Sponsors

Monday, February 15, 2010

All You Ever Wanted To Know About Joomla Security


https://www.palmettomastersingers.org/Joomla/images/stories/Links/Joomla_Logo_Vert_Color.png

All You Ever Wanted To Know About Joomla Security


Due to the time I spent rebuilding and cleaning up a recent Joomla hack and defacement of a web by an individual from the country of Turkey, I have become much more knowledgeable of Joomla security issues.

Looking through the monitoring statistics of the attacked site, it only took 4 minutes for the person hacking the site to compromise it; they found the site by searching for vulnerable Joomla 3rd party extensions which were installed in the site, which can get indexed on Google.

Joomla has become on of the hottest, easy to use, and simple to setup web site Content Managmet Systems  out there. With that, it has increasingly become the target of hackers. Just like Microsoft did with the popularity of the Windows Operating System, Joomla is reaping the success of developing software that helps people work and communicate more efficiently,  but at the cost of being on the radar for individuals who like to destroy and cause havoc on websites.

So for all of those looking for guidance on Joomla security I have provided a list of sources from various places that offer great Joomla security advance. The Majority of what you need to know about staying in the know and securing your Joomla site can be found here on my blog.



1)     Getting Started with your Joomla site
A.     Official Joomla Documentation

·   http://docs.joomla.org/

B.     How to Choose a Hosting Provider

·   http://docs.joomla.org/Security_and_Performance_FAQs

C.     Look at Ultra Secure Web Host Providers Like, FireHost.com a Secure Web Hosting Probider Who Defends against DDoS and Provides Top Notch, Corporate Enterprise Class Intrution Detection (IDS) & Intrusion Provention (IPS) Services.

2)      Install most up-to-date version of Joomla
·   http://www.joomla.org/download.html

3)      Test and Patch Joomla installation as Soon as a New Patch Update is Released
·   http://joomlacode.org/gf/project/joomla/frs/?action=FrsReleaseBrowse&frs_package_id=4947

4)      Rename admin account

5)      Change default password “admin” to a strong password

6)      Redirect Joomla Management Console Default
http://www.yoursite.com/administrator to something else by using a secure plug-in or something else. plugins/system/404.html

A.     Consider Using JSecure Authentication for Console Access and Re-Direction

·   http://extensions.joomla.org/extensions/access-a-security/site-security/5809

7)     Joomla Permissions  Give Write and Execute permissions only to files and folders that need them. See #12 below: Joomla Hardening.

8)      Don’t Use High Risk Joomla Extensions that appear on Vulnerablity Extensions lists
A.     Vulnerable Extensions List

·   http://docs.joomla.org/Vulnerable_Extensions_List

B.     U.S. Vulnerabilities Database: Enter Joomla or Names of Joomla Extensions

·   http://web.nvd.nist.gov/view/vuln/search?cid=1.

9)      Scan your Joomla site often to check for vulnerabilities
A.     OWASP’s free JoomaScan Vulnerability Scanner- Usage : Note to run on Windows, you will first need to install a Perl Distribution; Such as ActivePerl.  Real easy to install, then begin your scanning!

·   http://sourceforge.net/projects/joomscan/

·   Mailing List

·   Subscribe: https://lists.owasp.org/mailman/listinfo/owasp-joomla-vulnerability-scanner

·    or Use: owasp-joomla-vulnerability-scanner@lists.owasp.org

B.     Hacker Targets’ free web based Joomla site scanner

·   http://hackertarget.com/joomla-security-scan

·   Web site protection http://yehg.net/lab/pr0js/papers/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf

10)   Disaster Recovery: Backup Your Site!

A.     JoomPack Site Back Up

·   http://extensions.joomla.org/extensions/1606/details

·   Restore JoomPack: http://joomlapack.net/download/itemlist/category/52-kickstart.html

11)   Create a Test Site on a Local Host/ Workstation Before Making Changes To Your Joomla Site
A.      Joomla Downloadable Local Host Instant Infrastructure!

·   http://demo.joomla.org- Jumpbox, TurnKey & Online Joomla Demo Site

B.      Manually Install/Setup a Windows Test/Development Joomla Environment

·   Part 1 -  http://docs.joomla.org/Setting_up_your_workstation_for_Joomla!_development

·   Part 2 -  http://docs.joomla.org/Setting_up_your_workstation_for_Joomla!_development_--_Part_2
C.      How To Copy From Host to Remote Host and Vice-Versa

·   http://docs.joomla.org/How_do_you_copy_a_site_from_localhost_to_a_remote_host%3F


12)   Joomla Website Hardening


A.      Joomla Security Guide

·   http://www.myjoomlasecurity.com/index.php/Main_PageCheck


13)   More Joomla Security Resources

A.      Joomla Administrators Security Checklist

·   http://developer.joomla.org/security/articles-tutorials/260-joomla-administrators-security-checklist.html

B.     Joomla Security Strike Team

·   http://developer.joomla.org/security.html

C.     Joomla Security FAQs

  http://docs.joomla.org/Category:Security_FAQ
D. Top 10 Joomla Security Problems and How To Avoid Them

·  http://joomplaza.com/index.php/tutorials/82-top-ten-joomla-security-problems---and-how-to-avoid-them

E. Top 10 Joomla Security Extentions

. http://hostingword.com/web-hosting-reviews/10-most-popular-joomla-security-extensions/

 If any of the above links disappear or are not working properly, please let me know. Thanks in advance!

Enjoy your Joomla Content Management Experience Safely and with no Headaches!

Sincerely,

Julius, CISSP, CISA

 In addition, if you are new to the IT Security field, or have no experience and want to change your career consult with me at:











Friday, February 5, 2010

You Would Protect Your Kids In Real Life Woudn't You? Then Why Not On The Internet?

Powerful add on Internet Safety for children from the McGruff SafeGuard program

http://www.GoMcGruff.com  

Protect Your Children!

Klaus & Anna's Excellent Internet Adventure






Julius


Tuesday, February 2, 2010

What Should One Know When Preparing for an IT Security Technical Job Interview?

Here are some technical areas that I have been asked to explain in detail.




  1. Understand what Defense-in-depth is.
  2. Be prepared to design a network that contains the must haves to adequately protect a corporate network.
  3. Understand what attacks can occur at each TCP/IP layer; and how to mitigate.
  4. Know what the most common IP ports are and the common attacks associated with them; and how to mitigate.
  5.  Understand all the types of encryption available to protect data in transit and at rest.
  6. Understand how to protect Desktops and Servers from unauthorized access and attacks.
  7. Understand how security roles and permissions operate in a Windows domain, and how security flows from domain controllers to desktops.
  8. Understand the aspects of providing Physical Security to protect against unauthorized access and harm for People, Processes, Technology and Administratively.
  9. Understand what IDS, Firewalls, IPS, and router access control lists are.
  10. Be prepared to explain how you stay abreast of emerging threats to Internet and network security.
  11. Become familiar with the security guidelines and publications on www.nist.org
Enjoy,

Julius

Get Expert Advice!