Drupal Security Made Simple
Table of Contents
The Truth About Security..............................................................................3
Basic Security Principles...............................................................................5
Types of Hackers............................................................................................9
Knowing the Vulnerabilities........................................................................11
Preventing Vulnerabilities...........................................................................12
Protocols and Guidelines............................................................................19
Legalities and Privacy..................................................................................23
What to Do if You Get Hacked...................................................................24
The Truth About Security
Your Drupal website is done, it looks the way
a completely successful Drupal site. A report
you want it to and has all of the functionality
from the Center for Strategic and International
required, right? Wrong! Oftentimes people
Studies (CSIS) estimates that cybercrime costs
finish what looks like a complete Drupal site
businesses some $400 billion a year worldwide.
without giving a second thought to security.
It is always better to be on the proactive side of
However, security is a major factor in building
web security than on the reactive side.
“A report from the Center for Strategic and International Studies
(CSIS) estimates that cybercrime costs businesses some $400 billion
a year worldwide.”
Security Myths and Truths
I don’t accept credit cards
online, I don’t need to
worry about security.
Security of a system
needs to be built-in
using a holistic approach.
I don’t care if someone
cyber-squats on my
website, as long as they
don’t use too much
Security of your
system and protecting
company or client data is
You can only get viruses
or malware from shady
areas of the web.
Security includes an
audit of people, process
and technologies. Any
gaps in any of these
areas can cause critical
Security through
obscurity. I’m not
interesting enough. No
one wants to hack me.
The biggest security risk
is humans.
I don’t have anything
worth stealing on my site.
The cost to fix security
is more than the cost to
implement it properly
from the start.
All I need is an SSL. That
makes me secure.
PR damage can be
Why Hackers Target Sites
What is OWASP?
To use your computer
The Open Web Application Security Project
To steal services and/or valuable files
(OWASP) is a 501(c)(3) worldwide not-for-profit
For thrill and excitement
To get even
As a publicity stunt
organizations worldwide can make informed
To set up malicious commerce sites
decisions about true software security risks.
To spy
Prestige or bragging rights
Intellectual challenge
average cost to a company was $3.5 million in US
Money/Financial Gain
dollars and 15 percent more than what it cost last
To engage in various forms of credit card fraud
year. If you ever face a security breach and credit
charitable organization focused on improving the
security of software. Their mission is to make
software security visible, so that individuals and
Learn more about OWASP on their website.
The Cost of a Breach
As revealed in the 2014 Cost of Data Breach
Study: Global Analysis, sponsored by IBM, the
card information is stolen, having a proven record
of your PCI compliance can protect you from
financial penalties (ranging from $25 to $215 per
compromised card). Major corporations, such as
Heartland Payment Systems, have faced fines as
large as $12.5 million. Target attributed a portion
of its 5.3% loss in sales and a 46% drop in profit
during the 4th quarter of 2013 to its security
breach in November.
“If cars were built like applications [...] safety tests would assume
frontal impact only. Cars would not be roll tested, or tested for stability
in emergency maneuvers, brake effectiveness, side impact, and
resistance to theft.”
– Denis Verdon, Head of Information Security at Fidelity National Financial
The Basic Security Principles
A Holistic Approach to CyberSecurity
and Privacy, Security is a Process,
Not a Product.
Use the Right Tools
Website development is a combination of
a multitude of defenses or identify a multitude
people, process, and technology. Testing is the
of problems, in reality there are no silver bullets
most important part of an effective security
to the problem of insecure websites. Tools do
program. An effective testing program should
play a critical role though in the overall security
have components that test:
program. However, it is important to understand
People – to ensure that there is adequate
education and awareness;
Process – to ensure that there are adequate
policies and standards and that people know
how to follow these policies;
Technology – to ensure that the process has
been effective in its implementation.
While it is tempting to think that a security
scanner or application firewall will either provide
exactly what these tools can and cannot do that
they are not oversold or used incorrectly.
