CMS Hacking
Analyzing the Risk with 3rd Party Applications
Barry Shteiman – Director of Security Strategy
11/7/2013


© 2013 Imperva, Inc. All rights reserved.

Confidential
Agenda
• CMS defined
• Risks and trends
• Recent incidents
• Into the details
  • An attack campaign
  • Industrialized attack campaign
• Reclaiming security

Today’s Speaker - Barry Shteiman

• Director of Security Strategy
• Security Researcher working with the CTO office
• Author of several application security tools, including HULK
• Open source security projects code contributor
• Twitter @bshteiman

CMS Defined
Content Management System

What is a CMS?

A content management system (CMS) is a computer program
that allows publishing, editing and modifying content as well as
maintenance from a central interface.
Source: https://en.wikipedia.org/wiki/Content_management_system

Deployment Distribution

Source: http://trends.builtwith.com/cms

Enterprise Adoption

Risks and Trends

OWASP Top 10 – 2013 Update

New: A9 - Using Known Vulnerable Components

3rd Party
According to Veracode:
• “Up to 70% of internally developed code originates outside of the
development team”
• 28% of assessed applications are identified as created by a 3rd
party

When a 3rd Party Brings its Friends
• More than 20% of the 50 most popular WordPress plugins are vulnerable to web attacks
• 7 out of the top 10 most popular e-commerce plugins are vulnerable to common Web attacks
-- Checkmarx Ltd. research lab “The Security State of WordPress’ Top 50 Plugins” white paper, June 18, 2013

You can’t fix code you don’t own, and even if you host your own code, it has third party components in it.

Attack Surface
In research conducted by BSI in Germany, ~20% of the
vulnerabilities discovered were found in the CMS core and ~80%
in plugins and extensions.

Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html
BSI is Germany's federal office for information security
Classic Web Site Hacking
Single Site Attack

Hacking
1. Identify Target
2. Find Vulnerability
3. Exploit

Classic Web Site Hacking
Multiple Site Attacks

Hacking, repeated separately for every target site:
1. Identify Target
2. Find Vulnerability
3. Exploit

CMS Hacking
CMS Targeting Attack

Hacking
1. Identify CMS
2. Find Vulnerability
3. Exploit

Recent Incidents

3rd Party Code Driven Incidents
Breached via a 3rd party application on Drupal.org’s own servers.

3rd Party Code Driven Incidents
3rd party service provider hacked, customer data affected.

3rd Party Code Driven Incidents
Yahoo’s 3rd party hack as detailed in Imperva’s January HII report.

HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
Just Last Week…

Into the Details
How a CMS Attack Campaign Might Look

The Attacker’s Focus

Server Takeover

Direct Data Theft

CMS Mass Hacking
Step 1: Find a vulnerability in a CMS platform

Source: www.exploit-db.com

Even public vulnerability databases contain thousands
of CMS-related vulnerabilities.

CMS Gone Wild(card)
Step 2: Identify a fingerprint in a relevant CMS-based site
A fingerprint can be
• Image
• URL
• Tag
• Object Reference
• Response to a query
• etc.

Fingerprinted
Tag based

The page source will usually contain fingerprints of the CMS in use
(unless obfuscated).

Fingerprinted
URL based

An administrator interface may be front facing, allowing detection
and login attempts.
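A self-check for the two fingerprint classes just described, tag based and URL based, written as an added example and not taken from the deck or from Imperva: it parses one page of your own site, reports a generator tag (worse when it carries a version) and platform-naming paths, and shows that stripping the meta tag leaves the URL fingerprints in place. The pattern table and the sample HTML are constructed.

```python
"""Audit one page of your own CMS site for the tag-based and URL-based
fingerprints described above. Added example, not code from the deck or from
Imperva. The pattern table and the sample HTML are constructed."""
import re
from html.parser import HTMLParser

# Path fragments that name the platform. Constructed and not exhaustive; they
# come from the public default directory layouts of each CMS.
URL_FINGERPRINTS = {
    "WordPress": (r"/wp-content/", r"/wp-includes/", r"/wp-login\.php", r"/wp-admin/"),
    "Joomla": (r"/media/jui/", r"/administrator/"),
    "Drupal": (r"/sites/default/files/", r"/misc/drupal\.js"),
}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


class _TagCollector(HTMLParser):
    """Collect the generator meta tag and every src/href/action URL."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lower-cases tag and attribute names
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        for key in ("src", "href", "action"):
            if a.get(key):
                self.urls.append(a[key])


def audit_html(html):
    """Return (kind, source, evidence) findings for one page of HTML."""
    collector = _TagCollector()
    collector.feed(html)
    findings = []
    if collector.generator:
        # A version string is the worst case: it maps straight onto a CVE list.
        kind = "tag+version" if VERSION_RE.search(collector.generator) else "tag"
        findings.append((kind, "meta generator", collector.generator))
    for cms, patterns in URL_FINGERPRINTS.items():
        for pattern in patterns:
            hit = next((u for u in collector.urls if re.search(pattern, u)), None)
            if hit:
                findings.append(("url", cms, hit))
                break  # one matching URL per platform is evidence enough
    return findings


def strip_generator(html):
    """Remove the generator meta tag. This only covers the tag-based
    fingerprint: the URL-based ones stay until asset paths are rewritten."""
    return re.sub(r'<meta\b[^>]*\bname=["\']generator["\'][^>]*>\s*', "", html, flags=re.I)


# Constructed sample page, roughly what a default WordPress theme emits.
SAMPLE_HTML = """<!doctype html><html><head>
<meta name="generator" content="WordPress 3.7">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="/wp-includes/js/demo.js"></script>
</head><body><form action="/wp-login.php" method="post"></form></body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(*finding)
    print("after strip_generator:", audit_html(strip_generator(SAMPLE_HTML)))
```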
Google Dork for the Masses
• Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)
• Results: 144,000

Google Dork for the Masses
In our case: Database Host, User and Password Exposed

Botnets Targeting Your CMS

Recently Observed:
• Botnets scan websites for vulnerabilities
• Inject hijack/drive-by code into vulnerable systems
• Onboard hijacked systems into the botnet

From a Botnet Communication
Google Dork

Botnet operator uses zombies to
scan sites for vulnerabilities

* As observed by Imperva’s ADC Research Team

From a Botnet Communication

Botnet exploits vulnerabilities and
absorbs victim servers
* As observed by Imperva’s ADC Research Team
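Detection logic for the reconnaissance the botnet slides and the Google dork slides describe, as an added example that is not part of the deck or of Imperva's tooling: it reads combined-format access log lines and flags requests for dorkable wp-config copies (a 200 means the database credentials already left the server), login bursts against a front-facing admin interface, and 404 bursts under CMS paths from one client. The log lines, IP addresses, plugin names and thresholds are constructed.

```python
"""Flag CMS reconnaissance in an Apache/nginx combined-format access log.
Added example, not Imperva's code. Log lines, IPs, plugin names and thresholds
are constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Renamed or backup copies of wp-config.php that the web server hands out as
# plain text. .conf/.txt/.config come from the dork on the slide above;
# .bak/.old/~ are an assumption based on common editor and backup leftovers.
CONFIG_LEAK_RE = re.compile(r"/wp-config\.(?:conf|txt|config|bak|old)$|/wp-config\.php~$")

# Front-facing login endpoints and CMS path prefixes a scanner enumerates;
# a burst of 404s under those prefixes from one client is a probe.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php", "/user/login")
CMS_PREFIXES = ("/wp-content/", "/wp-includes/", "/wp-admin/", "/administrator/")
LOGIN_BURST = 5   # POSTs to a login path from one IP (constructed threshold)
PROBE_BURST = 5   # 404s under a CMS prefix from one IP (constructed threshold)


def parse_line(line):
    """Return (ip, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], m["method"], m["path"].split("?", 1)[0], int(m["status"])


def analyze(log_text):
    """Return (alert_type, ip, detail) tuples, highest severity first."""
    alerts = []
    login_posts = defaultdict(int)
    probe_404s = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec
        if CONFIG_LEAK_RE.search(path):
            # 200: DB host, user and password are already on the wire.
            # Anything else is still a dork-driven probe worth recording.
            kind = "config_exposed" if status == 200 else "config_probe"
            alerts.append((kind, ip, path))
        elif method == "POST" and path in LOGIN_PATHS:
            login_posts[ip] += 1
        elif status == 404 and path.startswith(CMS_PREFIXES):
            probe_404s[ip] += 1
    for ip, n in login_posts.items():
        if n >= LOGIN_BURST:
            alerts.append(("login_burst", ip, f"{n} login POSTs"))
    for ip, n in probe_404s.items():
        if n >= PROBE_BURST:
            alerts.append(("plugin_scan", ip, f"{n} 404s under CMS paths"))
    severity = {"config_exposed": 0, "config_probe": 1, "login_burst": 2, "plugin_scan": 3}
    alerts.sort(key=lambda a: severity[a[0]])
    return alerts


def _line(ip, method, path, status, sec):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [07/Nov/2013:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one client pulls a dorked config copy, another scans
# plugin paths and hammers the login form, a third is ordinary traffic.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "GET", "/wp-config.txt", 200, 1),
     _line("203.0.113.7", "GET", "/wp-config.conf", 404, 2),
     _line("192.0.2.10", "GET", "/", 200, 3),
     _line("192.0.2.10", "GET", "/wp-content/themes/demo/style.css", 200, 4)]
    + [_line("198.51.100.23", "GET", f"/wp-content/plugins/plugin{i}/readme.txt", 404, 10 + i)
       for i in range(6)]
    + [_line("198.51.100.23", "POST", "/wp-login.php", 200, 20 + i) for i in range(5)]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```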
Reclaiming Security
Securing 3rd Party Applications

Analyzing the Attack Surface

Certain vulnerabilities in 3rd party applications can only be properly fixed
using Web Application Firewalls.
Graphics Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html
BSI is Germany's federal office for information security
Deployment Matters

On premise deployment: applications and 3rd party code deployed in your
virtual/physical data center.

Cloud based deployment (Imperva Incapsula Cloud): hosted applications and
B2B services.

Recommendations

When a company builds its security model, it usually does not take into
account elements that are not under its control, and that gap is the
security hole.
Companies should:
• Implement policies, on both the legal and technical side, to control data
access and data usage.
• Require third party applications to accept your security policies and put
proper controls in place.
• Monitor.

Technical Recommendations
• Assume third-party code – coming from partners, vendors, or mergers and
acquisitions – contains serious vulnerabilities
• Pen test before deployment to identify these issues
• Deploy the application behind a WAF to
  • Virtually patch pen test findings
  • Mitigate new risks (unknown at pen test time)
  • Mitigate issues the pen tester missed
  • Use a cloud WAF for remotely hosted applications
• Virtually patch newly discovered CVEs
  • Requires a robust security update service

Questions?
www.imperva.com

Thank You

Weitere ähnliche Inhalte

Was ist angesagt?

Thinking like a criminal – Cybersecurity 101
Thinking like a criminal – Cybersecurity 101Thinking like a criminal – Cybersecurity 101
Thinking like a criminal – Cybersecurity 101PECB
 
Cloud security enforcer - Quick steps to avoid the blind spots of shadow it
Cloud security enforcer - Quick steps to avoid the blind spots of shadow itCloud security enforcer - Quick steps to avoid the blind spots of shadow it
Cloud security enforcer - Quick steps to avoid the blind spots of shadow itIBM Security
 
Cyber Security 2017 Challenges
Cyber Security 2017 ChallengesCyber Security 2017 Challenges
Cyber Security 2017 ChallengesLeandro Bennaton
 
Security Trend Report, 2017
Security Trend Report, 2017Security Trend Report, 2017
Security Trend Report, 2017Bill Chamberlin
 
Ibm security products portfolio
Ibm security products  portfolioIbm security products  portfolio
Ibm security products portfolioPatrick Bouillaud
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIBM Security
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...IBM Security
 
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...IBM Security
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Edureka!
 
Wannacry & Petya ransomware
Wannacry & Petya ransomwareWannacry & Petya ransomware
Wannacry & Petya ransomwareRaghavendra P.V
 
Solar winds supply chain breach - Insights from the trenches
Solar winds supply chain breach - Insights from the trenchesSolar winds supply chain breach - Insights from the trenches
Solar winds supply chain breach - Insights from the trenchesInfosec
 
Check Point Infinity powered by R80.10
Check Point Infinity powered by R80.10Check Point Infinity powered by R80.10
Check Point Infinity powered by R80.10MarketingArrowECS_CZ
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness TrainingJen Ruhman
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...IBM Security
 
Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsIBM Security
 
IBM Security Software Solutions
IBM Security Software Solutions IBM Security Software Solutions
IBM Security Software Solutions Thierry Matusiak
 

Was ist angesagt? (20)

Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
 
Thinking like a criminal – Cybersecurity 101
Thinking like a criminal – Cybersecurity 101Thinking like a criminal – Cybersecurity 101
Thinking like a criminal – Cybersecurity 101
 
Cloud security enforcer - Quick steps to avoid the blind spots of shadow it
Cloud security enforcer - Quick steps to avoid the blind spots of shadow itCloud security enforcer - Quick steps to avoid the blind spots of shadow it
Cloud security enforcer - Quick steps to avoid the blind spots of shadow it
 
Cyber Security 2017 Challenges
Cyber Security 2017 ChallengesCyber Security 2017 Challenges
Cyber Security 2017 Challenges
 
Security Trend Report, 2017
Security Trend Report, 2017Security Trend Report, 2017
Security Trend Report, 2017
 
IBM Security Strategy
IBM Security StrategyIBM Security Strategy
IBM Security Strategy
 
Ibm security products portfolio
Ibm security products  portfolioIbm security products  portfolio
Ibm security products portfolio
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM Resilient
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
 
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
 
Wannacry & Petya ransomware
Wannacry & Petya ransomwareWannacry & Petya ransomware
Wannacry & Petya ransomware
 
Solar winds supply chain breach - Insights from the trenches
Solar winds supply chain breach - Insights from the trenchesSolar winds supply chain breach - Insights from the trenches
Solar winds supply chain breach - Insights from the trenches
 
How to beat ransomware
How to beat ransomwareHow to beat ransomware
How to beat ransomware
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
 
Check Point Infinity powered by R80.10
Check Point Infinity powered by R80.10Check Point Infinity powered by R80.10
Check Point Infinity powered by R80.10
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
 
Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
 
IBM Security Software Solutions
IBM Security Software Solutions IBM Security Software Solutions
IBM Security Software Solutions
 

Ähnlich wie CMS Hacking

CMS Hacking 101
CMS Hacking 101CMS Hacking 101
CMS Hacking 101Imperva
 
DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013
DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013
DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013Andris Soroka
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesSymantec
 
Imperva - Hacking encounters of the 3rd kind
Imperva -  Hacking encounters of the 3rd kindImperva -  Hacking encounters of the 3rd kind
Imperva - Hacking encounters of the 3rd kindBarry Shteiman
 
Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9
Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9
Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9UISGCON
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Wail Hassan
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
 
IBM Security intelligence v1 - ahmed el nahas
IBM Security intelligence v1 - ahmed el nahasIBM Security intelligence v1 - ahmed el nahas
IBM Security intelligence v1 - ahmed el nahasShwetank Jayaswal
 
A Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalA Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalImperva
 
Top Security Threats to Look Out for in 2023
Top Security Threats to Look Out for in 2023Top Security Threats to Look Out for in 2023
Top Security Threats to Look Out for in 2023K7 Computing Pvt Ltd
 
Security Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public SectorSecurity Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public SectorIBMGovernmentCA
 
Everything to Understand About Cyberattacks Around Supply Chain Industry in 2023
Everything to Understand About Cyberattacks Around Supply Chain Industry in 2023Everything to Understand About Cyberattacks Around Supply Chain Industry in 2023
Everything to Understand About Cyberattacks Around Supply Chain Industry in 2023MobibizIndia1
 
Cyber Security
Cyber SecurityCyber Security
Cyber SecurityRamiro Cid
 
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...IBM Security
 
Hacking Encounters of the 3rd Kind
Hacking Encounters of the 3rd KindHacking Encounters of the 3rd Kind
Hacking Encounters of the 3rd KindImperva
 
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence QuarterlyIBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence QuarterlyIBM Security
 
JavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaJavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaChris Bailey
 
Security and Audit for Big Data
Security and Audit for Big DataSecurity and Audit for Big Data
Security and Audit for Big DataNicolas Morales
 
Rochester Security Event
Rochester Security EventRochester Security Event
Rochester Security Eventcalebbarlow
 
Detect & Remediate Malware & Advanced Targeted Attacks
Detect & Remediate Malware & Advanced Targeted AttacksDetect & Remediate Malware & Advanced Targeted Attacks
Detect & Remediate Malware & Advanced Targeted AttacksImperva
 

Ähnlich wie CMS Hacking (20)

CMS Hacking 101
CMS Hacking 101CMS Hacking 101
CMS Hacking 101
 
DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013
DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013
DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
 
Imperva - Hacking encounters of the 3rd kind
Imperva -  Hacking encounters of the 3rd kindImperva -  Hacking encounters of the 3rd kind
Imperva - Hacking encounters of the 3rd kind
 
Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9
Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9
Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known Vulnerabilities
 
IBM Security intelligence v1 - ahmed el nahas
IBM Security intelligence v1 - ahmed el nahasIBM Security intelligence v1 - ahmed el nahas
IBM Security intelligence v1 - ahmed el nahas
 
A Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalA Blueprint for Web Attack Survival
A Blueprint for Web Attack Survival
 
Top Security Threats to Look Out for in 2023
Top Security Threats to Look Out for in 2023Top Security Threats to Look Out for in 2023
Top Security Threats to Look Out for in 2023
 
Security Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public SectorSecurity Trends and Risk Mitigation for the Public Sector
Security Trends and Risk Mitigation for the Public Sector
 
Everything to Understand About Cyberattacks Around Supply Chain Industry in 2023
Everything to Understand About Cyberattacks Around Supply Chain Industry in 2023Everything to Understand About Cyberattacks Around Supply Chain Industry in 2023
Everything to Understand About Cyberattacks Around Supply Chain Industry in 2023
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
 
Hacking Encounters of the 3rd Kind
Hacking Encounters of the 3rd KindHacking Encounters of the 3rd Kind
Hacking Encounters of the 3rd Kind
 
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence QuarterlyIBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
 
JavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaJavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for Java
 
Security and Audit for Big Data
Security and Audit for Big DataSecurity and Audit for Big Data
Security and Audit for Big Data
 
Rochester Security Event
Rochester Security EventRochester Security Event
Rochester Security Event
 
Detect & Remediate Malware & Advanced Targeted Attacks
Detect & Remediate Malware & Advanced Targeted AttacksDetect & Remediate Malware & Advanced Targeted Attacks
Detect & Remediate Malware & Advanced Targeted Attacks
 

Kürzlich hochgeladen

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomCzechDreamin
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...marcuskenyatta275
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekCzechDreamin
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeCzechDreamin
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfSrushith Repakula
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyUXDXConf
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FIDO Alliance
 

Kürzlich hochgeladen (20)

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...

CMS Hacking

  • 1. CMS Hacking: Analyzing the Risk with 3rd Party Applications. Barry Shteiman, Director of Security Strategy. 11/7/2013
  • 2. Agenda
    • CMS defined
    • Risks and trends
    • Recent incidents
    • Into the details: an attack campaign; an industrialized attack campaign
    • Reclaiming security
  • 3. Today’s Speaker: Barry Shteiman
    • Director of Security Strategy
    • Security Researcher working with the CTO office
    • Author of several application security tools, including HULK
    • Open source security projects code contributor
    • Twitter @bshteiman
  • 4. CMS Defined: Content Management System
  • 5. What is a CMS? A content management system (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface. Source: https://en.wikipedia.org/wiki/Content_management_system
  • 6. Deployment Distribution. Source: http://trends.builtwith.com/cms
  • 7. Enterprise Adoption
  • 8. Risks and Trends
  • 9. OWASP Top 10 – 2013 Update. New: A9 - Using Known Vulnerable Components
  • 10. 3rd Party. According to Veracode:
    • “Up to 70% of internally developed code originates outside of the development team”
    • 28% of assessed applications are identified as created by a 3rd party
  • 11. When a 3rd Party Brings its Friends
    • More than 20% of the 50 most popular WordPress plugins are vulnerable to web attacks
    • 7 out of top 10 most popular e-commerce plugins are vulnerable to common Web attacks
    Source: Checkmarx Ltd. research lab, “The Security State of WordPress’ Top 50 Plugins” white paper, June 18, 2013. You can’t fix code you don’t own; even if you host your own, that code has third party components in it.
  • 12. Attack Surface. In research conducted by BSI in Germany, ~20% of the vulnerabilities discovered were found in the CMS core and ~80% in plugins and extensions. Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html (BSI is Germany's federal office for information security)
  • 13. Classic Web Site Hacking, Single Site Attack: 1. Identify Target; 2. Find Vulnerability; 3. Exploit
  • 14. Classic Web Site Hacking, Multiple Site Attacks: the same three steps (1. Identify Target; 2. Find Vulnerability; 3. Exploit) repeated separately for every site
  • 15. CMS Hacking, CMS Targeting Attack: 1. Identify CMS; 2. Find Vulnerability; 3. Exploit
  • 16. Recent Incidents
  • 17. 3rd Party Code Driven Incidents: Breached via 3rd party application on Drupal.org own servers.
  • 18. 3rd Party Code Driven Incidents: 3rd party service provider hacked, customer data affected.
  • 19. 3rd Party Code Driven Incidents: Yahoo’s 3rd party hack as detailed in Imperva’s January HII report. HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
  • 20. Just Last Week…
  • 21. Into the Details: How a CMS Attack Campaign Might Look
  • 22. The Attacker’s Focus: Server Takeover; Direct Data Theft
  • 23. CMS Mass Hacking. Step 1: Find a vulnerability in a CMS platform. Even public vulnerability databases contain thousands of CMS related vulnerabilities. Source: www.exploit-db.com
  • 24. CMS Gone Wild(card). Step 2: Identify a fingerprint in a relevant CMS-based site. A fingerprint can be an image, a URL, a tag, an object reference, a response to a query, etc.
  • 25. Fingerprinted, Tag based: The code will usually contain fingerprints (unless obfuscated) of the CMS in use.
  • 26. Fingerprinted, URL based: An administrator interface may be front facing, allowing detection and login attempts.
  • 27. Google Dork for the Masses. Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config). Results: 144,000
  • 28. Google Dork for the Masses. In our case: Database Host, User and Password Exposed
  • 29. Botnets Targeting Your CMS. Recently Observed:
    • Botnets scan websites for vulnerabilities
    • Inject hijack/drive-by code into vulnerable systems
    • Onboard hijacked systems into the Botnet
  • 30. From a Botnet Communication (Google Dork): Botnet operator uses zombies to scan sites for vulnerabilities. * As observed by Imperva’s ADC Research Team
  • 31. From a Botnet Communication: Botnet exploits vulnerabilities and absorbs victim servers. * As observed by Imperva’s ADC Research Team
  • 32. Reclaiming Security: Securing 3rd Party Applications
  • 33. Analyzing the Attack Surface. Certain vulnerabilities in 3rd party applications can only be properly fixed using Web Application Firewalls. Graphics Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html (BSI is Germany's federal office for information security)
  • 34. Deployment Matters
    • On premise deployment (Imperva): applications and 3rd party code deployed in your virtual/physical data center.
    • Cloud based deployment (Incapsula Cloud): hosted applications and B2B services.
  • 35. Recommendations. When a company builds its security model it usually does not take into account elements that are not under its control, which creates the security hole. Companies should:
    • Implement policies, on both the legal and technical aspects, to control data access and data usage.
    • Require third party applications to accept your security policies and put proper controls in place.
    • Monitor.
  • 36. Technical Recommendations
    • Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
    • Pen test before deployment to identify these issues
    • Deploy the application behind a WAF to:
      • Virtually patch pen test findings
      • Mitigate new risks (unknown at pen test time)
      • Mitigate issues the pen tester missed
      • Use cloud WAF for remotely hosted applications
    • Virtually patch newly discovered CVEs (requires a robust security update service)
  • 37. Questions? www.imperva.com
  • 38. Thank You
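Slides 26 through 31 describe the reconnaissance side of a CMS campaign (a front-facing admin interface that invites login attempts, configuration backups such as wp-config.txt that end up publicly served, botnets that scan sites for exactly these things), and slide 36 recommends putting the application behind a WAF to virtually patch what cannot be fixed in the third-party code itself. The script below is an added example written for this page; it is not code from the deck or from Imperva. It shows the defender's side of both points with one shared request classifier: a log analyzer that runs over web server access lines and flags config-file probing, a configuration file that was actually served with a 200, and admin-password guessing; and a small WSGI middleware that refuses config-backup paths before the CMS ever sees the request, which is the smallest possible virtual patch for the slide 27/28 exposure. The path patterns, the login threshold, the addresses and log lines, and every function name are constructed for the example and are assumptions, not values from the presentation.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Config files and editor/backup copies of them (what the deck's Google dork on
# slide 27 turns up).  wp-config: WordPress, configuration.php: Joomla,
# settings.php: Drupal.  The extension list is an assumption; extend it for your stack.
CONFIG_BACKUP_RE = re.compile(
    r"/(wp-config|configuration|settings)"
    r"\.(php~|php\.(bak|old|orig|save|swp)|txt|conf|config|bak)$", re.IGNORECASE)
# Front-facing admin interfaces (slide 26).  Only POSTs count as login attempts;
# a GET is what a legitimate user does to load the form.
ADMIN_LOGIN_RE = re.compile(
    r"/(wp-login\.php|administrator/index\.php|user/login)$", re.IGNORECASE)
# Apache/nginx "combined" log line, just the fields this analysis needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')


def classify_request(method, path):
    """Tag a request as a config-backup probe, an admin login attempt, or None."""
    p = urlsplit(path).path  # the query string plays no role here
    if CONFIG_BACKUP_RE.search(p):
        return "config-backup-probe"
    if ADMIN_LOGIN_RE.search(p) and method.upper() == "POST":
        return "admin-login-attempt"
    return None


def analyze_log(lines, login_threshold=3):
    """Per-client summary: {ip: {"counts": {...}, "flags": [...]}}.  A probe
    answered with 200 is the worst case: the config file was actually served."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        tag = classify_request(m["method"], m["path"])
        if tag is None:
            continue
        per_ip[m["ip"]][tag] += 1
        if tag == "config-backup-probe" and m["status"] == "200":
            per_ip[m["ip"]]["config-exposed"] += 1
    findings = {}
    for ip, c in per_ip.items():
        flags = []
        if c["config-exposed"]:
            flags.append("CONFIG FILE SERVED")
        if c["config-backup-probe"]:
            flags.append("config probing")
        if c["admin-login-attempt"] >= login_threshold:
            flags.append("login brute force")
        findings[ip] = {"counts": dict(c), "flags": flags}
    return findings


def virtual_patch(app):
    """WSGI middleware: a minimal virtual patch (slide 36) that refuses
    config-backup paths before the CMS ever sees the request."""
    def wrapped(environ, start_response):
        tag = classify_request(environ.get("REQUEST_METHOD", "GET"),
                               environ.get("PATH_INFO", ""))
        if tag == "config-backup-probe":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return app(environ, start_response)
    return wrapped


def cms_stub(environ, start_response):
    """Stand-in CMS that serves whatever is asked, like a host exposing wp-config.txt."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"site content\n"]


def send(app, method, path):
    """Drive a WSGI app with a minimal environ and return the status line it chose."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    list(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return seen["status"]


# Constructed access-log excerpt: a client pulling config backups (one was
# actually returned), a password guesser, and an ordinary visitor logging in once.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Nov/2013:10:01:02 +0000] "GET /wp-config.txt HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Nov/2013:10:01:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Nov/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.0"
198.51.100.9 - - [07/Nov/2013:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.0"
198.51.100.9 - - [07/Nov/2013:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.0"
192.0.2.44 - - [07/Nov/2013:10:03:10 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Nov/2013:10:03:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in analyze_log(SAMPLE_LOG.splitlines()).items():
        print(ip, info["counts"], info["flags"])
    patched = virtual_patch(cms_stub)
    print(send(patched, "GET", "/wp-config.txt"), "/", send(patched, "GET", "/index.php"))
```

The "CONFIG FILE SERVED" flag is the one to act on first: it means the web server handed out a credentials file, so the database password on slide 28 has to be treated as compromised and rotated, not just the file removed. A production WAF rule set covers far more than one path pattern, and the login threshold is deliberately low for the sample; tune it against your own traffic before alerting on it.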

Editor's Notes

  1. Popularity > less dev, more results, consistency, ease of use and time-to-deliver
  2. WordPress 6.3 M sites; Joomla 1.7 M sites; Drupal 400k sites
  3. Organizations choose to outsource code knowingly or unknowingly. Using 3rd party code means a faster development lifecycle and sometimes more mature code, but NOT more secure code.
  4. The threat landscape is rich and full of different vulnerabilities; CMSs and their plugins are like petri dishes for vulnerabilities.
  5. Hackers have spread thin but effectively.
  6. Hackers have spread thin but effectively.
  7. Hackers have spread thin but effectively.