The need to deliver new and changing content seamlessly across an increasing number of different devices has been a principal driver in the development of today's content management systems (CMS). Do your current change management procedures provide adequate oversight for new content requests and RESTful components before they are deployed? If not, how would you begin to assess the need for change? This workshop recounts the selection and implementation of a CMS, discusses how elements within the CMS can be leveraged for uses beyond their stated purpose, and identifies appropriate control alternatives for a CMS-based environment.
1. Title slide
Content Management Systems: An Executive Review
Bill Price
9th NG Security Summit US, December 2-4, 2015
http://www.gdsinternational.com/events/ngsecurity/us/
2. Introduction - Agenda
Content Management Systems (CMS): The What and the Why
CMS Timelines: Technology and Compliance
Case Study: Compromise via PHP
Control Alternatives
Concluding Remarks
3. Introduction - Key Takeaways
Web-related technology changes are creating new attack vectors.
Compliance expectations are changing rapidly.
Basic development and management skills still apply.
4. The What and the Why - The What
Web content management: the creating, updating, and publishing of digital content to a web site
Content Management System (CMS): the software that permits web content management
Source: http://www.accrinet.com/blog/web-content-management-101/
5. The What and the Why - The Why
Ease of updates and site redesigns
No mark-up language (XML, HTML, etc.) knowledge required
A good content management system includes:
Tools for search engine optimization, email marketing, and social media
Upgrades and training on new functionality
Source: http://www.accrinet.com/blog/5-reasons-you-should-be-using-a-content-management-system/
6. CMS Timeline - Technology
How Web Site Construction has Changed (figure not reproduced here)
Source: https://www.ostraining.com/blog/drupal/what-is-headless-drupal/
7. CMS Timeline - Compliance - How Compliance has Changed
Securities and Exchange Commission (SEC), Division of Corporation Finance (CF)
Disclosure Guidance: Cybersecurity (October 13, 2011)
"To the extent cyber incidents pose a risk to a registrant's ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective."
Source: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
8. CMS Timeline - Compliance - Compliance Requirements Expand
SEC Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative investigations will focus on (April 15, 2014):
Cybersecurity Governance
Protection of Networks and Information
Risks associated with Customer Transactions (access, funds transfer) and Third Parties (vendors, business partners)
Detection of Unauthorized Activity
Identity Theft Red Flag Rules (17 CFR § 248, Subpart C, Regulation S-ID)
Source: https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf
9. CMS Timeline - Compliance - In the Name of Consumer Protection
Third Circuit (August 24, 2015): the 1914 Federal Trade Commission Act [15 U.S.C. § 45(a)] empowers the FTC to regulate cyber security
Multiple breaches occurred in 2008 and 2009
The court decided that the FTC Act empowers the agency to prohibit "unfair or deceptive acts or practices in or affecting commerce"
The FTC has been filing cyber-related cases since 2005
Source: https://www.ftc.gov/system/files/documents/cases/150824wyndhamopinion.pdf
10. CMS Timeline - Compliance - Compliance Net Grows Further
SEC OCIE Cybersecurity Initiative investigations will now focus on (September 15, 2015):
Governance and Risk Assessment
Access Rights and Controls
Data Loss Prevention
Vendor Management
Training (Employees, Vendors/Business Partners)
Incident Response
Source: https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf
11. Case Study: Compromise via PHP - An Example CMS Life-Cycle
May 2012: Digital Government Strategy (open data, content, and web APIs)
Dec 2012: Web Enterprise Service Technologies (WEST) contract award (content management, search, and collaboration)
Aug 2014: Initial migration completed (over 100 websites; new CMS: Drupal 7)
Apr 2015: Headless Drupal implemented (optimize for mobile devices)
12. Case Study: Compromise via PHP - Web Site Construction Revisited (figure not reproduced here)
13. Case Study: Compromise via PHP - Three servers defaced
All sites were in a shared virtual environment and used Drupal for content management
All sites were on a single subnetwork
One was a collaborative site
All sites were isolated during the investigation
All sites had valid backups prior to the defacements
14. Case Study: Compromise via PHP - How did this happen?
Drupal installations contain default PHP scripts in the web root:
authorize.php: privileged file operations (e.g. deploying modules and themes)
cron.php: triggers the scheduled tasks when requested
index.php: serves all page requests
install.php: initiates the browser-based installation (the attack point)
update.php: updates Drupal from one version to another
xmlrpc.php: handles incoming XML-RPC requests
15. Case Study: Compromise via PHP - Three re-installs
The original install script checks whether Drupal is being installed in a new environment, i.e. whether it is already installed
The modified script performed that check by virtual host name
The same check by IP address returned an error, because the script had no default case for an unrecognized host
The attacker was therefore able to re-install Drupal in each environment with their own settings
16. Control Alternatives - Control Recommendations
Remove the PHP scripts that the initial Drupal install leaves in the CMS root and that the running site does not need (install.php above all; index.php must stay, since it serves every page request)
Validate all modified/developed scripts (usually PHP, Perl, and/or Python):
Error checking
Case/default case handling (every switch needs a default case, and that default should refuse rather than proceed)
Delegate specific oversight for CMS development to a Configuration Control Board
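The failure on slide 15 and the "default case" control on slide 16, as an added illustration. This is neither Drupal core's install.php nor the case-study site's modified script; the host names, the settings.php fragments and the function names are assumptions made for the example. The vulnerable guard switches on the Host header with no default case, so a request that addresses the server by IP address matches nothing and the installer is allowed to run; the hardened guard refuses anything it cannot positively identify as an uninstalled, known site.

```php
<?php
// Added example (not Drupal core, not the case-study script). Host names,
// settings fixtures and function names below are assumptions.

// Constructed settings.php fragments keyed by the virtual host the modified
// script expected. A populated $databases entry is what Drupal 7 settings.php
// contains once a site is installed; the bare empty assignment is what
// default.settings.php ships with before installation.
$SETTINGS_BY_HOST = [
    'www.example.gov'  => "\$databases['default']['default'] = array(\n"
                        . "  'driver' => 'mysql', 'database' => 'www', 'username' => 'drupal',\n"
                        . "  'password' => 'redacted', 'host' => 'localhost');\n",
    'wiki.example.gov' => "\$databases = array();\n",   // genuinely not installed yet
];

// True when the settings source defines a real database connection (a
// $databases assignment that carries a 'driver' key). "$databases = array();"
// ends at the semicolon before any 'driver' and therefore does not count.
function settings_define_database(string $settings_src): bool {
    return (bool) preg_match('/\$databases\b[^;]*\'driver\'\s*=>/s', $settings_src);
}

// Vulnerable guard, modelled on the slide-15 description: the "already
// installed" decision is a switch on the Host header with no default case.
function installer_may_run_vulnerable(string $host, array $settings_by_host): bool {
    $installed = false;
    switch ($host) {
        case 'www.example.gov':
            $installed = settings_define_database($settings_by_host['www.example.gov']);
            break;
        case 'wiki.example.gov':
            $installed = settings_define_database($settings_by_host['wiki.example.gov']);
            break;
        // No default case. A request addressing the server by IP
        // (Host: 203.0.113.10) matches nothing, $installed stays false, and the
        // installer runs against a site that is already installed.
    }
    return !$installed;
}

// Hardened guard: the switch gets a default case that logs and refuses, and a
// known host may only be installed when its settings define no database yet.
function installer_may_run(string $host, array $settings_by_host, ?string &$reason = null): bool {
    switch ($host) {
        case 'www.example.gov':
        case 'wiki.example.gov':
            if (settings_define_database($settings_by_host[$host])) {
                $reason = "site '$host' is already installed";
                return false;
            }
            $reason = null;
            return true;
        default:
            // Fail closed: an IP address, a mistyped host, or any host this
            // script was never told about is refused, not treated as new.
            $reason = "unexpected Host header '$host'; refusing to run the installer";
            error_log("install.php: $reason");
            return false;
    }
}

// Walk the three requests the case study implies: the two legitimate virtual
// hosts and the attacker reaching the same server by IP address.
foreach (['www.example.gov', 'wiki.example.gov', '203.0.113.10'] as $host) {
    $vuln = installer_may_run_vulnerable($host, $SETTINGS_BY_HOST) ? 'runs' : 'refused';
    $safe = installer_may_run($host, $SETTINGS_BY_HOST, $why) ? 'runs' : "refused ($why)";
    printf("%-17s vulnerable: %-8s hardened: %s\n", $host, $vuln, $safe);
}
```

Run it with `php install_guard.php` (any file name). The host-name switch is the shape of the bug, not the shape of the fix: Drupal's stock installer decides "already installed" from the database configured in settings.php, not from the host name, and the hardened guard above keeps that decision independent of anything the client controls. Hardening the check also does not replace the first recommendation on this slide; once a site is installed, install.php has no runtime purpose and removing it closes the path entirely.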
17. Control Alternatives - Other Considerations
Review Network Infrastructure
What data resources are reachable from the CMS?
Are any of these resources crown jewels?
Assess Existing Controls
Have patches kept up with CMS changes?
Are any data sources exposed/newly exposed?
Implement CMS-specific processes
Developer training
Collaborative policies and procedures
18. Concluding Remarks - Suggested Resources
Violent Python, T. J. O'Connor, Elsevier Inc., 2013, ISBN 978-1-59749-957-6
Programmer's Guide to Drupal (2nd Edition), Jennifer Hodgdon, O'Reilly Media Inc., 2015, ISBN 978-1-4919-1146-4
19. Concluding Remarks - Key Takeaways (recap)
Web-related technology changes are creating new attack vectors.
Compliance expectations are changing rapidly.
Basic development and management skills still apply.
20. Concluding Remarks
Thank you.
Contact Information: Bill Price, http://www.linkedin.com/in/wprice