Imperva Incapsula, profile picture
Uploaded byImperva Incapsula
1,112 views

Joomla Security Simplified —  Seven Easy Steps For a More Secure Website

This document outlines seven steps website owners can take to improve the security of their Joomla websites. It begins by discussing recent major security breaches in 2014 like Heartbleed and botnets. It then details the seven steps which are: 1) regularly updating software, 2) implementing strong passwords, 3) multi-factor authentication, 4) using a web application firewall, 5) identifying and blocking bad bots, 6) implementing DDoS mitigation, and 7) using a secure hosting environment. It emphasizes the importance of these steps given the prevalence of vulnerabilities and how automated tools can exploit known issues.

Embed presentation

Presented by: Orion Cassetto, Sr. Product Marketing Manager, Incapsula Joomla Security Simplified — Seven Easy Steps For a More Secure Website
What’s with the ‘Stache? Movember. Of Course! (http://mobro.co/orioncassetto) Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.2 ?
Mustache Aspirations Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.3
Overview • Recent web security events and major security threats • Seven easy steps for a more secure website • Automated tools to secure and improve performance on Joomla sites Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.4
Major Hacks of 2014 2014 has several enormous data breaches from hackers including:
Heartbleed – the Epic SSL Crisis of 2014 • Heartbleed is a security bug that was disclosed in April of 2014 • It was present in the widely used Open SSL Cryptography • When disclosed, around 17% of the Internet's secure web servers was vulnerable • Why do I care? > The vulnerability allowed for the theft of the servers' private keys and users' session cookies and passwords “Some might argue that [Heartbleed] is the worst vulnerability found since commercial traffic began to flow on the Internet.” Joseph Steinberg – Forbes Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.6
Semalt Hijacks Hundreds of Thousands of Computers for Referrer Spam What is it? 1. Semalt is a Ukrainian search engine optimization (SEO) “company” 2. They used malware to hijack computers and create a giant botnet 3. This Botnet visits sites across the internet with fake referral sources What damage could this cause your website? • Long term SEO Damage to your website’s rankings • Complete search engine result page blacklisting and removal Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.7
Distributed Denial Of Service (DDoS) Attacks • DDoS attack are attacks where many infected computers band together to attack a single target • These attacks exhaust network connections and server resources causing website outages Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.8
Seven easy steps for a more secure website Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.9
Websites Have Many Vulnerabilities 96% of web applications have vulnerabilities 96% WEB APP Sources: Cenzic, Inc. – Feb. 2014, Incapsula, Inc. –2013 13% of websites can be compromised automatically 13%
Known Vulnerabilities are Common and Easy to Find • When a new Joomla version is released, vulnerability details of the prior version are released • Older versions are thus easier to attack • Automated tools can be created to identify and attack these versions Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.11
Security Step #1 - Regularly Update EVERYTHING All Software should be updated Regularly including. Create a regular schedule to update patches for: • Joomla • Extensions • Web servers
Tips for Keeping Joomla Updated • Be careful what you download > Never download or install Joomla from any website other than http://Joomla.org. Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.13
• More extensions on your Joomla site means more software to keep up to date • Include patches in your update schedule • Use trusted vendors. Each vendor has its own > Security Controls > SDLC > Code Quality Don’t Forget to Update Extensions Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.14
Other Software is Potentially Vulnerable too • Run stable, secure versions of web servers • Avoid Default Anything (particularly database tables) > Make sure your Database is as secure as possible > Consider changing your “table_prefix” from the default “jos_” • Update SSL certs after Heartbleed (if necessary) • Update firewall signatures • Update anti-virus signatures Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.15
Use of Stolen Credentials Reigns Supreme • Use of stolen authentication credentials by hackers is the number one threat of 2013 • Once stolen hackers can use credentials at other websites to increase the impact of a breach • Automated tools combined with stolen password lists become a dangerous combination Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.16 Sources: Verizon Data Breach Report 2014
Security Step #2 - Implement Password Security • Avoid Default UN/Passwords • Implement Strong Passwords > Goal: Hard to Guess / Hard to brute Force attack > Include – MiXed CASe > Include – NuMB3rS > Include – SP3C!4LCh@R$ > Use a password phrase – BowTies 4r3 Co0l! • Use different passwords for different sites • Change your password periodically • Consider using a password management tool Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.17
Security Step #3 - Implement Multi-factor Authentication Problem • Lost or stolen passwords allow hackers to bypass your security measure Solution • Secure Admin areas with multi-factor authentication > Email > SMS > Google Authenticator > Other Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.18
Security Step #4 – Use a Web Application Firewall (WAF) 80~96% of all websites have high risk vulnerabilities 13% of websites can be compromised automatically Most wide spread vulnerabilities are • Cross-site Scripting • SQL Injection • Information Leakage • HTTP Response Splitting Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.19 Sources: WASC - http://projects.webappsec.org/w/page/13246989/Web%20Application%20Security%20Statistics
SQL Injection – What it is and why it matters • What is SQL Injection? > SQL Injection attacks attempt to use application code to access or corrupt database content > It is accomplished by embedding SQL statements in user supplied Data > Example: • What happens if a hacker exploits this vulnerability? > They can access your database and it’s data. • Basic Rule > If it is going into your database, clean it up first! Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.20 'OR “=” The application was expecting my name, but I entered an SQL Statement
Cross Site Scripting (XSS) – What it is and why it matters • What is XSS? > A type of attack in which hackers inject scripts (like JavaScript) into otherwise trusted websites • What happens if a hacker exploits an XSS vuln on my website? > Stolen cookies or sessions > Redirection to a malicious page • Basic Rule > If user supplied data is going into your application, clean it up first! Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.21 Attacker inserts malicious unfiltered code into an application1 User visits the web page and malicious code is returned with the web page 2 Attacker gains control over user data or system via injected exploit 3
Security Step #4 - Use a Web Application Firewall (WAF) • WAFs provide similar protection as traditional network layer firewall but for a web application • Using a WAF can protect website from application layer hacking attempts • WAFs should be used in conjunction with traditional firewalls Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.22
Automated Clients are the Majority of Web Traffic Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.23 Over 61%of all website traffic is non-human. 61.5% Non-Human Traffic 38.5% Human Traffic 1/2of that is malicious.
The Impact of Bots on Website Security • DDoS • Site Scraping • Comment Spam • SEO Spam • Fraud • Vulnerability scanning Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.24 • Search Engine Crawling • Website Health Monitoring • Vulnerability Scanning Good Bots Bad Bots
Site Scraping • Site Scraping is when a bot visits a website to copy or steal content • Usually done by reading and parsing web page source code Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.25 Your Site Their Site <!DOCTYPE <HTML> <HEAD> <TITLE>… Your Code Your Content
Bots and Comment Spam • What is Comment Spam > Posts in comment sections on websites allegedly linking to: - Steams of popular TV shows - Cheap Shoes - Designer bags, - Viagra, Cialis, etc. • How bots are involved > Bots are used to automatically find victim sites and insert spam posts • Why it matters > Comment spam is frequently responsible for - Worse user experiences - Lower website conversions (links usually exit your site) - Malware distribution (infecting your visitors)
Brute Force Attacks Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.27 Your Joomla Site
# 5 Identify and Block Bad Bots • Don’t rely on robots.txt • Implement a solution which can block bad bots to prevent > Comment Spam > Site Scraping > Vulnerability Scanning > Automated SEO Poisoning • Bot Mitigation can be > Standalone service or appliance > Part of other tools like a WAF Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.28
Security Step #6 Implement a DDoS mitigation Strategy • DDoS attacks make your website completely inaccessible Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.29 Legitimate Traffic Your Site Your Internet Connection • If website availability is important to you, then DDoS protection should be too • Any application without a DDoS mitigation strategy is at risk DDoS Traffic Your ISP
Defend against DDoS attacks • DDoS mitigation services are preferable to Mitigation Appliances • Overprovisioning bandwidth is expensive Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.30 Legitimate Traffic Your Site Your Internet Connection DDoS Traffic Your ISP DDoS Mitigation Appliance
DDoS Mitigation Requires Specialized Tools or Services • DDoS mitigation services are preferable to Mitigation Appliances • Overprovisioning bandwidth is expensive • DDoS attacks should be mitigated close to their source (away from your network) Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.31 Legitimate Traffic Your Site Your Internet Connection DDoS Traffic Your ISP DDoS Mitigation Service
Security Step #7 - Use a Secure Hosting Environment Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.32 Problem • If any site on a server is hacked, there's a chance that any other site on that same server could be vulnerable. Hacked Website Your Website Server
Security Step #7 - Use a Secure Hosting Environment Pick a Secure Hosting Provider that offers • Segregated environment (physically or logically) • Network layer firewalls • Vulnerability scanning > Infrastructure > Servers > Databases > Applications • Backup Services • Security Certification > SAS 70 Type II > SSAE 16 Type II Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.33
Bonus Security Step - Secure Your Personal Computers Don’t let your computer sabotage your security efforts with malware • Install antivirus and regularly update the signatures • Keep your personal computer’s OS, programs, and plug-ins updated • Use personal firewalls • Open sites with HTTPs whenever possible • Use secure FTP (SFTP) instead of FTP Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.34
Incapsula Helps Website Owners Solve Operational Problems PerformanceSecurity Availability Solving Top Operational Problems Delivered from the Cloud
Incapsula Application Delivery Cloud Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.36
Website Security and Performance in Minutes with a Simple DNS Change Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.37 By routing website traffic through the Incapsula network, malicious traffic is blocked, and legitimate traffic is accelerated. Incapsula Network Your Website Legitimate Traffic For a Free Trial of Incapsula visit us at www.Incapsula.com
Please send follow up questions to info@incapsula.com Twitter: @orionevolution Movember: mobro.co/orioncassetto Thank you

