Preparing for the Internet Zombie Apocalypse
Best Practices for Securing Your Website
PANTHEON.IO
WHO AM I?
@getpantheon
Websites Are Not Safe
According to the FBI, 35% of data thefts in 2014 came from website breaches.
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
These Websites Have Been Hacked
Your Website is Being Attacked
The average internet-facing server sees around 8,000 dictionary attacks (automated password-guessing login attempts) a day.
Websites Are Not Safe
There are two main attack vectors:
● People
● Technology
The People Problem
● Humans are prone to error, and administrative systems are chaotic and messy.
● Attackers take advantage of the chaos and find ways to impersonate legitimate users.
● Chaos makes managing access, and even knowing who has access to the website, difficult.
Solving the People Problem
Controlling access & minimizing administrative chaos:
● Role-based permissions
● Centralized account management
● 2-factor authentication
● IP or network restrictions
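The four controls above are usually discussed separately; the following added example (not code from the Pantheon deck) puts them into one gate that an administrative request must pass: the account must exist in a central directory, come from an allowed network, present a valid TOTP second factor (RFC 6238), and hold a role that permits the action. The account directory, role table, admin networks and TOTP secret are constructed for the example; the secret is the RFC 6238 test key, so the codes can be checked against the RFC's vectors.

```python
"""Added example, not code from the Pantheon deck: one gate for an admin
request that applies central accounts, a network allowlist, TOTP 2FA and
role-based permissions. All data below is constructed for the example."""
import base64
import hashlib
import hmac
import ipaddress
import struct
import time

# Constructed central account directory (in practice: your SSO/IdP).
# The TOTP secret is the RFC 6238 test key "12345678901234567890" in base32.
ACCOUNTS = {
    "alice": {"role": "admin",  "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
    "bob":   {"role": "editor", "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
}

# Role-based permissions: each role gets only the actions it needs.
ROLE_PERMISSIONS = {
    "admin":  {"edit_content", "install_module", "manage_users"},
    "editor": {"edit_content"},
}

# Constructed allowlist of networks from which admin actions are accepted.
ADMIN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),      # internal / VPN range (assumed)
    ipaddress.ip_network("203.0.113.0/24"),  # documentation range standing in for the office
]

TOTP_STEP = 30  # seconds per time step, the RFC 6238 default


def totp(secret_b32: str, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at_time // TOTP_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock skew."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + drift * TOTP_STEP), code):
            return True
    return False


def ip_allowed(source_ip: str) -> bool:
    """True if the request comes from one of the allowlisted networks."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def authorize(user: str, action: str, code: str, source_ip: str, now=None):
    """Return (allowed, reason). Every denial carries a reason for the audit log."""
    now = int(time.time()) if now is None else now
    account = ACCOUNTS.get(user)
    if account is None:
        return False, "unknown account"
    if not ip_allowed(source_ip):
        return False, "source network not allowed"
    if not verify_totp(account["totp_secret"], code, now):
        return False, "second factor failed"
    if action not in ROLE_PERMISSIONS.get(account["role"], set()):
        return False, f"role {account['role']} may not {action}"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(ACCOUNTS["alice"]["totp_secret"], now)
    print(authorize("alice", "install_module", code, "10.1.2.3", now))
    print(authorize("bob", "install_module", code, "10.1.2.3", now))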
The Technology Problem
Your website is getting attacked right now. When (not if) you are breached, what will be compromised, and how will you respond?
The Technology Problem - Hosting
Where is your website running? Is it in your own datacenter?
[Diagram: corporate site, community site and marketing site running on on-premise servers, alongside internal systems & data]
The Technology Problem - Cloud or Managed
Running your website in the “cloud”. This is not a real cloud!
[Diagram: corporate site, community site and marketing site in a datacenter, connected by VPN to internal systems & data]
The Technology Problem - Virtualization
You’re still managing the full stack (operating system, web server, database, patches), and you may deal with noisy-neighbor issues: other tenants on the same physical host competing for its resources.
Solving the Hosting Problem
With a container-based cloud, each website runs in its own isolated app container with no path to your internal systems, so if the website is compromised your sensitive data is still safe (provided the container itself holds no credentials for those systems).
[Diagram: corporate site, community site and marketing site each in an app container, separated from internal systems & data]
Solving the Infrastructure Problem
Security as a Service for websites:
● DoS protection
● Network intrusion protection
● Encrypted communications available by default
● Systems managed via automation
● Central administration of access and permissions
The Technology Problem - DIY Website Infrastructure
PUBLIC FACE: Single instance IP, maybe a CDN
APPLICATION: Code sitting on a server
DATABASE: Optional firewall; no encryption by default
LINUX: Sysadmins monitor CVEs, run fire drills, play whack-a-mole
NETWORK & PHYSICAL SECURITY: IT or old-school ops
YOUR DEVELOPERS: No central management or audit trail; plain old FTP?
The Technology Solution - Modern Website Infrastructure
PUBLIC FACE: Highly available and horizontally scalable; also a reverse-proxy cache
APPLICATION: Version control & scripted deployment; clear chain of custody for all changes
DATABASE: Encrypted connections; run only over the internal network
LINUX: All systems managed via automation; treat servers like cattle, not pets
NETWORK & PHYSICAL SECURITY: SOC 2 compliant infrastructure vendor; all internal traffic is encrypted
YOUR DEVELOPERS: Centralized account management; audit trail; all SSH, all the time
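The DATABASE row is the one most often got wrong on DIY infrastructure: the database listens on every interface and accepts plaintext connections. The following added example (not the deck's or Pantheon's code) is a small pre-deploy lint that reads a MySQL/MariaDB server configuration and flags exactly those two settings. The two my.cnf snippets are constructed: one in the DIY shape, one in the hardened shape the table describes. The `require_secure_transport`, `bind-address`, `ssl-cert` and `ssl-key` options are real MySQL server options; everything else is an assumption of the example.

```python
"""Added example, not Pantheon's code: lint a MySQL/MariaDB config for the
two DATABASE properties above (internal-only listener, TLS required).
The config snippets are constructed for the example."""
import configparser
import ipaddress

# Constructed "DIY" configuration: listens on every interface, TLS optional.
DIY_MY_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# Constructed hardened configuration: internal address only, TLS required.
HARDENED_MY_CNF = """
[mysqld]
bind-address = 10.20.0.5
port = 3306
require_secure_transport = ON
ssl-cert = /etc/mysql/server-cert.pem
ssl-key = /etc/mysql/server-key.pem
"""


def audit_mysql_config(text: str) -> list:
    """Return a list of findings; an empty list means the config passes."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(text)
    if not cfg.has_section("mysqld"):
        return ["no [mysqld] section"]
    section = cfg["mysqld"]
    findings = []

    # Listener: an absent bind-address means all interfaces (the server default),
    # as do the wildcard forms. Anything else must be loopback or a private address.
    bind = section.get("bind-address", "*")
    if bind in ("*", "0.0.0.0", "::"):
        findings.append(f"bind-address {bind!r} listens on every interface")
    else:
        try:
            addr = ipaddress.ip_address(bind)
        except ValueError:
            findings.append(f"bind-address {bind!r} is not an IP address")
        else:
            if not (addr.is_private or addr.is_loopback):
                findings.append(f"bind-address {bind} is publicly routable")

    # Transport: require TLS, and make sure a certificate is actually configured.
    if section.get("require_secure_transport", "OFF").upper() not in ("ON", "1"):
        findings.append("require_secure_transport is not ON: plaintext connections accepted")
    elif not (section.get("ssl-cert") and section.get("ssl-key")):
        findings.append("TLS required but ssl-cert/ssl-key are not configured")
    return findings


if __name__ == "__main__":
    for name, text in (("DIY", DIY_MY_CNF), ("hardened", HARDENED_MY_CNF)):
        print(name, audit_mysql_config(text) or "passes")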
Solving the Website Infrastructure Problem
Systems automation: treat your servers like cattle, not like pets. A compromised or drifted server is rebuilt from a known-good definition rather than patched by hand.
The Technology Problem - Website Technology
● Custom code
● Plugins / modules
● Core CMS
Solving the Website Technology Problem
Core CMS: How are you managing updates? How quickly can you update?
Plugins / modules: Can you trust the ones you’re using? They can often be collections of modules. How are you managing updates?
Custom code: Do you have a process for checking that your custom code follows security best practices? Do you know who made changes and what they changed?
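Answering "how quickly can you update?" starts with knowing what is installed and what the current security release of each component is. The following added example (not from the deck) compares a site's installed core and module versions against a list of security releases and reports what is behind, and separately lists the components that have no upstream feed at all, which is the custom code you have to review yourself. The inventory and the release list are constructed for the example, not real advisories; the version handling assumes Drupal-style `8.x-4.6` and plain `8.9.1` strings.

```python
"""Added example, not from the deck: inventory check of installed CMS
components against security releases. Both lists are constructed."""
import re

# Constructed inventory of what the site runs (core plus contributed modules).
INSTALLED = {
    "core":            "8.9.1",
    "views_slideshow": "8.x-4.6",
    "metatag":         "8.x-1.13",
    "custom_glue":     "1.0.0",   # site-specific custom code, no upstream feed
}

# Constructed security-release list: component -> first version without the issue.
SECURITY_RELEASES = {
    "core":            "8.9.6",
    "metatag":         "8.x-1.13",   # already current
    "views_slideshow": "8.x-4.7",
}


def version_key(version: str) -> tuple:
    """Turn '8.x-4.6' or '8.9.1' into a comparable tuple of integers.
    A Drupal-style '8.x-' branch prefix is dropped; non-numeric parts are ignored."""
    version = re.sub(r"^\d+\.x-", "", version)
    return tuple(int(part) for part in re.findall(r"\d+", version))


def needs_update(installed: dict, releases: dict) -> dict:
    """{name: (installed, required)} for every component below its security release."""
    behind = {}
    for name, have in installed.items():
        need = releases.get(name)
        if need is not None and version_key(have) < version_key(need):
            behind[name] = (have, need)
    return behind


def untracked(installed: dict, releases: dict) -> list:
    """Components with no upstream release feed: code you must review yourself."""
    return sorted(name for name in installed if name not in releases)


if __name__ == "__main__":
    for name, (have, need) in needs_update(INSTALLED, SECURITY_RELEASES).items():
        print(f"UPDATE {name}: {have} -> {need}")
    print("no upstream feed:", untracked(INSTALLED, SECURITY_RELEASES))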
Summary
The main website vulnerabilities center around:
People
● Chaotic systems
● Human error
Summary
The main website vulnerabilities center around:
Technology & Infrastructure
● Hosting infrastructure
● Website technology
Our Solutions
Pantheon provides:
● Isolated and secure web infrastructure
● Role-based access and permissions
● Administrative oversight of your teams
● NEW: SAML integration for SSO
● NEW: Secure Runtime Access to harden website security
Summary
Protect yourself by:
● Managing roles and access with practices like SSO and 2-factor authentication
● Running your website in the cloud, one that gives you robust security features and protection
● Staying on top of updates
Sign Up for a Free Account pantheon.io/register
Questions?