Thank you for taking the time to join me here. We're going to be talking a little bit about security. I know everybody's favorite subject. So I don't want you to be concerned. I'm starting low. But as we progress through the conversation, I have a tendency to get excitable. Not because you're engaging with me, just because I get excited. And my hands start flailing. My tone starts going up. It might feel exhausting to you, and it will be just as exhausting for me. So I apologize up front. My name is Tony. I work for... Oh, hell no. Yes. So my name is Tony, and I represent a company called Sucuri. Has anybody in here heard of Sucuri? Okay, a few folks. Cool. So for those that don't know, we are a website security company. Who you're seeing up there is my partner, Daniel. We started this company back in 2010. I detected a few website incidents, including infections, and then working to clean them up. We've evolved since then. We've been around for a few years. We're relatively well known in the website open source community, not just Drupal, but WordPress, Joomla. And this is actually our first talk at an actual Drupal event. What I'm going to be sharing with you guys is kind of our insights of our network, what we do, the websites we infect, what we see in terms of website infections and website attacks, and things that I think might be of some value to you. So with that, this talk is going to be for a number of folks. Maybe you've been infected before. Maybe you're suffering an infection now. Maybe you're a system integrator. Maybe you're a business owner that's responsible for deploying a site within your infrastructure. You can be a consumer. You can be a large enterprise. It really doesn't matter. We look at websites, you know, independent of who you belong to and what industry, because they're exactly the same. We work with small blogs. We work with large Fortune 500 organizations. It doesn't really make a difference to us. For us, it works the same.
And when you look at the data, you see that there's about a billion websites out there, at least based on what W3Techs says. And a lot of people don't necessarily go with those stats, but they're just the most reliable, at least for us, just to kind of get a better understanding of what's happening. Of that, 33% of that is made up by open source CMSs, specifically based on these platforms. And these platforms make up about 73% of that 33%. So this is what kind of Drupal fits, at least in this world. 2.2 of those websites are coming from Drupal specifically, and 4.9 of that market share in CMSs from Drupal. What this doesn't show, however, is Drupal's adoption in types of industries, right? So you see WordPress expansion, user adoption, but you see Drupal's expansion in terms of type of organization and complexity of sites and enterprises, right? It's very, very standard, very common. We're all aware of Drupal 8, landed in November, right? Came out with a number of great improvements from a security standpoint. HTML, the way it's managing HTML on the front with Twig, it's handling XSS upfront by default, a lot of security by default, which is what came out of Drupal 8. Everybody's really excited about that. Came out in 2015. This is where things get a little bit interesting, however. When you look at the data and you look at where things fit over the past, since its release, you get a real sense for how folks are migrating from the old versions of Drupal to the new version of Drupal. So we implemented all these awesome things, yet folks are not deploying it, they're not migrating. In fact, we're only at about 6% user adoption for Drupal 8. What that means is a lot of people are still on the older versions of Drupal. And from our analysis, we've identified that close to 81% of the infections that come through from Drupal-specific instances are at about 81%.
I think perhaps one of the most interesting things for the Drupal community, and just open source in general, was the Panama Papers compromise recently. Anybody familiar with that? Are you familiar with the discussion that people were having? There was speculation around WordPress and Drupal and the potential contribution to that compromise. It's very speculative, but what it does provide is really good insight into what the reality is out there. So you had Mossack Fonseca out there with a number of instances, one instance of Drupal for their client portal and one instance of WordPress. WordPress is about three months behind, but their Drupal instance was years behind. And in that, they found 25 unique vulnerabilities, to include the SQL injection vulnerability that led to an RCE back from 2014. And I think why I bring this up is, in the conversations I've been having over the past couple days since I've been here, I know that the Drupal community is very much about technical aptitude. It was built for the developers, right? It was built for the design, not so much the designs, but more for the just technically inclined individuals. And we're very, very proud of that. And so when we talk about things like compatibility, we're like, nah, that's not really us, right? We're worried about going to the enterprise and pushing and stuff. The problem is we have to think about the audience and the users and the people deploying this. The consumers, if they have no backwards compatibility, they will never upgrade. That is a fact. The enterprises, they may want to upgrade. Their compliance tells them that they have to upgrade. But their change control processes don't allow them to. So what good does it do us as a community if we make backwards compatibility and upgrading that much harder? Just something to think about. Like I said, from the data that we have, we have about 400,000 websites that we manage and handle incidents for in our environment.
We do about 500 infections a day. Of those, Drupal is a big piece of that. And the ones that we analyze, 81% of them are running vulnerable pieces of code coming from the Drupal ecosystem, whether it's from core or whether it's from the modules. Patching, vulnerability management, is very, very tiring. It's very toxic. It doesn't matter the type of organization you are, whether you're a small business or whether you're an enterprise. Everybody's trying to figure out how to do this. They have vulnerabilities disclosed on a continuous basis, and people are unable to prioritize what's that vulnerability, let alone prioritize what their patching sequence is. And we have to remember that Drupal is but part of a much larger ecosystem, regardless of your type of organization. The larger you are, the more complex the process is. Most people can't even keep up with their own infrastructure and the challenges that they have from a security standpoint. Things like, you know, I'm drawing a blank, I apologize, but a number of the vulnerabilities that have come out were like SSL and OpenSSL and Linux-based issues and server and network-based issues. Now you throw Drupal into the mix, and the one thing that I get on a continuous basis from the various NOCs and SOCs that I'm working with is, how am I supposed to keep up with what's going on in that space? You come to this community and you say, hey, but we have security advisories. We notify people on Twitter, we send out emails, we're listing it, we tell you exactly what to do and how to patch it. But the people responsible for it, the NOCs and the SOCs, are like, that's not my domain. I don't work in that space. How am I supposed to keep up with it, and how am I supposed to apply that in my environment? There was an interesting study done recently that was just released last month on the enterprises specifically and the impacts that open source is having on that.
They found that 33% have no process for identifying or tracking or remediating open source vulnerabilities. Now this is all open source. Now think to yourself, where does Drupal fit into this space? Open source is a big thing that all enterprises are dealing with. So just imagine this number, I would imagine it goes up even higher when we're talking about enterprises. 47% of them don't even know what open source technologies they're using. Because it's not always that people are making the decisions at the strategic level for deployment of something like Drupal or any other CMS application. It's someone at the functional unit. I need to build a complex user portal, and I'm going to use this, and I'm not going to go through IT, or I may go through somebody that I know that might get me up and running quickly, or I might go to a third-party hosting service that will allow me to get it up quicker. But then once the compromise happens to the brand, it's like, what do we do now? How do we roll that back internally? 50% of them have no one responsible for open source. On the consumer side, these numbers are dramatically higher. And regardless of where you fit, more so on the consumer side, I have a feeling that we're suffering a lot from security fatigue. Every day we're hearing more and more, and it's not just about the platforms, we're hearing more and more in general about the everyday technologies we use. The devices we have. So how do we make that easier? How do we make it easier for the users of our platform to better understand the challenges that we're suffering or we're facing, and how do we convey that? Through awareness, education and things like this. So I provide that just to provide some context on what we're working with, and now what I want to do is kind of dive a little bit deeper into various facets of security. At least the way I look at the world when it comes to security, and website security specifically.
First and foremost, it's a complex environment, and I think if you're a developer you understand this. But business owners don't necessarily. The application you're deploying is but one piece of a much larger environment. And that environment extends not just from the infrastructure and the environment in which that application sits, but also you being here on this public Wi-Fi. We have public Wi-Fi, we share the same username and password, well, guess what? I can intercept most traffic that's intercepted, and I'm not saying it's bad. I'm saying it's fine. But as an integrator we start thinking about things like HTTPS and encryption point to point. To ensure that any critical information being passed logging into our environment is safe. But we have to be thinking of our online experiences as well. We're here. What do we do? We check our mobile devices. We have joy devices, we have iOS devices, we have our laptops, we're on social media, we're sharing links continuously. Right. For click-jacking, intercepting communications, attacking things on your browsers. Right. Cross-site request forgery attempts through cross-site request, cross-site scripting attempts. It just makes it that much easier, because there's so much information, everybody's just clicking things. So we have to be cognizant of that as users. Even as developers. I work with developers all the time. They're like, oh yeah, I built the greatest stuff. I have my own online experiences. Right. I was like, oh awesome, they opened the computer, no password. That's amazing. You know. So we're part of a much larger ecosystem. That's one thing I want to highlight. And this is what I'm talking about, right. So on the environmental side, we have things like our devices. You know, we have the networks and the end users themselves. It's not just about you personally, but it's about the people that are going to be using it.
The authors, the administrators, the people that are going to be taking control of that application once it goes live at some point. The application itself. Remember that in most instances, even like the Panama Papers, what did you have? You had a Drupal instance for the client portal and a WordPress instance for the website. So we're not just talking about security specifically to the application that we're responsible for in deploying. We're talking about security about the entire ecosystem in which it sits. You have things like the server itself. A lot of folks don't necessarily manage that. If you're an enterprise, you might have your own infrastructure. You might have your own NOC. If you're a consumer, maybe you're using someone like Pantheon or SiteGround to manage it for you. And so they're responsible for that. But how often are we having the conversation that extends beyond the application? How often are we saying, hey, what do you do for me from a security standpoint? A lot of people will be surprised to find out that not much. A lot of hosts are responsible for their network, ensuring that their perimeter is safe for other applications in their environment. But if you have one account with multiple sites and multiple deployments, that's your responsibility as an end user. You could have multiple cross-site contamination issues occur within the same environment, within the same bucket. Then the infrastructure itself. A lot of people won't necessarily get into that, but it's always good to have a good conversation on that. What this does, though, is it creates a security chain in which everything's united. In security, these security chains are very common, right? Any weak link in this chain creates a problem for you as a website owner.
So if you have poor usage on the environmental side, you do silly things in your laptop, maybe you spend the night doing God knows what, having a good time, and then you have a bunch of malware and stuff in your local environment, and then, boom, stealing your credentials, and then they can gain access. This is important. Now that we understand that, I'm going to go into attacks. I always break attacks into two very distinct forms. Targeted and opportunistic. About 99% of the attacks we see are opportunistic attacks, right? Oh, hey. They're using a version of this module that's susceptible to some remote code execution. Cool. It's not a matter of I targeted that individual. They just happen to be on the web. Why wouldn't I target it? Or maybe you're in an environment that's like a soup kitchen, and you have every platform under the sun, and there's a vulnerability in one of those other platforms. And so that environment gets compromised via that, and you just happen to be there. The larger of an organization you are, that changes. If there's enough motivation, enough incentive for me as an attacker, I'll target you all day. I'll see what you've got. There's a bigger return for me to compromise your environment. But with the attacks of opportunity, I get mass exposure. I set up automation and I attack. With that, we get into our flow and how that works. The first thing to understand about flow is automation. All the attacks we see have some automated component to it. Even if it's a targeted attack, there's some automation to it. Opportunistic? Absolutely. That's the only way they do it via scale. And automation allows them to set it and forget it. If I know that I'm looking for a specific string, I can configure a script to just crawl the web and identify any potential sites that have that. It reports back on the issue. I then initiate my exploit attempt and say, okay, perfect, I've identified what the problem is. Which actually talks into how it happens.
So you have a phase of reconnaissance. Regardless of what you're working with, you have a phase of reconnaissance. And reconnaissance is trying to identify, what am I working with? If it's targeted, I'm looking at an organization and I'm saying, okay, where are their servers? What firewalls do they have? What applications are they using? Maybe it's too complicated. Maybe instead I'm going to target it with some kind of phishing lure, or maybe they're going to an event like this, and so I'll target this environment. Then we get into the identification phase. When it comes to opportunistic attacks, reconnaissance and identification kind of occur at the same time. I'm attacking what I already know. I know that I'm looking for a specific module, or maybe I'm looking for that SQL injection vulnerability in Drupal from a few years ago. And I'm saying, hey, anybody that's running this version, I'm going to go ahead and attack. I don't really care who it is. On the targeted side, the identification occurs individually. This is what the environment looks like. This is what they have. I like this vulnerability. I'm going to attack this vulnerability. Then the actual exploitation happens. When I've identified what I want, I'm going to exploit that. Then the one thing a lot of folks don't think about is the sustainment. Once I've penetrated the environment, it's about how do I ensure I can get back in this environment once they clean me up? Things like backdoors. This is one of the leading causes or issues for reinfections. Whatever the case may be happening. Then they get reinfected again and they don't understand what happened. I don't even get it. The actual compromise. A lot of people think about credit card information, personal identifiable information. Those are the easier things to think about. Data exfiltration, stealing information, like Panama Papers, but it's not just about that. Think about NBC back in 2012. NBC for about two hours was hacked.
Drive-by downloads and spam. In those two hours, they affected millions of users. Millions of users. Now think about the brands that you represent. Potentially. And the impacts that that has. Maybe you work for a federal organization. What does that do to that federal organization as a brand? Think about when the CIA was hacked recently, maybe about two years ago, and they were defaced. Granted, the CIA, I have high hopes that their website was not on their network. It was likely on some shared account, whatever, no problem. But from a branding perspective, they were affected. They're like, oh, even the CIA can't control their environment. They got hacked. It's so stupid. But still, most of the community will say, no, that must be an issue. They must not handle security. Granted, they're a government agency. They're not a for-profit organization, so they're like, whatever, you guys are idiots. But think about the organizations you represent that do depend on profitability or selling products or goods. And then cleanup. I don't see this as much on the automated side or the opportunistic side, but I see this more on the targeted side, which is I want to make sure I don't get detected. I'm going to do as much cleanup as I possibly can to ensure that I don't get detected. So maybe I'll go through the logs. I'll clean up after myself. I'll remove any traces that show that I might have been in that environment. I'll even go in and I'll modify the file dates to ensure that you don't see when that occurred. So the file dates look exactly like when the installation occurred. Here are a couple ways that I like people to think about it. So on the reconnaissance side, you're looking at scanning the specific environment, scanning the web for a specific issue, right? You see here on the identification stage, it kind of occurs at the same time as opportunistic, which is 99% of the time that's what's going on. And then you're identifying potential attack vectors.
Exploitation, exploiting specific weaknesses, and then it kind of just flows along the list. You don't see as much on the opportunistic side. It's more in the targeted, but it does happen. You can't automate that process of cleaning up access logs and error logs to ensure that they don't see that. So a couple ways to think about it, and controls to be thinking about. So on the reconnaissance side, how are you reducing that attack surface? How are you ensuring that they don't know what versions of stuff you're using? Or how are you ensuring that you don't have unnecessary ports and services running on that server? A lot of folks forget about this. They don't think about this. They put it on a web server that's running everything else under the sun, and they leave all the ports available. Oh, yeah, I can't attack that server. Oh, look, port 25 is open. Let me attack that. There's a vulnerability on that. How do you even know that vulnerabilities exist? Large organizations are familiar with concepts like vulnerability management programs and processes. They're familiar with that. They have teams dedicated to that. But now think of your customers. Do they? Do they have the resources for that? Do they have the tools available to do that kind of stuff? To identify not only known issues, but unknown issues. How do they identify unknown unknowns? How do they go through that process? What are you employing to avoid the exploitation? We all know that security is not 100%. That's a given. Anybody that tells you that it is, is wrong, right? It's all about enough time and enough motivation. So what are we doing? What technologies are we employing to address that? How do you know you have no backdoors? It's not as simple as just looking for basic evals or obfuscation. Most of the backdoors we find aren't obfuscated. Most of them are written really well, and in fact you can borrow some of their code. It's written so well. You're like, my goodness.
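The two reconnaissance-side controls just described (not advertising what versions you run, not leaving unneeded services listening) can be checked mechanically. This is an added example, not code from the talk or from Sucuri: it audits a constructed HTTP response head and constructed `ss -tlnp`-style output against an assumed allow-list of ports, and the sample values are made up.

```python
"""Audit a web server's reconnaissance surface from captured data.

Two checks from the talk: response headers that disclose software versions,
and listening services reachable from the network that a plain web server
has no reason to expose (e.g. port 25).
"""
import re

# Response headers that commonly leak software and version information.
# X-Generator is emitted by Drupal 7 by default; the others come from the stack.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-generator")

# Assumed policy: only these ports may listen on a non-loopback address.
ALLOWED_PORTS = {22, 80, 443}
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")

VERSION_RE = re.compile(r"\b\d+(?:\.\d+)*\b")        # "2.4.7", "7", "5.5.9"
PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')     # process name in ss output

# Constructed sample: a typical unhardened Drupal 7 response head.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4
X-Generator: Drupal 7 (http://drupal.org)
Content-Type: text/html; charset=utf-8
"""

# Constructed sample: the same host after trimming the headers.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
"""

# Constructed sample of `ss -tlnp` output: sshd and apache are expected,
# mysqld is bound to loopback only, but postfix (port 25) faces the network.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:80                *:*               users:(("apache2",pid=1403,fd=4))
LISTEN 0      100    0.0.0.0:25          0.0.0.0:*         users:(("master",pid=954,fd=13))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1102,fd=21))
"""


def parse_headers(raw_response):
    """Turn the head of a raw HTTP response into a lower-cased name -> value dict."""
    headers = {}
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw_response):
    """Return [(header, value)] for disclosing headers that carry a version number."""
    headers = parse_headers(raw_response)
    return [(name, headers[name]) for name in DISCLOSING_HEADERS
            if name in headers and VERSION_RE.search(headers[name])]


def parse_listeners(ss_output):
    """Parse `ss -tlnp`-style lines into [(address, port, process)]."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        address, port = fields[3].rsplit(":", 1)
        match = PROCESS_RE.search(line)
        listeners.append((address, int(port), match.group(1) if match else "?"))
    return listeners


def exposed_services(ss_output):
    """Listeners reachable from the network whose port is not on the allow-list."""
    return [(port, proc) for address, port, proc in parse_listeners(ss_output)
            if port not in ALLOWED_PORTS
            and not address.startswith(LOOPBACK_PREFIXES)]


if __name__ == "__main__":
    for name, value in version_disclosures(SAMPLE_RESPONSE):
        print(f"version disclosed in {name}: {value}")
    for port, proc in exposed_services(SAMPLE_SS):
        print(f"unexpected network-facing service: port {port} ({proc})")
    print("hardened response findings:", version_disclosures(HARDENED_RESPONSE))
```

Run against real data, the header check takes a `curl -sI` capture and the port check takes the output of `ss -tlnp` on the server itself; anything reported is a review item, not automatically a vulnerability.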
On the compromise side, I cannot tell you the number of organizations that I talk to that say, hey, so how many websites do you have? That's what they say. I have no idea. I have no idea what's in my network. The only time they find out that they have an issue is when something like NBC happens, they get compromised, everybody's sharing something, and then of course everybody's pissed off at security. You guys failed. You didn't even tell me you deployed it. There's no asset management, no asset inventory. There is, but websites just aren't part of that. And then the cleanup side. Most organizations, at least large organizations, have some kind of incident response protocols or systems in place. But do your customers have that? Do they even understand what that means or what the process looks like? What I'm hoping is what you take from this is, I'm trying to give you information that can help you, if you're a developer, to go back and communicate to your customers and have better dialogue with them on the things that they should be considering from a security standpoint. If you're a business owner, these are questions you should be asking your developers. Hey, how am I addressing these things? And by breaking out the different phases, I have found that to be the most effective. I have found that most people can understand and say, wow, let me focus on that. Because if there's one thing I always tell my team, we can't eat a sandwich without chewing. And we can't address the entire sandwich at the same time. So we break it up into pieces. Start off on the reconnaissance side. Hey, okay, do I feel comfortable there? Have I implemented whatever controls I need to there? If I have, cool, let me move into the next phase. When I was in the Marine Corps, whenever we'd go on humps we'd always look down. We'd always look down to the person in front of us and we would just march. It didn't matter how far we were going, we would just march that way. Why?
Because if I had to think about looking at the top of that freaking hill and say I got to go up to that freaking thing, there'd be no way. I'd beat myself mentally. Too many times in security we get consumed by all the different things; even this conversation might feel very overwhelming. But the goal is to break it into small manageable pieces from which you can execute. When you look back six months, 12 months, what you'll realize is that your overall security posture is much, much better, but you did it in small pieces. The other thing I want to talk about is availability. One of the things we're seeing on a continuous basis is an increase in attacks against availability. So in this instance my intent isn't necessarily to penetrate your environment, to penetrate your perimeter. I don't care about distributing malware. What I care the most about is ensuring that your site isn't available. That it's down. And we're seeing a lot of blackmailing attempts against organizations of all sizes saying, hey, I'm going to do what's called a distributed denial of service on your environment. And I'm going to attack you to the point where your resources are exhausted. Once they're exhausted I will continue to do that for hours until you pay me a fine. You know who just suffered a very severe case of this? Linode. Linode went through this for about five, four or five days, something like that. Now think, put yourself in the shoes, in their shoes as a business owner. Linode is a pretty big organization, right? How would that affect you? Maybe if you're smaller the effect isn't that great, but if you're larger it might be different. If you're doing commerce it might be greater. Imagine four days of no revenue. Maybe if you're a federal government you're like, thank goodness I don't have to go to work today. I don't know. I was a defense contractor for many years, so I can say that. So now I want to talk about, so we kind of went over that phase, I want to kind of talk about attack vectors now, right?
How we should think about that. At least the ones that I feel to be the most important are the things that I'm seeing on a continuous basis. So of course we have access control, right? Who here wouldn't think of access control? Username, passwords, silly stuff like that. We hear that conversation all the time. We have things like software vulnerabilities, again something that we would all think about. What we don't necessarily always talk about, though, is things like cross-site contamination or third-party integrations, and then hosting, but hosting in a different way. So on the access control side, one of the biggest things that I'd like to emphasize here is that it's not just about the application. Again, seems to be the... did I open that door? Interesting. So it's not just about the application. As integrators we say maybe our Drupal instance is the most important thing in the world. Unfortunately, in case nobody told you, it's not. But the username and passwords, yes, very important, but then also think about all access control. How do you get into that server? How do you get into your DNS? Shit. Do you use a universal tag manager for Google or some other third-party servers? How do you get into that? Every one of those are potential entry points into your environment. Vulnerabilities, very, very standard stuff, right? We're talking about things like cross-site scripting, perhaps one of the leading vulnerabilities in Drupal core itself, right? That's what we talk about a lot, XSS, XSS. But remember, there's different types, right? When we're talking reflected, you're kind of hacking yourself. You see that in phishing lures, things like that. The ones to keep an eye out for are things like stored XSS, the ones where I can penetrate your environment, ensure that anybody that visits that page will continuously get hit by that.
I don't have to do any malformations of the URL. I don't have to embed that. I don't have to hide it. I don't have to send it out. Stored XSS are the ones you're most interested in. Those are actually the most severe ones in terms of the XSS world, right? But you have things like SQL injection, the ability to inject something into the database and manipulate or pull the information, or use that to leapfrog into the environment itself, to some kind of remote code execution or whatever the case may be. You have things like CSRF, or cross-site request forgery, facilitated through things like cross-site scripting, right? How are we addressing that? How do we know the things that we don't know? Okay, yeah, maybe there's a security advisory, and we patch it and we deploy it. Maybe we know there's a security advisory, we really, really want to patch it, but our organization doesn't allow us to patch it because it has to go through change control, has to go through user acceptance, that has to go through a process, then it has to get deployed, and that might take 3 months. And in some instances, I used to be a defense contractor, we would build an application for 12 months, it would take us 6 months to go through the approval to deploy it, another 6 months to go live. By the time it goes live, the technology is already 3 years old. Think about that. Cross-site contamination. Maybe you do everything under the sun and Drupal is as secure as it gets, you cannot bounce a nickel off that, right? But what about the rest of the environment? What about that dev box, that dev site you left on that nobody maintains, but it's still live because everybody just forgot about it? Or that WordPress instance in that environment, or that Joomla instance in that environment? Cross-site contamination is one of the leading things of infections, and what happens is people don't think about cross-site contamination. They say, I don't understand how I got infected, or they clean up the infection and they continue to get re-infected continuously, like I was
mentioning before. And what's happening is just that neighbor in the environment, that lateral movement. Lateral movement is not a new concept. Lateral movement happens in perimeters all the time. We penetrate the perimeter, we get into the environment, and then we figure out where we can go from there, what other services happen. Why? Because in security we always have this mindset of, hey, I just need to keep them out, everything inside my perimeter is safe. Now reduce that scope to your web server, to your web application. We're doing the same thing. Oh, if I just keep them out of the website, just what I'm looking at right here, I'm good. I'm not looking laterally. I'm not looking at what's coming over from here. Third-party integration is an interesting thing. Who can tell me a website right now that doesn't leverage some form of third-party integration? Whether that's a library, whether that's an API for some service, whether that's ads. I see ads all the time, and they introduce something called malvertising. And malvertising is the ability to attack the ad network, penetrate your environment without you even knowing it. I'm compromising your website without compromising your website, because I just attack the ad network, and every website that uses this ad network, I will now rotate my malware through their ads. I will embed it in their payload. I will make it highly conditional, and it might show up once a year, it might show up once a month, it might only show up if you're coming in from Africa, it might only show up if you're using Windows XP. Shit, it might only show up when I feel like it. Very, very difficult, and it drives people mad. But you know who doesn't care when it shows up? Things like Google, things like Bing, things like Yandex or other AVs. And guess what happens when they blacklist you? People can no longer access it. Maybe organizations use websites as their firewall. They don't get categorized as potentially malicious, and nobody in that network can now access that site. Happens all the time. On
the hosting side, things are a little bit different. On the hosting side, it's not necessarily about the large hosts these days. It's no longer circa 2010-2011, where we saw mass compromises where hosts were just misconfiguring the environment and the attackers were able to get in and they would just attack everybody. What we see a lot of is the issues on the host come from the hosts that aren't really hosts, the hosts that are an ancillary service to an agency, where they say, by the way, I'm a host. I picked up an AWS instance, I'm deploying it, I'll just deploy your application in this environment. I know absolutely squat about system administration and security, but I tell you what, you pay me those hard dollars and I'm going to take care of your environment. You pay them, and they come back and they're like, shit, what do I do now? Then they get hacked and they're like, shit, what do I do now? And you as a website owner don't understand. You offer me all these services, I provide container stuff, and you're like, yeah, I pulled it off that website. That's the issue we have on the hosting side. Motivations. I like talking about motivations because I think they're very important. Obviously they help us understand the psychology of the attackers, why do they do what they do. And some of them sound very obvious and some of them not so much. I break it into four distinct categories. There's a revenue piece, an audience piece, a resources piece, and then just because I'm bored. On the revenue side, that's pretty apparent, the opportunity to make money. I'm lazy as shit, I don't want to do anything else, and it's just easier for me to sit here and attack your website and make money off it. Pharma hacks alone, it's a multi-million dollar business. Pharma hacks, they abuse the way the affiliate schemes work for pharmaceuticals, and they can make anywhere between 20 to 40 million a year through pharma hacks by injecting little Viagra, Cialis, erectile dysfunction sites on your site. Just the clicks and the impressions that
they get, that's how they're getting paid. That doesn't even talk to drive-by downloads. Drive-by downloads are things like fake AVs. Think of non-technical people. Think of people using Windows XP, and you're like, "The horror, who would use that?" I bet you a lot of your customers do, not because they want to, but because they haven't been able to upgrade. Remember what I talked about earlier about the inability to upgrade environments: there are some environments, some critical infrastructure systems, that still use Windows XP because they have to. Think of the Marine Corps. For the love of Pete, we're always at the bottom. We got Windows XP; we just moved there from Windows NT last year, and we're like, "Alright." And I tell you what Marines do: they spend half their time online, and it's not for good stuff.

Audience. We don't pay enough attention to this. Maybe not so much on the enterprise side or large organizations, where they just kind of have a website because they need to have a website. That's not necessarily how they sell; it's just an expectation. But think about the mid-market, think about the consumers, the people, the bloggers, or maybe a large commerce site that depends on their audience. Think of an NBC, a media site. That audience is valuable. The web is a distribution mechanism. It's no longer me having to go around with a USB stick and drop it. Did you know, fun fact: if you were to drop a USB stick in a parking lot and put a logo on it, about 80% of the people would take it and plug it into the machine, thinking, "I wonder what jackass dropped that, let's see what they got going on there." Did you know that? And what do most machines do?
Autoplay, right? Use that, hijack the machine, I'm in the network. I didn't have to do shit, no reconnaissance required, I just go. Different story, oh man, I digress. But on the audience side, think of your large customers that require that. Maybe you're a blogger; we have huge bloggers out there that generate a lot of traffic. A lot of them use WordPress, some of them use Drupal. Maybe your customer is in commerce and they depend on audience. As an attacker, if I can manipulate that and affect your millions of users and distribute my payloads, my malware, whether it's SEO spam or not, it's valuable for me.

Resources. A lot of people don't think of resources. Some people think of malware, some people think of drive-by downloads, some people think about penetrating into the network, but what about becoming part of the larger security network, part of a larger botnet? What we see a lot is once a website is attacked and we see the payload get dropped, not only do we see things like backdoors, but we see things like server-level scripts for integrating them into larger C&C networks, command and control networks. So part of a 10,000-strong botnet environment used to attack other sites. So remember that story I was telling you about DDoS and attacking availability? Who do you think attacks those sites? Part of that botnet. So they can start off with 100 sites and it just sits idle. Once somebody pays, they can ramp up to 10,000 servers infected. In fact, the servers that we see attacking our customers and our network are often coming from environments that have compromised desktops and servers that they themselves may not even know that they have, and a lot of them come from educational institutions and government institutions. But that's another conversation.

Who has kids here? Anybody with kids between 10 and 16? Yeah, they're probably in this group, because most of you are here at conferences, most of us are working, most of us are doing things. I have a 10 year old, and I have all these settings on
the router, and I can see him. I walk by and that little bugger is sitting there looking at the network. I'm like, "What are you doing there?" Trying to get by, because I have control where he can't go to certain sites. I mean, that's kind of fun, but still, that's what's happening. They're born in an age where they're always interconnected. They're always trying to beat systems. They're playing video games; the video game tells them "you can't do this." "Oh yeah, I can't do this? Watch this." They're online talking to their friends, figuring it out. They're building this breaker mentality. Some of these guys do it just for the fun of it. Then you have the folks doing defacement and stuff like that: "They were using a vulnerable version, I'm gonna show these guys." They're doing it on a coffee break: "Oh look, that's interesting, let me just try it out real quick."

So what do they do? The first thing I like to tell folks is that security, at least when it comes to compromises, is kind of like an iceberg. What you see is but a fraction of the issue, maybe 10, 20%. "Oh, I'm distributing malware." That's amazing, congratulations, you remove it. But you need to extend beyond that and start looking at the rest of the iceberg. What else did they do? How are they sustaining access to the environment? Because most of them will. What manipulations, configuration changes did they make? Did they install anything that they shouldn't have? When we do that, I break it into 7 distinct infection types that I feel to be kind of the most relevant today. There's others, of course, but these are the ones that I want you to focus on. Anybody need a bio break? You guys good?

So we have malware distribution, which we have discussed. We have search engine poisoning, which we briefly discussed, which is the act of manipulating or targeting things like search engine result pages on Google, Bing, Yahoo, right? The ability to kind of abuse that audience. We have phishing lures. Phishing lures is something you probably get a lot of training on: don't
click on the links you get in emails. But the reason that happens is because they're highly, highly effective. That's the easiest way to get into a network. So if you have any emails in that organization, send them a blast via some compromised site, maybe one of yours, maybe not, that says, "Hey, I need you to log in," to give me your credentials, and most people just simply click, put their information in, and they're like, "Oh sweet, cool, thanks." Then they get to the office, they try to log in: "I don't know, I thought I changed this." None the wiser. Spam email: this is happening more and more. Spam email is a little bit complicated. It could be a page, an improper function definition, it could be a mailer script on the server itself. Defacements, DDoS, and ransomware. Ransomware is probably something that we've all been talking about a lot in the security space.

So just a little bit more information on these. On the malware distribution side you have things like drive-by downloads. Again, the focus there is the endpoints, right? "Hey, who's visiting this site? What can I do on that site? Maybe I can download a financial trojan, maybe I can steal some information." The motivation being around revenue and audience. Search engine poisoning being more like pharma hacks; we see a lot of casino hacks as well, we see a lot of SEO spam. Not SEO spam, but we saw a really interesting one where people were advertising essays, school essays. So you can go to these sites and they'll write your essays for school, maybe you have a class assignment. I guess that's a big thing. Phishing lures, like I mentioned a minute ago: the ability to penetrate other environments, steal information, get people to click on it, get their information. Maybe it's for their social accounts, but maybe if I'm targeting an enterprise, I'm trying to penetrate that environment, and that's how I do it. Defacements: a lot of hacktivism, you know, "support the Turkish cause," right, "yay ISIS," stuff like that. DDoS bot scripts, integrating
into a larger network, sustaining access to that environment. Ransomware. So ransomware is a little bit interesting. Who's heard of the ransomware issues that hospitals have been having lately? It's a big issue. Again, why are they having that issue? If they would have just updated their environment, they wouldn't have this issue. Again, an example of the exhaustion and the challenges that we have, not just within the application but within the ecosystem as a whole. They haven't upgraded their environment, not because they don't want to, but because it's challenging. A lot of the critical infrastructure, I think life support systems, are built on those old OSes and nobody's upgraded them, so they can't just go and upgrade it. But the web is a distribution mechanism. Guess what they do at hospitals? The same that you do at home. They check their emails, they go to social accounts, they click on links. That's an easy way to penetrate perimeters, download information, and our websites are part of that process. So they use the websites to distribute ransomware. They take it, they download a trojan into the environment, they then encrypt the environment. Now they have to pay something to get access. But it's not just the environment. The other thing we started to see is ransomware on websites themselves. I penetrate your environment, similar to DDoS, my intent is to reduce availability. When I compromise your environment and I encrypt that with ransomware, you can't access your information. A lot of people will say, "I have backups." Well, guess what, a lot of people don't have backups. Very difficult to comprehend, I know, but it's true, even large organizations. What's the other challenge we have with backups? I get it all the time: "Oh, I have a backup." Cool, can we test it? Go to test it: "Oh shit, it hasn't worked for 8 months." Something to think about. We have things like ransomware, like I said. Data exfiltration, the most relevant, the one that we're probably the most aware of, is data exfiltration. We saw it with the Panama Papers,
with about 2.2 terabytes of information stolen. If we have an e-commerce site, we've been drilled in our heads with PCI, the importance of data exfiltration, stealing credit card information. If we're in health, we're familiar with HIPAA and the responsibility of ensuring the storage of our customers' information. Which of our applications support that? What are we doing? What kind of encryption are we employing? Are we using things like HTTPS? On that note, let's remember that deploying HTTPS doesn't secure your site. It secures the communication between point A and point B, or in other words, data in transit. So in other words, if I push a payload from the browser to your web server over HTTPS, guess what, now I've just pushed an encrypted version of that payload. If your website is infected and it's distributing malware and you're using HTTPS, guess what, now you have securely distributed malware. That's all it's doing. I think that's very, very important, because I have more and more conversations, especially with business owners, that say, "But I deployed HTTPS, I am safe." I was like, "No, no, no, sit down, let's have a conversation."

The impacts of this. Why do I care? I get this a lot: "Well, I've never been hacked, what do I care," etc. I break this out into two distinct groups: you have the business impacts, regardless of the type of organization you have, and then you have the technical impacts. On the business side you have the brand reputation. Maybe as a government I really could care less, whatever, but if you're a commerce site, if you're a for-profit organization, shit, if you're an NGO, it's your brand. You depend on people coming to your brand and feeling safe and secure and ensuring that they can get the information that they require, whatever that information may be. You have the economic impacts. If you get infected, especially if you're not an organization and you don't have the systems in place, you can find yourself spending a lot of money trying to figure that out, not just in terms of paying
somebody to clean it up for you, but also in terms of the knowledge that you have to gain, the time that you have to invest to figure this process out, because we didn't take a little bit of a proactive step. And we cannot undervalue the emotional distress. I cannot tell you the number of organizations that I've talked to where one day we're crying: "I'm gonna get fired," right? And in some instances we've seen a lot of CEOs get fired for it. And in another instance, just not understanding what's happening. Especially, think of the mid-market business owner that hired you to develop something. Maybe they paid whatever to get the site up and running. They get compromised, they spent all this money, they're going to the developers and say, "Hey, why did you let this happen?" And the developers are like, "Are you freaking kidding me? I let absolutely nothing happen." Or you go to the host: "Why aren't you doing something about this?" "It's not my responsibility, look at the terms. It's your responsibility, you're the end user, you're the owner." You go through kind of these phases: anxiety, anger, sadness, distress. All the customers that I've ever worked with (we have about 40,000 customers) have experienced something like this, the ones that I've talked to personally on the phone.

On the technical side we have things like website blacklisting. Blacklisting extends beyond things like Google. The other thing that gets blacklisted is the domain itself. Imagine nobody gets your emails anymore. It happens a lot. You have antiviruses that will blacklist you, network firewalls like the Websenses of the world that will blacklist your environment. Once you get one blacklist, you then have to find and traverse all the different environments: okay, we have search blacklist, we have AV blacklist, we have network blacklist, and you go through that process. "Why is nobody responding to me? Why is nobody clicking on my links?" Because they're not getting it. Then you have the SEO impact. This might not be of value to a lot of folks, but for some folks it
is. If you find information out, maybe somebody is hijacking your SEO rankings, they're abusing that information, maybe they're using that to distribute malware, things like that. Then of course there's the actual visitor compromise itself: your audience, people coming to it and thinking, "Hey, why do I no longer have any money in my account? Oh, because I visited this site; there was atrociousness to all my finances." Very simple concept to understand.

As brief as possible: we have to remember that it's not a static state, it's a continuous process. Security has been around since day one, since the first code, since the 90s. We gotta think about, hey, how do we maintain and stay ahead of these emerging threats? And it's impractical to think that one person or one organization that doesn't focus on it can keep up with it. I like to break it out into these five distinct groups. We gotta think about how we protect the environment, how we detect potential issues, because we know protection is never 100%, how we respond in the event that there is an incident. For the mid-market to slower market, the consumer market, I always like to introduce things like basic maintenance concepts: vulnerability management, patch management, upgrade management, things like that. I also like to talk about best practices, things like defense in depth or things like least privilege, basic concepts that a lot of people in security, and even in the enterprise and large organizations, understand so much. I also like to emphasize that technology is not the easy button. Too often we say, "Hey, what should I deploy? What modules should I deploy in my environment? What should I configure?" And it's this mindset of a checklist: "Oh well, if I have this module, I'm set." It's kinda like when you look at PCI and they say you must have a firewall, so you've got a firewall and you put it in your network and you're like, "I have a firewall, I am now secure." I'm like, "No buddy, you are compliant, not secure." It's a three-part process, right?
You've got people, process, technology. Technology without the people is completely dumb, right? You buy it out of the box, plug it in, it does absolutely nothing for you. Now you have a fancy device that filters all your traffic. The people have to go in and configure it. They have to configure it based on the environment: "Hey, I have this kind of traffic, I have these kinds of applications, I have these kinds of things that are current in my environment, this is what I want." And then you have a process, like, hey, how do I keep up with the threats as they're emerging? What do I do? Does this technology satisfy what I'm looking for, right? It's a mindset. I have to tell folks that security is not a DIY project. Obviously I'm biased, because I have a security company and that's what I do, right? But it's not, and I think a lot of people find out the hard way that it's not. With that being said, let me tell you all the technologies that are available to configure your site from a security standpoint, for Drupal modules, just to give you an idea of how complex it is. This is the stuff that's recommended for a Drupal instance right now, and if you look, every one of them addresses a little bit different stuff. This is just security. How do you address this for marketing, sales, any other functional unit that's trying to use this application? And you're going to go to your customer and say, "Hey, check this out, I just deployed this thing. You're going to need these 20 modules to ensure you're safe." Aggregation: we're looking at things like cloud-based technologies, concepts like web application firewalls, intrusion detection systems, intrusion prevention systems, need to be something that we're thinking about, right? How do we stay ahead of these attacks? How do we look at these attacks? How do we know that we have a problem? What are we going to do if we do get compromised? So with that, oh, one thing I want to say is log aggregation and retention. I cannot stress the importance of this. Too often the organizations we work with
have absolutely nothing enabled. Either the host has no logging or they have no logging, so it's impossible to understand what happened. We cannot do it through osmosis, right? We can see the issue, but we won't be able to know for sure if it gets mitigated or not, and you as an organization would want to know this. You want to know how it happened, not because anybody wants to come down on you, but because we want to make sure that that vector gets closed down, and then we'll move on from there.

So with that, I open it for Q&A. That will release you to lunch. Any questions? You are standing between people and lunch. No, I'm just kidding. Oh cool, I have yours down to go to, actually.

Yeah, this is like arguing a religion, right? I am personally a fan of complexity over frequency. Most people don't understand the concept of password managers, as much as you may breathe it down their throats. I like random generation. I have about 600 accounts that I have passwords for; I know one password, right? I don't like the idea of encouraging people to use phrases or adding characters and stuff like that, because they still know it, and you get into this habit of habitual use of that same password: "I'm just going to create this social account really quick. Oh, I'm just going to log into my account with this really quick." Before you know it, all your accounts are using the same thing. There was a good talk at SANS Network Security about three years ago in which they talked about the frequency of password changes, and in that they talked about a lot of people using this three-month configuration, every three months, every six months, things like that. And they were saying that it's actually very antiquated, and that was based on a time where technology itself wasn't where it is today; the computing power isn't what it is today. And so at that time it would actually take about three months to crack some complex environment. This is before we were talking about randomly generated stuff, before we had
technologies to facilitate that, like password managers. You know, this was 10-15 years ago. The problem is that, like most things, that stays: "Well, it's part of my process." How hard is it to update controls? How hard is it to update compliance requirements? This is, for crying out loud, still telling us to do crazy stuff from the 70s. It's one of those things that just hasn't caught up. I think with time we're going to realize that changing things out on a continuous basis actually makes the process a lot harder. Most website owners, or most users, just don't operate like that. So my preference is specifically complexity, and I'm always looking at 20, 30 plus complexity, because it really doesn't matter, because I'm not going to know it. When people start putting controls in like 15, 16, 20, you're still putting it within the realm of possibility that they'll remember it, you know what I mean? So that's just my preference.

What's up, bud? I'm only taking one question at a time. I'm just kidding. I personally think there was no role in it. Now, that being said, 2.2 terabytes of data was stolen. Some of that was client information that could potentially have come from the client portal. I don't know. All the information that came out was there was an email server compromise, and some of the scans are showing that they had it in a different hosting environment. Once you breach a perimeter, it's pretty complex from there. It's really, really hard. It feels very targeted. It feels like an internal attack. I know that they're saying that it's not, but if I was them I would say the same exact thing: "Of course my people are not at fault, everybody loves us." But when you look at the manifesto that just went out, the level of hate that they have for that, of all the organizations that they could have targeted, they targeted them. I don't know. I think Drupal's impact on that was very low, but what do I know? It's very speculative until I know more. Let's think about that for a second. So massive scans, the automation, the way I
talked about, happens at scale. So I have a server that's going through and scanning things and it's reporting back, and then it triggers the next piece that just automatically exploits. That means that somebody is there monitoring the millions of websites coming through their server and saying, "Here's some random site (of course there are shell companies for this), let me exploit them," or they're saying, "Wow, this site just gave me 2.2 terabytes, let me just go through this and figure out what that's about." That didn't come from mass scanning. That's my personal opinion. The only reason I bring that up is because that's an example of what it looks like in the real world. I'm not saying that it was a vector for that. What I'm saying is that that's the challenge. Those are your users. That's where it sits. 6% adoption from the time of release is really, really low. How do we fix that? How do we close that gap? How do we get people to leverage the latest controls that are implemented in Drupal?

Yeah, we do actually have a few in our network that we saw come through, and I thought we reported on it. I'll talk to my partner Daniel to see if we can get something out and share it, of all their exploit attempts that occurred. Yeah, for sure. We actually just did one this week for ImageTragick, the minute we started seeing that come through our network and what they were doing with that. So I'll go back and look. I think we reported on it and shared something, but I'll confirm, and I'll talk to my partner and see if he's got something in a very large network. So we'll just see what we can pull, some logs, and if anything's still happening. If I get your info, I'll make sure I follow up with you and send it to you. Any other questions? Was I lying about anything? I'm cool with that, I got thick skin, brother. Then with that, I think we'll break for lunch. Thank you guys so much for your time.
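Two points from the talk lend themselves to a concrete, defender-side illustration: the plea for log aggregation and retention (without logs "it's impossible to understand what happened"), and the description of automated mass scanning that reports back and triggers exploitation. The following is an added example, not code from the speaker or his company: it parses combined-format web server access log lines and flags clients whose behaviour matches that scanning pattern, many distinct paths probed in a short window with mostly 404 responses. The log lines, the 60-second window and the thresholds are constructed assumptions for the demonstration; tune them to your own traffic.

```python
"""Flag automated scanning in web server access logs.

Added example (not part of the talk): parses combined-format access log
lines, groups requests by client IP, and reports clients whose behaviour
looks like automated mass scanning: many distinct paths requested in a
short window with a high share of 404 responses. All log lines below are
constructed sample data, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format. Constructed sample: one ordinary
# visitor (203.0.113.7) and one client probing many non-existent paths.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2016:12:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2016:12:00:03 +0000] "GET /node/12 HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2016:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 221 "-" "python-requests/2.9"
198.51.100.9 - - [10/May/2016:12:00:05 +0000] "GET /administrator/ HTTP/1.1" 404 221 "-" "python-requests/2.9"
198.51.100.9 - - [10/May/2016:12:00:06 +0000] "GET /xmlrpc.php HTTP/1.1" 404 221 "-" "python-requests/2.9"
198.51.100.9 - - [10/May/2016:12:00:06 +0000] "GET /user/login HTTP/1.1" 200 4102 "-" "python-requests/2.9"
198.51.100.9 - - [10/May/2016:12:00:07 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 221 "-" "python-requests/2.9"
198.51.100.9 - - [10/May/2016:12:00:07 +0000] "GET /backup.zip HTTP/1.1" 404 221 "-" "python-requests/2.9"
203.0.113.7 - - [10/May/2016:12:00:09 +0000] "GET /missing-page HTTP/1.1" 404 221 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return ip, timestamp, path, status and user agent, or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status")), "ua": m.group("ua")}


def find_scanners(log_text, window=timedelta(seconds=60), min_paths=5, min_404_ratio=0.6):
    """Return {ip: summary} for clients that look like automated scanners.

    A client is flagged when, inside any `window` of its own requests, it
    asks for at least `min_paths` distinct paths and at least
    `min_404_ratio` of those requests come back 404.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits within `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            paths = {r["path"] for r in chunk}
            not_found = sum(1 for r in chunk if r["status"] == 404)
            if len(paths) >= min_paths and not_found / len(chunk) >= min_404_ratio:
                flagged[ip] = {"requests": len(chunk), "distinct_paths": len(paths),
                               "not_found": not_found,
                               "user_agents": sorted({r["ua"] for r in chunk})}
                break  # one hit per client is enough for a report
    return flagged


if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG).items():
        print(ip, info)
```

The ordinary visitor's single 404 never trips the rule, because the check combines breadth (distinct paths) with the error ratio; a legitimate site with many stale links would raise `min_404_ratio` or feed a whitelist of known paths. Running this over retained logs is exactly the kind of question the talk says organisations cannot answer when logging was never enabled.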
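The ransomware passage ends with the backup that "hasn't worked for 8 months" because nobody tested it. As an added example, not the speaker's or his company's code, here is what a minimal restore drill looks like in practice: build a constructed site backup (a tar.gz plus a sha256 manifest), then check that the archive is fresh, that its digest matches the manifest, and that it actually extracts to the files the manifest lists. The file names, the seven-day freshness limit and the eight-month-old archive are constructed assumptions for the demonstration.

```python
"""Test a backup instead of assuming it works.

Added example (not part of the talk): creates a small constructed site
backup in a temporary directory, then runs the checks a restore drill
should include. A stale archive is reported rather than silently accepted.
Paths and file names are constructed, not taken from any real site.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(directory, files, age_seconds=0):
    """Write backup.tar.gz and manifest.json; `files` maps archive name to bytes.

    `age_seconds` backdates the archive mtime to simulate an old backup.
    """
    archive = os.path.join(directory, "backup.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {"archive": "backup.tar.gz", "sha256": sha256_file(archive),
                "files": sorted(files)}
    with open(os.path.join(directory, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    if age_seconds:
        old = time.time() - age_seconds
        os.utime(archive, (old, old))
    return archive


def verify_backup(directory, max_age_days=7):
    """Return a list of problems; an empty list means the backup passed the drill."""
    problems = []
    with open(os.path.join(directory, "manifest.json")) as f:
        manifest = json.load(f)
    archive = os.path.join(directory, manifest["archive"])
    if not os.path.exists(archive):
        return ["archive missing"]
    age_days = (time.time() - os.path.getmtime(archive)) / 86400
    if age_days > max_age_days:
        problems.append(f"archive is {age_days:.0f} days old")
    if sha256_file(archive) != manifest["sha256"]:
        problems.append("sha256 mismatch")
        return problems  # do not extract a corrupted archive
    # Trial restore: extract into a scratch directory and compare file lists.
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            members = tar.getmembers()
            # Refuse entries that would escape the restore directory.
            for m in members:
                if m.name.startswith("/") or ".." in m.name.split("/"):
                    problems.append(f"unsafe path in archive: {m.name}")
            if not problems:
                tar.extractall(scratch, members)
                restored = sorted(
                    os.path.relpath(os.path.join(root, fn), scratch).replace(os.sep, "/")
                    for root, _, fns in os.walk(scratch) for fn in fns)
                if restored != manifest["files"]:
                    problems.append(f"restore produced {restored}, expected {manifest['files']}")
    return problems


def demo():
    """Run the drill against a fresh backup and an eight-month-old one."""
    files = {"sites/default/settings.php": b"<?php $databases = [];\n",
             "db.sql": b"-- constructed dump\n"}
    results = {}
    with tempfile.TemporaryDirectory() as fresh:
        make_backup(fresh, files)
        results["fresh"] = verify_backup(fresh)
    with tempfile.TemporaryDirectory() as stale:
        make_backup(stale, files, age_seconds=8 * 30 * 86400)
        results["stale"] = verify_backup(stale)
    return results


if __name__ == "__main__":
    print(demo())
```

The drill deliberately extracts into a scratch directory rather than over the live site, and it stops before extraction when the digest does not match, since a corrupted or tampered archive is not something to unpack. A real schedule would run `verify_backup` after every backup job and alert on a non-empty result, which is what turns "I have a backup" into "I have a backup that restores".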