At WP Engine, we’re passionate about helping our customers learn and grow. In keeping with that ethos, we proudly present “Finely Tuned Expert,” a series of interviews with some of the brightest talents in tech, marketing, and (naturally) WordPress.
For this episode, we’re diving back into an all-important topic: web security. Eric Murphy, Senior Director of the WP Engine Security Team, joins us along with David Endler, Managing Partner of Manifest, an Austin-based organization that helps build successful cybersecurity companies. Whether you’re just starting to get a handle on the current state of web security or you’re a battle-hardened security warrior, this episode will supply you with new tips and information to help you keep your sites secure.
The whole show goes down on Wednesday, February 8 at 1:30 p.m. Central. Catch it live here on the WP Engine blog, or on our YouTube channel. Don’t miss it!
Jonathan: From WPengine.com, you’re watching Finely Tuned Expert, a series of interviews with some of the brightest talents in tech, marketing, and WordPress. On this episode we’re tackling website security, and joining us from the security team here at WP Engine is Security Director Eric Murphy. Eric Murphy, thanks for being with us.
Eric Murphy: No problem at all.
Jonathan: Right on. And our special guest today is David Endler. David is a managing partner for an Austin-based organization called Manifest. They help build successful cybersecurity companies. David, welcome to the show.
David Endler: Thanks for having me.
Jonathan: Right on. David, before we dive too deeply into web security, let’s talk about you and about Manifest. What is it, what’s the general mission? Kind of give us the gist.
David Endler: Sure. So Manifest is a group of cybersecurity entrepreneurs, people who have been through the startup grind to acquisition to exit before. And we have a large group of people who are at the core of helping other startup entrepreneurs navigate the early stage. The early stage is the hardest part: figuring out what you want to build, figuring out how to sell it, raising money. We are entirely focused on the Austin market. And so we have an amazing group of mentors. Everyone does this, including myself, for free. We don’t get anything out of it except to pay it forward a little bit. We get to expand our own network. We get to help potentially a new upcoming cybersecurity startup, either as a mentor, or some of us become so enamored with some of the companies that come through that we actually want to join them. And so, Eric, actually, here is a mentor to Manifest as well. So thanks for your participation.
Eric Murphy: Absolutely. So Manifest is really a great organization, as Dave said. We do this completely for free. For me, it gives me an opportunity to give not only security insights to starting companies, but also business insight as well. So moreover, Manifest is a fantastic organization and I’m happy to be part of it.
David Endler: If any of you listening are considering starting a cybersecurity company in Austin, come check us out. Manifest.io is the website. Even if you just want to sit down for coffee with one of our many mentors, it’s probably a good bet that one of us has done something similar, if not exactly what you guys are trying to achieve. Maybe we could even help you refine your messaging, refine your product.
Jonathan: Cool. Very cool. What projects are currently underway that you can share with us?
David Endler: One that is about to come out of stealth, probably by me mentioning it on this webcast, is one that actually I became so excited about that I joined myself. It’s called SpyCloud. It’s a breach-detection-as-a-service company, and we look for your credentials, your most valued information, flowing around the dark web being traded by criminals, being bought and sold in some cases, and in other cases being actively used to break in not just to the organization but to the services that your organization uses. And so SpyCloud.com is the website, and anyone can actually just go check to see what kind of exposure they have by entering in their email. So I’m excited, and that was the Manifest process. I was talking to the early team and I thought I could help by adding value in joining the company. So we have some other companies that we’re working with through Manifest as well, which will come to light in the next few months.
Eric Murphy: Yeah. Actually on that note, many of you out there might use LeakedSource. For example, SpyCloud really has kind of a-
David Endler: Not anymore actually.
Eric Murphy: Really?
David Endler: They got taken down.
Eric Murphy: They did get taken down.
David Endler: [inaudible 00:03:54] this might be the …
Eric Murphy: Yes [crosstalk 00:03:56] version. In any case, SpyCloud offers a bit of extra beef, if you will. So I’d recommend checking them out.
Jonathan: So on our last security-focused episode, just I guess a couple months ago, we started by trying to get a lay of the land on web security. And I think maybe for the folks who didn’t tune in last time, for new viewers, let’s start there. How does it look? Can you guys fill us in on what your thoughts are?