Think Strategically, Not Tactically
To prevent recurring security problems within
an application, it is essential to build security
into the Software Development Life Cycle
(SDLC) by developing standards, policies,
Unless a holistic approach is adopted, testing
and guidelines that fit and work within the
just the technical implementation of an
development methodology. Threat modeling
application will not uncover management or
and other techniques should be used to help
operational vulnerabilities that could be present.
assign appropriate resources to those parts of a
system that are most at risk.
By integrating security into each phase of
This is one of the reasons why automated
the SDLC, it allows for a holistic approach
tools are actually bad at automatically testing
to security that leverages the procedures
for vulnerabilities. Proper testing requires
already in place within the organization. Typical
creativity and at this point in history, still
SDLC phases include: define, design, develop,
requires humans.
deploy, maintain. Each phase has security
considerations that should become part of the
existing process, to ensure a cost-effective and
comprehensive security program.
Test Early, Test Often,
and Document
A superficial security review of an application
will instill a false sense of confidence that can
be as dangerous as not having done a security
review in the first place. Verify that every
possible section of the application logic has
been tested, and that every use case scenario
was explored for possible vulnerabilities.
When a bug is detected early within the SDLC,
Review the findings and weed out any false-
it can be addressed more quickly and at a
positives that may remain in the report.
lower cost. A security bug is no different from
Reporting an incorrect security finding can
a functional or performance-based bug in
often undermine the valid message of the rest
this regard. New threats arise constantly and
of a security report.
developers must be aware of those that affect
the software they are developing. Code reviews
are still an invaluable step in the process. If the
source code for the application is available,
it should be given to the security staff to
assist them while performing their review. It
is possible to discover vulnerabilities within
the application source that would be missed
during a black box engagement.
To conclude the testing process, it is important
to produce a formal record of what testing
actions were taken. The report must be clear
to the business owner in identifying where
material risks exist and sufficient enough to
get their backing for subsequent mitigation
actions. The report must be clear to the
developer in pinpointing the exact function that
is affected by the vulnerability, with associated
Successfully testing an application for security
recommendations for resolution in a language
vulnerabilities requires thinking “outside of
that the developer will understand (no pun
the box.” Good security testing requires going
intended). Last but not least, the report writing
beyond what is expected and thinking like an
should not be overly burdensome, so agree to
attacker who is trying to break the application.
a format that is acceptable to all involved.
Understand the Scope
It is important to know how much security a
given project will require. Discussions should
occur with legal council to ensure that any
specific security need will be met. Compliance,
i.e. HIPPA, to protect sensitive data, should be
known at the outset of the project to ensure
that it is properly implemented and tested
throughout the process.
Another important part of a good security
program is the ability to determine if things
are getting better. Metrics can show If more
education and training are required. They can
also show if there are gaps in the processes.
Or, if there is a particular security mechanism
that is not clearly understood by development.
Metrics can also help determine if the total
number of security related problems being
found each month is going down.
One of the first major initiatives in any good
security program should be to require accurate
documentation of the application. The
architecture, data-flow diagrams, use cases, and
more should be written in formal documents
and made available for review. The technical
specification and application documents
should include information that lists not only
the desired use cases, but also any specifically
disallowed use case. Finally, it is good to have at
least a basic security infrastructure that allows
the monitoring and trending of attacks against
an organization’s applications and network.
Types of Hackers
An ethical hacker is usually employed by an
organization who trusts him or her to attempt to
penetrate networks and/or computer systems,
using the same methods as a hacker, for the
purpose of finding and fixing computer security
vulnerabilities. Unauthorized hacking (i.e.,
gaining access to computer systems without
prior authorization from the owner) is a crime in
most countries, but penetration testing done by
request of the owner of the victim system(s) or
network(s) is malicious hacking.
Spam & Adware
Persistent Threat
The Malicious Hacker
Cyber Criminals
Professional criminals comprise the biggest
group of malicious hackers. They use malware
Corporate Spies
and exploits to steal money. It doesn’t matter
how they do it, whether they’re manipulating your
bank account, using your credit card numbers,
faking anti-virus programs, or stealing your
identity or passwords. Their motivation is fast,
big financial gain.
