By Derek Handova

In today’s fast-paced business world – especially in retail, where products change daily, even hourly – there’s an ever-growing need for quick changes to web content.

That used to be the responsibility of webmasters and developers who created HTML code, JavaScript modules, and plug-ins on the fly, but therein lies a fundamental problem: a critically important task depended on a handful of people. In order to scale websites on a sustainable basis, the process had to be decentralized, so a new method was developed: web content management systems, or WCMSs — often simply called CMSs. But with all these content management personnel decentralized on thinly or unprotected endpoints, could CMSs pose endpoint security problems?

“There are a lot of potentially dangerous areas when using CMSs, but one that jumps out to me in retail is front-end scripts and potential cross-site scripting attacks,” said Mike Catania, chief technology officer at PromotionCode.org, a consumer couponing community and merchant services website. “Most retail sites are concerned about site performance speed. Calling third-party, compressed JavaScript files is a quick way to improve performance. Unfortunately, even a sophisticated developer is going to struggle when evaluating what a compressed file says and does. With the rise of browser tools that can execute JavaScript, we’re going to see more sites imperiled by failure to perform due diligence on their chains of third-party scripts.”

And in the current e-commerce climate, the barrier for bringing a product to market is so low that many companies rely on unverified plug-ins and outdated CMSs instead of trained developers, according to Catania.

Unverified, Untested Plug-ins, and Endpoint Security

If CMSs could pose endpoint security problems, unverified plug-ins may be a large part of the problem. And the problems may seem particularly acute when it comes to e-commerce sites. Software supply-chain security is only as good as the weakest link.

Digidworks’ Nikolai Tenev

“Mentioning e-commerce systems, automated imports from vendor sites have recently become popular, and they could be built into the CMS or in the form of a plug-in,” said Nikolai Tenev, enterprise applications developer and CEO of DigidWorks, a development agency and provider of enterprise and management software. “This is dangerous because the site you’re importing from might have bad data in its database.”

Keep in mind, Tenev says, that plug-ins are a lot less tested and inspected for bugs and intentional hacks. So MSSPs could easily see why they are a potential threat when operating websites for customers. And in most cases, plug-ins are developed by third parties. So they could have embedded malware, like a cryptominer, for example.

Credential Stuffing and Endpoint Security

And while CMSs could pose endpoint security problems for content management personnel generally, high-level administrators could be at an even greater risk with their larger public profiles, which makes them appealing phishing targets. This would not be as big a problem if they practiced prudent password protocols, but they’re only human after all, and tend to reuse their credentials.

“Administrators themselves are the greatest risk of WCMS platforms,” said Michael Wilson, CTO at Enzoic, cybersecurity and fraud prevention specialists. “They reuse login credentials on different systems and make them easy for hackers to guess. This allows attackers to …

… take over the entire WCMS account with just a list of compromised credentials. Hackers use this type of credential stuffing attack to guess the admin account password. They can then use the site as part of malware distribution campaigns.”

To defend against credential stuffing attacks, Wilson recommends deploying two-factor authentication and checking password strength as passwords are being created. Other security measures can also help protect endpoint security, but they can entail asking hard questions of CMS vendors, design agencies, hosting companies and MSSPs themselves.

Hosted CMS Applications and Endpoint Security

And when companies use outside providers like design agencies, hosting companies or MSSPs to host their CMS-powered websites, the CMS could pose endpoint security problems for their end-user customers if not properly protected against adware, say digital marketing experts.

BrandLock’s Vanhishikha Bhargava

“Common belief says that a CMS can actually protect a site from adware,” said Vanhishikha Bhargava, head of marketing at BrandLock, a provider of conversion optimization suites. “But the truth is that it only protects the site from hacks. So while the CMS will keep a retail site’s customer data safe, adware injected by browser extensions and web apps almost appear similar to an overlay.”

Even worse, the CMS has absolutely no way of identifying what kind of ad an adware strain will inject into the consumer’s browser while on the site. Bhargava says her company has identified that brands like Cartier, Jabra, and Puma have been threatened by adware on the consumer endpoint but that its machine learning-powered solution strengthens CMSs and keeps adware at bay.

Browser Security and Endpoint Security

When it comes to browser security, it should be strict by default — locked down to prevent unannounced automatic installation of hidden plug-ins and block unsigned and untrusted content.

“Browser security should include testing and validation with warnings if untrusted code, content or communications are initiated,” said Scott Mongeau, principal cybersecurity solutions manager at SAS. “A protocol should be in place to alert security stewards when suspicious content shows up in the supply chain. There should be a clear disaster recovery plan concerning how to quickly remediate an incident.”

The Large Attack Surface of CMSs

With at least half of websites built with a CMS, statistics show that the number of installations of some publicly available and vulnerable CMSs is making things worse, due to the large surface of potential attacks, according to security researchers.

“Often, enterprises have decent systems with a good amount of protection mechanisms in place, but they can still be compromised,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, a security specialist. “It’s inevitable because of the low level of security awareness for the majority of companies in the retail industry. Vulnerabilities such as default credentials, database abuse, publicly available backups and configuration files, and using outdated versions of software were all used in successful intrusion scenarios.”

Then if a CMS is combined with e-commerce features, not only is your business infrastructure vulnerable to attack, but your customers’ financial information also is vulnerable to theft, such as in recent attacks on British Airways and Magento, Galloway says.