...

DNN version 07.04.02 has many security vulnerabilities; according to 10 Lb, the version is “right in the middle of the worst” of a number of consecutive DNN versions with major security vulnerabilities. The top priority is upgrading the site to the most recent version of DNN (09.06.01).

The PackFlash module is a known major security risk. 10 Lb recently helped another organization in a similar situation to migrate content from PackFlash into a stable and secure module that works on current versions of DNN; doing the same for this site is the other main priority. For reference: http://www.packflash.com/. PackFlash is currently used for TDIC’s menu, several list modules, and publications like Liability Lifeline and RM Matters.

There is no way to ensure tdicinsurance.com is secure without completely eliminating the PackFlash module and any PackFlash add-on modules.

Solution/Approach:

  1. Set up a clean instance of TDIC from the oldest backup, with no content (conventional wisdom would indicate the breach actually occurred prior to 9/8/2020, and the hackers waited a certain period of time to exploit it)

  2. Remove any problematic modules; upgrade those that can be upgraded

  3. Export PackFlash content into Easy DNN News or another secure module

  4. Upgrade DNN

  5. When the site is upgraded/stable, import the content and assets

...

  • Compile a list for 10 Lb of content/sections on the TDIC website that are a top priority (i.e., there are legal or other reasons that these sections should be handled first).

  • Compile a list of sections that are of lower priority so that 10 Lb can be sure they are focusing their efforts on the top priority items first.

  • Work with TDIC stakeholders to put together an emergency communication and backup plan in the event that the website does go down. We don’t expect this to happen, but we should be prepared in the event that it does.

IT/all:

  • We will meet as a group with 10 Lb early next week to discuss the findings of their audit, timing, and next steps.

Risks:

We will be discussing steps to take to secure the site during Presents this week, but we do not know for certain that we can prevent this from happening.