Cyber Warriors
Spam and Adware Spreaders
Purveyors of spam and adware make their
money through illegal advertising, either getting
paid by a legitimate company for pushing
business their way or by selling their own
Rogue Hackers
products. Cheap Viagra, anyone? Members
of this group believe they are just “aggressive
marketers.” Whatever helps them sleep at night.
Advanced Persistent Threat Agents
Cyber Warriors
Intruders engaging in APT-style attacks represent
Cyber warfare is a city-state against city-state
well-organized, well-funded groups — often
exploitation, with an endgame objective of
located in a “safe harbor” country — and they’re
disabling an opponent’s military capability.
out to steal a company’s intellectual property.
Participants may operate as APT or corporate
They aren’t out for quick financial gain like cyber
spies at times, but everything they learn is geared
criminals; they’re in it for the long haul. Their
toward a specific military objective. The Stuxnet
dream assignment is to essentially duplicate
worm is a great example of this attack method.
their victim’s best ideas and products in their
own homeland, or to sell the information they’ve
Rogue Hackers
purloined to the highest bidder. This group has
There are hundreds of thousands of hackers
been continually getting better, stronger and
who simply want to prove their skills, brag to
bigger. It is expected to top the charts this year
friends, and are thrilled to engage in unauthorized
according to all cyber security predictions.
activities. They may participate in other types
Corporate Spies
of hacking (crimeware), but it isn’t their only
objective and motivation. These are the traditional
Corporate spying is not new; it’s just significantly
stereotyped figures popularized by the 1983 film,
easier to do, thanks to today’s pervasive Internet
“War Games,” hacking late at night, while drinking
connectivity. Corporate spies are usually
Mountain Dew and eating Doritos. These are
interested in a particular piece of intellectual
the petty criminals of the cyber world. They’re
property or competitive information. They differ
a nuisance, but they aren’t about to disrupt the
from APT agents in that they don’t have to be
Internet and business as we know it, unlike
located in a safe-harbor country. Corporate
members of the other groups.
espionage groups aren’t usually as organized as
APT groups, and they are more focused on short
to mid-term financial gains.
A lot of hackers are motivated by political,
religious, environmental, or other personal beliefs.
They are usually content with embarrassing their
opponents or defacing their websites, although
they can slip into corporate-espionage mode if
it means they can weaken the opponent. Think
WikiLeaks or Anonymous.
Knowing the Vulnerabilities
The OWASP Top 10 focuses on identifying the most
serious risks for a broad array of organizations. For
each of these risks, they provide generic information
about the likelihood and technical impact using
Missing Function Level
Access Control
Cross-Site Request Forgery
Using Components with
Known Vulnerabilities
Unvalidated Redirects and
a simple ratings scheme, which is based on the
OWASP Risk Rating Methodology.
Broken Authentication and
Session Management
Cross-Site Scripting (XSS)
Insecure Direct Object
Security Misconfiguration
Sensitive Data Exposure
Protecting from these vulnerabilities is a must. Tools
can not do it all. Manual testing and attention to
detail is also a must. Security is multi-layered and all
layers must be properly configured. It is important to
remember that security is a process not a product.
Complacency is our biggest threat. OWASP provides
some great resources and tools, but only you know
the specifics of your environment and your business.
“It is important to remember that security is a
process not a product. Complacency is our biggest
threat. OWASP provides some great resources
and tools, but only you know the specifics of your
environment and your business.”
Preventing Vulnerabilities
The Target breach was easy to prevent by using a
Drupal core has had no major zero-day vulnerability
secure development process, a properly hardened
threat. The established process of the Security
server, profiling the behavior and setting up alerts
Team and resolution record mitigates the threat
and good corporate security framework.
of a vulnerability being disclosed publicly before a
fix is available. Responsible vulnerability reporters
Drupal Core and Security
Secrecy of source code is not a sustainable
security practice. Developers make mistakes and
cut corners but the increased visibility of code
are credited in all security advisories to encourage
continued advance disclosure.
