In our last blog post, we discussed the semi-annual report from MELANI (Swiss Reporting and Analysis Centre for Information Assurance) one of the main topics was the vulnerability of CMS systems and their plug-ins.
In today’s post I would like to return to this topic in more detail.
At nine.ch’s Managed Server segment, we clearly distinguish between the tasks related to security updates for the various technologies. nine.ch is responsible for the hardware, operating system and Managed Services such as MySQL or Apache, whereas the customer is responsible for the applications they choose to run on these platforms.
Security updates for the components managed by nine.ch are installed almost daily or sometimes even more frequently in the case of critical security gaps. We’ve constantly optimized our update and patching practices in recent years. Using our configuration management system, we are able to promptly and easily install updates on thousands of servers.
In other words, we offer our customers a highly secure foundation for their applications.
Nevertheless, we occasionally still receive reports from various sources that servers under our management have been hacked and misused for illegal activities. In most cases, the cause is a CMS that is not up-to-date and therefore vulnerable to attacks.
For us, these incidents are aggravating for many reasons. Firstly, we are unable to provide optimal support in these cases because we aren’t always familiar with the specifics of the CMS in question. Secondly, other customers may be affected by the attack depending on the setup.
From our customers’ perspective, such incidents are of course much worse because their websites may be inaccessible or only partially accessible (when a backup has to be restored, for example), staff resources are required, and there may be additional costs. In the worst case scenario, customer data may even be compromised, which can certainly result in reputational damage.
One recent case (German only) of a particularly malicious trojan horse is the CTB-locker ransomware trojan, which infiltrates unprotected CMS systems on servers and then begins to encrypt as many files as possible so that they can only be decrypted in exchange for a ransom payment. If this occurs on a Managed Server hosted by nine.ch, it is of course possible to restore a backup, but the server will then be just as vulnerable as before.
Moral of the story: please keep your CMS up-to-date! Aside from the security of your website and its data, updates frequently offer other benefits as well:
- CMS developers are constantly working on improving the code of the system. In other words, regular updates also include useful new features.
- In addition, most CMS upgrades also deliver performance improvements.
- Search engines reward frequent changes on websites by giving them better rankings.
These are just a few benefits of keeping your CMS up-to-date, but the security of your website and its data is most important from our perspective.
Perhaps you’re wondering, “What if an update causes something to stop working on my website?” In fact, that is probably a benefit to you because there are usually good reasons why certain features are discontinued. In addition, it’s definitely much easier to install updates in small version increments to fix minor errors than to only install major version upgrades after a year or more – or, even worse, to have to build something from the ground up in a rush.
We recommend that all customers who have technical support for their application purchase a maintenance contract for their CMS from this service provider. While this does come at a price, the costs are at least predictable. An emergency, on the other hand, costs time and money right at the most inopportune moment. If you no longer have a partner to help you with this, we will be happy to assist you. We should be able to recommend one of our valued partner agencies who specialize in your specific CMS.
If you manage your CMS yourself, make sure to follow these basic rules:
- Always keep the CMS up-to-date.
- Always keep all plug-ins up-to-date.
- Make sure to use plug-ins and CMS software that are constantly being developed further.
- Never use default passwords or passwords that are easy to guess.
- Never use the same password for multiple logins.
- Change your passwords periodically.
You can find information on updates or security risks in the administration area of application or on the following sites for all common CMS systems:
If you have any questions concerning security and updates, feel free to contact our support team at any time.
Andy Liyanage works as Head of Product Management & Customer Solution Architect at nine.ch and uses his technical background to analyse and shape complex customer setups.