CMS Security

Can You Answer These Six Key Security Questions?

by Colin Cornelius
19-Oct-2001

I've just read a report that, earlier this month, more than a dozen web sites were vandalised by hackers. It wasn't serious; the home pages had simply been replaced with the hacker's logo.

The common denominator appears to be that all the sites used the same popular "weblog" -- an automated news system. This reminded me that I had seen an entry for this particular system in a SANS Security Alert Consensus two weeks earlier. Perhaps I'm not the only person reading the security alerts?

Now, many CMSWatch readers won't consider a "weblog" to be a CMS -- and I'm not about to argue the point. However it does raise several good questions that can be applied to most of the CMS offerings around. Without too much ado let's fire away at a series of questions that might just get your CMS sales manager blustering.

Who runs security tests on the CMS?

Does your nice, shiny and expensive CMS have a security certification? Ask your supplier to identify which organisation puts the package through regular security testing. Is it one of the Big Five or a recognised security firm in which you have some faith?

I bet you'll get the answer, "Mega Big Bank Inc. use our CMS and they wouldn't if they weren't sure of the security." I could tell you a thing or two about how financial institutions select a CMS, and security doesn't always enter into it.

I would find it reassuring to know that the supplier is certified according to recognised standards like BSI 7799 or ISO 17799, and that the system is regularly scanned and tested by an independent organisation that will stand by its findings.

Are there regular security notifications?

All software has more than one security "hole" waiting to be found and patched. That is manageable as long as, when problems are found, the supplier submits formal security alerts to you. These should be proactive cascades and not depend upon you viewing a support site or bulletin board.

Which third party products are included within the CMS?

This is not always an easy one to get answered, as most suppliers like to pretend that they developed everything themselves. This is often far from true and a close read of the licence agreement usually discloses other included works. This is important as it means that unless the supplier is doing its job particularly well you will need to watch for security alerts related to any included products. A good way to do this is via the SANS Security Alert Consensus.

Are there security specific guidelines for the CMS?

Check out the manuals ("manuals -- what manuals!" I hear you shout). All software has security considerations and CMSs are no exception. They sit within a much larger infrastructure and you shouldn't just plug a package in and forget it. The depth of security information within the documentation will probably reflect the supplier's concerns about security.

Can the supplier provide staff with recognised security qualifications?

Most CMS implementations come with a hefty portion of consultancy, including installation and commissioning support. Part of any service provisioning should cover security implications that address not only the CMS, but also the architecture in which it sits. It's nice to know that the supplier's staff are suitably qualified. Certifications such as CISSP from the International Information Systems Security Consortium are appropriate and well recognised.

Have you established adequate internal controls?

You may think that everything above doesn't really concern you, since your organisation only uses a CMS internally and publishes static pages to the live environment. But don't forget that over 80% of security breaches still come from within the organisation.


Well, these are a few questions to start you off. I could go on for much longer but since this is the Web, let's keep it brief. Anyone who wants to know more may contact me directly.



About the Author

Colin Cornelius

Colin Cornelius is director of the GUI Studio, a UK-based consulting services company specializing in security and risk compliance matters pertaining to the electronic publishing industry.
