Good morning everyone. My name is Tony Perez. For those that don't know who I am or what I do, I go by PerezBox online: you can find me at perezbox.com, perezbox on Twitter, perezbox on Facebook, perezbox on LinkedIn. I think you kind of get the trend there. I'm the VP of product management over at the GoDaddy security business unit. It's a brand new business unit responsible for security for website owners specifically. It's a recent organization that was stood up during the acquisition of Sucuri, which is one of the companies that I co-founded and I was previously the CEO at.

A lot of the information that I'm going to be sharing today is based on my experience working in the website security domain for a little bit over the past six, six and a half years, working with thousands and thousands of business owners, everyone from the smallest blog owner to the largest of organizations, from folks using WordPress, folks using Drupal, folks using .NET applications. It doesn't really matter. So I'll be basing a lot of my opinions on that, and I'll be pushing some of my own ideology, and you can walk away and be like, "That guy is crazy." That's all right; I mean, I respect that.

So for those that don't know what Sucuri is: Sucuri is a security platform that we developed about seven years ago, designed to provide a suite of tools to website owners, and we focus around three core areas: protecting websites from external attacks, detecting issues, and providing incident response in the event of a compromise. That being said, we're not really going to talk much about that, and in fact I'm going to contradict myself a little bit. We built a solution for website owners to help with their security posture, but in reality our product isn't for everyone, and we realized that along the way. And the reason it isn't for everyone is because I think as website owners we kind of think of security in the wrong way. We try to fit it into the same box, when it really isn't. We can't approach it the way we do everything else. And we normally approach it from a technological perspective: what technology, what configurations, what solutions do I need to be deploying? But the fact is that in many instances we're not really prepared for that. We're not really prepared to deploy the right technology because we're not really asking the right questions. And so we'll deploy a solution, we'll have organizations purchase our product, and they'll go six months without configuring it, and then they'll get compromised. "Oh my god, but I bought this product!" And I'm like, "Well, why did you buy the product? What were you trying to mitigate? What were you trying to achieve?" And in many instances they don't know. There's a lot of bureaucracy, there are all these organizations trying to, nobody knows who to communicate with, who's the real owner when it comes to security. You talk to the security guy, and the security guy says, "That's it, I don't want anything to do with that, right? That's PHP-based, I don't want that, that's not going on my network, that belongs to the marketing group." The marketing group says, "But I'm just a marketer, I just want to push my content out, right?" And then a compromise happens, the brand gets affected, and then everybody gets involved. Then the executives get involved and they're like, "Hey, who's responsible for this?" And then the security guys come into place, like, "Oh, we're gonna lock it all down," right? But unfortunately we're just not having the right conversation.

And so I want to kind of change that dialogue a little bit. So instead of sitting here and telling you all the various configuration changes you need to be doing, all the articles you should be reading around blocking certain things, I want to take it up a level and talk about security a little bit more holistically, right? I'm going to talk a little bit more about principles, things that I believe we should all be thinking about, and mindsets that we should be deploying when we're thinking either about processes we want to implement or any controls we want to deploy within our stack, and hopefully we set the same tone across the entire discussion.

The very first thing I always like to start with is that security is not a static state, yet we always treat it that way. "Oh, what are today's threats? Oh, what are we talking about today? We're talking about DDoS. Oh my god, Dyn got taken down, Twitter was down, right? Holy shit, I got to prepare for DDoS." Listen, when was the last time you got DDoSed? "I don't even know what DDoS is." So why are you so concerned about it? "Oh, because I just read it on TechCrunch and I got to be worrying about that." I'm like, okay, well, sounds good, let's plan for that, I got a solution for that, right? And that's traditionally how vendors will take it. You go to the latest RSA: last year it was identity access management, this year everybody does DDoS. And I'm like, how is this even possible? How is it that last year you were a professional, an expert in identity access management, and then this year you know everything about DDoS? I don't understand how that's going on. But then as business owners we go in and we're like, "Okay, well, these are the latest things that I'm hearing about, this is what we need to deploy." We need to kind of change that mindset, and we need to understand security is always going to evolve, and it has for many, many years. And if we're always thinking about what's happening today, we're always going to be two steps behind, right? Because the attackers are that much further ahead.

Of course, in security we have this big challenge. This is the biggest challenge that I have when I talk to organizations: we're not a revenue-generating function, right? Nobody really likes to talk about security until they have to talk about security. You go to your executives like, "Oh, we need to invest in security." "How much do you need?" "Oh, I need a million dollars." "Yeah, I'll give you 50,000." Awesome. And then you get hacked. "How did we get hacked?" "Well, we don't have the resources,
we don't have the people, we don't have the knowledge, we don't have all this stuff." "Why don't we have all this stuff?" "Well, because we don't make any money." "Well, we need to fix that." Okay. Next quarter comes around, you're no longer focusing on it anymore, because now it's out of sight, out of mind, right? Your availability isn't affected anymore, you're not distributing malware anymore, right? And so it's a very difficult conversation that we have.

This is compounded by the issue that the threats are growing at an exponential rate relative to the knowledge and resources that we have available to us, right? The people that actually understand what security is about, and what we need to be thinking about, and how we need to be communicating, is a lot less than the growth at which these platforms are going online. If you think about how the open source applications have dramatically infected the internet ecosystem, right? Look at the WordPresses, the Drupals, the Joomlas: they have facilitated a new type of website owner, a new website owner that doesn't understand the nuances of IT security, or security, or IT in general. Most of them: "Where do you host?" "I host on Google." How do I even begin that conversation? Like, I don't think Google hosts your site, right? And so that is an example of the challenge that we have. And so as a community we have to come together, we need to start having better conversations. It's not about us coming up here and telling people what they need to be configuring; it's about us educating them on the concepts and the principles around security.

