The Internet is a wild place… there’re hundreds of attacks targeting our sites and applications each day. We’ve learned a lot in the area of cybersecurity, and would love to share our knowledge with the community. We’ll cover the following topics with practical examples and documentations: Firewall is a must! (Must be installed, enabled, and properly configured.) Basic Linux operating system security, including two-factor authentication Apache web server security, enhanced logging and reporting MySQL Database security and SQL injection prevention Use SFTP and SSH instead of regular FTP Always write code with security in mind Really effective security plugins for Drupal and WordPress This talk was given at TechKnowFile 2017 - University of Toronto's annual information technology conference for its 8000+ staff and faculties. For more information, please visit: https://tkf.utoronto.ca/?session=tutorial-on-protecting-your-websites-and-applications-from-cyber-attacks-by-sam-xu

1. Protect your websites from
cyber attacks
April 27, 2017

3. Overview
Security plugins for Drupal and
Wordpress
Write code with security in mind
Firewall
Operating system security
Web stack security
Protect your user/client
Questions and Answer

4. State of Cybersecurity
The completely secure system doesn’t exist
Balance between security and convenience

5. State of Cybersecurity

6. Really effective
security plugins
for Drupal and
WordPress
Drupal
Security Module
https://www.drupal.org/project/se
curity
WordPress
Wordfence
https://www.wordfence.com

7. Demo

8. Always write code with
security in mind

9. Bad Example:
Uoft.me
alumni.utoronto.ca/?redir=http://
uoftimpactsurvey.ca

10. ● Use both front-end and back-end
input validation
● Always sanitize and escape user
input (mysqli_real_escape_string)
● Always escape the output

11. Firewall
Must install a firewall
Enable it and properly configure
it.
Allow all IPs to access certain
ports (80, 443)
Allow certain IPs to access
specific ports (22)

13. Operating
System
security
Two-factor authentication
Use SSH and SFTP instead of
regular FTP
Use regular user accounts
Keep your OS up-to-date
Install security patches
Edit /etc/hosts.allow file

15. Web stack
security
Web Server
Check config settings
Enable access log and error log
Back up log files
Force HTTPS
SQL Database
Prevent SQL injection
do not allow user input to be used in
creating your SQL query

17. Protect your
end-users /
clients
Protect your end-users also
protects you
Encrypt the connections between
you and your user
Encrypt cookies, session
variables, local storage, etc
Make sure your app / site is
standard compliant

18. Secure OS Secure DB
Web
server
Secure
code
Firewall

20. Resources
WordPress
● WPScan Vulnerability Database: https://wpvulndb.com/
● National Vulnerability Database: https://nvd.nist.gov/home
● Wordfence: https://www.wordfence.com/
Drupal
● Make sure your contrib / core is up-to-date
● Seckit: https://www.drupal.org/project/seckit
● Security Review: https://www.drupal.org/project/security_review
● Security Advisories: https://www.drupal.org/security
● Cybersecurity Best Practices: https://www.cisecurity.org/cybersecurity-best-practices/
● Center for Internet Security: https://www.cisecurity.org/
● Ubuntu Server Benchmark:
https://benchmarks.cisecurity.org/tools2/linux/CIS_Ubuntu_14.04_LTS_Server_Benchmark_v1.0.0.pdf

21. Questions?