Eric Murphy: Sure, I can start. So web security as a whole is very interesting in 2017. Especially with the election and everything that’s been happening, it’s very much the hot topic currently. So the state of web security is actually great for people that are in the security market. That being said, it’s vitally important that people understand order of operations and operating procedures around security in order to successfully protect their assets. And we can dive in a bit about that specifically, but for the most part staying in the know and understanding the landscape is increasingly important.
David Endler: I would agree. Those in the security community will never go out of business thanks to all of the things involved with web security, and anyone in the know knows it’s not just your web server, there’s all the different layers. So obviously a web server runs on an operating system. That operating system has to live somewhere in a network, and that network has to be probably co-located with a lot of other things that are also hosted. So keeping up to date just with the security of each of those slices is hard. Operating system patches come out all the time. Web server patches, the application patches come out all the time. Not to mention the code that actually runs on all of those servers. So you have a development team whose sole mission isn’t necessarily security, and that makes sense, their job is to get a product out. And so that includes, if we’re talking about WordPress, WordPress itself, that includes plugins that people are writing.
David Endler: Very rarely do you have control over all of the software that you’re running in your organization. You have to rely on if it’s open source, hopefully enough people have looked at the source code enough to know if there’s bugs, but even open source packages like OpenSSL, been around forever, there’s still bugs that are being discovered. So web security I don’t think is ever going to be bulletproof. I think it all comes down to having a process to make sure that you can respond when there is an incident and then layering your defenses appropriately. And so let’s assume that someone will eventually get into your organization or maybe they get into your front facing web application, to limit the damage you can do things like encrypting the data that you’re most trying to protect. That way you don’t become one of these headlines in the paper about all the breaches that you see from day to day.
Eric Murphy: Just to expand a little bit on that, many people focus on the tech side of the pyramid, if you will: your host-layer security, your network-layer security, application layer. If it’s WordPress, what plugins can I install to protect my site? But as Dave mentioned, there’s another important aspect, which is kind of like the incident response, the corporate security posture. These are things that companies, especially small businesses, are just starting to figure out how to do, mainly because security’s been such a hot topic lately. So I think later in the discussion we will dive into that a bit. But for the most part, security is not purely technical. There’s many other layers regarding governance, risk, compliance, but also just people operating, or people types of processes. So we can’t forget that.
Jonathan: Well, on that front, let’s talk about the basic-level novice security folks, the people who own websites, own maybe a small website business, something like that, and are trying to find their footing on web security. What is the best way for them to get started and what resources would you guys recommend to them? I’m asking for myself mainly.
David Endler: I think one of the best ways to know how to defend yourself is to put the hat on of a potential attacker, even if it’s not a sophisticated attacker. There are a lot of what we call script kiddies, people who are novices on the attacker front, who can do a lot of damage just by downloading a tool off the internet and pointing it at your website. So I think one way is, if you’re not already administering a server or a web server on your own, install something at your house, something that’s not exposed to the internet, but something you can just poke around with. There’s a lot of tools you can download and a lot of sites you can go to to learn how to hack into websites.
David Endler: Now, I really like the OWASP website, the Open Web Application Security Project, OWASP.org. They provide a lot of resources on defense and offense, and they actually provide an intentionally buggy web server called WebGoat that you can install, and it’s almost like a tutorial. Here’s what SQL injection is, and it kind of gives you hints on places where you have to actually perform a SQL injection attack. And so to get to the next level, it’s almost like an exam, you have to actually perform the attack and then move on. So I think learning how to attack yourself is one of the first steps. What else would you think?
Eric Murphy: Yeah, absolutely. I’m glad you brought up OWASP, because understanding that threat landscape, what the OWASP Top 10 are, is really the first incremental bit to understanding security data.
David Endler: Explain what the Top 10 is.
Eric Murphy: Well, there’s quite a few, right? So there’s injections, there’s CSRF, there’s LFIs …
David Endler: The Top 10 attacks.
Eric Murphy: Yes, the Top 10 attacks, rather. We’ll actually be linking to that after this episode so you can take a look. But understanding specifically what those are will help you navigate the threat landscape. In addition, if you are running a WordPress site, there is understanding and installing various plugins. You have everything from Wordfence to security plugins, there’s WAFs. But before you can get into any of that you really need to understand what that threat landscape looks like.
Jonathan: What about events? Are there security-based events that basic novice users can go to to help them find their footing?
Eric Murphy: Events, do you mean like conferences?
Jonathan: Yeah.