More Related Content

PPTX
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
byImperva Incapsula
 
PPTX
Understanding Web Bots and How They Hurt Your Business
byImperva Incapsula
 
PDF
Is the Cloud Going to Kill Traditional Application Delivery?
byImperva Incapsula
 
PPTX
A DevOps Guide to Web Application Security
byImperva Incapsula
 
PPTX
Incapsula: How to Increase SaaS Websites’ Uptime and Accelerate Performance
byImperva Incapsula
 
PDF
Migrating from Akamai to Incapsula: What You Need to Know
byImperva Incapsula
 
PDF
An Inside Look at a Sophisticated, Multi-vector DDoS Attack
byImperva
 
PDF
Naxsi, an open source WAF for Nginx
byPositive Hack Days
 
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
byImperva Incapsula
 
Understanding Web Bots and How They Hurt Your Business
byImperva Incapsula
 
Is the Cloud Going to Kill Traditional Application Delivery?
byImperva Incapsula
 
A DevOps Guide to Web Application Security
byImperva Incapsula
 
Incapsula: How to Increase SaaS Websites’ Uptime and Accelerate Performance
byImperva Incapsula
 
Migrating from Akamai to Incapsula: What You Need to Know
byImperva Incapsula
 
An Inside Look at a Sophisticated, Multi-vector DDoS Attack
byImperva
 
Naxsi, an open source WAF for Nginx
byPositive Hack Days
 

What's hot

PDF
Ground Zero Training- Metasploit For Web
byNipun Jaswal
 
PDF
Novinky F5
byMarketingArrowECS_CZ
 
PPT
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
byNipun Jaswal
 
PPTX
How to Reduce Latency with Cloudflare Argo Smart Routing
byCloudflare
 
PDF
OWASP ATL - Social Engineering Technical Controls Presentation
byOWASP Atlanta
 
PDF
CloudFlare vs Incapsula vs ModSecurity
byZero Science Lab
 
PPTX
Cyber ppt
bykarthik menon
 
PDF
Novinky F5 pro rok 2018
byMarketingArrowECS_CZ
 
PPTX
Automated Intrusion Detection and Response on AWS
by2nd Sight Lab
 
PPTX
Cybereason - behind the HackingTeam infection server
byAmit Serper
 
PPTX
Using a secured, cloud-delivered SD-WAN to transform your business network
byNetpluz Asia Pte Ltd
 
