The UK National Cyber Security Centre has advised action following Russia’s further violation of Ukraine’s territorial integrity.
We have entered a period of heightened cyber threat. Whilst there are measures in place at the ISP and national level it is also prudent to ensure your site security meets best practice. Please find below a short security briefing that is essential reading - it explains the reality we face, the likely types of cyber attack and advice on mitigating the impact of an incident.
The threat is real, and has been seen before.
In 2017, a very rapid cyber attack called “NotPetya” occurred. This was an attack, believed to be of Russian origin, against Ukrainian institutions and companies. Whilst the West wasn’t the focus, the worm spread to Western organisations. Exposure came by virtue of large multinationals with a presence in the region becoming infected; it then spread into their wider networks, which had a knock-on effect.
The estimated cost for Western companies was around $10 billion. Reportedly, Maersk, the shipping giant, spent $300 million alone.
Ransomware is another proven threat. The “WannaCry” ransomware attacks affected the NHS a few years ago, caused by vulnerabilities in unpatched software that was exposed to the Internet. This locked out terminals and medical imaging tools that were running Windows XP. These were very important and expensive pieces of equipment, worth hundreds of thousands of pounds, that could not be used.
Current likely threats
Collateral damage is now likely.
NotPetya was not a deliberate attack on Western companies, but rather collateral damage from the sort of attack that Symantec reported having occurred in Ukraine yesterday. These types of viruses or worms can spread quickly and highlight the threat posed, prior to any potential deliberate attacks.
DDOS may occur.
Deliberate attacks are likely to be directed at the ISP level, but could also be distributed denial of service (DDOS) attacks against any prominent organization, or any organisations connected to the Government.
Internet neighbour threats are likely and hard to predict.
A DDOS attack could equally affect you because of your Internet neighbours: if someone who happens to use similar hosting or similar tools is being attacked, that attack can also take you down. Depending on the size of the denial of service attacks that occur, and on which platforms are targeted, there can be quite unexpected consequences. For instance, an issue with AWS may lead to Netflix dropping out along with other very prominent brands that do not seem to have obvious dependencies.
Ransomware is likely.
Criminals can take advantage of the greater uncertainty that periods of internet instability create. What we've seen in past attacks is that there is not always a clear distinction between what's state activity and what is just a criminal group. We've also seen that some of the attacks involve ransomware approaches which look criminal, but potentially only to mask a political purpose of an attack and increase plausible deniability. This is not to discount the fact that there will be normal ransomware gangs taking advantage of the situation and conducting their own attacks at the same time.
Organisation side phishing will increase.
Be aware that within your organisation you may start to receive unexpected emails or communications that take advantage of the chaos in these types of situations. They might use a subject related to the evolving situation to get people to click on a link or open an attachment, as a way into the organisation.
What you can do
Along with hardening your defenses, you also need to take stock of what your Internet presence is, and the business requirements that have dependencies on the Internet. You can then define the contingencies and rehearse plans, like backup plans and alternative communication plans.
You need to ensure that you're in the best position possible to fend something off, or mitigate the impact of an attack. Then you also need to plan out what happens when something does go down - so you can still get in touch with your audience, whoever that is.
Mitigation should consider your site, IT, email, social and the reaction of your audience. These things are multifaceted so there's going to be an element of everything in there. So you need to include things like your ability to email people, your social media, your website and think of them all together.
Another aspect is that times of heightened anxiety can affect your audience. Your audiences may behave differently or they may require different information. So it's worth also thinking about what information needs your audience has, whether those have changed, whether you need to display new information on your homepage or across the site.
Keep it simple - use checklists
In this situation a checklist is probably the best solution - an organised set of steps that you can follow for best practice. In the UK, the National Cyber Security Centre has published advice on what they recommend should be ticked off.
When we're talking about websites specifically all of the previous steps apply but there are also some simple immediate things to check:
Check that your website is up to date with security patches.
Are all of the users on the website users who still need access?
Do you have a Web Application Firewall in place?
And what is your backup schedule and location? These are the four most important things for any website owner to consider.
Organisation-wide Cyber security checklist
First step, check your System patching.
That means check your updates. This applies to websites and digital platforms. The reason it's important is that being up to date means that any known vulnerabilities will have been fixed. It's also especially important when some of these attacks are automated, i.e. when it's bots performing the attacks, because they generally look for things such as out-of-date software.
The second step would be to verify your access controls.
So, that's making sure that all of the administrator accounts still belong to people who need to be administrators. Consider adding multi-factor authentication for access to the more privileged accounts.
The third step would be to check that you have firewalls in place and antivirus software.
That applies from an IT point of view to your general organisation network, but in a website context firewalls are also an important defence to consider, especially if you don't have one in place already. They can protect the website against a lot of the simplest and most common types of attack, and they normally also include protection against Denial of Service attacks.
The fourth step is logging and monitoring.
Make sure that you know which logs you have in place. For example, would you know if your website goes down? Who would be notified? What tools are you using to monitor that?
The fifth step is to have a backup plan.
Do you have a backup plan for your important systems, especially your website? Do you understand how long it would take to restore a backup, what that process would be and who would need to be involved? Do you understand how much data would be lost if you had to restore from a backup? And does this plan work if you have lost access to the Internet and can’t use email?
The Facebook outage a few months ago wasn't due to an attack; it was due to a misconfiguration, but that misconfiguration locked Facebook's system administrators out of their accounts. It blocked their internal communication tools because they were using Facebook Messenger, for example, to communicate internally. It also took down their physical access to a data centre because the access control system on the door relied on a Facebook domain name. So you do have to think about the process aspects of it, and what would happen if different parts of your normal response aren't available to you.
So with backups it’s essential to know what's in place, how long it would take to restore and how much data would be lost when you restore a backup. For example, if you have a backup set to a daily frequency and you find out 12 hours later that you need to use the backup, you'll have lost 12 hours of data at least, probably more by the time you've restored the backup. So when there's heightened risk you might want to review whether to increase the frequency of your backups; you might move to backups every two hours, for example. That way, if you have to use one, you’ll only have lost a few hours of data.
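The website checks earlier on this page (patching, who still has access, backups) and the backup data-loss reasoning just above can be turned into a repeatable audit rather than a mental list. The script below is an added example written for this page, not code from the original post or from the Drupal project. All of its input data is constructed: the module table, the account export and the backup timestamps stand in for what you would pull from your own site (for a Drupal site, its module and user lists) and from your backup tooling. The thresholds (90 days idle, one missed backup interval) and the helper names are assumptions you should adjust to your own policy.

```python
# Added example (not from the original post): a checklist-style audit that turns
# the website checks into pass/fail findings. All data below is constructed.
from datetime import datetime, timedelta

NOW = datetime(2022, 2, 25, 9, 0)  # constructed "current time" for the audit


def version_tuple(version):
    """'9.3.5' -> (9, 3, 5) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_patching(modules):
    """Step 1, patching: flag anything installed below its latest secure release.

    modules maps a module name to (installed version, latest secure version).
    """
    return [
        f"{name}: {installed} installed, {secure} available"
        for name, (installed, secure) in modules.items()
        if version_tuple(installed) < version_tuple(secure)
    ]


def check_access(accounts, approved_admins, stale_after=timedelta(days=90)):
    """Step 2, access control: review every account holding the administrator role.

    Flags admins who are not on the approved list, who have not logged in for
    longer than stale_after, and who have no multi-factor authentication.
    """
    findings = []
    for account in accounts:
        if "administrator" not in account["roles"]:
            continue
        idle = NOW - account["last_login"]
        if account["name"] not in approved_admins:
            findings.append(f"{account['name']}: administrator not on the approved list")
        if idle > stale_after:
            findings.append(f"{account['name']}: no login for {idle.days} days")
        if not account["mfa"]:
            findings.append(f"{account['name']}: privileged account without MFA")
    return findings


def check_backups(last_success, interval):
    """Step 5, backups: the last good backup must not be older than the schedule."""
    age = NOW - last_success
    if age > interval:
        return [f"last successful backup is {age} old, schedule is every {interval}"]
    return []


def worst_case_data_loss(interval, detection_delay, restore_time):
    """Step 5, backups: how much data you could lose when restoring.

    The most recent backup may be a full interval old when the incident happens,
    and nothing after it is recoverable until you notice the problem and finish
    the restore, so the loss window is interval + detection delay + restore time.
    """
    return interval + detection_delay + restore_time


# --- constructed sample data (hypothetical site, not real exports) -----------
MODULES = {
    "core": ("9.3.5", "9.3.6"),      # behind the latest secure release
    "webform": ("6.1.0", "6.1.0"),   # up to date
}
ACCOUNTS = [
    {"name": "alice", "roles": ["administrator"],
     "last_login": NOW - timedelta(days=3), "mfa": True},
    {"name": "old-contractor", "roles": ["administrator"],
     "last_login": NOW - timedelta(days=200), "mfa": False},
    {"name": "bob", "roles": ["editor"],
     "last_login": NOW - timedelta(days=10), "mfa": False},
]
APPROVED_ADMINS = {"alice"}  # the people who still need administrator access
LAST_BACKUP = NOW - timedelta(hours=30)
BACKUP_INTERVAL = timedelta(hours=24)


def run_checklist():
    """Collect findings per step; an empty list means the step passes."""
    return {
        "patching": check_patching(MODULES),
        "access": check_access(ACCOUNTS, APPROVED_ADMINS),
        "backups": check_backups(LAST_BACKUP, BACKUP_INTERVAL),
    }


if __name__ == "__main__":
    for step, findings in run_checklist().items():
        print(f"{step}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
    daily = worst_case_data_loss(BACKUP_INTERVAL, timedelta(hours=12), timedelta(hours=3))
    two_hourly = worst_case_data_loss(timedelta(hours=2), timedelta(hours=12), timedelta(hours=3))
    print(f"worst-case data loss, daily backups: {daily}; two-hourly backups: {two_hourly}")
```

Running it as written reports the out-of-date core release, the three problems with the contractor's administrator account and a backup that has missed its daily schedule; the two worst-case figures at the end show why the page suggests shortening the backup interval when risk is heightened, since the interval is the only one of the three terms you control before an incident happens.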
The sixth step is to have an incident plan.
You should rehearse your plans. This starts by knowing what your plans are and who's responsible for each part. Similarly, you should check what your Internet-facing footprint is, i.e. which systems are accessible over the Internet. Those aren't always obvious; sometimes they include internal tools that aren't generally thought of as public-facing but are accessible over the Internet. You should educate your team on how to spot and report phishing emails; there's comprehensive guidance in place already for that from people like the National Cyber Security Centre. You need to understand which third-party organisations have access to your systems, such as contractors, software vendors, suppliers or agencies that you work with.
You must ensure that any organisations that you're working with that do still need access understand and also acknowledge the increased threat and have a plan on their side.
It is important to brief the rest of your organisation, making sure that all of the relevant teams understand what is expected of them, how it might affect their workload and how they may need to respond.
Seek expert support
It is also prudent to understand what is available through official channels. For example, the National Cyber Security Centre has an early warning service, which informs you if they spot malicious activity specifically affecting you.
There are other channels to be aware of for receiving timely information during times of increased risk, and larger organisations sometimes choose to use a Managed Detection and Response service to alert them to threats. There’s also online information that you can download now and use to make a checklist for yourself - the NCSC is a good place to start. For larger organisations there should be frameworks already in place as part of standards schemes such as ISO 27001 and other governance; in that case there's normally already a defined process on paper, so it's just a matter of refreshing everyone's memory on what those processes are.
Get in touch with your existing website and IT providers for more information about their activities, and please do talk to us if you would like expert Drupal security consultancy.
What is the risk profile of Drupal compared to other platforms?
Drupal historically has been very popular with the public sector and government, and has a good security profile.
Drupal tends to be used for more complex needs and larger websites. That in itself brings some additional risk, because it may be used by higher-profile organisations, or the sites may contain more personal data and business-critical functionality.
Having said that, Drupal as a technology is very secure. The reason is that there's a standing security team in place. It is an open source platform, so there are teams of developers globally who are assigned to this task and monitor security threats. There's also a well-established, decade-old process for reporting security risks, which are then picked up by the security team and addressed privately so that patches can be released in a timely manner without alerting attackers. Accordingly, Drupal has a good track record of security fixes being rolled out, and there are regular security updates, tending to be at least once a month.
With Drupal you benefit from the herd effect of using a technology that has been tested by many tens of thousands of websites. The larger organisations that use Drupal work with security consultants and expert penetration testers to test the platform and the technology. Whenever those tests occur they occasionally have findings that go back to the security team, who then release a security update for everyone.
Therefore, Drupal compares very well against other platforms. The main comparison to draw would be with proprietary website platforms, such as Adobe Experience Manager or Sitecore. Security vulnerabilities exist in all software; that's just the nature of software. For example, Windows as an operating system has security updates all the time, as does Mac OS X, as does every operating system and every piece of software. The only difference between open-source and proprietary platforms is how actively they're maintained and how many people use them.
There is also the way in which vulnerabilities are communicated. With proprietary software, the company that maintains it decides whether to reveal the details of what any software update contains. Sometimes you'll see that there's a new version, and they won't announce that a security risk was fixed in that update, only that it was part of the maintenance that occurred.
Drupal is public and transparent about this. This is a strength, because you know exactly what's going on. It's important that people can tell a security update apart from a general update, and know that they should apply the security update immediately.