Drupal Security Made Simple

Table of Contents
• The Truth About Security
• Basic Security Principles
• Types of Hackers
• Knowing the Vulnerabilities
• Preventing Vulnerabilities
• Protocols and Guidelines
• Legalities and Privacy
• What to Do if You Get Hacked
• Conclusion

The Truth About Security

Your Drupal website is done, it looks the way you want it to and has all of the functionality required, right? Wrong! Oftentimes people finish what looks like a complete Drupal site without giving a second thought to security. However, security is a major factor in building a completely successful Drupal site. A report from the Center for Strategic and International Studies (CSIS) estimates that cybercrime costs businesses some $400 billion a year worldwide. It is always better to be on the proactive side of web security than on the reactive side.

Security Myths and Truths

MYTH: I don’t accept credit cards online, I don’t need to worry about security.
TRUTH: Security of a system needs to be built-in using a holistic approach.
MYTH: I don’t care if someone cyber-squats on my website, as long as they don’t use too much bandwidth.
TRUTH: Security of your system and protecting company or client data is paramount.
MYTH: You can only get viruses or malware from shady areas of the web.
TRUTH: Security includes an audit of people, process and technologies. Any gaps in any of these areas can cause critical vulnerabilities.
MYTH: Security through obscurity.
MYTH: I’m not interesting enough. No one wants to hack me.
TRUTH: The biggest security risk is humans.
MYTH: I don’t have anything worth stealing on my site.
TRUTH: The cost to fix security is more than the cost to implement it properly from the start.
MYTH: All I need is an SSL. That makes me secure.
TRUTH: PR damage can be irreparable.

Why Hackers Target Sites
• To use your computer
• To steal services and/or valuable files
• For thrill and excitement
• To get even
• As a publicity stunt
• To set up malicious commerce sites
• Knowledge/Experiment/Ethical
• Curiosity
• To spy
• Prestige or bragging rights
• Intellectual challenge
• Money/Financial Gain
• To engage in various forms of credit card fraud

What is OWASP?

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. Learn more about OWASP on their website.

The Cost of a Breach

As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year. If you ever face a security breach and credit card information is stolen, having a proven record of your PCI compliance can protect you from financial penalties (ranging from $25 to $215 per compromised card).
Major corporations, such as Heartland Payment Systems, have faced fines as large as $12.5 million. Target attributed a portion of its 5.3% loss in sales and a 46% drop in profit during the 4th quarter of 2013 to its security breach in November.

“If cars were built like applications [...] safety tests would assume frontal impact only. Cars would not be roll tested, or tested for stability in emergency maneuvers, brake effectiveness, side impact, and resistance to theft.” – Denis Verdon, Head of Information Security at Fidelity National Financial

The Basic Security Principles

A Holistic Approach to CyberSecurity and Privacy: Security is a Process, Not a Product.

Website development is a combination of people, process, and technology. Testing is the most important part of an effective security program. An effective testing program should have components that test:
• People – to ensure that there is adequate education and awareness;
• Process – to ensure that there are adequate policies and standards and that people know how to follow these policies;
• Technology – to ensure that the process has been effective in its implementation.

Unless a holistic approach is adopted, testing just the technical implementation of an application will not uncover management or operational vulnerabilities that could be present.

Use the Right Tools

While it is tempting to think that a security scanner or application firewall will either provide a multitude of defenses or identify a multitude of problems, in reality there are no silver bullets to the problem of insecure websites. Tools do play a critical role in the overall security program. However, it is important to understand exactly what these tools can and cannot do, so that they are not oversold or used incorrectly.

Think Strategically, Not Tactically

To prevent recurring security problems within an application, it is essential to build security into the Software Development Life Cycle (SDLC) by developing standards, policies, and guidelines that fit and work within the development methodology. Threat modeling and other tech­niques should be used to help assign appropriate resources to those parts of a system that are most at risk.

(Figure: three overlapping circles labelled People, Technology and Process.)

By integrating security into each phase of the SDLC, it allows for a holistic approach to security that leverages the procedures already in place within the organization. Typical SDLC phases include: define, design, develop, deploy, maintain. Each phase has security considerations that should become part of the existing process, to ensure a cost-effective and comprehensive security program.

Test Early, Test Often, and Document

When a bug is detected early within the SDLC, it can be addressed more quickly and at a lower cost. A security bug is no different from a functional or performance-based bug in this regard. New threats arise constantly and developers must be aware of those that affect the software they are developing.

Code reviews are still an invaluable step in the process. If the source code for the application is available, it should be given to the security staff to assist them while performing their review. It is possible to discover vulnerabilities within the application source that would be missed during a black box engagement.

To conclude the testing process, it is important to produce a formal record of what testing actions were taken. The report must be clear to the business owner in identifying where material risks exist and sufficient enough to get their backing for subsequent mitigation actions. The report must be clear to the developer in pinpointing the exact function that is affected by the vulnerability, with associated recommendations for resolution in a language that the developer will understand (no pun intended). Last but not least, the report writing should not be overly burdensome, so agree to a format that is acceptable to all involved.

A superficial security review of an application will instill a false sense of confidence that can be as dangerous as not having done a security review in the first place. Verify that every possible section of the application logic has been tested, and that every use case scenario was explored for possible vulnerabilities.

Review the findings and weed out any false positives that may remain in the report. Reporting an incorrect security finding can often undermine the valid message of the rest of a security report.

Successfully testing an application for security vulnerabilities requires thinking “outside of the box.” Good security testing requires going beyond what is expected and thinking like an attacker who is trying to break the application. This is one of the reasons why automated tools are actually bad at automatically testing for vulnerabilities. Proper testing requires creativity and, at this point in history, still requires humans.

Understand the Scope

It is important to know how much security a given project will require. Discussions should occur with legal counsel to ensure that any specific security need will be met. Compliance requirements, e.g. HIPAA, to protect sensitive data, should be known at the outset of the project to ensure that they are properly implemented and tested throughout the process.

Another important part of a good security program is the ability to determine if things are getting better. Metrics can show if more education and training are required. They can also show if there are gaps in the processes, or if there is a particular security mechanism that is not clearly understood by development. Metrics can also help determine if the total number of security related problems being found each month is going down.

One of the first major initiatives in any good security program should be to require accurate documentation of the application.
The architecture, data-flow diagrams, use cases, and more should be written in formal documents and made available for review. The technical specification and application documents should include information that lists not only the desired use cases, but also any specifically disallowed use case. Finally, it is good to have at least a basic security infrastructure that allows the monitoring and trending of attacks against an organization’s applications and network.

Types of Hackers

An ethical hacker is usually employed by an organization who trusts him or her to attempt to penetrate networks and/or computer systems, using the same methods as a hacker, for the purpose of finding and fixing computer security vulnerabilities. Unauthorized hacking (i.e., gaining access to computer systems without prior authorization from the owner) is a crime in most countries, but penetration testing done by request of the owner of the victim system(s) or network(s) is not malicious hacking.

(Figure: The Malicious Hacker, surrounded by the groups described below: Cyber Criminals, Spam & Adware Spreaders, Advanced Persistent Threat Agents, Corporate Spies, Hacktivists, Cyber Warriors, Rogue Hackers.)

Cyber Criminals

Professional criminals comprise the biggest group of malicious hackers. They use malware and exploits to steal money. It doesn’t matter how they do it, whether they’re manipulating your bank account, using your credit card numbers, faking anti-virus programs, or stealing your identity or passwords. Their motivation is fast, big financial gain.

Spam and Adware Spreaders

Purveyors of spam and adware make their money through illegal advertising, either getting paid by a legitimate company for pushing business their way or by selling their own products. Cheap Viagra, anyone? Members of this group believe they are just “aggressive marketers.” Whatever helps them sleep at night.

Advanced Persistent Threat Agents

Intruders engaging in APT-style attacks represent well-organized, well-funded groups — often located in a “safe harbor” country — and they’re out to steal a company’s intellectual property. They aren’t out for quick financial gain like cyber criminals; they’re in it for the long haul. Their dream assignment is to essentially duplicate their victim’s best ideas and products in their own homeland, or to sell the information they’ve purloined to the highest bidder. This group has been continually getting better, stronger and bigger. It is expected to top the charts this year according to all cyber security predictions.

Corporate Spies

Corporate spying is not new; it’s just significantly easier to do, thanks to today’s pervasive Internet connectivity. Corporate spies are usually interested in a particular piece of intellectual property or competitive information. They differ from APT agents in that they don’t have to be located in a safe-harbor country. Corporate espionage groups aren’t usually as organized as APT groups, and they are more focused on short to mid-term financial gains.

Cyber Warriors

Cyber warfare is a city-state against city-state exploitation, with an endgame objective of disabling an opponent’s military capability. Participants may operate as APT or corporate spies at times, but everything they learn is geared toward a specific military objective. The Stuxnet worm is a great example of this attack method.

Rogue Hackers

There are hundreds of thousands of hackers who simply want to prove their skills, brag to friends, and are thrilled to engage in unauthorized activities. They may participate in other types of hacking (crimeware), but it isn’t their only objective and motivation. These are the traditional stereotyped figures popularized by the 1983 film “War Games,” hacking late at night while drinking Mountain Dew and eating Doritos. These are the petty criminals of the cyber world. They’re a nuisance, but they aren’t about to disrupt the Internet and business as we know it, unlike members of the other groups.

Hacktivists

A lot of hackers are motivated by political, religious, environmental, or other personal beliefs. They are usually content with embarrassing their opponents or defacing their websites, although they can slip into corporate-espionage mode if it means they can weaken the opponent. Think WikiLeaks or Anonymous.

Knowing the Vulnerabilities

The OWASP Top 10 focuses on identifying the most serious risks for a broad array of organizations. For each of these risks, they provide generic information about the likelihood and technical impact using a simple ratings scheme, which is based on the OWASP Risk Rating Methodology.
• A01 Injection
• A02 Broken Authentication and Session Management
• A03 Cross-Site Scripting (XSS)
• A04 Insecure Direct Object References
• A05 Security Misconfiguration
• A06 Sensitive Data Exposure
• A07 Missing Function Level Access Control
• A08 Cross-Site Request Forgery (CSRF)
• A09 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards

Protecting from these vulnerabilities is a must. Tools cannot do it all. Manual testing and attention to detail are also a must. Security is multi-layered and all layers must be properly configured. It is important to remember that security is a process, not a product. Complacency is our biggest threat. OWASP provides some great resources and tools, but only you know the specifics of your environment and your business.

Preventing Vulnerabilities

The Target breach was easy to prevent by using a secure development process, a properly hardened server, profiling the behavior and setting up alerts, and a good corporate security framework.

Drupal core has had no major zero-day vulnerability threat.
The established process of the Security Team and its resolution record mitigate the threat of a vulnerability being disclosed publicly before a fix is available. Responsible vulnerability reporters are credited in all security advisories to encourage continued advance disclosure.

Drupal Core and Security

Secrecy of source code is not a sustainable security practice. Developers make mistakes and cut corners, but the increased visibility of code and emphasis on the individual in open-source communities encourage improved programming skill and practices. Drupal’s strict requirements before code can be committed to core increase collaboration and peer review as well as protecting against security holes. Many other open source CMS applications do not publicly produce vulnerability disclosures or resolutions to the same degree as the Drupal project. The Security Team publishes vulnerability disclosures in the form of Security Advisories. The core API tools and techniques, when used correctly, address critical and common security risks. It is important to understand that security is a process and not a static product, and that there is always room for improvement.

Maintaining Strong Security

A strong security process on a Drupal site involves running the latest secure releases of core and contributed code, maintaining secure configuration, and implementing custom code that uses the established APIs and follows best practices. It is important to remember that security must be maintained on all software and hardware layers as well. Staying informed of the latest security releases is possible by many means. Advisories are published on drupal.org and accessible as RSS, sent via an email list, and posted on several Twitter accounts. In the administration pages, each Drupal site also informs administrators of relevant security releases. The front page of drupal.org always lists the most up-to-date and secure stable release of core. Educational resources regarding secure configuration and writing secure code are provided on drupal.org and many community sites. Several contributed modules provide security-related services or implement specific security additions.

A zero-day attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on “day zero” of awareness of the vulnerability.

Applying Security Upgrades

Drupal core updates within a major branch almost exclusively contain security and bug fixes, so upgrades are usually quick and without fault. In Drupal 7, applying module upgrades can be done securely within the administrative interface of the website. Contributed projects are not subject to Drupal core’s strict policy, so upgrade procedures and results vary. Popular community modules are often better documented and supported.

Drupal Best Practices

Drupal’s best practices also serve to keep your Drupal site secure.
• Never Hack the Core!
• Backup your database and files
• Avoid hardcoding
• Bundle site settings using Features
• Ensure that your site is secure
• Use test sites
• Avoid too many modules

Must Have Drupal Security Modules

The modules listed here will protect from all OWASP vulnerabilities not addressed in core.

Security Review
Protects against: A05
The Security Review module automates testing for many of the easy-to-make mistakes that render your site insecure. This module is only a small part in the security of a site. A site passing this review with no additional security modules and audit cannot be considered secure.

Captcha
Protects against: Spam
A CAPTCHA is a challenge-response test most often placed within web forms to determine whether the user is human. The purpose of CAPTCHA is to block form submissions by spambots, which are automated scripts that post spam content everywhere they can. The CAPTCHA module provides this feature to virtually any user facing web form on a Drupal site.

Input Filters (Core)
Protects against: A03
By default, there are three input filters: Plain text, Filtered HTML and Full HTML. Additional filters can be added on the Input filters page. Input filters are not associated with a WYSIWYG editor by default, and are configured accordingly (i.e. URLs turn into links automatically and line breaks automatically become <br> or <p> tags). Care should be taken when configuring these filters to ensure the integrity of the system.

Honeypot
Protects against: Spam
Honeypot uses both the honeypot and timestamp methods of deterring spam bots from completing forms on your Drupal site. These methods are effective against many spam bots, and are not as intrusive as CAPTCHAs or other methods which punish the user. The module currently supports enabling for all forms on the site, or particular forms like user registration or password reset forms, webforms, contact forms, node forms, and comment forms.

Automated Logout
Protects against: A02 A05 A06
This module provides a site administrator the ability to log users out after a specified time of inactivity. It is highly customizable and includes “site policies” by role to enforce logout.

Security Kit
Protects against: A03 A08
The Security Kit module provides the Drupal installation with various security hardening options. This lets you mitigate the risks of exploitation of different web application vulnerabilities. Most of this can be achieved using HTTP headers, but if access to the server does not permit that, this module will correct the issue.

Session Limit
Protects against: A02 A05 A06
Session Limit allows administrators to limit the number of simultaneous sessions per user. By default, a session is created for each browser that a user uses to log in. This module will force the user to log out of any extra sessions after they exceed the administrator-defined maximum.
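The Input Filters (Core) entry above describes what a Filtered HTML text format does: tags outside an allowlist are dropped, bare URLs become links and line breaks become <br>. The following is an added example in Python, not Drupal's own filter code, that implements those three behaviours so the mechanism can be read without the Drupal API. The allowlist of tags and attributes, the accepted URL schemes and the sample input are assumptions made for the example, not Drupal's defaults.

```python
# Filtered-HTML style input filter: an added example, not Drupal's own code.
# Behaviours implemented: drop every tag not on the allowlist (keeping the text
# inside it), refuse attributes that can run script, turn bare URLs into links,
# convert line breaks to <br>. The allowlist is an assumption for this example.
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "em", "strong", "p", "br", "ul", "ol", "li", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # no on* handlers, no style
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/")
URL_RE = re.compile(r"(https?://[^\s<]+)")


def safe_href(value):
    """Accept only link targets that cannot execute script (rejects javascript:, data:, ...)."""
    return value.strip().lower().startswith(SAFE_HREF_PREFIXES)


class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = 0   # >0 while inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1
            return
        if tag not in ALLOWED_TAGS:
            return          # tag removed; its text is still emitted by handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href" and not safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self.skipping:
            return
        text = html.escape(data, quote=False)       # charrefs were decoded; re-escape
        text = URL_RE.sub(r'<a href="\1">\1</a>', text)
        self.out.append(text.replace("\n", "<br>\n"))


def filter_html(markup):
    """Return `markup` reduced to the allowlist, with URLs linked and newlines as <br>."""
    parser = AllowlistFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample mixing legitimate markup with an injected handler and script.
    sample = ('<p onclick="steal()">Visit http://example.com\n'
              '<script>alert(1)</script><a href="javascript:alert(2)">me</a></p>')
    print(filter_html(sample))
```

Because the parser re-escapes text nodes after decoding character references, an encoded `&lt;script&gt;` in the input comes out as harmless escaped text rather than being re-assembled into a tag; that double-pass is the part most ad hoc regex filters get wrong, and it is why the page recommends care when configuring these filters.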
Username Enumeration Prevention
Protects against: A02 A05 A06
When the module is enabled, the error message will be replaced with the same message shown for a valid user and they will be redirected back to the login form. If the user does not exist, no password reset email will be sent, but the attacker will not know this is the case.

Additional Security Modules

The modules listed below will help sites pass a corporate audit and promote best practices:

Password Policy
Protects against: A02 A05 A06
The Password Policy module allows you to enforce a specific level of password complexity for the user passwords on the system. Example: an uppercase constraint (with a parameter of 2) and a digit constraint (with a parameter of 4) means that a user password must have at least 2 uppercase letters and at least 4 digits for it to be accepted.

Flood Control
This project is intended to add an administration interface for hidden flood control variables in Drupal 7, like the login attempt limiters and any future hidden variables.

PCI Update
A simple module to encompass updates to Drupal to satisfy vulnerabilities reported by Approved Scan Vendors (ASV), often as a result of the PCI DSS compliance processes. Currently this module only affects the login form, but it will be a home for updates as they are identified in the future.
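The three login-form controls described above (a Password Policy with counted constraints, Flood Control's limit on failed login attempts, and Username Enumeration Prevention's identical response whether or not an account exists) are shown below as an added example in plain Python. It is not the Drupal modules' own code; the thresholds, the one-hour window, the minimum-length row of the policy and the sample account are assumptions for the example. The uppercase and digit rows reproduce the page's own example parameters of 2 and 4.

```python
# Login-form hardening logic: an added example, not the Drupal modules' own code.
# Password Policy, Flood Control and Username Enumeration Prevention in one place;
# thresholds, window length and sample user data are assumptions for the example.
import re
import time
from collections import defaultdict, deque

# Password Policy: (what is counted, regex, minimum count). The first two rows are
# the page's example (uppercase constraint 2, digit constraint 4); the length row
# is an added assumption.
POLICY = [
    ("uppercase letters", r"[A-Z]", 2),
    ("digits", r"[0-9]", 4),
    ("characters", r".", 10),
]


def check_password(password):
    """Return the constraints the password fails; an empty list means it is accepted."""
    failures = []
    for name, pattern, minimum in POLICY:
        count = len(re.findall(pattern, password))
        if count < minimum:
            failures.append("at least %d %s required, found %d" % (minimum, name, count))
    return failures


class FloodControl:
    """Sliding-window limit on failed logins, tracked per username and per client IP."""

    def __init__(self, user_limit=5, ip_limit=50, window=3600, clock=time.time):
        self.user_limit = user_limit
        self.ip_limit = ip_limit
        self.window = window          # seconds
        self.clock = clock            # injectable so tests can move time forward
        self.failures = defaultdict(deque)

    def _recent(self, key):
        cutoff = self.clock() - self.window
        events = self.failures[key]
        while events and events[0] <= cutoff:
            events.popleft()          # forget failures that fell out of the window
        return len(events)

    def record_failure(self, username, ip):
        now = self.clock()
        self.failures[("user", username)].append(now)
        self.failures[("ip", ip)].append(now)

    def is_blocked(self, username, ip):
        return (self._recent(("user", username)) >= self.user_limit
                or self._recent(("ip", ip)) >= self.ip_limit)


def attempt_login(flood, credentials, username, password, ip):
    """Consult the flood table before checking the password; every failure feeds the table."""
    if flood.is_blocked(username, ip):
        return "blocked"
    # `credentials` holds plaintext only to keep the example short; Drupal stores salted hashes.
    if credentials.get(username) == password:
        return "ok"
    flood.record_failure(username, ip)
    return "failed"


# Username Enumeration Prevention: the reset form answers identically whether or not
# the account exists, so the response cannot be used to confirm valid usernames.
RESET_MESSAGE = "If the account exists, further instructions have been sent to it."


def request_password_reset(username, known_users, mail_log):
    if username in known_users:
        mail_log.append(username)     # where the real module would send the e-mail
    return RESET_MESSAGE


if __name__ == "__main__":
    print(check_password("AB1234cdefgh"))            # [] -> accepted
    creds = {"alice": "AB1234cdefgh"}                # constructed sample account
    flood = FloodControl(user_limit=3, window=60)
    for _ in range(4):
        print(attempt_login(flood, creds, "alice", "wrong", "198.51.100.7"))
    print(request_password_reset("nobody", {"alice"}, []))
```

The flood check runs before the password comparison, so once the per-user limit is reached even the correct password is refused until the window expires; the per-IP limit catches an attacker cycling through many usernames from one address, which the per-user counter alone would miss.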
Logging and Alerts

This is a collection of logging and alerts modules. They interface to the new custom logging watchdog hook available in 6.x. Currently, the following modules are included:

Email Logging and Alerts
Allows routing of watchdog messages to various email addresses, based on their severity levels. For example, emergency and critical messages need to go to a pager or mobile phone email address, while debug messages go nowhere.

Web Server Logging
Allows routing of watchdog messages to the web server’s error log. Note that what is in your PHP configuration for error_log defines where the message will go. For example, on a UNIX-like system this will be syslog(3), which may end up in /var/log/apache2/error.log, and on Windows it would be the event log. You define which severity levels are to go to the error log. For example, you can specify that only emergency and critical messages need to go to the error log, and use other modules for the other levels.

Watchdog Triggers
Provides a trigger for watchdog events. You may now trigger actions when an event occurs.

Watchdog Rules
Provides Rules integration for watchdog events. You may now trigger additional ruleset responses when an event occurs.

Login Security
The Login Security module improves the security options in the login operation of a Drupal site. By default, Drupal introduces only basic access control, denying IP access to the full content of the site. With the Login Security module, a site administrator may protect and restrict access by adding access control features to the login forms (the default login form in /user and the block called “login form block”). Enabling this module, a site administrator may limit the number of invalid login attempts before blocking accounts, or deny access by IP addresses, temporarily or permanently.

Coder
This module utilizes rules (mostly regular expressions) to review source code files for code that needs to change due to Drupal API changes and does not satisfy Drupal coding standards.

Generate Password
This is a great utility module which makes the password field optional (or hidden) on the add new user page (admin and registration). If the password field is not set during registration, the system will generate a password. You can optionally display this password at the time it’s created.
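Email Logging and Alerts and Web Server Logging above share one rule: every destination is configured with the set of watchdog severities it accepts, and Watchdog Triggers adds an action that fires when a matching event is logged. The block below is an added example in Python, not the code of those modules, that implements that routing over a few constructed watchdog entries. The destination names, the routing table and the sample entries are assumptions made for the example; the severity names and their numbering follow Drupal's watchdog levels.

```python
# Severity-based routing of watchdog messages: an added example, not the code of
# the Logging and Alerts modules. Destinations receive only the severities they
# are configured for, and registered triggers fire on matching events.
# Destination names, routing table and sample entries are constructed.
from collections import defaultdict

# Drupal's watchdog severities, numbered as in core (0 is the most severe).
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Assumed configuration: destination -> severities routed to it.
ROUTES = {
    "email:pager@example.invalid": {"emergency", "critical"},
    "error_log": {"emergency", "alert", "critical", "error"},
}

# Constructed watchdog entries as (type, severity, message).
SAMPLE_ENTRIES = [
    ("user", "notice", "Login attempt failed for admin from 198.51.100.7."),
    ("php", "error", "Undefined index: mail in user_save()."),
    ("security", "critical", "Module file changed: sites/all/modules/example/example.module"),
    ("cron", "debug", "Cron run completed."),
]


class WatchdogRouter:
    def __init__(self, routes=ROUTES):
        self.routes = routes
        self.delivered = defaultdict(list)   # destination -> formatted lines
        self.triggers = []                   # (predicate, action) pairs

    def add_trigger(self, predicate, action):
        """Run action(type, severity, message) whenever predicate(...) is true."""
        self.triggers.append((predicate, action))

    @staticmethod
    def at_least(severity, threshold):
        """True when `severity` is as severe as `threshold` or more so."""
        return SEVERITY[severity] <= SEVERITY[threshold]

    def log(self, entry_type, severity, message):
        if severity not in SEVERITY:
            raise ValueError("unknown severity: %r" % severity)
        line = "[%s] %s: %s" % (severity.upper(), entry_type, message)
        for destination, accepted in self.routes.items():
            if severity in accepted:
                self.delivered[destination].append(line)
        for predicate, action in self.triggers:
            if predicate(entry_type, severity, message):
                action(entry_type, severity, message)
        return line


def route_samples(router=None):
    """Feed the sample entries through a router; report how many lines each destination got."""
    router = router if router is not None else WatchdogRouter()
    for entry in SAMPLE_ENTRIES:
        router.log(*entry)
    return {dest: len(lines) for dest, lines in router.delivered.items()}


if __name__ == "__main__":
    r = WatchdogRouter()
    r.add_trigger(lambda t, s, m: t == "security" and WatchdogRouter.at_least(s, "error"),
                  lambda t, s, m: print("TRIGGER: integrity alert ->", m))
    print(route_samples(r))
```

Routing by severity rather than by message text is what keeps the pager quiet: in the sample run only the critical entry reaches the pager destination, the error joins it in the server error log, and the notice and debug entries are retained nowhere by these two routes.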
Secure Login
Protects against: A02 A05 A06
The Secure Login module enables the user login and other forms to be submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in clear text. This module locks down not just the user/login page but also any page containing the user login block (or other forms that you configure to be secured). For Drupal 7, the Secure Login module enforces secure authenticated session cookies, thus preventing session hijacking. For previous versions of Drupal, PHP’s session.cookie_secure flag must be enabled on the HTTPS site to enforce secure authenticated session cookies.

HTML Purifier
Protects against: A03
The HTML Purifier is a standards-compliant HTML filter library. The HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C’s specifications.

Content Security Policy
Protects against: A03
An implementation of the Content Security Policy specification. The Content Security Policy is intended to mitigate a large class of Web Application Vulnerabilities: Cross Site Scripting. Cross Site Request Forgery has also become a large scale problem in Web Application Security, though it is not a primary focus of Content Security Policy. More information: https://wiki.mozilla.org/Security/CSP

MD5Check
The MD5 Check module generates an md5 checksum of all module files. If a module is changed, a critical security error is generated in the watchdog log. This module should only be used in production environments.

Hacked
This module does not and will not prevent your site from being ‘hacked’. This module scans the currently installed Drupal, contributed modules and themes, re-downloads them and determines if they have been changed. Changes are marked clearly and, if the Diff module is installed, Hacked! will allow you to see the exact lines that have changed. Hacked! also provides drush integration so that you can see what files have changed from the command line. This is primarily a developer tool and should never ever (don’t even think it) be installed on a production site.

Paranoia
The Paranoia module attempts to identify all the places that a user can evaluate PHP via Drupal’s web interface and then block those. It reduces the potential impact of an attacker gaining elevated permission on a Drupal site. Disable the user 1 account when not in use with drush.

Testing Tools
• VEGA Scanner: Vulnerability Scanner
• Zap: OWASP Penetration tool
• Nessus Scanner: Monitor and Scan Server
• CSF: Firewall and email protection, server configuration

There are some tools for specific vulnerabilities as well:
• A01: SQL Inject Me browser plugin
• A02: Zap
• A03: HackBar browser plugin
• A04: Burp
• A05: Tamper Data browser plugin
• A06: Watobo
• A08: Nikto/Wikto
• A09: Calomel
• A10: Watcher

Protocols and Guidelines

The W3C mission is to lead the World Wide Web to its full potential by developing protocols and guidelines that ensure the long-term growth of the Web. Below we discuss important aspects of this mission, all of which further W3C’s vision of One Web.

Compliance: Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure.

Version 3.0 of the PCI compliance standard has been made mandatory as of January 1st, 2015 and is a complete game changer for most Drupal eCommerce sites. The new version added a ‘Best Practices for Implementing PCI’ section, aiming to turn it into a ‘business as usual’ process. A good example of this is how it aims to make PCI DSS compliance ‘continuous’ rather than an annual validation exercise. The new version emphasizes the need to establish a culture of security through more education to maintain and drive accountability throughout the organization. It also calls out the need for more processes to ensure that payments are secure, rather than merely ensuring that a merchant has a specific security technology in place.

There has been a lot of confusion between merchants and service providers over where responsibilities lie. The new version adds guidance to cloud providers and merchants to ensure there is ‘shared responsibility’. The merchant cannot outsource accountability, as it has shared responsibility with the service provider to comply with the standards.

• Requirement 1: Install and Maintain a Firewall!
• Requirement 2: Do Not Use Vendor Supplied Default Passwords!
• Requirement 3: Protect Stored Data!
• Requirement 4: Encrypt transmission of cardholder data across open, public networks!
• Requirement 5: Use and regularly update anti-virus software or programs!
• Requirement 6: Develop and maintain secure systems and applications!
• Requirement 7: Restrict access to cardholder data by business need-to-know!
• Requirement 8: Assign a unique ID to each person with computer access!
• Requirement 9: Restrict physical access to cardholder data!
• Requirement 10: Track and monitor all access to network resources and cardholder data!
• Requirement 11: Regularly test security systems and processes!
• Requirement 12: Maintain a policy that addresses information security for all personnel!
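Returning to the MD5Check and Hacked! modules in the module list above: both rest on the same mechanism, a checksum of every module file compared against a known-good copy, with any difference reported (MD5Check as a critical watchdog entry, Hacked! as a list of changed files). The block below is an added example in Python, not either module's code, that builds such a manifest, re-scans after changes and reports added, removed and modified files. It uses SHA-256 rather than MD5 and works on a toy module tree constructed in a temporary directory; the file names and contents are made up for the example.

```python
# Checksum-based integrity check for module files: an added example, not the
# MD5Check or Hacked! modules' own code. A manifest of digests is taken after a
# clean deployment, and a later scan is diffed against it; any added, removed or
# modified file is the condition MD5Check turns into a critical watchdog entry.
# SHA-256 is used instead of MD5; the toy module tree below is constructed.
import hashlib
import os
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to the digest of its contents."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = file_digest(path)
    return manifest


def compare_manifests(baseline, current):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Build a toy module tree, take a baseline, change it, and report the drift."""
    with tempfile.TemporaryDirectory() as root:
        module_dir = os.path.join(root, "sites", "all", "modules", "example")
        os.makedirs(module_dir)
        with open(os.path.join(module_dir, "example.module"), "w") as fh:
            fh.write("<?php\nfunction example_menu() { return array(); }\n")
        with open(os.path.join(module_dir, "example.info"), "w") as fh:
            fh.write("name = Example\ncore = 7.x\n")
        baseline = build_manifest(root)   # taken right after a clean deployment

        # Constructed changes standing in for an unexpected edit on the server.
        with open(os.path.join(module_dir, "example.module"), "a") as fh:
            fh.write("// line that was not in the released module\n")
        os.remove(os.path.join(module_dir, "example.info"))
        with open(os.path.join(module_dir, "extra.php"), "w") as fh:
            fh.write("<?php\n")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    for label, paths in (("added", added), ("removed", removed), ("modified", modified)):
        for p in paths:
            print("%-8s %s" % (label, p))
```

The baseline must be stored somewhere the web server cannot write, otherwise whoever changes the module files can update the manifest too; that is also why MD5Check is meant for production, where module files should never change outside a deployment.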
Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.

“Individually identifiable health information” is information, including demographic data, that relates to:
• The individual’s past, present or future physical or mental health or condition
• The provision of health care to the individual
• The past, present, or future payment for the provision of health care to the individual
• Any information that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.

The technical safeguards of the HIPAA Security Rule include:
• Access Control — Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
• Access Control — Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
• Access Control — Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
• Access Control — Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
• Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
• Integrity — Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
• Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
• Transmission Security — Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
• Transmission Security — Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.

HHS offers insight into the Security Rule and assistance with the implementation of the security standards.

NIST Security Compliance: Preliminary CyberSecurity Framework

Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President, under the Executive Order “Improving Critical Infrastructure CyberSecurity”, has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage CyberSecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.
Section 508 Compliance

In 1998 the US Congress amended the Rehabilitation Act to require Federal agencies to make their electronic and information technology accessible to people with disabilities. Section 508 was enacted to eliminate barriers in information technology, to make available new opportunities for people with disabilities, and to encourage development of technologies that will help achieve these goals. The law applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology. Under Section 508 (29 U.S.C. § 794d), agencies must give disabled employees and members of the public access to information that is comparable to the access available to others.

Web Content Accessibility Guidelines 2.0

Web Content Accessibility Guidelines (WCAG) 2.0 cover a wide range of recommendations for making Web content more accessible. Following these guidelines will make content accessible to a wider range of people with disabilities, including blindness and low vision, deafness and hearing loss, learning disabilities, cognitive limitations, limited movement, speech disabilities, photosensitivity and combinations of these. Following these guidelines will also often make your Web content more usable to users in general.

Legalities and Privacy

Information privacy or data protection laws prohibit the disclosure or misuse of information held on private individuals. Over 80 countries and independent territories have now adopted comprehensive data protection laws, including nearly every country in Europe and many in Latin America and the Caribbean, Asia and Africa. The US is notable for not having adopted a comprehensive information privacy law but rather having adopted limited sectoral laws in some areas. These laws are based on Fair Information Practices, first developed in the United States in the 1970s by the Department of Health, Education and Welfare (HEW). The basic principles of data protection are:
• For all data collected there should be a stated purpose.
• Information collected about an individual cannot be disclosed to other organizations or individuals unless authorized by law or by consent of the individual.
• Records kept on an individual should be accurate and up to date.
• There should be mechanisms for individuals to review data about them, to ensure accuracy. This may include periodic reporting.
• Data should be deleted when it is no longer needed for the stated purpose.
• Transmission of personal information to locations where "equivalent" personal data protection cannot be assured is prohibited.
• Some data is too sensitive to be collected unless there are extreme circumstances (e.g., sexual orientation, religion).

There really isn't any accountability at this point, just a lot of finger pointing. Cases are going to the state level, and state laws vary. We are currently in a legal and accountability quagmire. As in many cases, the law has to catch up with the technology. As of January 1, 2015, shared responsibility became a part of PCI compliance, which means more accountability moving forward.

What to Do if You Get Hacked

• Inform interested parties. This includes employees, contractors, clients, visitors: anyone that may need or expect access to your website.
• Contact the web developer and/or hosting company.
• Change all passwords. This includes the Drupal admin accounts, the database, hosting and SSH/FTP credentials, and any API keys the site uses; an attacker who had code execution may have read all of them.
• Identify the vulnerability.
• Make corrections to the system, i.e. re-configure the firewall, install a firewall, limit access, etc.
• Restore the site, from a backup taken before the compromise where possible. It may be necessary to restore only certain functionality where security can be guaranteed, until the vulnerability is corrected.
• Audit server and site security.
• Correct any vulnerabilities.

Conclusion

It's critical to again note that preventative protection against hacking is easier, less expensive and less time consuming than taking reactive steps. Taking a holistic approach to CyberSecurity is the first step in creating an effective and complete security program. By being knowledgeable of the vulnerabilities, understanding the scope of a project, using the right tools, and testing early and often, you can prevent the attacks of the many types of malicious hackers. Being compliant with the different protocols, guidelines, and privacy policies will also help to ensure the long-term stability of your application.

About the Author

Krista Trovato
Quality Assurance Team Lead, Blink Reaction
[email protected]

Krista is a quality assurance expert with 20 years of experience. Her comprehensive knowledge of the internet, information technology and software development has helped her lead many successful QA efforts.

Why Blink Reaction

Blink Reaction is a full service strategy, design, development and testing agency. We're one of a handful of privately selected Acquia partners based on our knowledge and ability to execute and produce results. We employ some of the world's best thought leaders in Drupal and the Web. Our Drupalists have experience in all stages of the development process, including security. We know how to design and build systems that target and convert customers while optimizing business at the same time.

Digital Experiences That Deliver Results

We are a global full-service digital agency, specializing in the Drupal platform. You'll love more than the experience, you'll love the results.

Give Us a Call: (732) 792-6566
116 Village Blvd. Suite 303, Princeton, NJ 08540
125 Cambridge Park Dr. Suite 310, Cambridge, MA 02140
© Copyright 2024