Eric Murphy: Oh, absolutely. Many cities have community events. One that you may have heard of is called BSides. Austin does [inaudible 00:10:40], it’s fantastic. Anyone can participate. There’s lots of other little community groups that you can find on Meetup, for example. But for the most part, absolutely, security events are a fantastic venue to start to begin to understand that threat landscape, and not only that, meet the right people or meet the people that are active in security. So it’s a fantastic avenue to talk to people that participate, for example, in red teaming or penetration testing. These are the guys that are constantly being hired to break into websites or break web applications. So overall, participating in an event like BSides would be great. There’s others as well. There’s bigger conferences such as Defcon and Black Hat, which are the more well-known conferences. And then there’s even the corporate security conferences such as RSA. Absolutely, almost every city has some semblance of a security meetup or event.
David Endler: And also OWASP has a lot of local chapters, and a lot of them are hosted on Meetup.com. In fact, if you go to Meetup.com, you can actually see a lot of security groups. Some of them, like OWASP, are web focused, some are just more general security. But those are, I think, worthwhile to go to as well.
Jonathan: Great. For those folks in the audience who are more advanced, more intermediate level, what are the challenges facing web security in the near future, and what are the new strategies and techniques that you guys can think of for overcoming some of those challenges?
Eric Murphy: So there are a plethora of attacks that happen every single day and they get more and more sophisticated. One of the areas of focus that the security community is worried about is really the IoT space. Suddenly we have more Internet of Things devices than there are people. And if you think about that for a moment, bad guys, if they put those devices to use, we see really high-escalation DDoS attacks and the like. And these attacks typically deliver payloads and bandwidth that your website will succumb to, more or less. So ultimately I think the latest and greatest is definitely around the IoT space, for sure. But the other thing with that is, again, coming back to understanding the security data. So the people that are more advanced, for example, do they have intrusion detection? Are they looking at HTTP data, layer seven, things like that? It’s really about understanding the threat landscape so you can kind of whittle that down into the things that you should be concerned about.
David Endler: I would also say, I agree with Eric. I would also say the basic blocking and tackling, low-level attacks are still very popular with attackers because they’re still very successful. Case in point, the emails that were eventually leaked from the Democratic campaign didn’t happen because of an elite new attack against the DNC server. It was through social engineering. Someone sent Hillary’s Chief of Staff, John Podesta, an email that looked like a Google reset, and he clicked on it, and lo and behold he changed his password not on Google’s site but on an attacker site. So back to what Eric was saying, the people side of the equation can’t be ignored. Your web application may be bulletproof, but someone could still trick your users into giving up vital bits of information. So I think anyone in the security community understands it’s about people, process, and technology.
David Endler: On the advanced side, I’ve heard more and more people, I haven’t seen many attacks. I was going to ask you if you have, on microservices. So a lot more applications are going to the cloud, and then in doing so you kind of rely upon, say, the cloud’s microservices, such as maybe a payment transaction, maybe like Google App Engine, Amazon has Lambda, and a lot of other cloud providers are starting to allow you to run code, sandboxing that code. What is the likelihood that someone else’s code can get access to your information? So I haven’t seen any fancy attacks, but I’ve heard people starting to talk about it. Have you?
Eric Murphy: Yeah, yeah. I wouldn’t say we have seen anything in regards to specific attacks. However, I would agree with you that that is definitely an up-and-coming attack vector. The name of the game is usually break the API endpoint, right? So, [crosstalk 00:15:09] endpoints, but in this case, companies more and more, as they move their services or they compartmentalize their services in the cloud, are relying on providers like Amazon to provide layers of protection. And that’s great, but that’s not the only thing you should be doing. That does not mean you shouldn’t be building layers of security around your microservices. An example of that might be, if you have a series of microservices, you should absolutely have an authentication service. Right? So while those attacks I think are definitely going to be seen more, I think the message here needs to be you can’t rely on other people, particularly the service providers, to provide those layers of security.
David Endler: And then you really need a DevOps team to manage that. If you’re going to have that level of technology in the cloud, either you have a DevOps team or you trust someone like WP Engine to host and manage all of those pieces for you, which is why I’m a big fan of you guys, because I’ve managed my own WordPress site before and it’s hard. It’s miserable. There’s always updates and, especially on the plugin side, I know you guys do some due diligence in looking at some plugins that are available, but there’s no way to know if the plugins that are being installed have holes in them. And so it’s just nice to have someone else worry about that. So a team, a small team, especially a startup, can worry about getting a product out. Not just a startup, there are large organizations that just don’t have the resources or budget to focus on DevOps. So a plug for WordPress hosted by these guys.