Maintaining Strong Security
and emphasis on the individual in open-source
A strong security process on a Drupal site involves
communities encourages improved programming
running the latest secure releases of core and
skill and practices. Drupal’s strict requirements
contributed code, maintaining secure configuration,
before code can be committed to core increases
and implementing custom code that uses the
collaboration and peer-review as well as protecting
established APIs and follows best practices. It
against security holes.
is important to remember that security must be
Many other open source CMS applications do
not publicly produce vulnerability disclosures or
resolutions to the same degree as the Drupal
project. The Security Team publishes vulnerability
disclosures in the form of Security Advisories. The
core API tools and techniques, when used correctly,
address critical and common security risks. It is
important to understand that security is a process
and not a static product, and that there is always
room for improvement.
maintained on all software and hardware layers
as well. Staying informed of the latest security
releases is possible by many means. Advisories
are published on and accessible as RSS,
sent via an email list, and posted on several Twitter
accounts. In the administration pages, each Drupal
site also informs administrators of relevant security
releases. The front page of always lists
the most up-to-date and secure stable release
of core. Educational resources regarding secure
configuration and writing secure code are provided
A zero-day attack or threat is an attack that exploits
on and many community sites. Several
a previously unknown vulnerability in a computer
contributed modules provide security-related
application, meaning that the attack occurs on “day
services or implement specific security additions.
zero” of awareness of the vulnerability.
Applying Security Upgrades
Drupal Best Practices
Drupal core updates within a major branch almost
Drupal’s best practices also serve to keep your
exclusively containing security and bug fixes, so
Drupal site secure.
upgrades are usually quick and without fault. In
Never Hack the Core!
securely within the administrative interface of the
Backup your database and files
website. Contributed projects are not subject to
Avoid hardcoding
Drupal core’s strict policy so upgrade procedures and
Bundling site settings using Features
Ensure that your site is secure
Use test sites
Avoid too many modules
Drupal 7, applying module upgrades can be done
results vary. Popular community modules are often
better documented and supported.
Must Have Drupal Security Modules
The modules listed here will protect from all OWASP
vulnerabilities not addressed in core.
Security Review
Protects against: A05
The Security Review module automates testing for
many of the easy-to-make mistakes that render your
site insecure. This module is only a small part in the
security of a site. A site passing this review with no
additional security modules and audit, can not be
considered secure.
Protects against: Spam
Input Filters (Core)
A CAPTCHA is a challenge-response test most
Protects against: A03
often placed within web forms to determine whether
the user is human. The purpose of CAPTCHA is
By default, there are three input filters: Plain text,
to block form submissions by spambots, which
Filtered HTML and Full HTML. Additional filters can
are automated scripts that post spam content
be added on the Input filters page. Input filters are not
everywhere they can. The CAPTCHA module provides
associated with a WYSIWYG editor by default, and
this feature to virtually any user facing web form on
are configured accordingly (i.e. URLs turn into links
a Drupal site.
automatically and line breaks automatically become
<br> or <p> tags). Care should be taken when
configuring these filters to ensure the integrity of
Protects against: Spam
the system.
Automated Logout
Protects against: A02 A05 A06
Honeypot uses both the honeypot and timestamp
methods of deterring spam bots from completing
forms on your Drupal site. These methods are
effective against many spam bots, and are not as
This module provides a site administrator the ability
intrusive as CAPTCHAs or other methods which
to log users out after a specified time of inactivity. It
punish the user. The module currently supports
is highly customizable and includes “site policies” by
enabling for all forms on the site, or particular forms
role to enforce logout.
like user registration or password reset forms,
webforms, contact forms, node forms, and
comment forms.
