Secure content: a pipe dream ?

This post was originally published on AIIM's Expert Blogs by Serge Huber, CTO at Jahia Solutions


With all the recent news headlines relating to high profile websites hacked, the illusion of safe and secure content is slowly disappearing. As it is well known among security experts, security is only as safe as the weakest link in the chain, and this link is often a human one. So is there anything that can be done to protect online and offline content ? Or at least detect intrusions and modifications ? What are the best strategies and implementations that can help protect both your content and your infrastructure ?

Some of the recent hacks that have made news headlines involved hacks that were a little different from the usual run-of-the-mill attacks perpetrated on web sites. The New York Times network intrusion was an attempt by hackers reckoned to be working for the Chinese government to spy on the newspaper, clearly illustrating the possibility for government and military organizations to use modern warfare techniques to conduct intelligence missions.

Despite common thinking, this is really nothing new. Actually it has been suspected for a long time that virus’ have been created by various organized groups to serve deliberate purposes. For example one of the earlier viruses ever created was written by a pair of Pakistani programmers in order to protest against the pirating of their software.

Whatever the reason, intrusions will happen, and they will potentially cause damage to the content you are hosting on different publishing systems. So how can you protect against this, or what can be done to at least minimize damage to a minimum ? I present here a short list of recommendations that should help setup basic protection for content and systems, but it is by far not exhaustive nor complete, and is mostly presented to serve as a basis for more complete security setups.

1. Backups. This may seem obvious, but backups are an excellent way to restore any system to a state prior to an attack. Of course this means that backups should not be easy to compromise, and should be stored remotely, using different credentials than the usual ones used on the system. Backups should also be encrypted, using highly secure cryptography, and password and encryption keys should also be changed on a regular basis. Finally, and I cannot stress this point enough, backup restores need to be tested, as often I have seen backup procedures that were improperly tested and could not be used to restore the system to the exact state it had before an attack.

2. Passwords and lost password policies. Your content may be accessed and edited by many different users, and the protection of this content will be highly dependant on the safety of the user accounts. So the strength of the account security will only be as good as the password policies, which is nothing new, but more importantly it will be highly dependent on the security of the lost password recovery procedure. Most of the accounts hacks now go through lost password processes rather than attacking passwords directly, as these procedures are (still) often based on very simple questions that may be easy to answer by a motivated intruder. Of course this doesn’t mean that you shouldn’t have secure requirements for passwords, those are still necessary. A policy that is often recommended for users is to change their passwords regularly, but this one is sometimes unrealistic. People already have trouble remembering a few secure (meaning mostly random) password, now if they have to change them every month, they are going to spend their time in the lost password recovery procedure, which will then become their main mean of authentication, and therefore again the main potential point of attack.

3. Software upgrading. It is very important to keep all your running software (from the server operating system to the desktop end user application) up to date as most software vendors now react quickly to security issues. Your company might have constraints as to how to handle updates, for example requiring validation of every upgrade, but this will come at the cost of software security so it is usually more reasonable to separate minor upgrade from major ones, and learn to deal with the minor inconveniences this might bring. With the publicly available servers, it is highly critical to have up to date operating systems, as these are probably being scanned on a regular basis for security vulnerabilities.

4. Content change monitoring. On Wikipedia, the site administrators quickly had to deal with the problems of content destruction or minor changes that were dubious in nature. The solution they came up with (among others) were to find ways to monitor content changes to see if they were acceptable or not. Despite what you might think this is not so difficult. For example you can simply setup a web crawler that will retrieve the contents of a website and save it to files and then simply perform MD5 or SHA checksums on the downloaded content. You can then compare these with checksum archives on a regular basis to see what content has changed, and whether the changes are expected or not. Setting this up, in combination with email notifications might be a great way to check for unauthorized content editing, and might possibly catch changes even before a user browsing the site might see them. One thing that is critical in such a setup is that the crawler and the stored historical checksums should not be on the same network as the content, otherwise they might also be compromised if the content is hacked. In a more general way, setting up an intrusion detection system is a good practice, and highly recommended.

5. Perform your own intrusion tests. If you have the skills, or if you are confortable hiring them, I highly recommended performing your own intrusion tests on your systems. If you’re not familiar with him, Kevin Mitnick (famously known for being the world’s most wanted hacker now turned security consultant), has written really good books (see references below) about the real truths about network and content security. So when you perform your own intrusion testing, don’t forget the human element. Can anyone walk into your office and convince someone to make a change or retrieve a piece of information that they could not get off the internet ? Does anyone who uses the proper tech jargon seem like he’s trustworthy ? The answers to these questions might surprise you, and his books are good illustrations of these problems.

The above points are of course just some recommendations I think really need to be systematically applied and target a wide range of content systems. Of course the field of security is really wide and many other techniques (such as honeypots, PR damage control, ..) may help ensure content and system security. I only listed the ones I see as most important, but maybe you have good suggestions to add to this list ? If so, feel free to add them in the comments below.

Further recommended reading:
- Almost all US networks can be hacked: Intelligence Committee, ZDNet  
- What the New York Times Chinese hack tells us about the layer cake of hacking, The Guardian
- The Art of Deception: Controlling the Human Element of Security, Kevin Mitnick, Wiley Books, (very highly recommended reading for anyone interested in security)
- The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers, Kevin Mitnick, Wiley Books
- Bit9 hacked, its certificates stolen and used to sign malware, Net Security

Serge Huber
Serge Huber

Serge Huber est co-fondateur et directeur technique de Jahia. Il est membre de l'Apache Software Foundation et président du comité de gestion du projet Apache Unomi, ainsi que co-président de l'OASIS Customer Data Platform Specification.