Website Security from a Business Perspective


I was recently asked to comment on the compromise (or hack, although I don't like to use that term in the context of criminal behavior) of a very popular regional website (see my comments here). The site's homepage was replaced with an image of the Malaysian Coat of Arms and information about who was responsible for the attack. While not a desirable event for any organization to endure, the attack could have been much worse. How? In this case, the site was used to gain notoriety for the group responsible and not to attack the users of the site (read: the organization's customers and/or its data). The downtime of the site was minimal; the real site was back online within minutes of the first reports of the defacement. So how does an organization handle such an event? This brings us into the oftentimes confusing world of security. If you are well-versed in security, and website security in particular, you probably already have several ideas as to what happened. If you are not in security, you probably have no idea where to begin. Instead of making this another article on the technical measures that can be put into place, I'm going to look at it from the business's perspective, and in particular that of a business that either doesn't have security professionals on staff or has hired out its technology services and therefore relies exclusively on a third party.

Drupal SQL Injection Vulnerability

Drupal SQL Injection – SA-CORE-2014-005

This posting discusses the Drupal SQL Injection vulnerability, which affected Drupal versions 7.0 – 7.31. This security announcement was released on October 15, 2014 and was marked as Highly Critical. By October 29th, the Drupal Security Team posted a follow-on Public Service Announcement (PSA), which warned that all Drupal sites should be considered compromised if not patched by Oct 15th, 11pm UTC – only seven hours after the initial security release!