Authentic8 Blog Category: Remote Browser

How to Secure Your Content Management System (CMS)

By Derek Handova

Content management systems present attractive targets for cybercriminals and state-sponsored adversaries. E-commerce sites, investor relations pages, and HR portals are just three examples where CMS vulnerabilities can cause severe reputational and financial harm.

The CMS offers multiple attack surfaces for targeting commercial or public sector entities. How can IT, administrators, creative personnel, and developers ensure CMS security?

*

In 2018 alone, more than 18 million CMS users suffered security breaches. 73.2 percent of well-known websites managed with WordPress, the most widely used CMS, contained vulnerabilities exploitable through common attacks.

Which security approaches would effectively protect CMS owners, their network, their business, and their customers? To answer this question, we have to confront the issue that many data breach vulnerabilities lie within the surface layer of the websites themselves.

There, threat actors can insert malicious code without website owners even knowing about it. For example, RiskIQ recently reported that JavaScript vulnerabilities in CloudCMS and Picreel web service scripts allowed the

GDPR: A Letter from Elizabeth Denham

Elizabeth Denham.

If your company is doing business in Europe, put that name on top of the list of people you’ll not want to hear from in their official capacity.

Just ask BA (British Airways) or Marriott International. Both encountered data breaches that put millions of their customers at risk. Now, they’ve both received notice from Ms. Denham that they’ll be fined the record amounts of $ 230 million and $ 125 million, respectively, under the European Union’s General Data Protection Regulation (GDPR).

Elizabeth Denham heads up the Information Commissioner's Office (ICO) of the United Kingdom. Yes, the recipients of her notice of intent may appeal the decision. And no, observers don’t expect the ICO to reduce these first GDPR penalties against major international corporations to the proverbial slap on the wrist.

To the contrary. GDPR applies to all companies, including in the US, that store or process data of EU citizens and residents. The EU’s privacy commissioners

ActiveX Data Leaks: Making Bad (Non-) Browsers Worse

Outdated browsers and browser plugins. People use them, forget about them, they become outdated, and their machine gets compromised. It’s a story almost as old as the web browser. The problem is, people never learn and never update - or, in this case, get rid of the problematic plugin.

List of Plugins

Source: sploit.io

ActiveX, a framework native to Internet Explorer, was introduced in 1996. Still supported in Windows 10, it allows an attacker to steal data and fully take over the victim’s machine when that person visits a page that contains a particular set of scripts.

How relevant is this exploit in 2019? In an unscientific survey among software engineers about ActiveX and if it still played a role, we got answers like this, from Zachary S. in San Francisco: "I think it’s dead. I hope it’s dead. It should be killed if it’s not dead."

Unfortunately, it’s not. According to NetMarketShare ("Market share statistics for Internet

Showdown: VPN vs. Cloud Browser

In many companies, VPN has become a staple of the traditional IT security stack. Annually, mid-sized organizations (<5,000 employees) spend an average of $60 per user on VPN technology and maintenance. Not much longer though, it seems.

While VPN has been around for more than 20 years, it now looks as if its promises of secure and private web access have worn off - many of them unfulfilled. In the words of Patrick Sullivan, Global Director of Security at Akamai, we are witnessing The death of VPN.

In his article for SC Magazine, Sullivan proclaimed: “It’s time to say goodbye.”

Sullivan’s farewell to VPN sounds timely, and he is not alone. Organizations large and small have found a way to cut their VPN costs or eliminated them altogether. In the same step, they attained a level of secure and private web access that VPN has never been able to deliver. What happened?

How Companies Cut VPN Costs

They

85% of Infected Websites Are NOT Blacklisted

Website attacks increased by 59% in 2018, according to the 2019 Website Security Report [PDF] recently published by Scottsdale, AZ-based SiteLock, a provider of business website security solutions. Most of the attacks were automated, the company reports, with 330 bots staging on average 62 attacks per day.

So far, so not surprising - just wait, there’s more. Let’s look next at a significant aspect of the SiteLock findings. It illustrates how much the attackers behind such malware campaigns can rely on the inherent vulnerability of traditional browsers.

When someone visits an infected site, the regular browser dutifully executes the malicious code from the web on the local machine. From there, ransomware, spyware or cryptojackers can spread through the user’s corporate or home network. Game over.

“Not so fast,” you may object. “Our IT security team has many ways to prevent such exploits. AV/EPP/ATP, CASB, VPN, SWG/URL Filters…” Which brings up that other finding in the report