CMSs are easy to attack, but there are ways to at least try to fend off attackers, says Imperva’s Barry Shteiman
They are everywhere. Platforms whose vulnerabilities hackers seek to exploit cover the Internet. I’m talking, specifically, about content management systems (CMSs). As you may be aware, 20 percent of the top sites have already adopted CMS, and enterprises of all sizes will continue to rely on CMSs to edit, modify and publish content from a central interface.
From SharePoint and WordPress to Drupal and Joomla!, and beyond – businesses depend on third-party platforms to manage and present online content. Because CMSs are cheap, easy to deploy, and widely adopted by reputable organisations – like the White House, CNN, Harvard, to name a few, and many Fortune 500 companies – CMSs have become truly pervasive.
To give you an idea, according to research conducted by BSI in Germany, roughly 20 percent of vulnerabilities discovered in third-party code are found in the CMS core while 80 percent are found in plugins and extensions. From a hacker’s perspective, this is like shooting fish in a barrel.
The era of industrialised hacking
These platforms give hackers a much larger surface area to attack. This is fundamentally changing their modus operandi. In the past, a hacker would identify a single target, like an academic institution, a bank, or an e-commerce site, find a vulnerability in that target, and then exploit it to compromise or steal data. That is to say, a hacker had to be a fairly enterprising individual willing to put in some long, hard hours.
Nowadays, however, with the vast opportunities presented by CMS, hackers don’t break a sweat at all. They take the path of least resistance. Because CMS is greased for their success, hackers don’t waste precious time and resources identifying targets. They simply drop that part from their equation. Instead of identifying one specific target, hackers use search engines to identify common security vulnerabilities in a CMS platform as a means to accomplish server takeover and data theft. And there are literally thousands of them.
Once these weaknesses are identified, hackers use a search engine to easily fingerprint websites based on a CMS that harbours the known vulnerability and exploit it in multiple CMSs in many companies, fast.
Voila or $#@!. You and others have just been hacked. It’s really that easy.
Disrupting the efficiencies of hackers
Although the security threat landscape is constantly growing, businesses can defend themselves with some simple tactics. Awareness is always key. I encourage people and companies to “dork” themselves, to learn as much as possible from experts who know what the evolving risks and threats are, and what the necessary precautions are to protect your data and your business from today’s industrialised hacker.
Carefully monitor your applications. Reviewing your logs every now and then won’t fend off attackers. It’s important to have real-time alerting on your web applications that track against a baseline of behaviour so that any strange anomaly can be promptly investigated.
Lastly, assume that third-party code, like the CMS your website is based on, has countless security vulnerabilities, because it does. And don’t assume that your software development life cycle will automatically fix these problems either, because it won’t. Specific code authored by someone else is not controllable within your environment. You can’t fix code you don’t own. To protect your business from evolving risks and security threats, you can deploy a security solution like a Web Application Firewall that enables you to virtually patch vulnerabilities, mitigate new risks when they arise, and physically and virtually patch new CVEs.
Just because CMS attracts hackers doesn’t mean you can’t thwart them.
Barry Shteiman is Imperva’s senior security strategist
What do you know about Internet security? Find out with our quiz!