in a monthly risk review. Document the response (Owner, Barriers, Action Steps).
Risk management is key where interdependencies exist between technologies or when the risks from one technology raise other risks. The objective of risk management for your website is to have the right amount of risk intolerance to mitigate the circumstances which make the vulnerability exist.
EFFECTIVE SECURITY MANAGEMENT FRAMEWORK
Diagram: four pillars of Security Management – Structure, Policy & Controls, Process & Practice, Employees (Engage, Train).
Having the right people execute their roles effectively
Establishing the rules of the game clearly and upfront
Having the right processes interwoven to ensure effective and efficient security management
Security Management – Policy and Controls
Gain agreement on a security management plan with a standard tool set. Assure within policy and controls there is a transparent monitor of risks and escalations as needed.
Key Actions:
Conduct Business Impact Assessments for business online presence.
Develop and Gain Agreement on a Business Continuity Plan for your Web Site
Develop and Authorize a Security Policy
Determine Security Oversight Process
Develop a Security Management Plan
Assure all critical risks have mitigation approaches
Security Management – Process and Practice
Implement a Security Management Process for the crucial services which would have the most impact if they were sabotaged. Have risks assessed for all technologies and potential business impacts.
Key Actions:
Assign an Accountable Leader to manage the critical risks.
Audit the website
Conduct a Disaster Recovery Test
Implement processes to support security policy
Conduct Risk Assessments with periodic reviews.
Assign Risk Ownership and Accountability to empowered leaders and have written risk acceptance.
Establish Quarterly Major Risk Reviews and Monthly Minor Risk Reviews
Purchase Tools and Services to alleviate and manage critical risks.
Security Management for Employees
Train our employees to have risk awareness. Assure employees have a similar toolset and vocabulary for security management.
Key Actions:
Implement a formal Security Management Training Program
– Offer a Training Webinar
– Conduct Brown Bag Question and Answer Sessions. Share discussions with other leaders
– Provide an escalation path for concerns
Develop a Security Management Communications and Awareness Program
The consensus is that these four pillars of Security Management address risks and offer appropriate levels of management given the vulnerability of the exposure.
Technology Management – Assessing how much technology management and administration is going to need to be done. Planning which services are to be done in-house vs outsourced. Planning for that mode and support.
Release Management – Staying current on updates is critical. WordPress has an automatic upgrade; several plug-ins do not. After an update has been applied, also have a standard test plan which checks form processing, design and content r
Security Tools – Currently in the WordPress market space there are two main types of tools – Back Ups - Intrusion Detection Systems - Intrusion Prevention Systems - Spam Prevention - Two-Factor Authentication.
Access Management – Having appropriate safeguards for accessing crucial resources. Assure there is a good business process to elevate privileges and a review process at least twice a year to check on accounts and access.
Technology Management - Hosting
Diagram: the same stack (Scripting, Database, Web Server, Application, Application Tools, Linux, Network) shown for Shared Hosting, Managed Hosting and Dedicated Hosting.
Technology Management - Backups
Backups should be an automated process covering your files and databases. The backup should not be stored on the website.
Key Actions:
Determine how much you trust your host
Conduct a test restore of some files with your host (particularly the wp-content folder)
If there is a concern, consider another 3rd party solution
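The automated backup and the test restore described above, as an added shell example that is not part of the presentation: WP_ROOT, BACKUP_DIR and DB_NAME are assumed names, the backup lands outside the web root, the database dump runs only when mysqldump is installed, and GNU sha256sum is assumed for the checksum.

```shell
#!/bin/sh
# Added example (not part of the presentation): back up the WordPress files
# and database to a directory outside the web root, then prove the backup
# restores. WP_ROOT, BACKUP_DIR and DB_NAME are assumed names; the database
# dump is skipped when mysqldump is missing, so the file part runs anywhere.
WP_ROOT="${WP_ROOT:-/var/www/html}"          # hypothetical WordPress install
BACKUP_DIR="${BACKUP_DIR:-/srv/backups/wp}"  # never a path under WP_ROOT
STAMP=$(date +%Y%m%d-%H%M%S)

# wp_backup <wp_root> <backup_dir>: archive wp-content (themes, plugins,
# uploads) plus wp-config.php, dump the database when possible, and record
# a checksum so a damaged or altered archive is noticed. Prints the archive.
wp_backup() {
  root=$1; dest=$2
  mkdir -p "$dest"
  tar -czf "$dest/files-$STAMP.tgz" -C "$root" wp-content wp-config.php
  if command -v mysqldump >/dev/null 2>&1 && [ -n "${DB_NAME:-}" ]; then
    mysqldump --single-transaction "$DB_NAME" | gzip > "$dest/db-$STAMP.sql.gz"
  fi
  ( cd "$dest" && sha256sum "files-$STAMP.tgz" > "files-$STAMP.sha256" )
  echo "$dest/files-$STAMP.tgz"
}

# wp_test_restore <archive> <relative path>: verify the checksum, extract to
# a scratch directory and confirm the given path came back. Prints ok/fail
# and returns 0 only when the restore works.
wp_test_restore() {
  archive=$1; probe=$2
  dir=$(dirname "$archive"); name=$(basename "$archive" .tgz)
  ( cd "$dir" && sha256sum -c --quiet "$name.sha256" ) >/dev/null 2>&1 \
    || { echo fail; return 1; }
  scratch=$(mktemp -d)
  tar -xzf "$archive" -C "$scratch"
  if [ -e "$scratch/$probe" ]; then
    rm -rf "$scratch"; echo ok; return 0
  fi
  rm -rf "$scratch"; echo fail; return 1
}

# Run as "sh backup.sh run": back up, then check the uploads folder came back.
if [ "${1:-}" = "run" ]; then
  wp_test_restore "$(wp_backup "$WP_ROOT" "$BACKUP_DIR")" wp-content/uploads
fi
```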
Security Tools of the Trade
Brute Protect is a network counterforce against botnets. Once a malicious IP address is caught on one website, it is blocked from that website and from all websites under the protection of Brute Protect.
Clef enables you to log in to WP via your phone by lining up the barcode on your iPhone with the barcodes on the screen. It also offers two-factor authentication.
iThemes Security runs a diagnostic check on your website and provides a list of actions to take to harden your WordPress security.
Akismet is an anti-comment-spam solution constructed by the Automattic team. It stops comment spam.
WordFence Security helps prevent denial of service attacks. It will scan your site and share vulnerabilities. It can block IPs for overly accessing admin, password-reset and 404 pages. You can also block countries.
Sucuri.net will scan your site and remediate any malware or viruses if found.
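The blocking rule just described for WordFence (too many hits on admin, password-reset or 404 pages from one IP) is the kind of check an intrusion-prevention tool runs over the web server log; here it is as an added shell/awk example, not code from the presentation or from WordFence, over constructed sample log lines in Apache combined format with the threshold as a parameter.

```shell
#!/bin/sh
# Added example, not from the presentation or from WordFence: the kind of
# rate check an intrusion-prevention plugin applies, here run over web
# server access-log lines. Flags any client IP whose requests to the login
# page, the password-reset action, or URLs answered 404 reach a threshold.
# SAMPLE_LOG is constructed sample data in Apache combined log format.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [09/Aug/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Aug/2014:10:00:07 +0000] "GET /old-page HTTP/1.1" 404 512 "-" "scanner/1.0"
198.51.100.4 - - [09/Aug/2014:10:00:08 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "scanner/1.0"
198.51.100.4 - - [09/Aug/2014:10:00:09 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2800 "-" "scanner/1.0"
192.0.2.9 - - [09/Aug/2014:10:00:10 +0000] "GET /about/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Aug/2014:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)

# flag_abusive_ips <threshold>: reads log lines on stdin, prints "ip count"
# (sorted) for each client whose suspicious hits reach the threshold.
flag_abusive_ips() {
  awk -v limit="$1" '
    { ip = $1; url = $7; status = $9; hit = 0 }
    url ~ /^\/wp-login\.php/    { hit = 1 }   # admin login attempts
    url ~ /action=lostpassword/  { hit = 1 }   # password-reset requests
    status == "404"              { hit = 1 }   # probing for missing files
    hit { n[ip]++ }
    END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }
  ' | sort
}

# sample_offenders: run the check over the constructed log, three hits or more.
sample_offenders() { printf '%s\n' "$SAMPLE_LOG" | flag_abusive_ips 3; }
```

A real deployment would feed the live access log (for example through tail -f) and hand the flagged addresses to the firewall or the plugin's block list; here the sample log keeps the check self-contained.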
Timeline diagram, 1970 to 2010, with these milestones:
• Packet Switching Networks
• First Mobile Phone Call Placed
• Unix Created
• TCP/IP Introduced
• DNS/BIND created
• DOS developed
• WordPerfect introduced
• Commodore 64 released
• Linux Created
• Windows 3.11
• PHP Introduced
• Apple Newton
• JavaScript
• y2K doom
• WordPress
• Rails
• x86 Hypervisor
• Apple iPhone
• Apple iPad introduced
• Raspberry Pi A released
Passwords are in their Fifties
Fernando Corbató, the 87-year-old inventor of the password, says it's 'become kind of a nightmare'.
The computer password was invented in the 1960s, so it's definitely out of date.
Access Management – Top Passwords
1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123
How to get a good Password
1. Don’t use passwords; have another method – thumbprint, two-factor authentication.
2. Have a complicated password. WordPress allows for passphrases.
3. Have a way to vet the user to the
Access Management – Privileges
Let’s make better mistakes tomorrow!
With Great Power comes Great Responsibility.
Security Management – Checklist
Every time a website goes out the door, have a Security “Czar” who reviews and assures there is limited exposure.
Key Benefits:
Quality Review Process
Sales Tactic
Provides an opportunity to incorporate learnings
Security Management – Checklist
2. Provide a Security Policy
It’s really a matter of education and discussion to determine what works for your client.
Key Benefits:
Increase understanding of risk and exposure.
Key discussion on what security tools to incorporate – Backups, IDS, IPS
Establishes a business practice.
Guidance for user roles and practical usage
Security Management – Checklist
Turn off the development/test server and run through planned and free-form testing. Remove developer accounts.
Key Benefits:
Quality Review Process
Assures there are no remaining links as you are handing the keys to the business owners.
Security Management – Checklist
4. Setup Backups
Establish a backup strategy and implement it. Also provide a physical USB copy of the website.
Key Benefits:
Establishes trust with the non-twitter generation.
Performs the Last Mile of customer
Security Management – Checklist
5. Consider an Intrusion Detection System
Install WordFence, Sucuri or iThemes and configure it.
Key Benefits:
Establishes trust with the non-twitter generation.
Performs the Last Mile of customer
Security Management – Checklist
Get VIP Plugin Scanner on GitHub. The plugin itself is a library that allows you to create arbitrary "Checks" (e.g. UndefinedFunctionCheck), group them together as Reviews (WordPress.org Theme Review), and run them against themes, plugins, directories, single files, and even diffs.
Key Steps:
It checks out the files for you.
Have someone do a code review.
Check for large blocks of encoding.
Security Management – Checklist
Review the Security Checkpoints to assure the installation was completed.
Key Steps:
Update the wp-config Security Keys
Validate the DB Prefix is NOT wp
Enable SSL Login
Enable auto-update for WordPress Minor Release Updates.
Set File Permissions to 644 or 640.
Set Folder Permissions to 755 or 750
Place the wp-config file wisely based upon hosting choice.
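The security checkpoints above can be verified mechanically before hand-off; the following read-only audit is an added shell example, not part of the presentation. It assumes a hypothetical WP_ROOT path, GNU find for -printf, and three facts about WordPress itself: wp-config-sample.php ships its keys as 'put your unique phrase here', the default table prefix is wp_, and FORCE_SSL_ADMIN and WP_AUTO_UPDATE_CORE are real wp-config.php constants.

```shell
#!/bin/sh
# Added example, not part of the presentation: a read-only audit of the
# installation checkpoints above. WP_ROOT is a hypothetical path. Facts relied
# on: wp-config-sample.php ships its keys as 'put your unique phrase here',
# the default table prefix is 'wp_', and FORCE_SSL_ADMIN / WP_AUTO_UPDATE_CORE
# are real wp-config.php constants. Needs GNU find (-printf) and grep -E.

# has_define <wp-config.php> <CONSTANT> <value regex>: true when defined so
has_define() {
  grep -Eq "define\([[:space:]]*'$2'[[:space:]]*,[[:space:]]*($3)[[:space:]]*\)" "$1"
}

# check_wp_config <wp-config.php>: one finding per line, nothing when clean
check_wp_config() {
  cfg=$1
  grep -q "put your unique phrase here" "$cfg" \
    && echo "KEYS: security keys/salts are still the sample placeholders"
  grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg" \
    && echo "PREFIX: database table prefix is the default wp_"
  has_define "$cfg" FORCE_SSL_ADMIN true \
    || echo "SSL: FORCE_SSL_ADMIN is not true, so logins may travel in clear text"
  has_define "$cfg" WP_AUTO_UPDATE_CORE "true|'minor'" \
    || echo "UPDATES: WP_AUTO_UPDATE_CORE is not true or 'minor'"
  return 0
}

# check_permissions <wp_root>: files should be 644/640, folders 755/750
check_permissions() {
  find "$1" -type f ! -perm 644 ! -perm 640 -printf "FILE: %p is mode %m\n"
  find "$1" -type d ! -perm 755 ! -perm 750 -printf "DIR: %p is mode %m\n"
}

# audit <wp_root>: print all findings; returns 0 only when there are none
audit() {
  findings=$(check_wp_config "$1/wp-config.php"; check_permissions "$1")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Run as "sh audit.sh /path/to/wordpress" (hypothetical install path).
if [ $# -gt 0 ]; then audit "$1"; fi
```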
Security Management – Checklist
Review robots.txt and .htaccess to assure what needs to be open is open, and what does not need to be open is closed.
Key Steps:
Is it appropriate to lock down wp-admin?
What should bots view in robots.txt?
Block access to wp-files in .htaccess
Security Management – Checklist
Walk through an audit on the user accounts and why they are needed.
Key Steps:
Walk through who has access
Confirm with site owner access is appropriate.
Security Management – Checklist
See the vulnerabilities ahead of time.
Key Steps:
Hire a consultant
D-I-Y (Kali and WordScan)
In Closing
Key Take Away Points
• Pay it forward and share the knowledge
• Discern what works for the situation
• Invest the time upfront proactively
What possibilities does this open up?
Elyse Nielsen
• Insight Matters – Feedback welcomed.