Slide 1

Slide 1 text

Security Best Practices for Agencies

Slide 2

Slide 2 text

@VicDrover Panama Papers

Slide 3

Slide 3 text

@VicDrover Joomla implicated in data loss

Slide 4

Slide 4 text

@VicDrover Threats keep coming

Slide 5

Slide 5 text

@VicDrover JED Server Security Incident

Slide 6

Slide 6 text

@VicDrover Levels of website security

Slide 7

Slide 7 text

@VicDrover Levels of website security

Slide 8

Slide 8 text

@VicDrover Levels of website security

Slide 9

Slide 9 text

Client Passwords

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

@VicDrover Agency Passwords

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

@VicDrover Trust extends to your team

Slide 14

Slide 14 text

@VicDrover Email security

Slide 15

Slide 15 text

@VicDrover Staff

Slide 16

Slide 16 text

Staff

Slide 17

Slide 17 text

@VicDrover Disaster Response Plan

Slide 18

Slide 18 text

@VicDrover
Initial response
- Who, What, When
- Emergency contact info
- Service provider info
- 1-time use passwords

Slide 19

Slide 19 text

Agency 7

Slide 20

Slide 20 text

Agency 7

Slide 21

Slide 21 text

@VicDrover
Security policy
- Email usage
- Resource access
- Password strength
- Password duration
- Account sharing
- Team composition
- Disaster planning
- Continuing Education

Slide 22

Slide 22 text

@VicDrover
Levels of website security
- Local
- Remote

Slide 23

Slide 23 text

@VicDrover Website: one piece of the puzzle

Slide 24

Slide 24 text

@VicDrover PHP Usage

Slide 25

Slide 25 text

@VicDrover Webserver security

Slide 26

Slide 26 text

@VicDrover Heartbleed

Slide 27

Slide 27 text

@VicDrover ssllabs.com/ssltest/ SSL Report: joomla.org

Slide 28

Slide 28 text

@VicDrover Let’s Encrypt

Slide 29

Slide 29 text

@VicDrover
Other local issues
- SSH on non-default port, encryption keys
- Disable FTP
- Strong database password
- Enable logging
- Disable magic_quotes
- Disable register_globals

Slide 30

Slide 30 text

@VicDrover
Levels of website security
- Local
- Remote

Slide 31

Slide 31 text

@VicDrover Remote services - email

Slide 32

Slide 32 text

@VicDrover Remote services - DNS

Slide 33

Slide 33 text

@VicDrover Remote services - reverse proxy

Slide 34

Slide 34 text

@VicDrover Remote services - reverse proxy

Slide 35

Slide 35 text

@VicDrover Levels of website security

Slide 36

Slide 36 text

@VicDrover
Well-known Joomla best-practices
- Unique administrator account
- Disable guest registration
- Remove Joomla installation directory
- No FTP password storage
- Disable Error Reporting

Slide 37

Slide 37 text

@VicDrover YourSites MySites Best Practice Scanners

Slide 38

Slide 38 text

No content

Slide 39

Slide 39 text

No content

Slide 40

Slide 40 text

@VicDrover Enforce strong passwords

Slide 41

Slide 41 text

@VicDrover Password control

Slide 42

Slide 42 text

@VicDrover Password expiry

Slide 43

Slide 43 text

After activation you may login to your website using the following username and password:

Slide 44

Slide 44 text

No content

Slide 45

Slide 45 text

@VicDrover
Other site tips
Prevention
- Software firewall (Admin Tools, RS Firewall)
- Protect admin areas with a password/token
- Don’t store credit card data locally
- Don’t share user accounts!!!
- Log User Activity

Slide 46

Slide 46 text

No content

Slide 47

Slide 47 text

@VicDrover Apply updates early & often

Slide 48

Slide 48 text

No content

Slide 49

Slide 49 text

No content