Website security essentials with Logan Kipp, aka website security 101. Logan has dedicated himself to website security, and has taken the time to chat to us about the latest in security. SiteLock alone has catalogued millions of unique malware strains and audits over 30,000 new suspected malware strains in the wild per month. Website security is no longer an option; it has become essential.
Logan it was great meeting you at WCEU Vienna, but in the midst of the chaos I didn’t get to ask you in detail about what got you into security? Where did you start and what brought you to SiteLock?
I’ve always identified as a tinkerer of sorts, taking things apart to see how they work and adapting them to new purposes. This sort of hardware hacking carried over into software when my dad brought home an Apple IIe running Unix and I felt compelled to find out how the machine ticked. Once you know how a given mechanism works, it becomes more clear how it can be manipulated, and you can devise solutions to prevent said manipulation.
I worked in the hosting industry for three years, which helped to develop my skillset with massive-scale shared and dedicated hosting environments. In 2012 SiteLock recruited me to work in their then-new Scottsdale, Arizona office, which was my first position focused solely on security.
You could say SiteLock was my “big break” into the security industry.
You have over 7 years of experience in WordPress hosting and security, over time you must have seen and resolved some interesting security issues. Recently you went from Lead Security Analyst to Product Evangelist at SiteLock, how has your role changed within SiteLock?
Over the years, I’ve certainly seen some unique and creative ways that hackers have acquired control over websites and even entire servers. I’d love to say that I’ve seen it all, but the fact is that malware is still being developed today using original techniques that are, in a way, quite fascinating in their innovation.
The shift from Lead Security Analyst to Product Evangelist was actually a pretty natural evolution when I look back at it. I like to say that as Lead Security Analyst I was Chief Firefighter. My day-to-day focus was primarily on resolving the most critical or complex malware and vulnerability cases, while providing guidance to SiteLock’s paragon Tier 3 Security Concierge (‘SECCON’) on techniques and processes. As we formed new partnerships, I would often provide onsite training to get our new associates up to speed on SiteLock’s products and services, which evolved into becoming a security communicator of sorts and got me nominated to attend several industry conferences. I’ve always had a passion for teaching, and acquired a passion for WordPress during my time in the hosting industry. It felt very natural for me to put the two together.
What is the difference between SiteLock customers’ mindset if they are proactive about their security or if they come to you with an infected website?
The proactive customer is typically more informed about the state of internet security, and may be familiar with modern security technologies. When a customer is proactive about security, evaluating risk and the best route to provide the highest level of security can be a more composed process for the customer, where the only deadline is for the launch of the website.
Often when a customer is initiating contact after becoming a victim of malware, they are understandably upset and often losing money from the associated downtime, especially in the case of eCommerce websites. Fortunately, when using SiteLock SMART™ (Secure Malware Alert & Removal Tool), over 99 percent of infected websites can be cleaned within a matter of minutes after configuring the scanner. This puts even the most distraught malware victim at ease.
What makes SiteLock security better than the other options available and who would you recommend it to?
In terms of “killer features,” there’s a lengthy list. For example, SiteLock is the only security vendor in the industry that provides automatic malware removal, which helps to provide industry-leading resolution times for malware cases. SiteLock TrueSpeed™ global content delivery network (CDN), which powers SiteLock TrueShield™ web application firewall, consists of 30 data centers providing a network capacity of over 2Tbps, producing unrivaled performance in the WordPress space. SiteLock also provides 24/7/365 US-based phone support to all of our customers. We have solutions for websites that service practically every industry, and we’re able to scale services to any size website from the mom and pop shops, to the Fortune 500 businesses.
You have worked in incident response, disaster recovery, trend analysis, vulnerability analysis, malware cataloging and removal among other things. Tell us an interesting story about a security issue that stuck with you.
The case that stands out most in my memory was from a global non-profit organization’s website that had been infected by a particularly clever malware apparatus. The breach appeared to be a rather run-of-the-mill infection using a new incarnation of a recent malware strain that pieced together and executed obfuscated code that had been broken apart into variables that were named after words from an English dictionary. After performing the first pass and cleaning the evident malware, the case appeared to be an easy resolution.
However, during a second quality assurance pass, the malware had been found in different locations and in completely new iterations. This was the first time I’d witnessed a true functional “hydra”-type infection, where like the mythological creature, removing one “head,” simply resulted in the production of two more. After attempting various remediation methods with only moderate success, I called on the help of a senior engineer.