PDF
Basics of Meterpreter Evasion
byNipun Jaswal
 
PDF
Kona Web Application Firewall Overview - Akamai at RSA Conference 2013
byAkamai Technologies
 
PPTX
Evolution of WAF - Stop Worrying About Vulnerabilities
byBrian A. McHenry
 
PDF
F5 Web Application Security
byMarketingArrowECS_CZ
 
PDF
Breakout - Airheads Macau 2013 - ClearPass Access Management Basics
byAruba, a Hewlett Packard Enterprise company
 
PPTX
Introducing Savvius Vigil
bySavvius, Inc
 
PPTX
DevSecCon Tel Aviv 2018 - Serverless Security
byAvi Shulman
 
PDF
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
byCybereason
 
PPT
Benefits of web application firewalls
byEnclaveSecurity
 
Ground Zero Training- Metasploit For Web
byNipun Jaswal
 
Novinky F5
byMarketingArrowECS_CZ
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
byNipun Jaswal
 
How to Reduce Latency with Cloudflare Argo Smart Routing
byCloudflare
 
OWASP ATL - Social Engineering Technical Controls Presentation
byOWASP Atlanta
 
CloudFlare vs Incapsula vs ModSecurity
byZero Science Lab
 
Cyber ppt
bykarthik menon
 
Novinky F5 pro rok 2018
byMarketingArrowECS_CZ
 
Automated Intrusion Detection and Response on AWS
by2nd Sight Lab
 
Cybereason - behind the HackingTeam infection server
byAmit Serper
 
Using a secured, cloud-delivered SD-WAN to transform your business network
byNetpluz Asia Pte Ltd
 
Basics of Meterpreter Evasion
byNipun Jaswal
 
Kona Web Application Firewall Overview - Akamai at RSA Conference 2013
byAkamai Technologies
 
Evolution of WAF - Stop Worrying About Vulnerabilities
byBrian A. McHenry
 
F5 Web Application Security
byMarketingArrowECS_CZ
 
Breakout - Airheads Macau 2013 - ClearPass Access Management Basics
byAruba, a Hewlett Packard Enterprise company
 
Introducing Savvius Vigil
bySavvius, Inc
 
DevSecCon Tel Aviv 2018 - Serverless Security
byAvi Shulman
 
Avoiding Sophisticated Targeted Breach Critical Guidance Healthcare
byCybereason
 
Benefits of web application firewalls
byEnclaveSecurity
 

Similar to Joomla Security Simplified —  Seven Easy Steps For a More Secure Website

PDF
Joomla! security jday2015
bykriptonium
 
PPTX
Joomla! security jday2015
byShaiffulnizam Mohamad
 
PPSX
Web security
bykareem zock
 
PPTX
Keeping up with the Revolution in IT Security
byDistil Networks
 
PPTX
Thoughts on Defensive Development for Sitecore
byPINT Inc
 
PDF
Joomla Security Basics presented by Jeff Mendelson
byJeff Mendelson
 
PDF
WordPress security 101 - WP Turku Meetup 2.2.2017
byOtto Kekäläinen
 
PDF
How to Ensure You're Launching the Most Secure Website - Michael Tremante
byWP Engine
 
PPTX
Webinar - Tips and Tricks on Website Security
byStopTheHacker
 
PDF
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
PPTX
CSS 17: NYC - Protecting your Web Applications
byAlert Logic
 
PDF
8 Simple Ways to Hack Your Joomla
bySiteGround.com
 
PDF
Things that go bump on the web - Web Application Security
byChristian Heilmann
 
PDF
Protecting Against Web App Attacks
byAlert Logic
 
PDF
Tech Talent Meetup Hacking Security Event Recap
byDominic Vogel
 
PDF
Seravo.com: WordPress Security 101
bySeravo
 
PPTX
Word press security 101
byKojac801
 
PPTX
How to Secure your WordPress Website - WordCamp UK 2014
byPrimary Image Ltd
 
PDF
Keep Your SIte Secure
byMichele Butcher-Jones
 
PDF
Owasp top 10 2013
byEdouard de Lansalut
 
Joomla! security jday2015
bykriptonium
 
Joomla! security jday2015
byShaiffulnizam Mohamad
 
Web security
bykareem zock
 
Keeping up with the Revolution in IT Security
byDistil Networks
 
Thoughts on Defensive Development for Sitecore
byPINT Inc
 
Joomla Security Basics presented by Jeff Mendelson
byJeff Mendelson
 
WordPress security 101 - WP Turku Meetup 2.2.2017
byOtto Kekäläinen
 
How to Ensure You're Launching the Most Secure Website - Michael Tremante
byWP Engine
 
Webinar - Tips and Tricks on Website Security
byStopTheHacker
 
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
CSS 17: NYC - Protecting your Web Applications
byAlert Logic
 
8 Simple Ways to Hack Your Joomla
bySiteGround.com
 
Things that go bump on the web - Web Application Security
byChristian Heilmann
 
Protecting Against Web App Attacks
byAlert Logic
 
Tech Talent Meetup Hacking Security Event Recap
byDominic Vogel
 
Seravo.com: WordPress Security 101
bySeravo
 
Word press security 101
byKojac801
 
How to Secure your WordPress Website - WordCamp UK 2014
byPrimary Image Ltd
 
Keep Your SIte Secure
byMichele Butcher-Jones
 
Owasp top 10 2013
byEdouard de Lansalut
 

More from Imperva Incapsula

PPTX
D3TLV17- You have Incapsula...now what?
byImperva Incapsula
 
PPTX
D3TLV17- Keeping it Safe
byImperva Incapsula
 
PPTX
D3TLV17- The Incapsula WAF: Your Best Line of Denfense Against Application La...
byImperva Incapsula
 
