[BreachExchange] Security tips for CMS

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 14 19:07:41 EDT 2017


https://www.cmscritic.com/security-tips-for-cms/

Information security has become key for any business in the current
technological climate. The need for experienced personnel to secure company
assets and analyse potential risks to data is increasing daily. Public
security breaches are becoming a regular news feature, to the embarrassment
of the large companies responsible for losing vital customer information,
and security vulnerabilities are being exploited more than ever as our
world becomes ever more connected.

CIA model

The ‘CIA model’ is used by security professionals as a guide for policies
that ensure information within an organisation is secured.
Confidentiality represents the set of rules that limits access to
information, integrity is the assurance that the information is trustworthy
and accurate, and availability is the guarantee of reliable access to the
information by authorised personnel.

To keep in line with the CIA model, it is important for companies to
consider the extent to which information is spread across different
applications and members of the enterprise. Content management systems
represent a large chunk of internal and external information for a lot of
companies, therefore it is important for those responsible to take the
security of these systems seriously to prevent the loss or manipulation of
important data.

The wide integration of CMSs is understandable given the sheer amount of
data companies have to handle on a day-to-day basis. A one-stop shop to
create and manage digital content is highly desirable for organising and
distributing information. These systems are heavily relied upon to store a
lot of data, some of which is of extreme importance and, if compromised,
could affect a business’s productivity in a huge way.

Security of Open Source vs. Proprietary

One of the major questions people ask when deciding about the security of
an application is whether it’s open source or proprietary. Open source
projects rely heavily on the community for evolving and maintaining the
software, whereas proprietary projects are built and maintained by a single
company and typically do not allow access to the source code.

Some conclude that due to past security breaches of open source projects,
which were made public, the open model is inherently insecure. Those who
come to such a conclusion believe that because the source code is made
publicly available it makes it vulnerable to hackers reviewing the code and
finding possible entries for exploitation. On the other hand, supporters of
the open model believe that the transparent nature of the source code means
that the community behind the project can spot bugs and security holes that
are likely to go unnoticed by a smaller team of people.

The reality is that both proprietary and open source projects have
vulnerabilities and are susceptible to security breaches. It would be
incorrect to say that open source is more, or less, susceptible to attacks.
The fact that proprietary projects are implemented by employed
professionals and are distributed for profit can easily lull a buyer into a
false sense of security, but it is important to note that this doesn’t make
them wholly immune to attack.

Use plug-ins sparingly

CMSs generally have a wide variety of plug-ins and add-ons available for
their platforms, and this wide variety of extensions gives the user the
means to customise and utilise features that aren’t included in the
original package. The disadvantage of using plug-ins, however, is that far
more vulnerabilities are found in the source code of plug-ins than in the
CMS itself, and each additional application integrated gives attackers more
potential points of entry. Therefore, it is worthwhile finding out the
exact requirements that suit the business’s needs, so that unnecessary
external plug-ins are never installed. It is also worth paying attention to
reviews and recommendations from those in the CMS community, and not being
too quick to download brand new plug-ins, which may have serious security
flaws.

CMS maintenance

Regular maintenance of any CMS is mandatory to keep security at a high
level. If there’s an update, it is worth taking some time to implement the
newest version of the chosen CMS. This may sound simple, but the importance
of updating can’t be stressed enough, as this is where developers release
patches for discovered bugs and the most stable version of the system.
Where large amounts of confidential data are held, log monitoring should
also be implemented to keep tabs on system events, so that if anything
were to happen, a detailed footprint is available for analysis and for
preventing a similar event in the future. Log monitoring can be
implemented by an experienced admin or by using plug-ins for the various
CMSs, but as stated in the previous point, users should be wary of the
reliability of any plug-in and take appropriate steps to ensure the plug-in
is trustworthy.

Risk Assessment and Treatment

When it comes to information security, it is a game of hide and seek.
Attackers will find a hole in some software and developers will catch up
and patch it as soon as possible, until another hole is found, and so
forth. For that reason, risk assessment is used by information security
professionals to assess the incidents that could potentially occur and
what damage could be caused to the company’s assets. Once a detailed report
of the potential risks has been developed, it allows for the best possible
safeguarding against potential attacks. Using tools such as vulnerability
scanners (some free tools aimed at CMSs are available online) allows admins
to determine the weakest aspects of the systems in use and find ways to
strengthen their security. With this information, risk treatment
guidelines can be created that will minimise the damage done in the event
of a breach; they should be implemented as part of an overall disaster
recovery plan.

URL rewrites

One of the most common attacks experienced on popular CMSs comes through
the generic URLs provided when setting up the system
(www.domain.com/wp-admin for WordPress, for example). By targeting these
generic URLs, attackers can undermine the standard log-in procedure and
gain unauthorised access to company data. After locating the log-in page,
an attacker can use a brute force or dictionary attack against weak
passwords to gain access. By rewriting the URL and adopting strong
passwords, sites are much less vulnerable to such attacks. Experienced
developers can perform a URL rewrite themselves, and there are also
plug-ins that will carry out the process automatically. Changing the
default ‘Admin’ name in the URL and on the administrator account will also
help prevent attackers stumbling across easy entry points.

With the growing anxiety surrounding the security of information,
provisions will continue to grow to safeguard the data our personal and
working lives have come to depend on. IT administrators should spend at
least 15 minutes per day maintaining all aspects of company systems, making
adequate backups and installing patches if required. It is also worth
noting that the weakest part of any security implementation is the human
aspect. The most robust security system on the planet won’t provide
protection against staff who are easily manipulated into handing out
credentials over the phone. Enlightening staff members to the importance of
securing company data is the first step in the right direction in
protecting the systems at the heart of any business.