Through our collaboration, a brand new internal tool was crafted to combat this malware and the hacker behind it in real-time, ultimately resolving the case hours ahead of the customer’s expectations. We dubbed the tool “Geneva” after the Geneva Conventions, because we felt it was especially tasteless and wrong to target this non-profit which actually disrupted their global humanitarian efforts. A violation of the rules of war, so to speak.
What would you say the top reasons are for hacking a website, and what type of websites are more vulnerable to attacks?
The dominant motivation for large-scale compromises is still clearly financial gain.
One example is a “pharmahack,” where malware incursions are funded by illegal online pharmacies. A small bounty may be offered to advertise or redirect traffic to these rogue pharmacies. Hackers gain larger payouts by infecting a larger number of innocent websites. The broadest trend in vulnerabilities in terms of numbers is still folks that simply aren’t updating their software. For example, we often see trends erupt when a new vulnerability is discovered in an older version of a web platform like WordPress, where a multitude of users are neglecting to stay on top of patches. The second largest group are those that have misconfigured software, like installing a web service to a server and not adjusting the settings appropriately for a public environment. In both cases, educating the public is the best way to address the problem.
What are the first signs of malware, and where to look for it in your website?
The first signs I usually tell people to look for are changes in the behavior of the website.
This could be changed content or the text in search engine results; however, many types of malware are designed not to be discovered so they often don’t exhibit symptoms. The location and behavior of malware can vary across a vast spectrum. The most practical and effective approach is to employ the use of automated systems to monitor your website through both internal and external scanning methods to look for malware.
People often think that paying for a security solution monthly can be too expensive, but surely a data breach or malware attack is far more expensive, not to mention stressful?
In short, yes, a breach is almost guaranteed to cost far more than simply implementing proper security mechanisms in the first place, even when credit card information isn’t compromised. There are really two things I like to drive home when we’re talking about a security budget.
First, that security is not an elective. Proper security is absolutely a requirement. In many cases this requirement is more resolute, taking the form of regulatory controls such as the Payment Card Industry’s Data Security Standards (PCI DSS) or legislation such as the Federal Trade Commission (FTC) Act in the United States. Requirements will depend on your business type.
The second is that good security does not have to be expensive. What you’re looking at is a trade-off between time and money, like any part of a business. Say the starter on your car needs replacement: you could either pay a professional to acquire the new part and install it for you, or purchase and install the part yourself for some savings. However, you’ll need to first educate yourself on the process of how to properly install the part before executing the process. Much like the car, your ability to perform certain tasks on your website in terms of security will be limited by your scope of knowledge and the time you have available. Whether you’re a do-it-yourselfer or a hands-off consumer, SiteLock offers affordable solutions to fit your needs.
You recently spoke at WCFAY about security, how did it go and what are the key takeaways?
It went really well! Thank you for asking. My big takeaway was that there are still a lot of US conferences that may not have had the benefit of a security-focused talk or workshop and thirst for that expertise. I took this back to our team and we’ve decided to put a greater focus on offering security workshops to camps to inform WordPress beginners on security best practices.
How do you plan to develop yourself in the field of security further?
One of my favorite aspects of the security field is that the landscape changes so frequently. Trends can change so dramatically from week to week that you have no choice but to analyze the data and research the latest ways hackers are making moves. It’s a constant arms race that helps keep you humble about your knowledge and pushes you further into researching how to stay ahead. Some of my longer-term goals include acquiring additional security-specific certifications which I’ve been studying for, and bringing that knowledge back to our team in the form of internal training and in talks at upcoming WordCamps.
If you could throw a parade of any caliber through the SiteLock office, what type of parade would it be?
I don’t want to spoil any surprises, but SiteLock has an anniversary around the corner, and I’m thinking giant elephants and 100-foot parade balloons that will put Macy’s to shame. I haven’t yet put together exactly how this will work under our 12-foot drop ceilings, but I’m not opposed to installing a retractable roof in the spirit of Phoenix’s Chase Field to get it done. After all, we’re problem solvers here at SiteLock.
Logan, I like your idea with the giant elephants so much, I thought I would help you out with your parade and I asked our designer to come up with a stylish SiteLock design for your elephant. Hope you like it!