We have to understand that it's all about timing and resources and motivation, and the attackers have all of that, especially today. Today there's an elaborate supply chain available to attackers: people can go on the dark web, sell their solutions, sell their exploit kits, get it up online, and they can make money really fast, right? With the explosion of online applications such as Drupal and WordPress and Joomla and all these open source solutions, we've created this new ecosystem that allows attackers to more easily exploit environments. Look at what happened with the DNC hack. What do we learn from the DNC hack? Well, it wasn't an elaborate attack. It was exploitation of everyday websites that many of you will use, that were being used maliciously to phish into the network. There's nothing fancy about that. Like, I wish I could come up here like, "Oh, look at this crazy thing." Right now, it was a little WordPress site that got exploited, and they were being served, you know, phishing attacks. And you know phishing is the number one way to get into environments these days. And so our websites are a critical piece to a much larger internet ecosystem, with much more drastic impacts around the world, and we're seeing that every day. And so the way I look at it, it's not about presenting new concepts, but rather just about expanding our existing approach to security, right? What does it really entail?

And the second thing I always like to introduce is kind of: while technology is a critical piece of security, it's really about the people, the process, and the technology, right? The technology by itself is dumb. I told you a story a minute ago about organizations that come deploy our solution and then they still get compromised. About 40 percent of our customers never configure the product. Why is that? Why do they go, they buy it, and then the minute they buy it they feel that they've got the solution that they required? Did it check all the marks in their checklist? "Oh, it does DDoS mitigation. Oh, it provides incident response," right? They're forgetting that without the people and the process, the technology is usually pretty dumb. You buy a firewall, you deploy it, but you don't configure it, and you allow all. That's awesome, you know, you have a really expensive pass-through, right? The people go in and they identify: what am I trying to mitigate? What am I trying to understand? What is my website about? And so we have to work together to try to bridge that divide. We have to bridge the divide between the knowledge that we have and the knowledge that the environment in which we work with has, and in many instances there's a very, very big divide.

So as we're talking about it, I'm a big believer in the layered approach to security, right? Many of you will know it as defense in depth. It's always synonymous with onions because of the multiple layers, right? And the idea is that there are complementary layers that work together to ensure that if something fails, we're prepared in some way or shape. There's never one single solution that will prevent us from being compromised. We should always assume that at some point we will be compromised. It's not about if, it's when. And when I talk about defense in depth, I was doing some research on this and kind of figuring out how far back it goes, and in fact it goes all the way back to 1295, in the original designs of castles. And what's really interesting, and why I like this illustration, is because you can see how the architects were thinking about protecting their castles, right? What you don't see is outside of the moat: what they would do is that they would actually clear all the trees for about a hundred, two hundred yards so they can see any enemy advancing. They would then create a moat, and they would only have one access point, down here at the bottom, and that access point would be where everybody comes in. And so you would have to pass the clearing, you would have all the towers shooting arrows at you, right? You would have to cross the moat, that was deep, and then you would only have one access point. If you reached the outer wall, that was backed up by an inner wall, so you would get over the outer wall, you would be in that middle area there, and then you would have an inner wall that's even higher than the outer wall, and thicker, so if they
break down one, they have another layer, and then they would have defensive positions within the castle itself, right? This is how they thought about physically protecting their castles. And the last thing you don't see in here either, outside of the clearing, is that the castle would actually be raised as well. So the land around it would be at one level and the castle would be raised, so not only would they have to cross the moat, but they would have to climb additionally. That's a really, really interesting thing. And what I would challenge you to do is, I would challenge you to go back and think about your security posture and what are the layers that you're deploying. And when you're doing that, don't just think about defense in depth, which is what you traditionally hear, but think about defense in depth and defense in breadth. What does your entire attack surface look like? In many instances, when we talk about website security, we stop at the application, but the attack surface is that much greater. You have your local environment, your desktops. How many of you actually look at that? You have the application, of course, the things we have to do, the configuration there. You have the server, the infrastructure, the people aspect of it. And I'll be spending a lot more time on the people as we move forward, but on the server and infrastructure, we were briefly joking about this at GoDaddy security, right? But who's the responsible person for your server? Do you have a shared account? Do you have a VPS? Have you had a dialogue with your server, or whoever manages your server, whether that's an internal property, whether that's a host? Do you truly understand who's responsible in the event of an incident? And do you understand the differences in incidents, the difference between network-based incidents versus application-based incidents versus an account incident? And are you prepared to respond to it in the event that there's an issue? You should be asking yourself these questions and going back to your organizations and asking them, and saying, "Hey, what do I have for the various layers of security, and what are the controls that we've deployed to address them if they ever come up?"

We're going to go through a little bit of an exercise, and I'm going to talk about the top five threats as I perceive them, and I may be wrong. This is not an argument; these are my beliefs, right? So weak credentials, of course: a lot of us, you know, we use bad, bad, bad username and password combinations. Exploitation of software vulnerabilities. Poorly configured environments. Third-party integrations. And site availability. Those are kind of the top five things that I see, and that we see, and that we believe to be the challenges, whether you're a small organization or a large organization, right? It doesn't really matter. And I really hope that a lot of these aren't new; these should be common to you. But what I'm going to talk to specifically is what we call the human factor, right? How do we as humans fit into each of those layers, or into each of those threats? And when I talk about the human factor, I'm referring to what I call layer 8, or the weakest link. This is the OSI model, in case no one is familiar. And in many instances, when we think about security, we're deploying security at any one of these layers, right? Either at the application, the presentation, the session layer, whatever it may be. We're thinking of it in those terms. But why aren't we thinking about the people aspect? Why aren't we talking about the human factor associated with each one of those layers? For instance, let's look at weak credentials. What's the real problem about weak credentials? Is it that we're getting brute-forced, or is it that we're using weak credentials, bad passwords? We're creatures of habit. We have bad behavioral problems. We use the same credentials across all our systems. I bet you many of you in here have multiple accounts and you have this one password. Like, "It'll never happen to me. I use it on social, I use it on my Wells Fargo account, I use it on my Drupal account, I use it on my GitHub account. That's okay, because it'll never happen to me." That's just our habit. It's what we do. We don't update our passwords. There'll be a major leak. "That's okay, that's an old password anyways." Little did you know that you just had that one variation: "I added that asterisk two years ago, so I'm good now."

