Are your protecting your WordPress website from attacks?

With the popularity of WordPress, and the support it gets from the development team, it’s easy to think that your installation of WordPress is secure. Since you didn’t code it from scratch, you might assume that it is hardened and you don’t have to do any further tinkering with security.  Well, you may just want to put some effort into locking down your WordPress installation.  As with any website, you need an IT Security Policy, walk through an IT Security Checklist

There are several methods that are generally used in an attack on a website. First you have mis-configurations. This can mean everything from leaving the ‘wp-config’ file readable to the world to allowing any kind of file to be uploaded in a form to weak password security.  The second type of access can usually be gained through bad coding techniques. If you add a Plugin or write your own code to add to the WordPress installation, this can possible allow and attacker to take advantage of bad code to break into your site. And lastly you have can lump other attacks into infrastructure attacks. Maybe you don’t have a firewall running, or intrusion prevention service running to stop attacks. Or you are hosting you website on a shared service like Godaddy or Hostgator and someone else’s website is vulnerable, leading to a compromise of the whole hosted server.

For now, lets address some easy things you can do to reduce configuration weaknesses that could lead to a hacked website.

1)      Password – no matter how many times you say it, people still use weak passwords that can be guessed or broken with brute force attacks.  There are several free and paid login protection plugins you can use.

2)      File Permissions – this is a bit trickier if you do not know how file permissions works. You can get an easy primer from the WordPress help file, http://codex.wordpress.org/Hardening_WordPress  Its also provide a lots of details for the more technically savvy.

3)      Monitoring – you should know what is going one with access attempts or changes in your files and configurations of your WordPress site. There are a number of tools you can search for monitoring and logging activity. Its especially important to monitor for healthcare IT security.

4)      Security Testing – even if you have installed security plugins and have configured your website correctly, you should still periodically test the security for vulnerabilities. You can pay third party companies to do penetration testing or you can try some of the plugins on your own. Testing is important to risk management and assessment

There are lots of different tools you can use to secure your site. The first step is to know that it will not stay secure without you actively implementing security measures.

