Launching a website without taking the necessary security precautions is like building a house without locks on the doors. Most people may not notice, but anyone with malicious intent to steal or corrupt your data will have multiple vulnerabilities they can exploit. In addition to immediate financial or reputational losses, your business may also be liable if it has been entrusted with customers' data.
We sat down with ImageX’s website security expert, Leslie Cordell, to discuss what basic steps a business can take on their own to protect their website, what a security expert can offer in addition, and how Drupal can help.
A business owner with a basic level of technical knowledge can take discovery steps and some proactive measures depending on the freedom offered by the system being used:
- Strong password policy - Although this one is mentioned in almost every article on website security, one of the most convenient ways to break into a website remains brute-forcing a very simple password. To help prevent this, some systems allow a password policy to be customized. What makes a good policy is subjective: some require a minimum of 12 characters with a number, a capital letter and sometimes a special character, while other policies are less strict. We recommend a 12-character minimum, enforced across your entire team. A very long password or passphrase that you never need to memorize because it is stored in a password manager like LastPass or 1Password brings some peace of mind and closes an attack vector.
- Captcha or Honeypot - To prevent spam on webforms in Drupal, a business owner can install the Captcha and Honeypot modules to stop bots from flooding their webform submissions. The Captcha module enforces a check that the user submitting the form is a real person, while the Honeypot module rejects submissions that arrive before a configured minimum amount of time has passed since the form was loaded (bots typically submit instantly). Form spam, while not necessarily a security risk, clutters up your form submissions, making it harder to tell the good from the bad, and in some cases fills the database with unwanted entries that consume disk space.
- Locking down HTML input - Drupal lets the site administrator set a permission level on the type of data a user can input. For example, allowing untrusted users to enter full HTML is high risk, as it lets them add script tags and run their own code in other visitors' browsers. The permissions page gives the option to deny untrusted users access to this input type.
- Security Kit - For Drupal users, there is a useful module called Security Kit, which lets the administrator adjust various security-related settings for the website. Although it may prove too advanced for a non-professional, the module is freely available and can be configured through the website's administration pages without writing code.
The Drupal community is good at adding modules that can be installed on a website, including some great security modules that can be used to lock down some of the more common vectors for website exploitation.
While CMS community modules can handle many of the more common problems, a professional will be able to manage tasks including the following:
- Port scanning - Depending on your setup, your website might be hosted on a managed platform like Acquia, Platform.sh or Pantheon. In other cases, you may have your own dedicated server or VPS. In the latter case, a professional will be able to set up monitoring for port changes; a port is the endpoint through which a service on a server receives and transmits data over the network. Regularly scanning your own server's ports shows you exactly what someone on the outside looking in is able to talk to.
- Regular updates - A professional will be able to run regular updates on the server and on any web applications, ensuring that patches for all known security vulnerabilities are installed. And if an update does not go as planned, they will be able to roll your website back for you.
- Rootkit scanning - A rootkit is a piece of malicious software that an attacker installs on a server to retain access to it at will. Often it replaces existing software on the server with modified versions that, for example, email captured passwords to the attacker or send spam. A professional will be able to put an early warning system in place to detect such a change.
- Audit response - If you run a regular audit via a web application, or haven't run one in a while, a professional can help out by proactively fixing the items identified in an automated audit, or by running their own audit for you.
- Firewall - Software firewalls come installed as standard on most UNIX/Linux distributions. Setting up rules that keep intruders out, so that only the required ports are open to the outside world, and keeping an eye on traffic should be done by a professional.
- DDoS - To fend off unwanted traffic and DDoS (distributed denial-of-service) attacks, which attempt to render your services unusable by flooding them with requests, a professional will be able to help by putting mitigation scripts in place or by configuring a paid service like Cloudflare.
- HTTPS - A professional will be able to help you put a TLS certificate in place and serve your site over HTTPS, which is vital whenever sensitive credentials, such as passwords or credit card information, are transferred through your website.
- Sensitive data protection - A professional can make sure any sensitive data, such as credit card data, is encrypted and stored in a way that meets industry security standards. They can also lock down files and directories that shouldn’t be accessible over the web.
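The "early warning system" for replaced server software mentioned under rootkit scanning can be approximated with a file-integrity baseline: hash every file under a directory once, keep the hashes somewhere safe, and rescan periodically. This is an added example, not ImageX's or Drupal's code; the `bin/` directory and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

def hash_file(path: str) -> str:
    """SHA-256 of one file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under `root` (path relative to root) to its hash."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are outside this simple check
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the differences between the stored baseline and a fresh scan."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake bin/ directory, then simulate an intrusion."""
    root = tempfile.mkdtemp()
    bin_dir = os.path.join(root, "bin")
    os.makedirs(bin_dir)
    for name, data in (("ls", b"genuine ls"), ("ps", b"genuine ps")):
        with open(os.path.join(bin_dir, name), "wb") as fh:
            fh.write(data)
    baseline = build_baseline(root)
    with open(os.path.join(bin_dir, "ls"), "wb") as fh:  # binary replaced by a modified copy
        fh.write(b"modified ls")
    os.remove(os.path.join(bin_dir, "ps"))  # binary removed
    with open(os.path.join(bin_dir, "extra"), "wb") as fh:  # unexpected new file
        fh.write(b"unknown")
    return compare(baseline, build_baseline(root))
```

Store the baseline off the host or on read-only media, since an intruder with root access could otherwise rewrite it; a rootkit that subverts the kernel can also hide files from any user-space scan, so treat this as one signal among several.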
Some of the most common vulnerabilities a website can encounter are:
- Brute force password attack - This is when an attacker runs an automated script that hammers a website's login with attempt after attempt until it guesses the right password. Because of this, a strong password policy is especially important for administrators or anyone else with access to important site components.
- Session data/cookies - Depending on what data your system stores on the client side, a knowledgeable hacker may try to forge their own cookies to gain access to areas of the website they normally couldn't reach. Only non-confidential data, or data that plays no major role in authentication, should be stored in cookies. A common pattern is to keep the session data itself in a server-side store such as Redis and give the client only a cookie that is encrypted or protected with an HMAC signature, so that any tampering is detected.
- DDoS attacks - As mentioned above, this is when an attack floods a service with more requests than it can handle, grinding it to a halt. Many of the large attacks you see in the news that take websites offline are DDoS attacks.
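The cookie pattern described above (session data kept server-side, client holds only an opaque id plus an HMAC tag) looks like this in practice. This is an added example, not ImageX's or Drupal's code; the signing key, the in-memory dictionary standing in for Redis and the one-hour lifetime are assumed values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed: in production the key comes from a secrets store; this is a constructed
# value and must never reach the client.
SERVER_SECRET = b"constructed-example-key-replace-me"

# Stand-in for the server-side session store (e.g. Redis). The client only ever
# sees an opaque session id, never the user id or role.
SESSION_STORE: Dict[str, dict] = {}
SESSION_TTL = 3600  # seconds; assumed value

def sign_cookie(session_id: str) -> str:
    """Cookie value = <session_id>.<hex HMAC-SHA256 of session_id under SERVER_SECRET>."""
    tag = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"

def verify_cookie(cookie: str) -> Optional[str]:
    """Return the session id if the tag is genuine, None if it is absent or tampered with."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not session_id:
        return None
    expected = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return session_id

def create_session(user_id: int, role: str, now: int) -> str:
    """Create a server-side session and return the signed cookie value to set."""
    session_id = secrets.token_hex(16)
    SESSION_STORE[session_id] = {"user_id": user_id, "role": role, "expires": now + SESSION_TTL}
    return sign_cookie(session_id)

def load_session(cookie: str, now: int) -> Optional[dict]:
    """Resolve a request cookie to its session data, rejecting forged or expired cookies."""
    session_id = verify_cookie(cookie)
    if session_id is None:
        return None
    data = SESSION_STORE.get(session_id)
    if data is None or data["expires"] <= now:
        SESSION_STORE.pop(session_id, None)
        return None
    return data
```

Because role and user id never leave the server, editing the cookie cannot escalate privileges: a changed id or tag fails the HMAC check, and a correctly signed but unknown id resolves to nothing.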
There are many more ways a site can be exploited, especially when more services are added to a website, such as REST, SOAP, FTP, etc., but the list above includes the most common vulnerabilities.
The most common issues a professional encounters when a website has been exploited are the attacks mentioned above. The majority of incidents we have dealt with have been pages compromised through SQL injection, along with DDoS attacks. Compromised passwords are also very common due to poor password policies.
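Detecting and cutting off the brute-force login attempts described above is a matter of counting failures per source in a sliding time window and locking the source out, which is also the idea behind Drupal's built-in limit on login attempts. This is an added example, not ImageX's or Drupal's code: the log format, the sample lines and the thresholds (5 failures in 60 seconds) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed sample login log (not real traffic): "<epoch> <source ip> <account> <result>"
SAMPLE_LOG = """\
1700000000 203.0.113.5 admin FAIL
1700000003 203.0.113.5 admin FAIL
1700000007 203.0.113.5 admin FAIL
1700000009 198.51.100.9 editor FAIL
1700000011 203.0.113.5 admin FAIL
1700000014 203.0.113.5 admin FAIL
1700000016 203.0.113.5 admin OK
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (FAIL|OK)$")

class LoginMonitor:
    """After `max_failures` failures from one IP within `window` seconds, reject every
    attempt from it for `window` seconds, even one that would otherwise succeed."""
    def __init__(self, max_failures: int = 5, window: int = 60) -> None:
        self.max_failures = max_failures
        self.window = window
        self.failures: Dict[str, Deque[int]] = defaultdict(deque)
        self.locked_until: Dict[str, int] = {}

    def record(self, ts: int, ip: str, result: str) -> bool:
        """Register one attempt; return True if it must be rejected."""
        if self.locked_until.get(ip, 0) > ts:
            return True
        recent = self.failures[ip]
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # drop failures that fell out of the window
        if result == "OK":
            recent.clear()
            return False
        recent.append(ts)
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = ts + self.window
            recent.clear()
        return False

def replay(log: str, max_failures: int = 5, window: int = 60) -> List[Tuple[int, str, str]]:
    """Replay a log through the monitor; return (timestamp, ip, account) of rejected attempts."""
    monitor = LoginMonitor(max_failures, window)
    rejected = []
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # ignore malformed lines rather than crash on them
        ts, ip, account, result = int(match[1]), match[2], match[3], match[4]
        if monitor.record(ts, ip, result):
            rejected.append((ts, ip, account))
    return rejected
```

In the sample log the fifth failure from 203.0.113.5 triggers the lockout, so the correct guess two seconds later is rejected while the single failure from 198.51.100.9 has no effect.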
An ex-Soviet propagandist, Yuri Bezmenov, once said that the most common perception of espionage is blowing up bridges, stealing microfilms, and high-speed car chases. Similar things could probably be said for people's perception of hackers, but the reality is very different. The vast majority of attacks, unless politically motivated, will be targeted towards a specific goal of either bringing down a website or extracting some sort of personal profit. Most hackers will be looking for something automated they can put onto your site and move on to their next target to maximize any gains.
They will often begin by running various scans on your system. If they intend to gain access to your server, they will run a port scan and check the software versions running on the various ports. If your server hasn't been upgraded or updated in a while, there is a chance an exploit exists for a piece of software running on it that they will try to use. Or, if a service running on your server has lax permissions, they could try to gain access that way.
If your server runs FTP to let you upload files, a hacker may try to brute force a username and password combination using common dictionaries of words. If a user has a weak password, they might gain access, place a script, and run it unless the server has measures in place to prevent this.
A hacker may also run a web scanner to try to determine the system you're using, its version, and which modules you have enabled. If one of these modules or the system itself isn't up to date with the latest security updates, they may try to take advantage of an exploit to gain access to the system. If that isn't possible, they might try a mixture of URL patterns on your system, passing queries in the URL to attempt an SQL injection or cross-site scripting exploit. If you are running an older system or custom code that is below standard, this might work for them.
Failing this, they may look for pages on your website that have forms or input fields and try to inject malicious code. They may run a script that fires off endless requests at your server, which can grind it to a halt, especially if multiple hackers target your site with the same method; having a good system in place to prevent this is critical. The hacker might also inspect the cookies your website stores in their browser and try to decode them to find a way to exploit them.
These are just a few examples, but unless a hacker is seriously intent on getting into your website specifically, they will look for the quickest and easiest way in so they can place a political message or something for monetary gain and then move on to their next target.
- Drupal ships with many of the web server configuration files required to restrict access to various directories.
- Encryption can also be set up for the website database, with control over exactly what to encrypt, from lax to very strict.
- Drupal has a dedicated security team; whenever a potential security risk is discovered, an update is made available to the community.
- Passwords are hashed rather than stored in plain text by default, and there is a maximum number of login attempts before a user is locked out, to prevent brute force attacks.
- It's possible to set up LDAP, two-factor authentication, OAuth and many other authentication methods to secure logins.
- Permissions can be controlled on a very fine level and managed by administrators to restrict and allow access to different pieces of content or functions of the site.
- And for even greater control, community modules are also available.
To find out more about Drupal security, check out Drupal's security page.