In November, multiple cyberattacks were launched against Estonian state agencies. As a result, at least 350 GB of data and the personal data of around 10 000 Estonians who have tested positive for COVID-19 was leaked. According to Geenius, the attacks started from the Drupal content management system (CMS) and LimeSurvey database. The open source CMS Drupal offers a wide variety of opportunities and can be very secure if it is used properly and securely. The CTO of ADM, Ivo Nellis shares important tips that can help you ensure secure usage of Drupal regardless of the size of the organisation using it.
According to the web technology survey company W3Techs, at least 1,5% of all websites in the world are built on the open source CMS Drupal with the most popular version being Drupal Version 7, which is used for 66,8% of all Drupal websites. Thanks to its large selection of features and reliability, Drupal has earned the trust of many large organisations – for example, it is used by the European Union’s official website europa.eu, the US National Institutes of Health (nih.gov), Harvard University (harvard.edu), the official website of the state of New York, and many others. Drupal is dependable and one of the better content management systems available, but only when it is used in a secure manner.
- The foundation of security is always using the latest version of any software and Drupal is no exception. The Drupal Security Team is responsible for ensuring that the process of implementing any and all security patches is well-defined and clearly guided for all web developers. But this alone is still not enough to guarantee security. Any organisation that uses Drupal must also always have agreed upon a process for implementing updates AKA someone must be responsible for keeping track of the information that is sent out about Drupal updates. There are different ways of doing this, such as watching news feeds or subscribing to newsletters that are aimed at developers.
- Drupal core updates are always released at specific times that are publicly announced ahead of time. For example, bugfixes for Drupal versions 9.1.x, 8.9.x, and 7.x are released on the first Wednesday of every month. And security updates for Drupal versions 9.1.x, 9.0.x, 8.9.x, and 7.x are released on the third Wednesday of every month. Security updates for Drupal’s contributed projects are also always released on Wednesdays within a specified time “window”.
- To ensure that no update goes unnoticed, you must activate the automatic update module on your Drupal website and periodically check the website’s status report. It is recommended that you configure the update module so that an automatic e-mail notification is sent to you as soon as a security update becomes available.
The secure use of any CMS begins with the users who use it to create content for the website. How they log in to the system and what kinds of passwords and usernames they use are of critical importance here.
- Drupal’s default admin username is “admin”. This must be changed as knowing the username increases the chance of successful attacks taking place.
- You should definitely not use reuse passwords that you use to access other websites. Instead, you should create a unique password, keep it only to yourself and switch it out regularly.
- Although Drupal has set down rules for creating a secure password, you should view those rules as the minimum requirements and implement even stricter rules that need to be adhered to within the whole organisation.
- All user activities must always be logged to ensure a consistent overview of all changes. It is important to save the time of the activity, the user data, the context (e.g., modules used, the specific part of the CMS etc), and the activity itself.
- We recommend regularly auditing all Drupal user roles and rights. This is especially important in large organisations where employees often change, but it is also important to know exactly who has access to what in smaller companies with only a couple of employees as well.
- Only a secure SSH connection must be used to access the server and if possible, only predetermined IP-addresses or locations should be given access to it.
- It is recommended that you only give users the minimum required rights. If users can only access the data and resources they need for their work, then that decreases possible security risks. For example, if an employee’s job is only connected to backing up data, then that employee does not need to have the right to install software.
One of Drupal’s strengths is its huge catalogue of modules – there are nearly 50 000 and they are all free and additionally, anyone can create their own modules. Without these contributed projects, Drupal would not have enough features, but at the same time, these modules can also become weaknesses if used incorrectly.
- If possible, you should only use stable modules and avoid unsupported modules.
- We recommend that you keep the number or modules used as low as possible and always remove any modules you are not using. Although this creates additional work for the admin, it helps keep potential attack targets under control.
- Using Composer is recommended for managing and updating Drupal’s modules and dependencies.
- Use Drupal security modules that include everything needed for ensuring security, from two-factor authentication to CAPTCHAs.
- If you are using anything that allows users to upload files to your website, then you must properly configure a private file system as well.