Same thing with vulnerabilities: we don't update, for a variety of reasons. Maybe our organizations don't allow us, maybe our change control processes are too stringent, right? Maybe we just don't know that there's an update available; we got too much shit going on. Poorly configured environments: this happens to a lot of integrators and designers and developers. You stand something up really quick: "Oh, I'm just gonna stand it up to test something, I'll come back and delete that later." You deploy, you configure it in production, and you forget about it. This happens in smaller organizations, not so much in larger organizations where they have stringent control processes, right? But we still have a habit, even on the large production environments, where we'll leave modules or extensions or plugins in our environment that we just forget about. We never use it anymore, but we never go back to this continuous process to figure out: should we remove this? Is it still applicable? How many people log into their application and say, "What are these modules I have? Like, has nobody cleaned this up? Who's responsible for this?" Third-party integrations: who actually knows what libraries they're using, and whether they're coming from authoritative sources? How much attrition do organizations have? Who's keeping track of that? Or do we use our sites to serve up ads? Have we ever had a conversation around malvertising and the threats that that introduces? In many instances the answer is no. Site availability: does this really matter to you? Do you need to have your site up all the time, or do you not? What are the impacts if the site goes down, and what have you done to
plan for that? I have this little thing, right: attackers are not successful because we're technically incapable, but because we're behaviorally weak as humans. When you really think about it, we don't spend enough time talking about it internally amongst ourselves, or even presenting and talking about it with groups. Everybody can go online and find the top eight, ten things that we should be doing. Everybody can go online and figure out what are the top 15 modules that you actually deploy for security, and we check those boxes off. And in many instances we place all our energy on the protective side. The problem is that it doesn't fit the ideology of defense in depth. The ideology is that there is no single solution that will ever ensure a hundred percent protection. Once we accept this ideology, and we realize that it's an okay thing, it's not like, "I can't believe you just said I might get hacked." It's just the reality in which we live. We have to remember that as defenders we have to win every time. And in case you guys are wondering, anybody who watches Game of Thrones, just a quick aside: you know when Jon Snow's standing there and all the horses are running at him in the last season? That was the motivation for this image, right? Just wanted to share that. But anyways, the idea is that we have to be right every single time, and the problem is that there's a lot. It's like standing in front of a fire hose and you're trying not to get wet. And so we have to kind of change this dialogue a little bit. We have to start looking beyond just the protective layer, and we have to start looking at it a little bit more completely. Start looking at, okay, we invested in our protective layers, but how are we continuously monitoring our environments? How do we understand if we do have a problem? How do we know what the indicators of a potential compromise are? As humans we are our best solutions. So you may configure your solution to identify if somebody is logging in, or to log when somebody logs in, so now I have a log every time somebody logs in. But does the system know if it's right or wrong? In many instances you as the website owner do. If you're in LA and somebody's logged in from Shanghai, is that good or bad? You have to dictate that as a business unit. And then the question becomes, why can Shanghai log in anyways, if they're not part of your organization? Those are the ways we need to be thinking about it. In fact, in the enterprise world, Gartner came out with an estimate that about 60 percent of organizations will be switching their focus from protection to detection and response. What that means for us in this industry is that it'll probably be another five, ten years before we start thinking about it. That's kind of like our cycle: whatever the enterprise does, we'll start doing, you know, five, ten years later, and be like, "I can't believe this is happening, this has never happened to anybody." But in reality it is happening. And so we have to try to curb that divide a little bit with the enterprise and say, what are they doing, and why are they doing it, and doesn't it apply at this level, and how can we deploy it at this level?

So we've talked about the knowledge gap, right: failure to employ basic security principles. We've talked about the human factor: failure to account for the biggest vulnerabilities. And then the investments, the improper balance of that. And so what can we do, right? And so the easiest way I like to think about it is, we need to employ this approach of security by default in almost everything we do. And this is more of a mindset, right, more than a configuration change, but I will present it to you from a technology standpoint to hopefully try to provide you a better analogy of what I'm talking about. In case you're wondering, I have an hour, right? So we got time.

So let's think about access control for a moment, right? Let's think about how we traditionally do this. And in many conversations we have, even here on the show floor, when we talk about access control, we say, "Hey, well, what are you doing?" "Well, you know, how can I get the latest list of blacklists? How can I get the latest list of IPs that I can blacklist and apply it? How can I get the latest list of bad bots?" And like, latest list as of when? Right now? How about right now? How about right now? How about right now, right? And the idea there is to show it's continuously changing, and how are you accounting for that? Every time you deploy something, by the time it goes to production it's already out of date, okay? And so instead of taking this blacklist approach, where we have to invest all this energy to identify and parse through all the IPs, "Doesn't match my IP," and then pass it through, and then you have this opportunity of false negatives, like, "Ah shit, that was a bad IP, oh, let me put it back into my cycle," then you have all these resources going through this process. Why are we really not taking a whitelist approach? Why aren't we just blocking everybody and allowing the known goods? In many instances we're doing it not because we can't; it's because it's inconvenient for a lot of folks. "Oh, you don't understand how this functional unit is. I can't introduce a new process for them to click a link to whitelist their IP. It's impossible. You don't understand, they're old dogs, can't teach them new tricks." That's generally the conversation. The same thing applies for passwords. Why are people still creating their own unique passwords, with the plethora of password managers in the market right now? And everybody supports it, for the most part, except for banks, because banks are ridiculous, and I don't want to get into that conversation. Why is it that they're not using password managers? No one should know their password. I don't even know what else to say about that. But the same thing applies to this. But now we start seeing the secure by default mindset, where it's like, hey, explicitly block everybody and allow only the ones you know. And it's not that difficult to set up
a VPN. It's not that difficult to set up a SOCKS proxy. It's not that difficult to educate. We had an organization of 110 people, 40 of them marketers and salespeople and administrators, and we taught them remotely, right? People are intelligent; we just have to take the time and invest it in educating them. And what happens when we do this? Well, we reduce the threat landscape. Now I'm no longer worrying about all the attacks coming in; I'm just worrying about the known goods. Who whitelisted? Were they traveling, were they not? Versus trying to account for everyone.