Security Kit
Additional Security Modules
Protects against: A03 A08
The modules listed below will help sites pass a
The Security Kit module provides the Drupal
installation with various security hardening options.
This lets you mitigate the risks of exploitation of
different web application vulnerabilities. Most of this
can be achieved using http headers. But, if access to
the server does not permit, this module will correct
the issue.
Session Limit
Protects against: A02 A05 A06
Session Limit allows administrators to limit the
number of simultaneous sessions per user. By
default, a session is created for each browser that a
user uses to log in. This module will force the user to
log out of any extra sessions after they exceed the
administrator-defined maximum.
Username Enumeration Prevention
Protects against: A02 A05 A06
corporate audit and promote best practices:
Password Policy
Protects against: A02 A05 A06
The password policy module allows you to enforce
a specific level of password complexity for the user
passwords on the system. Example: an uppercase
constraint (with a parameter of 2) and a digit
constraint (with a parameter of 4) means that a user
password must have at least 2 uppercase letters and
at least 4 digits for it to be accepted.
Flood Control
This project is intended to add an administration
interface for hidden flood control variables in Drupal
7, like the login attempt limiters and any future
hidden variables.
PCI Update
A simple module to encompass updates to Drupal
When the module is enabled, the error message will
to satisfy vulnerabilities reported by Approved Scan
be replaced for the same message as a valid user
Vendors (ASV), often as a result of the PCI DSS
and they will be redirected back to the login form. If
compliance processes. Currently this module only
the user does not exist, no password reset email will
affects the login form, but will be a home for updates
be sent, but the attacker will not know this is the case.
as they are identified in the future.
Logging and Alerts
This is a collection of logging and alerts modules.
They interface to the new custom logging watchdog
hook available in 6.x. Currently, the following
modules are included:
Login Security
Email Logging and Alerts
The Login Security module improves the security
Allows routing of watchdog messages to various
options in the login operation of a Drupal site. By
email addresses, based on their severity levels. For
default, Drupal introduces only basic access control
example, emergency and critical messages need to
denying IP access to the full content of the site. With
go to a pager or mobile phone email address, while
the Login Security module, a site administrator may
debug messages go no where.
protect and restrict access by adding access control
features to the login forms (default login form
in /user and the block called “login form block”).
Enabling this module, a site administrator may limit
the number of invalid login attempts before blocking
accounts, or denying access by IP addresses,
temporarily or permanently.
This module utilizes rules (mostly regular
expressions) to review source code files for code
that needs to change due to Drupal API changes and
does not satisfy Drupal coding standards.
Web Server Logging
Allows routing of watchdog messages to the
web server’s error log. Note that what is in your
PHP configuration for error_log defines where
the message will go. For example, on a UNIX like
system, this will be syslog(3), which may end up in /
var/log/apache2/error.log, and on Windows, it would
be the event log. You define which severity levels
are to go to the error log. For example, you can only
specify that emergency and critical messages need
to go to the error log, and use other modules for the
other levels.
Watchdog Triggers
Generate Password
This is a great utility module which makes the
Provides a trigger for watchdog events. You may
now trigger actions when an event occurs.
password field optional (or hidden) on the add new
Watchdog Rules
user page (admin and registration). If the password
Provides rules integration for watchdog events. You
field is not set during registration, the system will
may now trigger additional ruleset responses when
generate a password. You can optionally display this
an event occurs.
password at the time it’s created.
Secure Login
HTML Purifier
Protects against: A02 A05 A06
Protects against: A03
The Secure Login module enables the user login and
The HTML Purifier is a standards-compliant HTML
other forms to be submitted securely via HTTPS, thus
filter library. The HTML Purifier will not only remove
preventing passwords and other private user data
all malicious code (better known as XSS) with a
from being transmitted in clear text. This module
thoroughly audited, secure yet permissive whitelist,
locks down not just the user/login page but also any
it will also make sure your documents are standards
page containing the user login block (or other forms
compliant, something only achievable with a
that you configure to be secured). For Drupal 7, the
comprehensive knowledge of W3C’s specifications.
