How Blockchain Technology Can Change the Security Landscape in the BFSI Sector

Posted by Shy Lee on Nov 29, 2019 4:22:12 PM

The concept of the blockchain that led to the development of the now-famous cryptocurrencies can be traced back to the early '90s, when Stuart Haber and W. Scott Stornetta introduced the world to it; Satoshi Nakamoto later used it in the form of Bitcoin in 2008.

A blockchain is a sequential, public ledger whose distributed processing power provides transaction transparency along with a full track record of every previous owner. It is still the most secure way of managing data, as it is not owned or controlled by a centralized authority. The horizon that opens up with the implementation of blockchain is not limited to digital currency: fields like medicine and the military are also efficiently gaining momentum on the basis of this technology.

Dive in further to understand the changes that the financial world will undergo with the implementation of this widely accepted advanced technology in the BFSI sector:

Significance Of Decentralized Processing In Banking

The first large-scale implementation of blockchain was observed in the banking and financial sectors, which used decentralization for processing, storing and verifying monetary transactions. These industries are the major stopovers that have seen a tremendous amount of fraud, of which some was detected and the rest remained undetected.

Millions of dollars are invested in security modules, but none of those solutions has ever come close to the performance of blockchain technology. This is a practical solution involving public ownership of data, which guarantees a no-scam policy.

Today, top financial and insurance organizations are leveraging blockchain to replace their traditional processing model. According to a worldwide survey conducted in 2019 across all industrial segments, around 71% agreed that blockchain offers higher security than its traditional counterparts. It is also expected that around $4 billion would be saved globally in cross-border payments. Countries like India, which are in their growth phase, tend to be trialling this implementation and may need a more convincing case for full acceptance.

[Figure: Flowchart for KYC validation]

1. "Know Your Customer" While You Provide Insurance

This procedure of accumulating a user's information bridges the gap between a company's customer data and the customer's actual verified identity, source of income, tax information, and proof of residence. By following the strict code of conduct formulated in a KYC policy, organizations providing insurance can stay one step ahead of the unethical practices that incur hefty losses for the company. By leveraging blockchain, a company can get its KYC procedure completed efficiently, in a short period and with considerably less effort.

Once data is decentralized, any authorized user can update it, analyze previous financial track records, and build an authenticated client base as per the guidelines issued by the organizations.

Srijan also developed a POC for an Intelligent Automation solution for KYC validation, to automate part of the process. The solution employs deep learning, a convolutional neural network (CNN) built with Python and TensorFlow, OpenCV for computer vision, and OCR and MRZ packages to scan documents and images uploaded by users and classify them into pre-programmed categories.
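The MRZ step of such a KYC pipeline can be illustrated with the check-digit validation that ICAO Doc 9303 defines for a passport's machine-readable zone: once OCR has read the text, the check digits tell you whether the read (or the document) is consistent before any identity decision is made. The following is an added example, not Srijan's POC code; the field positions are the standard TD3 layout and the sample line is the public ICAO 9303 specimen, not a real person's passport.

```python
"""ICAO Doc 9303 check-digit validation for a TD3 (passport) MRZ, as a KYC document check."""

# Check digits use the weights 7, 3, 1 repeating over the field's characters
WEIGHTS = (7, 3, 1)


def mrz_char_value(ch: str) -> int:
    """Map an MRZ character to its numeric value: digits as-is, A-Z = 10..35, '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> int:
    """Weighted sum (7,3,1 repeating) of the field's character values, modulo 10."""
    total = sum(mrz_char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return total % 10


def validate_td3_line2(line: str):
    """Validate the second MRZ line of a passport (44 characters).

    Returns (all_ok, failed_fields). Positions follow the ICAO 9303 TD3 layout:
      0-8 document number, 9 its check digit, 10-12 nationality,
      13-18 birth date (YYMMDD), 19 check, 20 sex,
      21-26 expiry date (YYMMDD), 27 check, 28-41 optional/personal number, 42 check,
      43 composite check over doc number+check, birth+check, expiry+check, personal+check.
    """
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    fields = {
        "document_number": (line[0:9], line[9]),
        "birth_date": (line[13:19], line[19]),
        "expiry_date": (line[21:27], line[27]),
        "personal_number": (line[28:42], line[42]),
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    failed = [name for name, (value, given) in fields.items()
              if str(check_digit(value)) != given]
    return len(failed) == 0, failed


# ICAO Doc 9303 specimen passport, MRZ line 2 (public specimen data, not a real person)
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"


if __name__ == "__main__":
    print(validate_td3_line2(SPECIMEN_LINE2))
    # A single OCR misread ('8' read as 'B') in the document number is caught by
    # both the field's own check digit and the composite check digit.
    misread = "LB" + SPECIMEN_LINE2[2:]
    print(validate_td3_line2(misread))
```

A failed check digit does not prove forgery; in a KYC flow it normally routes the upload to a re-scan or to manual review rather than to rejection.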

KYC is a lengthy process and should be done only once, then made available to all organizations for reference, trust-building, and adding significant information to build a unique portfolio for every user. It becomes a track record that companies can refer to in order not to entertain users who have acted notoriously in their past financial journey.

2. International Money Transfers Made Easy & Secure

Millions of financial transactions happen worldwide on any given day, and this also opens the possibility of fraud, tax theft, money laundering, and various illegal activities. Though not accepted by some countries, many nations' ardent acceptance of blockchain for financial transactions has gained momentum. This way, transactions can be tracked for their current and previous ownership. A digital contract between the parties is stored in an encrypted format, making it impossible for anyone to tamper with it.

Further, contractual transactions happen through a cryptocurrency medium, where exchange costs are very low and settlement takes place in no time.


3. Worldwide Effect On The Stock Exchange

When the era of internet-driven market investment started, many companies cheated the investor class by promising high-value returns. There were no preventive methods in those initial days, but now we are acquainted with the application of blockchain technology in stock trading platforms. Numerous kinds of safety features in the interest of investors' funds are implemented to establish a secure environment. Now all the middlemen involved in buying and selling stocks are eliminated, which gives users greater control over their investments. This is a significant factor, as it contributes to the nation's GDP. Hence, to ensure safe processing, management and a reliable data storage system, deliberate emphasis must be placed on blockchain implementation.

4. Reduced Processing Cost For Banking Organizations

A centralized banking business requires great digital power to manage its transactions, which comes at an extremely high cost in servers, communication networks, application platforms, and security modules. Managing all of these is practically challenging compared to the more feasible option of blockchain processing. It serves the transactional purpose through public-key encryption and private-key decryption; moreover, this procedure is carried out on decentralized nodes, which ensures that the transactions performed are impenetrable. The banking organization is thus freed from on-premise management of hardware and payroll software in order to continuously serve its users.

5. Enhanced Data Security

There is more to the decentralization of data in the blockchain. The concept of private keys for encryption is also prevalent in centralized server processing, but what makes the decentralized model stand out is its hash keys, which must be aligned in a sequential chain of blocks for a transaction to be authenticated and processed. Altering anything in the chain is not possible, as each block's forward and backward references are stored on every node. No element has any disclosure regarding the data storage, which makes it impossible for any hacker to creep in and manipulate information. This is the future of secure processing, and no other technology has surpassed these standards of reliable processing.
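The property described above, that every block carries its predecessor's hash so an edit anywhere in the chain breaks the references that follow it, can be seen in a few lines of code. This is an added example, not code from the original post: a minimal SHA-256 hash chain over constructed sample transactions, with a verifier that reports where the chain first becomes inconsistent after two kinds of tampering.

```python
"""Hash-chained ledger demo: how block references make tampering detectable."""
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Block:
    index: int
    data: str          # the transaction record (constructed sample below)
    prev_hash: str     # backward reference: hash of the previous block
    hash: str = ""     # this block's own digest; the next block refers to it


def block_digest(index: int, data: str, prev_hash: str) -> str:
    """SHA-256 over the block's contents plus its backward reference."""
    payload = json.dumps({"index": index, "data": data, "prev_hash": prev_hash},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(records):
    """Link each record to its predecessor; the genesis block points at all zeros."""
    chain = []
    prev = "0" * 64
    for i, rec in enumerate(records):
        h = block_digest(i, rec, prev)
        chain.append(Block(i, rec, prev, h))
        prev = h
    return chain


def verify_chain(chain):
    """Return (True, -1) if every block is consistent, else (False, index of first bad block).

    A block is bad if its stored hash does not match its contents, or if its
    prev_hash does not equal the hash of the block before it.
    """
    prev = "0" * 64
    for blk in chain:
        if blk.prev_hash != prev or block_digest(blk.index, blk.data, blk.prev_hash) != blk.hash:
            return False, blk.index
        prev = blk.hash
    return True, -1


SAMPLE_RECORDS = [  # constructed sample transactions
    "alice pays bob 10",
    "bob pays carol 4",
    "carol pays dave 1",
]


def tamper_demo():
    """Three outcomes: intact chain, silent edit, edit with the block's hash recomputed."""
    intact = build_chain(SAMPLE_RECORDS)
    ok_intact, _ = verify_chain(intact)

    # Edit block 1's record without touching its hash: caught at block 1.
    edited = build_chain(SAMPLE_RECORDS)
    edited[1].data = "bob pays carol 400"
    ok_edit, bad_edit = verify_chain(edited)

    # Edit block 1 and recompute its hash: block 2's backward reference no longer
    # matches, so the edit is caught at block 2 unless every later block (on every
    # node) is rewritten as well.
    rehashed = build_chain(SAMPLE_RECORDS)
    rehashed[1].data = "bob pays carol 400"
    rehashed[1].hash = block_digest(1, rehashed[1].data, rehashed[1].prev_hash)
    ok_rehash, bad_rehash = verify_chain(rehashed)

    return ok_intact, (ok_edit, bad_edit), (ok_rehash, bad_rehash)


if __name__ == "__main__":
    print(tamper_demo())
```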

6. Guaranteed Avoidance Of Fraudulent Experience

An in-depth study revealed that, globally, 45% of business executives are still observing fraud concerns caused by tampering with transaction information. These scams occur more often in countries deprived of blockchain's presence. Not welcoming the disruptions happening worldwide can cause such countries to fall behind economically. Apart from its no-scam environment, the government's taxation policy can also be configured into this process flow to make sure all citizens follow taxation regulations. Tax fraud is one of the greatest concerns for any country, and it can be addressed effectively with blockchain processing.

Conclusion

Imagine a world with financial organizations that are free of monopoly practices in every region!

Wouldn't it be a great idea to leap into the future of decentralized management where the data hosting and processing power is not under the control of a single entity?

With diversified data servers and storage units, the system is hardened against every possible breach. Not only finance but other sectors like medicine, the military and education are also seeing disruptive implementations of blockchain technology, which is saving lives and allowing us to build a better society.


*This post is written by our guest author Shy Lee. She's an Associate Digital Marketing Manager at factorHR.


Interested in writing for us? Drop a mail at guestpost@srijan.net with your awesome ideas.

Topics: Technology, Security, Blockchain

Do Away with Security Risk Through the AppSec Shift-Left Approach

Posted by Rahul Kumar on Nov 5, 2019 10:45:58 PM

With developers under constant pressure to complete the software development process expeditiously, more and more facets of the process are compelled to “shift left” and surface earlier in the software development lifecycle (SDLC).

Given this, security can no longer be treated as a casual job, especially when code is being updated and delivered every few seconds or minutes.

That is where the “AppSec Shift-Left” movement comes into the spotlight: a strategy to audit code by discovering and eliminating software vulnerabilities without hampering the development process.

This blog will elucidate the need for the AppSec shift-left approach and the application security tools that can be leveraged to address those issues.

The Need for a Shift-Left Approach

The idea behind the shift-left approach is to find vulnerabilities at an early stage in the SDLC in a fast and efficient manner. The earlier development teams find bugs, the less rework they'll have to do later. This is why enterprises are making their developers responsible for application security.

As a result, developers will have to embed this approach as soon as possible as part of their responsibility to keep security in check and deliver applications on time; when errors occur, they can fix them on time rather than throwing them over the fence for someone else to take care of.

How Application Security Tools Can Support Developers 

Generally, developers have the common goal of producing secure, functional code within a deadline. To ensure security and functionality, they typically perform a code review process to debug their code.

Debugging code is not among the hopes and dreams of most developers. Plus, lengthy debugging sessions can delay projects. So the ideal application security tools should help developers debug their code swiftly, boosting their productivity and helping them meet their deadlines.

All these accomplishments will encourage developers to use the tool to remove software vulnerabilities. 

Additionally, whenever developers embrace these app security tools as a means to enhance their productivity, these tools are far more likely to showcase a material impact on vulnerability remediation.

Simply put, these application security tools reduce the time developers take to debug their code. However, this is no easy task! To help developers produce secure, functional software on time, these solutions must:

  1. Integrate into daily developer workflows. They shouldn’t interrupt development processes geared towards complying with the next deadline.
  2. Produce accurate and actionable results. Going forward, developers can fix vulnerabilities quickly once they have been identified.

Implement the Shift-Left Approach With These Tools

The tools mentioned below, when implemented in a CI/CD pipeline, empower developers to find any security loopholes at the right time.

  1. Fortify Static Code Analyzer (SCA)

The Micro Focus Fortify Static Code Analyzer (SCA) can identify, analyze, and resolve complex issues efficiently: it scans massive amounts of code in a flash and follows up with immediate actionable results, making it convenient for developers to create secure code.

SCA plays an essential role in creating secure software by identifying vulnerabilities in software security architecture and application code with minimal effort & in negligible time; without compromising on the quality of the code. 

  2. Black Duck

Black Duck software composition analysis solutions and open source audits give you the insight you need to track the open source in your code, mitigate security & license compliance risks, and automatically enforce open source policies using your existing DevOps tools and processes.


Open Source and Third-Party Software Audits

No matter what your organization's business is, you must be using open source in one way or another. The questions that arise with the use of open source are whether you know how your organization is using it, what kinds of licenses are in play, and whether you can meet all of your license requirements.

To answer all these questions, an audit is conducted to find what kind of open-source software (OSS) is present within your code and what licenses that OSS falls under.

Black Duck, an open-source library analyzer, comprises the following features:

  • Open Source and Third-Party Code Audit

Provides you with a complete open source bill of materials (BOM) for the target codebase; showing all open source components and associated license obligations and conflict analysis.

  • Open Source Risk Assessment

It offers a detailed view of open source risks in the codebase, including known security vulnerabilities, using Black Duck Enhanced Vulnerability Data. It can serve as a high-level action plan to prioritize research and potential remediation actions.

  • Web Services and API Risk Audit

Lists the external web services used by an application, with insight into potential legal and data privacy risks. It allows you to quickly evaluate web services risks across three key categories, i.e., governance, data privacy, and quality.

Conclusion

The software development life cycle (SDLC) is constantly picking up pace and becoming more automated.

Developers must keep up with the pace without leaving security behind, which is what the shift-left approach enables. Considered the fastest and most comprehensive approach, it can easily be integrated into DevOps pipelines to analyze code and build security into digital SDLCs without compromising on innovation!


Srijan takes security issues as a serious threat to organizations’ valuable assets and progress. And so, to mitigate the risk, it has provided its clients with a solution to deal with it efficiently. You too can reach out to us for the same. Contact now!

Topics: Drupal, Planet Drupal, Security, Framework and Libraries, Opensource

Open-source vs Proprietary Software - Which One Is More Secure?

Posted by Urvashi Melwani on Sep 6, 2019 4:33:00 PM

Today, IT security is paramount to succeeding in business. Enterprises are spending heftier amounts on security than ever before. Progress in both security and hacking technologies, such as intrusion detection systems, honeypots, honeynets, and various other security-related hardware and software solutions, showcases the pressing need for transformation in the information security domain.

A Gartner report cited that enterprises in India alone are going to spend heavily on the information security front, with spending reaching US$2 billion in 2020.

The increasing awareness on the benefits of the risk assessment and the realization of the fact that security is one of the driving forces for digital transformation are boosting enterprise security globally. 

The battle between open-source and proprietary software has been raging for a long time. Multiple issues and concerns have been examined and scrutinized by both sides. In the most recent phase of this fanatical dispute, both camps have inspected the issue of security with serious tenacity.

Having said that, let’s take a sneak peek into this blog for further insights on the same.

Myths Are Meant to Be Debunked

Proprietary software is more secure than open-source software. This myth comes from many prejudices. But a commercial license doesn’t assure security. Unlike proprietary software, open-source software is transparent about potential vulnerabilities.

#Myth1: Anyone can view the code 

Because it is open source, anyone can view the code. People often want to argue that being able to view the code allows nefarious hackers to look at it and exploit vulnerabilities.

However, this openness enables collaboration. Unlike, say, a proprietary product, which is developed and maintained by a single company, Drupal is developed and maintained by more than one hundred thousand programmers around the world. These programmers might work for companies that compete with each other, or they might volunteer to create something new that's then given away. For free.

In fact, in 2015 Google open sourced its artificial intelligence engine, TensorFlow, a core part of its business. It hoped more developers would make the software better as they adapted it to their own needs. And it did: by making it open source, Google boasts that more than 1,300 developers outside Google have worked on TensorFlow, making it one of the standard frameworks for developing AI applications, which could bolster its cloud-hosted AI services.

#Myth2: Proprietary software is secure and not prone to attacks

There have been multiple instances in the past showing that proprietary software has been attacked several times, such as:

Melissa virus and ILOVEYOU worm - both spread through Microsoft Word email attachments. The email contained an attachment; if the victim's system had the Microsoft Outlook application installed, the virus would send the email to 50 or to all of the contacts in the Outlook program's address book. It would also overwrite and consequently destroy various types of files on the victim's device, including MP3 files, JPEG files, and more. It led Microsoft to shut down its inbound email system.

WannaCry - a worldwide cyberattack that took place in 2017. It was a ransomware cryptoworm attack aimed at computers running Windows operating systems, encrypting all the files on these machines' hard drives. It didn't let users access the files until they paid a ransom in the cryptocurrency Bitcoin.

The WannaCry attack impacted major entities all over the world, such as the National Health Service in Britain and Scotland, the University of Montreal in Canada, State Government websites in India, and Russian Railways.

With that said, it's evident that proprietary software is also easily vulnerable to attacks!

Although countermeasures like anti-virus programs and security patches were implemented to mitigate the threats and weaknesses, the long-term and especially exorbitant effects of these dangers have been permanently engraved in the memories of people all over the world. This is because these attacks not only damaged vital electronic data but also shut down business operations and services, and facilitated malicious infiltration and theft of money and proprietary information.

History of Open-source Software

The term “open-source”, popular since its inception in the late 70s and early 80s, comes from the “open-source revolution”, which completely revamped the way software is developed, resulting in the birth of the community-generated software development method.


In 1971, Richard Stallman, a young software engineer from Harvard, joined the MIT Artificial Intelligence Lab with the intent of developing computing platforms. After he had served there for a few years, in the early 1980s the MIT Lab faded away as proprietary software boomed in the market, and it lost its talented developers to privately held tech companies.

Stallman, who was closely involved in the field and knew customers' software requirements, believed customers should be empowered enough to fix and debug the software themselves instead of simply operating it.

“Users should be empowered enough to fix and debug the software themselves-instead of simply operating it”

The majority of software until now was controlled in its entirety by the developer where individual user rights were completely discarded. This was also a pain point for MIT AI Lab since they failed to incorporate this feature into their software development strategies.

The Launch of the Free Software Movement

But this was only until 1984. After evaluating the situation, Stallman began his GNU Project, starting with a compiler, GCC, and a new operating system. Stallman felt that the GNU Project was the major turning point in the evolution of the free software community.

“The Free Software Foundation was formulated to let users run the software as they wanted”

Stallman believed that software should be available for free in terms of accessibility. Hence, the Free Software Foundation (FSF) was formulated so that users can run, modify, update, and disseminate software in the community.

Later on, he also introduced the concept of copyleft, wherein a program is first copyrighted, and then additional distribution terms are added for its further use.

Challenges Associated With Proprietary CMS 

Proprietary CMS comes with a set of restrictions that make it less flexible in comparison to open-source software.

“The contribution and development teams of proprietary CMS are smaller, which makes it evident that there is a probability of missing out on mistakes and bugs in the code”

It might appear that closed source software or proprietary software is more secure since the code is not available. But unfortunately, it is not the case! The contribution and development teams of proprietary CMS are smaller, which makes it evident that there is a probability of missing out on mistakes and bugs in the code.

You might not know what issues the proprietary system has had in the past, or is having currently because the provider of the proprietary CMS isn’t going to voluntarily reveal this information. This sets a major drawback for proprietary CMS users in terms of security as well.

Let’s further see the challenges associated with proprietary CMS-

Not many customization options

Since these proprietary CMS are developed for a specific kind of industry and audience, it gets difficult to customize the website to fit the exact needs of the people. Users are not building their system so it's obvious that they will have limited flexibility options.

Portability is out of the question

Users don’t have an option to extract data and files out of their system with a proprietary solution. They are quite restricted because they won’t be able to even move their website from one hosting service to another.

“Several CMS vendors don’t upgrade their platforms, so it's better to do a bit of research first and then jump onto doing business with a vendor”

You don’t have any option other than trusting the company blindly

Since the company owns the platform and the storage space your website will be built upon, you'll have to place a lot of trust in your vendor. They will have to continuously develop and refine their software to handle their consumers' needs better. The vendor should also be within reach whenever you need assistance with your website.

Several CMS vendors don’t upgrade their platforms, so it's better to do a bit of research first and then jump onto doing business with a vendor.

You are just renting software

Even if you have bought the proprietary CMS, you won’t own the code it's built with. It is not yours and hence requires a monthly rent from you, to keep your website running.

Benefits of Open-source Software

“People in the open-source community come forward to find solutions, assist each other, and to share extensions that would benefit the masses”

  • It is open-source!

This implies that the source code is available for anyone who wishes to study it, analyze it, and modify it in any way.

Thanks to this, people can easily extend the code and add specific functionalities as per their requirements.

  • An open-source CMS is maintained by a large community

There is always a primary group of developers, as with WordPress, but the CMS is also supported by its user base. People in the open-source community come forward to find solutions, assist each other, and share extensions that benefit the masses.

[Figure: bar chart. Source: Sas.com]

  • An open-source CMS can be hosted almost anywhere

Most of them, like Drupal, offer one-click installs in the control panel of the accompanying hosting service, which again is very user-friendly and comfortable.

  • The CMS software itself is usually free of cost

You can easily make use of plenty of extensions, themes, and a variety of tools for free. However, there are plenty of paid extensions and themes as well. Some solutions can only be leveraged with paid software. An open-source CMS is usually the most budget-friendly solution.

Alternatives to Proprietary Software

It is interesting to see that there are so many open-source software alternatives for the existing proprietary software which are equivalent or more reliable, secure, and flexible. 

If you are contemplating migrating from proprietary software to open source, you surely can, and with ease!

Software Category    | Proprietary Software          | Equivalent Open-source Software
Operating System     | Microsoft Windows             | Ubuntu Linux
Browser              | Internet Explorer             | Mozilla Firefox
Office automation    | Microsoft Office              | OpenOffice
MathWorks            | MATLAB                        | Scilab
Graphics tool        | Adobe Photoshop               | GIMP (GNU Image Manipulation Program)
Drafting tool        | AutoCAD                       | Archimedes
Web editors          | Adobe Dreamweaver             | Nvu
Desktop publishing   | Adobe Acrobat                 | PDF Creator
Blogs                | Blogger                       | WordPress
Mobile               | iOS                           | Android
Media player         | Windows Media Player          | VLC Player
Database             | Oracle, Microsoft SQL Server  | MySQL, MongoDB, Hadoop
Server               | Microsoft Windows Server      | Red Hat Server, Ubuntu Server
Web server           | IIS                           | Apache

Open-source Security in Drupal

Drupal, with a proven track record of being the most secure CMS, has been rolling with the punches against critical internet vulnerabilities. Thanks go to the Drupal Security Team for earnestly finding anomalies, validating them, and responding to security issues.

The responsibilities of the security team include documenting these findings and the changes made, so that developers aren't left at a loss when they face a similar situation.

“The Drupal community comprises over 100,000 contributors towards its enhancement”

Besides, the team also assists the infrastructure team in keeping the Drupal.org infrastructure secure. They ensure that any security issues in code hosted on Drupal.org are reviewed, reported, and solved in the shortest period possible.

Important features that make Drupal 8 the best WCMS with regard to security:

  • The Security Working Group (SecWG) ensures that Drupal core and Drupal's contributed project ecosystem provide a secure platform while ensuring that best practices are followed.
  • The community makes sure that people are notified the day patches are released: every Wednesday for contributed projects, and the third Wednesday of every month for core, usually for a fixed period.
  • Drupal abides by the OWASP (Open Web Application Security Project) standards, and its community is devoted to preventing security breaches.
  • The Drupal community comprises over 100,000 contributors towards its enhancement. It is an open-source code base where contributed modules are properly reviewed and verified, and a notification is sent if a module is acceptable for use.
  • Apart from encrypting and hashing passwords, Drupal provides modules that support two-step authentication and SSL certificates.
  • Any member can make changes to Drupal modules and report any issues or bugs that occur in their system.
  • The access controls offered by Drupal are a superb feature. Dedicated accounts can be created for certain user roles with specified permissions. For instance, you can create separate user accounts for Admin and Editor.
  • Its multi-branched cache structure helps reduce the impact of Denial of Service (DoS) attacks and makes it the best CMS for some of the world's highest-traffic websites, like NASA, the University of Oxford, the Grammys, Pfizer, etc.

Statistics Say It All

Sucuri, a security platform for websites, curated the “Hacked Website Report 2018”. It evaluated more than 34,000 compromised websites. Among the statistics it shared, one compared the affected open-source CMS applications.

[Figure: Sucuri's comparison of compromised websites by CMS platform]

The results were clearly on Drupal’s side declaring it a better WCMS than other leading platforms for preventing safety hazards.

The infection crept in these websites due to improper deployment, configuration, and maintenance.

Additionally, the Cloud Security Report by Alert Logic also marked Drupal as the website content management system with the least number of web application attacks.

[Figure: table of web application attacks by CMS. Source: Alert Logic]

Difference Between Open-source and Proprietary Software

Factor: Cost
  • Open-source: Open-source software is free, which makes it an alluring option if you have the in-house capacity to meet your business requirements.
  • Proprietary: Proprietary software costs anywhere from a couple of thousand dollars to one hundred thousand dollars, depending upon the complexity of the framework needed.

Factor: Service and support
  • Open-source: Open-source software communities of developers are huge and steadfast, which helps clients get prompt solutions to their problems.
  • Proprietary: Proprietary software vendors offer ongoing support to clients, a key selling point for clients without specialized expertise.

Factor: Innovation
  • Open-source: Open-source software boosts innovation by giving users the opportunity to modify, append, or distribute it as per their requirements.
  • Proprietary: Proprietary software vendors don't permit users to view or adjust the source code, making it unfit for organizations that desire scalability and flexibility. Only developers can incorporate new features into the product, as and when requested by users.

Factor: Security
  • Open-source: As open-source code is available to everybody, it increases the possibility of finding more vulnerabilities easily. It is also worth noting that open-source communities fixed security vulnerabilities twice as quickly as commercial software vendors do.
  • Proprietary: Proprietary software is considered secure as it is developed in a governed setting by employees under regular direction. However, ruling out the possibility of backdoor Trojans, and lowering the threat of other bugs or obstacles, can be troublesome in proprietary software.

Factor: Availability
  • Open-source: Open-source software is available for free on the web, with 24*7 support from the community.
  • Proprietary: Proprietary software is accessible if the company holds the rights to the bundle or has purchased it from the respective vendor. A trial version is also accessible for free to test.

Factor: Flexibility
  • Open-source: As organizations aim at deriving more business value from less, open-source software can deliver high flexibility, lower IT costs and increased opportunities for innovation.
  • Proprietary: With proprietary software, such as Microsoft Windows and Office, companies are required to upgrade both software and hardware on a timely basis. Updates must be installed for proper working. However, not all updates are compatible with all versions of the software.

In The End

Website security has always been a cause of hindrance in the journey of digital transformation and survival due to several potential threats. 

Open-source software can be considered a more fitting solution than closed-source or proprietary software. Further, this report indicates that there is an obvious desire among companies to adopt open-source technology and also to prioritize the task of enhancing security in their organization.
Source: Gartner

However, it all depends on the preferences and needs of the organization and the on-going project for their digital business.

Drupal, an open-source content management framework, comes out as the most secure CMS in comparison to the leading players in the market.

It has been the pacesetter when it comes to choosing a security-focused CMS. More individuals working on and reviewing the product always means a higher chance of a secure product!

Topics: Drupal, Planet Drupal, Security

The Modern Guide to Building the Right Content Strategy with Drupal

Posted by Akshita Rawat on May 21, 2019 12:00:00 AM

To keep up with consumer demand, businesses need to tactically rethink and reform the way they produce and manage content. 

What you need is a way to stand out in the consistent content chaos. To make that happen, you need a strategy that can help:

  • push out content intuitively
  • organize scattered assets into a coherent whole
  • manage real-time collaboration effectively

And that’s where the role of a CMS is important.

Here’s a comprehensive guide to building the right content strategy with Drupal, focusing primarily on the technological aspect, which will help you strike the right note with your audience.

You Need to Have a Content Strategy. But Why?

With an increase in the number of content dissemination channels, it is easy to lose consistency and easier to lose track of the larger goal.

“Pushing out content without being focused on the goal, its relevance, distribution, or the target audience is a waste of time and money – even if your content is amazing!”

The 2018 Demand Gen Report revealed that buyers are becoming more discerning and selective in the content they decide to consume. 88% agree that content producers need to focus less on product specifics and more on the value that can be brought to their business.

These key findings from the audience can be harnessed only with a well-designed content strategy. This means that by doing as little as creating a persona, you get ahead of 58% of your competition (2018 CMI Report).

According to the same study, a whopping 97% of top performing B2B marketers have a content marketing strategy, while 32% of (overall) B2B marketers do not have a documented plan. In most cases, this means that they really have no clue what they’re doing.

Some of the benefits of a digital content strategy are:

  • Aligns your team with the organization’s mission/goals
  • Helps you figure out which types of content to develop and which will work
  • Keeps your team focused on priorities
  • Helps you allocate resources for better results
  • Clarifies your target audience/s

Building Content Strategy With Drupal

Traditionally, content strategy involves the planning, creation, and governance of content. However, with an explosion of channels and a proliferation of new devices, content strategy cannot be limited to just website content.

One of the challenges is to remain engaging yet relevant on different channels.

This can be solved by bringing uniformity and consistency across the various touch points from which a user can access information and engage with the content.

“The goal of the content strategy must be to strategically fit the reader into the marketing funnel”

Drupal’s dynamic features at the core make it a perfect fit to cater to the needs of creating great digital experiences. Here’s how:

Unifying the Content Strategy Across Channels with Drupal

Content Governance

Often neglected, content governance is a detailed framework of content delivery and management which ensures consistent brand storytelling across all media.

Implementing a content governance framework requires different users (from the same or different teams) to collaborate effectively, with a distinct workflow and audit trail. In the face of exponential growth in the variety and volume of content, Drupal helps manage, organize, and secure the content with Workflow and Staging.

Since editing content on the live site can result in accidental publishing, Drupal’s Workflow module provides a separate staging environment. Drupal makes it easy to stage and preview content in different environments, with full content staging capabilities.

You can define multiple workspaces such as "staging" and "live" which are copies of your site, to create content (or modify) and the changes are visible only within that workspace. Once the changes have been verified, you can "deploy" the content to another workspace.

Users, roles, and permissions: Security is important, and that is why not every user should be permitted to access every part of the site. Drupal offers a number of security modules that help manage and secure backend access.

With User Access Control, site administrators on Drupal can work to provide unique user experiences and different access rights to writers, editors, marketers, and site visitors.

The Workflow module helps in creating arbitrary workflows and assigning them to entities. That is important from a security perspective too. A workflow with states such as Draft, Review and Published can be assigned to the Story node type.

Thus, only the users with ‘Editor’ permissions can set stories to the published state.

Some of the other Drupal modules which can be used are:

  • Workbench Access module: helps create editorial access control. Admins can grant users access to content, which is then found under My Workbench on the homepage. It brings content-focused features together in one unified user interface.
  • Domain Access module: allows you to share users, content, and configurations across a group of sites.

Enterprise-wide password control systems

Password security is even more crucial and needs the right kind of strategic perspective, with strong policies. Drupal’s default password management is reasonably good, but of course it can be improved. Here are some of the Drupal security modules that can be used to provide additional controls for password management:

  1. Password Strength: provides realistic password strength measurement and server-side enforcement for Drupal sites using pattern-matching and entropy calculation.
  2. Password Policy: provides a way to enforce constraints which must be met before a user password change will be accepted.
  3. Restrict Password Change: Adds a new permission 'change other users password'. When the user_profile_form is loaded it checks to see if the current user has the proper permission or if they are editing their own account, otherwise, it removes the password change option.
  4. Login Security: Login Security module improves the security options in the login operation of a Drupal site. By default, Drupal introduces only basic access control denying IP access to the full content of the site.
  5. Shibboleth Authentication: Provides user authentication as well as some authorisation features.
  6. Flood Control: Adds an administration interface for hidden flood control variables in Drupal 7, like the login attempt limiters and future hidden variables.
  7. Secure Login: Ensures that the user login and other forms are submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in the clear.

Digital Asset Management System: An important part of governance is business workflow and common identity, which is significant for the smooth functioning of marketing. The CMS needs to act as a solid repository while also allowing uploaded digital assets to be modified.

It should give editors the ability to make iterative changes to assets to enable promotion of products and brand across channels and devices. Digital Asset Management (DAM) smartly strategizes the way enterprises handle their digital assets.

The Acquia DAM Connector can sync your digital assets with your Drupal website, allowing editors to seamlessly use content from within all the websites you maintain. In order to ensure that the site is using the latest version of an asset stored, it periodically syncs assets from Acquia DAM via a cron job.

It also empowers editors to select Acquia DAM assets directly through a media field or through the WYSIWYG integration. Further, it enables the user to view asset metadata directly in the entity browser without importing the asset and provides a usage report of assets within Drupal.

“In the digital landscape, the creation of digital assets in large numbers is almost inevitable.”

Backup: Writing content is an intensive exercise. And so you need to have a backup to save yourself in case the website system crashes or is hacked.

Backup and Migrate: Back up and restore your Drupal MySQL database, code, and files or migrate a site between environments. Backup and Migrate supports gzip, bzip and zip compression as well as automatic scheduled backups.

Content Modelling with Drupal

Before you start building the site it is important to consider your content as a whole and work out a model that will guide you and the user to smoothly navigate through the website.

It entails detailed definitions of each content type’s elements and their relationships to each other. It also helps to identify the organization’s requirements, develop relevant taxonomy that meets those requirements, and consider where the content blocks and fields should be allowed or required. 

Content modelling is a critical starting point for website content.

Drupal is an incredible CMS for building a content-rich website. Built on its entity system and the variety of field types, Drupal can support a wide range of content models.

At its core, Drupal is built on Views, which lets you rework the default taxonomy/term view however you want. Say you want a way to display a block with the X most recent posts of some particular type.

Views can be used for anything that involves displaying lists of content, and the core Views UI module lets you create and edit them in the administrative interface. When you define a view, you take data from your website and display it to the user.

By breaking content types into fields, Drupal also lets you build structured content.

Modules like Paragraphs and Stacks let you build rich and dynamic content.

Layout Builder, a module stabilized in Drupal 8.7, empowers you to build layouts with ready-to-use multi-column layouts and Drupal blocks, without the intervention of a developer.

It is unique since it can support multiple and different use cases from templated layouts applied to dozens of pieces of structured content, to designing custom one-off pages with unstructured content.

Here’s how it can be used in three different use cases:

  1. Layouts for templated content: The creation of ‘layout templates’ can be used for a specific content type. Example, blog posts.
  2. Customizations to templated layouts: Can customize the layout templates on a case-by-case basis. Example, to override the layout of a standardized product page.
  3. Custom pages: The creation of custom landing pages which are not tied to any particular content type or structured content. Example, a single ‘About us’ page.

The Layout Builder is more powerful when used with Drupal's other out-of-the-box features such as revisioning, content moderation, and translations.

Omnichannel Content Strategy with Drupal

Users are always at the centre. Therefore, the content strategy needs to be as dynamic as your user experiences across different channels, if it is to succeed. Omnichannel content strategy is a way to unify the experience across all the channels and touchpoints.

Regardless of how and where content or products are first consumed, users expect complete consistency and a unified experience.

API First Publishing with Drupal


Drupal 8 is API-first which means, it can power ambitious applications of all kinds, from behind-the-scenes systems written in languages like Python, Java or Go to rendered experiences using the latest frontend frameworks, like React, Vue and Ember.

Content touchpoints are proliferating at a fast clip: conversational UIs, digital signage, medical and healthcare devices. API-first Drupal lets you integrate with other systems, use your content anywhere and display it as you please, which positions it well for entire digital ecosystems.

The JSON:API module, which is also now in core with Drupal 8.7, is meant for creating high-performance APIs that expose Drupal data as JSON. It creates API endpoints for all Drupal entities out of the box and requires no configuration.

It not only provides a great authoring experience but also a powerful, standards-compliant, web service API to pull that content into JavaScript applications, digital kiosks, chatbots, voice assistants and more.

This makes it easier for third-party content and applications to integrate with Drupal’s core web services ecosystem.

Mobile-first and Out of the Box Responsive


Content also needs to be usable from any device. Drupal 8 has been designed with a mobile-first strategy. The responsive design ensures that content and layout are scaled based on the viewport size available.

Out of the box, Drupal 8 ships with two modules, Breakpoint and Responsive Image, that ensure mobile-first behaviour.

Responsive content needs to be modular and readable so readers can easily consume it.

Drupal for mobile lets you easily define different pieces of content for different devices. Each field in the backend can be uniquely styled and prioritized according to its content type.

Personalization with Drupal

No matter how good your content is, no one will bother to read it if it doesn’t talk to them, in their own language. Every content piece needs to communicate with your audience and increase the relevance of product proposition, by addressing their unique fears, needs and desires.

This orchestrates the customer experience and drives engagement.

Personalization brings familiarity, which brings strength to customer loyalty to your brand, helps track demographics and behavioural patterns and convert an anonymous user into a potential customer.

Acquia Lift solves the challenges for digital teams, by bringing together content and user profile data from any source to personalize the customer journey in ways not previously possible. More than a headline swap or banner choice, Lift presents wholly targeted experiences based on broadly observed visitor behaviors as well as specific user preferences and interactions in real time with the very first engagement across any device or channel.

“And 81% of B2B Marketers (2018, CMI Report) believe that building a content strategy makes it easier to determine which types of content to develop.”

Drupal in Other Marketing Technology

New technologies like artificial intelligence (AI), machine learning, Augmented Reality (AR), Virtual Reality (VR) among others are reshaping how users consume content. It’s a big opportunity for companies to produce and recycle the same content through different channels and mediums. All the while keeping people engaged.

Virtual Reality

Immersive experiences created by virtual reality are the “Next Big Thing” happening. Virtual reality has seen a surge lately, appearing constantly in the Gartner Hype Cycle. While it is rapidly approaching a much more mature stage, in the enterprise sector virtual reality already has many scenarios where it is employed with success.

Education is one instance: VR can enable many experiences that would be impossible or too dangerous in reality.

Here’s a demo video of a high school student, Jordan who explores Massachusetts State University (a fictional university, built on Drupal) from the comfort of his couch. Jordan is able to take a virtual tour directly from the university's website.

Augmented Reality

Another part of the futuristic technology, AR can be used to superimpose useful information in a shopping experience.


The demonstration shown in this video displayed a shopper interacting with the AR application. The mobile application of Freshland Market (a fictional grocery store), built on Drupal 8, guided the shopper through her shopping list.

Wrapping Up

Often, it can be a virtual nightmare for content producers and marketers trying to find the right piece at the right time. Even when the content is all in one place, slow and complicated systems can get badly in the way.

Drupal 8 provides a perfect foundation for incorporating technologies that enable a smart strategy for your brand, content, and digital marketing needs. Whether your organization is just starting out or already has a content strategy in place, you can always reach out to our experts, who can help you deliver quality results with personalized experiences.

Topics: Drupal, Security, Omnichannel

Best Practices for Security in Drupal Website

Posted by Akshita Rawat on Mar 14, 2019 6:09:00 PM

Enterprises - large and small - often rely on Drupal’s secure system to safeguard against the most critical internet vulnerabilities. With its dedicated security team, a large professional service provider ecosystem, and one of the largest developer communities, it actually has the capability to do so and secure your enterprise against attacks. But to what extent?

While Drupal CMS is undoubtedly secure with strong coding standards and rigorous community code review process, and there are several Drupal security modules out there, it still requires some effort on the part of teams that work on Drupal sites. Adherence to the best practices, and having a well-planned security strategy will help you be prepared for any kind of ransomware and phishing attacks, if they occur.

Here’s a look at the best practices for securing a Drupal website:

Develop a Security Plan

According to a report by Symantec, there was a 42% increase in new ransomware variants in 2018. So even though Drupal is implemented with the highest levels of security, assuming that it will always be foolproof and doing nothing about it isn’t a good idea. A basic security plan would involve:

  • Chalking out the applications in a hierarchical manner. Prioritize which applications to focus on first.

  • Categorizing your applications as normal, serious and critical. Reserve extensive testing for critical ones, and less intensive testing for normal ones. This allows you to make the most effective use of your company’s resources and will help you achieve progress more quickly.

This also ensures that the needs of every department are accounted for, and your bottom line is not compromised in the name of security.

Choose a Secure Hosting Provider

Website security needs to be a holistic approach. From choosing passwords, captchas, SSL certificates, to securing the server, everything needs to adhere to the security standards. Which is why, before you select a hosting provider, make sure that you do not compromise on the security standpoint. The right hosting provider will not only improve the speed and uptime of your website, but also ensure your website security.

In the best case, Drupal-specific hosting provides you with server-side security patches and pre-emptive upgrades to keep pace with new upcoming versions.

Always Upgrade to the Latest Version

Attackers more often target old versions, since these are more likely to carry known, unpatched vulnerabilities. So always keep your website updated to the latest Drupal version. Keep an eye out for the core updates (even the minor releases). And if you are too busy to do it, simply follow the Drupal security team on Twitter or through emails (newsletter).

Activate Additional Security Modules

Besides having a secure infrastructure, you can also equip your Drupal website with additional security modules. But adding all the modules can slow down the speed of your website, and may even make your website prone to vulnerabilities.

So what is key here is choosing stable and approved modules. Particularly for contributed modules, use only those that carry the green badge. Those are the ones covered by the Drupal security team.

Define Permissions with User Role Access

One of the easiest ways to carefully and thoughtfully secure the administrative side is by setting user permissions.  

Through permissions in Drupal, you can govern and restrict user actions on the site, including viewing and editing content and changing configuration. Each permission covers one action or a small subset of actions. Any user can be granted a permission in order to perform the corresponding action on the site, since permissions are defined by the modules that provide the actions.

GDPR Compliance

With the implementation of GDPR, user data privacy is now an added dimension of security. So you need to ensure that your customer data is secure and protected. Every data collection step should involve the clear consent of the user, and data should be encrypted and secured in a place which is tough to locate.

Not complying with GDPR can also put your business at significant risk. So it is in your interest that all the data collected is secure and subject to data security and privacy principles.

Backup your Website

Backups are yet another important element of security. In case of any unforeseen instance, a secure backup can save your data as well as reputation. It will cover the latest copy of the system and data that can be deployed to restore the information.

Web security is not just about saving the website from nefarious activities, such as phishing and other social engineering attacks, it is a proactive measure that you must take to make it difficult to break in.

Every business is unique, and it is always good to contact IT professionals who can evaluate your system and suggest best practices for your business. Our Drupal experts are just one click away. Drop a mail at business@srijan.net to chalk out the best practices and secure your website.

Topics: Drupal, Security

18 Drupal Security Modules You Need to Start Using for Your Site

Posted by Akshita Rawat on Mar 13, 2019 5:35:00 PM

The number of data breaches and exposed records in the U.S. reached its highest figure to date in 2017. While practically every CMS talks about scalability and user experience, security remains a critical component that doesn’t get as much air time as it should.

Drupal has a reputation when it comes to security. According to 2017 Sucuri hacked website reports, Drupal is one of the least infected CMS for that year.


Source: Hacked Website Report 2017 Statistics

Several government, educational, and global enterprises are opting for Drupal for its security and content management. Here is a look at Drupal’s top security modules:

Top Drupal Security Modules

Challenge Response and Spam Detection Modules

Challenge–response authentication is a protocol in which the user is presented with a question; a user who fails to provide the right answer may be barred from accessing the website.

We all have come across the captcha response which ensures that the spambots are filtered out. Here are the top challenge-response and spam detection modules:

1. Captcha: A challenge-response test, which is often placed within web forms to determine whether the user is human. The purpose of CAPTCHA is to block form submissions by spambots. The module provides this feature to virtually any user-facing web form on a Drupal site.

2. reCaptcha: Using the Google reCAPTCHA web service, the module helps improve the CAPTCHA system. It helps you detect abusive traffic on your website without any user friction.

3. Spamicide: It aims to prevent spam submissions to any form on your Drupal website. Spamicide adds an input field to each form and then hides it with CSS. When spam bots fill in the field, the submission is discarded.
The field, and the matching .css file, are named so as not to give away that they are a spam-defeating device, and the admin can set the names to almost anything. It can also show if and when a particular form has been compromised, allowing the admin to change the form's field name (and corresponding .css file) to something else.

4. Honeypot: It inserts a fake input field into the form which is only visible to bots. Honeypot uses both the honeypot and timestamp methods of deterring spam bots from completing forms on your Drupal site.
The module currently supports all forms on the site, or particular forms like user registration or password reset forms, web forms, contact forms, node forms, and comment forms.

5. Antibot: An extremely lightweight module designed to eliminate robotic form submissions, Antibot works completely behind the scenes and doesn't require any interaction from the end-users (no annoying CAPTCHAs!), with the exception that JavaScript must be enabled.
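The hidden-field and timing checks that Spamicide and Honeypot describe, implemented server-side as an added example (not code from either module); the field names, the shared secret and the 5-second threshold are assumptions for the demo:

```python
"""Server-side honeypot + timestamp checks for a web form.
Added example, not Honeypot/Spamicide module code; field names, the
secret and the 5-second threshold are assumptions."""
import hashlib
import hmac

HONEYPOT_FIELD = "homepage"          # hidden via CSS; humans never see or fill it
TIMESTAMP_FIELD = "form_timestamp"   # hidden field carrying the signed render time
MIN_SECONDS = 5                      # minimum plausible time for a human to fill the form
SECRET = b"constructed-demo-secret"  # per-site secret; constructed for this demo


def issue_timestamp(render_time: int) -> str:
    """Value to embed in the hidden timestamp field when the form is rendered.

    It is signed so a bot cannot simply back-date it to pass the time check."""
    mac = hmac.new(SECRET, str(render_time).encode(), hashlib.sha256).hexdigest()
    return f"{render_time}:{mac}"


def check_submission(form: dict, submit_time: int) -> tuple[bool, str]:
    """Return (accepted, reason) for a submitted form dict."""
    # 1. Honeypot: any content in the invisible field marks a bot.
    if form.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot field was filled in"

    # 2. Timestamp: must be present, untampered and old enough.
    token = form.get(TIMESTAMP_FIELD, "")
    render_str, _, mac = token.partition(":")
    if not render_str.isdigit() or not mac:
        return False, "timestamp missing or malformed"
    expected = hmac.new(SECRET, render_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "timestamp signature invalid"
    if submit_time - int(render_str) < MIN_SECONDS:
        return False, "form submitted too quickly"

    return True, "accepted"


def demo() -> dict:
    """Run constructed submissions through the check and return the verdicts."""
    rendered_at = 1_700_000_000
    token = issue_timestamp(rendered_at)
    stale_mac = token.split(":")[1]
    cases = {
        # a person reads the post and comments 42 seconds later
        "human": ({TIMESTAMP_FIELD: token, HONEYPOT_FIELD: "", "comment": "Nice post"},
                  rendered_at + 42),
        # a bot fills every field it finds, including the invisible one
        "bot_fills_hidden_field": ({TIMESTAMP_FIELD: token, HONEYPOT_FIELD: "http://spam.example"},
                                   rendered_at + 42),
        # a bot posts one second after the form was served
        "bot_too_fast": ({TIMESTAMP_FIELD: token, HONEYPOT_FIELD: ""}, rendered_at + 1),
        # a bot rewrites the timestamp to look old but cannot forge the signature
        "bot_backdates_timestamp": ({TIMESTAMP_FIELD: f"{rendered_at - 3600}:{stale_mac}",
                                     HONEYPOT_FIELD: ""}, rendered_at + 1),
    }
    return {name: check_submission(form, when) for name, (form, when) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:25} {verdict}")
```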

“In case your website is built on Drupal 8 you can use up to 187 modules.”

Authentication Module

A number of systems have been developed that allow domain name owners to identify an email address as authorized. While not directly attacking spam, these systems make it much harder to spoof addresses, a common technique of spammers.

6. OAuth - Provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). OAuth provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.

7. LDAP - The Lightweight Directory Access Protocol (LDAP) provides authentication, user provisioning, authorization, feeds, and views.

8. Secure Login - For sites that are available via both HTTP and HTTPS, Secure Login ensures that the user login and other forms are submitted securely via HTTPS. It helps prevent passwords and other private user data from being transmitted in the clear.

The module locks down not just the user/login page but also any page containing the user login block, and any other forms that you configure to be secured.

Secure Login module enforces secure authenticated session cookies, thus preventing session hijacking by eavesdroppers.

9. SimpleSAML - This module integrates Drupal with SimpleSAMLphp, the most robust and complete implementation of SAML in PHP. It makes it possible for Drupal to communicate with SAML or Shibboleth identity providers (IdP) for authenticating users. The resulting Drupal site can effectively act as a SAML or Shibboleth service provider (SP).

Password

Repeatedly using the same or weak passwords can leave you vulnerable to attackers. If a password is compromised, your personal and sensitive information could be prone to misuse.

10. Password policy - A password policy can be defined with a set of constraints which must be met before a user password change will be accepted. Each constraint has a parameter allowing for the minimum number of valid conditions which must be met before the constraint is satisfied.

11. Encrypt - With an API for performing symmetric encryption, Encrypt allows encryption and decryption of data in a standardized manner. Aside from administration pages to manage encryption profiles, it supports a variety of ciphers for strong encryption.

Admin and User Security

Users, roles and permissions are key components of website security, and they're of major importance in Drupal as well.

12. Menu Admin per Menu - Users with no admin access will, by default, not be able to see the menu item. Drupal allows only users with the "Administer menus and menu items" permission to add, modify or delete menu items, thus preventing the possibility of accidents and security breaches. Menu Admin per Menu allows giving roles per-menu admin permissions without giving them full admin permission.

13. Username Enumeration Prevention - There is a way to probe the system using a technique called username enumeration. Using the forgot-password form, an attacker can enter a username that does not exist and get a response from Drupal saying so, which confirms which usernames are real. Username Enumeration Prevention stops this from happening.

When the module is enabled, the error message will be replaced for the same message as a valid user and they will be redirected back to the login form. If the user does not exist, no password reset email will be sent, but the attacker will not know this is the case. 
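Password-reset handling with and without the enumeration leak described above, as an added example that is not the module's code; the user store and messages are constructed, and the `/user/login` redirect mirrors Drupal's login path:

```python
"""Password reset with and without a username-enumeration leak.
Added example, not module code; the user store and messages are constructed."""
import hashlib
import secrets

# Constructed user store: username -> e-mail on file.
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}

# Hashed reset tokens that would be looked up when the e-mailed link is followed.
PENDING_RESETS: dict[str, str] = {}

NEUTRAL_MESSAGE = ("If the account exists, further instructions have been sent "
                   "to its e-mail address.")


def reset_leaky(name: str) -> dict:
    """Behaviour the module prevents: the message reveals whether the account exists."""
    if name not in USERS:
        return {"message": f"Sorry, {name} is not recognized as a username or an e-mail address.",
                "mail_sent": False}
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[name] = hashlib.sha256(token.encode()).hexdigest()
    return {"message": "Further instructions have been sent to your e-mail address.",
            "mail_sent": True}


def reset_safe(name: str) -> dict:
    """Identical visible response either way; mail only goes out for real accounts."""
    # Generate and hash a token on both paths so response timing is comparable too.
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    mail_sent = False
    if name in USERS:
        PENDING_RESETS[name] = token_hash
        mail_sent = True   # the mail carries `token`; the browser sees only NEUTRAL_MESSAGE
    # Redirect back to the login form, as the module does (Drupal's login path).
    return {"message": NEUTRAL_MESSAGE, "mail_sent": mail_sent, "redirect": "/user/login"}


def leaks_user_existence(handler) -> bool:
    """True if the handler's visible message differs for a known and an unknown name."""
    return handler("alice")["message"] != handler("no-such-user")["message"]


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_user_existence(reset_leaky))
    print("safe handler leaks: ", leaks_user_existence(reset_safe))
```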

14. Key - Empowering the site administrator by letting them define how and where keys are stored, Key elevates security by helping meet regulatory requirements. In the end, it ensures that sensitive keys (encryption keys and API keys) are managed properly and security is improved.

Miscellaneous

While the above mentioned modules cover the majority of the security modules, here are some more you can use:

15. SecKit - SecKit provides Drupal with various security-hardening options. This lets you mitigate the risk of exploitation of different web application vulnerabilities. It protects the site against cross-site scripting, clickjacking and cross-site request forgery, and adds SSL/TLS hardening.

16. Persistent login - The Persistent Login module provides a "Remember Me" option on the user login form. Persistent Login is independent of the PHP session settings and is more secure (and user-friendly) than simply setting a long PHP session lifetime. 

17. Mime detection - MimeDetect provides a complete system for detecting the actual content of files in your Drupal site.

By default, Drupal provides a "guessing" system based on the filename extension. This is very weak and your site could store files with real content different from the one indicated by its extension.
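Sniffing the real content type from the leading bytes, as opposed to trusting the extension, written as an added example rather than MimeDetect's own code; the signature table is a small constructed subset and the upload policy (only recognised types pass) is an assumption:

```python
"""Content-based type detection versus extension guessing.
Added example, not MimeDetect code; the signature table is a small constructed
subset and the accept/reject policy is an assumption for the demo."""
import os

# (magic prefix, MIME type): a small constructed subset of common file signatures.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]

# What an extension-only guess (Drupal's default behaviour) would report.
EXTENSION_MIME = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".gif": "image/gif", ".pdf": "application/pdf", ".zip": "application/zip",
}
UNKNOWN = "application/octet-stream"


def guess_by_extension(filename: str) -> str:
    """The weak method: trust whatever the filename claims."""
    ext = os.path.splitext(filename.lower())[1]
    return EXTENSION_MIME.get(ext, UNKNOWN)


def sniff_content(data: bytes) -> str:
    """Type from the leading bytes; server-side script is flagged explicitly."""
    head = data[:64]
    if head.lstrip().startswith((b"<?php", b"<?=")):
        return "text/x-php"
    for prefix, mime in MAGIC:
        if head.startswith(prefix):
            return mime
    return UNKNOWN


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept only when the declared (extension) type matches the real content.

    Policy (assumption): unrecognised content is rejected rather than stored."""
    declared = guess_by_extension(filename)
    actual = sniff_content(data)
    if actual == "text/x-php":
        return False, f"{filename}: content is PHP source, not {declared}"
    if actual == UNKNOWN:
        return False, f"{filename}: content type not recognised"
    if declared != actual:
        return False, f"{filename}: extension says {declared} but content is {actual}"
    return True, f"{filename}: {actual}"


def demo() -> dict:
    """Constructed sample uploads (only their leading bytes matter for sniffing)."""
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,     # honest PNG
        "not-an-image.jpg": b"<?php echo 'hi'; ?>",          # script disguised as JPEG
        "report.pdf": b"PK\x03\x04" + b"\x00" * 16,           # ZIP renamed to .pdf
        "notes.txt": b"plain text",                           # nothing we recognise
    }
    return {name: check_upload(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("ACCEPT" if ok else "REJECT", why)
```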

18. Paranoia - The Paranoia module attempts to identify all the places that a user can evaluate PHP via Drupal's web interface and then block those. It reduces the potential impact of an attacker gaining elevated permission on a Drupal site.

The specific features are:

  1. Disable granting of the "use PHP for block visibility" permission.
  2. Disable creation of input formats that use the PHP filter.
  3. Disable editing the user #1 account.
  4. Prevent granting risky permissions.

Looking for better security options? Drop us a line and our Drupal experts will be in touch.

Topics: Drupal, Security

Drupal and security: What you need to know

Posted by Nilanjana on Sep 24, 2015 1:17:00 PM

Security has always been an important area for every website, and it was discussed at DrupalCon Barcelona. The session started with an intro of the speakers and then moved on to Drupal security issues. Here are some of the tips that were shared initially:

  • HTTPS instead of HTTP; SSH keys and SFTP instead of FTP for file transfer
  • Strong password policy
  • Verify and sanitize database backups

Furthermore, securing the site configuration was discussed:

  • Make sure features like roles & permissions are configured properly, as this can be a very sensitive area through which attackers gain access
  • Text formats must be handled properly
  • Remove and avoid any module that allows you to run PHP code from the UI. It must be totally removed from your codebase as well, so that there is no chance of arbitrary PHP code being run in any case.
  • File permissions must be set properly

You can also secure your site by using products from Drupal hosting providers. They provide tuned Drupal security and performance (code, db, config, uploaded files) and manage security updates as well.

Security can also be enforced by using contrib modules like Secure Login, Paranoia, Security Review, and many more.

Sites can also be secured by following the security process that includes:

  • Coordinating with the Drupal Security team
  • Educating the community on security best practices
  • Copying the security advisory for every security release

The most common issues were:

  • XSS
  • Access bypass
  • CSRF
  • SQL injection
  • Arbitrary code execution, and more

Drupal 8 is going to implement a lot more security hardening:

  • PDO MySQL statements limited to executing single statements
  • PHP execution in subfolders is forbidden in .htaccess
  • Clickjacking protection
  • Hashed user session IDs

Topics: Drupal, Security

Drupal Security Upgrade 7.32

Posted by Nilanjana on Dec 4, 2014 5:47:00 PM

The Drupal Security team announced a highly critical vulnerability in Drupal 7.x on October 15, 2014 which allows SQL injection attacks on websites. The vulnerability is called SA-CORE-2014-005 - Drupal core - SQL injection, and soon got the name Drupageddon.

The Team also announced the security release to address this: Drupal 7.32. All Drupal 7 users were asked to upgrade to this new release immediately.

Shortly after this announcement, many Drupal 7 sites were exploited through the vulnerability, which arose from the database abstraction API. According to the Security Team, “...this vulnerability allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.”

Seeing the widespread attacks made on Drupal sites following the announcement, it was further declared that if users had not upgraded their Drupal 7 versions to Drupal 7.32 within seven hours of the announcement, it was highly likely that the sites were already compromised.

At Srijan, all our systems use Git to manage the code base for the sites deployed on production servers. After the announcement, the sites were put into offline mode, the security patch was applied to the release tag, a new release tag was created and pushed to the production environment/server, after which the sites were reverted back to online mode. The complete process took around 20 minutes.

A patch was also released for sites which could not be upgraded to Drupal 7.32. However, neither the patch nor the upgrade would fix a site that had already been compromised. Many site owners also reported that the patch had already been applied to their sites even though they had not applied it themselves; this is being seen as one way to tell that a Drupal website has been compromised. Drupal.org also says that there may be no trace of an attack.

So what happens if your website has been compromised? It is possible that all your data has been copied and can be used for malicious purposes.

Attackers could also create access points or backdoors to reach the database, files directory, code and other locations. This could give them further access that could compromise services on the server. Removing these access points is not a fool-proof method. So if the patching or upgrade was not performed by your hosting provider, it’s best to revert to a backup of the website older than October 15.

The process described at drupal.org for this is as follows:

  • Take the website offline by replacing it with a static HTML page
  • Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack
  • Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
  • Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
  • Update or patch the restored Drupal core code
  • Put the restored and patched/updated website back online
  • Manually redo any desired changes made to the website since the date of the restored backup
  • Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.
  • A meticulous file integrity check of the site is required. If Git SCM is used, then "git status" or the Hacked module should be able to point out suspicious changes
  • An audit of the server is required.
  • Install the Security Review, Drupalgeddon and Site Audit contributed modules and run their checks.
  • Change the Drupal hash salt in settings.php that is used for password generation.
  • Reset all passwords.
  • Rebuild the menu system using "menu_rebuild".
  • Scan through the users to check for accounts that have the "admin" role when they do not require it.
  • Run scripts to check the public/private files locations for any PHP or shell files.
  • If the site is built using the Features module, check for any overridden features.
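The step above about scanning the public/private files locations for PHP or shell files, and the extension-only "guessing" criticised earlier on this page, come down to the same audit. The following Python script is an added example, not code from the original post or from Drupal; it walks a files directory and flags script extensions, uploads whose leading bytes do not match their extension, PHP open tags inside non-PHP files, and stray .htaccess files in subfolders (the extension list and the signature table are assumptions).

```python
# Audit a Drupal files directory (public or private) for dropped scripts and
# for uploads whose bytes do not match their extension. Added example, not code
# from the original post or from Drupal; extension list and table are assumed.
import os
import re

# Extensions a web server may execute; any such file in an upload tree is a red flag.
SCRIPT_EXT = {".php", ".phtml", ".php3", ".php5", ".phar", ".sh", ".pl", ".cgi"}
# Expected leading bytes for common upload types (assumed table; extend as needed).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def inspect_bytes(relpath, data):
    """Findings for one file, given its path relative to the files root and its
    raw bytes. An empty list means nothing looked suspicious."""
    findings = []
    ext = os.path.splitext(relpath)[1].lower()
    if ext in SCRIPT_EXT:
        findings.append("script extension in upload tree")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("content does not match %s signature" % ext)
    if ext not in SCRIPT_EXT and PHP_OPEN_TAG.search(data):
        findings.append("PHP open tag inside non-PHP file")
    # Drupal ships one .htaccess at the files root; a second one in a subfolder
    # can re-enable script execution for that folder.
    if os.path.basename(relpath) == ".htaccess" and os.path.dirname(relpath):
        findings.append(".htaccess in subfolder")
    return findings


def scan_files_dir(root):
    """Walk a files directory; return {relative_path: findings} for files that
    produced at least one finding."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root)
            findings = inspect_bytes(rel, data)
            if findings:
                report[rel] = findings
    return report
```

Run scan_files_dir() against sites/default/files and the private files path after restoring from backup; a clean tree returns an empty dictionary.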

In case a restore from a backup is not possible, it is recommended that the website be rebuilt from scratch.

What about other versions of Drupal? Drupal 6.x sites are not vulnerable to SA-CORE-2014-005. But if a Drupal 6 site is hosted on a server that also hosts a Drupal 7 site, it might be vulnerable. Also D6 sites using the DBTNG module might be vulnerable, according to the Drupal Security Team. Drupal core 8.0.x before 8.0.0-beta2 is also vulnerable.

Is your Drupal website at risk? Has it been compromised? If you need help to figure this out, contact us and we will get back to you immediately.

Topics: Drupal, Security
