Joomla Security Simplified — Seven Easy Steps For a More Secure Website
•
2 j'aime•1,094 vues
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Joomla Security Simplified — Seven Easy Steps For a More Secure Website
Similaire à Joomla Security Simplified — Seven Easy Steps For a More Secure Website (20)
Plus de Imperva Incapsula
Plus de Imperva Incapsula (20)
Dernier
Dernier (20)
Joomla Security Simplified — Seven Easy Steps For a More Secure Website
- 1. Presented by: Orion Cassetto, Sr. Product Marketing Manager, Incapsula Joomla Security Simplified — Seven Easy Steps For a More Secure Website
- 2. What’s with the ‘Stache? Movember. Of Course! (http://mobro.co/orioncassetto) Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.2 ?
- 3. Mustache Aspirations Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.3
- 4. Overview • Recent web security events and major security threats • Seven easy steps for a more secure website • Automated tools to secure and improve performance on Joomla sites Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.4
- 5. Major Hacks of 2014 2014 has several enormous data breaches from hackers including:
- 6. Heartbleed – the Epic SSL Crisis of 2014 • Heartbleed is a security bug that was disclosed in April of 2014 • It was present in the widely used Open SSL Cryptography • When disclosed, around 17% of the Internet's secure web servers was vulnerable • Why do I care? > The vulnerability allowed for the theft of the servers' private keys and users' session cookies and passwords “Some might argue that [Heartbleed] is the worst vulnerability found since commercial traffic began to flow on the Internet.” Joseph Steinberg – Forbes Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.6
- 7. Semalt Hijacks Hundreds of Thousands of Computers for Referrer Spam What is it? 1. Semalt is a Ukrainian search engine optimization (SEO) “company” 2. They used malware to hijack computers and create a giant botnet 3. This Botnet visits sites across the internet with fake referral sources What damage could this cause your website? • Long term SEO Damage to your website’s rankings • Complete search engine result page blacklisting and removal Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.7
- 8. Distributed Denial Of Service (DDoS) Attacks • DDoS attack are attacks where many infected computers band together to attack a single target • These attacks exhaust network connections and server resources causing website outages Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.8
- 9. Seven easy steps for a more secure website Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.9
- 10. Websites Have Many Vulnerabilities 96% of web applications have vulnerabilities 96% WEB APP Sources: Cenzic, Inc. – Feb. 2014, Incapsula, Inc. –2013 13% of websites can be compromised automatically 13%
- 11. Known Vulnerabilities are Common and Easy to Find • When a new Joomla version is released, vulnerability details of the prior version are released • Older versions are thus easier to attack • Automated tools can be created to identify and attack these versions Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.11
- 12. Security Step #1 - Regularly Update EVERYTHING All Software should be updated Regularly including. Create a regular schedule to update patches for: • Joomla • Extensions • Web servers
- 13. Tips for Keeping Joomla Updated • Be careful what you download > Never download or install Joomla from any website other than http://Joomla.org. Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.13
- 14. • More extensions on your Joomla site means more software to keep up to date • Include patches in your update schedule • Use trusted vendors. Each vendor has its own > Security Controls > SDLC > Code Quality Don’t Forget to Update Extensions Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.14
- 15. Other Software is Potentially Vulnerable too • Run stable, secure versions of web servers • Avoid Default Anything (particularly database tables) > Make sure your Database is as secure as possible > Consider changing your “table_prefix” from the default “jos_” • Update SSL certs after Heartbleed (if necessary) • Update firewall signatures • Update anti-virus signatures Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.15
- 16. Use of Stolen Credentials Reigns Supreme • Use of stolen authentication credentials by hackers is the number one threat of 2013 • Once stolen hackers can use credentials at other websites to increase the impact of a breach • Automated tools combined with stolen password lists become a dangerous combination Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.16 Sources: Verizon Data Breach Report 2014
- 17. Security Step #2 - Implement Password Security • Avoid Default UN/Passwords • Implement Strong Passwords > Goal: Hard to Guess / Hard to brute Force attack > Include – MiXed CASe > Include – NuMB3rS > Include – SP3C!4LCh@R$ > Use a password phrase – BowTies 4r3 Co0l! • Use different passwords for different sites • Change your password periodically • Consider using a password management tool Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.17
- 18. Security Step #3 - Implement Multi-factor Authentication Problem • Lost or stolen passwords allow hackers to bypass your security measure Solution • Secure Admin areas with multi-factor authentication > Email > SMS > Google Authenticator > Other Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.18
