© 2013 Imperva, Inc. All rights reserved.
CMS Hacking 101
Analyzing the Risk with 3rd Party Applications
Confidential1
Barry Shteiman
Senior Security Strategist
Agenda
• CMS defined
• Risks and trends
• Recent incidents
• Into the details
  - An attack campaign
  - Industrialized attack campaign
• Reclaiming security
Today’s Speaker - Barry Shteiman
• Senior Security Strategist
• Security consultant working with the CTO office
• Author of several application security tools
• Open source security projects code contributor
• Twitter @bshteiman
CMS Defined
Content Management System
What is a CMS?
A content management system (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface.
Source: https://en.wikipedia.org/wiki/Content_management_system
Deployment Distribution
Source: http://trends.builtwith.com/cms
Enterprise Adoption
Risks and Trends
OWASP Top 10 – 2013 Update
New, A9 - Using Known Vulnerable Components
3rd Party
According to Veracode:
• “Up to 70% of internally developed code originates outside of the development team”
• 28% of assessed applications are identified as created by a 3rd party
When a 3rd Party Brings its Friends
• More than 20% of the 50 most popular WordPress plugins are vulnerable to web attacks
• 7 out of the top 10 most popular e-commerce plugins are vulnerable to common Web attacks
-- Checkmarx Ltd. research lab “The Security State of WordPress’ Top 50 Plugins” white paper, June 18, 2013
You can’t fix code you don’t own, and even if you host your own code, it has third party components in it.
Attack Surface
Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html
BSI is Germany's federal office for information security
In research conducted by BSI in Germany, ~20% of the vulnerabilities discovered were found in the CMS core and ~80% in plugins and extensions.
Classic Web Site Hacking
Hacking
1.  Identify Target
2.  Find Vulnerability
3.  Exploit
Single Site Attack
Classic Web Site Hacking
Multiple Site Attacks: the same three steps (Identify Target, Find Vulnerability, Exploit) are repeated from scratch for every site.
CMS Hacking
Hacking
1.  Identify CMS
2.  Find Vulnerability
3.  Exploit
CMS Targeting Attack
Recent Incidents
3rd Party Code Driven Incidents
• Drupal.org’s own servers were breached via a 3rd party application.
• A 3rd party service provider was hacked; customer data was affected.
• Yahoo’s 3rd party hack, as detailed in Imperva’s January HII report.
HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
CMS Related Incidents
Into the Details
How a CMS Attack Campaign Might Look
The Attacker’s Focus
Server Takeover
Direct Data Theft
CMS Mass Hacking
Source: www.exploit-db.com
Step 1: Find a vulnerability in a CMS platform
Even public vulnerability databases contain thousands of CMS-related vulnerabilities.
CMS Gone Wild(card)
Step 2: Identify a fingerprint in a relevant CMS-based site
A fingerprint can be:
• Image
• URL
• Tag
• Object Reference
• Response to a query
• etc.
Fingerprinted
Tag based: the page source will usually contain fingerprints of the CMS in use (unless obfuscated).
URL based: an administrator interface may be front facing, allowing detection and login attempts.
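The tag-, URL- and header-based fingerprints described above are what a site owner should audit their own responses for. The following is an added example, not code from the deck or from Imperva: it reports every disclosure found in a response and strips the generator tag as a first hardening step. The sample HTML and headers are constructed, and the WordPress/Drupal/Joomla patterns are an assumption about typical markup.

```python
import re
from html.parser import HTMLParser

# Constructed sample response (not from the slides): a CMS front page that leaks
# its platform through a generator meta tag, asset paths and response headers.
SAMPLE_HEADERS = {
    "Server": "Apache",
    "X-Powered-By": "PHP/5.3.3",
    "X-Generator": "Drupal 7 (http://drupal.org)",
}
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 3.5.1" />
<link rel="stylesheet" href="/wp-content/themes/twentytwelve/style.css" />
<script src="/wp-includes/js/jquery/jquery.js"></script>
<link rel="EditURI" type="application/rsd+xml" href="/xmlrpc.php?rsd" />
</head><body><p>Hello</p></body></html>"""

# Tag/header-based fingerprints: generator strings that name the platform.
GENERATOR_PATTERNS = {
    "WordPress": re.compile(r"wordpress", re.I),
    "Drupal": re.compile(r"drupal", re.I),
    "Joomla": re.compile(r"joomla", re.I),
}
# URL-based fingerprints: paths that only a given CMS serves (assumed typical layouts).
PATH_PATTERNS = {
    "WordPress": re.compile(r"/wp-(content|includes|admin)/|/xmlrpc\.php", re.I),
    "Drupal": re.compile(r"/sites/(default|all)/|/misc/drupal\.js", re.I),
    "Joomla": re.compile(r"/administrator/|/media/jui/|/components/com_", re.I),
}


class _Collector(HTMLParser):
    """Collects generator meta tags and every href/src/action URL in the page."""

    def __init__(self):
        super().__init__()
        self.generators = []
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generators.append(a.get("content") or "")
        for key in ("href", "src", "action"):
            if a.get(key):
                self.urls.append(a[key])


def _guess_cms(text):
    return next((n for n, p in GENERATOR_PATTERNS.items() if p.search(text)), "unknown")


def find_fingerprints(headers, html):
    """Return a list of (kind, evidence, cms) for each disclosure in a response."""
    findings = []
    c = _Collector()
    c.feed(html)
    for g in c.generators:                      # tag based
        findings.append(("tag", g, _guess_cms(g)))
    for u in c.urls:                            # URL based
        for cms, p in PATH_PATTERNS.items():
            if p.search(u):
                findings.append(("url", u, cms))
                break
    for name, value in headers.items():         # header based
        if name.lower() in ("x-generator", "x-powered-by"):
            findings.append(("header", f"{name}: {value}", _guess_cms(value)))
    return findings


def strip_generator_tag(html):
    """Hardening step: drop <meta name="generator"> from a response body."""
    return re.sub(r'<meta[^>]*\bname=["\']generator["\'][^>]*>\s*', "", html, flags=re.I)


if __name__ == "__main__":
    for kind, evidence, cms in find_fingerprints(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{kind:7} {cms:10} {evidence}")
```

Removing the generator tag only closes the tag-based channel; the asset paths and headers reported by the audit still need their own fixes.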
Google Dork for the Masses
• Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)
• Results: 144,000
• In our case: Database Host, User and Password Exposed
Botnets Targeting Your CMS
Recently Observed:
• Botnets scan websites for vulnerabilities
• Inject hijack/drive-by code into vulnerable systems
• Onboard hijacked systems into the botnet
From a Botnet Communication
Botnet operator uses zombies to scan sites for vulnerabilities. [Screenshot label: Google Dork]
Botnet exploits vulnerabilities and absorbs victim servers.
* As observed by Imperva’s ADC Research Team
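The dork slide shows exposed wp-config backups being searched for, and the botnet slides show zombies walking sites for such files and admin interfaces. As an added example (not from the deck or from Imperva), the detection below runs over web server access-log lines and flags a source that hits several distinct CMS-specific sensitive paths within a short window. The log lines, the probe-path list and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" access-log lines (not from the slides). 203.0.113.7
# probes config backups and login endpoints; the other two sources browse normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2013:08:01:02 +0000] "GET /wp-config.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2013:08:01:03 +0000] "GET /wp-config.conf HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2013:08:01:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1802 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2013:08:01:04 +0000] "GET /administrator/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2013:08:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2013:08:01:06 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2013:08:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2013:08:02:09 +0000] "GET /wp-content/themes/twentytwelve/style.css HTTP/1.1" 200 812 "http://example.com/" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2013:08:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1802 "-" "Mozilla/5.0"
"""

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# CMS-specific paths a legitimate visitor rarely requests in bulk (assumed list).
PROBE_PATHS = [
    re.compile(r"^/wp-config\.(txt|conf|php\.(bak|old|save|swp))$", re.I),  # config backups
    re.compile(r"^/(wp-login\.php|wp-admin/?|xmlrpc\.php)$", re.I),          # WordPress login/RPC
    re.compile(r"^/administrator/?$", re.I),                                  # Joomla admin
    re.compile(r"^/user/login/?$", re.I),                                     # Drupal login
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore query string
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_probe(path):
    return any(p.match(path) for p in PROBE_PATHS)


def find_scanners(lines, window_seconds=300, min_probes=3, min_distinct=2):
    """Flag source IPs that request >= min_probes sensitive paths, covering
    >= min_distinct distinct paths, inside any window of window_seconds."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):            # sliding window over this IP's probes
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            if len(window) >= min_probes and len({r["path"] for r in window}) >= min_distinct:
                flagged[ip] = {
                    "probes": len(recs),
                    "distinct_paths": sorted({r["path"] for r in recs}),
                    "not_found": sum(1 for r in recs if r["status"] == 404),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

A high 404 share among the flagged requests is the usual sign of a scanner walking a path list it was given for a different CMS; a 200 on a config-backup path is the case to treat as an exposure, not just a probe.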
Reclaiming Security
Securing 3rd Party Applications
Analyzing the Attack Surface
Graphics Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html
BSI is Germany's federal office for information security
Certain vulnerabilities in 3rd party applications can only be properly fixed using Web Application Firewalls.
Deployment Matters
On premise deployment: applications and 3rd party code deployed in your virtual/physical data center.
Cloud based deployment: hosted applications and B2B services.
[Diagram labels: Imperva Incapsula, Cloud]
Recommendations
When a company builds its security model, it usually does not take into account elements that are not under its control, which creates the security hole.
Companies should:
• Implement policies on both the legal and technical aspects to control data access and data usage.
• Require third party applications to accept your security policies and put proper controls in place.
• Monitor.
Technical Recommendations
• Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
• Pen test before deployment to identify these issues
• Deploy the application behind a WAF to
  - Virtually patch pen test findings
  - Mitigate new risks (unknown at pen test time)
  - Mitigate issues the pen tester missed
  - Use cloud WAF for remotely hosted applications
• Virtually patch newly discovered CVEs
  - Requires a robust security update service
Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
• Post-Webcast Discussions
• Answers to Attendee Questions
• Webcast Recording Link
• Presentation Materials
www.imperva.com

A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Dernier (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

CMS Hacking 101

  • 1. CMS Hacking 101: Analyzing the Risk with 3rd Party Applications. Barry Shteiman, Senior Security Strategist. © 2013 Imperva, Inc. All rights reserved.
  • 2. Agenda: CMS defined; risks and trends; recent incidents; into the details (an attack campaign, an industrialized attack campaign); reclaiming security.
  • 3. Today's Speaker - Barry Shteiman: Senior Security Strategist; security consultant working with the CTO office; author of several application security tools; code contributor to open source security projects; Twitter @bshteiman.
  • 4. CMS Defined: Content Management System.
  • 5. What is a CMS? A content management system (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface. Source: https://en.wikipedia.org/wiki/Content_management_system
  • 6. Deployment Distribution. Source: http://trends.builtwith.com/cms
  • 7. Enterprise Adoption.
  • 8. Risks and Trends.
  • 9. OWASP Top 10 – 2013 Update. New: A9 - Using Known Vulnerable Components.
  • 10. 3rd Party. According to Veracode: "Up to 70% of internally developed code originates outside of the development team"; 28% of assessed applications are identified as created by a 3rd party.
  • 11. When a 3rd Party Brings its Friends. More than 20% of the 50 most popular WordPress plugins are vulnerable to web attacks; 7 out of the top 10 most popular e-commerce plugins are vulnerable to common Web attacks (Checkmarx Ltd. research lab, "The Security State of WordPress' Top 50 Plugins" white paper, June 18, 2013). You can't fix code you don't own; even if you host your own, that code has third-party components in it.
  • 12. Attack Surface. In research conducted by BSI in Germany, ~20% of the vulnerabilities discovered were found in the CMS core and ~80% in plugins and extensions. Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html (BSI is Germany's federal office for information security.)
  • 13. Classic Web Site Hacking - Single Site Attack: 1. Identify target 2. Find vulnerability 3. Exploit.
  • 14. Classic Web Site Hacking - Multiple Site Attacks: the same three steps (identify target, find vulnerability, exploit) repeated for every site.
  • 15. CMS Hacking - CMS Targeting Attack: 1. Identify CMS 2. Find vulnerability 3. Exploit.
  • 16. Recent Incidents.
  • 17. 3rd Party Code Driven Incidents: breached via a 3rd party application on Drupal.org's own servers.
  • 18. 3rd Party Code Driven Incidents: 3rd party service provider hacked, customer data affected.
  • 19. 3rd Party Code Driven Incidents: Yahoo's 3rd party hack as detailed in Imperva's January HII report. HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
  • 20. CMS Related Incidents.
  • 21. Into the Details: How a CMS Attack Campaign Might Look.
  • 22. The Attacker's Focus: server takeover; direct data theft.
  • 23. CMS Mass Hacking. Step 1: Find a vulnerability in a CMS platform. Even public vulnerability databases contain thousands of CMS-related vulnerabilities. Source: www.exploit-db.com
  • 24. CMS Gone Wild(card). Step 2: Identify a fingerprint in a relevant CMS-based site. A fingerprint can be an image, a URL, a tag, an object reference, a response to a query, etc.
  • 25. Fingerprinted - Tag based: the code will usually contain fingerprints of the CMS in use (unless obfuscated).
  • 26. Fingerprinted - URL based: an administrator interface may be front facing, allowing detection and login attempts.
  • 27. Google Dork for the Masses. Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config). Results: 144,000.
  • 28. Google Dork for the Masses. In our case: database host, user and password exposed.
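A defender's counterpart to the wp-config search on slides 27-28, added here as an example (not from the deck): a Python audit that walks a WordPress document root for leftover non-.php copies of wp-config and reports which credential names (never their values) each one would expose. The filename patterns and the sample tree it builds are constructed for this example.

```python
import os
import re
import tempfile

# Filenames an operator typically leaves behind: editor backups and renamed copies
# of wp-config.php that the web server serves as plain text instead of executing.
# The pattern list is an assumption for this example, built from the deck's
# wp-config.conf / wp-config.txt case.
LEFTOVER_RE = re.compile(
    r"^wp-config(?:\.php)?(?:\.(?:txt|conf|config|bak|old|orig|save|swp)|~)$",
    re.IGNORECASE)

# PHP define() names that matter if such a file is readable: the DB credentials.
SENSITIVE_DEFINES = ("DB_HOST", "DB_USER", "DB_PASSWORD", "DB_NAME")
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,""")


def find_leftover_configs(webroot):
    """Return relative paths of wp-config copies whose extension is not .php."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if LEFTOVER_RE.match(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(hits)


def exposed_secrets(path):
    """Return the names (never the values) of sensitive defines present in the file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        names = set(DEFINE_RE.findall(fh.read()))
    return [n for n in SENSITIVE_DEFINES if n in names]


def audit(webroot):
    """Map each leftover config copy to the credential names it would leak."""
    return {rel: exposed_secrets(os.path.join(webroot, rel))
            for rel in find_leftover_configs(webroot)}


def build_sample_webroot():
    """Create a constructed WordPress-like tree with two forgotten config copies."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    # Constructed sample config; the values are placeholders, not real credentials.
    config = ("<?php\ndefine('DB_NAME', 'shop');\ndefine('DB_USER', 'shop_rw');\n"
              "define('DB_PASSWORD', 'placeholder-not-real');\n"
              "define('DB_HOST', 'db.internal');\n")
    for name in ("wp-config.php", "wp-config.txt", "wp-config.php.bak"):
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(config)
    with open(os.path.join(root, "wp-content", "uploads", "notes.txt"), "w") as fh:
        fh.write("nothing secret here\n")
    return root
```

Run `audit(build_sample_webroot())` to see the two backup copies reported with all four DB_* names; the live wp-config.php itself is correctly left out because PHP executes it rather than serving it.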
  • 29. Botnets Targeting Your CMS. Recently observed: botnets scan websites for vulnerabilities; inject hijack/drive-by code into vulnerable systems; onboard the hijacked systems into the botnet.
  • 30. From a Botnet Communication: the botnet operator uses zombies to scan sites for vulnerabilities (via Google Dork). * As observed by Imperva's ADC Research Team.
  • 31. From a Botnet Communication: the botnet exploits vulnerabilities and absorbs victim servers. * As observed by Imperva's ADC Research Team.
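The botnet scanning on slides 29-31 leaves a recognisable trail in ordinary web server logs. As an added example (not part of the deck), this Python detector parses constructed Apache combined-format lines and flags clients that probe admin or config paths belonging to several CMS families, or that collect many 404s on such paths. The probe-path list and the log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (sample data, not from the deck).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2013:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:10:01:02 +0000] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:10:01:03 +0000] "GET /wp-config.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:10:01:03 +0000] "GET /wp-config.conf HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:10:01:04 +0000] "GET /user/login HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2013:10:02:10 +0000] "GET /index.php?p=3 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Jun/2013:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+')

# (cms_family, path regex): admin/login/config paths that identify a CMS family.
# The list is an assumption for this example, covering the CMSes the deck names.
PROBE_PATHS = [
    ("wordpress", re.compile(r"^/wp-login\.php$")),
    ("wordpress", re.compile(r"^/wp-config\.(?:txt|conf|config|bak|old)$")),
    ("wordpress", re.compile(r"^/xmlrpc\.php$")),
    ("joomla", re.compile(r"^/administrator/")),
    ("drupal", re.compile(r"^/user/login$")),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def classify_path(path):
    """Return the CMS family a probe path belongs to, or None for ordinary traffic."""
    for family, rx in PROBE_PATHS:
        if rx.match(path):
            return family
    return None


def find_cms_scanners(log_text, min_families=2, min_probe_misses=3):
    """Return {ip: summary} for clients that look like CMS reconnaissance: probes for
    >= min_families CMS families (no visitor of one WordPress site needs Joomla's admin
    console and Drupal's login), or >= min_probe_misses probe requests answered 404."""
    per_ip = defaultdict(lambda: {"total": 0, "probe_misses": 0, "families": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["total"] += 1
        family = classify_path(rec["path"])
        if family is None:
            continue
        s["families"].add(family)
        if rec["status"] == 404:
            s["probe_misses"] += 1
    return {ip: {**s, "families": sorted(s["families"])} for ip, s in per_ip.items()
            if len(s["families"]) >= min_families or s["probe_misses"] >= min_probe_misses}
```

On the sample, only 203.0.113.7 is flagged (three CMS families, five misses); the single successful /wp-login.php request from 192.0.2.5 is an ordinary administrator login and stays unflagged.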
  • 32. Reclaiming Security: Securing 3rd Party Applications.
  • 33. Analyzing the Attack Surface. Certain vulnerabilities in 3rd party applications can only be properly fixed using Web Application Firewalls. Graphics source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html (BSI is Germany's federal office for information security.)
  • 34. Deployment Matters. On premise deployment: applications and 3rd party code deployed in your virtual/physical data center. Cloud based deployment: hosted applications and B2B services (Imperva Incapsula Cloud).
  • 35. Recommendations. When a company builds its security model it usually does not take into account elements that are not under its control, which creates the security hole. Companies should: implement policies, on both the legal and technical aspects, to control data access and data usage; require third party applications to accept your security policies and put proper controls in place; monitor.
  • 36. Technical Recommendations. Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities. Pen test before deployment to identify these issues. Deploy the application behind a WAF to: virtually patch pen test findings; mitigate new risks (unknown at pen test time); mitigate issues the pen tester missed; use a cloud WAF for remotely hosted applications. Virtually patch newly discovered CVEs (requires a robust security update service).
  • 37. Post-Webcast Discussions. Join the Imperva LinkedIn Group, Imperva Data Security Direct, for answers to attendee questions, the webcast recording link and presentation materials.
  • 38. www.imperva.com