Software vulnerabilities, right? The common theme we always hear about in almost every security talk is update, update, update. And then you're sitting there like, "Dude, you have no idea how hard it is to update. You don't know what I have to go through. I have to write a five-page justification, it has to go to this change board, the change board has to ask me 150 questions why we're still using this application, and I still haven't got to the update process." And a small business is, "I didn't even know there was an update to make," right? That is the reality. So while it's really easy for us to go back and say, "Hey, you should update," it's actually really hard to implement that. And so what I anticipate is that as we continue to move forward, cloud-based technologies are what's going to facilitate that. Technologies like virtual patching, virtual hardening, that is the direction we're going to go. Why? Because it removes that process. We no longer have to worry about what's going out there; they're already existing. We no longer have to worry about going through the process of updating our production environment, because now I have three, six months to do that, because our virtual patching technology is addressing that for us. And so when we look at how that applies, we're employing the secure by default approach. And if we apply this mindset, you'll find that you can apply that everywhere. It's not just how you IP-whitelist your access control, but it's how you access and function within your servers. Basic concepts like functional isolation fall into this world: the idea that everything does what it's supposed to do, but nothing more. Concepts like least privilege: give people access for only the things that they require, for the time that they require it, and only that time. Basic principles that fall under the secure by default mindset. And if we start thinking like that, what we immediately start seeing is like, "Man, why do I have all these processes in place? By implementing this one thing I can address 15 processes. I can reduce resources, I can reduce overhead, I can reduce cost."

We have to remember that security is a complex thing, right? We can't think of it from a checklist perspective. Unfortunately, when we look at things like FISMA and FERPA and PCI and HIPAA, they approach it from a checklist perspective. They're not saying, though, to employ a checklist mentality; they're simply providing you a guide to complement your security posture. But as organizations we deploy it from a checklist mindset, like, "I bought a firewall. I didn't configure it, but I bought it. Check. I'm PCI qualified." So let's not do that. Let's leverage checklists, let's make them part of the process to help guide us, because it's a very complex environment, but we cannot think of security that way. In this process, what we need to start doing is we need to start prioritizing. This is a common theme; if you talk to any of my team members, they'll be like, they hate my Tony-isms, right? And they're like, "Oh, I have 150 ideas." "Like, if everything's important, then nothing's important." They're like, "I hate you," right? But it's the same exact thing. "Oh, we need to deploy for DDoS, we need to deploy for vulnerabilities, we need to deploy for this." If everything's important, nothing's important. Focus on one thing, finish that, move on to the next, right? What is the most important thing for your organization? And so when we have the ability to do that, a simple way to approach this is through risk management. And what's interesting is that security's always been about risk management, right? But specifically about risk reduction, not risk elimination. Again, it's not about us never getting hacked; it's about, when we get hacked, are we prepared for that? Risk management specifically is about identifying what the issues may be, assessing what the impact of those issues may be, and then putting together a response for those issues: is it a valid issue or is it not? When we think about it, we want to think about three specific things. We want to clearly define what our scope is, right? What are we really concerned about? We want to understand that it will never be zero, so it's okay to have some risk. And we have to remember that it's a continuous process. And if we keep these three things in mind, we can kind of go through a little bit of a thought exercise, and so that's exactly what we're going to do.

Let's think about a brochure site for a second, right? PerezBox, for instance. PerezBox, maybe a nice little brochure site, I throw out some of my ramblings on random stuff on security and business. You know, maybe for me it's a branding issue. Maybe my biggest risk is getting blacklisted by Google. I don't want to get blacklisted by Google. I don't make any money on it, but it will look really freaking bad if my site on security gets blacklisted by Google, right? So maybe I need to look at that. Maybe I need to implement some solution that tells me, how does Google see my site? Am I distributing any malware, right? That's going to be how I approach the risk perspective. Maybe we're a social platform. Maybe to be successful as a social platform you could never go down. Can you imagine you have a social platform and it's down 15 minutes every other hour? That'd be kind of sad, right? So maybe availability is more important than anything else. Maybe we're a health application. Shit, now we start getting into this world, we got to
worry about things like HIPAA we're storing sensitive information right we got that kind of stuff I don't give a shit if my site goes down I just can't get my information stolen and if it gets stolen they can't do anything with it so I can't just be talking about encrypting shit in transit I got to be thinking about encrypting stuff at rest right oh the big mama e-commerce right we got all kinds of problems going on there right our risk posture just increased dramatically in this process we need to be thinking about our goals what do we what do we want to achieve our goals tell us what we're trying to mitigate against right I don't want people to intercept my sensitive information if I got e-commerce site so what am I going to do to achieve that how am I going to address exploitation of vulnerabilities I don't want to get hacked and I know exploitation of vulnerabilities is the big thing so how am I going to do that how am I going to protect my brand reputation right those goals will help us okay well how am I moving towards that direction now what you notice is I'm not talking to you about every other threat out there you open up OASP top 10 got 257 267 different threats vulnerability potentials out there I can't worry about all those things I'm worried about the specific things that are pertinent to me as an organization I'm not saying that they're not important but again if everything's important then nothing's important let's take a practical approach to security instead of focusing on every possible scenario we'll look at the things that are most important to us as an organization an interesting way to do this is I was doing some research and I always hate presenting new concepts I like to leverage existing concepts and the National Institute of Standards Technology came out with a framework for improving critical infrastructure and cyber security what's interesting in it is that they made it very simple because the infrastructure critical infrastructure is so 
complex and it's so dated that they had no choice but to go simple so when you read it it's like holy crap it's so simple it works for everyday website owners that's amazing and this is what it looks like there's a bunch of pages in this document and this is what it boils down to right here right there's five core functions that you need to be thinking about there's a number of categories and guess what you can define what your own categories are within each of those functions and then a series of sub subcategories within each then if there's any informative reference so it's like hip-hop fisma for butter any other acronym you want to throw and there's some resources that you want to be referencing you add it in there and what's great is this is a very very simple framework that you can do for every site before you go live and it starts to address all the pieces that we just discussed so let's kind of go through that process let's talk about the identification function let's assume that our categories asset inventory management the one thing that we all fail at right because most of us don't know how many domains we have let alone how many modules we have let alone how many integrations we've done right so let's start there how many web properties do you have who where is your web server if you got hit by a bus today would somebody actually know where you're hosting we laugh because we realize how fucked up a situation it is when we go through this process we identify these things protection what the hell are we protecting or application awesome you protected your application good for you did you protect your server whoa what I gotta protect my server too right by having this conversation on the identification phase we now understand what we need to be protecting what are we monitoring what do we care about are we caring about who's logging in are we caring about bots that are scanning our sites are we caring about are we being blacklisted we don't even know so by 
identifying the things that we care about, we now understand what process we need to implement and what solutions we need to look at to help us achieve that.

