How PCI compliance can protect eCommerce from hackers

Organisations are relying more than ever on their web presence. Customer portals and supported web applications have become critical in doing business. This reliance has increased significantly in light of the current pandemic as organisations are forced to shift into heavy eCommerce.

However, these very systems that businesses depend on are among the most targeted by cyber attackers. Content Management System (CMS) platforms manage the creation and modification of digital content and have evolved to offer eCommerce functionality too. They are considered high-value and often low-effort attack targets. The Payment Card Industry (PCI) is concerned with such attacks, as they quickly turn into credit card theft and fraud.

This reality is backed up by NTT Ltd.’s 2020 Global Threat Intelligence Report. It shows that some of the most dominant activity during the past year was related to attacks against popular CMS systems. Around 20% of all attacks globally target these systems, including WordPress, Joomla!, Drupal and noneCMS. They account for about 70% of the CMS market share.

Risks to CMS platforms

There is a long history of cyber attackers leveraging CMS platforms and web application vulnerabilities. It’s concerning that unmitigated vulnerabilities remain a significant factor in many CMS-based attacks. More than half (55%) of attacks on CMS platforms are application-specific and frequently leverage vulnerabilities which are several months or, worse still, several years old.

In light of the business impact from COVID-19, for example, credit card transactions have gone up significantly. It has resulted in an increase in risks such as credit card skimming attacks. Interestingly, it’s not only the CMS platforms themselves that hackers are targeting. Over the last two years, researchers have identified 258 new vulnerabilities in Apache frameworks and software. These are widely used for web applications and in combination with WordPress.

Hackers can just as easily inject malicious code by exploiting third-party plugin vulnerabilities, insecure integrations or default configurations. This is possible even when the CMS software itself is up to date. What is certain is that inconsistent patching and vulnerability mitigation across increasingly complex eCommerce and digital presences bring significant risk. They leave both front and back doors open for hackers to steal customer and credit card data.

PCI’s clamping down on CMS

The Payment Card Industry Data Security Standard (PCI DSS) has long recognised the high value of credit card information and the importance of protecting eCommerce platforms. The standard is critical for organisations which engage in eCommerce. It also provides best practices and governance necessary to mitigate an attack on CMS platforms.

One of the core goals of PCI DSS is maintaining a vulnerability management program, which organisations must heed. PCI is one of the earliest frameworks to focus heavily on active and ongoing vulnerability management, because vulnerabilities are what hackers most often leverage to steal credit card information and commit credit card fraud.

Over time, the standard has become more prescriptive about how to perform vulnerability assessments. The standard has broadened to include applications and systems which interact with third-party processors. And, because hackers are increasingly targeting weaknesses within CMS platforms, the most recent PCI DSS requires any connected system within a PCI network to be PCI compliant, even if credit card transactions are not processed or stored on that system.

Proactive approach to securing CMS

Protecting CMS platforms and eCommerce websites requires active and ongoing vulnerability management. Organisations need to prioritise regular scanning and frequent patching – and even the validation of scanning by third parties. Quarterly scans with a certified Qualified Security Assessor (QSA) and annual penetration testing are a must for PCI compliance. What’s more, they are highly effective at helping organisations protect any of their CMS platforms.

The challenge is that some organisations lack the required skillset to manage vulnerabilities or do not know how to achieve PCI compliance. This complexity can be significantly reduced by working in partnership with PCI-compliant cloud solutions and experienced service providers. They can perform critical activities and respond quickly to new risks, such as zero-day vulnerabilities.

The bottom line is that CMS platforms will remain and will continue to grow in popularity among both businesses and cyber attackers. Organisations that are unable to prove they are taking the protection of their digital presence seriously face both reputational and financial impacts. Those engaging in eCommerce are expected to be aware of, and engage with, PCI compliance. It is those that embrace PCI compliance for their CMS platform that will be better prepared to prevent attacks and build a strong digital presence for today and the future.


NTT Ltd. is a leading global technology services company. We partner with organizations around the world to shape and achieve outcomes through intelligent technology solutions. For us, intelligent means data driven, connected, digital and secure. As a global ICT provider, we employ more than 40,000 people in a diverse and dynamic workplace that spans 57 countries, trading in 73 countries and delivering services in over 200 countries and regions. Together we enable the connected future.
