BreachExchange mailing list archives

How your CMS could be breeding security vulnerabilities


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 10 Oct 2013 00:42:37 -0600

http://www.itproportal.com/2013/10/08/how-your-cms-could-be-breeding-security-vulnerabilities/

They are everywhere.

Not hackers per se, but the very platforms whose vulnerabilities hackers
seek to exploit. I'm talking about content management systems (CMSs). As
you may be aware, 20 per cent of the web's top sites have already adopted a
CMS, and enterprises of all sizes will continue to rely on CMSs to edit,
modify, and publish content from a central interface.

From SharePoint and WordPress to Drupal and Joomla! and beyond, businesses
depend on third-party platforms to manage and present online content. CMSs
are literally everywhere. But like all software, without exception, CMSs
carry security concerns.

According to research conducted by BSI in Germany, roughly 20 per cent of
the vulnerabilities discovered in CMS platforms are in the CMS core, while
80 per cent are in plug-ins and extensions, so the extensions you install
deserve at least as much scrutiny as the core itself. Because CMSs are
cheap, easy to deploy, and adopted by reputable organisations – like the
White House, CNN, Harvard, and many Fortune 500 companies – they have become
truly pervasive.

The era of industrialised hacking

The popularity of CMSs has been a windfall for hackers. It gives them a
much larger attack surface, which is fundamentally changing their modus
operandi. In the past, a hacker would identify a single target, like an
academic institution, a bank, or an ecommerce site, find a vulnerability in
that target, and then exploit it to compromise or steal data. That is to
say, a hacker had to be a fairly enterprising individual willing to put in
some long, hard hours.

Nowadays, however, with the vast opportunities presented by CMSs, hackers
don't break a sweat at all. They take the path of least resistance. Because
the same CMS code is deployed on so many sites, hackers don't waste
precious time and resources identifying targets; they simply drop that part
from the equation. Instead of picking one specific target, they start from
a known vulnerability in a CMS platform or one of its plug-ins (and there
are literally thousands of them) and use a search engine to fingerprint the
sites running the vulnerable version, keying on the version strings, asset
paths and other markers the CMS exposes by default, a technique commonly
called "dorking". They then exploit the same weakness across many sites in
many companies, fast.

Voila. You and others have just been hacked. It's really that easy.

Disrupting the efficiencies of hackers

Although the security threat landscape is constantly growing, businesses
can defend themselves with some simple tactics. Awareness is always key. I
encourage people and companies to "dork" themselves, to learn as much as
possible from experts who know what the evolving risks and threats are, and
what the necessary precautions are to protect your data and your business
from today's industrialised hacker.
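The following Python script is an added example, not part of the original article: it shows what "dorking yourself" reduces to in practice. Given one HTTP response from your own site, it reports the generator strings, asset paths and cache-busting version query strings that a search-engine dork or a CMS scanner keys on to identify the platform and its version, which is exactly the information the industrialised attacker described above searches for. The marker lists and the three sample responses are constructed for this example and are an illustrative subset, not a complete signature set.

```python
import re

# Markers are constructed for this example: an illustrative subset of what a
# search-engine dork or a CMS scanner keys on, not a complete signature set.
BODY_MARKERS = {
    "WordPress": [r"/wp-content/", r"/wp-includes/", r"/wp-json/"],
    "Drupal": [r"/sites/default/files/", r"Drupal\.settings"],
    "Joomla": [r"/media/jui/", r"/components/com_"],
}
HEADER_MARKERS = {"Drupal": ["x-drupal-cache"]}

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
VERSION_RE = re.compile(r"\d+(?:\.\d+)*")
ASSET_VERSION_RE = re.compile(r"[?&]ver=(\d+(?:\.\d+)+)")


def fingerprint(headers, body):
    """Infer CMS and version from a single HTTP response.

    headers: dict of response headers (matched case-insensitively),
    body: the HTML as text. Returns {"cms", "version", "evidence"}; the
    evidence lists the exact strings an attacker would search for, so the
    site owner knows what to remove or obscure.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cms = version = None
    evidence = []

    # 1. Explicit generator strings: the <meta name="generator"> tag that
    #    WordPress and Joomla emit by default, and Drupal's X-Generator header.
    candidates = []
    m = GENERATOR_RE.search(body)
    if m:
        candidates.append(("meta generator", m.group(1)))
    if "x-generator" in lower:
        candidates.append(("X-Generator header", lower["x-generator"]))
    for label, text in candidates:
        evidence.append(f"{label}: {text}")
        for name in BODY_MARKERS:
            if name.lower() in text.lower():
                cms = cms or name
        v = VERSION_RE.search(text)
        if v and version is None:
            version = v.group(0)

    # 2. Asset paths and headers that identify the platform even after the
    #    generator string has been stripped.
    for name, patterns in BODY_MARKERS.items():
        for pat in patterns:
            if re.search(pat, body):
                evidence.append(f"body path marker: {pat}")
                cms = cms or name
    for name, header_names in HEADER_MARKERS.items():
        for h in header_names:
            if h in lower:
                evidence.append(f"header: {h}")
                cms = cms or name

    # 3. Version leaks through cache-busting query strings on core assets
    #    (e.g. style.css?ver=3.6), checked only if nothing better was found.
    if version is None:
        v = ASSET_VERSION_RE.search(body)
        if v:
            evidence.append(f"asset version query: ver={v.group(1)}")
            version = v.group(1)

    return {"cms": cms, "version": version, "evidence": evidence}


# Constructed sample responses (headers, body); not captured from real sites.
WORDPRESS_RESPONSE = (
    {"Server": "Apache", "X-Powered-By": "PHP/5.3.3"},
    '<html><head><meta name="generator" content="WordPress 3.6" />\n'
    '<script src="/wp-includes/js/jquery/jquery.js?ver=1.10.2"></script>\n'
    "</head><body></body></html>",
)
STRIPPED_WORDPRESS_RESPONSE = (  # generator tag removed, but leaks remain
    {"Server": "nginx"},
    '<html><head><link rel="stylesheet" '
    'href="/wp-content/themes/twentythirteen/style.css?ver=3.6" />'
    "</head><body></body></html>",
)
DRUPAL_RESPONSE = (
    {"X-Generator": "Drupal 7 (http://drupal.org)", "X-Drupal-Cache": "HIT"},
    "<html><head><script>jQuery.extend(Drupal.settings, {});</script>"
    "</head><body></body></html>",
)

if __name__ == "__main__":
    for label, (hdrs, html) in (("wordpress", WORDPRESS_RESPONSE),
                                ("wordpress-stripped", STRIPPED_WORDPRESS_RESPONSE),
                                ("drupal", DRUPAL_RESPONSE)):
        result = fingerprint(hdrs, html)
        print(f"{label}: {result['cms']} {result['version']}")
        for item in result["evidence"]:
            print("   -", item)
```

Note the second sample: removing the generator tag alone does not help, because the theme stylesheet still carries the core version in its query string. Run the check against your own pages and treat every evidence line as a string an attacker can search for.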

Carefully monitor your applications. Reviewing your logs every now and then
won't fend off attackers. It's important to have real-time alerting on your
web applications that tracks against a baseline of normal behaviour, so that
any anomaly (one client sending far more requests than normal, a flood of
login attempts, requests for paths nobody normally asks for) can be promptly
investigated.
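To make the baseline idea concrete, here is an added example in Python (not from the original article): it parses access log lines in the Apache/nginx combined format, learns a baseline from a known-good window (per-client request volume, the set of paths normally requested, and how many login POSTs a client normally makes), then flags clients in a later window that deviate from it. All log lines are constructed for the example using documentation IP ranges; the thresholds are assumptions that a real deployment would tune on its own traffic.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format; the referer and user-agent fields are
# ignored here, so a shorter "common" format line parses too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse(lines):
    """Turn raw log lines into event dicts; lines that don't parse are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],  # drop the query string
            "status": int(m.group("status")),
        })
    return events


def is_login(path):
    return "login" in path.lower()


def build_baseline(events):
    """Summarise a known-good window: what 'normal' looks like per client."""
    per_client = Counter(e["ip"] for e in events)
    counts = list(per_client.values())
    mean = sum(counts) / len(counts)
    std = (sum((c - mean) ** 2 for c in counts) / len(counts)) ** 0.5
    login_posts = Counter(e["ip"] for e in events
                          if e["method"] == "POST" and is_login(e["path"]))
    return {
        "paths": {e["path"] for e in events},
        "mean": mean,
        "std": std,
        "max_login_posts": max(login_posts.values(), default=0),
    }


def detect(baseline, events, burst_k=3.0, login_factor=5, probe_min=3):
    """Compare a new window with the baseline; returns one alert per finding.

    The thresholds are assumptions for this example; tune them on real traffic.
    """
    by_client = defaultdict(list)
    for e in events:
        by_client[e["ip"]].append(e)
    burst_threshold = baseline["mean"] + burst_k * baseline["std"]
    login_threshold = login_factor * max(baseline["max_login_posts"], 1)
    alerts = []
    for ip, evs in sorted(by_client.items()):
        n = len(evs)
        if n > burst_threshold:  # volume far outside a normal client's
            alerts.append({"client": ip, "type": "burst",
                           "detail": f"{n} requests, threshold {burst_threshold:.1f}"})
        logins = sum(1 for e in evs if e["method"] == "POST" and is_login(e["path"]))
        if logins > login_threshold:  # password guessing against the CMS login
            alerts.append({"client": ip, "type": "login_flood",
                           "detail": f"{logins} login POSTs, threshold {login_threshold}"})
        unseen = {e["path"] for e in evs} - baseline["paths"]
        if len(unseen) >= probe_min:  # probing for plug-ins/paths nobody requests
            alerts.append({"client": ip, "type": "probe",
                           "detail": f"unseen paths: {sorted(unseen)}"})
    return alerts


# Constructed log lines (RFC 5737 documentation addresses), not real traffic.
BASELINE_LOG = [
    '203.0.113.10 - - [08/Oct/2013:09:00:01 +0000] "GET / HTTP/1.1" 200 5123',
    '203.0.113.10 - - [08/Oct/2013:09:00:03 +0000] "GET /wp-content/themes/t/style.css?ver=3.6 HTTP/1.1" 200 912',
    '203.0.113.11 - - [08/Oct/2013:09:01:10 +0000] "GET /about/ HTTP/1.1" 200 4211',
    '203.0.113.11 - - [08/Oct/2013:09:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2210',
    '203.0.113.11 - - [08/Oct/2013:09:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.12 - - [08/Oct/2013:09:02:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 6632',
]
WINDOW_LOG = [
    '203.0.113.10 - - [08/Oct/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 5123',
    '203.0.113.12 - - [08/Oct/2013:10:00:05 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 6632',
] + [  # one client hammering the login form
    f'198.51.100.7 - - [08/Oct/2013:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 2210'
    for s in range(25)
] + [  # another client probing for plug-ins that are not installed (names are placeholders)
    f'198.51.100.9 - - [08/Oct/2013:10:01:{s:02d} +0000] "GET /wp-content/plugins/{p}/readme.txt HTTP/1.1" 404 210'
    for s, p in enumerate(["plugin-one", "plugin-two", "plugin-three"])
]

if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for a in detect(base, parse(WINDOW_LOG)):
        print(f"[{a['type']}] {a['client']}: {a['detail']}")
```

The three detectors map to the three ways a CMS is usually attacked at scale: volume (automated exploitation), credential guessing against the login endpoint, and plug-in enumeration, which shows up as 404s for paths your real users never request. The baseline should be rebuilt periodically from traffic you have already reviewed, otherwise an attacker's activity becomes "normal".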

Lastly, assume that third-party code, like the CMS your website is based
on, has security vulnerabilities you don't yet know about, because it does.
And don't assume that your own software development life cycle will fix
these problems either, because it won't: code authored by someone else is
not under your control, and you can't fix code you don't own. To protect
your business from evolving risks and security threats, you can deploy a
security solution like a web application firewall that lets you virtually
patch vulnerabilities (block the requests that would trigger them before
they reach the vulnerable code), mitigate new risks when they arise, and
cover newly published CVEs until the vendor's fix can be applied.
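Virtual patching means stopping the request that would trigger a vulnerability before it reaches the vulnerable code, without changing that code. The Python WSGI middleware below is an added example of the idea, not the article's or any vendor's product: a rule either fences off an endpoint outright (the right move while a vulnerable extension waits for its fix) or rejects only requests whose parameters carry an attack pattern. The plug-in path in VP-001 is a hypothetical placeholder, not a real vulnerable component, and both rules are illustrative; in production the same logic would live in a WAF in front of the application, with a proper logging and alerting path instead of the in-memory audit list used here.

```python
import re
from urllib.parse import parse_qs


class Rule:
    """One virtual patch: a path pattern, optionally plus a parameter pattern.

    With no param_re the matching endpoint is denied outright; with one, only
    requests carrying the pattern in an inspected parameter are denied.
    """

    def __init__(self, rule_id, path_re, param_re=None, params=None):
        self.rule_id = rule_id
        self.path_re = re.compile(path_re)
        self.param_re = re.compile(param_re, re.I) if param_re else None
        self.params = set(params) if params else None  # None = inspect all

    def matches(self, path, query):
        if not self.path_re.search(path):
            return False
        if self.param_re is None:
            return True
        for name, values in query.items():
            if self.params is not None and name not in self.params:
                continue
            if any(self.param_re.search(v) for v in values):
                return True
        return False


class VirtualPatch:
    """WSGI middleware that applies the rules before the request reaches the app."""

    def __init__(self, app, rules):
        self.app = app
        self.rules = rules
        self.blocked = []  # audit trail of (rule_id, path), for tuning and alerting

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        for rule in self.rules:
            if rule.matches(path, query):
                self.blocked.append((rule.rule_id, path))
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [f"blocked by virtual patch {rule.rule_id}\n".encode()]
        return self.app(environ, start_response)


# Illustrative rules. The plug-in path in VP-001 is a hypothetical placeholder,
# not a real vulnerable component.
RULES = [
    Rule("VP-001", r"^/wp-content/plugins/example-plugin/upload\.php$"),
    # Directory-traversal sequences in any parameter of any PHP script. parse_qs
    # decodes once, so the %2e%2e%2f alternative catches double-encoded input.
    Rule("VP-002", r"\.php$", param_re=r"\.\./|\.\.\\|%2e%2e%2f"),
]


def demo_app(environ, start_response):
    """Stand-in for the CMS: everything that gets here is served."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served by the application\n"]


def run(app, path, query=""):
    """Drive a WSGI app with a constructed GET request; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path,
                         "QUERY_STRING": query}, start_response))
    return captured["status"], body


if __name__ == "__main__":
    app = VirtualPatch(demo_app, RULES)
    for p, q in [("/index.php", "page=about"),
                 ("/wp-content/plugins/example-plugin/upload.php", ""),
                 ("/index.php", "page=../../etc/passwd"),
                 ("/index.php", "page=%252e%252e%252fetc")]:
        status, _ = run(app, p, q)
        print(f"{status:14} {p}?{q}")
    print("blocked:", app.blocked)
```

Two caveats a practitioner would add: a virtual patch is a stop-gap, so every rule should carry the identifier of the real fix it is waiting for and be retired when that fix is deployed; and rules scoped too broadly (VP-002 without the `.php` path restriction, say) start blocking legitimate traffic, which is why the middleware records what it blocked.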

Just because CMSs attract hackers doesn't mean you can't thwart them.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