Response: again, assuming that it'll always happen someday, what will you do if you got hacked right now? Who do you talk to? Many of you won't have an answer to that. What you'll do is like, oh my god, oh my god, what do I do, what does Google tell me? You go to your trusted advisor, right, identify the top 10 organic ranks, maybe click a couple ads, somebody's gonna fix this for me, right? But if we take a moment to step back and think about it and we have a plan in place: if I get hacked, okay, I'm gonna go to Pantheon, they told me they're gonna take care of this for me, or I'm gonna go to BlackMesh, I'm gonna go to whoever it is that you're hosting with, or I'm gonna go rip my developer a new one. But you know what, just having that name on there makes you feel good, like, I'm gonna hold that little dude accountable, right? But at least somebody else, if you ever get hit by a bus, knows how to account for that.

Recovery plan: of course we have to be in a constant state of learning, so what are we going to do once it's done? I never want to deal with that again, and move on? Or, what happened, where did we go wrong, was there a risk that we didn't account for, do we need to add that into our cycle, do we need a better plan, right? So it's not a matter of just mitigating the risk, but then it's about pushing them back into your cycle so that you're prepared for it in the future. You know how much it sucks to get hacked by the same thing every other month? That's just annoying.

And when it's all done, you have this nice little matrix, and there's no restriction on the number of categories or the number of subcategories that you might have, right? That's on you as an organization to define. But I would encourage you to restrict the functions, don't move beyond that, because it's too easy to get compliance involved, it's too easy to get the security group, and
they get crazy, like, oh, we gotta add this too, that's too simple, right? We love to complicate things, but in reality being more simple is in our interest. And then you just put this in a nice little matrix, and you can start very high and go more granular as you go through. What does it look like for your entire web ecosystem, and then what does it look like for each of the domains, right? Some people only manage a few domains, so it's not that difficult. Some people that have a large organization, it might take a little bit more time, but it's an investment worth going through. And then it's a continuous process. It's not, again, it's not a checklist. You don't just do this and be like, whoo, never gonna touch this again. No, you should be going through this process on a constant basis. Put up a little plan. Does it hurt to just open a security document once a quarter? Is it still valid? Yes, whoo, right? Are my risks still the same? Well, I went from a brochure site to an e-commerce site, I might want to reevaluate my security posture, right?

So what does it all look like, all this stuff that I just threw at you guys, right, all this noise, my goodness? Use a sensible framework. Don't get caught up in all this noise you hear about complexity, right, you gotta do all these crazy things. No, something as simple as what we just discussed in the past 40 minutes. Create an inventory, for the love of Christ. I hate talking to organizations that don't even know what they have. How many organizations? I don't know, I must have a thousand or two thousand, nobody knows that, and then you do research and they add a hundred, like, or it's the reverse: I only have 10, you do research and they have a thousand, you're like, where do I even begin with you? Implement, implement the controls. Again, don't just do this framework and be like, whoo, I'm done with security, and you walk away but you never implement any of the controls you just did. Then, like, I don't, why are we on the opposite end of this now? To really administer
and manage your site, come up with basic cycles, once a week, once a quarter, once a month, whatever it is that you require as an organization, and just go back and check. The worst thing is to have logs and activity and be monitoring everything, but then never really monitor it. Everybody tracks all these logs, but nobody ever looks at it, and I can say, why are you tracking the logs, right? Revisit the process continuously, in some cycle, whatever that may be. And when it comes down to it, this is what it looks like, nice and basic, right? And then if you want to dive into specific controls and all that stuff, that's great, that's a conversation for the day, and we can go hours on that, right? But we can't even begin to have those conversations until we've started this conversation. You cannot start looking at solutions like mine or any of my competitors or anything like that until you have a basic understanding of security. If not, you're just wasting your time. And so with that, my name is Tony. I apologize if I yelled at you too much, I apologize if I cursed too much, but I go by Perez Box online, and I'm open to any questions.

Kind of, yeah, sure. First off, thanks for the talk, this is great. And second, you talked about people being essentially the weakest link, and one of the problems I've had is people, as you try to tighten the controls on them, they have that friction, and then they find other ways that are in some sense worse. The two examples you gave were the not letting users set their password, well, then they email their password to themselves, or, like, using a whitelist, well, then they travel and they don't tell IT that they're traveling, and they come and, you know, and then you find out you overhear them calling someone on the phone, giving them their password over the phone so they can log in from the office, because, you know, they didn't bother getting that taken care of. Is there, do you have any sort of broad strategies or even specific things for dealing with preventing people from
having worse strategies, or even measuring, measuring if those behavior changes are causing more harm, or are, you know?