Jonathan: Cool.
Eric Murphy: Thank you very much.
Jonathan: We appreciate that. Let’s talk about those large organizations real quick. How does the security game change for big corporations, big organizations, enterprise-level businesses? What do they need to do to make sure they’re addressing the security needs of all of their clients?
Eric Murphy: I guess I can start. So one of the interesting things about security, as I mentioned earlier, is that it’s a heavy focus on tech. Everyone’s like, I need my firewalls, I need my WAFs, I need all these things, and we often forget about process. So whether you’re a startup or a large enterprise, what seems to come last is the process and policy. Right? So defining how your incident response will work, defining your levels of access control, getting these things down on paper are absolutely required to run a successful security organization. And the good news is, if you don’t have those things today, that doesn’t mean you can’t build them now. So security should start really at the very beginning of the process. You always want to inject security as early as possible, but if you find yourself in a large organization that might not have the resources or the processes, or the governance or the risk, it’s very important to conceptualize what these could be, because this is how you are going to articulate to various stakeholders what the risks of the business are and how you can protect against them.
Eric Murphy: So in the event of when a company has a breach, the key word being when, you have a process to follow, because things get very hectic when you have your board, your executive team, everyone asking questions during an incident. So incident response, risk management, access control, so on and so forth, are vitally important to a good security organization.
Jonathan: Cool. All right. How about thoughts on building security teams? What do you guys think about that?
David Endler: First of all, to have an amazing team, whether it’s security or otherwise, you have to have support from the top, including the board. Security teams, I think great ones are built with a great culture. So there’s a sense that you have to have some leadership, but also the flexibility to do other things in the organization, such as side projects, such as research, such as maybe speaking at conferences. But when it comes to security at large organizations, I think there can be this misperception that the security team is out to get everyone, to make them look bad. And I think, I think that’s part of the executive management and it’s the C-level executives to … that the security team is not there to make you look bad. They’re there to enable you and they’re there to help you.
David Endler: And so that’s hard, because no one wants to be blamed for the latest breach that led to the company stock going down five percent. And so to build an effective security team you need support from upper-level management. I think you also have to have champions there as well to listen to what you’re saying. Just because you report a threat they might not think is as important, you convince them otherwise. So I’ve seen more and more education, more awareness from boards in large organizations over the last year, and I think some of the high-profile hacks and some of the breaches like Yahoo, LinkedIn, Dropbox have helped in that respect.
Eric Murphy: Absolutely. And just to kind of expand on that, security is not the sole responsibility of the security team. Security is the responsibility of everybody, right? And including your customers, right? So education is extremely important, especially from the board side, but also across the entire organization and really training people into cultivating that security mindset. Helping them to understand that security is not a bad thing. We’re not here to reprimand you, and mistakes are okay. But ultimately security starts from low level to high. It’s across the board. And that education, it really is vital to the success of any security organization.
Jonathan: Yeah. That doesn’t sound so different from any other department, really. Leadership, culture, yeah, that all sounds pretty important. Let’s tackle one more big question. The biggest one, we saved the biggest one for last of course, and that is how do you see web security changing in five, ten years? Where do you see it going? What are you anticipating coming down?
David Endler: That is a big question. So let’s start by looking back, how has it changed in the last 10 years, and I think it hasn’t changed so much. Some of the building blocks are still the same, where you need secure operating systems. You need secure software on top of those operating systems. You need secure authentication, you need people on both ends that are managing and using the product to understand security. Probably the thing that’s changing now is more and more of these applications are leaving the premises, moving to the cloud, which is obvious, I’m sure everyone realizes that. So you are putting your trust into more and more companies to segment and protect your data. And so I think web application security becomes less about the blocking and tackling of updating the operating system and the application, more about protecting against the personal element, the people element. The people are still the weakest link when it comes to social engineering and getting access to their information.
Eric Murphy: Completely agree. In fact, one thing I really wanted to highlight in this discussion is some of the new tech that is all the rage, right? So everyone talks about containers. Containers are not a security boundary. People think if they build their web application within a container that they’re safe, and that’s okay. So we also need to take into account that as we add layers of technology or we add complexity to the web applications we develop, that does not mean you can forget about the security layers. Right? And in addition to that, to kind of touch on possible things that are coming down the pipe, as mentioned earlier, IoT is becoming a big concern for the security community. Simply put, it’s the manufacturers of these devices. Many of them do not have ways to actually secure them, and even if they do it’s often very trivial to get around.
