So my name is Victor. Victor Santoyo, welcome. I know most of us are probably still suffering from food coma syndrome after lunch. So I'm going to, if you find me speaking really loudly, a, it's in my nature, but b, it's intentionally to try and keep you guys awake. I know I was struggling with the food coma before I got here. If you don't know who I am, I am a fifth-time attendee to this conference, which is crazy thinking back on it, how far it's come. Spoken a few times. And in fact, if you saw me last year, I did an AMA session on just web security. What I do, part of security, we secure, monitor and protect websites for you and make sure they stay safe. And a lot of the questions I ended up getting last year were surrounding this idea about SSL: what it is, what type should I get, where should I get it from, those types of questions. So I figured there would be some value in allowing you guys to have a better understanding, if you haven't already, about what that is, SSL, HTTPS, and how it fits within security, if at all, right?

So for example, see if this is working. Okay. This is something I hear a lot about. SSL protects my website. All right. Something people read about: get a green padlock, go to a website, surely that website must be safe. But not so much. It's a trap. Let's slow up a second. Let's understand exactly what SSL does. One thing I can assure you of is SSL does not protect your website. All right.

So how many people have SSL or some form of HTTPS implemented on their sites currently? That's a good portion, but that's not everybody. How many people do not know how to implement SSL or what type they should get? This is just about an even crowd, right? So this is something, you know, it's going to be a really big trending thing, right? Google is going to be a big factor here in marking on SSL, are you protecting information, even if you're not taking payment. All right. So we're going to cover a few things.
Hoping these are the takeaways for you guys today. You know, what exactly is SSL? If you had maybe a misconception about it, how exactly does it fit in within a security workflow, right? What is it securing? If it's not my website, and if not SSL, then what will help defend my website? Because I know one thing we all don't want to be dealing with is hacks or compromises or anything like that.

So let's start back at this premise. SSL does not protect my website. What does it do? Well, SSL protects my data. It protects the information being sent to my website. So it's very different, right? It's not the website itself it's protecting, it's my data. But what exactly is that? So let's go through the formal definition of it, right? SSL, standard security technology, it's basically an encrypted link between the web browser and the server so that when data is passed through, that data is protected, right? That's the technical understanding of it.

But let's understand exactly first how that works, what types exist out there, and what you think would be the best SSL certificate for you if it's something you are looking to do as you put a new e-commerce site or website in general into production. So here are the types of certificates, right? This is generic information in terms of the validation levels, right? Certificates that are tied to a domain, might be associated with an organization, the types of hostnames associated with it. Is it for a single site? Is it for a number of domains? Would it be under a wildcard certificate for all your subdomain properties? There's a lot of different types out there. I'll probably describe this a bit generically over the next few slides so you have an understanding of what might be a good fit based on what your site might look like and what your configuration may be.

So first, level of validation? Well, that's a preference. Domain level certificates are essentially just a standard green padlock you'll see next to your URL in the browser.
Meaning, obviously, the browser trusts a certificate on your site, which will basically allow for information to be properly encrypted and sent to the server so that if anyone does steal that information in transit, no one can make sense of it. You may have others that are organizational based, more strict, which essentially are those types like if you go on paypal.com, not only is it a green padlock, there's an extended bar that says PayPal so you know that that certificate was issued specifically for that organization. Here's an example of that. People have gone through different websites, they've seen what that looks like.

Now, one thing to keep in mind as we go through this, and I'll be talking a bit on what customer data is, is that data can actually mean anything. It could mean, yeah, the standard understanding of SSL obviously is something an e-commerce site might have because you have credit card information being passed. But if you're a website that's collecting names, e-mails, phone numbers, just for maybe generic information through forms, well, that data is still sensitive. It's still personally identifiable to the user behind the browser. That's just as delicate information as someone's credit card information, right? Wouldn't want someone stealing e-mails and phone numbers and that particular bad actor spamming you for other means, right? So if your website is taking in even just names and phone numbers, SSL is something you have to absolutely consider.

So moving on, what types of certificates are there? Well, it depends on your URL structure, right? If you're going to have blog., you're going to have, let's say, other sub-sections for regional areas of the website, landing pages and such, make sure you have certificates that will cover those subdomains. If it's just a single domain that you're managing over, well, then a single domain certificate will be sufficient for you.
But just understand that before, let's say, going to any other, you know, whether it's your host, your managed provider, leveraging a tool like Let's Encrypt or something, understanding, okay, well, not only do I have my main site, I've got all these subdomains, so I've got to make sure I get those covered too.

Now, do the various certificates vary in terms of how they encrypt? Well, I mean, not necessarily. So there are various levels, but by minimum, for example, to accept credit card information, that's the minimum level bit encryption that you need established on the website. Most certificates these days probably will be set up on 56-bit encryption, and that's fine. You'll find that whether it's domain validated, organizational, or however you set it up, you can talk with that provider and let them know, hey, look, I just need to make sure that you guys are meeting a minimum of this level of bit encryption so that I know that I can process credit card information and the like. But for the most part, that's not something you have to necessarily worry about. People ask all the time, hey, what level of bit encryption are you utilizing? For the most part, it should be sufficient.

Now, we know what it is, how to set it up, rather, you know, what type I may need. But now that I go online, how do I understand how that ties into security? I thought SSL meant security. Well, it does, but it only encrypts that data that's being sent. But what is that, you know, I'm trying to understand that. So here's an example I use a bit, a lot. Imagine the ocean is the internet. You have all these people visiting, you have all these different islands, different areas, different servers. I want to navigate down this river to hit this closed lake of a website. And on that, I want to send information along this river to hit that closed lake, so it sits in that database, sits in that server. Well, if I have a top view of that environment, I can see everything going down that river.
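The subdomain-coverage point above, as an added example that is not part of the talk: given the hostnames a site actually serves and the Subject Alternative Names in a single-domain, multi-domain or wildcard certificate, it reports which hostnames would still throw a certificate error. All hostnames and SAN lists are constructed, and the matcher goes one step beyond the talk by encoding the browser wildcard rule (one label only, and the bare domain is not covered by `*.example.com`).

```python
"""Check which of a site's hostnames a certificate's Subject Alternative
Names (SANs) actually cover.  Added example, not from the talk; the
hostnames and SAN lists below are constructed sample data."""

import re

# One DNS label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def san_matches(san: str, hostname: str) -> bool:
    """Return True if one SAN entry (plain name or wildcard) covers hostname.

    Browsers apply the RFC 6125 rule: a wildcard replaces only the whole
    leftmost label, so '*.example.com' covers 'blog.example.com' but not
    'example.com' itself, nor 'shop.eu.example.com' (two labels deep).
    Partial wildcards such as 'w*.example.com' are treated as plain names
    and therefore never match.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if not all(_LABEL.fullmatch(label) for label in host_labels):
        return False                      # malformed hostname, never a match
    if san_labels[0] != "*":
        return san_labels == host_labels  # plain SAN: exact match only
    if len(san_labels) < 3:
        return False                      # '*.com' style wildcards are not allowed
    return len(host_labels) == len(san_labels) and san_labels[1:] == host_labels[1:]


def certificate_kind(sans):
    """Name the certificate type in the talk's terms."""
    if any(s.startswith("*.") for s in sans):
        return "wildcard"
    return "single-domain" if len(sans) == 1 else "multi-domain"


def coverage_report(sans, hostnames):
    """Map each hostname the site serves to the SAN that covers it (None if uncovered)."""
    return {host: next((s for s in sans if san_matches(s, host)), None)
            for host in hostnames}


def uncovered(sans, hostnames):
    """Hostnames that would show a certificate error with this certificate."""
    return [host for host, san in coverage_report(sans, hostnames).items() if san is None]


# Constructed: the hostnames one site serves (main site, www, blog, a regional shop).
SITE_HOSTNAMES = ["example.com", "www.example.com",
                  "blog.example.com", "shop.eu.example.com"]

# Constructed SAN lists for four certificates someone might buy for that site.
SINGLE_DOMAIN_CERT = ["www.example.com"]
MULTI_DOMAIN_CERT = ["example.com", "www.example.com", "blog.example.com"]
WILDCARD_CERT = ["*.example.com"]                   # no entry for the bare domain
WILDCARD_PLUS_APEX = ["example.com", "*.example.com"]


if __name__ == "__main__":
    for name, sans in [("single-domain", SINGLE_DOMAIN_CERT),
                       ("multi-domain", MULTI_DOMAIN_CERT),
                       ("wildcard", WILDCARD_CERT),
                       ("wildcard + apex", WILDCARD_PLUS_APEX)]:
        missing = uncovered(sans, SITE_HOSTNAMES)
        status = "covers everything" if not missing else "NOT covered: " + ", ".join(missing)
        print(f"{name:15} ({certificate_kind(sans)}): {status}")
```

Note that even the wildcard certificate leaves the bare domain and the two-level regional hostname uncovered, which is exactly the case to check before buying.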
So I can start copying down names, credit card information, because I know exactly what I'm seeing when I look over it if you're not properly encrypting that information. SSL's role in this is basically covering up all those boats along the way, so even if I had a top-level view of what was going on, right, hijacking the network and trying to see, I can't make sense of it because I don't know what's in there. That's SSL's role. It's not protecting the website itself, but rather it's just making sure that when data gets from point A to point B, if I take it, the attacker takes it, they still can't make sense of it because it's in an encrypted language they don't understand. Unless, God forbid, they hijacked your private key, and there's only so much we can do there. But that's the role there, right?

And another key thing to understand, when it comes to how web security flows, is that the data that's passing through there that we're encrypting doesn't necessarily mean that it's good data, right? If you have bad stuff flowing up the river, it will end up in the closed lake. If you have someone submitting information in there or a script being uploaded into the form, that's still going to get to the server, that's still going to get to your website. Your website may still be hacked, right? So SSL will encrypt it but doesn't really care what it's encrypting. So it's not validating anything yet. So that's one thing to keep in mind. I can encrypt the data, make sure it's cool, my good customer data is safe, but bad people can still come up and upload stuff. All right?

So let's think about the rest then. That's, for the most part, the short end of where SSL fits in with the security workflow, right? It protects the data, encrypts it, making sure that once it reaches its destination along the way, no one steals it. These are called man-in-the-middle attacks. But if not SSL, what does protect my website? Because I don't want my site hacked, much less my data compromised.
Well, that's a question people struggle with. They think, is it a plugin, do I harden, do I restrict access, is that a cloud firewall? Well, fact is, if you don't know, talk with people in the know. Have conversations with people at this conference, with your host, with your provider: I understand you guys are pushing SSL, I know I need one, but what I actually need is something to protect my website from infection, or from compromises, right? So obviously we want to defend against bad attacks, but it ultimately starts with you, right? You know, most people will say that their hosting provider is responsible for it, my developer is responsible for it, but if you are the administrator or owner of this website, you have as much a role in how to protect your website as anybody else. It starts with a strong password and the usual things you'll hear.

I'll speak more on exactly how to utilize defensive technologies, that'll be my focus here, and I'll include some steps at the end, but these are going to be the four core components to ensuring that your website is safe, right? Making sure that you are going through the proper patching and hardening techniques if you decide to do that on your own, right? If you have new vulnerabilities that get disclosed, or you're managing your own server, making sure you're taking care of that aspect of it. Making sure you're monitoring for malicious bots and IPs, things that seem out of the usual, you know, visitors that you don't want accessing your website, or you're just noticing the same IP coming over and over. A lot of plugins in WordPress will help you identify these things, or will alert you to, you know, my God, I got 50 emails last night about this IP continuing to hit my wp-admin, right?
Blocking attacks at layers 3, 4, and 7 may sound broad, but essentially the goal there is to defend against attacks that are executed at those layers, HTTP type requests, like a SQL injection that people might hear of, remote code execution, if you've heard of it before, those types of things that will inevitably lead to a blacklisting or something. Making sure you have something defensive in place, whether it's installed or a cloud solution, to protect against those attacks.

Now, you know, a lot of attacks will end up in defacements, right, people slapping their insignia on your website saying, yeah, I hacked you, this is what I did. Others might be trying to upload a script to just sort of break functionality, others might just be intentionally trying to target availability of the website. If you've ever been faced with these types of attacks, you know that what ends up happening is you get a lot of hits at that server, and if you're managing a server that might have a lot of websites on it, and all those websites are getting targeted the same way, I can assure you your CPU is going to kill you, right. You're going to see usage go up, eventually your website spins out, dies, and nothing really happened outside of the fact that people were just sending a bunch of malicious requests, dummy requests, to your website. So one other thing to keep in mind.

How do you do this? Like I mentioned, there are a lot of plugins that can help defend against this, or if you know yourself, techniques to learn about how to monitor for it, and then deny requests in place. Application firewalls are just an effective way of doing it.
Some providers will allow you to manage the rule set so you can implement your own denies in place based on, let's say, IPs you've already collected. Others take that work for you and might implement things like country blocking if your audience is more local and you don't need people from China accessing your website. So think about this, let's say you might be pushing a new site into production, or you have a website out there that just has an SSL and assumed incorrectly, right.

One thing I want people to leave with also in understanding is security's role overall, right. Doesn't matter what security mechanisms you have in place, who you're using, who you purchased it from. At the end of the day, bad guys have a different role than the security guys, in which we have to be right 100% of the time to make sure your website stays safe. And sometimes that can be out of our control: maybe using a bad password, some developer who was working on the project left their access open, never removed themselves, someone hijacked that access because somebody forgot about it, things like that. And the bad guys only have to realize that once, right. Once, the one time they do it is the one time they can get access, do what they want with your website, your hosting, like, shut down the account, you can't even access it, you're on vacation, stuff like that. So keep that in mind. You know, make sure you fully understand the potential implications of your website going down. If you're running an online store, that's going to be really crucial: what downtime to expect, what's the workflow in your hosting in terms of understanding what happens when you face a compromise.

So, other things you can do, here's the list. You know, it's pretty broad, but it'll be a good foundation if you don't have a really thorough understanding of how security is meant to play a role in the availability of your site. Passwords.
Not trying to beat a dead horse, but it's still an issue, people don't reset default passwords or stuff like that, so just keep that in mind. Use tools like password managers that will help you manage that more effectively.

Functional user and isolation of services, what is that? Does anybody know what that means? No. What that essentially means is making sure that you have users or people who have administrative roles or contributing roles to your website that will only do specifically what they're supposed to do. So you don't want to be giving everybody administrative access to your website, right? You know, you don't need that access if they only are there to perform a specific role. Isolate how you set up your website. If you're a developer, keep your development environment away from your production environment, away from wherever you're, you know, setting up your backups. It doesn't seem practical, doesn't seem efficient, but if somebody hacks the main production website, they probably hack the backups. Thus backups are useless, okay?

Maintain visibility, right? You can use plugins that have, like, monitoring tools or anything so you can be notified of an issue before it gets completely out of hand, right? Protect against website attacks with some kind of a web application firewall. Mentioned man-in-the-middle attacks, right? It's the one thing about making sure that customer data is protected. If PCI is a big concern for you, it checks off those two first items there in your SAQ, so you know that you are implementing something. If you're monitoring and keeping up with these things and securing information, you'll also check off the next few in that PCI DSS, all right? Mentioning number five and number six, of course, if you're receiving information, any kind, data, credit cards, whatever, SSL certificates are the way to go. And then, of course, know who to call when there's an emergency.
In some cases, you may think you're going to escape by, yeah, I'll just throw an SSL on there, but I'll use the most basic package my host has to offer or something. I'll be fine. But if something goes wrong, your site goes down, know who to call to help you understand it, whether that's a friend who's a developer who can go in, review the code, maybe do some, you know, code vulnerability assessments, or simply knowing which service will be ideal for you so when your site does get shut down and it's blacklisted by Google, you don't have to start wondering, okay, well, there's like 8,000 security vendors out there, who do I pick? Have it in place, have the card ready, so you know, oh, site's hacked, I know I need to go there, and they'll take care of it for me. And sometimes, just that recovery plan by itself will save you a lot of trouble.

So hope you all took away something from this, right? Understanding how SSL actually fits in, what it does and does not do, and then exactly what you can do to make sure your website stays safe. So that's our blog. We post a lot of good resources in terms of just educational pieces on more things like what is a WAF, how do I understand what expectations I can expect from my host about security, and more specific things for developers. This is my Twitter if you want to follow me. Otherwise, I think I'm good on time. So if you have any questions, by all means, let's go.

Most hosting providers will have a pretty good handle on the certificate they use. If it is a concern for you, where you just don't want to risk the certificate of other domains, because they'll use things like, well, I don't want to speak on them, but there are other types of shared certificates for domains that get clumped in. There are other free resources out there. Speak to your host about what those can be. Let's Encrypt is an option if you know how to implement that, or ask your host about it.
There should be some flexibility in that, and if not, there are options that are cost effective or otherwise free that might make you feel better about utilizing a certificate that is specific to that domain.

Keep a backup of your backups. Use what your hosting gives you. That's obviously a really good direct option. You can just go into your panel or whatever and restore from there. But I would even just find another resource out there and back up to that as well. Another issue you might run into is, let's say, the latest backup that you need is corrupted. You run into issues there. I subscribe to two backup environments, and even so, the ones I use are both off-site, meaning they're not set up wherever my website is. So just keep that in mind. Not even necessarily just for security reasons, but simply just sometimes a backup fails, doesn't execute properly; at least you have something else that is a bit more recent that will save you when you're in a tough spot.

Broad question. He asked what do you use to remove malware. I mean, if you understand it, there are some tools that will, like, you know, like monitoring tools that will pick up on signatures and identify the files to you that were compromised. We have like a lab that has access to that library basically of signatures and associating them with the types of malware that maybe are faced specifically. Then you can use that to maybe try to figure that out on your own. Otherwise, I mean, there are some other tools out there or vendors that will clean that out for you and report back, like a report on what file was compromised, so maybe it's like a one-time thing or whatever, and then you can just keep it for reference if it's a recurring issue. If it is a recurring issue, implement a defensive strategy. The last thing, you know, cleaning up a hacked site once it's been hacked doesn't mean that the attacker doesn't know to go right back in there and do it again. If you cleaned it up, cool.
But the attacker is probably going to swing right by in a couple of days. Your gate is still open, and they'll just throw the same trash out there. Make sure. I avoid answering those questions sometimes. Ask me the second question after the session. In terms of the first, you're going to find that there are a number of vendors out there that will provide you the same three similar components, right? Monitoring to maintain visibility, so it's just done automatically and you don't have to worry about it. Protection using their own web application firewall, so it defends against attacks and you have some kind of proactive layer. And they'll also include some kind of incident response service, meaning you have a team that will be available at all hours to help clean out malware or, you know, whatever their approach is. I would make sure that as you investigate these vendors and vet them out and see which one is the best fit for you, understand things like, you know, exactly what support availability they have. What are your preferences for supporting things like that? Because I know when people, when sites get hacked, their first inclination is to get it up right away. You've got to get somebody on the phone right away, when not every security vendor will do that. You know, just understanding those expectations is going to be key. If you want, you can ask me after about the second thing, I can provide some more clarity on that.

Any other questions? Yes. What about them? Oh, self-signed. The trouble with self-signed certificates is not so much in the certificate, well, I mean, I guess I suppose it isn't that, but the browsers won't trust them. You know, Chrome, Firefox, they just won't trust those certificates and they're going to serve an error, and then, you know, people will log on and they'll see, if you noticed that yellow padlock error page earlier with the website, meaning it's just not trusting that certificate. I would avoid them if it's something that you were going to do.
I mean, there are free services out there. I mean, I know I keep using Let's Encrypt, but just, you know, it's just an option for people who want to do it. But if you are with a hosting provider that offers them, speak with them. Talk about what the options are, and, you know, the last thing you want is to implement an SSL certificate that's not valid, that's serving errors, and then that's going to cause concern for people visiting your website. Oh, that's weird. Why wouldn't the certificate be valid? Maybe I shouldn't submit my information here.

Any other questions? Cool. So if you have anything else, feel free to just come to the front and, you know, I can answer anything else more specific. I know there's still ice cream downstairs, so I know I'm eager to get some as well. Yeah. So do us a little bit of flavor. But in any case, thank you for the time.