How Companies are Hacked via Basic CMS Vulnerabilities

If you run a business in the modern world, then you have to have some sort of digital presence, and that probably means a website. And if you run a website, then you know that running a website can get to be a bit of a headache.

Even if you let your tech guys handle most of the heavy lifting for you, now and then you’re going to have to get hands-on to make sure that you’re getting the results you want. Most of us need a little help with that, and that’s where your CMS comes into play.

What’s A CMS?

CMS stands for Content Management System. Now, that’s a pretty broad, flexible term. It doesn’t refer to any specific type of management system; it just refers to, well, systems for managing online content. This means that it applies to website management systems as well as social media posting schedulers and so on. Pretty much any system that manages online content, the kind that’s intended for a human audience, is going to be referred to as a CMS. Systems past, present and future are all referred to by the same label. If you’re building a whole new, custom-made system to manage your files and web content, they’re gonna call that a CMS once it’s implemented.

CMS has become a sector all its own. People are always looking for an easier, more intuitive way to manage digital tasks. Whether it’s coding an app or running a website, the irony of a programmer’s job is that they’re sort of working to make their own jobs obsolete. Of course there will always be a place for programmers, but many of the tasks that we once offloaded onto low-level coders are now manageable from your phone with a few quick taps and swipes. Modern tech is all about user-friendliness, taking tasks that once demanded a team of professionals and turning them into something that almost anyone can do through a simple interface. That ease of accessibility does bring some problems along with it, however.

Security Concerns

If you run a website, then you have to be concerned about security issues. Maybe it’s not a big deal for, say, a restaurant whose website is just there to list the menu and business hours and maybe run a blog. In the worst case, someone hacks your website and vandalizes it, but customers are going to be pretty forgiving of that kind of thing. It’s mildly embarrassing, but it’s not a serious liability concern.

But if, on the other hand, you have any transactions going through your website at all, then security is going to be a major concern. A breach can compromise the information of everyone who has ever made a purchase through your website. And if your customers are having their information compromised, then the whole future of your business may be in jeopardy. Even if you can contain the breach and make sure that nobody winds up having to call their credit card company to fix the problem themselves, your reputation still takes serious harm, and there is no shortage of stories about companies that never recovered from a data breach.

A CMS offers a lot of ways in for someone who is after that data.

What Are The Vulnerabilities?

The very ease of use is both the greatest strength and the greatest weakness of a good CMS. The strengths come down to the fact that a good CMS is going to be easy to install, it’s going to have ready-made functions and components like forums and so on, and you can add new features, give permission to new users, and manage the whole thing without much effort or technical know-how. This means that the very best content management systems tend to be incredibly popular, since almost anyone can download and install them very easily, and they’ll probably keep them running if they like what they see. This popularity means that most businesses are running just a handful of systems. So attackers are, in effect, crowd-sourcing the labor of learning how to crack these systems.

In any knowledge-based field, the more people you have working on a single task, the more efficient each individual is going to be. Twenty years ago, if you wanted to know something, you had to walk to the library. Now you can go online and find all the research you need in seconds because thousands of other people have already gone to the library for you. This is why research papers are all about citations. It’s also why hackers are so effective at cracking popular platforms. It’s not just the guy trying to break into your system you have to worry about; it’s every hacker trying to break into every system that uses the same CMS software.

That popularity can also lead to stronger security, of course. There may be thousands of people trying to break into the software, but there’s a small army of people trying to make it safer to use, as well. Whenever there’s a minor breach, the user who experienced it can send a report to the company that creates the CMS, and the company can put out an update to patch up that vulnerability.

Unfortunately, security is by definition reactive rather than proactive. So, by definition, hackers are always one step ahead. It might not always be a very big step, but the security team can’t patch up vulnerabilities until they know what those vulnerabilities are. This is why companies like Google offer “bounties” to anyone who can crack their security. By paying white-hat hackers for the job, they make it more profitable to help keep the system safe than to crack it for illegal reasons.

Is It Just The Software That’s Vulnerable?

CMS typically refers to the software itself, although, for security reasons, it’s not unwise to think of the entire pipeline as part of the CMS. Many breaches take place not because someone hacked into the server, but because someone on staff was careless with company secrets or left their work-issued phone where someone could get it, and maybe they were too embarrassed to say anything until it was too late to lock the phone out remotely. In any event, making sure that both the digital and human components of your CMS are working in unison for strong security is of the utmost importance.

Training seminars on company security can go a long way towards keeping you safe. A lot of the human-element data breaches are not “inside jobs”; rather, they come down to a lack of understanding of the nature of digital security. Teaching your people how to keep sensitive data safe is just as important as the software end of your digital security plan.

Staying Safe

There will probably never be any such thing as a one hundred percent safe system in any line of work, and that’s not just software. The best hand sanitizer can do is eliminate ninety-nine percent of germs. The same goes for online security. There’s always going to be some risk involved in putting data on a server that is accessible to millions of computers around the world. The companies who produce the software we need and help to manage our data and so on can help to make it a little bit safer today than it was yesterday, but we need to put some effort in, as well. There are a few key failings on the part of many who use content management systems, and by dealing with these we can keep our data a little safer:

  • Don’t ignore patches and updates. The whole reason many systems work on a subscription basis rather than a one-time-payment basis is because of these patches and updates. If your CMS developer is trying to send you an update, it’s probably because they just found out about a vulnerability in the system and they’re trying to patch it up before the hackers get talking about it in their forums and chat rooms.
  • Third-party plugins are a gamble. Before installing any third-party plugin you should do a little research. Some of them may carry trojans, but even if the software developer is on the level, plugins can offer a backdoor for hackers to get into your system. You should be able to find forum conversations and so on where people are discussing the vulnerabilities of these plugins. Did anyone get hacked after installing it? Does the developer release their own security updates from time to time? Make sure that there are no added vulnerabilities before installing a third-party plugin for your content management system.
  • Set your own configuration. The default configuration may not pose an immediate vulnerability, but it does make the system a little easier for a hacker to navigate if they can safely assume that you haven’t made any fundamental changes to the CMS. Anyway, you’re just going to get better results out of your content management system if you take the time to fine-tune it to your own needs for your website or other content distribution outlets. Think of it like suburban housing: if a burglar has been in one of them, then he already knows how the neighbors’ homes are laid out. Unlike suburban housing, you’re free to modify your CMS to your heart’s content at no additional charge and with no pesky letters from the Homeowners Association.
  • Make sure your administrators and other tech guys know what they’re doing. Some tech people just aren’t very savvy about security concerns. Whenever you’re hiring someone new to your tech team, make sure to cover security concerns during the interview and feel them out to make sure they know what they’re doing. For best results you may want to be willing to sponsor additional training for your people. Some techies have a habit of coasting on the knowledge they came in with rather than continuing to push their abilities forward.
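The first two points above (applying patches and keeping an eye on third-party plugins) start with knowing what is actually installed. Here is an added example, not from the original post, that inventories a WordPress plugins directory by reading each plugin's standard header comment and flags anything below a minimum patched version; the sample plugin files and the version table are constructed for illustration, not real advisories.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# WordPress plugins declare themselves in a header comment block in their main PHP file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin header block."""
    return {key: value for key, value in HEADER_RE.findall(php_source)}

def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def find_outdated_plugins(plugins_dir: str, minimum_patched: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Walk wp-content/plugins and return (name, installed, required) for plugins below the patched version."""
    outdated = []
    for entry in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, entry)
        if not os.path.isdir(plugin_path):
            continue
        for filename in sorted(os.listdir(plugin_path)):
            if not filename.endswith(".php"):
                continue
            with open(os.path.join(plugin_path, filename), encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read(4096))  # the header sits at the top of the file
            name, installed = header.get("Plugin Name"), header.get("Version")
            if not name or not installed:
                continue
            required = minimum_patched.get(name)
            if required and version_tuple(installed) < version_tuple(required):
                outdated.append((name, installed, required))
            break  # only one file per plugin carries the header
    return outdated

# Constructed sample install: two plugins, one of them behind the version its vendor patched.
SAMPLE_PLUGINS = {
    "example-forms/example-forms.php": "<?php\n/*\nPlugin Name: Example Forms\nVersion: 2.3.1\n*/\n",
    "example-gallery/gallery.php": "<?php\n/**\n * Plugin Name: Example Gallery\n * Version: 1.9.0\n */\n",
}
MINIMUM_PATCHED = {"Example Forms": "2.4.0", "Example Gallery": "1.8.2"}  # constructed table, not real advisories

def build_sample_install() -> str:
    """Write the constructed plugins into a temporary directory shaped like wp-content/plugins."""
    root = tempfile.mkdtemp()
    for rel_path, source in SAMPLE_PLUGINS.items():
        full_path = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(full_path), exist_ok=True)
        with open(full_path, "w", encoding="utf-8") as fh:
            fh.write(source)
    return root

if __name__ == "__main__":
    for name, installed, required in find_outdated_plugins(build_sample_install(), MINIMUM_PATCHED):
        print(f"{name}: installed {installed}, fixed in {required}")
```

In a real deployment the minimum-version table would come from the vendor's changelog or a vulnerability feed, and the script would point at the live wp-content/plugins directory.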

Most content management systems have built-in capabilities for tracking vulnerabilities, and you can also install scanners to make sure that WordPress and Joomla are not going to offer an open door and a welcome mat to hackers. Essentially, if you stay on top of it, you’re probably going to be safe. Most hackers are not specifically targeting anyone. It’s more like fishing: you’re not chasing the one that’s too smart to grab the bait, you’re chasing the one that’s going to bite the first worm it sees. Hackers are like that. They’re looking for people who have their guards down. By keeping up to date and hiring the right people, you might not be completely invulnerable, but most hackers will decide that you’re not worth the effort.
