
Monday, 14 June 2021

Tips to safeguard your Joomla website

Let’s first understand what Joomla is and how it helps to build a website.

It is an open source content management system. Joomla is also used to develop websites and applications that are delivered online. Technically, Joomla consists of two templates: a user-friendly front-end template and a back-end template used mostly by the website’s administrators. Joomla is built with PHP (for the front end), object-oriented programming (for its code) and MySQL (for storing data).

What is Content Management System (CMS)?

It is software that keeps track of all the data on a site. Data can take various forms, such as text, images and documents. A CMS also helps in editing, altering and publishing the content of a website.

Generally, Joomla is used for developing websites of different kinds and sizes. Joomla can be used to develop the following:

• Sites and portals for Corporates
• Start-ups and small-sized business websites
• Magazines, newspapers, and publications that have an online presence
• E-commerce sites and online booking & reservations
• Websites for government, NGOs and organizations

Open source software is free to use, distribute and modify. It costs less than its proprietary counterparts. But at the same time, it is exposed to attack. Taking precautions before your website gets hacked, and working on how to improve its security, is extremely necessary.

Wednesday, 28 April 2021

Input Validation Errors: The Core of Website Security Evils

In the past few years, with the rise of technological innovations, there has been an increase in the number and sophistication of security breaches. Poor input validation has turned out to be the root cause of many of the embarrassing data breaches reported in recent years. While writing the code, developers create input fields into which users can enter whatever they wish. The website stays secure only as long as those unchecked input fields are not used for hacking.

Let’s see why input validation is crucial for website security.

What Is Input Validation?

Websites processing input data from users or from a wide range of systems should ensure that it is valid. Validation is carried out at a variety of levels, ranging from simply verifying input types and lengths (syntactic validation) to ensuring the inserted values make sense in the application context (semantic validation).

For websites, input validation is nothing but verifying the values inserted in the input fields, ensuring that the date, email address and other details entered are valid. Client-side validation, performed directly in the browser, is the initial step; the submitted values are then verified again on the server side.

Input validation is a commonly used method to check potentially dangerous inputs, ensuring they are safe to be processed within the code.

Consequences of Improper Input Validation

Input validation reduces the attack surface and minimizes the impact of attacks that do succeed. Improper input validation leads to incorrect results on the website, or even crashes. Insufficient input validation also degrades the user experience: if the registration form fails to detect incorrect details entered on the form, the user won’t be able to confirm the account.

There may also be a case where invalid data clears the validation process on the browser side and is only trapped during server-side validation. This round trip takes longer to deliver a response to the user.

How can we ensure Proper Input Validation?

Earlier, input fields were validated using JavaScript, either manually or with the help of a dedicated library. Since implementing validation by hand is a tedious process, it is better to look for existing validation features. Languages and frameworks come with built-in validators that make input validation more reliable and easier.

  • Blacklist and Whitelist Based Validation

Typically, input validation for website security is carried out by blocking elements that can be used for an injection attack: apostrophes and semicolons can be disallowed to prevent SQL injection, and parentheses can be banned to stop a malicious user from inserting a JavaScript function. This is nothing but blacklisting elements, and it is not advisable to use this technique. Blacklist-based validation is not feasible to implement properly, since the developer can’t predict all the attack vectors that might help the hacker bypass the validation.

Whitelist-based validation can be used for well-defined input variables like numbers, dates, postcodes, etc. Whitelist-based validation lets you state the permitted values and reject all other input. HTML5 delivers predefined whitelisting logic with built-in data type definitions, where the input fields have predefined validations.
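A server-side illustration of the two approaches above, added here as an example and not code from the original post. The function names and the sample submissions are my own constructions; the whitelist validators show a syntactic check (shape) followed by a semantic check (the value is real and in range), which the blacklist cannot do.

```python
import re
from datetime import date
from typing import Optional

# Blacklist approach from the post: block characters associated with
# injection. It rejects legitimate input (the name O'Brien) and still
# cannot enumerate every dangerous sequence, so it is not advisable.
BLOCKED_CHARS = set("';()")

def is_blacklist_clean(value: str) -> bool:
    return not any(ch in BLOCKED_CHARS for ch in value)

# Whitelist approach: state exactly what a field may contain and reject
# everything else. Each validator does a syntactic check (shape, length)
# and then a semantic check (the value makes sense in context).
AGE_RE = re.compile(r"[0-9]{1,3}")
ISO_DATE_RE = re.compile(r"([0-9]{4})-([0-9]{2})-([0-9]{2})")
UK_POSTCODE_RE = re.compile(r"[A-Z]{1,2}[0-9][0-9A-Z]? [0-9][A-Z]{2}")
# The apostrophe is legitimate in names; defence against injection belongs
# in parameterised queries and output encoding, not in this validator.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,49}")

def validate_age(value: str) -> Optional[int]:
    if not AGE_RE.fullmatch(value):
        return None
    age = int(value)
    return age if 0 < age <= 130 else None  # semantic range check

def validate_date(value: str) -> Optional[date]:
    m = ISO_DATE_RE.fullmatch(value)
    if not m:
        return None
    try:
        return date(int(m[1]), int(m[2]), int(m[3]))  # 2021-02-30 fails here
    except ValueError:
        return None

def validate_postcode(value: str) -> Optional[str]:
    normalised = value.strip().upper()
    return normalised if UK_POSTCODE_RE.fullmatch(normalised) else None

def validate_name(value: str) -> Optional[str]:
    return value if NAME_RE.fullmatch(value) else None

if __name__ == "__main__":
    # Constructed sample submissions, not real data.
    print(is_blacklist_clean("O'Brien"))  # False: legitimate name blocked
    print(validate_name("O'Brien"))       # O'Brien: whitelist admits it
    print(validate_date("2021-02-30"))    # None: right shape, not a real date
```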

Monday, 1 April 2019

Safeguarding your Organization from Internal Threats

Just a quick recap from my previous blog, where we focused mainly on how crucial data is and, even more importantly, on its security. We also saw some standard practices for ensuring data security:
1. Disk Encryption: converting data into a form that cannot be easily interpreted without the key that makes it legible.

2. Backups: creating multiple copies of data at regular intervals so it can be recovered if the original copy is lost.

3. Data Masking: masking certain areas of data so sensitive information is protected from unauthorized access.

4. Data Erasure: ensuring data no longer in use is completely removed and cannot be recovered by unauthorized people.

Threats do not always come from external sources; we also need to focus on insider threats, which nowadays pose more serious risks to any organization. We have lots of security measures inside our perimeter, but is that enough? An organization like ESDS needs to protect its integrity with respect to its staff, vendors, customers who have co-located their servers, contractors, etc. In-depth knowledge of our network layout, connectivity, policies, processes and business practices lies entirely in the hands of our staff members.

One interesting fact about security which I came across while browsing the security zone website is that most data breaches occur due to internal attackers.
The study also revealed that a major share, 68%, of organizations incurred serious loss and negative financial impact.
Most internal threats can be prevented, or at least managed, by giving proper training to employees. What an organization needs is a clearly drafted and defined policy framework that is implemented across the whole organization and monitored regularly by the security teams. Following are some of the steps that will help an organization prevent internal threats.
1) First, a Security Policy

Your ISO 27001 ISMS should include the information transfer process. How does data flow between internal teams? Similarly, when sending data outside your organization, it should be sent over a secure network.

The organization chart is another important aspect. The hierarchy should be followed in case of any incident. Specify in your security policy who is allowed to access which data, and even with whom employees are allowed to share it. Make the consequences of mishandling data known.
2) Educate your employees

Every department of your organization holds some localized data. This data may be of high or low importance; it may relate to marketing, sales or the personal information of a customer. To secure this data, your employees need to undergo security training sessions. The best way to reduce risk from internal threats is to provide high-end security training that explains the importance of data and the consequences of failing to follow the security standards. Make the training interactive with some security-related games. We are not saying that employees will commit a malicious act, but if they see one they may recognize it and raise a red flag to their seniors.
3) Classify your Data

Data is classified into 3 main categories: restricted, private and public. This classification is mandatory in every organization and for every process, and it should be included in your security policy. It helps the security team to easily identify the data and its sensitivity. Access to classified data is based on the designation of employees.
4) Physical Security

Every valuable computer must be highly secured. Only those who handle the data must have access. Use CCTV to monitor the sensitive areas. Two-factor authentication using smart cards or PINs must be implemented in secure zones like the data center, stores, legal, etc. Also consider biometric authentication for all your employees. Use of USB devices must be restricted for employees unless necessary, and devices should be scanned by the IT team before use.
5) New Hires Screening

One point where you can minimize the risk is during the employment process. The role of HR begins when hiring a new candidate. A thorough background check is necessary before the employee comes on board. HR needs to perform checks not only at the professional level but also a complete family background check if necessary. For an organization, security of data is the main concern. After onboarding, the employee should undergo training on security as it relates to the organization. Not only this: when any employee leaves the organization, HR needs to revoke all their access and make sure that, before being relieved, the employee has handed over all the data that was in their possession.
6) Strong Authentication

A strong password policy should be followed. Passwords should be changed on a biweekly basis to prevent any kind of loss. Every system, server and storage device must be in dual-authentication mode.
7) Monitor for “Abnormal” Behavior

Install the right software and devices with proper access control. Use granular access control to monitor all activity on the systems. Unauthorized users must be blocked from logging into the system. Track behavior, and if you find any abnormal action, raise the red flag for further investigation and any legal implications.
When investing in security, we always look for a reliable service provider. If you want more details on external and internal threats and on securing your organization, you have come to the right blog!
Please visit https://www.esds.co.in/soc-as-a-service for our offerings and experience with Security Operations Center (SOC) as a Service.