CNTHA Website Overhaul
Let’s all agree there is no safe harbour on the Internet. We must accept that there will always be cyber-attacks. The press is full of them, but three recent examples shared a feature in common with the CNTHA site. Their headlines read:
- Beware of hacked ISOs if you downloaded Linux Mint on February 20th 
- Website of security certification provider spreading ransomware 
- Mossack Fonseca Breach – WordPress Revolution Slider Plugin Possible Cause 
The common feature of these particular attacks was their use of Content Management System (CMS) frameworks, tools that allow non-programmers to edit websites through the same connection the world uses to read them. The best examples of these frameworks are Wordpress, Drupal, and Joomla, all excellent tools that are popular for good reason. But consider the security demands placed on the administrators in these stories and compare them with those of a volunteer website. The first organization hosts the top Linux distribution of the year in 2015, the second makes cybersecurity its very business, and the third promised to protect the financial practices of some of the richest people on the planet.
Although the CNTHA’s server never made the headlines, it did join the legion of email zombies for a few hours over the Christmas holidays. On December 29th a nightly script detected some misbehaving image files, and our server vendor confirmed that we had been sending spam. We repaired the system that same day, but the infected files had somehow appeared on a fully patched site with administrative access secured behind a virtual private network. A scan of VPN logs showed nothing suspicious. In our perpetual battle with hackers it was time for strategic retreat.
Our first task was to evaluate CNTHA’s needs. The site’s appearance from the web was not complex, comprising only web pages, PDF content, and search. We update it regularly but not every minute. We had enabled a password protected area for a time, but this was largely unused by the site’s members while being heavily abused by would-be intruders. We were hoping to include our PDF content in the search results but were having difficulty choosing the right CMS plugin for the job.
Through our analysis we established that the most important CMS features were the efficient publishing of updated content and a comprehensive search index. We decided we would replace our CMS with automation techniques widely used in open source software engineering. We could greatly reduce the server’s attack surface by automating its construction rather than relying on the dynamic page generation of a CMS. We would create our search index as part of the build program, and it could finally include the PDF content we had been missing. We would keep our content fresh by means of automated triggers with read-only access to our code base, replacing vulnerable passwords with strong cryptographic signatures.
The CNTHA website is now the result of a process we can easily protect, repeat, confirm, and improve. The code lives in secured version control repositories that are easy to share with appointed contributors. A separate software program generates our servers too, allowing us to experiment with new configurations, apply security patches, replace rogue or obsolete servers, and gradually improve our site’s quality, all with nearly no downtime. In the end, replacing our CMS with software engineering tools has made the result faster, safer, more scalable, and more robust. This meant that the Webmaster had to learn how to maintain such sites but good results have been achieved.