TeraTech

The ColdFusion Experts: Develop | Secure | Optimize


How One Company Improved Their ColdFusion Security (From Datanapped to Safe)

August 15, 2020 By Michaela Light

One day a company much like yours, let’s call them “The Company”, called us to get help with a serious problem. Someone had hacked into their ColdFusion server and encrypted all of their important data files. The Company then received an email demanding $100,000 to decrypt those files. The Company had been both hacked and “datanapped”.

Could this happen to your company?

Contents

  • How Secure is Your ColdFusion Server?
  • A Short Look at The Company’s ColdFusion Security Issues
  • What Were the Main Issues Uncovered in the ColdFusion Security Audit?
  • Should Other Security Issues be Explored?
  • Wrapping Up and Going Forward with ColdFusion Security

How Secure is Your ColdFusion Server?

These are some of the problems you can experience with an insecure ColdFusion server:

  • After a breach, the job security of the people responsible goes into rapid decline
  • If you are datanapped, the ransom demand may be excessively high
  • Your customers’ sensitive data could be posted on the darknet and used for scams
  • If news of the breach goes public, the company’s reputation is damaged
  • The scope of the problem may be far greater than one particular system
  • Your CF site slows down or crashes because hackers are using the server to send spam email

Now let’s find out some background from The Company and see if we can gain some insight into the problem.

A Short Look at The Company’s ColdFusion Security Issues

When we arrived at The Company, it was chaos. People were scrambling and unsure of how to handle the situation.

We set up our team and accessed their server. One of the first things we noticed was that routine maintenance had lapsed: security patches and updates that should have been applied long ago were still pending.

The hackers had infiltrated most areas of the ColdFusion server, and they had been inside the system for over six months. Many of the server’s systems were affected, including the central database.

In addition, the hackers had been using The Company’s CF server to send out an enormous volume of spam. That spam is in fact how The Company finally noticed the intrusion: it was degrading server performance badly. The intruders’ activity also hurt The Company’s own email deliverability, because their SMTP server had been blacklisted.

What Were the Main Issues Uncovered in the ColdFusion Security Audit?

As part of the initial security audit, we:

  • Scanned the server for security holes
  • Reviewed the server configuration for security
  • Reviewed the ColdFusion configuration for security
  • Reviewed the database configuration for security
  • Tuned the ColdFusion, database, and server configuration for high security

After the audit, we had to deal with the datanapped files and repair the affected systems. A quick check revealed that The Company had been making regular backups. Instead of paying the hackers, we first removed every trace of the intruders’ presence and only then restored an older backup of the files. Because the intruders had been inside for more than six months, any backup taken during that window had to be treated as suspect: the restore point must predate the compromise, or be verified clean, or you simply restore the attacker’s foothold along with your data.

With repairs finished, we turned to preventing this from ever happening again. We reviewed a sample of the code for security holes and made recommendations on prevention best practices. Our team recommended continuing the server backups and putting a scheduled plan in place for future updates and security patches.

As Pete Freitag says in episode 020 of the ColdFusion Alive Podcast, “Secrets of High-Security ColdFusion Code”:

“Why should someone even care about the security in their ColdFusion code? It's something that's a very important topic. If you've got security vulnerabilities within your code base, eventually, at some point, if you don't address them, you might find out the hard way, which is a really horrible thing to have to go through. Having somebody hack your server and all the potential things that they might be able to do.

It could be deleting important assets that are difficult to recover; corrupted databases that might be very difficult to restore back to a reasonable state. There's just all sorts of things that an attacker could potentially do to your applications, and they can really be a costly problem for you to recover from.”

Should Other Security Issues be Explored?

One of the ways the hackers gained access to The Company’s database was through SQL injection. SQL injection happens when untrusted input (a URL or form parameter, for example) is concatenated directly into a SQL statement, so the attacker gets to change the query the database actually executes. This is one of the most common issues we see here at TeraTech, in our clients’ code and elsewhere. David Epler touches on this in his webinar, “ColdFusion Security and Web Hacking Tools”.

Consider the story of Lauri Love, a British hacker who infiltrated many U.S. government ColdFusion servers using SQL injection. It gives you an idea of how widely hackers use SQL injection.

Your ColdFusion servers can be protected by passing every dynamic value through cfqueryparam instead of embedding it in the SQL string, and by remaining vigilant!
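To make the difference concrete, here is an added example (not code from the original post or from The Company’s application) showing a typical injectable ColdFusion query beside its parameterized fix. The datasource name myDSN, the users table and the URL parameters are assumptions for illustration. One caveat worth knowing: ColdFusion automatically escapes single quotes in variables used inside cfquery, but that only protects values inside a quoted string literal. A numeric comparison such as `WHERE id = #url.id#` has no quotes, so the auto-escaping does nothing for it.

```cfml
<!---
  Added example. Assumed: a datasource "myDSN" with a table users(id, username, email)
  and URL parameters id, ids and sort. Illustrative code, not The Company's.
--->

<!--- VULNERABLE: the raw URL value is pasted into the SQL text. There are no
      quotes around a numeric comparison, so ColdFusion's automatic single-quote
      escaping does not apply. ?id=1 OR 1=1 returns every row, and on drivers
      that allow stacked statements ?id=1; DROP TABLE users runs as written. --->
<cfquery name="getUserVulnerable" datasource="myDSN">
    SELECT id, username, email
    FROM users
    WHERE id = #url.id#
</cfquery>

<!--- HARDENED (tag syntax): the value is bound as a typed parameter. The SQL
      text sent to the database never contains the user's input, and
      cfsqltype="cf_sql_integer" makes ColdFusion reject "1 OR 1=1" with a
      validation error before the query is ever executed. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, email
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- HARDENED (script syntax, CF11+ and Lucee): the same binding through
      queryExecute. The :id placeholder is bound from the params struct. --->
<cfscript>
getUserScript = queryExecute(
    "SELECT id, username, email FROM users WHERE id = :id",
    { id = { value = url.id, cfsqltype = "cf_sql_integer" } },
    { datasource = "myDSN" }
);
</cfscript>

<!--- IN lists: bind the whole list as one parameter with list="true" instead
      of building "IN (#url.ids#)" by hand. Each element is validated as an
      integer. --->
<cfquery name="getUsers" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE id IN (<cfqueryparam value="#url.ids#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>

<!--- Identifiers (column or table names) cannot be parameterized. For a
      user-selectable sort column, map the input onto a fixed allowlist and
      fall back to a safe default; never splice the raw value in. --->
<cfscript>
allowedSort = { "username" = "username", "email" = "email", "id" = "id" };
requestedSort = url.sort ?: "";
sortColumn = structKeyExists(allowedSort, requestedSort) ? allowedSort[requestedSort] : "id";
</cfscript>
<cfquery name="getSortedUsers" datasource="myDSN">
    SELECT id, username, email
    FROM users
    ORDER BY #sortColumn#
</cfquery>
```

The typed parameter does two things at once: the database receives the statement and the value separately, so the value can never be parsed as SQL, and the cfsqltype check turns a malformed value into an error you can log instead of a query you did not write. The allowlist at the end covers the one case cfqueryparam cannot, dynamic identifiers, which is where developers who otherwise parameterize everything still get caught.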

Related: Top 5 Security Issues Solved with Adobe ColdFusion 2018

Wrapping Up and Going Forward with ColdFusion Security

Just like we told The Company, there are ways you can learn best practices and troubleshooting for your ColdFusion server. Charlie Arehart’s “ColdFusion Troubleshooting Blog” is a great resource for exactly that.

After solving the issues at The Company, we set them up with a plan for success. The plan included CFML security best practices and regular maintenance and updates of their ColdFusion server. Their server is now secure.

Don’t let the same thing happen to your company. Follow the advice above and learn from The Company’s unfortunate situation.

Your ColdFusion server security and business depend on it!

Related: Adobe ColdFusion Comprehensive Guide (More Powerful, More Modernized, More Alive)

And to continue learning how to make your ColdFusion apps more modern and alive, I encourage you to download our free ColdFusion Alive Best Practices Checklist.

Because… perhaps you are responsible for a mission-critical or revenue-generating CF application that you don’t trust 100%, where implementing new features is a painful ad-hoc process with slow turnaround even for simple requests.

What if you have no contingency plan for a sudden developer departure or a server outage? Perhaps every time a new freelancer works on your site, something breaks. Or your application availability, security, and reliability are poor.

And if you are depending on ColdFusion for your job, then you can’t afford to let your CF development methods die on the vine.

You’re making a high-stakes bet that everything is going to be OK using the same old app creation ways in that one language — forever.

All it would take is for your fellow CF developer to quit or for your CIO to decide to leave the (falsely) perceived sinking ship of CFML and you could lose everything—your project, your hard-won CF skills, and possibly even your job.

Luckily, there are a number of simple, logical steps you can take now to protect yourself from these obvious risks.

No Brainer ColdFusion Best Practices to Ensure You Thrive No Matter What Happens Next

ColdFusion Alive Best Practices Checklist

Modern ColdFusion development best practices that reduce stress, inefficiency, project lifecycle costs while simultaneously increasing project velocity and innovation.

√ Easily create a consistent server architecture across development, testing, and production

√ A modern test environment to prevent bugs from spreading

√ Automated continuous integration tools that work well with CF

√ A portable development environment baked into your codebase… for free!

Learn about these and many more strategies in our free ColdFusion Alive Best Practices Checklist.

Michaela Light is the host of the CF Alive Podcast and has interviewed more than 100 ColdFusion experts. In each interview, she asks "What Would It Take to make CF more alive this year?" The answers still inspire her to continue to write and interview new speakers. Michaela has been programming in ColdFusion for more than 20 years. She founded TeraTech in 1989. The company specializes in ColdFusion application development, security and optimization. She has also founded the CFUnited Conference and runs the annual State of the CF Union Survey.

Related Posts

  • 5 Reasons Why Adobe ColdFusion is Better Than C#
  • 077 Fundamentals of Unit Testing, BDD and Mocking (using TestBox and MockBox) with Uma Ghotikar
  • 070 CommandBox 4 Deep Dive (new version revealed) with Brad Wood
  • State of the ColdFusion Union 2017 Survey Amazing Results
  • 019 A Whirlwind Tour of Preside Application Framework in the Wild, with Alex Skinner

Filed Under: ColdFusion, Security Tagged With: ColdFusion code
