I remember when I created my first website. It was actually the first cut for my tech writing business, and my best friend, Dr. Morgan Deters, helped me with it. He didn’t actually create the website, but he gave me the baseline code with which to establish the website. In other words, he gave me one page of the baseline HTML code, and he said to run with it from there. Well, I did, and it took me forever to learn all this stuff that was new to me.
I actually built the first website by hard coding it in HTML, with the example page that Morgan gave me. So essentially, I had to learn the hard way how to embed an image, upload files, create links, and basically, keep the whole thing updated manually, all by myself. It was a pain to have to do all of this manually, but I did learn a lot in the process about the HTML structure.
When I first saw what HTML code looked like, it appeared like a graduate level differential equations course. But after I learned what it all meant and broke down the code line by line, I came to realize that a majority of the code is actually the verbiage that appears on the web page. So over time, I learned all the basics of HTML, though I never became an expert at it. Just a novice.
Now these days, there are plenty of tools known as Content Management Systems. Some of the most popular ones today are WordPress, Joomla, and Drupal. From what I remember, the first Content Management System I came across was called “Dot Net Nuke”.
These tools are called “CMSs”, and have become very powerful. For example, with the Drupal package, you can create a stunning webpage in just a matter of minutes, and even have it translated into different foreign languages if you have an online business with a worldwide presence.
So, it should come as no surprise that these CMSs are also another prime target for the Cyber attacker. After all, hacking into websites (especially the database) is a great way to get personal information and data. So, why go after the site when you can just go to the heart of it all, the CMS? Makes perfect sense from the standpoint of the Cyber attacker.
Just recently, Drupal came under attack. The threat apparently affected versions 6, 7, and 8. The scariest part about this is that a hacker could take control of a particular website merely by visiting it. Yikes, I say. Once the website was under the direct control of a Cyber attacker, confidential data could just be automatically wiped off from the CMS platform itself.
It has been estimated that well over 1,000,000 websites have been impacted by this, and once this was discovered, Drupal came out immediately with the necessary patches to fix up any impacts that were faced. In much more technical terms, the security flaw which allowed this large scale attack to occur was “ . . . an input validation issue where invalid query parameters could be passed into Drupal webpages . . .” (SOURCE: https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/).
It’s not just Drupal that is taking proactive countermeasures to combat this problem; the ISPs that host these Drupal sites are taking proactive stances as well. For example, providers such as Pantheon, Acquia, Platform.sh and Amazee.io have created solutions that are linked to the Web Application Firewall layer of the web servers.
Essentially, a firewall inspects all incoming data packets, and discards those that are deemed to be malicious.
So, in order to get to the website, the Cyber attacker has to get to the web server first, and if the firewalls are fortified enough, they should not be able to get through at all. This is what the ISPs have done. In fact, this attack is very similar to that of a SQL Injection attack, where malicious input can be used to return bogus values onto the code of the website.
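The kind of check a Web Application Firewall layer can apply to the "invalid query parameters" described above, as an added example that is not part of the original post and is not the code of Drupal or of any provider named here. It assumes the rule is to reject any request whose parameter names contain a key beginning with "#"; the function names and the sample requests in the comments are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Parameter names arrive flattened, e.g. "filter[status]". PHP-based
# platforms expand the brackets into nested array keys, so every
# bracketed segment has to be validated, not just the leading name.
_BRACKETED = re.compile(r"\[([^\]]*)\]")


def key_segments(name):
    """Split 'a[b][c]' into ['a', 'b', 'c']."""
    head, _, rest = name.partition("[")
    if not rest:
        return [head]
    return [head] + _BRACKETED.findall("[" + rest)


def suspicious_segments(name, forbidden_prefix="#"):
    """Return the key segments that start with the forbidden prefix.

    The "#" prefix is this example's assumed rule, not a value from the post.
    """
    return [s for s in key_segments(name) if s.startswith(forbidden_prefix)]


def inspect_request(query_string, body=""):
    """Decide whether a request may pass to the web server.

    Returns (allow, findings); each finding is (source, name, bad_segments).
    parse_qsl percent-decodes once, as the backend would, so an encoded
    "%23" in a parameter name is seen as "#". Values are not inspected:
    a legitimate value such as a colour code may contain "#".
    """
    findings = []
    for source, raw in (("query", query_string), ("body", body)):
        for name, _value in parse_qsl(raw, keep_blank_values=True):
            bad = suspicious_segments(name)
            if bad:
                findings.append((source, name, bad))
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed sample requests: (query string, form body).
    samples = [
        ("q=drupal&page=2&filter[status]=1", ""),
        ("color=%23ff0000", ""),
        ("profile[%23constructed]=1", ""),
        ("q=1", "a[b][%23c][d]=x"),
    ]
    for query, body in samples:
        allow, findings = inspect_request(query, body)
        print("ALLOW" if allow else "BLOCK", query, body, findings)
```
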
But, the good news is that the web developers who use Drupal as their CMS have already taken a proactive stance as well in securing their websites. For example, about 100,000 websites that were impacted were patched up in just the first 12 hours after the fixes were released.
But on the flipside, it is estimated that only 18% of the impacted sites have been patched up. Meaning, they are still a prime target for the Cyber attacker. Drupal is considered to be what is known as an “Open Source” software platform, versus something like Windows which is considered to be a “Closed Source” software.
We will examine the pros and cons of both of them in a future blog. But long story short, any software that is created with an Open Source platform will have patches that come out immediately, versus the Closed Source platform. This is just the nature and the mindset of the vendors who create Open Source based software apps.