The thing, the hardest thing of that question is this is a behavior problem, right, and I'm not a psychologist, so it's very difficult for me to talk to that specifically. But what we like to think, though, is, at least what we do is, when we implement our controls, we like to be just as sneaky and be like, well, how are they going to break this, right? And it's not about making it harder, but it's about educating them, right? But it's hard, like if somebody travels and they don't tell you they're traveling, and they call their guy and the guy gives them their passwords. I like to believe that through awareness and education, and by empowering the individuals with knowledge, they're going to make the right decisions. In some instances there's only so much we can do, right, and so they're going to do that, and it's going to be a tough one. I don't have a good answer for that, unfortunately. If a user doesn't want to comply, they're not going to comply, they're always going to find a workaround. I don't know, I don't know, I'm open to anybody's recommendations or thoughts and things that other people have done.

Well, and that's exactly right, yeah, it's a good point, right? Security has to come from the top down, right, it can't go from down up, it'll never work. So if your leadership isn't bought in to the things that you're trying to do, it'll be very difficult for you to implement anything. So the best thing, unfortunately, is if leadership is bought in and you're going to buckle down on it, and somebody does it, some form of reprimand, termination, or something like that, watch how fast everybody gets in line. They're like, oh, they're not messing around. The more they, it's like your kids, right? You tell them no, they do it again, you tell them no, you never do anything, you never punish them, they'll just keep doing it. You keep telling them no. When you take that
iPhone away, like, yeah, what's up now? Go in their Minecraft, destroy their city, and see what's up, right? Yeah, and what, I know, I'm just saying. Absolutely, it's not about, we have a very bad habit of saying no because you're just so overwhelmed. It's like us when we work with our customers, you get the same question every day, like, how many times can you ask me this question? Little do you know that it's actually a new guy asking you the question every time, right, but you just deal with it every time. So as professionals we have to be like, okay, let's understand what's going on through their mind and their experience. Sometimes it can suck, but to his point, there's always a softer approach, and we need to break this barrier of, oh, I just go to IT, they'll say no, because that's when they come up with other solutions. But if we become part of the problem solving: what are you trying to do? Okay, okay, using my secure-by-default approach, how can I achieve that for you? How can I help you do what you're trying to do? That's all they want to do is do their job. How do we make it easier for them while still complying with this concept?

It almost sounds like there's, like, in the cycle of implementation and review, there's almost a cycle, a portion that needs to include education or communication. Oh yes, oh yes, thank you. Yeah, no, thanks for listening. Here, remember that thing I said a couple slides ago?

What do you see the future for, like, you know, there's all these zombie nets out there that are attacking your sites and doing bad things. All of the things you're talking about are internal, reactive things, you know. What's the future for being able to reach out and, you know, report the sites that are doing bad things, so that you can be proactive and try to shut down?

Well, there's a lot of groups doing that now, right. Um, you know, IoT is a big thing now, right, everybody loves that phrase, right. You know, I think we have IoT providers coming online by the minute. There are a lot of organizations that work with other
organizations sharing information, a lot of intelligence sharing, trying to shut down these things. I think that as an organization it's very difficult for you to mitigate that yourselves. That's going to be done at a broader level, I think, at a broader security level. I don't think that at an organization level you're going to be able to. I think that that's going to continue. We have this huge issue with all these devices coming online. I mean, we have refrigerators with access to the internet, I don't know why. That's exactly right, we have to have everything very, very convenient, right? When I'm in the bathroom I need to know if my toaster is about to come up or not, right? And so it's a very big challenge, and we've started to see regulatory bodies get involved now, right, and I anticipate that that'll continue. There's going to be more regulation. There's a lot of lobbying in place to implement stronger controls, security controls, at the service providers themselves, right, at the product developers, right. You know, the default configurations for telnet, configuration active by default, or default passwords that never get changed, that nobody can change, right. Some of those behaviors are going to change, but it's going to change higher up in the supply chain, right. As an organization, I don't know what the future is there. It would be great if we had some kind of consortium of sorts that allowed organizations to feed information in so that people can take better action against, think of, like, a Let's Encrypt-like consortium that allows us to pursue organizations and bring down the hammer. That would be really cool, I think, and in streamlining that communication. But I don't know, I don't know, I don't know if that helps or not. I said a lot of "I don't know," isn't that.

One more on the password issue, and don't tell me to have management crack down, because management in my organization are the worst defenders, and if they ask you to email their password, you know, you got to do it. So, but just
I know everybody in my tech department uses password managers, from really bulletproof ones to the, you know, web browser integrated ones, but I don't know if anyone has any experience using, is there any kind of shared password management, you know, password manager where you can manage and pass those along, so that, you know, sort of novices can handle that stuff? I mean, that would be, well, ideal to me, if you could.

The one that I use the most, and that a lot of organizations have been implementing, has been very successful, has been LastPass, right. You'll talk to some security guys going, oh, but they've been compromised, and I'm like, well, that's actually a good thing, you know what I mean, the fact they've been compromised is awesome. But LastPass, as an administrator, and pass, no, so I don't know, I don't know what their enterprise solutions look like in terms of, you can do some kind of deployment internally and manage that for your users. I just know that it's a very popular and active solution. I don't know what other large organizations are deploying internally for their password management. And yeah, if there were an enterprise solution like that. Say again? Super server? Oh, nice, nice. And then of course, you know, it's not just about the passwords, right, we need to be looking at multifactor authentication, you know, because we know that the behavior problems are there, and we know that no matter what we deploy, they're not going to always generate the randomly generated passwords. So we need to be deploying some kind of multifactor solution, whether something like Okta or some form of identity access management. I went back to that, but yeah, something like that within your stack that allows you to control how people are logging in. Yeah, right, you can share your passwords but they can't actually see the password itself, which is really, really nice. I just don't know of, at the enterprise level, share with multiple users, you have a hundred users and each user gets an account, I don't know, you'd have to
look into that, but I know LastPass is very popular. Oh, nice, shut it down, that's exactly right, that's exactly right, that's right.

