A Practical Security Framework for Website Owners
Download as PPTX, PDF0 likes423 views
The document discusses the security challenges posed by websites, emphasizing that the simplification of the online process has led to lower technical aptitude and increased security issues. It highlights a layered approach to security, the need for risk management, and identifying common threats such as weak credentials and software vulnerabilities. Additionally, it advocates for focusing on critical risks rather than a checklist mentality and outlines various risk mitigation strategies for website owners.
A Practical Security Framework for Website Owners
- 2. Tony Perez perezbox VP of Product Management GoDaddy Security Business Sucuri Co-Founder
- 3. US Department of Homeland Security GRIZZLY STEEPE 2016 Joint Analysis Report (JAR)
- 4. Spring of 2016Summer of 2015 EmailWebsite Delivery Mechanisms
- 5. They could use websites as an attack vector via a technique known as water-hole attack. They could depend on our curiosity as humans to click on something. (links are meant to be clicked, attachments opened) Attackers in both scenarios knew…
- 6. There is an exponential growth event expected in the world of websites. Facilitated by the emphasis being placed by platforms to make the process of getting online even simpler.
- 7. Process simplification simplifies the process of getting online, but lowers the technical aptitude. The lower the technical aptitude the more security issues we can expect.
- 8. “Give a person a tool, secure them today; teach a person to think, secure them tomorrow."
- 10. website owners
- 13. We must look at not introducing a new security approach, but rather improving our approach.
- 14. “Attackers are successful not because we’re technically incapable, but because we are behaviorally weak."
- 15. A Layered Approach to Security
- 16. Defense in Depth
- 17. “Defense in Depth subscribes to the ideology that there is no single solution that ensures 100% protection."
- 18. The layout and design Of Beaumaris Castle, 1295. Early employment of a Defense in Depth strategy. Beaumaris Castle Map
- 21. Access Control We like to use a Blacklist approach because we believe it to be more convenient. All IPs Adding Deny Rules for latest batch of Bad IPs Bad IP Blacklisted
- 22. Access Control Non-Whitelisted IPs Verified IPs All IPs Alternatively, we employ a Whitelist approach. Instead of focusing on all the bad, we focus on the good.
- 24. Cyber Criminal Trifecta • Highly motivated • Technology that exponentially improves their success rate • Criminal supply chain where information can be shared, exchanged and sold amongst themselves.
- 25. Top 5 Threats Weak Credentials Software Vulnerability Poorly Configured Environment Third-Party Integrations Site Availability
- 26. Weak Credentials • Creatures of habit. • Same credentials across all systems. • Don’t update their passwords. • Never think it’ll happen to them. • Think of themselves as being unique.
- 27. Software Vulnerability • Do not update. • Not capable of keeping up with all the attack vectors. • Do not maintain or administer their web environments. • Resources are limited.
- 28. Poorly Configured Environment • Manage soup kitchen servers. • Do not employ functional isolation. • Do not leverage least privilege principles. • Employ configurations that are most convenient for themselves.
- 31. “Today’s attacks are automated and target low-hanging fruit. Don’t be low-hanging fruit."
- 33. A Practical Approach to Security Instead of focusing on every possible scenario, we focus on the ones that are most important to us as an organization.
- 36. Never use a Checklist Mentality It’s not about doing x, y, and z.
- 37. Risk Management It’s about risk reduction, not risk elimination.