PPTX
D3TLV17- Advanced DDoS Mitigation Techniques
byImperva Incapsula
 
PPTX
D3LDN17 - Recruiting the Browser
byImperva Incapsula
 
PPTX
D3LDN17 - A Pragmatists Guide to DDoS Mitigation
byImperva Incapsula
 
PPTX
D3LDN17 - Keynote
byImperva Incapsula
 
PPTX
D3NY17- Customizing Incapsula to Accommodate Single Sign-On
byImperva Incapsula
 
PPTX
D3NY17 - Migrating to the Cloud
byImperva Incapsula
 
PPTX
D3NY17- Using IncapRules to Customize Security
byImperva Incapsula
 
PPTX
D3SF17- Using Incap Rules to Customize Your Security and Access Control
byImperva Incapsula
 
PPTX
D3SF17- Boost Your Website Performance with Application Delivery Rules
byImperva Incapsula
 
PPTX
D3SF17- A Single Source of Truth for Security Issues- Pushing Siem Logs to Cl...
byImperva Incapsula
 
PPTX
D3SF17- Improving Our China Clients Performance
byImperva Incapsula
 
PPTX
D3SF17- Migrating to the Cloud 5- Years' Worth of Lessons Learned
byImperva Incapsula
 
PPTX
D3SF17 -Keynote - Staying Ahead of the Curve
byImperva Incapsula
 
PPTX
E-commerce Optimization: Using Load Balancing and CDN to Improve Website Perf...
byImperva Incapsula
 
PPTX
Protect Your Assets with Single IP DDoS Protection
byImperva Incapsula
 
PPT
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
byImperva Incapsula
 
PPTX
An Inside Look at a Sophisticated Multi-Vector DDoS Attack
byImperva Incapsula
 
D3TLV17- You have Incapsula...now what?
byImperva Incapsula
 
D3TLV17- Keeping it Safe
byImperva Incapsula
 
D3TLV17- The Incapsula WAF: Your Best Line of Denfense Against Application La...
byImperva Incapsula
 
D3TLV17- Advanced DDoS Mitigation Techniques
byImperva Incapsula
 
D3LDN17 - Recruiting the Browser
byImperva Incapsula
 
D3LDN17 - A Pragmatists Guide to DDoS Mitigation
byImperva Incapsula
 
D3LDN17 - Keynote
byImperva Incapsula
 
D3NY17- Customizing Incapsula to Accommodate Single Sign-On
byImperva Incapsula
 
D3NY17 - Migrating to the Cloud
byImperva Incapsula
 
D3NY17- Using IncapRules to Customize Security
byImperva Incapsula
 
D3SF17- Using Incap Rules to Customize Your Security and Access Control
byImperva Incapsula
 
D3SF17- Boost Your Website Performance with Application Delivery Rules
byImperva Incapsula
 
D3SF17- A Single Source of Truth for Security Issues- Pushing Siem Logs to Cl...
byImperva Incapsula
 
D3SF17- Improving Our China Clients Performance
byImperva Incapsula
 
D3SF17- Migrating to the Cloud 5- Years' Worth of Lessons Learned
byImperva Incapsula
 
D3SF17 -Keynote - Staying Ahead of the Curve
byImperva Incapsula
 
E-commerce Optimization: Using Load Balancing and CDN to Improve Website Perf...
byImperva Incapsula
 
Protect Your Assets with Single IP DDoS Protection
byImperva Incapsula
 
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
byImperva Incapsula
 
An Inside Look at a Sophisticated Multi-Vector DDoS Attack
byImperva Incapsula
 

Recently uploaded

PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
Workflow and decision Automation with Flowable
bychakib ch
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 