Thank you for your talk. The presentation seems a bit focused towards organizations, like internal IT folks who are managing security. I'm, as a services vendor who supports a lot of clients on quarterly retainers, and some of these basically cover security patching for the smaller ones, and not really having a whole lot of opportunities or power to enforce an internal IT security policy, I'm wondering how you might alter your message for that type of.

Well, it's interesting, because the presentation isn't designed just for larger organizations. A lot of the concepts and principles that I talk to here are some of the things that I deploy for myself on my own personal website, right. I think you're approaching it more from an agency: what do I do for an organization where I've been hired to deploy, build and deploy a product for them, but they themselves don't account for security, right? I think that's where you're going. I think that the message is still exactly the same. What changes is that your responsibility in that chain changes. So it's no longer about the technical aspects of it and the management of the site, but now you become the educator, right? And that's why I was saying, as a community we have to come together. These are the principles that we understand, but it's on us to educate the business users that are hiring us to do the products for them, right? So as an agency, when you're having this discussion, a classic example is we'll go through this discovery phase, the design phase, the development, the deployment phase, right? But then nowhere in that process do we ever talk security. When do we talk security? But features, that'd be awesome, right? But in many instances a lot of agencies don't. What I like to encourage is, change the conversation and introduce security early in the conversation. We're going to build this awesome thing, we're going
to make a shitload of money, we're going to freaking be number one on Google, and we're going to talk about security too. Awesome, bring that conversation up early, so that at the end, when you're done with that performance period, whether it's a month, six months, a year, security isn't a thing that just comes up out of nowhere, but it's something that you've been continuously having this conversation on. But what, what should I be worried about, security? I'm so glad you asked. We need to be thinking of a more security-by-default approach, and we're going to start with access control. We know, we know you're going to have two main problems: you're going to have vulnerability exploitation issues, you're going to have brute force attacks against your access control mechanisms. So let's talk about that. And so you take the same concepts that you just heard and you use it for yourself in your presentation when you're talking about it, and, shit, add a little line item in there, you don't line out on five percent, talk about security, right? But that's where that conversation needs to start. So this doesn't change, it's how you participate in that communication that changes. How do you take this information and make it part of your pitch and your communication with your customer through each of those phases: discovery, design, development, deployment? That'd be my recommendation. Thanks. Yeah, zero, it has to be a mindset, I'm...

Great talk, so thank you. Just out of curiosity, I think there's kind of, like, a widely held belief that, you know, if you follow best practices and you put your security controls in place, you know, following industry standards for securing an application or a website, that if you do that, hackers will bypass your site or your application and go for easier pickings. Has it been your experience that that's true?
Oh yeah. If you look at, in my last talk I talked to the anatomy of attacks, I talked to the psychology of attackers, things like that. I didn't get into this just because I tried to break it up a little bit. But if you look at how attacks are happening today, right, unless you're a really large organization, you're not dealing with targeted attacks. You're dealing with, 99% of them are automated. It's low-hanging fruit. The basic things that you do around here, on the controls that I just discussed, people don't realize how beneficial that is for your risk posture when they're scanning their sites. I mean, we're not talking very sophisticated cyber criminals in this day and age, with the way that things are, the number of technologies that have gone online. We're dealing with a lot more script kiddies that are just really good script kiddies that understand how to use these tools. Oh, I can do some Google dork scripts and identify all the sites that are using Drupal 6, or all the sites that are using Joomla 1.5, and that goes into another list. Okay, then I'll scan them for whatever extensions and modules they may have, okay, and then it goes into another list, another list, another list, and by the time it gets to the final list, they have this final list, they press a button and it just does all the automation, right? It's not sophisticated, it's not complex, but it's effective. It's effective because as humans we have bad behaviors. So yes, I believe in that. I believe that, knowing that 99.9 percent of the websites and the attacks that are occurring are automated and they're being done by script kiddies and, you know, there isn't any targeted mechanism to it, by doing some of these things you reduce your exposure, which provides a more secure environment for you.

I work for a non-profit media and research company that, due to the nature of its content, is the target of state-sponsored hackers, sure, countries like Russia and China, and a lot of them, they have wiped out our internet and
our websites in the past, and we currently get attacks from them all the time. What's, like, the best approach to handle attacking with that kind of resources behind them?

What, depends, right? What are the kind of attacks you're dealing with, right? Are the external attacks specifically to your website, or the attacks against your employees, where they're doing phishing attacks, trying to get access, things like that, right? Because you handle each of them very differently. So if they're the website-type stuff, there's a lot of those attacks that can be mitigated at the edge, at the cloud, right, whether they're doing denial of service attacks, whether they're doing exploitation attempts, whether they're doing brute force attacks. A lot of that stuff can happen at the cloud, right, at the edge, and then that complements your team. If you have an organization like that, I normally recommend you partner with an organization that can work with you on your security controls, unless you have your own security team internally. The problem is that many organizations that suffer this don't have their security team, they don't even have an IT team, let alone a security team, right? So it's about partnering with someone that can help guide you through that process, and you put a plan together, like, okay, what are the big things that they're doing to us? Okay, well, let's address those. How are we gonna address those? It's difficult to knock all of them off right now without understanding more details, but I would look at cloud-based solutions, and I would look at partnering with someone that can help you put a plan in place for that, without knowing any specifics, right. Things like phishing, though, things like phishing, if that's what they're doing, trying to get users' credentials, trying to trick people to share their information so that they can get access to your environment, that's an awareness issue, right? That's a fundamentally different security problem that would require more
engagement internally. I don't know what other attacks you're dealing with, though, but that usually covers the wide range of them. Is there something in there I didn't address?