- 38. Three Risk Considerations We must Clearly Define Scope Risk will NEVER be Zero Risk is a Continuous Process
- 39. Risk Management
- 40. 5 Risk Mitigation Options: Options Association Website owner decides that this risk is too high with storing credit cards, decide to discontinue storing card information locally. Avoids risk. Website owner deploys security controls to mitigate risks; deploy a firewall to combat exploit attempts, patch out of date software, etc... Remediates risk. Website owner chooses a third-party to collect and process credit card information. Transfers risk to third-party. Website owner acknowledges a vulnerability exists, but it’s low severity and only exploitable if the user is an admin. Decides to accept risk. Risk Avoidance Risk Remediation Risk Transference Risk Acceptance
- 41. Brochure Site Social Platform Health Application Ecommerce • Ensuring they protect their brand is important • Probably don’t want to get blacklisted by Google if SEO is the game. • Availability is probably very important. • Ensuring a safe experience for your users is high on the list of requirements. • Want to ensure their user information is safe. • Encryption at rest and in transit are very important. • Safe keeping of health information is high on the list. • Regulations like HIPPA are of the utmost importance. • Encryption at rest and in transit are very important. • Safe keeping of the payment flow and payment data is very important. • Safe keeping of the customer data is high on the list of requirements. • Your site being available is probably pretty important. • Regulations like PCI are of utmost importance. A Risk Thought Exercise
- 43. IDENTIFY Category Subcategory Asset Inventory & Management • Web Properties • Web servers / infrastructure • Modules / extensions • Third-party integration / services • Access points / nodes
- 44. PROTECT Category Subcategory Protective Technologies • Cloud-based Firewall • Application-level Firewall • Server / Application Hardening
- 45. DETECT Category Subcategory Continuous Monitoring • Server level monitoring • Application level monitoring • User access monitoring • Change and integrity monitoring
- 46. RESPOND Category Subcategory Analysis & Mitigation • Deploy an incident response team • Develop an incident response report • Mitigate effects of an event
- 47. RECOVER Category Subcategory Recovery Planning • Review the output of all phases, document, and deploy updates to the processes. • Team review of all findings.
- 50. A Framework for Websites, built on NIST
- 51. Leverage a Sensible Framework Create an Inventory of Your Assets Implement Security Controls Revisit the Process Repeatedly Actively Administer and Manage
- 52. Security is a Continuous Process
- 53. Thank You!I’d be happy to take your questions.
Editor's Notes
- #3: My name is Tony Perez. I go by perezbox online. I am the VP of Product Management in GoDaddy’s Security Business unit, and one of the Co-Founders of Sucuri.
- #9: Now let’s pay special emphasis on the human factor..
- #15: Now let’s pay special emphasis on the human factor..
- #16: In security, we have had this old metaphor where we relate security to an onion.. It’s designed to correlate the idea that there is no single solution approach, but instead the deployment of multiple complementary controls that make up a good security posture..
- #17: It’s better known as Defense in Depth and for most this concept should not be foreign and yet it’s rarely something we employ. To put it into context, one of the biggest mistakes I see with organizations is that they say Oh the tools I use employ Defense in Depth, or a vendor might say that as well.. But that’s a fundamental misunderstanding of the concept.. Organizations can employ a defense in depth approach in the development and management of their organizations, but defense in depth is an approach you have to employ. So for those that use Sucuri, we don’t give you defense in depth, we complement your defense in depth posture.
- #19: The roots of of defense in depth can be traced to the military as far back as 1295. Via this design, you can see how the architects of the castle employed multiple defensive “controls” throughout their design to help mitigate external attacks. From the moat to create separation from the exterior walls, to the additional interior walls, to the multiple watch towers (all with overlapping fields of view), while also restricting access to one point of entry.
- #20: When we take this same concept and apply to our world of web applications we extend it not only to look at the depth of the controls we employ, but include the breadth of our attack surface and various security domains. Too often though we stop short by focusing one very small part of the attack surface.. Or perhaps we only employ one very specific domain.. (e.g., Monitoring Only, Protection Only).
- #21: To help balance things, we must begin to employ a Secure by Default mindset. Instead of focusing on all the possible scenarios, working with an impossible environment. We need to focus on two things: Defining Our Scope Reducing Our Scope
- #22: A perfect illustration of how something like this works is to look at our Access Control.. We like to use a Blacklist approach because we believe it to be more convenient. We employ tools to help us throttle the incoming requests, in the worst case scenarios we actually spend time adding Deny rules to our application for the latest batch of bad IP’s. It’s like staying dry while standing in front of a broken fire hose. It’s practically impossible, you’re always behind. You’re playing catch up. Alternatively, we employ a whitelist approach. Instead of focusing on all the bad, we focus on the good. We restrict access to environments that we’ve identified to be good. We can do this via VPN’s, Proxy configurations, or dynamic with whitelist links that allow you to pass your latest IP to the application.
