When Even Our Kids Can Hack a Government Site...
It is really, really embarrassing that a kid in elementary school could hack into any government computer system; however, a 12-year-old boy has pleaded guilty to doing just that in 2012. I'm not sure how much is known about how he did this, and no doubt he is a very bright and curious child, but this really needs to be a glaring warning about a systemic problem with how governments in Canada manage security.
In my dealings with government IT, I find far too often that departments go only so far as to apply a CYA approach to security. Far too often this comes down to choosing a big vendor, and assuming that all they need to do is set a policy to buy from huge companies like Microsoft, Red Hat or Novell and then they are covered for security.
This approach is sadly inadequate. Any software can be set up to be insecure if it is configured that way. It takes patience, persistence and a certain amount of paranoia to secure a computer system, but it is critical that government agencies start systematically addressing this issue. It shouldn't take a security story making the news to make a government department question if they are doing it right.
A month ago I wrote a blog post about Principles of Web Security. This generated a bit of traffic, but ultimately it was a small part of the Drupal Security Guide which we started writing in the summer. This certainly isn't a comprehensive guide, but it highlights some of the things which government departments should be considering when setting up a web server.
We've written it specifically for Drupal running on either a Debian or Red Hat system, as we consider these to be best practices. That being said, the principles apply to much more than this CMS and these popular Linux distributions.
We do have further plans for this security guide, but ultimately we want to build up a community contributing to it. This field changes quickly and collaboration is critical in order to establish best practices that everyone can adopt.
About The Author
Mike Gifford is the founder of OpenConcept Consulting Inc, which he started in 1999. Since then, he has been particularly active in developing and extending open source content management systems to allow people to get closer to their content. Before starting OpenConcept, Mike had worked for a number of national NGOs including Oxfam Canada and Friends of the Earth.