Well, I mean, we do engage with a security technology company, and we do have our own security officer and such. Okay. And I'm the DevOps engineer for the organization, so I'm just looking for a way to audit what those guys are doing, and they're, oh, it's odd areas of responsibility, because when something does happen, you know, I'm the one that gets the phone call, like, our stuff is...

I'm not familiar with any auditing services or solutions that would go and essentially verify what your teams are doing right now, and if they're being effective, and if they're matching what your expectations are.

Because the other dark spot is when something does happen, you know, everybody keeps that to themselves. The security officer says, you won't tell me how they got into our stuff, and then the, you know, the security people, they're also sensitive about revealing, you know, they look bad because...

Yeah, everybody's worried about CYA, right, like, oh my god, if somebody sees that I did something wrong. But that's a culture issue, right? If people are afraid of sharing information because they're afraid of a reprimand, of something coming down on them, that's a fundamentally different problem, right? You need to change that culture to be more inclusive and more open, so people can share that information and they're not worried about a negative response from leadership. Again, that's a much larger conversation. I would encourage you to change that culture, because you need that information to flow internally, especially if it's an internal, it's not like you're going to get fired for this, but it's, how are we going to learn from this? This is why we need to have this information. If I don't understand how it happened and where our controls failed, how will we ensure that it doesn't happen again? And if
you approach them like that, most reasonable people will be like, all right, no problem, and then they tell you, then you fire them. No, I'm just kidding, don't do that.

Oh, WhiteHat? Yeah, well, WhiteHat, I know Jeremiah, I know his company before he left, but they're a great company, and I've always known them to be more from a vulnerability standpoint. They do research to identify any vulnerabilities in your applications, things like that. I don't know if they do the kind of audits that he's describing, because what he's describing is more, I want an audit of what my teams are doing, to see if they're doing what they said they're doing and are we mitigating our risks. I don't think they do that, but you can contact them. Yeah, that's what you're looking for, right, and sometimes having an unbiased party helps, like, they just come in, they assess it, this is what, this is their areas. Yeah, that's the, yeah, transparency is critical, right? If you don't have transparency, I don't even know how to begin to solve that problem. That's what I'm saying, you have to solve that cultural problem, because you need people to share what happened. If you don't know, then you can't go back into the process. If you don't know what's happening, and maybe that's a conversation you need to have, maybe you need to sit down with the people that are responsible and be like, listen, guys, let's put all our personal biases aside and let me explain to you why this is such an important thing for our organization, right? We need to understand, if we don't understand, how can we ensure that we're mitigating this in the future? And put that question to them.

Any other questions? Yes, ma'am.

I know, I know ransomware is a really big problem. It's actually a problem with websites as much as it is at the endpoints, but at the websites it's a little easier to mitigate than at the endpoints. The easiest solution right there is backups. There really is nothing, there's nothing, at least in my opinion, no fancy solution that's going to help you
mitigate that, right, unless you have cyber computers in about 240 years. Backups: implementing some mechanism that allows you to do backups in some frequency, whether that's daily, weekly, depending on the sensitivity. That's why it does, it does, yeah. I know, I, um, I don't have a good solution for that. Yes.

And then sitting, sitting here saying this is, oh, I know what version of Drupal, the full security note says that that version has these things, so I'm going to pretend like I scanned your site and have a little hacker and found these things for you, and by the way, give me, give me...

Yeah, I wouldn't, I wouldn't necessarily call them white hat hackers, right, they'd be more on the gray side, but, um, yeah, there's a lot of that too. Yes, sir.

Business come back, though. Well, one point in clarity is I didn't say checklists are a bad thing. I said they're good in terms of providing us a foundation. A checklist mentality is a bad thing, right? If we approach it as, I do X, Y, and Z and that's it, then that's bad. If we approach it from security, but then use a security checklist to help guide us through this process, very similar to what PCI does, like, hey, these are the things you should be thinking about, that is a good thing, but if you keep that mindset in place, right. But there are actually a number of frameworks out there. I don't know what kind of organization you are, I don't know what everyone else uses, right. I would encourage you to look at that NIST security framework for critical infrastructure. It's a very basic one, and I think it's a very good place to start, and it can provide you a checklist. The difference is that it's going to be your checklist. You will create the checklist based on your organization's requirements. And what might be helpful is, my usual approach for frameworks is, what are the other organizations doing, like, what does PCI do, what does HIPAA do, what does FISMA do, right, and then I create my own, what applies to me. Because if you take what everyone does and try to pigeonhole yourself
into it, you'll find yourself like, oh, I'm not thinking about this. Like, well, yeah, but what should you be thinking about, does it really matter, right? So maybe look at PCI. PCI actually does a really good job. Take away the card data piece of it and think, okay, well, if I'm not thinking card data and I'm thinking my infrastructure, how does that apply? And you'll start seeing there's a lot of similarities. Okay, let me use this piece for that, let me use this piece for that. Maybe marry the NIST and the PCI components together, just to give you a high-level understanding of what you should be thinking about. That would be a recommendation. Give me one second, I'm here for you. Yes, ma'am.

Which CAPTCHA are you using? Are you using the Google CAPTCHA, are you using one of the modules? Do you leave the registration open to everyone? Because anybody can register, your, that's always a tough one, that's always a tough one. You know, you know what, the CAPTCHAs I like are the logic ones: what is seven plus one, right? Yeah, right, stuff like that, things that have some form of logic that requires a user to think. It's a lot harder for the bots to automate that, especially if it's always randomized, versus even the picture selections, they're getting smarter and smarter. I would look at that, but if you have to have it open to the world and that's part of your position, that's going to be a tough one. Oh, okay, that's cool, that's cool. So they put all these hidden fields, and then, yeah, so the bots will pick them up immediately, because they're just looking at that, and they're like, wait a minute, that's obviously wrong. That's cool, you know. Yes, ma'am.