Website Security

Mar 02 2017

Launching a website without taking the necessary security precautions is like building a house without locks on the doors. Most people may not notice, but anyone with any malicious intent to steal or corrupt your data will have multiple vulnerabilities they can exploit. And in addition to any immediate financial or reputational losses to your business, you may also be putting it in a position of liability if it’s entrusted with your customer’s data as well. We sat down with ImageX’s website security expert, Leslie Cordell, to discuss what basic steps a business can take on their own to protect their website, what a security expert can offer in addition, and how Drupal can help.

What are some basic steps that a business can take on their own to improve the security of their website, without the help of an expert? A business owner with a basic level of technical knowledge can take discovery steps and some proactive measures depending on the freedom offered by the system being used:

Web security audit - There are many sites, both paid and free, that will provide you with a basic to advanced website audit. Some of these applications can provide very in-depth results that can be passed on to a professional to deal with. These results may expose flaws such as cross-site scripting vulnerabilities, SQL injection and JavaScript injection vulnerabilities. Some of these audit sites can also perform scans on intervals to detect signatures. Because they are often a web application, a business owner could sign up and perform a scan.
Strong password policy - Although this one is mentioned in almost every article on website security, one of the most convenient ways to hack a website remains to brute force attack a very simple password. To help prevent this, some systems will allow the customization of a password policy. A good policy is subjective -- some prefer to have a minimum of 12 characters, requiring a number, a capital letter and sometimes a special character; but other policies are less strict. We recommend a 12-character password minimum and to enforce this among your entire team. A very long and forgettable password or passphrase that’s stored in a password manager like LastPass or 1password can bring some peace of mind and close an attack vector.
Captcha or HoneyPot - To prevent spam on webforms in Drupal, it’s possible for a business owner to install the Captcha and HoneyPot modules to prevent robots from spamming their webform submissions. The Captcha module will enforce a check that the user submitting the form is a real person; likewise, the HoneyPot module will wait for a certain duration of time to have passed before the form can be submitted. Form spam, while not necessarily posing a security risk, can clutter up your form submissions making it harder to discern the good from the bad and in some instances fill up the database with undesirable entries that use up disk space.
Locking down HTML input - Drupal allows the site administrator to set a permission level on the type of data a user can input. For example, allowing untrusted users to enter full HTML is a high risk as this will allow them to add script tags and exploit a page. The permissions page gives the option to disallow untrusted users access to this input type.
Security kit - For Drupal users, there is a useful module called Security Kit, which allows the user to adjust the various security settings for the website. Although this may prove too advanced for a non-professional, the module is openly available and can be configured via the website without resorting to code.

The Drupal community is good at adding modules that can be installed on a website, including some great security modules that can be used to lock down some of the more common vectors for website exploitation.

What value can an expert in website security add above and beyond what a business can do themselves? While CMS community modules can handle a lot of the more common problems, a professional will be able to manage the following, but not limited to:

Port scanning - Depending on your setup, your website might be hosted on a managed platform like Acquia, Platform.sh or Pantheon. In other cases, you may have your own dedicated server or VPS. In the latter instance, a professional will be able to set up monitoring for port changes, with a port being a service on a computer that opens it up to receive and transmit data. Regularly scanning ports on a server is useful for seeing what someone on the outside looking in is able to talk to.
Regular updates - A professional is going to be able to run the regular updates on a server and any web applications. This will make sure patches for all known security vulnerabilities are installed. And in the instance of an update not going as planned, they will be able to revert your website back for you.
Rootkit scanning - A rootkit is a piece of malicious software that a hacker can install on a server to gain access to it at will. Often, they will replace the software existing on the server with their own versions that can do things like email passwords out to the exploiter, spam emails, etc. A professional will be able to put in an early warning system to detect such a change.
Audit response - If you are running a regular audit via a web application or haven’t run one in a while, a professional will be able to help out and proactively fix items that are identified in an automated audit, or run their own audit for you.
Firewall - Software firewalls come installed standard on most UNIX/Linux distributions, and setting up rules to prevent intruders should be done by a professional to keep only certain ports open to the outside and keep an eye on traffic.
DDoS - To prevent unwanted traffic and DDoS attacks, which is an attack that attempts to render your services unusable by flooding them with requests, a professional will be able to help you by putting scripts in place, or helping to configure a paid service like CloudFlare.
HTTPS - A professional is going to be able to help you put an HTTPS certificate in place, which is vital whenever sensitive credentials, such as passwords or credit card information, are being transferred through your website.
Sensitive data protection - A professional can make sure any sensitive data, such as credit card data, is encrypted and stored in a way that meets industry security standards. They can also lock down files and directories that shouldn’t be accessible over the web.

