We found that despite awareness of web application security, more than 25% of critical suppliers still run old, outdated website content systems.
Unfortunately, we’re all too aware of the Target attack, where the initial point of penetration was Target’s supplier, the HVAC vendor. The Target attack was not a standalone case.
According to a study from The Ponemon Institute, 56 percent of organizations have had a breach that was caused by one of their vendors. Their study also found that the average number of third parties with access to sensitive information at each organization had increased and only 35 percent of companies had a list of all the third parties they were sharing sensitive information with.
An earnest question that must be posed is whether the security posture of a company’s perimeter (i.e. what’s exposed to the outside) indicates the security posture of internal processes.
The correlation between frontend security practices and the likelihood of a breach was shown by the Equifax breach. The Equifax breach, announced at the end of July 2017, affected 143 million US consumers. The initial attack vector was an unpatched Struts server behind the web application for Equifax’s US online dispute portal. The exploitable vulnerability was disclosed by US-CERT in March 2017, 4 months prior to the actual breach disclosure.
According to the investigation, unauthorized access had already occurred during May 2017, two months after the vulnerability disclosure. Equifax’s frontend servers were not patched in time to prevent this breach.
To put this theory to the test, we looked at the content systems behind the websites of 134 US management consulting firms as an indicator of their security processes.
Our research focused on US management consultancy firms, which are by all means critical suppliers. After all, these firms hold strategic, sensitive and confidential information belonging to their clients.
We concentrated on the Content Management Systems (CMS) of these companies, the underlying platforms running their websites. The CMS stores all the website’s information and is configured to display items such as website text, brochures and videos. It may also be configured, say, to place other items behind a registration wall. The CMS is also used to process customer information as visitors enter it into the website.
Using Forbes’ 2018 Top US Management Firms, we investigated the server upgrading process of the underlying CMS systems at 134 companies. Specifically, we looked at those firms that are running WordPress or Drupal, the two most common CMS systems.
Considering an industry benchmark of 6 months to upgrade old CMS versions, we decided to investigate how many companies were lacking even the basics of an upgrading process.
Our research revealed that 37 companies, equating to 28% of those surveyed, were running at least one instance older than 6 months.
Unfortunately, the situation is actually worse. We found that 24 out of the 37 companies, in other words two out of three, were running at least a single instance that was even older than a year.
Moreover, most of the companies that ran some old instance per the 6-month benchmark (specifically, 25 out of the 37 companies) had most of their servers running old instances of the CMS application. The majority of them, 20 companies, were running more than 75% of their instances on older versions.
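The same tallies can be produced for your own supplier list from an inventory of each supplier's web instances. The following is an added example, not the tooling used in this research: the record fields, firm names, hosts and dates are constructed, and it assumes an instance counts as old once a newer CMS release has been available for longer than the benchmark.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

SIX_MONTHS_DAYS = 183  # the post's 6-month upgrade benchmark
ONE_YEAR_DAYS = 365

@dataclass
class Instance:
    company: str
    host: str
    cms: str                        # "wordpress" or "drupal"
    superseded_on: Optional[date]   # when a newer release appeared; None = latest

# Constructed sample inventory (hypothetical firms, hosts and dates).
INVENTORY = [
    Instance("Firm A", "www.a.example", "wordpress", None),
    Instance("Firm A", "blog.a.example", "wordpress", None),
    Instance("Firm B", "www.b.example", "drupal", date(2017, 1, 10)),
    Instance("Firm B", "careers.b.example", "drupal", date(2018, 3, 15)),
    Instance("Firm B", "events.b.example", "wordpress", date(2016, 9, 1)),
    Instance("Firm B", "info.b.example", "wordpress", date(2017, 2, 1)),
    Instance("Firm C", "www.c.example", "wordpress", date(2018, 3, 1)),
    Instance("Firm C", "insights.c.example", "drupal", None),
]

def assess(inventory, as_of):
    """Group instances by company and place each company in the post's buckets."""
    by_company = defaultdict(list)
    for inst in inventory:
        by_company[inst.company].append(inst)
    report = {}
    for company, instances in by_company.items():
        # Upgrade lag in days; an instance on the latest release has lag 0.
        lags = [(as_of - i.superseded_on).days if i.superseded_on else 0 for i in instances]
        stale = sum(lag > SIX_MONTHS_DAYS for lag in lags)
        share = stale / len(instances)
        report[company] = {
            "all_latest": all(i.superseded_on is None for i in instances),
            "over_6_months": stale > 0,
            "over_1_year": any(lag > ONE_YEAR_DAYS for lag in lags),
            "stale_share": share,
            "mostly_stale": share > 0.5,
            "over_75_pct_stale": share > 0.75,
        }
    return report

if __name__ == "__main__":
    print(assess(INVENTORY, date(2018, 6, 1)))
```

Firm C shows why the buckets are kept separate: it is not fully on the latest versions, yet it is still within the 6-month benchmark.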
We can safely assume that most of those companies that don’t upgrade their systems regularly actually never upgrade.
One thing that we typically do in security is look at the “bad”. However, we must also look at the good suppliers, since they indicate a level that can be reached and that we need to expect from suppliers.
In our research we found that 79 of the 134 suppliers ran the latest CMS versions across all their servers. In other words, these companies “excelled” by going beyond the 6-month upgrade benchmark.
It goes to show that upgrading the CMS systems is not an impossible task. Achieving the benchmark is absolutely doable and must be expected.
When choosing and working with a supplier, security must be an evaluation factor.
At the end of the day, the website, and thus its underlying CMS, is the window pane to the company. If security practices are lacking at such a basic level, it should sound a warning.
What steps should you take when choosing a supplier?
It would be interesting to continue delving into this research and seeing whether a poor security state of CMS systems also indicates problematic security practices pertaining to other security perimeter parameters.
In the next post, we’ll test the state of the SSL upgrading process and correlate it with the CMS results.
Stay tuned for our next research blog post!