- 19. Security Step #4 – Use a Web Application Firewall (WAF) 80~96% of all websites have high risk vulnerabilities 13% of websites can be compromised automatically Most wide spread vulnerabilities are • Cross-site Scripting • SQL Injection • Information Leakage • HTTP Response Splitting Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.19 Sources: WASC - http://projects.webappsec.org/w/page/13246989/Web%20Application%20Security%20Statistics
- 20. SQL Injection – What it is and why it matters • What is SQL Injection? > SQL Injection attacks attempt to use application code to access or corrupt database content > It is accomplished by embedding SQL statements in user supplied Data > Example: • What happens if a hacker exploits this vulnerability? > They can access your database and it’s data. • Basic Rule > If it is going into your database, clean it up first! Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.20 'OR “=” The application was expecting my name, but I entered an SQL Statement
- 21. Cross Site Scripting (XSS) – What it is and why it matters • What is XSS? > A type of attack in which hackers inject scripts (like JavaScript) into otherwise trusted websites • What happens if a hacker exploits an XSS vuln on my website? > Stolen cookies or sessions > Redirection to a malicious page • Basic Rule > If user supplied data is going into your application, clean it up first! Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.21 Attacker inserts malicious unfiltered code into an application1 User visits the web page and malicious code is returned with the web page 2 Attacker gains control over user data or system via injected exploit 3
- 22. Security Step #4 - Use a Web Application Firewall (WAF) • WAFs provide similar protection as traditional network layer firewall but for a web application • Using a WAF can protect website from application layer hacking attempts • WAFs should be used in conjunction with traditional firewalls Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.22
- 23. Automated Clients are the Majority of Web Traffic Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.23 Over 61%of all website traffic is non-human. 61.5% Non-Human Traffic 38.5% Human Traffic 1/2of that is malicious.
- 24. The Impact of Bots on Website Security • DDoS • Site Scraping • Comment Spam • SEO Spam • Fraud • Vulnerability scanning Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.24 • Search Engine Crawling • Website Health Monitoring • Vulnerability Scanning Good Bots Bad Bots
- 25. Site Scraping • Site Scraping is when a bot visits a website to copy or steal content • Usually done by reading and parsing web page source code Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.25 Your Site Their Site <!DOCTYPE <HTML> <HEAD> <TITLE>… Your Code Your Content
- 26. Bots and Comment Spam • What is Comment Spam > Posts in comment sections on websites allegedly linking to: - Steams of popular TV shows - Cheap Shoes - Designer bags, - Viagra, Cialis, etc. • How bots are involved > Bots are used to automatically find victim sites and insert spam posts • Why it matters > Comment spam is frequently responsible for - Worse user experiences - Lower website conversions (links usually exit your site) - Malware distribution (infecting your visitors)
- 27. Brute Force Attacks Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.27 Your Joomla Site
- 28. # 5 Identify and Block Bad Bots • Don’t rely on robots.txt • Implement a solution which can block bad bots to prevent > Comment Spam > Site Scraping > Vulnerability Scanning > Automated SEO Poisoning • Bot Mitigation can be > Standalone service or appliance > Part of other tools like a WAF Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.28
- 29. Security Step #6 Implement a DDoS mitigation Strategy • DDoS attacks make your website completely inaccessible Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.29 Legitimate Traffic Your Site Your Internet Connection • If website availability is important to you, then DDoS protection should be too • Any application without a DDoS mitigation strategy is at risk DDoS Traffic Your ISP
- 30. Defend against DDoS attacks • DDoS mitigation services are preferable to Mitigation Appliances • Overprovisioning bandwidth is expensive Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.30 Legitimate Traffic Your Site Your Internet Connection DDoS Traffic Your ISP DDoS Mitigation Appliance
- 31. DDoS Mitigation Requires Specialized Tools or Services • DDoS mitigation services are preferable to Mitigation Appliances • Overprovisioning bandwidth is expensive • DDoS attacks should be mitigated close to their source (away from your network) Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.31 Legitimate Traffic Your Site Your Internet Connection DDoS Traffic Your ISP DDoS Mitigation Service
- 32. Security Step #7 - Use a Secure Hosting Environment Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.32 Problem • If any site on a server is hacked, there's a chance that any other site on that same server could be vulnerable. Hacked Website Your Website Server
- 33. Security Step #7 - Use a Secure Hosting Environment Pick a Secure Hosting Provider that offers • Segregated environment (physically or logically) • Network layer firewalls • Vulnerability scanning > Infrastructure > Servers > Databases > Applications • Backup Services • Security Certification > SAS 70 Type II > SSAE 16 Type II Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.33
