… am I getting them all? Video, reviews, and testimonials.
Linda: I got it, but today-
Charles: A star.
Linda: … We’re here to talk about websites, which in our opinion is the foundation of your online presence, your digital marketing, and we have the pleasure to be talking to Dre Armeda, so thank you so much, and I’m going to let Charles do a brief introduction.
Charles: We are talking about websites today, but more importantly, we’re talking about the security of websites-
Charles: Because in the last 18 months, we personally have seen a tremendous increase in malicious website activity, and look, let’s be clear, neither one of us are the experts, we’ve seen it, but we’re talking again to Dre Armeda, co-founder of Sucuri. If you don’t know how these folks are, Sucuri, Sucuri.net. Go look them up, start reading some of the articles, because again, I’m telling you right now, if you don’t have security on your website regardless of what it is, you’re running a big risk, and it’s only a matter of time. It’s kind of like the motorcycle riders.
If you’re a website owner, you’re a person who either has been down because of some malicious activity or is going to be going down because of some malicious website activity. With that, let me just tell you a little bit about Dre. First of all, we met Dre at this crazy conference, WordCamp Orange County, and-
Linda: We didn’t steal that by the way.
Charles: Oh, we didn’t?
Charles: No. We didn’t. We didn’t. We didn’t. Penelope gave that to us or somebody. Patricia-
Charles: Priscilla. That’s right. Love Priscilla by the way, but anyway, so we’re walking through the hallway, and there’s, it’s just like anytime else, we’ve talked about it before. You know when you see someone and the way they carry themselves, the way that they talk, there’s an air, there’s a confidence, this was Dre, and just let me tell you a little bit about Dre. First of all, Navy Vet for 12 years. Thank you for your service, my friend. In the Navy, this is where it becomes a little bit weird, he fell in love with security and making stuff for the web back in the 1990s, so you were an early adopter of the online marketing web-geek mentality that we’ve now so come to love and embrace, so you were way ahead of us. He just went through a successful acquisition with GoDaddy earlier this year, and we were talking offline, he kept all of his employees, so that is an amazing tribute just to what you’ve done and what you’ve built.
Dre now heads the business development for Sucuri as part of the security business unit at GoDaddy, and I’m telling you, we’ve for the last six months have been running tests side-by-side, Sucuri and three or four others that will remain nameless right now, and we’ve had this conversation that our experience, Sucuri is the first one notify us and the first one to fix the issues when we’ve seen them, so there’s our vote for Sucuri.
Look, so after the Navy, and I’m looking at my sheet, everyone knows, Dre held various executive leadership positions in the tech startup world, including companies such as Applied Watch Technologies, Secure-I Inc., WebDevStudios, and if you know Dre, you know he loves to chat and speak about various events every year about security in business, which is why we are so thankful that he jumped online with us today. Look, Dre’s not just some guy who was out there tinkering around and figuring some stuff out. Dre is actually a Certified Information System Security Professional. Is that a CISSP?
Dre Armeda: Sure is.
Charles: He also earned a Bachelor’s of Science in Management from the University of Phoenix. He holds various technical military training certifications, and look, this is what really is intriguing about Dre, on his off time, because he just has so much of it, right? I mean you don’t do anything anymore. You just lay around and collect those check, but you’ll find Dre, and this is what I appreciate, Dre first, he’s got his priorities together, because the first place you’ll find him is hanging out with his five daughters or on the mat practicing some Brazilian Jiu-Jitsu, and I’m intrigued by that, probably never going to roll, because I’ve seen those guys, and I’ll just stick to working out.
Linda: He’s a purple belt.
Charles: Oh, yeah, and a purple belt, an accomplished purple belt. Oh, and this is again with the Carlson Gracie Team in Menifee, so this isn’t just some fly-by-night, unknown, BJJ team, he’s working with some of the greats that are out there, or if he’s not doing any of that stuff, you’ll find this guy in his crazy Jeep, we need a picture of the Jeep, crawling rocks all over Southern California or up in Big Bear, wherever he’s at. Then, sometimes, this is what I really get, and I won’t hold this against you, he’s just eating tacos, hanging out watching the Angels or the Chargers, and that’s, my friend, you will have to suffer the rebuke on that from all the folks who have all the other teams, but other than that, Dre, welcome to our show today, man.
Dre Armeda: Thanks for having me. I got to say, in my defense, the Chargers, and the Angels, since I was a kid, I’ve learned to live with disappointment, so things are what they are. We’re in a good place, we’ve accepted it, and we move on, right?
Linda: That’s right.
Charles: I think it’s one of those things that makes you stronger, right?
Dre Armeda: That’s it.
Charles: In any situation.
Dre Armeda: Yep.
Charles: I won’t even tell you who our teams are because they don’t even rank, so we’ll just leave it right there.
Dre Armeda: Well, I appreciate you having me. Thanks for setting this up. I’m excited to chat with you guys.
