How your CMS could be breeding security vulnerabilities

They are everywhere.

Not hackers per se, but the very platforms whose vulnerabilities hackers seek to exploit. I'm talking about content management systems (CMSs). As you may be aware, 20 per cent of the web's top sites have already adopted a CMS, and enterprises of all sizes will continue to rely on CMSs to edit, modify, and publish content from a central interface.

From SharePoint and WordPress to Drupal and Joomla! and beyond, businesses depend on third-party platforms to manage and present online content. CMSs are literally everywhere. But like all software, and this is without exception, CMSs carry security concerns.

According to research conducted by BSI in Germany, roughly 20 per cent of vulnerabilities discovered in third-party code are found in the CMS core, while 80 per cent are found in plug-ins and extensions. Because CMSs are cheap, easy to deploy, and widely adopted by reputable organisations – like the White House, CNN, Harvard, and many Fortune 500 companies – CMSs have become truly pervasive.

The era of industrialised hacking

The popularity of CMSs have been a windfall for hackers. They give hackers a much larger surface area to attack, which is fundamentally changing their modus operandi. In the past, a hacker would identify a single target, like an academic institution, a bank, or an ecommerce site, find a vulnerability in that target, and then exploit it to compromise or steal data. That is to say, a hacker had to be a fairly enterprising individual willing to put in some long, hard hours.

Nowadays, however, with the vast opportunities presented by CMS, hackers don't break a sweat at all. They take the path of least resistance. Because the CMS is greased for their success, hackers don't waste precious time and resources identifying targets. They simply drop that part from their equation. Instead of identifying one specific target, hackers use search engines to identify common security vulnerabilities in a CMS platform as a means to accomplish server takeover and data theft. And there are literally thousands of them. Once these weaknesses are identified, hackers use a search engine to easily fingerprint websites based on a CMS that harbor the known vulnerability and exploit it in multiple CMSs in many companies, fast.

Voila. You and others have just been hacked. It's really that easy.

Disrupting the efficiencies of hackers

Although the security threat landscape is constantly growing, businesses can defend themselves with some simple tactics. Awareness is always key. I encourage people and companies to "dork" themselves, to learn as much as possible from experts who know what the evolving risks and threats are, and what the necessary precautions are to protect your data and your business from today's industrialised hacker.

Carefully monitor your applications. Reviewing your logs every now and then won't fend off attackers. It's important to have real-time alerting on your web applications that track against a baseline of behaviour so that any strange anomaly can be promptly investigated.

Lastly, assume that third-party code, like the CMS your website is based on, has countless security vulnerabilities, because it does. And don't assume that your software development life cycle will automatically fix these problems either, because it won't. Specific code authored by someone else is not controllable within your environment. You can't fix code you don't own. To protect your business from evolving risks and security threats, you can deploy a security solution like a web application firewall that enables you to virtually patch vulnerabilities, mitigate new risks when they arise, and physically and virtually patch new CVEs.

Just because CMSs attracts hackers doesn't mean you can't thwart them.

Barry Shteiman is director of security strategy for security company Imperva