- 34. Bonus Security Step - Secure Your Personal Computers Don’t let your computer sabotage your security efforts with malware • Install antivirus and regularly update the signatures • Keep your personal computer’s OS, programs, and plug-ins updated • Use personal firewalls • Open sites with HTTPs whenever possible • Use secure FTP (SFTP) instead of FTP Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.34
- 35. Incapsula Helps Website Owners Solve Operational Problems PerformanceSecurity Availability Solving Top Operational Problems Delivered from the Cloud
- 36. Incapsula Application Delivery Cloud Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.36
- 37. Website Security and Performance in Minutes with a Simple DNS Change Incapsula, Inc. / Proprietary and Confidential. All Rights Reserved.37 By routing website traffic through the Incapsula network, malicious traffic is blocked, and legitimate traffic is accelerated. Incapsula Network Your Website Legitimate Traffic For a Free Trial of Incapsula visit us at www.Incapsula.com
- 38. Please send follow up questions to info@incapsula.com Twitter: @orionevolution Movember: mobro.co/orioncassetto Thank you
Notes de l'éditeur
- Today we will be talking about: Recent web security events Six easy steps for a more secure website Automated tools to secure and improve performance on Joomla sites
- To set the stage for our discussion I’m going to begin by talking about the Web Security Landscape. The news this year, like many years prior, has seen headlines filled with well known companies falling victim to hackers. [Click] These data breaches frequently result in the theft of millions upon millions of names, passwords, credit card numbers and other personal information. Even large companies with expansive security budgets are not immune to the impact of hackers. But hackers don’t just target large firms, they attack sites of all sizes, including Joomla sites. The motives behind attacks are plentiful, they can range from: Acquiring resources for botnets Distributing Malware Stealing customer data Political Activism And even plain old malice
- One of the largest security events of the year was Heartbleed. Heartbleed is a vulnerability that was disclosed in April. It is essentially a security flaw that was present in OpenSSL, a implementation of the Transport Layer Security or TLS protocol and it is used for encrypting Internet traffic. In April 2014, at the time of disclosure, Open SSL was used to encrypt around 17% of the internet. [Click] The Heartbleed vulnerability potentially provided hackers with a well documented method of stealing user sessions, SSL private keys, cookies, and passwords from vulnerable websites. In other words, it gave hackers the keys to the kingdom for all vulnerable websites. The significance of this vulnerability cannot be understated due to its scope and severity. In the words of Joseph Steinberg, cybersecurity reporter for Forbes, “ Some might argue that [Heartbleed] is the worst vulnerability found since commercial traffic began to flow on the internet.
- Another major security event which happened very recently, is the Semalt referrer spam campaign. This campaign illustrates an amalgamation of several different security threats in a single insidious attack. Those threats being Bots, malware, and Search engine Optimization (also known as SEO) tampering and spam. [Click] Semalt is a Ukrainian based “SEO” Company which recently launched an enormous referral spam campaign. The campaign utilized a botnet of some 290,000 malware infected computers to crawl the internet looking for vulnerable targets and then attacking them. Once a victim was found, the botnet visited them with a fake referral source. These referral sources belong to websites that Semalt was paid to improve search engine rankings for. Referral links are one of the criteria which Google uses to evaluate search engine rankings. When googles crawls the victim websites it will notice all of these fake referral links in the public logs of these websites and then increase the SEO ranking of Semalt’s “clients”. Why does that matter for you or any website owner? This referral spam needs to be identified and blocked because the presence of fake SEO referrals can cause long term SEO Damage to your website’s Search engine results and can result in complete blacklisting or removal from page results. Being blacklisted from Google search results would clearly have a large negative impact on your website.
- Finally lets take a look at DDoS attacks. DDoS stands for distributed Denial of Service and it is a type of attack where hundreds or thousands of infected computers band together into a single weapon, referred to as a “bot net”. This botnet is then used to attack a single target with the goal of overwhelming the network or server it is using, thus creating a website outage. DDoS attacks are quickly becoming a favorite weapon for attackers because they are relatively cheap to perform and difficult to defend against. One interesting campaign that happened earlier this year around February and March targeted high profile SaaS companies such as Meetup and Basecamp. These SaaS companies have built successful online applications that can scale to support million of users and deliver huge amounts of content. Still all of these examples, and many more, were brought down with DDoS attacks. It is frequently the case that DDoS attackers will request ransom was for small amounts of money, like a couple hundred dollars in exchange for ending the attack and restoring the website’s availability. Although the dollar amount requested may be small, these attacks are typically large enough to bring down any company that does not have an active DDoS mitigation solution in place.
