This document outlines seven steps website owners can take to improve the security of their Joomla websites. It begins by reviewing major security events of 2014, such as the Heartbleed vulnerability and botnet activity. It then details the seven steps: 1) regularly updating software, 2) implementing strong passwords, 3) enabling multi-factor authentication, 4) using a web application firewall, 5) identifying and blocking bad bots, 6) implementing DDoS mitigation, and 7) using a secure hosting environment. It emphasizes the importance of these steps given the prevalence of known vulnerabilities and the speed with which automated tools exploit them.
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg... (Imperva Incapsula)
Mondrian, MySQL, Mongo, Cassandra, Lucene. You name it, we tried it. As a startup looking for cost-efficient and scalable solutions to power our event processing and statistics backend, we gave almost every Big Data technology out there a go. What we learned from these experiences is that doing it yourself is better than using plug-and-play black box solutions.
This presentation details the building of Incapsula’s Big Data system as a case study, examining the requirements and the different evolutionary phases it went through before becoming what it is today.
Is the Cloud Going to Kill Traditional Application Delivery? (Imperva Incapsula)
Application delivery controllers provide load balancing, acceleration, traffic shaping and other services that improve the performance, availability and security of web applications. But with more and more web application developers hosting their applications in the cloud, using application delivery hardware is often a non-starter.
This presentation discusses the architecture of a new type of service called the Application Delivery Cloud. This new cloud service not only offers critical performance, availability and security capabilities to web application vendors, it goes beyond its hardware analog to deliver new capabilities that today’s applications require, including regional content policies and up-to-the-minute security intelligence.
You’ve seen the headlines—"[Well-Known Company] Falls Victim To Hackers".
These data breaches result in the theft of millions of names, passwords, credit card numbers, and other personal data. Imagine if such a breach led to the theft of your application's data...
If multi-national companies with dedicated security teams and expansive budgets aren’t immune to the impact of hackers, how can you adequately prepare yourself to defeat this threat?
This presentation will explore the web application threat landscape. It will zero in on some of the most common attacks wreaking havoc on the internet, teaching you how to defend your online assets from them.
This presentation will discuss:
• The major security breaches of 2014
• Web application threats and common attack types
• How to defend against today’s common attacks
• Automated tools to help simplify website security
Incapsula: How to Increase SaaS Websites' Uptime and Accelerate Performance (Imperva Incapsula)
All too often, online threats such as DDoS attacks, scrapers, or traffic that consumes too much bandwidth are disrupting or slowing down SaaS websites. It is now more important than ever to keep website traffic flowing quickly without service interruptions.
Tempus Technologies’ president, Jason Sweitzer, talks about the technological challenges his company faced and the solutions his team adopted to increase website acceleration and uptime.
Join us for Incapsula's free 30-minute webinar to learn how you can increase your website's uptime and enhance its performance. We'll be discussing the options SaaS companies can explore with Incapsula solutions: WAF protection, frontend SSL, failover ISPs, and DDoS protection.
Migrating from Akamai to Incapsula: What You Need to Know (Imperva Incapsula)
The webinar gives an overview of and compares the two platforms: Incapsula and Akamai. In addition to the benefits of migrating to Incapsula, it covers planning, transitioning, configuring Incapsula and lessons learned from the field.
An Inside Look at a Sophisticated, Multi-vector DDoS Attack (Imperva)
This presentation explores the current DDoS attack landscape. It covers the basics of DDoS attacks and current trends, including the most recent results from the newly published 2015 Imperva Incapsula DDoS Report. It also presents a detailed analysis of one of today's modern, multi-vector DDoS attacks: while dissecting it, the presentation walks through the anatomy and timeline of the attack, as well as the steps used to mitigate each phase of the assault. The session closes with a review of the properties an effective DDoS protection solution needs in order to combat these sophisticated denial of service attacks.
Presentation on topics beyond conventional ethical hacking; discusses job factors and scope in the security field :) This was presented at LPU (Lovely Professional University) as a seminar with over 200 attendees. Meet me on FB if you want it: fb/nipun.jaswal
How to Reduce Latency with Cloudflare Argo Smart Routing (Cloudflare)
The Internet is inherently unreliable, a collection of networks connected to each other where things break all the time; cables get cut, bogus routes get advertised, routers crash. Today, to fix all of this, Cloudflare launched Argo, a “virtual backbone” for the modern Internet. Just as Waze can tell you which route to take to avoid congested or blocked roads, Argo can route connections across the Internet efficiently by avoiding packet loss, congestion, and outages.
OWASP ATL - Social Engineering Technical Controls Presentation (OWASP Atlanta)
Meetup July 16th, 2015
User awareness training will always fail to prevent 100% of social engineering attacks. However, consistent and reliable technical controls drastically mitigate an organization’s risk and increase the difficulty for malicious actors to launch successful attacks.
This talk describes social engineering from the perspectives of an attacker and a defender. The presentation will cover techniques designed to help organizations develop an ideal incident response plan crafted specifically for social engineering attacks. It will explain technical controls that are designed to inhibit attackers, as well as procedures that allow an incident response team to quickly identify successful attacks and eradicate their presence.
Bishop Fox conducted new research into the state of email spoofing defenses and identified organizations that are most commonly targeted for brand spoofing. This research will show that 99.9% of the top million domains are vulnerable to email spoofing and provide recommendations for avoiding attack.
This presentation covers attacks and defenses for dangerous social engineering activities, including:
· Email spoofing
· Domain hijacks
· Typo-squatting
· Client-side attacks
· Watering hole attacks
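The spoofing figure above comes down to two DNS records a receiving mail server consults before accepting a message that claims to come from your domain: the SPF record (which hosts may send for the domain) and the DMARC record (what to do when SPF/DKIM fail). As an added check, not code from Bishop Fox or from the talk, the following evaluates a domain's published SPF "all" qualifier and DMARC policy and reports whether a direct-domain spoof would be accepted. All domain names and records are constructed for the example and no DNS lookups are made; DKIM, the subdomain policy (sp=) and the pct= tag are deliberately not modelled.

```python
"""Assess whether a domain's SPF/DMARC records leave it open to direct-domain
email spoofing.  Editor's example using constructed DNS data (no network)."""
import re

# Constructed TXT answers keyed by the name a resolver would query.
SAMPLE_DNS = {
    "strict.example":        ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "soft.example":          ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.soft.example":   ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
    "open.example":          ["v=spf1 +all"],
    "_dmarc.open.example":   ["v=DMARC1; p=reject"],
    "bare.example":          [],          # publishes neither record
}


def lookup_txt(name, dns=SAMPLE_DNS):
    """Stand-in for a TXT query; returns [] when the name has no records."""
    return dns.get(name, [])


def spf_all_qualifier(txts):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+'),
    '?' when the record has no 'all' term (RFC 7208 default is neutral),
    or None when no SPF record is published."""
    for txt in txts:
        if txt.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt, re.I)
            return (m.group(1) or "+") if m else "?"
    return None


def dmarc_policy(txts):
    """Return the DMARC 'p=' value in lower case, or None if there is no record."""
    for txt in txts:
        if txt.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
            return tags.get("p", "").strip().lower() or None
    return None


def assess(domain, dns=SAMPLE_DNS):
    """Classify a domain as spoofable or not from its SPF and DMARC records.

    A forged message from an unauthorised host is stopped only when SPF fails
    for that host (softfail and fail both count as 'not pass' for DMARC) AND
    DMARC tells receivers to quarantine or reject.  Anything weaker lets the
    message through."""
    spf = spf_all_qualifier(lookup_txt(domain, dns))
    pol = dmarc_policy(lookup_txt("_dmarc." + domain, dns))
    reasons = []
    if spf is None:
        reasons.append("no SPF record")
    elif spf in ("+", "?"):
        reasons.append("SPF passes or is neutral for any sender (%sall)" % spf)
    if pol is None:
        reasons.append("no DMARC record")
    elif pol == "none":
        reasons.append("DMARC p=none: failures are reported, not enforced")
    spoofable = spf in (None, "+", "?") or pol in (None, "none")
    return {"domain": domain, "spf_all": spf, "dmarc_p": pol,
            "spoofable": spoofable, "reasons": reasons}


if __name__ == "__main__":
    for d in ("strict.example", "soft.example", "open.example", "bare.example"):
        r = assess(d)
        print(d, "SPOOFABLE" if r["spoofable"] else "protected", r["reasons"])
```

To run it against real domains, replace lookup_txt with a resolver call that returns the TXT strings for the name; the classification logic is unchanged. Note that soft.example is flagged because of p=none, not because of ~all: softfail alone is enough for DMARC to fail, but without an enforcing policy the receiver still delivers the message.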
This document contains the results of a comparative penetration test conducted by a team of security specialists at Zero Science Lab against three ‘leading’ web application firewall solutions. Our goal was to bypass security controls in place, in any way we can, circumventing whatever filters they have. This report also outlines the setup and configuration process, as well as a detailed security assessment.
Cybereason - behind the HackingTeam infection server (Amit Serper)
In July 2015, the Italian cybersecurity solutions vendor "HackingTeam" was breached and more than 400 gigabytes of HackingTeam's most sensitive data leaked to the internet. Security researchers Amit Serper and Alex Frazer from Cybereason were among the first to study the data dump and to publish information about it. The research was quoted in several tech news sites such as Ars Technica. It was also published in Hebrew in the DigitalWhisper e-zine, on the Cybereason blog as an e-book (in English), and in free public lectures in Tel Aviv by the researchers themselves. The following slide deck is from that lecture.
Using a secured, cloud-delivered SD-WAN to transform your business network (Netpluz Asia Pte Ltd)
For more information on Managed Software Defined Wide Area Network (SD-WAN) service, please visit https://www.netpluz.asia/services/data/sd-wan/
Website: www.netpluz.asia
The presentation demonstrates basics of antivirus evasion on the payloads created using metasploit. The aim of this presentation is to aid penetration testers during a professional VAPT and is for educational purposes only.
Kona Web Application Firewall Overview - Akamai at RSA Conference 2013 (Akamai Technologies)
Web application performance and security are critical to innovation. Akamai's Web Application Firewall (WAF) is a highly scalable edge defense service architected to detect and mitigate potential attacks, including SQL injection attacks, in HTTP and HTTPS traffic as they pass through Akamai's Intelligent Platform in their attempt to reach origin data centers.
WAF is designed to scale instantly to preserve performance and filter attack traffic close to the source, protecting your infrastructure and keeping your web applications up and running. Learn more about Kona Security Solutions: http://www.akamai.com/html/solutions/kona-solutions.html
Learn more about Akamai's presence at RSA Conference 2013: http://www.akamai.com/html/ms/rsa_conference_2013.html
Savvius Vigil is the first network appliance able to intelligently store months of packet-level information to enhance security investigations. Savvius Vigil integrates with your existing SIEM platform to examine packets related to a breach weeks or months after the incident occurred. This information is often vital to a full understanding of the threat.
DevSecCon Tel Aviv 2018 - Serverless Security (Avi Shulman)
Serverless architectures enable organizations to build and deploy software and services without having to maintain or provision any physical or virtual servers. Applications built using serverless architectures are suitable for a wide range of services, and can scale elastically as cloud workloads grow. From a software development perspective, organisations adopting serverless can focus on core product functionality, and completely disregard the underlying operating system, application server or software runtime environment. In essence, when you develop applications using serverless, you relieve yourself from the daunting task of having to constantly apply security patches for the underlying operating system and application servers – these tasks are now the responsibility of the serverless architecture provider.
However, the comfort and elegance of serverless architectures is not without its drawbacks: serverless architectures introduce a new set of security concerns that must be taken into consideration when securing such applications. In this talk, we will present an overview of serverless architectures, the challenge of securing serverless applications, and an overview of the top 10 most common security concerns that developers, DevSecOps and architects should consider when designing and developing such applications. We will also demonstrate a unique CI/CD tool for hardening serverless projects at deployment time.
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap... (IBM Security)
View the on-demand recording: http://securityintelligence.com/events/avoiding-application-attacks/
Your organization is running fast to build your business. You are developing new applications faster than ever and utilizing new cloud-based development platforms. Your customers and employees expect applications that are powerful, highly usable, and secure. Yet this need for speed coupled with new development techniques is increasing the likelihood of security issues.
How can you meet the needs of speed to market with security? Hear Paul Ionescu, IBM Security, Ethical Hacking Team Lead discuss:
- How application attacks work
- Open Web Application Security Project (OWASP) goals
- How to build defenses into your applications
- The 10 most common web application attacks, including demos of the infamous Shellshock and Heartbleed vulnerabilities
- How to test for and prevent these types of threats
With the help of GCHQ and CERT-UK, we've produced this presentation on reducing the impact of common cyber attacks. It's not meant to be an exhaustive guide to cyber security threats. The presentation isn't tailored to individual needs, and it is not a replacement for specialist cyber security advice.
Introduction to Ethical Hacking; the life cycle of hacking; introduction to penetration testing and the steps in a penetration test; footprinting module; scanning module; live demos on finding vulnerabilities: a) bypassing authentication, b) SQL injection, c) cross-site scripting, d) file upload vulnerability (web server hacking); countermeasures for securing web applications.
Internet security is a branch of computer security specifically involving browser security but also network security on a more general level.
Contents:
Introduction
Need
Security-related threats
-Hijacked web servers
-Denial-of-service attacks
-Cross-site scripting
-Trap doors
-Email spoofing
Conclusions
Similar to Joomla Security Simplified — Seven Easy Steps For a More Secure Website
Learn everything from the Imperva resources you can count on when you need help, to how you can bolster your security and performance by working with the Incapsula support organization.
Get an inside look at Incapsula Security, straight from the Security Research Team. Plus, get your vulnerability management strategy on track by assessing the automated threats you face and learn about the new security features we’re working on to keep you protected.
D3TLV17- The Incapsula WAF: Your Best Line of Defense Against Application La... (Imperva Incapsula)
Learn about the most important aspects of a Web Application Firewall your organization needs to have in place to protect against the most critical web application security risks. Plus, see how we’re evolving to ensure you’re protected against new attack campaigns.
In this presentation, we cover advanced mitigation techniques used by Behemoth 2 – our latest mitigation platform – as well as real-life examples of different DDoS attack vectors and traffic samples. Plus, learn how we utilize a network of 4.7 Tbps to handle complex high throughput attacks and get a heads up on the latest trends we’re seeing in DDoS attacks.
Scott Helme, renowned security researcher and international speaker, shares his unique perspective on content security policy and how security has evolved.
Phil Williams, Principal Cloud Solutions Architect, explains how to evaluate your exposure to DDoS attack and how to best shape your defenses to budget requirements.
D3NY17- Customizing Incapsula to Accommodate Single Sign-On (Imperva Incapsula)
In this session, learn how the Greek Orthodox Archdiocese of America was able to customize their Incapsula service to accommodate a single sign-on solution.
In this session, learn how The Economist approached migrating to the cloud and moving economist.com from legacy datacenters to Amazon Web Services (AWS).
IncapRules are an integral method to customize Incapsula for your specific applications and environment. However, we find that our enterprise clients may have questions on building advanced rules or need help understanding how to write them for complex scenarios. In this session, Jeff Serota, Technical Account Manager, discusses the interface, some of the most common filters and actions, and how a large client collaborated with our security team to thwart credential stuffing on their client self-service portal.
D3SF17- Using Incap Rules to Customize Your Security and Access Control (Imperva Incapsula)
IncapRules are an integral method to customize Incapsula for your specific applications and environment. However, we find that our enterprise clients may have questions on building advanced rules or need help understanding how to write them for complex scenarios. In this session, Peter Klimek, Principal Security Engineer, discusses the interface, some of the most common filters and actions, and how a large client collaborated with our security team to thwart credential stuffing on their client self-service portal.
D3SF17- Boost Your Website Performance with Application Delivery Rules (Imperva Incapsula)
Incapsula introduced Application Delivery Rules (ADR) in October of 2016, but many clients have not tapped into their powerful abilities. In this session, Jeff Serota, Technical Account manager, provides an overview of ADR, discusses how they differ from IncapRules, and teaches you how to leverage them in your own Incapsula deployment.
D3SF17- A Single Source of Truth for Security Issues- Pushing Siem Logs to Cl... (Imperva Incapsula)
It can be challenging for security teams to cut through the clutter of SIEM logs in order to analyze security information and alerts. In this session, Bryan Jones, Senior Security Engineer, walks you through the 5 major configuration steps needed to help you better manage security issues across your entire tech stack.
In this session, David Ting, VP of Engineering at DataVisor, explores the latency challenges associated with a global client base and what can be learned when implementing a performance-improving solution.
D3SF17- Migrating to the Cloud 5- Years' Worth of Lessons Learned (Imperva Incapsula)
Moving your critical applications from on-premises servers to the cloud can be a daunting prospect — but it doesn't need to be. Drawing on over 5 years of experience bringing some of the largest CMS sites on the Web into the cloud, Vasken Hauri, VP of Engineering at 10up, covers the key aspects you'll need to consider to ensure a smooth and successful migration. He also touches on some best practices you can apply post-migration to keep your sites secure, performant, and worry-free in an era where our toasters can launch DDoS attacks.
Keynote presentation by Dvir Shapira, Director of Product Management. Opening remarks include a look at where we’ve been in terms of the Internet as a whole and Internet security and performance, as well as where we’re going.
E-commerce Optimization: Using Load Balancing and CDN to Improve Website Perf... (Imperva Incapsula)
As more people shop online, it’s critical that your website meets—and even exceeds—their expectations. Online shoppers want sites that are easy to use and don’t waste their time.
According to a recent Imperva Incapsula survey, more than 60% of users said they wouldn’t wait more than five seconds for a site to load. And almost 70% said that poor website performance would cause them to leave a site and never return.
If you’re serious about reaping the benefits of the significant growth in online shopping, it’s time to get your web “house” in order. And a new free webinar from Imperva can help.
A secure web server isn’t really secure if the infrastructure supporting it remains vulnerable. Unless you implement infrastructure protection, your non-HTTP assets are vulnerable and you may not be as protected as you think you are.
You may be like others who need to get better DDoS protection but haven’t been able to or had to settle for an imperfect solution because of deployment limitations such as protocol dependencies and BGP restrictions. Incapsula IP Protection has now overcome these barriers — and we are the only service that can do it.
At this webinar our product experts will discuss how Incapsula customers are adopting IP Protection and bringing their DDoS protection to the next level. We’ll also have a discussion with Imperva CISO Shahar Ben-Hador who will share insights on how we use IP Protection and real-world lessons learned.
You need to protect more than just your web servers from DDoS attacks. We’ll address these questions:
Why do you need to protect more than just your web servers?
What were the limitations others ran into when they tried to do it?
How did Incapsula help them overcome the limitations?
...and much more!
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website's Weak Points... (Imperva Incapsula)
DDoS attacks are bigger and more sophisticated than ever before. Odds are your business is going to be attacked – and without an effective mitigation strategy, you don't stand a chance.
In this webinar Andrew Shoemaker a DDoS simulation expert from NimbusDDOS gives you a rare glimpse into how hackers find the weak points in your defenses and exploit them to level devastating DDoS attacks. You'll see real world examples of the tactics and methods used to create tailored DDoS attacks that can bring down a targeted network or application, and learn how best to defend them.
An Inside Look at a Sophisticated Multi-Vector DDoS Attack (Imperva Incapsula)
By Nabeel Saeed
This presentation explores the current DDoS attack landscape. It covers the basics of DDoS attacks and current trends, including the most recent results from the newly published 2015 Imperva Incapsula DDoS Report. It also presents a detailed analysis of one of today's modern, multi-vector DDoS attacks: while dissecting it, the presentation walks through the anatomy and timeline of the attack, as well as the steps used to mitigate each phase of the assault. The session closes with a review of the properties an effective DDoS protection solution needs in order to combat these sophisticated denial of service attacks.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Elevating Tactical DDD Patterns Through Object Calisthenics
Joomla Security Simplified — Seven Easy Steps For a More Secure Website
1. Presented by: Orion Cassetto, Sr. Product Marketing Manager, Incapsula
Joomla Security Simplified — Seven Easy Steps For a More Secure Website
2. What’s with the ‘Stache?
Movember. Of Course! (http://mobro.co/orioncassetto)
Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.
4. Overview
• Recent web security events and major security threats
• Seven easy steps for a more secure website
• Automated tools to secure and improve performance on Joomla sites
5. Major Hacks of 2014
2014 has seen several enormous data breaches by hackers, including:
6. Heartbleed – the Epic SSL Crisis of 2014
• Heartbleed is a security bug that was disclosed in April of 2014
• It was present in the widely used OpenSSL cryptography library
• When disclosed, around 17% of the Internet's secure web servers were vulnerable
• Why do I care?
> The vulnerability allowed for the theft of the servers' private keys and users' session cookies and passwords
“Some might argue that [Heartbleed] is the worst vulnerability found since commercial traffic began to flow on the Internet.”
Joseph Steinberg – Forbes
7. Semalt Hijacks Hundreds of Thousands of Computers for Referrer Spam
What is it?
1. Semalt is a Ukrainian search engine optimization (SEO) “company”
2. They used malware to hijack computers and create a giant botnet
3. This botnet visits sites across the internet with fake referral sources
What damage could this cause your website?
• Long-term SEO damage to your website’s rankings
• Complete search engine result page blacklisting and removal
8. Distributed Denial Of Service (DDoS) Attacks
• DDoS attacks are attacks in which many infected computers band together to attack a single target
• These attacks exhaust network connections and server resources, causing website outages
9. Seven easy steps for a more secure website
10. Websites Have Many Vulnerabilities
• 96% of web applications have vulnerabilities
• 13% of websites can be compromised automatically
Sources: Cenzic, Inc. – Feb. 2014, Incapsula, Inc. – 2013
11. Known Vulnerabilities are Common and Easy to Find
• When a new Joomla version is released, vulnerability details of the prior version are released
• Older versions are thus easier to attack
• Automated tools can be created to identify and attack these versions
12. Security Step #1 - Regularly Update EVERYTHING
All software should be updated regularly. Create a regular schedule to apply patches for:
• Joomla
• Extensions
• Web servers
13. Tips for Keeping Joomla Updated
• Be careful what you download
> Never download or install Joomla from any website other than http://Joomla.org.
14. Don’t Forget to Update Extensions
• More extensions on your Joomla site means more software to keep up to date
• Include patches in your update schedule
• Use trusted vendors. Each vendor has its own
> Security Controls
> SDLC
> Code Quality
15. Other Software is Potentially Vulnerable too
• Run stable, secure versions of web servers
• Avoid Default Anything (particularly database tables)
> Make sure your Database is as secure as possible
> Consider changing your “table_prefix” from the default “jos_”
• Update SSL certs after Heartbleed (if necessary)
• Update firewall signatures
• Update anti-virus signatures
16. Use of Stolen Credentials Reigns Supreme
• Use of stolen authentication credentials by hackers is the number one threat of 2013
• Once stolen, hackers can use credentials at other websites to increase the impact of a breach
• Automated tools combined with stolen password lists become a dangerous combination
Sources: Verizon Data Breach Report 2014
17. Security Step #2 - Implement Password Security
• Avoid default usernames/passwords
• Implement strong passwords
> Goal: hard to guess / hard to brute-force
> Include – MiXed CASe
> Include – NuMB3rS
> Include – SP3C!4LCh@R$
> Use a password phrase – BowTies 4r3 Co0l!
• Use different passwords for different sites
• Change your password periodically
• Consider using a password management tool
18. Security Step #3 - Implement Multi-factor Authentication
Problem
• Lost or stolen passwords allow hackers to bypass your security measures
Solution
• Secure admin areas with multi-factor authentication
> Email
> SMS
> Google Authenticator
> Other
19. Security Step #4 – Use a Web Application Firewall (WAF)
80–96% of all websites have high-risk vulnerabilities
13% of websites can be compromised automatically
The most widespread vulnerabilities are
• Cross-site Scripting
• SQL Injection
• Information Leakage
• HTTP Response Splitting
Sources:
WASC - http://projects.webappsec.org/w/page/13246989/Web%20Application%20Security%20Statistics
20. SQL Injection – What it is and why it matters
• What is SQL Injection?
> SQL Injection attacks attempt to use application code to access or corrupt database content
> It is accomplished by embedding SQL statements in user-supplied data
> Example: 'OR "=" – The application was expecting my name, but I entered an SQL statement
• What happens if a hacker exploits this vulnerability?
> They can access your database and its data.
• Basic Rule
> If it is going into your database, clean it up first!
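As an added example (not code from the original deck, from Incapsula or from Joomla), the Python below builds a constructed SQLite users table and runs the same name lookup two ways. The vulnerable version splices the supplied name into the SQL text, so the input `' OR ''='` (the single-quoted form of the deck's `'OR "="` example) turns the WHERE clause into one that matches every row; the parameterised version binds the value and returns nothing for that input. The table contents and the allow-list pattern in `is_valid_name` are assumptions made for the demo.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "admin@example.com"), ("alice", "alice@example.com")],
    )
    conn.commit()
    return conn


CONN = make_db()

# Same trick as the deck's 'OR "=" example, written with single quotes so that
# the quote character closes the string literal the application opened.
INJECTION = "' OR ''='"


def lookup_vulnerable(name: str) -> list:
    """The flaw slide 20 describes: user input becomes part of the SQL statement."""
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in CONN.execute(sql)]


def lookup_safe(name: str) -> list:
    """Parameterised query: the driver binds the value, so quotes inside it stay data."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in CONN.execute(sql, (name,))]


def is_valid_name(name: str) -> bool:
    """Defence in depth: an allow-list check (assumed policy) rejects input that
    could never be a legitimate user name before it reaches the database."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", name) is not None


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("alice"), lookup_vulnerable(INJECTION))
    print("safe:      ", lookup_safe("alice"), lookup_safe(INJECTION))
    print("validated: ", is_valid_name("alice"), is_valid_name(INJECTION))
```

The vulnerable lookup with the injection string returns both accounts, because the statement it executes is `SELECT name FROM users WHERE name = '' OR ''='' ORDER BY name`; the safe lookup returns an empty list, and the allow-list check rejects the input outright.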
21. Cross Site Scripting (XSS) – What it is and why it matters
• What is XSS?
> A type of attack in which hackers inject scripts (like JavaScript) into otherwise trusted websites
• What happens if a hacker exploits an XSS vuln on my website?
> Stolen cookies or sessions
> Redirection to a malicious page
• Basic Rule
> If user-supplied data is going into your application, clean it up first!
How it works:
1. Attacker inserts malicious, unfiltered code into an application
2. User visits the web page and the malicious code is returned with the web page
3. Attacker gains control over user data or system via the injected exploit
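The comment-rendering code below is an added Python example, not code from the original deck, from Incapsula or from Joomla; the comment records, including the script payload and the `javascript:` link, are constructed sample data. It shows the output-encoding side of "clean it up first": the vulnerable renderer concatenates user text straight into HTML, so a browser would execute it, while the safe renderer escapes element text with `html.escape` and restricts link targets to http(s) URLs before escaping them for the attribute context.

```python
import html
from urllib.parse import urlparse

# Constructed comment records: (user, comment text, profile link).
# The second record carries the kind of payload slide 21 warns about.
COMMENTS = [
    ("alice", "Great article, thanks!", "http://alice.example/"),
    ("mallory", "<script>alert('xss')</script>", "javascript:alert('xss')"),
]


def render_vulnerable(comments) -> str:
    """Raw concatenation: whatever the commenter typed is sent to the browser as markup."""
    return "".join(
        f'<li><a href="{url}">{user}</a>: {text}</li>' for user, text, url in comments
    )


def safe_link(url: str) -> str:
    """Attribute context: allow only absolute http(s) URLs, then escape quotes."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return "#"  # drop javascript:, data: and relative/malformed targets
    return html.escape(url, quote=True)


def render_safe(comments) -> str:
    """Output encoding per context: element text is HTML-escaped, the href is
    validated and attribute-escaped, so the payload is displayed, not executed."""
    return "".join(
        f'<li><a href="{safe_link(url)}">{html.escape(user)}</a>: {html.escape(text)}</li>'
        for user, text, url in comments
    )


if __name__ == "__main__":
    print(render_vulnerable(COMMENTS))
    print(render_safe(COMMENTS))
```

In the safe output mallory's comment appears as `&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;`, which the browser shows as literal text, and the `javascript:` link is replaced by `#`.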
22. Security Step #4 - Use a Web Application Firewall (WAF)
• WAFs provide protection similar to a traditional network-layer firewall, but for a web application
• Using a WAF can protect your website from application-layer hacking attempts
• WAFs should be used in conjunction with traditional firewalls
23. Automated Clients are the Majority of Web Traffic
Over 61% of all website traffic is non-human.
• 61.5% non-human traffic
• 38.5% human traffic
Half of that non-human traffic is malicious.
24. The Impact of Bots on Website Security
Good Bots
• Search engine crawling
• Website health monitoring
• Vulnerability scanning
Bad Bots
• DDoS
• Site scraping
• Comment spam
• SEO spam
• Fraud
• Vulnerability scanning
25. Site Scraping
• Site Scraping is when a bot visits a website to copy or steal content
• Usually done by reading and parsing web page source code
[Diagram: Your Site (your code, your content: <!DOCTYPE, <HTML>, <HEAD>, <TITLE>…) is read by a bot and reproduced on Their Site]
26. Bots and Comment Spam
• What is comment spam?
> Posts in comment sections on websites allegedly linking to:
- Streams of popular TV shows
- Cheap shoes
- Designer bags
- Viagra, Cialis, etc.
• How bots are involved
> Bots are used to automatically find victim sites and insert spam posts
• Why it matters
> Comment spam is frequently responsible for
- Worse user experiences
- Lower website conversions (links usually exit your site)
- Malware distribution (infecting your visitors)
28. Security Step #5 - Identify and Block Bad Bots
• Don’t rely on robots.txt
• Implement a solution which can block bad bots to prevent
> Comment Spam
> Site Scraping
> Vulnerability Scanning
> Automated SEO Poisoning
• Bot mitigation can be
> A standalone service or appliance
> Part of other tools like a WAF
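As an added example (not from the original deck and not any Incapsula product), the Python script below applies three of the bad-bot signals the deck names to a constructed Apache combined-format access log: request bursts, a high share of 404 responses (path probing, as a vulnerability scanner produces), and requests to paths that robots.txt disallows, which turns "don't rely on robots.txt" into a detection: a client that fetches robots.txt and then walks the Disallow paths has identified itself. The sample log, the robots.txt, the thresholds and the RFC 5737 documentation addresses are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed robots.txt for the sample site (not from the original deck).
ROBOTS_TXT = """\
User-agent: *
Disallow: /administrator/
Disallow: /private-archive/
"""

# Constructed Apache combined-format log lines. 203.0.113.10 is a browsing
# visitor, 192.0.2.5 a well-behaved crawler, 198.51.100.7 a scanner.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2014:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"
203.0.113.10 - - [12/Nov/2014:10:00:04 +0000] "GET /media/site.css HTTP/1.1" 200 880 "http://example.com/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"
203.0.113.10 - - [12/Nov/2014:10:01:30 +0000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 6400 "http://example.com/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"
192.0.2.5 - - [12/Nov/2014:10:01:40 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.5 - - [12/Nov/2014:10:01:45 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [12/Nov/2014:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "python-requests/2.4"
198.51.100.7 - - [12/Nov/2014:10:02:00 +0000] "GET /administrator/ HTTP/1.1" 200 2100 "-" "python-requests/2.4"
198.51.100.7 - - [12/Nov/2014:10:02:01 +0000] "GET /private-archive/ HTTP/1.1" 404 210 "-" "python-requests/2.4"
198.51.100.7 - - [12/Nov/2014:10:02:01 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "python-requests/2.4"
198.51.100.7 - - [12/Nov/2014:10:02:02 +0000] "GET /old-site/ HTTP/1.1" 404 210 "-" "python-requests/2.4"
198.51.100.7 - - [12/Nov/2014:10:02:02 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "python-requests/2.4"
198.51.100.7 - - [12/Nov/2014:10:02:03 +0000] "GET /dev/ HTTP/1.1" 404 210 "-" "python-requests/2.4"
198.51.100.7 - - [12/Nov/2014:10:02:03 +0000] "GET /tmp/ HTTP/1.1" 404 210 "-" "python-requests/2.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_robots(text: str) -> list:
    """Collect the Disallow prefixes from the 'User-agent: *' group of a robots.txt."""
    prefixes, applies = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            applies = value == "*"
        elif key == "disallow" and applies and value:
            prefixes.append(value)
    return prefixes


def max_in_window(times: list, window_s: int) -> int:
    """Largest number of sorted timestamps falling inside any window_s-second span."""
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(log_text: str, robots_txt: str, rate_limit: int = 5, window_s: int = 60,
            min_requests: int = 5, notfound_ratio: float = 0.5) -> dict:
    """Map each client IP that shows bad-bot behaviour to the list of reasons.

    Thresholds are assumptions for the demo; tune them to your own traffic."""
    disallowed = parse_robots(robots_txt)
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        burst = max_in_window(sorted(r["ts"] for r in recs), window_s)
        if burst > rate_limit:
            reasons.append(f"{burst} requests within {window_s}s")
        if len(recs) >= min_requests:
            ratio = sum(r["status"] == 404 for r in recs) / len(recs)
            if ratio >= notfound_ratio:
                reasons.append(f"{ratio:.0%} of requests returned 404 (path probing)")
        hits = sorted({r["path"] for r in recs
                       if any(r["path"].startswith(p) for p in disallowed)})
        if hits:
            reasons.append("ignored robots.txt Disallow: " + ", ".join(hits))
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG, ROBOTS_TXT).items():
        print(ip, "->", "; ".join(reasons))
```

On the sample data only 198.51.100.7 is reported, with all three reasons; the browsing visitor and the crawler that honours robots.txt stay clean, which is the distinction slide 24 draws between good and bad bots. The findings are what you would feed into a blocking rule (firewall, WAF or web-server deny list) rather than a block applied inline here.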
29. Security Step #6 - Implement a DDoS Mitigation Strategy
• DDoS attacks make your website completely inaccessible
• If website availability is important to you, then DDoS protection should be too
• Any application without a DDoS mitigation strategy is at risk
[Diagram: legitimate traffic and DDoS traffic both reach your site through your ISP and your Internet connection]
30. Defend against DDoS attacks
• DDoS mitigation services are preferable to mitigation appliances
• Overprovisioning bandwidth is expensive
[Diagram: a DDoS mitigation appliance at your site, behind your ISP and your Internet connection, with legitimate and DDoS traffic both arriving over that connection]
31. DDoS Mitigation Requires Specialized Tools or Services
• DDoS mitigation services are preferable to mitigation appliances
• Overprovisioning bandwidth is expensive
• DDoS attacks should be mitigated close to their source (away from your network)
[Diagram: a DDoS mitigation service in front of your ISP filters the DDoS traffic, so only legitimate traffic crosses your Internet connection to your site]
32. Security Step #7 - Use a Secure Hosting Environment
Problem
• If any site on a server is hacked, there's a chance that any other site on that same server could be vulnerable.
[Diagram: a hacked website and your website sharing the same server]
33. Security Step #7 - Use a Secure Hosting Environment
Pick a Secure Hosting Provider that offers
• Segregated environment (physically or logically)
• Network layer firewalls
• Vulnerability scanning
> Infrastructure
> Servers
> Databases
> Applications
• Backup Services
• Security Certification
> SAS 70 Type II
> SSAE 16 Type II
34. Bonus Security Step - Secure Your Personal Computers
Don’t let your computer sabotage your security efforts with malware
• Install antivirus and regularly update the signatures
• Keep your personal computer’s OS, programs, and plug-ins updated
• Use personal firewalls
• Open sites with HTTPS whenever possible
• Use secure FTP (SFTP) instead of FTP
35. Incapsula Helps Website Owners Solve Operational Problems
Performance / Security / Availability
Solving Top Operational Problems, Delivered from the Cloud
37. Website Security and Performance in Minutes with a Simple DNS Change
By routing website traffic through the Incapsula network, malicious traffic is blocked, and legitimate traffic is accelerated.
[Diagram: legitimate traffic passes through the Incapsula network to your website]
For a Free Trial of Incapsula visit us at www.Incapsula.com
38. Please send follow up questions to info@incapsula.com
Twitter: @orionevolution
Movember: mobro.co/orioncassetto
Thank you
Editor's Notes
Today we will be talking about:
Recent web security events
Six easy steps for a more secure website
Automated tools to secure and improve performance on Joomla sites
To set the stage for our discussion I’m going to begin by talking about the web security landscape. The news this year, like many years prior, has seen headlines filled with well-known companies falling victim to hackers.
[Click]
These data breaches frequently result in the theft of millions upon millions of names, passwords, credit card numbers and other personal information.
Even large companies with expansive security budgets are not immune to the impact of hackers. But hackers don’t just target large firms; they attack sites of all sizes, including Joomla sites. The motives behind attacks are plentiful; they can range from:
Acquiring resources for botnets
Distributing Malware
Stealing customer data
Political Activism
And even plain old malice
One of the largest security events of the year was Heartbleed. Heartbleed is a vulnerability that was disclosed in April. It is essentially a security flaw that was present in OpenSSL, an implementation of the Transport Layer Security (TLS) protocol, which is used for encrypting Internet traffic. In April 2014, at the time of disclosure, OpenSSL was used to encrypt around 17% of the internet.
[Click]
The Heartbleed vulnerability potentially provided hackers with a well documented method of stealing user sessions, SSL private keys, cookies, and passwords from vulnerable websites. In other words, it gave hackers the keys to the kingdom for all vulnerable websites.
The significance of this vulnerability cannot be overstated, due to its scope and severity. In the words of Joseph Steinberg, cybersecurity reporter for Forbes, “Some might argue that [Heartbleed] is the worst vulnerability found since commercial traffic began to flow on the internet.”
Another major security event, which happened very recently, is the Semalt referrer spam campaign. This campaign illustrates an amalgamation of several different security threats in a single insidious attack, those threats being bots, malware, and search engine optimization (also known as SEO) tampering and spam.
[Click]
Semalt is a Ukrainian-based “SEO” company which recently launched an enormous referral spam campaign. The campaign utilized a botnet of some 290,000 malware-infected computers to crawl the internet looking for vulnerable targets and then attacking them.
Once a victim was found, the botnet visited them with a fake referral source. These referral sources belong to websites that Semalt was paid to improve search engine rankings for. Referral links are one of the criteria which Google uses to evaluate search engine rankings. When Google crawls the victim websites, it will notice all of these fake referral links in the public logs of these websites and then increase the SEO ranking of Semalt’s “clients”.
Why does that matter for you or any website owner? This referral spam needs to be identified and blocked because the presence of fake SEO referrals can cause long-term SEO damage to your website’s search engine results and can result in complete blacklisting or removal from page results.
Being blacklisted from Google search results would clearly have a large negative impact on your website.
Finally, let’s take a look at DDoS attacks. DDoS stands for Distributed Denial of Service, and it is a type of attack where hundreds or thousands of infected computers band together into a single weapon, referred to as a “botnet”. This botnet is then used to attack a single target with the goal of overwhelming the network or server it is using, thus creating a website outage. DDoS attacks are quickly becoming a favorite weapon for attackers because they are relatively cheap to perform and difficult to defend against.
One interesting campaign that happened earlier this year around February and March targeted high profile SaaS companies such as Meetup and Basecamp.
These SaaS companies have built successful online applications that can scale to support millions of users and deliver huge amounts of content.
Still all of these examples, and many more, were brought down with DDoS attacks.
It is frequently the case that DDoS attackers will request ransoms for small amounts of money, like a couple hundred dollars, in exchange for ending the attack and restoring the website’s availability. Although the dollar amount requested may be small, these attacks are typically large enough to bring down any company that does not have an active DDoS mitigation solution in place.
The fact of the matter is that websites typically have vulnerabilities. The problem is so widespread that – according to a report by Cenzic, a leading vulnerability scanner – 96% of today’s web apps have vulnerabilities and 13% of websites can be compromised automatically. These vulnerabilities leave websites susceptible to attack.
http://www.darkreading.com/vulnerabilities---threats/websites-harbor-fewer-flaws-but-most-have-at-least-one-serious-vulnerability/d/d-id/1139670?
Now that we have discussed some of the larger security events which have transpired during this year, we are going to shift gears and bring the focus back to Joomla and Securing Joomla Sites.
[click]
The first thing to understand is almost all software has vulnerabilities.
As code bases change, these vulnerabilities are created and remediated. According to a report by Whitehat, as much as 73% of Joomla installations have vulnerabilities. Many of these vulnerabilities are easily found because whenever a new Joomla version is released, security details about the old versions are also released. This means older versions are easier to attack, and attackers can craft automated tools to identify and attack these versions.
Security Step #1: Regularly update your software. This may sound like common sense, but it is one of the most commonly overlooked things that can be done to secure your Joomla site. A regular patching schedule should include Joomla installations, extensions, and web servers.
Carrying on that logic, I have a few simple tips regarding Joomla updates.
First, be careful what you download and only download or install Joomla that you’ve obtained from Joomla.org. It is possible that other versions may include malicious software or backdoors.
For those of you looking to cut down on your workload, make sure to update to a version which is 3.7 or greater. These versions of Joomla include an automatic update feature.
Finally, many of us manage multiple Joomla sites; using version control software like Subversion will make life easier.
Many people regularly update their Joomla installation but don’t think to include their plugins in this process. Joomla plugins, while convenient, increase the complexity of a Joomla environment by introducing software created by multiple vendors. Each vendor will have its own level of security expertise, security controls, software development life cycle and code quality.
According to a report by Checkmarx, around 20% of the 50 most popular Joomla plugins are vulnerable to common web attacks. This means that 1 in 5 plugins could take a secure Joomla installation and introduce a security flaw.
Plugin-related security flaws are fairly common. In July one such plugin resulted in 50,000 hacked Joomla sites.
As I stated earlier, the advice to keep your software up to date extends far beyond Joomla installations. Web servers should be running stable, secure versions. Efforts should be made to secure your database. Simple things like changing your table_prefix from the default of WP_ to some other prefix add an extra layer of complexity for would-be hackers.
Earlier in this presentation I mentioned that around 17% of the internet which uses SSL was vulnerable to Heartbleed. It is absolutely worth checking to see that your SSL cert is unaffected by Heartbleed. You can do this fairly easily with tools such as Netcraft, and then replace your certificate if needed.
As a best practice, firewall and anti-virus signatures should also be updated.
One of the most overlooked ways for your web application to be compromised is through the use of lost or stolen credentials. According to the 2014 Verizon Data Breach Report, the use of stolen credentials was this year’s number one threat. Once lost or stolen, credentials combined with automated tools become a powerful way for hackers to trawl the internet and easily compromise websites. What’s worse is that many people re-use credentials across websites, and one stolen credential can result in multiple websites being hacked.
Security Step #2 – Implement Password Security best practices. This probably sounds like a no-brainer but even in 2014 password security is still a top issue. The fact is that many people don’t implement strong password policies.
The felony of the password security world is using default usernames and passwords. There is likely no lower-hanging fruit available for hackers, and for this reason it is of utmost importance that you change them. I suggest also using a non-default username. You can do this by creating a new admin user with a different username and then deleting the default admin account.
Other basic tenets would be creating a password that includes mixed upper and lower case letters, numbers, and special characters. You might consider a passphrase instead of a password as an easy way to remember your longer, stronger password.
No matter what password you choose, it is important to use different passwords for different sites and to update them periodically.
Security step #3 is to implement multi-factor authentication to protect admin areas. Imagine this: you created a strong password in accordance with security step #2, but then somehow, be it an act of god or a disgruntled cube-mate, your username and password ended up on a hacker forum. In this scenario, a hacker could simply use your username and password to log into your website and do as they please.
Two-factor or multi-factor authentication makes this much harder. By using multi-factor authentication, users will need a traditional username and password but also some other form of identification to gain access to a website. Common forms of multi-factor authentication are email, SMS, and Google Authenticator (which has an iPhone/Android app).
Now that we’ve covered the basics, we need to spend some time discussing how to protect yourself against some of the more advanced web attacks that might be launched against your website. According to a report by the Web Application Security Consortium, between 80 and 96% of websites have high risk vulnerabilities.
Moreover, 13% of all vulnerabilities can be compromised automatically. This same report cites the most common web vulnerabilities as cross-site scripting, SQL injection, information leakage, and HTTP response splitting.
Let’s take some time to understand a few of these top attacks. SQL injection is a type of attack which attempts to input database instructions or commands into an application in the hope that the application will blindly pass them on to the database. This is typically accomplished by putting a SQL command or query into an input field not designed for this.
For example, the application was expecting my username and I put an attack in the field instead. If this attack isn’t filtered out before going to the database it can allow hackers to gain access to, change, or delete your database contents.
As a rule, if it is going into your database, clean it first!
Another very common type of web attack is cross-site scripting. This type of attack is similar in nature to a SQL injection in that it is a hacker’s attempt to get a web application to do something it wasn’t designed to do by providing it an input it wasn’t expecting. In this case, the hacker is trying to insert a script, frequently JavaScript, into the website.
Cross-site scripting attacks can result in stolen user cookies or sessions. They can also be used to infect website visitors with malware by sending them to malicious websites where malware is silently downloaded to their computer.
The basic rule for dealing with XSS is as follows, “If user supplied data is going into your application, clean it first!”
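The two "clean it first" rules above, for database input and for page output, side by side with the mistake they prevent. This is an added example, not code from the presentation or from Joomla; the users table, the inputs and the function names are constructed for the demonstration.

```python
# Added example: the vulnerable pattern and its fix for SQL injection and for
# cross-site scripting. Table contents and inputs are constructed, not real data.
import html
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("admin", "hash-1"), ("editor", "hash-2")])
conn.commit()


def find_user_unsafe(username: str) -> list:
    """Vulnerable: the input is pasted into the SQL text, so a value that
    contains SQL syntax is 'blindly passed on to the database'."""
    query = f"SELECT name FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(username: str) -> list:
    """Fixed: a parameterized query. The value travels separately from the
    SQL text, so it can only ever be compared as data, never run as SQL."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user-supplied text dropped straight into the page markup."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Fixed: HTML-encode user data before it goes into the page, so a
    submitted <script> tag is displayed as text instead of executed."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    probe = "' OR '1'='1"  # constructed: SQL syntax where a username was expected
    print(find_user_unsafe(probe))  # every user matches
    print(find_user_safe(probe))    # nothing matches
    print(render_comment_safe("<script>alert(1)</script>"))
```

The parameterized query and the output encoder are the code-level fixes; the WAF in the next step is the alternative when you cannot change the code.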
While changing your code to eliminate web vulnerabilities like SQL injection and cross-site scripting is one way to deal with these problems, it is not the only way. In fact, remediating vulnerabilities at the code level can be time consuming, expensive and potentially not possible if you do not own the code base. Instead, I recommend security step #4, to use a Web Application Firewall, or WAF. WAFs provide the same type of protection that traditional network firewalls provide, but they do it at the application layer by inspecting HTTP/HTTPS traffic for attacks. Best practice is to use a WAF to protect against application layer threats, while continuing to use a traditional firewall to protect against non-HTTP/S based attacks.
As an added benefit, WAFs frequently include other services like two-factor authentication or fraud detection.
Another growing trend on the internet today is the rise of bots, or automated clients. Based on research by the Incapsula team, these bots now make up as much as 61% of website traffic. While much of this traffic is legitimate and does things like indexing web content, testing website connections, populating widgets and providing search engine results, it would be naive to assume this is all they are up to. In fact, roughly 50% of the automated traffic we analyzed was malicious.
Let’s dive deeper on this topic. We already know that legitimate or “benevolent bots” are indexing content for search engines, monitoring website availability and helping us identify website vulnerabilities.
That raises the question: if so much automated traffic is malicious, what are these bad bots doing?
Bad bots do a wide variety of things, including performing the DDoS attacks we just talked about, site scraping to steal website content or intellectual property, SEO and comment spam, and doing reconnaissance to provide hackers with vulnerability information to be used to attack your website.
The most common type of scraping is called site scraping. The goal of this activity is to copy or steal webpage content for use elsewhere. This repurposing of content may or may not be approved by the website owner. Typically bots do this by crawling a website, accessing the source code of the website and then parsing it to extract the key pieces of data they want. After obtaining content, they typically post it elsewhere on the internet.
If you’ve spent any amount of time on blog sites or forums, you’ll likely have noticed suspicious looking posts for sneakers, designer bags, Viagra, Cialis etc.
This is comment spam and it is typically put there by purpose-built bots which seek out websites which accept user comments and are not designed to defend against submissions made by automated clients.
Comment spam, while more of a nuisance than anything else, does have several negative effects on websites. From the user point of view these posts are annoying and result in a worse website viewing experience. They can also direct visitors off to potentially malicious sites where they may be infected with malware. From the website operator point of view they drive traffic away from their websites, can link to competitors’ websites, and are burdensome to identify and clean off of comment sections.
Earlier in the presentation I mentioned that bad bots are a major problem for websites and that they are responsible for a host of different attacks ranging from:
Comment spam
Site scraping
Vulnerability scanning
Automated SEO poisoning
Implementing a solution capable of analyzing web traffic in real time to pinpoint these automated threats will help you greatly improve the security posture of your website. Bot mitigation tools can be purchased as a standalone product or as part of other security solutions including WAFs or Application Delivery Controllers.
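What "analyzing web traffic to pinpoint automated threats" looks like at the smallest scale: an added example (not code from the presentation or from any bot-mitigation product) that reads web-server access-log lines and flags clients showing the bad-bot behaviour listed above. The log lines, client addresses and thresholds are constructed for the demonstration.

```python
# Added example: offline bot triage over combined-format access-log lines.
# Flags request bursts, probing for paths that do not exist (scanner
# behaviour) and comment-form POST floods. All sample data is constructed.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one human visitor (203.0.113.7) and one scripted client (198.51.100.9).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2014:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2014:12:00:09 +0000] "GET /index.php/blog HTTP/1.1" 200 6210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2014:12:00:10 +0000] "GET /administrator/ HTTP/1.1" 200 812 "-" "python-requests/2.3"
198.51.100.9 - - [10/Aug/2014:12:00:10 +0000] "GET /old-site/ HTTP/1.1" 404 210 "-" "python-requests/2.3"
198.51.100.9 - - [10/Aug/2014:12:00:11 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "python-requests/2.3"
198.51.100.9 - - [10/Aug/2014:12:00:11 +0000] "POST /index.php/blog?task=comment HTTP/1.1" 303 0 "-" "python-requests/2.3"
198.51.100.9 - - [10/Aug/2014:12:00:12 +0000] "POST /index.php/blog?task=comment HTTP/1.1" 303 0 "-" "python-requests/2.3"
198.51.100.9 - - [10/Aug/2014:12:00:12 +0000] "POST /index.php/blog?task=comment HTTP/1.1" 303 0 "-" "python-requests/2.3"
"""


def parse(log_text):
    # Yield one dict per well-formed line; malformed lines are skipped.
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec


def flag_bots(log_text, window_s=10, max_requests=5, max_404s=1, max_posts=2):
    """Return {ip: [reasons]} for clients exceeding any threshold inside some
    window_s-second window. Thresholds are hypothetical; tune to real traffic."""
    by_ip = defaultdict(list)
    for rec in parse(log_text):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()
        for i, first in enumerate(recs):  # slide a window starting at each request
            win = [r for r in recs[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_s]
            if len(win) > max_requests:
                reasons.add("request burst")
            if sum(r["status"] == "404" for r in win) > max_404s:
                reasons.add("probing for missing paths")
            if sum(r["method"] == "POST" and "comment" in r["path"] for r in win) > max_posts:
                reasons.add("comment flood")
        if reasons:
            flagged[ip] = sorted(reasons)
    return flagged
```

A real bot-mitigation service does this continuously and with far richer signals (client fingerprinting, reputation, challenge pages); the point here is that the behaviour is visible in the logs you already have.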
Security Step #5 is to implement a DDoS mitigation strategy. As I said at the beginning of my presentation, DDoS attacks take a website offline by overwhelming it with too much traffic or too many requests.
This network diagram shows an example of traffic flow under normal conditions. Website visitors are routed across the internet, through a customer’s Internet service provider and to the destination website. Data is then sent back along this route to the web visitor. DDoS attacks interrupt this flow.
A common type of DDoS attack called a volumetric attack does this by banding together hundreds of thousands of infected computers into a botnet and then using this botnet to attack a single target. On the way to the target website, the volume of this traffic usually becomes so immense that it cannot fit through the internet connection the web owner has purchased from its ISP. The result is that no legitimate web traffic will be able to use this conduit, and thus the website will appear offline until the attack subsides.
If website availability is important to you, then DDoS protection should be too.
Any application without a DDoS mitigation strategy is at risk. DDoS mitigation is tricky to deal with because the volume and complexity of the attacks require specialized tools or services to mitigate them.
There are several options in terms of dealing with DDoS attacks:
Using a DDoS mitigation appliance
Using a DDoS mitigation service
Trying to overprovision bandwidth
Because of where a DDoS protection appliance would be located on a network diagram, I suggest using a DDoS mitigation service.
Here is a network diagram showing internet traffic from website visitors. The traffic moves across the internet, through your ISP, across your internet connection and then to your web application. DDoS appliances are typically deployed here, within your network or datacenter. The reason I suggest a service instead of an appliance has to do with the fact that a large DDoS attack will saturate even a large internet connection upstream of these devices.
Overprovisioning bandwidth to deal with attack volumes, or to give this appliance a fighting chance of dealing with a large attack, is expensive. Instead a specialized DDoS protection service may be preferred.
DDoS mitigation services usually function as cloud networks or scrubbing networks through which traffic is routed for cleansing before it reaches your ISP. This blocks the attack close to its source and away from your network.
One problem that many Joomla users face is shared hosting. One risk associated with many shared hosting services is security. If multiple tenants are sharing the same server and one of them is hacked, there is a chance that other sites on the same server could be vulnerable as well.
Of course this depends on the specific circumstances of the hack and hosting environment, but it is a valid enough concern to bring me to Security Step #6, use a secure hosting environment.
Not all hosting companies are created equal. Website owners concerned with security should pick a hosting company which has existing security controls in place. These security controls should include segregation of environments, whether physical or logical, to prevent the scenario described on the last slide.
Security solutions like network firewalls, intrusion prevention systems and vulnerability scanning services for servers, databases, applications and infrastructure differentiate these companies from bargain hosting services.
When selecting a secure hosting company, look for companies which are SAS 70 Type II or SSAE 16 Type II compliant. These certifications require companies to comply with a myriad of requirements all of which benefit your websites’ security posture.
I am going to throw in a bonus step: secure your personal computer. Many website owners spend time securing their Joomla environments but neglect the security of their own personal computers. Don’t be the weak link in your own security posture by letting something like a malware infection lead to a breach of your website.
Much of this is common sense.
Use Anti-virus and a personal firewall. Update the signatures.
Install updates for your operating system and applications.
Use encryption when possible, etc.
Incapsula Helps Website Owners Solve Operational Problems. Keeping websites and cloud applications available, fast and secure are the fundamental concerns of all website owners. Users expect websites to be available and get annoyed when they are down or when the site won’t load within a few seconds. And customers find somewhere else to shop when an ecommerce site is breached and private customer data is exposed.
Keeping sites fast, secure and available has until now required a complex and expensive mix of hardware and software from several vendors.
Incapsula has changed that by building a cloud service on a global network that provides the security, DDoS Protection, Performance and Availability that website owners need.
Incapsula works by using DNS redirection to reroute website traffic through the Incapsula network.
Once traffic is flowing through Incapsula, malicious traffic is blocked, and legitimate traffic is accelerated. This leads to a more secure, faster loading website.
For a free trial of Incapsula, visit us at www.incapsula.com