Eric Murphy: And then other than that, we’re starting to see some escalations in regards to ransomware, of course, that’s a big thing. It’s interesting, if you look at the history of attack records and security in general, history repeats itself, right? So ten years ago it was all about breaking services, penetrating to steal intellectual property, things of that nature. And then it moved into kind of like defacements and the funny things that you might expect from script kiddies, that Dave mentioned earlier. And it’s really kind of rinse and repeat. The thing that is changing is the tech, the attack vector, the things that enable the attackers. So the attacks themselves are really the standard tried-and-true things. It’s just their methods of doing it are slightly evolving.
David Endler: Actually, I would love to ask, I’m sure some of the viewers would like to know, so you’re Director of Security. What have you seen that surprised you from an attack perspective against your customers? Not to name names, but has there been something where you just scratched your head and thought, oh wow, I haven’t seen that before, or has it been mostly just the basic SQL injection, vulnerability scanning?
Eric Murphy: Yeah, so it’s really kind of interesting. I would say that the level of sophistication of the attacks that we typically see is not that high. In other words, it’s kind of the same standard thing that we’ve been seeing for a very long time. Where some of the sophistication is coming in, it’s really in regards to DDoS, I would say. For example, with the [inaudible 00:25:04] botnet and IoT things, the way they used GRE encapsulation to DDoS, that was a bit different, right? In regards to WordPress, I think one of the reasons we see so many of the simplistic attacks is because they’re easy. Script kiddies are really the predominant traffic that we see in regards to security.
David Endler: So a vulnerability comes out in WordPress, for instance, it’s patched, and a lot of people managing their own WordPress site probably don’t get to it immediately. And you guys do. When you do, do you suddenly start to see an uptick in people kind of poking around for that vulnerability? What’s the window, is what I’m getting at? Do most people who aren’t on a hosting provider like you, do they have a day? Do they have a week?
Eric Murphy: It’s pretty instant. Let me give you an actual real-world example. So recently a WordPress update, core update 4.7.2, came out, and that closed kind of a vulnerability that was referencing the WordPress API, right? That was a very serious vulnerability. There’s not that much press about it. That actually came out about a week and a half ago. And now as of today, what’s hitting the press is all these compromises around WordPress. In fact, I think security just published an article that said 66,000 websites had been defaced. So really that window is very short. Attackers adapt very, very quickly. They’re really good about sharing information. Good guys are not so good about that. So you really have anywhere from hours to days to kind of update and patch, and luckily if you’re a WordPress or WP Engine customer we take care of as much of that for you as we can, but keep in mind it’s also a shared responsibility. So with that being said, that’s actually an example that just happened as of a couple days ago that we have seen.
David Endler: So what do you see as the favorite tool of the script kiddie against WordPress installations? I was also curious about that.
Eric Murphy: Ah, yeah. That’s actually a very good question. So there’s a lot of homegrown tools out there, a lot of bad Python code, and we see the standard web shells that you would see. C99, for those familiar with it, is a thing that still exists. So that’s what I meant earlier about the commonality: we still see the old tech, the old attacks, right, it’s just the ways that they’re being used are a little different. As far as other tools go, DDoS is a little different because of IoT botnets and things of that nature. But botnets in general, you have your old tried-and-true IRC-style botnets that are still breaking things such as RS modems, for example. It has been around forever. And then you see more sophisticated botnets that typically operate with newer tech. Maybe their command and control is HTTP based or something like that. So to answer your question in regards to tools, it’s really a combination of homegrown, badly coded tools, and a lot of the things that exist out there such as exploit kits and so on and so forth.
David Endler: Okay.
Jonathan: Man, I can tell you guys can talk about this at length, but I’m afraid we’re going to have to cut it short. Eric and David, thank you so much for being on Finely Tuned Expert with us today.
Eric Murphy: Absolutely.
David Endler: Thanks for having me.
Jonathan: Right on. For more on security you can head on over to WPEngine.com/blog. We’ll be updating the show with notes and some of the links that Eric mentioned for this show. And as always, you can watch additional episodes of Finely Tuned Expert on our blog or on the WP Engine YouTube channel. We’ll see you next time on Finely Tuned Expert. And now I’m going to press the button. Yay.