COPYRIGHT 2018 © CYBER GATES
SAMVEL GEVORGYAN
CEO, CYBER GATES
Ph.D. in Information Systems and Cybersecurity
CONTENT MANAGEMENT SYSTEM SECURITY
WEBSITE ATTACK STATISTICS
WWW.CYBERGATES.ORG
Attacks around the world
• Nearly 2 billion active websites (Netcraft reports)
• Nearly 1 million hacked websites per year (Zone-H reports)
Attacks in Armenia
• Over 4K hacked websites since 2011
• Top attacks by month: Jan 2011 (379), Jul 2012 (364), Feb 2013 (275), Feb 2014 (359), Apr 2015 (129), Dec 2016 (188)
CMS MARKET SHARES
• WordPress: 60.0%
• Joomla: 5.8%
• Drupal: 3.8%
• Squarespace: 2.5%
• Shopify: 2.4%
• Magento: 2.0%
• Wix: 1.7%
• Blogger: 1.7%
• Other: 20.1%
Source: https://w3techs.com/technologies/overview/content_management/all
CMS vulnerability statistics
• Nearly 30% of all websites run on WordPress (WebsiteSetup reports)
• WordPress controls nearly 60% of the CMS market (W3Techs reports)
• Over 40K WordPress websites in the Alexa Top 1 Million are vulnerable (WP White Security reports)
TARGET WEBSITES OF MASS ATTACKS
Top 5 categories
• Websites that use the same CMS (WordPress, Joomla, etc.)
• Websites built by the same developer(s)
• Websites that use the same technology, library or component
• Websites served by the same hosting provider
• Websites of agencies/companies working in the same industry
TARGET WEBSITES OF TARGETED ATTACKS
Top 5 categories
• Online banks and financial institutions
• Cloud services (Dropbox, Gmail, iCloud, etc.)
• Government agencies, hospitals
• Hosting and Internet Service Providers (ISPs)
• Popular CMS solutions, or small outdated websites that are easy to hack
TRADITIONAL CMS ARCHITECTURE
IS MY CMS SECURE?
Frequently asked questions
• Is your CMS team taking cyber security seriously?
• What is the average time to resolve vulnerabilities?
• Who developed the CMS component(s) you use?
Why CMS security matters
• New vulnerabilities and issues emerge all the time
• Popular CMS solutions are an attractive target for hackers
• CMS updates often reveal vulnerabilities in previous versions in the changelog, exposing websites that are not automatically updated
• The more you add to your CMS installation, the higher the risk of your site becoming vulnerable
UPDATES REVEAL VULNERABILITIES?
Drupal 7.x changelog
• Drupal 7.59, 2018-04-25
  - Fixed security issues (remote code execution). See SA-CORE-2018-004.
• Drupal 7.58, 2018-03-28
  - Fixed security issues (remote code execution). See SA-CORE-2018-002.
• Drupal 7.57, 2018-02-21
  - Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001.
• Drupal 7.56, 2017-06-21
  - Fixed security issues (access bypass). See SA-CORE-2017-003.
Source: https://api.drupal.org/api/drupal/CHANGELOG.txt/7.x
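The changelog excerpt above is machine-readable, which is exactly why it exposes sites that lag behind. As an added example (not code from the slides or from Drupal), the following Python parses entries in that format and reports which security advisories an installed Drupal 7 version is missing and for how many days the fix has been public; the sample text is the slide's excerpt, and the function names are my own.

```python
"""Parse Drupal 7.x-style CHANGELOG entries and report which security fixes
an installed version lacks. Added example: the excerpt below is the slide's
changelog text; the parsing and comparison code is not Drupal's own."""
import re
from datetime import date
from typing import List, NamedTuple, Tuple

# Changelog excerpt as quoted on the slide (real Drupal changelogs also put a
# row of dashes under each version line; such lines match neither pattern).
CHANGELOG = """\
Drupal 7.59, 2018-04-25
- Fixed security issues (remote code execution). See SA-CORE-2018-004.

Drupal 7.58, 2018-03-28
- Fixed security issues (remote code execution). See SA-CORE-2018-002.

Drupal 7.57, 2018-02-21
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001.

Drupal 7.56, 2017-06-21
- Fixed security issues (access bypass). See SA-CORE-2017-003.
"""

RELEASE_RE = re.compile(r"^Drupal (\d+(?:\.\d+)+), (\d{4}-\d{2}-\d{2})\s*$")
SECURITY_RE = re.compile(
    r"^- Fixed (?:a )?security issues? \(([^)]*)\)\.\s+See (SA-[A-Z]+-\d{4}-\d{3})\.")


class SecurityFix(NamedTuple):
    version: Tuple[int, ...]   # numeric tuple, so 7.10 sorts after 7.9
    release: str               # version string as printed in the changelog
    released: date
    issue: str                 # e.g. "remote code execution"
    advisory: str              # e.g. "SA-CORE-2018-004"


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def parse_changelog(text: str) -> List[SecurityFix]:
    """Walk the changelog; every security line belongs to the release above it."""
    fixes: List[SecurityFix] = []
    release = None
    for line in text.splitlines():
        m = RELEASE_RE.match(line)
        if m:
            release = (parse_version(m.group(1)), m.group(1),
                       date.fromisoformat(m.group(2)))
            continue
        m = SECURITY_RE.match(line)
        if m and release is not None:
            fixes.append(SecurityFix(*release, m.group(1), m.group(2)))
    return fixes


def missing_fixes(installed: str, text: str = CHANGELOG) -> List[SecurityFix]:
    """Security fixes shipped in releases newer than the installed one, oldest first."""
    current = parse_version(installed)
    return sorted((f for f in parse_changelog(text) if f.version > current),
                  key=lambda f: f.version)


def exposure_days(installed: str, as_of: str, text: str = CHANGELOG) -> int:
    """Days since the oldest unapplied security release went public, i.e. how long
    the changelog has been advertising a known hole in this installation."""
    missing = missing_fixes(installed, text)
    return (date.fromisoformat(as_of) - missing[0].released).days if missing else 0


if __name__ == "__main__":
    for fix in missing_fixes("7.57"):
        print(f"{fix.release} ({fix.released}): {fix.advisory} - {fix.issue}")
    print("days exposed:", exposure_days("7.57", "2018-05-28"))
```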
INCIDENT AND VULNERABILITY FACTS
• The average number of serious vulnerabilities per website is 56
• Serious vulnerabilities are resolved in an average of 193 days from first notification
• 43% of cyber attacks target small businesses
• 30% of SMEs lack an incident response plan
• 68% of funds lost as a result of a cyber attack were declared unrecoverable
• 60% of small businesses close their doors within 6 months after a serious cyber attack
DRUPAL VULNERABILITIES
“Ukrainian Energy Ministry site downed in Drupal ransomware attack at the end of April 2018.”
“Drupalgeddon2 is a highly critical remote code execution bug affecting most Drupal sites which was disclosed at the end of March 2018.”
“Two months later, over 115,000 Drupal sites still vulnerable to Drupalgeddon 2.”
JOOMLA! VULNERABILITIES
“Attackers can leverage the Joomla security hole to compromise servers and use them for hosting malware and other malicious activities. They can also sell access to the targeted servers on the underground market, allowing others to abuse them for distributed denial-of-service (DDoS) attacks.”
“In January 2016, Symantec detected up to 20,000 daily attempts to exploit a recently patched Joomla vulnerability that can be leveraged for remote code execution.”
WHAT YOUR SOURCE CODE LOOKS LIKE
WHAT YOUR WEBPAGE LOOKS LIKE
COMMON BUSINESS THREATS
HOW TO SECURE YOUR CMS?
Common rules
• Choose your CMS with both functionality and security in mind
• Update with urgency
• Use strong passwords (admin dashboard access, database users, etc.)
• Have a firewall in place (to detect or block suspicious requests)
• Keep track of changes to your site and its source code
• Give user permissions (and their levels of access) a lot of thought
• Limit the file types you allow to non-executables and monitor them closely
• Back up your CMS (daily backups of your files and databases)
• Uninstall plugins you do not use or trust
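Two of the rules above, tracking changes to your site's source code and keeping executables out of the file area, can be checked mechanically. The following Python is an added example (not from the slides or from any CMS project): it baselines a document root by SHA-256, reports files added, removed or changed since, and audits an upload directory for disguised scripts; the directory layout, file names and the extension list are constructed for the demo.

```python
"""Baseline-and-diff integrity check for a CMS document root, plus an audit of
the upload directory for files that should never be there. Added example:
the directory layout and file contents are constructed in a temp dir."""
import hashlib
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Extensions a web server might execute if they land in an upload folder
# (constructed starting list; extend it for the server and CMS you run).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl",
                     ".py", ".sh", ".jsp", ".asp", ".aspx"}
PHP_TAGS = (b"<?php", b"<?=")


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files added, removed or modified since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
    }


def audit_uploads(upload_dir: Path) -> List[Tuple[str, str]]:
    """Flag upload files that carry a script extension anywhere in the name
    (photo.jpg.php, shell.php.jpg), have an execute bit, or contain a PHP open tag."""
    findings = []
    for p in upload_dir.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(upload_dir).as_posix()
        if any(s.lower() in SCRIPT_EXTENSIONS for s in p.suffixes):
            findings.append((rel, "script extension"))
        if p.stat().st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append((rel, "execute bit set"))
        if any(tag in p.read_bytes()[:4096] for tag in PHP_TAGS):
            findings.append((rel, "PHP open tag in content"))
    return sorted(findings)


def demo() -> dict:
    """Build a small CMS tree, baseline it, then simulate a tampered core file,
    an unexpected new file and a disguised upload; return what the checks report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = root / "sites" / "default" / "files"   # constructed upload dir
        (root / "includes").mkdir()
        files.mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'includes/bootstrap.inc';\n")
        (root / "includes" / "bootstrap.inc").write_text("<?php // core bootstrap\n")
        (files / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        (files / "logo.png").chmod(0o644)
        baseline = build_baseline(root)

        # Simulated compromise after the baseline was taken
        (root / "includes" / "bootstrap.inc").write_text(
            "<?php // core bootstrap\n// line injected after deployment\n")
        (root / "cache.php").write_text("<?php // file nobody deployed\n")
        disguised = files / "photo.jpg.php"
        disguised.write_text("<?php // a script, not an image\n")
        disguised.chmod(0o755)

        return {"diff": diff_against_baseline(root, baseline),
                "uploads": audit_uploads(files)}


if __name__ == "__main__":
    report = demo()
    for kind, paths in report["diff"].items():
        print(f"{kind}: {paths}")
    for name, reason in report["uploads"]:
        print(f"upload finding: {name}: {reason}")
```

In production the baseline would be written to storage the web server cannot modify and the diff run from a cron job or CI step, so a changed core file raises an alert instead of waiting to be noticed in the page source.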
IS YOUR BUSINESS IN COMPLIANCE?
PROJECT URL
https://websecurity.pro
https://onlineservices.cybergates.org/en/websecurity