- The fact of the matter is that websites typically have vulnerabilities. The problem is so widespread that – according to a report by Cenzic, a leading vulnerability scanner – 96% of today’s web apps have vulnerabilities and 13% of websites can be compromised automatically. These vulnerabilities leave websites susceptible to attack. http://www.darkreading.com/vulnerabilities---threats/websites-harbor-fewer-flaws-but-most-have-at-least-one-serious-vulnerability/d/d-id/1139670?
- Now that we have discussed some of the larger security events which have transpired during this year, we are going to shift gears and bring the focus back to Joomla and Securing Joomla Sites. [click] The first thing to understand is almost all software has vulnerabilities. As code bases change, these vulnerabilities are created and remediated. According to a report by Whitehat as much as 73% of Joomla installations have vulnerabilities. Many of these vulnerabilities are easily found because whenever a new Joomla version is released, security details about the old versions are also released. This means older versions are easier to attack, and attackers can craft automated tools to identify and attack these versions.
- Security Step #1 Regularly update your software. This may sound like common sense but this is one of the most commonly overlooked things that can be done to secure your Joomla site. A regular patching schedule should include Joomla installations, extensions, and Web Servers.
- Carrying on that logic, I have a few simple tips regarding Joomla updates. First, be careful what you download and only download or install Joomla that you’ve obtained from Joomla.org. It is possible that other versions may include malicious software or backdoors. For those of you looking to cut down on your workload, make sure to update to a version which is 3.7 or greater. These versions of Joomla include an automatic update feature. Finally, many of us manage multiple Joomla sites, using a version control software like Subversion will make life easier.
- Many people regularly update their Joomla installation but don’t think to include their plugins in this process. Joomla plugins, while convenient, increase the complexity of a Joomla environment by introducing software created by multiple vendors. Each vendor will have it’s own level of security expertise, security controls, software development life cycle and code quality. According to a report by Checkmarx, around 20% of the 50 most popular Joomla plugins are vulnerable to common web attacks. This means that 1 in 5 plugins could take a secure Joomla installation and introduce a security flaw. Plug-in related security flaws are fairly common. In July one such plugin resulted in 50,000 hacked Joomla Sites.
- As I stated earlier, the advice to keep your software up to date extends far beyond Joomla installations. Web servers should be running stable, secure versions. Efforts should be made to secure your database. Simple things like changing your table_prefix from the default of WP_ to some other prefix add an extra layer of complexity for would-be hackers. Earlier in this presentation I mentioned that around 17% of the internet which uses SSL was vulnerable to Heartbleed. It is absolutely worth checking to see that your SSL cert is unaffected by Heartbleed. You can do this fairly easily with tools such as Netcraft and then replacing your certificate if needed. As a best practice firewalls and Anti-virus signatures should also be updated.
- One of the most overlooked ways for your web application to be compromised is through the use of Lost or stolen credentials. According to the 2014 Verizon Data breach report, the use of stolen credentials was this years number 1 threat. Once lost or stolen, credentials combined with automated tools because a powerful way for hackers to troll the internet and easily compromise websites. Whats worse is that many people re-use credentials across web sites and one stolen credential can result in multiple websites being hacked.
- Security Step #2 – Implement Password Security best practices. This probably sounds like a no-brainer but even in 2014 password security is still a top issue. The fact is that many people don’t implement strong password policies. The felony of the password security world is using default usernames and passwords. There is likely no lower hanging fruit available for hackers and for this reason it is of utmost importance than you change them. I suggest also using a non default user name. you can do this by creating a new admin user with a different user name and then deleting the default admin account. [click} Other basic tenants would be creating a password that include mixed upper and lower cases, numbers, and special characters. You might consider a password phrase instead of a password as an easy way to remember your longer, stronger password. [Click] No matter what password you choose, it is important to use different passwords for different sites and to update them periodically.
