What Managers Need to Know About Security
This was originally titled What Communications Managers Should Know (and Do) About Web Security, but that was just way too long a title.
Security is something that everyone needs to understand on a basic level in our modern society, but staff need to know more as their organizational mission can also be jeopardized. For people in management it is especially important as they set the tone for everyone else. IT security simply cannot be left to the techies to take care of. The risks are huge, it’s complicated, and unfortunately if management ignores it, it won’t just go away.
Most modern organizations are using a Content Management System (CMS) to ensure that there is an effective means to control and organize their website’s content. Security upgrades need a level of technical understanding that is rare within many organizations. Fortunately, there are lots of organizations who can provide commercial support for all kinds of software, so people in management just need to ensure that there is a contract in place that clearly defines responsibility for ongoing security maintenance. I can’t think of a CMS that wouldn’t require at least some security work every quarter.
It is possible that an organization will need to set up two different contracts – one to maintain the CMS, the other to maintain the server. If the organization is able to have the site hosted with a 3rd party solution like Acquia, then that service will likely address critical security issues for both. If the site is on a shared hosting environment, then management will generally only have to worry about setting up a system to secure the CMS, although there are often other problems with this type of solution. Many organizations are now using virtual, cloud or dedicated hosting for their sites. These options are really coming down in price and they usually offer complete control over the server (full root access). Unfortunately, this option also comes with the responsibility of applying the security releases for the server, and many managers don’t realize that their organization is taking on at least some additional responsibility for overseeing security upgrades on the server on top of the need to maintain their CMS.
Also remember that all software has a life cycle: find out until when the version of the CMS being installed will be supported. It is quite likely that, no matter what CMS an organization chooses, they will need to budget for a major upgrade every couple of years. This may sound like a lot, but the Internet moves very quickly, and many of the ideas that were popular back in 2010 frankly turn away clients today.
We have done extensive surveys of non-profits and government agencies that are using Drupal and have been surprised at just how many organizations have sites that are months if not years behind in security updates. With Drupal it is most common to just check the CHANGELOG.txt file to see that it matches the latest security release. If this file isn't visible on an organization's Drupal site, chances are its site is more out-of-date than the web team would like to admit. Removing this file does not make a site more secure.
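The CHANGELOG.txt check described above, as an added example that is not part of the original guide: it parses the first release entry of a Drupal 7 CHANGELOG.txt (assumed already retrieved from your own site's web root) and compares it with the latest release number you supply, and it also reports how old that installed release is, since the text suggests budgeting for security work every quarter. The CHANGELOG contents and version numbers below are constructed samples.

```python
import re
from datetime import date

# Constructed sample of the top of a Drupal 7 CHANGELOG.txt; the newest
# release is always the first entry, in the form "Drupal X.Y, YYYY-MM-DD".
SAMPLE_CHANGELOG = """
Drupal 7.36, 2015-04-01
-----------------------
- Fixed security issues (multiple vulnerabilities). See the advisory for this release.

Drupal 7.35, 2015-03-18
-----------------------
- Fixed security issues (multiple vulnerabilities). See the advisory for this release.
"""

VERSION_RE = re.compile(r"^Drupal (\d+(?:\.\d+)+),\s*(\d{4}-\d{2}-\d{2})", re.MULTILINE)


def installed_version(changelog_text):
    """Return (version, release_date) of the newest entry, or None when the
    text does not look like a Drupal CHANGELOG.txt (for example a 404 page
    returned because the web team removed the file)."""
    m = VERSION_RE.search(changelog_text)
    return (m.group(1), m.group(2)) if m else None


def version_tuple(version):
    """'7.10' must sort after '7.9', so compare as tuples of ints, not strings."""
    return tuple(int(part) for part in version.split("."))


def audit(changelog_text, latest_release):
    """Compare the installed core version with the latest release published by
    the project. Returns 'current', 'outdated' or 'unknown'."""
    found = installed_version(changelog_text)
    if found is None:
        return "unknown"
    installed, _ = found
    return "current" if version_tuple(installed) >= version_tuple(latest_release) else "outdated"


def release_age_days(changelog_text, today):
    """Days since the installed release shipped; None when no entry was found."""
    found = installed_version(changelog_text)
    if found is None:
        return None
    return (today - date.fromisoformat(found[1])).days


if __name__ == "__main__":
    print(audit(SAMPLE_CHANGELOG, "7.39"), release_age_days(SAMPLE_CHANGELOG, date(2015, 7, 1)))
```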
When an organization's website is compromised it affects its clients, financial support, branding efforts and trust.
Most Common Problem
One of the most common server attacks these days is redirection malware, which inserts links, and often code as well, into the website. Pharma spam usually isn't that dangerous, but it still discredits the website by promoting Viagra, Cialis, Xanax and other drugs; the links are often “cloaked”, or hidden from site visitors, so the web pages in question appear normal. However, in the background the software often displays unsolicited advertisements, or links to advertising sites that earn revenue for the hacker. In a more extreme example, according to the Wikipedia reference above, this code can also be used to allow a hacker to monitor the browsing patterns of site visitors, and can be packaged together with other user-installed software to cause greater privacy infringements.
Being hacked will definitely affect ranking in Google. Google forums have some useful information about this.
What Needs to be Done
Having organizational policies about passwords and ensuring that they are stored using secure tools like Keepass is very important, since all staff have passwords. Management needs to set policies about who has access to which passwords, how passwords to key accounts are managed and what to do when staff leave the organization. Passwords need to be sufficiently complicated that they simply can't be memorized.
Management doesn't have to understand what an ssh key is or how it is generated, but it is important that they know that logging into a server with a username and password is no longer considered a best practice (no matter how random your password is).
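As an added example, not part of the original guide, here is a small audit of an OpenSSH server configuration that tells a manager (or the contractor maintaining the server) whether password logins are still accepted; the two sshd_config fragments are constructed samples showing the weak setting beside the corrected one, and the defaults assumed for missing keywords are those of a modern OpenSSH (7.0 or later).

```python
import re

# Constructed sample: a default-looking sshd_config that still accepts passwords.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the hardened form, keys only and no root password logins.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""


def parse_sshd_config(text):
    """Map each keyword (case-insensitive) to its effective value. sshd uses the
    first occurrence of a keyword, so later duplicates are ignored; keywords may
    be separated from their value by whitespace or a single '='. The audit covers
    the global section only, so parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings


def password_login_findings(text):
    """Return a list of findings; an empty list means only key-based logins remain."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is on: set 'PasswordAuthentication no'")
    if s.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes lets root log in with a password: use 'prohibit-password' or 'no'")
    if s.get("pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication is off: ssh keys cannot be used at all")
    # With PAM, keyboard-interactive can still prompt for a password unless disabled.
    if s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes")) == "yes":
        findings.append("KbdInteractiveAuthentication is on: password prompts may still be possible via PAM")
    return findings
```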
Make sure that all computers in the organization apply security updates to browsers and other software that may be accessing the Internet. It's a hostile environment and it’s best to be cautious. The most widely known type of security users are familiar with is virus protection, particularly on Windows, but it is critical to remember that there are many ways in which a computer can be compromised.
I was reminded by Michael Richardson of CREDIL that Drupal security planning needs to be done from the beginning of the process to the end and that insecure protocols like FTP simply should not be allowed. If the site has already launched and security hasn't been thought through, it is going to be a bigger, more expensive process.
This is a small part of a free Drupal Security Guide that we wrote and are maintaining. If you have questions about the security of your Drupal website or think your site may have been compromised, give us a call.
About The Author
Mike Gifford is the founder of OpenConcept Consulting Inc, which he started in 1999. Since then, he has been particularly active in developing and extending open source content management systems to allow people to get closer to their content. Before starting OpenConcept, Mike had worked for a number of national NGOs including Oxfam Canada and Friends of the Earth.