They are everywhere.
Not hackers per se, but the very platforms whose vulnerabilities hackers seek to exploit. I’m talking about content management systems (CMSs). As you may be aware, 20% of the top sites have already adopted CMS, and enterprises of all sizes will continue to rely on CMSs to edit, modify, and publish content from a central interface.
From SharePoint and WordPress to Drupal and Joomla!, and beyond—businesses depend on third-party platforms to manage and present online content. CMSs are literally everywhere. But like all software, and this is without exception, CMSs have many security concerns.
To give you an idea, according to research conducted by BSI in Germany, roughly 20% of vulnerabilities discovered in third-party code are found in the CMS core while 80% are found in plugins and extensions. From a hacker’s perspective, this is like shooting fish in a barrel.
Because CMSs are cheap, easy to deploy, and widely adopted by reputable organizations – like the White House, CNN, Harvard, to name a few, and many Fortune 500 companies – CMSs have become truly pervasive.
The era of industrialized hacking
The popularity of CMSs have been a windfall for hackers. They give hackers a much larger surface area to attack. This is fundamentally changing their modus operandi. In the past, a hacker would identify a single target, like an academic institution, a bank, or an ecommerce site, find a vulnerability in that target, and then exploit it to compromise or steal data. That is to say, a hacker had to be a fairly enterprising individual willing to put in some long, hard hours.
Nowadays, however, with the vast opportunities presented by CMS, hackers don’t break a sweat at all. They take the path of least resistance. Because CMS is greased for their success, hackers don’t waste precious time and resources identifying targets. They simply drop that part from their equation. Instead of identifying one specific target, hackers use search engines to identify common security vulnerabilities in a CMS platform as a means to accomplish server takeover and data theft. And there are literally thousands of them. Once these weaknesses are identified, hackers use a search engine to easily fingerprint websites based on a CMS that harbor the known vulnerability and exploit it in multiple CMSs in many companies, fast.
Voila or $#@! You and others have just been hacked. It’s really that easy.
Disrupting the efficiencies of hackers
Although the security threat landscape is constantly growing, businesses can defend themselves with some simple tactics. Awareness is always key. I encourage people and companies to “dork” themselves, to learn as much as possible from experts who know what the evolving risks and threats are, and what the necessary precautions are to protect your data and your business from today’s industrialized hacker.
Carefully monitor your applications. Reviewing your logs every now and then won’t fend off attackers. It’s important to have real-time alerting on your web applications that track against a baseline of behavior so that any strange anomaly can be promptly investigated.
Lastly, assume that third-party code, like the CMS your website is based on, has countless security vulnerabilities, because it does. And don’t assume that your software development life cycle will automatically fix these problems either, because it won’t. Specific code authored by someone else is not controllable within your environment. You can’t fix code you don’t own. To protect your business from evolving risks and security threats, you can deploy a security solution like a Web Application Firewall that enables you to virtually patch vulnerabilities, mitigate new risks when they arise, and physically and virtually patch new CVEs.
Just because CMS attracts hackers doesn’t mean you can’t thwart them.
To learn more about these kinds of security threats, watch CMS Hacking 101: Analyzing the Risk of 3rd Party Applications.
About the Author
Barry Shteiman | Imperva | @bshteiman
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.