Several statistics gathering engines on the web reveal an interesting picture. Content management systems (CMS) have become far more popular in the last couple of years. A trend graph over at builtwith.com shows that over 20% of the top 10,000 websites rely on CMS. And it’s fair to assume that the number is higher for companies that use a CMS as a middleware between their content and their front end website.
But like all software, and this is without exception, CMSs have many security concerns.
Let’s take a closer look at a research paper published by Checkmarx. We learn that in WordPress (which is the most widely deployed CMS right now) seven of the top 10 e-Commerce plugins and 20% of the top plugins are vulnerable to attack. These are sobering numbers. When a company chooses a CMS to support online transactions, they rarely give thought to the fact that the shopping cart mechanism, for instance, can be easily hacked, resulting in PCI violations and credit card and PII data theft. This has the potential to become a really big problem that we cannot ignore.
In other research conducted by BSI in Germany, we learn that roughly 20% of vulnerabilities discovered in third-party code are found in the CMS core while 80% are found in plugins and extensions.
One of the most interesting developments we’ve seen is the addition of item A9 to the OWASP Top 10. This change describes the threat of “Using known vulnerable components,” which means that OWASP recognizes the problem of using third-party code and applications (like a CMS) with known vulnerabilities and weaknesses embedded in them, raising the risk of being breached.
Net-net: CMSs are a petri dish of vulnerabilities.
CMS as ‘the path of least resistance’
The popularity of CMSs has been a boon for hackers. They give hackers a much larger surface area to attack. This is fundamentally changing the way they operate. In the past, a hacker would identify a single target, like an academic institution, a bank, or an ecommerce site, find a vulnerability in that target, and then exploit it to compromise or steal data. That is to say, a hacker had to be a fairly enterprising individual willing to put in some long, hard hours.
Now with the vast opportunities presented by CMS, hackers don’t break a sweat at all. They simply take the path of least resistance. Because CMS is greased for their success, hackers don’t waste precious time and resources identifying targets. Instead of identifying one specific target, hackers use search engines to identify common security vulnerabilities in a CMS platform as a means to accomplish server takeover and data theft. And there are literally thousands of them. Once these weaknesses are identified, hackers use a search engine to easily fingerprint websites based on a CMS that harbors the known vulnerability and then exploit it in multiple CMSs in many companies, fast.
As part of our hacker research process at Imperva, we investigate different botnets managed by cyber criminals and closely monitor their activity. We definitely see a huge opportunity for hackers to move from manually infecting computers online to simply adding them to larger botnet schemes, using different identification mechanisms, such as “Google Dork,” to identify CMSs and other third-party vulnerabilities. This makes it very easy for hackers to inject malware and onboard infected servers for later use.
In the past, hackers focused on hacking personal computers. Nowadays it makes a lot more sense to focus on CMS servers because: (1) It’s fairly easy to hack into a CMS server where vulnerability options are
massive. By comparison, it takes a lot more time and effort to breach a PC or device. (2) Hacking a CMS server is cost efficient. If a botnet’s goal is to create DDoS attacks, 100 severs could potentially have the same impact as 100,000 infected PC and devices. From a hacker’s perspective, it just makes good business sense to focus on servers as targets. It’s quicker, easier and cheaper.
Steps to protect your business
Although the security threat landscape is constantly shifting, businesses can defend themselves with some simple tactics. Awareness is always key. I encourage companies to “dork” themselves, to learn as much as possible from experts who know what the evolving risks and threats are, and what the necessary precautions are to protect your data and your business from today’s industrialized hacker.
Be vigilant. Carefully monitor your applications. Have real-time alerting on your web applications that track against a baseline of behavior so that any strange anomaly can be promptly investigated, because reviewing your logs every now and then won’t fend off attackers.
Lastly, assume that all third-party code, including the CMS your website is based on, has countless security vulnerabilities, because it does. And don’t assume that your software development life cycle will automatically fix these problems either, because it won’t. Specific code authored by someone else is not controllable within your environment. It’s impossible to fix code you don’t own. Vigilantly patching vulnerabilities, coupled with physical and virtual patching of CVEs, can help protect your business from these evolving security threats.
Just because CMS attracts hackers doesn’t mean you can’t protect your business.
Barry Shteiman is Director of Security Strategy at Imperva.