Joomla Security Simplified —  Seven Easy Steps For a More Secure Website

  • 1.
    Presented by: Orion Cassetto,Sr. Product Marketing Manager, Incapsula Joomla Security Simplified — Seven Easy Steps For a More Secure Website
  • 2.
    What’s with the‘Stache? Movember. Of Course! (http://mobro.co/orioncassetto) Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.2 ?
  • 3.
    Mustache Aspirations Incapsula, Inc./ Proprietary and Confidential. All Rights Reserved.3
  • 4.
    Overview • Recent websecurity events and major security threats • Seven easy steps for a more secure website • Automated tools to secure and improve performance on Joomla sites Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.4
  • 5.
    Major Hacks of2014 2014 has several enormous data breaches from hackers including:
  • 6.
    Heartbleed – theEpic SSL Crisis of 2014 • Heartbleed is a security bug that was disclosed in April of 2014 • It was present in the widely used Open SSL Cryptography • When disclosed, around 17% of the Internet's secure web servers was vulnerable • Why do I care? > The vulnerability allowed for the theft of the servers' private keys and users' session cookies and passwords “Some might argue that [Heartbleed] is the worst vulnerability found since commercial traffic began to flow on the Internet.” Joseph Steinberg – Forbes Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.6
  • 7.
    Semalt Hijacks Hundredsof Thousands of Computers for Referrer Spam What is it? 1. Semalt is a Ukrainian search engine optimization (SEO) “company” 2. They used malware to hijack computers and create a giant botnet 3. This Botnet visits sites across the internet with fake referral sources What damage could this cause your website? • Long term SEO Damage to your website’s rankings • Complete search engine result page blacklisting and removal Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.7
  • 8.
    Distributed Denial OfService (DDoS) Attacks • DDoS attack are attacks where many infected computers band together to attack a single target • These attacks exhaust network connections and server resources causing website outages Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.8
  • 9.
    Seven easy stepsfor a more secure website Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.9
  • 10.
    Websites Have ManyVulnerabilities 96% of web applications have vulnerabilities 96% WEB APP Sources: Cenzic, Inc. – Feb. 2014, Incapsula, Inc. –2013 13% of websites can be compromised automatically 13%
  • 11.
    Known Vulnerabilities areCommon and Easy to Find • When a new Joomla version is released, vulnerability details of the prior version are released • Older versions are thus easier to attack • Automated tools can be created to identify and attack these versions Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.11
  • 12.
    Security Step #1- Regularly Update EVERYTHING All Software should be updated Regularly including. Create a regular schedule to update patches for: • Joomla • Extensions • Web servers
  • 13.
    Tips for KeepingJoomla Updated • Be careful what you download > Never download or install Joomla from any website other than http://Joomla.org. Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.13
  • 14.
    • More extensionson your Joomla site means more software to keep up to date • Include patches in your update schedule • Use trusted vendors. Each vendor has its own > Security Controls > SDLC > Code Quality Don’t Forget to Update Extensions Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.14
  • 15.
    Other Software isPotentially Vulnerable too • Run stable, secure versions of web servers • Avoid Default Anything (particularly database tables) > Make sure your Database is as secure as possible > Consider changing your “table_prefix” from the default “jos_” • Update SSL certs after Heartbleed (if necessary) • Update firewall signatures • Update anti-virus signatures Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.15
  • 16.
    Use of StolenCredentials Reigns Supreme • Use of stolen authentication credentials by hackers is the number one threat of 2013 • Once stolen hackers can use credentials at other websites to increase the impact of a breach • Automated tools combined with stolen password lists become a dangerous combination Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.16 Sources: Verizon Data Breach Report 2014
  • 17.
    Security Step #2- Implement Password Security • Avoid Default UN/Passwords • Implement Strong Passwords > Goal: Hard to Guess / Hard to brute Force attack > Include – MiXed CASe > Include – NuMB3rS > Include – SP3C!4LCh@R$ > Use a password phrase – BowTies 4r3 Co0l! • Use different passwords for different sites • Change your password periodically • Consider using a password management tool Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.17
  • 18.
    Security Step #3- Implement Multi-factor Authentication Problem • Lost or stolen passwords allow hackers to bypass your security measure Solution • Secure Admin areas with multi-factor authentication > Email > SMS > Google Authenticator > Other Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.18
  • 19.
    Security Step #4– Use a Web Application Firewall (WAF) 80~96% of all websites have high risk vulnerabilities 13% of websites can be compromised automatically Most wide spread vulnerabilities are • Cross-site Scripting • SQL Injection • Information Leakage • HTTP Response Splitting Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.19 Sources: WASC - http://projects.webappsec.org/w/page/13246989/Web%20Application%20Security%20Statistics
  • 20.
    SQL Injection –What it is and why it matters • What is SQL Injection? > SQL Injection attacks attempt to use application code to access or corrupt database content > It is accomplished by embedding SQL statements in user supplied Data > Example: • What happens if a hacker exploits this vulnerability? > They can access your database and it’s data. • Basic Rule > If it is going into your database, clean it up first! Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.20 'OR “=” The application was expecting my name, but I entered an SQL Statement
  • 21.
    Cross Site Scripting(XSS) – What it is and why it matters • What is XSS? > A type of attack in which hackers inject scripts (like JavaScript) into otherwise trusted websites • What happens if a hacker exploits an XSS vuln on my website? > Stolen cookies or sessions > Redirection to a malicious page • Basic Rule > If user supplied data is going into your application, clean it up first! Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.21 Attacker inserts malicious unfiltered code into an application1 User visits the web page and malicious code is returned with the web page 2 Attacker gains control over user data or system via injected exploit 3
  • 22.
    Security Step #4- Use a Web Application Firewall (WAF) • WAFs provide similar protection as traditional network layer firewall but for a web application • Using a WAF can protect website from application layer hacking attempts • WAFs should be used in conjunction with traditional firewalls Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.22
  • 23.
    Automated Clients arethe Majority of Web Traffic Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.23 Over 61%of all website traffic is non-human. 61.5% Non-Human Traffic 38.5% Human Traffic 1/2of that is malicious.
  • 24.
    The Impact ofBots on Website Security • DDoS • Site Scraping • Comment Spam • SEO Spam • Fraud • Vulnerability scanning Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.24 • Search Engine Crawling • Website Health Monitoring • Vulnerability Scanning Good Bots Bad Bots
  • 25.
    Site Scraping • SiteScraping is when a bot visits a website to copy or steal content • Usually done by reading and parsing web page source code Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.25 Your Site Their Site <!DOCTYPE <HTML> <HEAD> <TITLE>… Your Code Your Content
  • 26.
    Bots and CommentSpam • What is Comment Spam > Posts in comment sections on websites allegedly linking to: - Steams of popular TV shows - Cheap Shoes - Designer bags, - Viagra, Cialis, etc. • How bots are involved > Bots are used to automatically find victim sites and insert spam posts • Why it matters > Comment spam is frequently responsible for - Worse user experiences - Lower website conversions (links usually exit your site) - Malware distribution (infecting your visitors)
  • 27.
    Brute Force Attacks Incapsula,Inc. / Proprietary and Confidential. All Rights Reserved.27 Your Joomla Site
  • 28.
    # 5 Identifyand Block Bad Bots • Don’t rely on robots.txt • Implement a solution which can block bad bots to prevent > Comment Spam > Site Scraping > Vulnerability Scanning > Automated SEO Poisoning • Bot Mitigation can be > Standalone service or appliance > Part of other tools like a WAF Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.28
  • 29.
    Security Step #6Implement a DDoS mitigation Strategy • DDoS attacks make your website completely inaccessible Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.29 Legitimate Traffic Your Site Your Internet Connection • If website availability is important to you, then DDoS protection should be too • Any application without a DDoS mitigation strategy is at risk DDoS Traffic Your ISP
  • 30.
    Defend against DDoSattacks • DDoS mitigation services are preferable to Mitigation Appliances • Overprovisioning bandwidth is expensive Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.30 Legitimate Traffic Your Site Your Internet Connection DDoS Traffic Your ISP DDoS Mitigation Appliance
  • 31.
    DDoS Mitigation RequiresSpecialized Tools or Services • DDoS mitigation services are preferable to Mitigation Appliances • Overprovisioning bandwidth is expensive • DDoS attacks should be mitigated close to their source (away from your network) Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.31 Legitimate Traffic Your Site Your Internet Connection DDoS Traffic Your ISP DDoS Mitigation Service
  • 32.
    Security Step #7- Use a Secure Hosting Environment Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.32 Problem • If any site on a server is hacked, there's a chance that any other site on that same server could be vulnerable. Hacked Website Your Website Server
  • 33.
    Security Step #7- Use a Secure Hosting Environment Pick a Secure Hosting Provider that offers • Segregated environment (physically or logically) • Network layer firewalls • Vulnerability scanning > Infrastructure > Servers > Databases > Applications • Backup Services • Security Certification > SAS 70 Type II > SSAE 16 Type II Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.33
  • 34.
    Bonus Security Step- Secure Your Personal Computers Don’t let your computer sabotage your security efforts with malware • Install antivirus and regularly update the signatures • Keep your personal computer’s OS, programs, and plug-ins updated • Use personal firewalls • Open sites with HTTPs whenever possible • Use secure FTP (SFTP) instead of FTP Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.34
  • 35.
    Incapsula Helps WebsiteOwners Solve Operational Problems PerformanceSecurity Availability Solving Top Operational Problems Delivered from the Cloud
  • 36.
    Incapsula Application DeliveryCloud Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.36
  • 37.
    Website Security andPerformance in Minutes with a Simple DNS Change Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.37 By routing website traffic through the Incapsula network, malicious traffic is blocked, and legitimate traffic is accelerated. Incapsula Network Your Website Legitimate Traffic For a Free Trial of Incapsula visit us at www.Incapsula.com
  • 38.
    Please send followup questions to info@incapsula.com Twitter: @orionevolution Movember: mobro.co/orioncassetto Thank you