Charles: Absolutely, and so look, because we’ve been talking about again, in the last 18 months, we have seen a significant increase of website attacks. One of our bigger customers actually spent one day, 10 hours of just brute force attacks. Hundreds of attempts per hour, it was mind-boggling, and that was really what sparked our interest into if that’s going on, I’m sure that’s just the tip of the iceberg. What was really going on deep? Because of that, we started looking at ways to protect our own online properties as well as a lot of our customers, and we found Sucuri, oh, jeez, over a year or so ago, didn’t know who Dre was, but the bottom line is we evaluated and compared the services. Took a leap of faith unfortunately at that time, and I call it a leap of faith because you just never know what you’re getting, but, man, the customer service, the just keeping the site safe has been top notch, and so that’s why we had this call today.
Charles: I just got a question, Dre. What are you seeing out there right now? What’s going on in your world in terms of website security?
Dre Armeda: That’s a good question, but the answer’s very broad, because I think it’s really based on the mechanics that you implement on a site as a site owner, and the security controls that you implement. Look, we know as a fact that over 90% of all of the attacks out there that we see, whether that’s brute force attacks, DDOS attacks, drive-by downloads, all the fun stuff that gets injected into websites is automated, one, and two, it’s opportunistic. It’s not really a targeted attack. People go, “Hey. They’re looking at my cupcake company. It’s a competitor trying to take my stuff.” No, that’s not typically the case. Certainly, it happens, and you see that in a lot of these larger cases that you see in the media.
For the most part, the majority is opportunistic attacks that are automated, so we’re talking about scanners out there looking for known vulnerabilities or passwords, terrible access control management, and they use automated scripts to come in there and inject this bad stuff or commandeer the site and have some type of command and control, so later on when it’s time for them to attack something that’s of higher value to them, they have all these websites that are out there that are under their control. They can now use those to implement their attack tactics at a larger scale, and that’s where you see a lot of these large DDOS attacks and DDOS being Denial of Service or Distributed Denial of Service, and the idea there is to inundate a site in such capacity that the site is no longer available.
That’s one of the legs of security. We want to make sure the confidentiality is taken care of, right? The integrity of the site and the data, all of the stuff within that environment, but also the availability, and if any of those pieces of that triad go away, we’ve got a problem, right? We’ve got a security incident that we need to take a look at. That with a higher influx of phishing attacks, which again use injection ports or very similar, so if you’re using password as a password, which, yes, active today at 17 is one of the highest used passwords. We’ve seen with the recent attacks with our favorite credit service, some of their executives were literally using password as a password, and they were infiltrated, and all of us are at risk now, right?
You see phishing attacks, that’s one that we see a high influx of, so what that means is all of a sudden you’re getting an email from your favorite bank. You think it’s legitimate, but it’s probably not. You click the link, it takes you to a site that looks legitimate. They kind of obfuscate the way that the URL or the main structure looks, and you might think that it’s real, you start to put all of your information in there, next thing you know, you’ve got all your credit card info, your Social Security number, and it’s been sent to a server off in Russia or name your culprit, and you’ve been owned, so that’s a big attack type that we’ve seen.
Certainly, the availability attacks that we’ve seen with DDOS, brute force attacks, people coming in and trying to enumerate and figure out your password, so they can come in take some type of administrative control of your panels or whatever software you’re using online, and again, it just really depends on how you’re taking care of your security on your site. What controls are you implementing? How are you reducing risk? They don’t care, right? They all have some type of financial reason to be attacking you, but again, they’re mostly automated. They don’t really care that you’re selling cupcakes. Cupcakes are awesome, we all love them, but it doesn’t really matter, right?
It just really varies. It’s challenging to give you a kind of pinpoint we see attacks, and if you head over to Blog.Sucuri.net, we post all of the stuff that we’re seeing, right? As a big attack happens, we’re notifying folks certainly through responsible to disclosures to these folks when we figure out some type of solution for them. We want to make sure that we’re reporting bugs to major software folks out there. We’ve done it with WordPress over the years, where last year, there was a big attack on the REST API for WordPress. We worked with the WordPress security team to figure out what that was, built up proof of concept, and then from there, helped them patch that to the millions of people, being that it now commandeers 25% of the internet, we want to make sure that that’s done in a responsible way and not adding to the issues or the risk.
Again, it just varies. There’s a lot of things leading to these attacks. I can’t really pinpoint I’d say right now in the total threat scape one thing attributing to an increase or a decrease, because it’s so variable, right? It might be something that you’re seeing a big attack or an increase in attacks in let’s say the environments that you’re involved with and the customer base that you’re involved with, because that might be through automation some level of higher targeting versus others, depending on how those algorithms are set, but I don’t know as a threat scape across the globe at any given time, I mean it’s pretty steady. There hasn’t been a huge outbreak I’d say in the last year, but it’s just this kind of roller coaster of attacks that are just constant, just constant.
Charles: You know, good point.
Dre Armeda: That’s my caffeinated version.