What are the most common vulnerabilities that a website can face? Some of the most common vulnerabilities a website can encounter are:

Brute force password attack - This is when an attacker runs an automated script to spam login attempts to a website over and over again until they guess the right password. Because of this, a strong password policy is especially important for administrators of people with access to important site components.
JavaScript injection - This is when an unauthorized attempt is made to insert a script onto one or many of your pages that will run, often without one’s knowledge. Anywhere a user is able to submit a value, that value should be sanitized.
SQL injection - Similar to a JavaScript injection, this is when an attacker attempts to add SQL (database) code into any input field or in the URL to try to override a database query. If the attack is successful they will be able to overwrite data in the database, adding their own users, changing passwords, modifying pages, or accessing credit card data (if it’s stored in the database, encrypted or otherwise). This can also be mitigated by sanitizing input data. Luckily in Drupal and many other CMS’, the majority of SQL manipulation is handled using their core in libraries; however, if using older systems or custom code, there might be edge cases where a SQL injection can be used.
Cross-site scripting - Similar to Javascript injections, an attacker can add some inline javascript to a page. This is often done via a form field or anywhere an input value is later displayed on a page. This would allow someone to add some malicious code to a page and then pass a link to that page via an email or a link to do things like steal credentials and hijack user sessions. There are two kinds of XSS attacks -- reflective and persistent. The first being when code is injected on the fly and the latter being when the code is stored, such as in the database or on a template.
Session data/cookies - Depending on what data your system is storing on the client-side, a knowledgeable hacker may try to exploit this and forge their own cookies to gain access to areas of the website they normally wouldn’t. Only non-confidential data or data that doesn’t play a major role in authentication should be stored in cookies. It is common to store session data in a database like Redis and store encrypted cookies like HMAC on the client-side to prevent tampering.
DDoS attacks - As mentioned above, this is when an attack attempts to flood a service with more requests that it can handle, grinding it to a halt. A lot of the large attacks you see in the news that take websites offline are due to DDoS attacks.

There are many more ways a site can be exploited, especially when more services are added to a website, such as REST, SOAP, FTP, etc., but the list above includes the most common vulnerabilities.

What are the most common issues a website security expert will see -- both the basic ones that a business can resolve themselves, as well as the more complex ones that an expert is needed for? The most common issues a professional is going to encounter when a website has been exploited are the attacks mentioned above. The majority of instances that we have encountered have been pages that have been compromised with an SQL injection and DDoS attacks. Hacked passwords are also very common due to poor password policies. However, it also depends on the web application and server. Drupal is good at mitigating many core security issues like cross-site scripting, SQL injections, JavaScript injections, and brute force attacks out of the box.

What are the most common misperceptions about website security? An ex-Soviet propagandist, Yuri Bezmenov, once said that the most common perception of espionage is blowing up bridges, stealing microfilms, and high-speed car chases. Similar things could probably be said for people's perception of hackers, but the reality is very different. The vast majority of attacks, unless politically motivated, will be targeted towards a specific goal of either bringing down a website or extracting some sort of personal profit. Most hackers will be looking for something automated they can put onto your site and move on to their next target to maximize any gains. They will often begin by running various scans on your system; if they’re going to try to gain access to your server, they will try to run a port scan and check for software versions running on the various ports. If your server hasn’t been upgraded or updated in quite a while, there is a chance an exploit is available for a piece of software running and that they might try to exploit it. Or if a service you’re running on your server also might have lax permissions on it, they could try to gain access that way. If your server runs FTP to allow you to upload files, a hacker may try to brute force a user and password combination by trying common dictionaries of words to get in. If there is a user with a weak password, they might be able to get access, place a script, and then run it if the server doesn’t have certain measures in place to prevent this. A hacker may also run a web scanner to try to determine the system you’re using, the version, and what modules you have enabled. If one of these modules or the system itself isn’t up to date with the latest security updates, they may try to take advantage of an exploit to gain access to the system. If this isn’t possible, they might try a mixture of URL patterns on your system, passing in queries to the URL to try to carry out an SQL injection or cross-site scripting exploit. If you are running an older system or some custom code that is below standard, this might work for them. Failing this, they may look for various pages on your website that have forms or input fields and try to inject malicious code. They may run a script that fires off endless requests to your server, which can grind your server to a halt if multiple hackers are targeting your site with the same method, in which case having a good system in place to prevent this is critical. The hacker might also start inspecting the cookies your website is storing in their browser and try to decode them to find a way to exploit them. These are really just a few examples, but unless a hacker is seriously intent on getting into your website and your website alone, they will be looking for the quickest and easiest ways to get in so they can place a political message or something for monetary gain and then move on to their next target.

What security benefits does Drupal offer that sets it apart from other CMS’?

At Drupal’s core, it is good at preventing JavaScript and SQL injection attacks and cross-site requests by sanitizing values by default and not allowing unauthorized and low-level users to enter tags in text fields.
Drupal contains many of the web server files required to restrict access to various directories.
Encryption can also be set up on the website database with control over what exactly to encrypt, from lax to very strict.
Drupal has a dedicated security team; any time a potential security risk is discovered, an update will be made available to the community.
Passwords are encrypted by default and there are a maximum amount of login attempts before a user is locked out to prevent brute force attacks.
It’s possible to set up LDAP, two-factor authentication, OAUTH, and many other authentication methods to secure logins.
Permissions can be controlled on a very fine level and managed by administrators to restrict and allow access to different pieces of content or functions of the site.
And for even greater control, community modules are also available.

To find out more about Drupal security, check out Drupal's security page here.