- Security step #3 is to implement multi-factor authentication to protect admin areas. Imagine this, you created a strong password In accordance with security step #2 but then somehow, be it act of god, or a disgruntled cube-mate, your username and password ended up on a hacker forum. In this scenario, a hacker could simply use your username and password to simply log into your website and do as they please. [Click] Two factor or Multi-factor authentication makes this much harder. By using multi-factor authentication, users will need a traditional username and password but also some other form of identification to gain access to a website. Common forms of multi-factor authentication are email, sms, and google authenticator (which has an iphone/android app).
- Now that we’ve covered the basics, we need to spend some time to discuss how to protect yourself against some of the more advanced web attacks that might be launched against your website. According to a report by the Web Application Security Consortium, between 80 and 96% of websites have high risk vulnerabilities. [click] Moreover 13% of all vulnerabilities can be compromised automatically. This same report sites the most common web vulnerabilities are cross site scripting, SQL injection, Information leakage, and HTTP response splitting.
- Let’s take some time to understand a few of these top attacks. SQL injection is a type of vulnerability which attempts to input database instructions or commands into an application in hopes that the application will blindly pass them on to the database. This is typically accomplished by putting a SQL command or query into an input field not designed for this. [Click] For example, the application was expecting my username and I put an attack in the field instead. If this attack isn’t filtered out before going to the database it can allow hackers to gain access to, change, or delete your database contents. [click] As a rule, if it is going into your database, clean it first!
- Another very common type of web attack is Cross site scripting. This type of attack is similar in nature as a SQL injection in that it is a hackers attempt to get a web application to do something it wasn’t designed to do by providing it an input it wasn’t expecting. In this case, the hacker is trying to insert a script, frequently JavaScript into the website. [Click] Cross site scripting attacks can result in stolen user cookies or sessions. They can also be used to infect website visitors with malware but sending them to malicious websites where malware is silently downloaded to their computer. [Click] The basic rule for dealing with XSS is as follows, “If user supplied data is going into your application, clean it first!”
- While changing your code to deal eliminate web vulnerabilities like SQL Injection and Cross Site scripting is one way to deal with these problems it is not the only way. In fact, remediating vulnerabilities at the code level can be time consuming, expensive and potentially not possible of you do not own the code base. Instead, I recommend security step #4, to use a Web Application Firewall, or WAF. WAFs provide the same type of protection that traditional network firewalls provide, but they do it at the application layer by inspecting http/https traffic for attacks. Best practice is to use a WAF to protect against application layer threats, while continuing to use a traditional firewall to protect against non-http/s based attacks. As an added benefit, WAFs frequently include other services like 2 factor authentication or fraud detection.
- Another growing trend on the internet today is the rise of bots, or automated clients. Based on research by the Incapsula team, these bots now make up as much as 61% of website traffic. While much of this traffic is legitimate and does things like indexing web content, testing website connections, populating widgets and providing search engine results, it would be naive to assume this is all they are up to. In fact, roughly 50% of the automated traffic we analyzed was malicious.
- Let’s dive deeper on this topic. We already know that legitimate or “benevolent bots” were indexing content for search engines, monitoring website availability and helping us website vulnerabilities. That begs the question, if so much of automated traffic is malicious, what are these bad bots doing? [Click] Bad bots do a wide variety of things, including Performing the DDoS attacks we just talked about, site scraping to steal website content or intellectual property, SEO and comment spam, and doing reconnaissance to provide hackers with vulnerability information to be used to attack your website.
- The most common type of scraping is called site scaping. The goal of this activity is to copy or steal webpage content for use elsewhere. This repurposing of content may or may not be approved by the website owner. Typically bots do this by crawling a website, accessing the source code of the website and then parsing it to remove the key pieces of data they want. After obtaining content, they typically post it elsewhere on the internet.
- If you’ve spent any amount of time on blog sites or forums, you’ll likely have noticed suspicious looking posts for sneakers, designer bags, Viagra, Cialis etc. [click] This is comment spam and it is typically put there by purpose built bots which seek out websites which accept user comment and are not designed to defend against submissions made by automated clients. [click] Comment spam, while more of a nuisance than anything else does have several negative affects on web sites. From the user point of view these posts are annoying and result in a worse website viewing experience. They can also direct visitors of to potentially malicious sites where they may be infected with Malware. From the website operator point of view they drive traffic away from their websites, can link to competitors’ websites, and are burdensome to identify and clean off of comment sections.