Secure Login module enforces secure authenticated
session cookies, thus preventing session hijacking.
Content Security Policy
For previous versions of Drupal, PHP’s session.
Protects against: A03
cookie_secure flag must be enabled on the HTTPS
site to enforce secure authenticated session cookies.
The MD5 Check generates an md5 checksum of all
module files. If a module is changed a critical security
error is generated in a watchdog log. This module
should only be used in production environments.
This module does not and will not prevent your site
from being ‘hacked’. This module scans the currently
installed Drupal, contributed modules and themes,
re-downloads them and determines if they have been
changed. Changes are marked clearly and if the diff
module is installed then Hacked! will allow you to
see the exact lines that have changed. Hacked! also
An implementation of the Content Security Policy
specification. The content Security Policy is intended
to mitigate a large class of Web Application
Vulnerabilities: Cross Site Scripting. Cross Site
Request Forgery has also become a large scale
problem in Web Application Security, though it is not
a primary focus of Content Security Policy. More
The Paranoia module attempts to identify all the
places that a user can evaluate PHP via Drupal’s
web interface and then block those. It reduces the
potential impact of an attacker gaining elevated
permission on a Drupal site. Disable user 1 account
when not in use with drush.
provides drush integration so that you can see what
files have changed from the command line. This is
primarily a developer tool and should never ever (don’t
even think it) be installed on a production site.
Testing Tools
VEGA Scanner: Vulnerability Scanner
•Zap: OWASP Penetration tool
Nessus Scanner: Monitor and Scan Server
•CSF: Firewall and email protection, server configuration
There are some tools for specific vulnerabilities as well:
SQL Inject Me browser plugin
HackBar browser plugin
Tamper Data browser plugin
Protocols and Guidelines
The W3C mission is to lead the World Wide Web to its
rather than an annual validation exercise. The new
full potential by developing protocols and guidelines
version emphasizes the need to establish a culture of
that ensure the long-term growth of the Web. Below
security through more education to maintain and drive
we discuss important aspects of this mission, all of
accountability throughout the organization. It also
which further W3C’s vision of One Web.
calls out the need for more processes to ensure that
payments are secure, rather than merely ensuring that
Payment Card Industry Data Security
Standard (PCI DSS)
a merchant has a specific security technology in place.
Requirement 1: Install and Maintain a Firewall!
Requirement 2: Do Not Use Vendor Supplied
Default Passwords!
There has been a lot of confusion between merchants
and service providers over where responsibilities lie.
Requirement 3: Protect Stored Data!
The new version adds guidance to cloud providers and
Requirement 4: Encrypt transmission of
merchants to ensure there is ‘shared responsibility’.
The merchant cannot outsource accountability, as it
has shared responsibility with the service provider to
comply with the standards.
cardholder data across open, public networks
virus software or programs!
The Payment Card Industry Data Security Standard
(PCI DSS) is a proprietary information security
standard for organizations that handle cardholder
information for the major debit, credit, prepaid, e-purse,
ATM, and POS cards. Defined by the Payment Card
Industry Security Standards Council, the standard was
created to increase controls around cardholder data to
made mandatory as of January 1st, 2015 and is a
complete game changer for most Drupal eCommerce
‘business as usual’ process. A good example of this is
Requirement 7: Restrict access to cardholder
data by business need-to-know!
Requirement 8: Assign a unique ID to each
person with computer access!
Requirement 9: Restrict physical access to
cardholder data!
Requirement 10: Track and monitor all access
to network resources and cardholder data!
Requirement 11: Regularly test security
systems and processes!
sites. The new version added a ‘Best Practices for
Implementing PCeI’ section, aiming to turn it into a
Requirement 6: Develop and maintain secure
systems and applications!
reduce credit card fraud via its exposure.
