Endpoint Security: Could CMSs Pose Problems?
In today’s fast-paced business world – especially in retail, where products change daily, even hourly – there’s an ever-growing need for quick changes to web content.
That used to be the responsibility of webmasters and developers who created HTML code, JavaScript modules, and plug-ins on the fly, but therein lies a fundamental problem: a critically important task depended on a handful of people. To scale websites sustainably, the process had to be decentralized, so a new method was developed: web content management systems, or WCMSs — often simply called CMSs. But with all these content management personnel now working from thinly protected or unprotected endpoints, could CMSs pose endpoint security problems?
“There are a lot of potentially dangerous areas when using CMSs, but one that jumps out to me in retail is front-end scripts and potential cross-site scripting attacks,” said Mike Catania, chief technology officer at PromotionCode.org, a consumer couponing community and merchant services website. “Most retail sites are concerned about site performance speed. Calling third-party, compressed JavaScript files is a quick way to improve performance. Unfortunately, even a sophisticated developer is going to struggle when evaluating what a compressed file says and does. With the rise of browser tools that can execute JavaScript, we’re going to see more sites imperiled by failure to perform due diligence on their chains of third-party scripts.”
And in the current e-commerce climate, the barrier for bringing a product to market is so low that many companies rely on unverified plug-ins and outdated CMSs instead of trained developers, according to Catania.
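The practical defence against an unreadable compressed third-party script is not to read it but to pin it: review one copy, hash it, and have the CMS template emit that hash as a Subresource Integrity value so the browser refuses any later version that differs. The following added example (written for this page, not code from the article or from PromotionCode.org) computes the pin, re-checks a fetched copy against it, and audits a rendered template for third-party scripts that carry no `integrity` attribute. `APPROVED_SCRIPT`, `SAMPLE_TEMPLATE`, the `cdn.example.net` and `shop.example` hosts are constructed sample values.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the minified third-party script exactly as it looked when it was reviewed.
APPROVED_SCRIPT = b"!function(){document.title='promo widget v1'}();"

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the digests the SRI spec accepts


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value ("sha384-<base64 digest>") for content."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"SRI allows only {SRI_ALGORITHMS}, not {algo!r}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def matches_pin(fetched: bytes, integrity: str) -> bool:
    """True if a freshly fetched copy still hashes to the pinned value (the check a browser performs on load)."""
    algo, _, _ = integrity.partition("-")
    try:
        return hmac.compare_digest(sri_hash(fetched, algo), integrity)
    except ValueError:  # unknown or malformed algorithm label: treat as no match
        return False


def pinned_script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag a CMS template should render for a reviewed third-party script."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


class _ScriptAudit(HTMLParser):
    """Collect external <script src> references that carry no integrity attribute."""

    def __init__(self, own_hosts: set[str]):
        super().__init__()
        self.own_hosts = own_hosts
        self.unpinned: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script: SRI does not apply
        host = urlparse(src).netloc
        # Relative URLs (empty netloc) and our own hosts are first-party; anything else needs a pin.
        if host and host not in self.own_hosts and not a.get("integrity"):
            self.unpinned.append(src)


def find_unpinned_scripts(html: str, own_hosts) -> list[str]:
    """Scan a rendered page or template and return third-party script URLs with no integrity attribute."""
    audit = _ScriptAudit(set(own_hosts))
    audit.feed(html)
    return audit.unpinned


# Constructed template fragment: one first-party script, one unpinned and one pinned third-party script.
SAMPLE_TEMPLATE = """
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/widget.min.js"></script>
<script src="https://cdn.example.net/pinned.min.js" integrity="sha384-placeholder" crossorigin="anonymous"></script>
"""

if __name__ == "__main__":
    pin = sri_hash(APPROVED_SCRIPT)
    print(pinned_script_tag("https://cdn.example.net/widget.min.js", APPROVED_SCRIPT))
    print("unchanged copy accepted:", matches_pin(APPROVED_SCRIPT, pin))
    print("modified copy rejected:", not matches_pin(APPROVED_SCRIPT + b"//x", pin))
    print("unpinned third-party scripts:", find_unpinned_scripts(SAMPLE_TEMPLATE, {"shop.example"}))
```

Running `find_unpinned_scripts` over the CMS's rendered output in a build or deployment step turns "did anyone vet this script chain?" into a failing check; the pin only protects against a CDN copy that changes after review, so the review itself still has to happen once.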
Unverified, Untested Plug-ins, and Endpoint Security
If CMSs could pose endpoint security problems, unverified plug-ins may be a large part of the problem. And the problems may seem particularly acute when it comes to e-commerce sites. Software supply-chain security is only as good as the weakest link.
“Mentioning e-commerce systems, automated imports from vendor sites have recently become popular, and they could be built into the CMS or in the form of a plug-in,” said Nikolai Tenev, enterprise applications developer and CEO of DigidWorks, a development agency and provider of enterprise and management software. “This is dangerous because the site you’re importing from might have bad data in its database.”
Keep in mind, Tenev says, that plug-ins are far less tested and inspected for bugs and intentional hacks. MSSPs operating websites for customers can easily see why they are a potential threat: in most cases, plug-ins are developed by third parties, so they could carry embedded malware, such as a cryptominer.
Credential Stuffing and Endpoint Security
And while CMSs could pose endpoint security problems for content management personnel generally, high-level administrators could be at even greater risk: their larger public profiles make them appealing phishing targets. This would not be as big a problem if they practiced prudent password hygiene, but they are only human, after all, and tend to reuse their credentials.
“Administrators themselves are the greatest risk of WCMS platforms,” said Michael Wilson, CTO at Enzoic, cybersecurity and fraud prevention specialists. “They reuse login credentials on different systems and make them easy for hackers to guess. This allows attackers to …
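A CMS cannot tell from its own salted password hashes whether an administrator reuses the same password elsewhere, but it can refuse passwords that are already circulating in breach dumps, which is what reused credentials become. The added example below (written for this page; not code from the article or from Enzoic) shows the k-anonymity range-lookup pattern used by Have I Been Pwned's Pwned Passwords service: the client hashes the candidate locally with SHA-1, sends only the first five hex digits, and matches the remaining suffix itself, so the full hash never leaves the endpoint. `BREACH_CORPUS` is a constructed three-entry stand-in for a real corpus and `range_lookup` is a local stand-in for the remote endpoint.

```python
import hashlib

# Constructed stand-in for a breached-password corpus, stored the way range lookups expect it:
# uppercase hex SHA-1 of each leaked password. A real corpus holds hundreds of millions of entries.
BREACH_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Summer2019!", "admin123")
}

PREFIX_LEN = 5  # the k-anonymity scheme: only the first 5 hex digits of the hash are ever sent


def range_lookup(prefix: str) -> list[str]:
    """Server side of a range query: return every corpus hash suffix sharing the given prefix.

    Local stand-in for the remote range endpoint; it never sees the full hash, let alone the password.
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError(f"prefix must be exactly {PREFIX_LEN} hex digits")
    return [h[PREFIX_LEN:] for h in BREACH_CORPUS if h.startswith(prefix.upper())]


def is_breached(password: str) -> bool:
    """Client side: hash locally, query by prefix only, match the remaining suffix locally."""
    full = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return full[PREFIX_LEN:] in range_lookup(full[:PREFIX_LEN])


def evaluate_admin_password(password: str, min_length: int = 14) -> list[str]:
    """Return the reasons a proposed CMS administrator password should be refused (empty list = accept)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_breached(password):
        reasons.append("appears in a known breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "Summer2019!", "q7#Lm9vRz2!pXw4"):
        verdict = evaluate_admin_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Wiring `evaluate_admin_password` into the CMS's password-change and account-creation flow blocks the "easy to guess" and "already leaked" cases at the moment the administrator picks a password, which is the only point where the plaintext is available to check.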
Dave at Forever Group here. I found this article very interesting. Of course, locally served or sideloaded content is not going to traverse traditional web gateway or security technologies such as Cisco Umbrella.
For me, this really cements the importance of peripheral cyber security strategies such as patch management to ensure that known browser vulnerabilities are closed down ASAP. Likewise, endpoints should really have zero-day-capable security solutions in place – and ideally intrusion prevention and web security to thwart the inevitable ‘dial-home’ if a foothold is gained.
Thank you for highlighting a non-obvious avenue where website-based threats could circumvent perimeter defences.