- #23: A perfect illustration of how something like this works is to look at our Access Control.. We like to use a Blacklist approach because we believe it to be more convenient. We employ tools to help us throttle the incoming requests, in the worst case scenarios we actually spend time adding Deny rules to our application for the latest batch of bad IP’s. It’s like staying dry while standing in front of a broken fire hose. It’s practically impossible, you’re always behind. You’re playing catch up. Alternatively, we employ a whitelist approach. Instead of focusing on all the bad, we focus on the good. We restrict access to environments that we’ve identified to be good. We can do this via VPN’s, Proxy configurations, or dynamic with whitelist links that allow you to pass your latest IP to the application.
- #24: It’s better known as Defense in Depth and for most this concept should not be foreign and yet it’s rarely something we employ. To put it into context, one of the biggest mistakes I see with organizations is that they say Oh the tools I use employ Defense in Depth, or a vendor might say that as well.. But that’s a fundamental misunderstanding of the concept.. Organizations can employ a defense in depth approach in the development and management of their organizations, but defense in depth is an approach you have to employ. So for those that use Sucuri, we don’t give you defense in depth, we complement your defense in depth posture.
- #25: We have cyber criminals that are both highly motivated, technology that exponentially improves their success rate and worse yet, we have a defined criminal supply chain where information can be shared, exchanged and sold amongst themselves. It’s the perfect trifecta of time, motivation and resources.
- #26: To help illustrate my point around people.. Let’s spend some time to understand the top 5 threats we’re faced with. A majority of the compromises we deal with stem from one of the following: An attacker exploits weak credentials abusing the access control mechanism; An attacker exploits a weakness in the code, a software vulnerability; An attacker exploits a poorly configured environment, lateral movement; An attacker exploits a third-party integration, malvertising; An attacker exploits the availability of your site; If we dive deeper into each of these, I think we’ll find some common denominators…
- #27: Attackers exploit weak credentials, abuse your access control.. People are creatures of habit. People use the same credentials across all systems. People don’t update their passwords. People never think it’ll happen to them. People think of themselves as being unique.
- #28: An attacker exploits a weakness in code, a software vulnerability: People do not update. People are not capable of keeping up with all the attack vectors. People do not maintain or administer their web environments. People resources are limited.
- #29: An attacker exploits a poorly configured environment, lateral movement; People manage soup kitchen servers. People do not employ functional isolation. People do not leverage least privilege principles. People employ configurations that are most convenient for themselves.
- #30: An attacker exploits a third-party integration, malvertising; People rarely know what third-party integrations they are supporting. People are unclear if the integrations they have are authoritative.
- #31: An attacker exploits the availability of your site; People do not invest in redundancy and failover. People never believe it’ll happen to them.
- #32: Now let’s pay special emphasis on the human factor..
- #33: Lastly, I believe that what we lack is an effective approach to managing our security. To account for this, I want to leverage a simplified version of the NIST security framework, adapted for our web environments
- #34: This approach is a practical approach to security. Instead of focusing on every possible scenario, we focus on the ones that are most important to us as an organization. It’s not to say the others aren’t important, it’s that we can only focus on so many things. Once we have a good system in place to account for our initial goals (being that security is continuous) we revisit our approach and expand upon it.
- #35: Instead, approach it practically. If everything is important, than nothing is. As with most things, it comes down to the basics.
- #38: First, security is about risk management. Specifically, it’s about risk reduction, not risk elimination.
- #39: There are three things to remember about Risk: We must clearly define scope Risk will never be zero Security is a continuous process
- #40: Risk management is an ongoing process of identifying, assessing and responding to risk. To achieve this, an organization must understand the likelihood of an event occurring and the impacts if it does.
- #43: When you put it together, this is what the framework looks like and using the structure we just defined we can start filling in the table.
- #53: For instance, Security has never been about only “technology.” Yet, we see it as a solely technical problem. Instead it’s about People, Process and Technology. Without the people and processes, technology itself is dumb. If you buy the latest firewall, but don’t configure it, what good is the firewall? Some might laugh or scoff at the idea, but within our own platform about 40% of our own customers purchase and don’t configure the technology. They later suffer a compromise and their response is - “but I bought the technology”.