Editor's Notes

  • #5 Today we will be talking about: Recent web security events Six easy steps for a more secure website Automated tools to secure and improve performance on Joomla sites
  • #6 To set the stage for our discussion I’m going to begin by talking about the Web Security Landscape. The news this year, like many years prior, has seen headlines filled with well known companies falling victim to hackers. [Click] These data breaches frequently result in the theft of millions upon millions of names, passwords, credit card numbers and other personal information. Even large companies with expansive security budgets are not immune to the impact of hackers. But hackers don’t just target large firms, they attack sites of all sizes, including Joomla sites. The motives behind attacks are plentiful, they can range from: Acquiring resources for botnets Distributing Malware Stealing customer data Political Activism And even plain old malice
  • #7 One of the largest security events of the year was Heartbleed. Heartbleed is a vulnerability that was disclosed in April. It is essentially a security flaw that was present in OpenSSL, a implementation of the Transport Layer Security or TLS protocol and it is used for encrypting Internet traffic. In April 2014, at the time of disclosure, Open SSL was used to encrypt around 17% of the internet. [Click] The Heartbleed vulnerability potentially provided hackers with a well documented method of stealing user sessions, SSL private keys, cookies, and passwords from vulnerable websites. In other words, it gave hackers the keys to the kingdom for all vulnerable websites. The significance of this vulnerability cannot be understated due to its scope and severity. In the words of Joseph Steinberg, cybersecurity reporter for Forbes, “ Some might argue that [Heartbleed] is the worst vulnerability found since commercial traffic began to flow on the internet.
  • #8 Another major security event which happened very recently, is the Semalt referrer spam campaign. This campaign illustrates an amalgamation of several different security threats in a single insidious attack. Those threats being Bots, malware, and Search engine Optimization (also known as SEO) tampering and spam. [Click] Semalt is a Ukrainian based “SEO” Company which recently launched an enormous referral spam campaign. The campaign utilized a botnet of some 290,000 malware infected computers to crawl the internet looking for vulnerable targets and then attacking them. Once a victim was found, the botnet visited them with a fake referral source. These referral sources belong to websites that Semalt was paid to improve search engine rankings for. Referral links are one of the criteria which Google uses to evaluate search engine rankings. When googles crawls the victim websites it will notice all of these fake referral links in the public logs of these websites and then increase the SEO ranking of Semalt’s “clients”. Why does that matter for you or any website owner? This referral spam needs to be identified and blocked because the presence of fake SEO referrals can cause long term SEO Damage to your website’s Search engine results and can result in complete blacklisting or removal from page results. Being blacklisted from Google search results would clearly have a large negative impact on your website.
  • #9 Finally lets take a look at DDoS attacks. DDoS stands for distributed Denial of Service and it is a type of attack where hundreds or thousands of infected computers band together into a single weapon, referred to as a “bot net”. This botnet is then used to attack a single target with the goal of overwhelming the network or server it is using, thus creating a website outage. DDoS attacks are quickly becoming a favorite weapon for attackers because they are relatively cheap to perform and difficult to defend against. One interesting campaign that happened earlier this year around February and March targeted high profile SaaS companies such as Meetup and Basecamp. These SaaS companies have built successful online applications that can scale to support million of users and deliver huge amounts of content. Still all of these examples, and many more, were brought down with DDoS attacks. It is frequently the case that DDoS attackers will request ransom was for small amounts of money, like a couple hundred dollars in exchange for ending the attack and restoring the website’s availability. Although the dollar amount requested may be small, these attacks are typically large enough to bring down any company that does not have an active DDoS mitigation solution in place.
  • #11 The fact of the matter is that websites typically have vulnerabilities. The problem is so widespread that – according to a report by Cenzic, a leading vulnerability scanner – 96% of today’s web apps have vulnerabilities and 13% of websites can be compromised automatically. These vulnerabilities leave websites susceptible to attack. http://www.darkreading.com/vulnerabilities---threats/websites-harbor-fewer-flaws-but-most-have-at-least-one-serious-vulnerability/d/d-id/1139670?
  • #12 Now that we have discussed some of the larger security events which have transpired during this year, we are going to shift gears and bring the focus back to Joomla and Securing Joomla Sites. [click] The first thing to understand is almost all software has vulnerabilities. As code bases change, these vulnerabilities are created and remediated. According to a report by Whitehat as much as 73% of Joomla installations have vulnerabilities. Many of these vulnerabilities are easily found because whenever a new Joomla version is released, security details about the old versions are also released. This means older versions are easier to attack, and attackers can craft automated tools to identify and attack these versions.
  • #13 Security Step #1 Regularly update your software. This may sound like common sense but this is one of the most commonly overlooked things that can be done to secure your Joomla site. A regular patching schedule should include Joomla installations, extensions, and Web Servers.
  • #14 Carrying on that logic, I have a few simple tips regarding Joomla updates. First, be careful what you download and only download or install Joomla that you’ve obtained from Joomla.org. It is possible that other versions may include malicious software or backdoors. For those of you looking to cut down on your workload, make sure to update to a version which is 3.7 or greater. These versions of Joomla include an automatic update feature. Finally, many of us manage multiple Joomla sites, using a version control software like Subversion will make life easier.
  • #15 Many people regularly update their Joomla installation but don’t think to include their plugins in this process. Joomla plugins, while convenient, increase the complexity of a Joomla environment by introducing software created by multiple vendors. Each vendor will have it’s own level of security expertise, security controls, software development life cycle and code quality. According to a report by Checkmarx, around 20% of the 50 most popular Joomla plugins are vulnerable to common web attacks. This means that 1 in 5 plugins could take a secure Joomla installation and introduce a security flaw. Plug-in related security flaws are fairly common. In July one such plugin resulted in 50,000 hacked Joomla Sites.
