By James Henry, Consulting Practice Director, Auriga
The compromise of the ‘Just for Men’ website last week led to a lot of head-scratching, if you’ll excuse the pun. The question was why such a big brand was so lax in its website management, and what companies like it – whose core business certainly isn’t security – can do to improve their posture.
In the case of the ‘Just for Men’ attack, visitors to the website could have been infected with malware, seriously damaging the brand. Updating to the latest version of the WordPress CMS and updating the Yoast plugin to version 3.5 was all it took to remedy the situation. So why did the company fail to patch, and why does poor management persist?
The answer is clearly that for these businesses, where the website is seen very much as a marketing vehicle, security maintenance is treated as a low priority. It is for this reason that these types of compromise, which are so easily prevented, will persist until organisations look at how they are going to continually monitor and update their infrastructure.
For this to change, such brands need to recognise the gaps in their security provisioning and take steps to redress this. Outsourcing this type of security maintenance and testing makes perfect sense if that management is taking away resource from your core line of business and it’s here where a security consultancy can add real value. Outsourcing takes away the pressure to remain constantly vigilant and allows the organisation to benefit from the expertise of security specialists.
So what should the organisation do to lessen the risk of becoming the next victim of ‘old CMS or plugin syndrome’? Number one: ensure the CMS and its plugins are kept up to date. Two: implement other security controls to make it harder for the website to be compromised. And three: use automated solutions and threat intelligence to monitor the site and keep an ear to the ground for security threats.
For example, ‘one-click’ or automated security updates will support the organisation’s patch management efforts. When it comes to hosting, where shared hosting is favoured as a cost-effective solution, the organisation needs to carry out a risk assessment to ensure adequate protections are in place. In this type of hosting environment, every organisation should opt for account isolation so that, in the event of a compromise of another organisation’s service, they remain unaffected.
Every organisation should also practise good security hygiene. That means changing default usernames and passwords to make it harder for those trying to exploit vulnerabilities, checking for out-of-date plugins and for plugins no longer in use and removing them, and routinely carrying out IT health checks.
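The plugin check described above can be made routine rather than left to memory. The following is an added example, not code from the article or from Auriga: it audits a plugin inventory against the latest versions known to the operator and flags anything out of date, unmaintained or inactive. The inventory, the ‘latest known version’ table and the plugin slugs are constructed sample data (only the Yoast 3.5 figure comes from the article); in practice the inventory would be exported from the site and the latest versions taken from each vendor’s release notes.

```python
"""Audit a WordPress plugin inventory for out-of-date, unknown and inactive plugins.

Added example; the data below is constructed, not taken from a real site.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Plugin:
    slug: str      # plugin directory name, e.g. "yoast-seo" (constructed slug)
    version: str   # installed version string as reported by the site
    active: bool   # False means installed but not in use


# Constructed inventory of what is installed on the site.
SAMPLE_INVENTORY = [
    Plugin("yoast-seo", "3.4.2", True),       # behind the 3.5 release named in the article
    Plugin("example-forms", "1.0", False),    # installed but switched off
    Plugin("legacy-gallery", "2.1", True),    # nothing known upstream
    Plugin("example-cache", "3.5.0", True),   # current, "3.5.0" must equal "3.5"
]

# Constructed table of the newest version the operator knows of for each plugin.
LATEST_KNOWN = {
    "yoast-seo": "3.5",
    "example-forms": "1.2",
    "example-cache": "3.5",
}


def parse_version(v: str) -> tuple:
    """Turn '3.5.0' into a comparable tuple; trailing zeros are dropped so 3.5.0 == 3.5.
    Non-numeric components (e.g. 'beta') sort below any number."""
    parts = [int(p) if p.isdigit() else -1 for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def audit(inventory, latest):
    """Return a list of (slug, finding) pairs for plugins that need attention."""
    findings = []
    for p in inventory:
        if not p.active:
            # Inactive plugins still ship code reachable from the web root; remove them.
            findings.append((p.slug, "inactive: remove it, unused plugins still expose code"))
            continue
        known = latest.get(p.slug)
        if known is None:
            findings.append((p.slug, "no known upstream version: confirm it is still maintained"))
        elif parse_version(p.version) < parse_version(known):
            findings.append((p.slug, f"outdated: {p.version} installed, {known} available"))
    return findings


def run_sample():
    """Audit the constructed inventory; used by the stand-alone run below."""
    return audit(SAMPLE_INVENTORY, LATEST_KNOWN)


if __name__ == "__main__":
    for slug, finding in run_sample():
        print(f"{slug}: {finding}")
```

The version comparison is the part worth getting right: a naive string comparison would rank "3.10" below "3.5", and would report "3.5.0" as different from "3.5", producing false alarms that teach people to ignore the report.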
There are also automated solutions that can make life easier. Online scanning tools and plugins can actively scan a CMS installation to detect any sign of malicious activity and protect an organisation’s website from a number of common attacks. These plugins are able to limit login attempts, for example, and notify the organisation if any suspicious activity has taken place on the website in question.
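The ‘limit login attempts and notify’ behaviour of such plugins can also be approximated from the web server’s own access log, which is useful where a plugin cannot be installed or as an independent check on one. The following is an added example, not code from the article, from Auriga or from any named plugin. It assumes the combined access-log format used by Apache and nginx, and it assumes WordPress’s usual behaviour that a failed login re-renders the form with a 200 response while a successful one redirects with a 302; both the log lines and the IP addresses are constructed.

```python
"""Flag source addresses that burst failed logins against /wp-login.php.

Added example with constructed log lines; the 200-on-failure / 302-on-success
distinction is an assumption about WordPress's login handling.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: 203.0.113.5 hammers the login form, 203.0.113.9 tries a few
# times well apart, 198.51.100.7 logs in once successfully.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Oct/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Oct/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Oct/2016:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Oct/2016:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Oct/2016:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Oct/2016:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Oct/2016:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Oct/2016:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Oct/2016:10:02:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Oct/2016:10:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Oct/2016:10:41:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Oct/2016:10:42:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def detect_login_bursts(lines, max_attempts=5, window=timedelta(minutes=10)):
    """Map each offending IP to the timestamp at which it reached max_attempts
    failed POSTs to /wp-login.php within a sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failed attempts inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # Only failed login submissions count (assumed 200 on failure, 302 on success).
        if method != "POST" or not path.startswith("/wp-login.php") or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_attempts and ip not in alerts:
            alerts[ip] = ts   # first crossing of the threshold is the notification point
    return alerts


if __name__ == "__main__":
    for ip, when in detect_login_bursts(SAMPLE_LOG).items():
        print(f"notify: {ip} exceeded the login-attempt limit at {when.isoformat()}")
```

A plugin that blocks further attempts acts at the point where this script records the alert; reading the same signal from the access log lets the organisation confirm the plugin is actually doing its job and keeps a record that survives the plugin being disabled or removed.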
Looking to the future, context-based security through actionable threat intelligence is fast becoming essential and it’s something the major brands as well as their online web hosts need to become more aware of. Operating in a vacuum is no longer viable and such organisations need to be aware of the current threat environment and learn lessons from previous attacks to improve resilience via the application of appropriate controls.
Essentially, the take-away from this has to be that big brands shouldn’t sideline security. If it’s not your core business, seek assistance from a consultancy that can advise you on where to invest and how to maintain a vigilant security posture 24/7.