15 Oct 2020 - Dennis Egen

CMS Security: Is Your Platform Being Targeted?


We hate to break it to you, but if you’re wondering if your content management system (CMS) is being targeted by malicious hackers, you should know it probably is. 

CMS platforms allow non-technical and technical users to easily manage a website. Because they offer all kinds of functionalities, each CMS is stacked with plenty of different technologies all in one place to help you make the most of your system. 

While this is ideal for easy management of your system, what this also means is that most CMS systems have a huge surface area, which can make them vulnerable to attack.

Your system should have security supports in place so that it is protected from malicious attacks but not entirely locked down. This way, people from within your organization can access what they need from your CMS. 

What needs to be secured?

  • Web servers
  • File systems
  • Operating systems
  • Database
  • Administrative areas

On the front end, your CMS may be just as vulnerable. Front-end code might be written in HTML, CSS, JavaScript and custom code, and there might be all kinds of forms and inputs that can leave you vulnerable. That’s a lot of surface area available to the general public that can be attacked.

From end to end, you need to be sure that your CMS is protected. Here’s what you need to know about keeping it secure.

Take Advantage of Alert Logic Managed Detection and Response Services

Managed detection and response (MDR) refers to an outsourced service that’s integrated with your CMS, hunts for threats and responds to them when they are discovered. 

What else does an MDR have? MDRs also supply you with a team of security researchers and engineers whose sole focus is to monitor your CMS and your network, analyze incidents, and respond to security cases.

What can an MDR service do for you? 

Many businesses today don’t have the resources to employ a fully loaded security team ready to tackle 24/7 threat hunting. Larger corporations might be able to afford this, but most companies struggle with having enough resources to dedicate to something like this. Even if you have the resources to hire someone, you may not be able to find the right fit. In fact, the number of unfilled cybersecurity positions is expected to grow to 3.5 million by 2021.

Because of this, enterprises usually aren’t maximizing the use of their endpoint detection and response (EDR) solutions; there just isn’t enough personnel to handle these tools. An MDR service will integrate your EDR into its security implementation.

An MDR service helps you manage the huge volume of threats and security alerts your IT team regularly receives. A lot of these alerts need to be evaluated on an individual basis to determine whether or not they are malicious, and without an MDR service, there just isn’t the time. 

Alert Logic MDR is the industry’s leading managed detection and response service, with purpose-built technology and a team of cybersecurity experts. It works closely with you to understand your needs and the context of your operations to resolve any threats that appear.

Here’s how Alert Logic makes it happen:

  • Round-the-clock monitoring
  • Scalability
  • Threat research
  • Security expertise
  • Knowledge of the inner workings of your operations
  • A personalized security strategy
  • Safe, secure architectural changes 

Develop an Incident Response Plan

If your company stores any kind of sensitive data, you need to be developing an incident response plan if you haven’t already. This plan is key to rebounding from a data breach, and without one, you could struggle to make crucial decisions in a timely fashion. 

Many companies without incident response plans (eBay, Target and Snapchat come to mind) were harmed financially and reputationally by their response to data breaches because they were slow to take action and their responses were ineffective and unhelpful. They lacked an adequate incident response plan.

Your response plan will guide your personnel through the process of handling a data breach with thoughtful intention and rapid response. Even just a lost or stolen laptop can put you at great risk of a data breach.

Data is valuable—not just to you but to your clients and customers and also to hackers. Especially if you hold the following kinds of data, you need an effective response plan to ensure you are prepared:

  • Federally protected or state-protected information
  • Personal health information
  • Trade secret information
  • Any other data that’s vital to your success.

So what should be included in your response plan? How can you ensure that your recovery from a data breach can happen quickly and effectively?

  1. Assemble an internal team including legal counsel, your information technology manager, a human relations manager, an operations manager, and corporate communications and government affairs personnel.
  2. Identify external resources you can use for data security. Consider computer forensics experts, a public relations professional, operations personnel who can help you implement your plan, and insurance brokers. 
  3. Evaluate each breach individually. Different people may need to be included in your response based on the severity of the breach.
  4. Write an action checklist of the items that need to be done immediately following a significant data breach, like recording the date and time of discovery, the steps taken to establish a secure perimeter, and bringing forensics personnel on site to make a copy of affected systems so they can be preserved.
  5. Research your breach-related rights, obligations and timelines so you know who you need to report to and when. This includes applicable federal and state laws as well as data security notices to your vendors.
  6. Regularly review your response plan to reflect the current data types, personnel, risk profiles, vendor contracts and service provider agreements.

Read and React to Logs Regularly

“If a tree falls in a forest, and no one is around to hear it, does it make a sound?”—George Berkeley

Here’s a better (and much more relevant) question:

If your security system identifies a security threat but no one checks the log or strengthens your CMS accordingly, are you still vulnerable?

The short answer is, “Absolutely.”

Most security systems generate logs for operating systems, internet browsers, point-of-sale systems, workstations, intrusion detection systems and CMS platforms, but oftentimes, these logs aren’t evaluated. The biggest issue with these logs is that nobody looks at them!

These logs act as a red flag when suspicious activity occurs, and regular, daily review of them helps identify malicious attacks. Since each of these systems generates a great deal of log data, reviewing it manually is not a good use of resources, but you can automate the process with log monitoring software that reviews the logs and points out potential threats. Frequently, this is done with real-time reporting systems that alert you by email when suspicious activity is detected.

Whether you’re fielding tens of attacks each day or thousands, you need to be in tune with what’s happening in your system through regular security log review. 

Arm Yourself With an Intrusion Detection System

You arm your house with smoke and carbon monoxide detectors. Do you have a detector for your CMS too?

An intrusion detection system (IDS) filters through your network traffic, searching for suspicious activity. It flags out-of-the-norm behavior, and any violations are sent to an administrator or security information and event management (SIEM) system. When this information is sent to your SIEM system, it’s filtered to separate malicious activity from false alarms.

It’s important to know that sometimes (especially when first implemented), these SIEM systems tend to alert you to false alarms. This means that you need to fine-tune your IDS when it is installed and tailor it to your organization’s activities, so it can differentiate normal traffic on your network from malicious attacks. 

Why is this so important? No firewall is truly foolproof. Cyberattacks are always changing and evolving, attempting to breach your system and compromise your data. While firewalls and anti-malware programs can adapt to these changes, it’s wise to have another safeguard in place to keep your CMS secure. 

There are two kinds of intrusion detection systems: network intrusion detection systems (NIDS) and host intrusion detection systems (HIDS).

  • NIDS examine the network traffic passing through your system, looking for irregularities.
  • HIDS examine the events on a computer connected to your network.

Both NIDS and HIDS can use either of two detection methodologies. Most IDSs use both methods, but some only use one:

  • A signature-based IDS homes in on the signature of an intrusion event: a known pattern of intrusion that identifies the attack. These IDSs need to be updated regularly, as new signatures and attack types are developed all the time. This sometimes means that brand-new attacks, with no known signature yet, may pass through your IDS.
  • An anomaly-based IDS searches for unusual patterns within your system, which can compensate for any new attack signatures that slip through your signature-based IDS. They’re a great way to identify when someone is probing or sweeping your CMS, which is a sign that an attack is imminent.
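The automated log review described under “Read and React to Logs Regularly” and the two IDS methods listed above, as an added example that is not from the original post or from Engine Room: a small Python reviewer that parses constructed Apache/Nginx-style access-log lines and applies a signature rule set and an anomaly (rate) rule set side by side. The log lines, IP addresses, paths, rule names and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample data in the Apache/Nginx combined log format; IPs are RFC 5737 documentation addresses.
def _line(ip, method, path, status, sec):
    return (f'{ip} - - [15/Oct/2020:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", "GET", "/index.html", 200, 0)]
    + [_line("198.51.100.7", "POST", "/admin/login", 401, i) for i in range(1, 7)]  # 6 failed logins
    + [_line("192.0.2.9", "GET", f"/backup{i}.sql", 404, 10 + i) for i in range(1, 6)]  # 5 probes
    + [_line("192.0.2.9", "GET", "/static/../../config.php", 403, 20)])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Signature method: fixed patterns of known-bad requests; must be extended as new ones appear.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "backup_file_probe": re.compile(r"\.(bak|old|sql|zip)$", re.I),
}

def parse_line(line):
    # Return the fields of one access-log line as a dict, or None if it does not parse.
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event

def signature_hits(event):
    return [name for name, rx in SIGNATURES.items() if rx.search(event["path"])]

def anomaly_hits(events, login_fail_threshold=5, not_found_threshold=5):
    """Anomaly method: per-client counts above a baseline, no prior knowledge of the attack needed."""
    failed_logins, not_found = Counter(), Counter()
    for e in events:
        if e["path"] == "/admin/login" and e["status"] == 401:
            failed_logins[e["ip"]] += 1
        if e["status"] == 404:
            not_found[e["ip"]] += 1
    alerts = [("login_bruteforce", ip, n) for ip, n in failed_logins.items() if n >= login_fail_threshold]
    alerts += [("probe_sweep", ip, n) for ip, n in not_found.items() if n >= not_found_threshold]
    return alerts

def review(log_text):
    """Run both methods over a log and return the alerts a daily review would surface."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    signature = [(name, e["ip"], e["path"]) for e in events for name in signature_hits(e)]
    return {"signature": signature, "anomaly": anomaly_hits(events)}
```

Note that the traversal request is caught only by the signature rules and the failed-login burst only by the anomaly rules, which is the reason the post recommends running both methods.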

The bottom line? You wouldn’t skip wearing a seatbelt just because your car has airbags. Using both adds up to a much stronger defense system in the event of an accident. Similarly, you need multiple protections in place to keep your CMS secure.

As CMS platforms grow and evolve with new features and capabilities, so too will the malicious attacks on them. That’s why it’s so vital to the health of your system to have the proper security protocols in place to keep everything as protected as possible. 

If you need assistance securing your CMS, our team at Engine Room is happy to help. Why not check out our webinar dedicated to CMS security? Then contact us to learn more about what we can do for you.