- Earlier in the presentation I mentioned that bad bots are a major problem for websites and that they are responsible for a host of different attacks ranging from: Comment Spam Site Scraping Vulnerability Scanning To Automated SEO Poisoning Implementing a solution capable of analyzing web traffic in real time to pin-point these automated threats will help you greatly improve the security posture of your website. Bot mitigation tools can be purchased as a standalone product or as part of other security solutions including WAFs, or Application Delivery Controllers.
- Security Step #5 is to implement a DDoS mitigation Strategy. As I said at the beginning of my presentation, DDoS attacks take a website offline by overwhelming it with too much traffic or too many requests. [Click] This network diagram shows an example of traffic flow under normal conditions. Website visitors are routed across the internet, through a customer’s Internet service provider and to the destination website. Data is then sent back along this route to the web visitor. DDoS attacks interrupt this flow. [Click] A common type of DDoS attack called a volumetric attack does this by banding together hundreds of thousands of infected computers into a botnet. Then using this botnet to attack a single target. On the way to the target website, the volume of this traffic usually becomes so immense that it cannot fit through the internet connection the web owner has purchased from it’s ISP. The result is that no legitimate web traffic will be able to use this conduit and thus the website will appear offline until the attack subsides. [Click] If website availability is important to you, then DDoS protection should be too [click] Any application without a DDoS mitigation strategy is at risk. DDoS mitigation is tricky to deal with because the volume and complexity of the attacks requires specialized tools or services to mitigate it.
- There are several options in terms of dealing with DDoS attacks: Using a DDoS mitigation appliance Using a DDOS mitigation service Trying to overprovision bandwidth Because of where a DDOS protection appliance would be located on a network diagram, I suggest using a ddos mitigation service. [click] Here is a network diagram showing internet traffic from website visitors. The traffic moves across the internet, through your ISP, across your internet connection and then to your web application. DDoS appliances are typically deployed here, within your network or datacenter. The reason I suggest a service instead of an appliance has to do with the fact that a large DDOS attack will saturate even a large internet connection upstream of these devices. [click] Overprovisioning bandwidth to deal with attack volumes or give this appliance a fighting shot of dealing with a large attack is expensive. Instead a specialized DDoS protection service may be preferred.
- DDoS mitigation services, usually function as cloud networks or scrubbing networks which traffic is routed through for cleansing before it reaches your ISP. This blocks the attack close to its source and away from your network.
- One problem that many Joomla users face is shared hosting. One risk associated with many shared hosting services is security. If multiple tenants are sharing the same server and one of them is hacked, there is a chance that other sites on the same server could be vulnerable as well. [Click] Of course this depends on the specific circumstances of the hack and hosting environment, but it is a valid enough concern to bring me to Security Step #6, use a secure hosting environment.
- Not all hosting companies are created equal. Website owners concerned with security should pick a hosting company which has existing security controls in place. These security controls should include segregation of environments, whether it be physical or logical to prevent the scenario described on the last slide. Security solutions like network firewalls, intrusion prevention systems and vulnerability scanning services for servers, databases, applications and infrastructure differentiate these companies from bargain hosting services. When selecting a secure hosting company, look for companies which are SAS 70 Type II or SSAE 16 Type II compliant. These certifications require companies to comply with a myriad of requirements all of which benefit your websites’ security posture.
- I am going to throw in a bonus step, secure your personal computer. Many Website owners spend time securing their Joomla environments but neglect the security of their own personal computers. Don’t be the weak link in your own security posture but letting something like a malware infection lead to a breach of your Website. Much of this is common sense. Use Anti-virus and a personal firewall. Update the signatures. Install updates for you operating system and applications. Use encryption when possible, etc.
- Incapsula Helps Website Owners Solve Operational Problems. Keeping websites and cloud applications available, fast and secure are the fundamental concerns of all website owners. Users expect websites to be available and get annoyed when they are down or when the site won’t load within a few seconds. And customers find somewhere else to shop when an ecommerce site is breached and private customer data is exposed. Keeping sites fast, secure and available has until now required a complex and expensive mix of hardware and software from several vendors.
- Incapsula has changed that by building a cloud service on a global network that provides the security, DDoS Protection, Performance and Availability that website owners need.
- Incapsula works by using DNS redirection to reout website traffic through the Incapsula Network. Once traffic is flowing through Incapsula, malicious traffic is blocked, and legitimate traffic is accelerated. This leads to a more secure, faster loading website. For a free trial of Incapsula, visit us at www.incapsula.com