Version 3.0 of the PCI compliance standard has been
Requirement 5: Use and regularly update anti-
Requirement 12: Maintain a policy that
addresses information security for all personnel!
how it aims to make PCI DSS compliance ‘continuous’
Health Insurance Portability and
Accountability Act (HIPPA)
“Individually identifiable health information” is
information, including demographic data, that
relates to:
The individual’s past, present or future
physical or mental health or condition
HIPAA is the federal Health Insurance Portability
and Accountability Act of 1996. The primary goal of
the law is to make it easier for people to keep health
insurance, protect the confidentiality and security
of healthcare information and help the healthcare
industry control administrative costs.
A person who knowingly obtains or discloses
individually identifiable health information in
The provision of health care to the individual
The past, present, or future payment for the
penalty of up to $50,000 and up to one-year
provision of health care to the individual
imprisonment. The criminal penalties increase to
Any information that identifies the individual or
$100,000 and up to five years imprisonment if the
for which there is a reasonable basis to believe
wrongful conduct involves false pretenses, and
it can be used to identify the individual.
to $250,000 and up to 10 years imprisonment if
Individually identifiable health information
includes many common identifiers (e.g., name,
address, birth date, Social Security Number).
violation of the Privacy Rule may face a criminal
the wrongful conduct involves the intent to sell,
transfer, or use identifiable health information for
commercial advantage, personal gain or malicious
harm. The Department of Justice is responsible for
criminal prosecutions under the Privacy Rule.
Transmission Security — Integrity Controls
(addressable): Implement security measures
Access Control — Unique User Identification
to ensure that electronically transmitted ePHI is
(required): Assign a unique name and/or
not improperly modified without detection until
number for identifying and tracking
disposed of.
user identity.
Transmission Security - Encryption
Access Control — Emergency Access
(addressable): Implement a mechanism to
Procedure (required): Establish (and
encrypt ePHI whenever deemed appropriate.
implement as needed) procedures for obtaining
necessary ePHI during an emergency.
Access Control — Automatic Logoff
(addressable): Implement electronic
procedures that terminate an electronic session
after a predetermined time of inactivity.
Access Control — Encryption and Decryption
(addressable): Implement a mechanism to
encrypt and decrypt ePHI.
Audit Controls (required): Implement hardware,
software, and/or procedural mechanisms that
record and examine activity in information
systems that contain or use ePHI.
HHS offers insight into the Security Rule and
assistance with the implementation of the security
NIST Security Compliance
Preliminary CyberSecurity Framework
Recognizing that the national and economic
security of the United States depends on the
reliable functioning of critical infrastructure, the
President under the Executive Order “Improving
Critical Infrastructure CyberSecurity” has directed
NIST to work with stakeholders to develop a
voluntary framework for reducing cyber risks to
Integrity — Mechanism to Authenticate
critical infrastructure. The Framework will consist
ePHI (addressable): Implement electronic
of standards, guidelines, and best practices to
mechanisms to corroborate that ePHI has
promote the protection of critical infrastructure. The
not been altered or destroyed in an
prioritized, flexible, repeatable, and cost-effective
unauthorized manner.
approach of the framework will help owners and
Authentication (required): Implement
operators of critical infrastructure to manage
procedures to verify that a person or entity
CyberSecurity-related risk while protecting business
seeking access to ePHI is the one claimed.
confidentiality, individual privacy and civil liberties.
Section 508 Compliance
Web Content Accessibility Guidelines 2.0
In 1998 the US Congress amended the Rehabilitation
Web Content Accessibility Guidelines (WCAG)
Act to require Federal agencies to make their
2.0 cover a wide range of recommendations for
electronic and information technology accessible
making Web content more accessible. Following
to people with disabilities. Section 508 was enacted
these guidelines will make content accessible to
to eliminate barriers in information technology,
a wider range of people with disabilities, including
to make available new opportunities for people
blindness and low vision, deafness and hearing loss,
with disabilities, and to encourage development
learning disabilities, cognitive limitations, limited
of technologies that will help achieve these goals.
movement, speech disabilities, photosensitivity and
The law applies to all Federal agencies when they
combinations of these. Following these guidelines
develop, procure, maintain, or use electronic and
will also often make your Web content more usable
information technology. Under Section 508 (29 U.S.C.
to users in general.
