Security tips for CMS

Information security has become key for any business in the current technological climate. The need for experienced personnel to secure company assets and analyse potential risks to data is increasing daily. Public security breaches have become a regular news feature, to the embarrassment of the large companies responsible for losing vital customer information, and security vulnerabilities are being exploited more than ever in our ever more connected world.

CIA model

The ‘CIA model’ is used by security professionals as a guide for policies to ensure the securing of information within an organisation. Confidentiality represents the set of rules that limits access to information, integrity the assurance that the information is trustworthy and accurate, and availability is the guarantee of reliable access to the information by authorised personnel.

To keep in line with the CIA model, it is important for companies to consider the extent to which information is spread across different applications and members of the enterprise. Content management systems hold a large chunk of the internal and external information of many companies, so those responsible must take the security of these systems seriously to prevent the loss or manipulation of important data.

The wide adoption of CMSs is understandable given the sheer amount of data companies have to handle on a day-to-day basis. A one-stop shop to create and manage digital content is highly desirable for organising and distributing information. These systems are heavily relied upon to store a lot of data, some of which is of extreme importance and which, if compromised, could severely affect a business's productivity.

Security of Open Source vs. Proprietary

One of the major questions people ask when deciding about the security of an application is whether it's open source or proprietary. Open source projects rely heavily on the community for evolving and maintaining software, whereas proprietary projects are built and maintained by a single company and typically do not allow access to the source code.

Some conclude that due to past security breaches of open source projects, which were made public, the open model is inherently insecure. Those who come to such a conclusion believe that because the source code is made publicly available it makes it vulnerable to hackers reviewing the code and finding possible entries for exploitation. On the other hand, supporters of the open model believe that the transparent nature of the source code means that the community behind the project can spot bugs and security holes that are likely to go unnoticed by a smaller team of people.

The reality is that both proprietary and open source projects have vulnerabilities and are susceptible to security breaches. It would be incorrect to say that open-source is more, or less, susceptible to attacks. The fact that proprietary projects are implemented by employed professionals and are distributed for profit can easily lull a buyer into a false sense of security, but it is important to note that this doesn’t make them wholly immune to security attacks.

Use Plug-ins sparingly

CMSs generally have a wide variety of plug-ins and add-ons available for their platforms, and this variety of extensions gives the user the means to customise the system and use features that aren't included in the original package. The disadvantage of using plug-ins, however, is that far more vulnerabilities are found in the source code of plug-ins than in the CMS itself, and integrating additional applications gives hackers more scope for points of entry. Therefore, it is worthwhile finding out the exact requirements that suit the business's needs, to avoid installing any unnecessary external plug-ins. It is also worth paying attention to reviews and recommendations from those in the CMS community, and not being too quick to download brand new plug-ins, which may have serious security flaws.

CMS maintenance

Regular maintenance of any CMS is mandatory to keep security at a high level. If there's an update, it is worth taking some time to implement the newest version of the chosen CMS. This may sound simple, but the importance of updating can't be stressed enough, as this is how developers deliver patches for discovered bugs and release the most stable version of the system. With large amounts of confidential data, log monitoring should also be implemented to keep tabs on system events, so that if anything were to happen, a detailed footprint is available for analysis and for preventing a similar event in the future. Log monitoring can be implemented by an experienced admin or by using plug-ins for the various CMSs, but as stated in the previous point, users should be wary of the reliability of any plug-in and take appropriate steps to ensure the plug-in is trustworthy.

Risk Assessment and Treatment

When it comes to information security, it is a game of hide and seek. Hackers will find a hole in some software and developers will catch up and patch it as soon as possible, until another hole is found, and so forth. For that reason, risk assessment is used by information security professionals to assess the incidents that could potentially occur and what damage could be caused to the company's assets. Once a detailed report of the potential risks has been developed, it allows for the best possible safeguarding against potential attacks. Using tools such as vulnerability scanners (some free tools aimed at CMSs are available online) allows admins to determine the weakest aspects of the systems in use and find methods to strengthen their security. With this information, risk treatment guidelines can be created that will minimise the damage done in the event of a breach, and these should be implemented as part of an overall disaster recovery plan.

URL rewrites

One of the most common attacks experienced with popular CMSs comes through the generic URLs provided when setting up the system (for WordPress, for example). By targeting these generic URLs, hackers can use sophisticated attacks that undermine the standard login procedure and gain unauthorised access to company data. After locating the login page, an attacker can use a brute force or dictionary attack against weak passwords to gain access. By rewriting the URL and adopting strong passwords, sites are much less vulnerable to such attacks. Experienced developers can perform a URL rewrite themselves, and there are also plug-ins that will carry out the process automatically. Changing the default 'Admin' name in the URL and on the administrator account will also help prevent hackers stumbling across easy entry points.
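The log monitoring recommended under CMS maintenance and the brute-force attacks on the login page described above can be tied together with a small detector. The following is an added example, not code from the article: it parses web-server access log lines in the common/combined format, counts POSTs to the login path per client address within a sliding window, and flags addresses that exceed a threshold, as well as a successful login that follows such a burst. It assumes `/login` as a placeholder login path (substitute the CMS's real one), that a failed login re-renders the form with HTTP 200, and that a successful login answers with a 302 redirect; the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/combined log format: ip - - [time] "METHOD path HTTP/1.x" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/login"  # placeholder: replace with the CMS's actual login path

def parse_line(line):
    """Return a dict of ip/time/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_login_abuse(lines, threshold=5, window_seconds=60):
    """Map each flagged ip -> {"failures": n, "compromised": bool}.
    Assumed: POST to LOGIN_PATH with 200 = failed attempt, with 302 = success."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        ip, t = rec["ip"], rec["time"]
        q = recent[ip]
        while q and (t - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the sliding window
        if rec["status"] == 200:
            q.append(t)
            if len(q) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "compromised": False})
                alerts[ip]["failures"] = len(q)
        elif rec["status"] == 302 and ip in alerts:
            alerts[ip]["compromised"] = True  # success right after a burst of failures
    return alerts

# Constructed sample: one address hammers the login form, another fails once.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:09:00:01 +0000] "GET /login HTTP/1.1" 200 2048
203.0.113.10 - - [10/Mar/2024:09:00:03 +0000] "POST /login HTTP/1.1" 200 2048
203.0.113.10 - - [10/Mar/2024:09:00:04 +0000] "POST /login HTTP/1.1" 200 2048
203.0.113.10 - - [10/Mar/2024:09:00:06 +0000] "POST /login HTTP/1.1" 200 2048
203.0.113.10 - - [10/Mar/2024:09:00:07 +0000] "POST /login HTTP/1.1" 200 2048
198.51.100.7 - - [10/Mar/2024:09:00:08 +0000] "POST /login HTTP/1.1" 200 2048
203.0.113.10 - - [10/Mar/2024:09:00:09 +0000] "POST /login HTTP/1.1" 200 2048
203.0.113.10 - - [10/Mar/2024:09:00:12 +0000] "POST /login HTTP/1.1" 302 0
"""
```

Running `detect_login_abuse(SAMPLE_LOG.splitlines())` flags only 203.0.113.10, with five failures and the subsequent success marked as a likely compromise; a shorter window or higher threshold returns nothing for the same input.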

With the growing anxiety surrounding the security of information, provisions will continue to grow to safeguard the data our personal and working lives have come to depend on. IT administrators should spend at least 15 minutes per day maintaining all aspects of company systems, making adequate backups and installing patches if required. It is also worth noting that the weakest part of any security implementation is the human aspect. The most robust security system on the planet won't provide protection against staff who are easily manipulated into handing out credentials over the phone. Educating staff members about the importance of securing company data is the first step in the right direction in protecting the systems at the heart of any business.