Seven steps to secure public sector websites using Drupal

The record-breaking WannaCry ransomware attack brought swathes of businesses to a standstill in May 2017. Its rapid spread across 150 countries prompted many industry officials to label it the biggest ransomware offensive in history. In Britain, the NHS was the worst hit. Scrambling data on computers and demanding payments of $300-$600 to restore access, WannaCry resulted in countless patients being turned away from hospitals and GP surgeries, and staff forced to use pen and paper as vital systems were taken offline. Such an example of mass system failure is a timely reminder to the entire public sector, not just the health service, of the importance of robust cybersecurity and regular software upgrades. 

For many public sector organisations, their website is a major part of their overall ‘attack surface’, which cybercriminals probe for easy routes into the network. As such, the importance of implementing solid tools and processes specifically designed to protect the website against attack cannot be overstated. 

A significant proportion of public sector websites are built using the Drupal content management system (CMS). Because it is open source, it is a highly flexible and cost-effective option for under-pressure public services, as well as being extremely technically versatile and customisable. So, if your site is built on Drupal, what are the best practices you should be following to safeguard your organisation’s assets? 

1. Upgrade to the latest version of Drupal 

WannaCry spread so dramatically because it exploited a flaw in the SMBv1 file-sharing service of Windows. Microsoft had already patched that flaw for supported versions of Windows two months earlier, in March 2017 (security bulletin MS17-010), but many organisations had not applied the update, and versions that were out of support, such as Windows XP, received no fix at all until Microsoft issued an emergency patch after the outbreak had begun. In both cases the onus was on Windows users: to be running a version that Microsoft still patches, and to apply those patches promptly. 

It is absolutely standard practice for vendors and projects to gradually withdraw support from older hardware and software, as it is often the only viable option, and most, including Microsoft and the Drupal project, are very open with their users about the timescales involved, giving plenty of advance warning. Drupal is no exception: only current supported branches receive security releases, and older minor releases stop receiving security fixes soon after a new one ships. Public sector organisations that are not using one of the latest, supported versions of Drupal (at the time of writing, the most up-to-date is version 8.3) should upgrade as a matter of urgency. 

2. Upgrade to the latest version of modules 

The underlying CMS is just part of the picture when it comes to running up-to-date Drupal, however. The platform is open source and modular, which means that organisations can choose from thousands of additional contributed modules and themes to extend their website, all of which are produced by different authors. As such, it is not enough for organisations to simply ensure they are running the latest, best-protected version of Drupal core: they need to do the same with each individual module. The maintainer of each extension is responsible for providing security releases, but these will generally only be made for the latest version of the module, and the Drupal security team only issues advisories for projects with a stable release, so a site that depends on a development, alpha or beta version of a module has no security coverage for it at all. In addition, there is a need to track the underlying libraries that Drupal core and its modules use from Symfony and the wider PHP community; on Drupal 8 these are declared in composer.json, so a Composer-managed codebase can be checked with `composer outdated`. 

3. Remove unnecessary modules 

There is no point in organisations, particularly in the cost-sensitive public sector, spending time and money upgrading modules that they are not actually using. It is a waste of resource, and it damages the overall security posture too, by extending the attack surface unnecessarily. Public sector organisations running Drupal websites can improve their security and reduce their security management burden by continually reviewing all of the modules they have deployed, and removing those that are unnecessary or obsolete. Removing means more than switching a module off: uninstall it, then delete its directory from the codebase, because PHP files left on disk can still be reached and executed even when Drupal no longer loads the module. 

4. Use the Status Report tool 

The Admin area of the Drupal platform includes a useful function called Status Report (under Reports, at /admin/reports/status), whose job is to alert administrators to any problems with the code base underpinning the site, from missing configuration and file permission errors to out-of-date core and module code. Its companion, the Available Updates report (at /admin/reports/updates), is provided by the Update Manager module, compares every installed project against the release information published on drupal.org, highlights releases that are security updates, and can be configured to e-mail administrators when updates appear. Together they are the easiest way for public sector organisations to keep on top of their website management, ensure they are deploying the latest versions of modules and confirm that the most appropriate protections are in place. 
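Steps 1 to 4 together amount to one procedure: know what is installed, compare it with what the project has released, and treat security releases as urgent. The following script is an added example (it is not code from the article or from Drupal) that re-implements the core of that comparison so the logic is visible. It reads a release-history feed in the shape of the XML that updates.drupal.org publishes per project (a `<project>` element containing `<release>` elements with `<version>`, `<status>` and a "Release type" term), although the feed text here is constructed for the example rather than fetched, and the exact element names should be verified against a live feed. It handles both the legacy "8.x-1.4" version scheme and the plain semantic versions newer projects use, and it ranks stable releases above pre-releases of the same number so that a beta is never recommended over a stable build.

```python
"""Added example: minimal re-implementation of Drupal's available-updates
check. Feed text is constructed, not fetched; element names follow the
shape of updates.drupal.org's release-history XML (an assumption)."""
import re
import xml.etree.ElementTree as ET

# Constructed feed for a hypothetical contributed module "example_module".
RELEASE_HISTORY_XML = """<?xml version="1.0" encoding="utf-8"?>
<project>
  <short_name>example_module</short_name>
  <project_status>published</project_status>
  <releases>
    <release><version>8.x-1.6</version><status>published</status>
      <terms><term><name>Release type</name><value>Security update</value></term></terms></release>
    <release><version>8.x-1.5</version><status>published</status>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms></release>
    <release><version>8.x-1.4</version><status>published</status>
      <terms><term><name>Release type</name><value>New features</value></term></terms></release>
    <release><version>8.x-2.0-beta1</version><status>published</status>
      <terms><term><name>Release type</name><value>New features</value></term></terms></release>
  </releases>
</project>
"""

STABLE = 99  # rank given to a stable release; pre-releases rank lower
PRERELEASE_RANK = {"dev": 0, "unstable": 1, "alpha": 2, "beta": 3, "rc": 4}


def version_key(version):
    """Turn a Drupal version string into a sortable tuple.
    Accepts "8.x-1.4", "7.x-3.18-beta2", "8.x-1.x-dev" and plain "2.0.1" /
    "2.1.0-rc1". A stable release sorts above any pre-release of the same
    number."""
    v = version.strip()
    core = re.match(r"^\d+\.x-(.*)$", v)          # strip the "8.x-" prefix
    if core:
        v = core.group(1)
    main, _, pre = v.partition("-")
    numbers = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    numbers += (0,) * (3 - len(numbers))          # pad "1.4" -> (1, 4, 0)
    if not pre:
        return numbers + (STABLE, 0)
    tag = re.match(r"^([a-z]+)(\d*)$", pre.lower())
    if not tag:
        return numbers + (0, 0)
    label, num = tag.groups()
    return numbers + (PRERELEASE_RANK.get(label, 0), int(num or 0))


def parse_release_history(xml_text):
    """Return [(version, is_security_release)] for every published release."""
    root = ET.fromstring(xml_text)
    releases = []
    for rel in root.iter("release"):
        if rel.findtext("status") != "published":
            continue
        is_security = any(
            term.findtext("name") == "Release type"
            and term.findtext("value") == "Security update"
            for term in rel.iter("term"))
        releases.append((rel.findtext("version"), is_security))
    return releases


def check_project(installed_version, releases, include_prereleases=False):
    """Compare the installed version with the feed. Reports the newest
    eligible release and whether any release newer than the installed one
    was flagged by the maintainer as a security update."""
    installed = version_key(installed_version)
    newer = [(v, sec) for v, sec in releases
             if version_key(v) > installed
             and (include_prereleases or version_key(v)[3] == STABLE)]
    if not newer:
        return {"status": "current", "recommended": installed_version,
                "security": False}
    recommended = max(newer, key=lambda r: version_key(r[0]))[0]
    return {"status": "update available", "recommended": recommended,
            "security": any(sec for _, sec in newer)}


def audit(installed, feeds):
    """installed: {project: version}; feeds: {project: release-history XML}.
    Returns the result for every project that is not current."""
    report = {}
    for project, version in installed.items():
        result = check_project(version, parse_release_history(feeds[project]))
        if result["status"] != "current":
            report[project] = result
    return report


if __name__ == "__main__":
    for project, r in audit({"example_module": "8.x-1.4"},
                            {"example_module": RELEASE_HISTORY_XML}).items():
        flag = "SECURITY" if r["security"] else "update"
        print(f"{project}: {flag} -> {r['recommended']}")
```

Run as-is it reports `example_module: SECURITY -> 8.x-1.6`. Note the ordering point: a site on 8.x-1.4 is told about 1.6 (a security release) rather than the 2.0 beta, and a site already on 1.6 is reported as current unless pre-releases are explicitly included, which is the same policy the Drupal security team applies to advisory coverage.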

5. Practice strong user management 

In a typical public sector organisation, several different individuals need access to the website, managing different areas within it. Each of these users is a potential chink in the overall security armour, so it is essential to keep a tight handle on their permissions. Users should only have access to the minimum areas of the site they need, not the whole site by default: grant permissions to roles rather than to individuals, and reserve powerful permissions such as administering users, permissions or modules for a small number of named administrators. Furthermore, when users leave the organisation they should be promptly blocked or removed in order to eliminate any unnecessary risk.

The Drupal platform also offers various additional functions to shore up login and user processes. Core itself applies flood control, temporarily refusing logins after a run of failed attempts for a user or from an IP address, and the contributed Login Security module builds on this with configurable limits, notifications and blocking of repeat offenders. Particular care is needed with the ‘user #1’ account created during setup: Drupal grants it every permission without checking, so it should not be used for day-to-day administration and, once a separate named administrator account exists, it should be blocked.  

6. Keep an eye on logs 

Drupal’s integrated log viewer, within the Reports area, is an extremely valuable tool when it comes to ascertaining that a cyberattack is taking place and assessing what has actually happened. Public sector organisations should ensure their log settings retain enough events and that they check their log reports regularly. The built-in Database Logging module keeps only a fixed number of recent entries (1,000 by default), which a busy or noisy site can churn through in hours, so the limit should be raised or, better, the Syslog module enabled so that entries are also written to the system log and can be shipped to a central log server that an attacker with site access cannot clear. They should also remain vigilant for any early warning signs of an evolving threat, such as failed login attempts. 
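As an added example (not code from the article or from Drupal), the following script runs detection logic over a small batch of Drupal log entries to surface the early-warning signs just described: a burst of failed logins from one address, one address trying several different usernames, and the case that matters most, a successful login that immediately follows failures for the same account from the same address. The log lines are constructed for the example; the message wording follows what Drupal’s user module writes on failed and successful logins ("Login attempt failed for %user." and "Session opened for %name."), but the tab-separated export layout (time, type, client IP, message) is an assumption about how the entries were exported, not a fixed Drupal format. The thresholds are parameters and should be tuned to the site.

```python
"""Added example: detection over constructed Drupal log entries.
Export layout (timestamp<TAB>type<TAB>hostname<TAB>message) is assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. 203.0.113.7 brute-forces several accounts and
# eventually gets into "editor"; 198.51.100.22 is a user who mistyped once.
LOG_EXPORT = """\
2017-05-15 08:00:01\tuser\t203.0.113.7\tLogin attempt failed for admin.
2017-05-15 08:00:09\tuser\t203.0.113.7\tLogin attempt failed for admin.
2017-05-15 08:00:17\tuser\t203.0.113.7\tLogin attempt failed for editor.
2017-05-15 08:00:25\tuser\t203.0.113.7\tLogin attempt failed for webmaster.
2017-05-15 08:00:33\tuser\t203.0.113.7\tLogin attempt failed for editor.
2017-05-15 08:00:41\tuser\t203.0.113.7\tSession opened for editor.
2017-05-15 08:05:00\tuser\t198.51.100.22\tLogin attempt failed for jsmith.
2017-05-15 08:05:30\tuser\t198.51.100.22\tSession opened for jsmith.
2017-05-15 08:10:00\tphp\t198.51.100.22\tNotice: Undefined index: foo in example.php.
"""

FAILED = re.compile(r"^Login attempt failed for (\S+)\.$")
OPENED = re.compile(r"^Session opened for (\S+)\.$")


def parse_export(text):
    """Parse the tab-separated export into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, ip, message = line.split("\t", 3)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "type": etype, "ip": ip, "message": message})
    return events


def detect(events, window=timedelta(minutes=10), fail_threshold=5,
           spray_threshold=3, compromise_threshold=2):
    """Return alerts in the order they were raised. Each alert dict carries
    'rule' and 'ip' plus rule-specific detail. Each (rule, ip) pair fires
    once so a long attack does not flood the output."""
    alerts, flagged = [], set()
    failures = defaultdict(list)          # ip -> [(time, username)]

    def raise_alert(rule, ip, **detail):
        if (rule, ip) not in flagged:
            flagged.add((rule, ip))
            alerts.append({"rule": rule, "ip": ip, **detail})

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] != "user":          # only the user module's entries
            continue
        ip, now = ev["ip"], ev["time"]
        m = FAILED.match(ev["message"])
        if m:
            failures[ip].append((now, m.group(1)))
            # keep only failures inside the sliding window
            failures[ip] = [(t, u) for t, u in failures[ip] if now - t <= window]
            users = {u for _, u in failures[ip]}
            if len(failures[ip]) >= fail_threshold:
                raise_alert("brute-force", ip, count=len(failures[ip]))
            if len(users) >= spray_threshold:
                raise_alert("password-spray", ip, users=sorted(users))
            continue
        m = OPENED.match(ev["message"])
        if m:
            user = m.group(1)
            prior = [t for t, u in failures[ip] if u == user and now - t <= window]
            if len(prior) >= compromise_threshold:
                raise_alert("success-after-failures", ip, user=user,
                            failures=len(prior))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_export(LOG_EXPORT)):
        print(a)
```

On the sample data this raises three alerts, all for 203.0.113.7: a password spray (three usernames tried), a brute force (five failures inside the window) and, most importantly, the successful login for editor after two failures for that account. The single failure from 198.51.100.22 followed by a success stays below the compromise threshold, which is the edge case to watch: set that threshold to 1 and every user who mistypes a password once becomes an incident.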

7. Enable HTTPS 

HTTPS (HTTP over TLS) is most often associated with ecommerce sites and online banking, but every site that transfers sensitive information between user and web server should be using it, and that covers far more of the public sector than is sometimes assumed: even a site that only publishes information handles administrator logins and session cookies, which are sensitive on any site. The protocol encrypts HTTP requests and their responses and authenticates the server, so that in the event somebody is able to compromise the network between a user’s computer and the server they are requesting from, the ‘hacker’ would not be able to listen in on or tamper with communications. It should be enabled for the whole site rather than just the login page, with plain HTTP redirected to HTTPS, so that a session cookie issued over HTTPS is never later sent in the clear. 

These seven best practices will have a dramatic effect on the overall security of Drupal websites, and ensure that public sector organisations can continue benefitting from the flexibility of the platform without sacrificing protection. 

Mike Carter, Technical Director, Ixis 

Image Credit: Kaspri / Shutterstock