§ 794d), agencies must give disabled employees and
members of the public access to information that is
comparable to the access available to others.
”[...] These guidelines will make content accessible to a wider range of
people with disabilities, including blindness and low vision, deafness and
hearing loss, learning disabilities, cognitive limitations, limited movement,
speech disabilities, photosensitivity and combinations of these. Following
these guidelines will also often make your Web content more usable to
users in general.”
Legalities and Privacy
Information privacy or data protection laws
There should be mechanisms for individuals
prohibit the disclosure or misuse of information
to review data about them, to ensure
held on private individuals. Over 80 countries
accuracy. This may include periodic reporting.
and independent territories have now adopted
comprehensive data protection laws including
nearly every country in Europe and many in Latin
America and the Caribbean, Asia and Africa. The US
needed for the stated purpose.
limited sectoral laws in some areas.
These laws are based on Fair Information Practices,
first developed in the United States in the 1970s by
the Department for Health, Education and Welfare
(HEW). The basic principles of data protection are:
Transmission of personal information to
locations where “equivalent” personal data
is notable for not having adopted a comprehensive
information privacy law but rather having adopted
Data should be deleted when it is no longer
protection cannot be assured is prohibited.
Some data is too sensitive to be collected,
unless there are extreme circumstances.
(e.g., sexual orientation, religion)
There really isn’t any accountability at this point.
Just a lot of finger pointing. Cases are going to the
state level. States laws are varying. We are currently
For all data collected there should be a
in a legal and accountability quagmire. As in many
stated purpose.
cases, the law has to catch up with the technology.
Information collected by an individual
As of January 1, 2015, the Shared Responsibility
cannot be disclosed to other organizations
became a part of PCI compliance, which means
or individuals unless authorized by law or by
more accountability moving forward.
consent of the individual.
Records kept on an individual should be
accurate and up to date.
What to Do if You Get Hacked
Inform interested parties. This includes
Change all passwords.
employees, contractors, clients, visitors
Identify the vulnerability.
Make corrections to the system, i.e.
anyone that may need/expect access to
your website.
Contact the web developer and/or
hosting company.
re-configure firewall, install firewall,
Restore the site. It may be necessary
restore only certain functionality where
limit access etc.
Audit server and site security.
Correct any vulnerabilities.
security can be guaranteed, until the
vulnerability is corrected.
It’s critical to again note that preventative protection
against hacking is easier, less expensive and less
time consuming than taking reactive steps. Taking
a holistic approach to CyberSecurity is the first
step in creating an effective and complete security
program. Being knowledgeable of the vulnerabilities,
understanding the scope of a project, using the
right tools, and testing early and often, you can
prevent the attacks of the many types of malicious
hackers. Being compliant with the different protocols,
guidelines, and privacy policies will also help to
ensure the long-term stability of your application.
About the Author
Krista Trovato
Quality Assurance Team Lead, Blink Reaction
[email protected]
Krista is a 20 year quality assurance expert. Her comprehensive
knowledge of the internet, information technology and software
development have helped her in leading many successful QA efforts.
Why Blink Reaction
Blink Reaction is a full service strategy, design, development and
testing agency. We’re one of a handful of privately selected Acquia
partners based on our knowledge and ability to execute and produce
results. We employ some of the world’s best thought leaders in Drupal
and the Web. Our Drupalists have experience in all stages of the
development process including security. We know how to design and
build systems that target and convert customers while optimizing
business at the same time.
Digital Experiences
That Deliver Results
We are a global full-service digital agency, specializing in
the Drupal platform. You’ll love more than the experience,
you’ll love the results.
Give Us a Call: (732) 792–6566
116 Village Blvd. Suite 303, Princeton, NJ 08540
125 Cambridge Park Dr. Suite 310, Cambridge, MA 02140