  • #16 As I stated earlier, the advice to keep your software up to date extends far beyond Joomla installations. Web servers should be running stable, secure versions. Efforts should be made to secure your database. Simple things like changing your table_prefix from the default of WP_ to some other prefix add an extra layer of complexity for would-be hackers. Earlier in this presentation I mentioned that around 17% of the internet which uses SSL was vulnerable to Heartbleed. It is absolutely worth checking to see that your SSL cert is unaffected by Heartbleed. You can do this fairly easily with tools such as Netcraft and then replacing your certificate if needed. As a best practice firewalls and Anti-virus signatures should also be updated.
  • #17 One of the most overlooked ways for your web application to be compromised is through the use of Lost or stolen credentials. According to the 2014 Verizon Data breach report, the use of stolen credentials was this years number 1 threat. Once lost or stolen, credentials combined with automated tools because a powerful way for hackers to troll the internet and easily compromise websites. Whats worse is that many people re-use credentials across web sites and one stolen credential can result in multiple websites being hacked.
  • #18 Security Step #2 – Implement Password Security best practices. This probably sounds like a no-brainer but even in 2014 password security is still a top issue. The fact is that many people don’t implement strong password policies. The felony of the password security world is using default usernames and passwords. There is likely no lower hanging fruit available for hackers and for this reason it is of utmost importance than you change them. I suggest also using a non default user name. you can do this by creating a new admin user with a different user name and then deleting the default admin account. [click} Other basic tenants would be creating a password that include mixed upper and lower cases, numbers, and special characters. You might consider a password phrase instead of a password as an easy way to remember your longer, stronger password. [Click] No matter what password you choose, it is important to use different passwords for different sites and to update them periodically.
  • #19 Security step #3 is to implement multi-factor authentication to protect admin areas. Imagine this, you created a strong password In accordance with security step #2 but then somehow, be it act of god, or a disgruntled cube-mate, your username and password ended up on a hacker forum. In this scenario, a hacker could simply use your username and password to simply log into your website and do as they please. [Click] Two factor or Multi-factor authentication makes this much harder. By using multi-factor authentication, users will need a traditional username and password but also some other form of identification to gain access to a website. Common forms of multi-factor authentication are email, sms, and google authenticator (which has an iphone/android app).
  • #20 Now that we’ve covered the basics, we need to spend some time to discuss how to protect yourself against some of the more advanced web attacks that might be launched against your website. According to a report by the Web Application Security Consortium, between 80 and 96% of websites have high risk vulnerabilities. [click] Moreover 13% of all vulnerabilities can be compromised automatically. This same report sites the most common web vulnerabilities are cross site scripting, SQL injection, Information leakage, and HTTP response splitting.
  • #21 Let’s take some time to understand a few of these top attacks. SQL injection is a type of vulnerability which attempts to input database instructions or commands into an application in hopes that the application will blindly pass them on to the database. This is typically accomplished by putting a SQL command or query into an input field not designed for this. [Click] For example, the application was expecting my username and I put an attack in the field instead. If this attack isn’t filtered out before going to the database it can allow hackers to gain access to, change, or delete your database contents. [click] As a rule, if it is going into your database, clean it first!
  • #22 Another very common type of web attack is Cross site scripting. This type of attack is similar in nature as a SQL injection in that it is a hackers attempt to get a web application to do something it wasn’t designed to do by providing it an input it wasn’t expecting. In this case, the hacker is trying to insert a script, frequently JavaScript into the website. [Click] Cross site scripting attacks can result in stolen user cookies or sessions. They can also be used to infect website visitors with malware but sending them to malicious websites where malware is silently downloaded to their computer. [Click] The basic rule for dealing with XSS is as follows, “If user supplied data is going into your application, clean it first!”
  • #23 While changing your code to deal eliminate web vulnerabilities like SQL Injection and Cross Site scripting is one way to deal with these problems it is not the only way. In fact, remediating vulnerabilities at the code level can be time consuming, expensive and potentially not possible of you do not own the code base. Instead, I recommend security step #4, to use a Web Application Firewall, or WAF. WAFs provide the same type of protection that traditional network firewalls provide, but they do it at the application layer by inspecting http/https traffic for attacks. Best practice is to use a WAF to protect against application layer threats, while continuing to use a traditional firewall to protect against non-http/s based attacks. As an added benefit, WAFs frequently include other services like 2 factor authentication or fraud detection.
  • #24 Another growing trend on the internet today is the rise of bots, or automated clients. Based on research by the Incapsula team, these bots now make up as much as 61% of website traffic. While much of this traffic is legitimate and does things like indexing web content, testing website connections, populating widgets and providing search engine results, it would be naive to assume this is all they are up to. In fact, roughly 50% of the automated traffic we analyzed was malicious.
  • #25 Let’s dive deeper on this topic. We already know that legitimate or “benevolent bots” were indexing content for search engines, monitoring website availability and helping us website vulnerabilities. That begs the question, if so much of automated traffic is malicious, what are these bad bots doing? [Click] Bad bots do a wide variety of things, including Performing the DDoS attacks we just talked about, site scraping to steal website content or intellectual property, SEO and comment spam, and doing reconnaissance to provide hackers with vulnerability information to be used to attack your website.