Image representing Facebook as depicted in Cru...
Image via CrunchBase
Is there such a thing as Social Media Warfare? We have had cyber warfare going on for years now. So it should be an obvious “YES” that Social Media warfare exists. But is that true?  To get to a full blown war opposing sides go through an escalation process. Where are we in this process? From a pure cyber warfare perspective, we are in world war three, many opposing sides, lots of new and improved weapons, completely escalating attacks and no end in sight. Companies are used to conducting vulnerability management and risk assessment. This new war will require new tactics and defense strategies. I think we have seen the first skirmishes of the war. It started with all the spammers morphing their tools into Facebook and Twitter hacking. Then moving into phishing. Then into negative attacks on your reputation by disgruntled customers and competitors. So what is the progression of this coming war? Is there a similarity to how “normal” cyber  warfare started? But why is this war inevitable? The attack vectors in the Social Media War are probably categorized into personal use and corporate use. If these are the assets that needs to be protected, we can then figure out how the assets will be attacked, how will the enemies do reconnaissance, what alliances will be formed and what should be the defense strategies and weapons for defense. The progression of of this war will follow different patterns and there is probably no end in sight.
Action Personal Corporate
Skirmish Home users receiving spam and phishing attacks and scams Corporate users seeing more phishing attacks, attackers going through Linkedin profiles
Protest Actions Users might complain to attorney generals, or write nasty messages about Microsoft Adobe or Apple security weaknesses The IT department is inundated with help desk calls. Companies have the ability to complain to ISPs or event countries about originating attacks.
Negotiations There really isn’t anyone to negotiate with. Writing on your Facebook wall will not do a darn thing. Companies definitely do not want to negotiate. But will see blackmail more and more.
Failed Negotiations The home user is bascially screwed anyway. Succumbing to blackmail will only lead down a bad path.
Declaration of War This is a defacto state with the home user. They are at war whether they know it or not. Companies have to take a proactive approach to security versus reactive. Anticipate the next types of attacks and have a budget to address it.
Launch Attacks and Defend More defend, get your anti-spyware, antivirus, personal firewalls and encryption up to speed. But after that, understand how attackers use Social Media. Spend massive amounts of money on understanding how so fight in the Social media landscape, security hardware and software are not enough.
Allies Join the War The home user can only rely on the Social media companies for basic security. Their will be more collaboration between companies and governments. Perhaps together they have a fighting chance. Regulations are also going to force changes.
Years of Conflict – Never Ending Whats the next thing after Facebook and Twitter? Whatever it is will have its own security challenges. But by that time the home user will probably have given out every bit of personal information on all the Social Media venues anyway. A company can only rely on the right process to secure their social media usage. As technologies change and new sites go live, a good process and social media security policy is all you can rely on.
Winner The ISP, they get to sell bandwidth. The VCs who fund companies like Facebook and Twitter.
I will get into more tactics in the coming war in future posts. Gary Bahadur CEO KRAA Security,  baha@kraasecurity.com http://www.kraasecurity.com http://blog.kraasecurity.com http://twitter.com/kraasecurity *Managed Security Services *Vulnerability Management *Compliance & Policy Development *PGP Security *FREE Website Security Test
Enhanced by Zemanta
Image representing Facebook as depicted in Cru...
Image via CrunchBase
 The trends in Social Media are heading towards more sharing of information. But sharing of information has moved beyond your circle of friends and family. Social media is becoming less social and more… well more corporate. Or more like many people shouting in a bar, you are all in close proximity, but you can’t distinguish the individual conversations, you can’t make out who people really are or who is a potential quality relationship. How many random friend requests do you get now from Facebook, Friendster, MySpace, LinkedIn, etc. Twitter is a bit different obviously, but that’s a whole other story. Now you are also getting bombarded with corporate Fanpages, groups and other means of luring you to their sites, brands and social following. This is the erosion of your true social circle.Social Media Security is really more about Insecurity. The distribution of your information across multiple platforms used to be in a restricted circle. This can be true data loss.  Now its pretty much everywhere. You can find a person’s LinkedIn profile with a generic Google search. This should be restricted to the LinkedIn environment, but it’s not.With the advent of location based services, we will see physical insecurity based on social media usage. A recently popular site Please Rob Me http://pleaserobme.com has already begun taking advantage of the Twitter location feature. Imagine what can be done by a stalker following someone on twitter or a deranged Ex-boyfriend following you based on the events you are attending on Facebook? It’s easy to see how you can give away all your personal information without event thinking of it. Trends towards making information available will lead to Insecurity. Insecurity will lead to data breaches and compromise. Compromise will lead to lots of crying, money lost, probably lawsuits and other painful results. How do we get past this Social Media Insecurity?  Gary Bahadur http://www.kraasecurity.com http://blog.kraasecurity.com http://twitter.com/kraasecurity Address: 200 Se 1st St #601 Miami FL 33131 *Managed Security Services *Vulnerability Management *Compliance & Policy Development  *PGP Security *FREE Website Security Test 
Reblog this post [with Zemanta]
Ponemon Institute recently released their  Cyber megratrends as listed below. While I agree with these I think there were a couple that could easily be added to the list. First, I would either add or modify Web 2.0 into Web 3.0. Lets look to what is going to happen versus what is happening. Incremental change may not be the trend.  Secondly, I suggest adding Vendor Risk Management. The vendor does not have to be offshore to pose a problem. Vendors are so integrated into companies and business processes that they are like an employee but are not subjected to the same Network Security Assessment requirements in many cases. Its a difficult thing to try and forecast. The good thing about it is that no one really remembers your forecaste anyway. Regards Gary Bahadur http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity Managed Security Services Managed Firewall Managed Vulnerability Scanning

++++++++++++++++++++++++++++++++++++++++++++++++ Cyber Security Mega Trends Study Prepared by Dr. Larry Ponemon, November 18, 2009 Related articles by Zemanta
Reblog this post [with Zemanta]