  • #26 The most common type of scraping is called site scaping. The goal of this activity is to copy or steal webpage content for use elsewhere. This repurposing of content may or may not be approved by the website owner. Typically bots do this by crawling a website, accessing the source code of the website and then parsing it to remove the key pieces of data they want. After obtaining content, they typically post it elsewhere on the internet.
  • #27 If you’ve spent any amount of time on blog sites or forums, you’ll likely have noticed suspicious looking posts for sneakers, designer bags, Viagra, Cialis etc. [click] This is comment spam and it is typically put there by purpose built bots which seek out websites which accept user comment and are not designed to defend against submissions made by automated clients. [click] Comment spam, while more of a nuisance than anything else does have several negative affects on web sites. From the user point of view these posts are annoying and result in a worse website viewing experience. They can also direct visitors of to potentially malicious sites where they may be infected with Malware. From the website operator point of view they drive traffic away from their websites, can link to competitors’ websites, and are burdensome to identify and clean off of comment sections.
  • #29 Earlier in the presentation I mentioned that bad bots are a major problem for websites and that they are responsible for a host of different attacks ranging from: Comment Spam Site Scraping Vulnerability Scanning To Automated SEO Poisoning Implementing a solution capable of analyzing web traffic in real time to pin-point these automated threats will help you greatly improve the security posture of your website. Bot mitigation tools can be purchased as a standalone product or as part of other security solutions including WAFs, or Application Delivery Controllers.
  • #30 Security Step #5 is to implement a DDoS mitigation Strategy. As I said at the beginning of my presentation, DDoS attacks take a website offline by overwhelming it with too much traffic or too many requests. [Click] This network diagram shows an example of traffic flow under normal conditions. Website visitors are routed across the internet, through a customer’s Internet service provider and to the destination website. Data is then sent back along this route to the web visitor. DDoS attacks interrupt this flow. [Click] A common type of DDoS attack called a volumetric attack does this by banding together hundreds of thousands of infected computers into a botnet. Then using this botnet to attack a single target. On the way to the target website, the volume of this traffic usually becomes so immense that it cannot fit through the internet connection the web owner has purchased from it’s ISP. The result is that no legitimate web traffic will be able to use this conduit and thus the website will appear offline until the attack subsides. [Click] If website availability is important to you, then DDoS protection should be too [click] Any application without a DDoS mitigation strategy is at risk. DDoS mitigation is tricky to deal with because the volume and complexity of the attacks requires specialized tools or services to mitigate it.
  • #31 There are several options in terms of dealing with DDoS attacks: Using a DDoS mitigation appliance Using a DDOS mitigation service Trying to overprovision bandwidth Because of where a DDOS protection appliance would be located on a network diagram, I suggest using a ddos mitigation service. [click] Here is a network diagram showing internet traffic from website visitors. The traffic moves across the internet, through your ISP, across your internet connection and then to your web application. DDoS appliances are typically deployed here, within your network or datacenter. The reason I suggest a service instead of an appliance has to do with the fact that a large DDOS attack will saturate even a large internet connection upstream of these devices. [click] Overprovisioning bandwidth to deal with attack volumes or give this appliance a fighting shot of dealing with a large attack is expensive. Instead a specialized DDoS protection service may be preferred.
  • #32 DDoS mitigation services, usually function as cloud networks or scrubbing networks which traffic is routed through for cleansing before it reaches your ISP. This blocks the attack close to its source and away from your network.
  • #33 One problem that many Joomla users face is shared hosting. One risk associated with many shared hosting services is security. If multiple tenants are sharing the same server and one of them is hacked, there is a chance that other sites on the same server could be vulnerable as well. [Click] Of course this depends on the specific circumstances of the hack and hosting environment, but it is a valid enough concern to bring me to Security Step #6, use a secure hosting environment.
  • #34 Not all hosting companies are created equal. Website owners concerned with security should pick a hosting company which has existing security controls in place. These security controls should include segregation of environments, whether it be physical or logical to prevent the scenario described on the last slide. Security solutions like network firewalls, intrusion prevention systems and vulnerability scanning services for servers, databases, applications and infrastructure differentiate these companies from bargain hosting services. When selecting a secure hosting company, look for companies which are SAS 70 Type II or SSAE 16 Type II compliant. These certifications require companies to comply with a myriad of requirements all of which benefit your websites’ security posture.
  • #35 I am going to throw in a bonus step, secure your personal computer. Many Website owners spend time securing their Joomla environments but neglect the security of their own personal computers. Don’t be the weak link in your own security posture but letting something like a malware infection lead to a breach of your Website. Much of this is common sense. Use Anti-virus and a personal firewall. Update the signatures. Install updates for you operating system and applications. Use encryption when possible, etc.
  • #36 Incapsula Helps Website Owners Solve Operational Problems. Keeping websites and cloud applications available, fast and secure are the fundamental concerns of all website owners. Users expect websites to be available and get annoyed when they are down or when the site won’t load within a few seconds. And customers find somewhere else to shop when an ecommerce site is breached and private customer data is exposed. Keeping sites fast, secure and available has until now required a complex and expensive mix of hardware and software from several vendors.
  • #37 Incapsula has changed that by building a cloud service on a global network that provides the security, DDoS Protection, Performance and Availability that website owners need.
  • #38 Incapsula works by using DNS redirection to reout website traffic through the Incapsula Network. Once traffic is flowing through Incapsula, malicious traffic is blocked, and legitimate traffic is accelerated. This leads to a more secure, faster loading website. For a free trial of Incapsula, visit us at www.incapsula.com