Not Updating: What's the worst that can happen?

Posted by Alexander Dunn on 28 June 2017
Filed under: CMS, Security, Upgrade, Website

It has been a while since I have written about a security issue, but every now and then something happens that makes you really stop and think. Upgrading a CMS is seen as a costly and difficult process, especially if your solution is complex with a lot of custom code. It is tempting to think that it is a cost that can't be justified. After all, what's the worst that can happen?
For sure there are now many employees and clients of Mossack Fonseca wishing that those responsible for their web presence and IT systems had been more proactive about security updates.
Unless you have been living in a cave you can't have missed the 'Panama Papers' scandal that has already cost the Icelandic prime minister his job, triggered a police raid on UEFA headquarters and a 27 hour Police raid on Mossack Fonseca's own head office.  When the story broke on Sunday April 3 2016 I, like many others, assumed that this was the work of a disgruntled insider. Over the next few days it became clear that this was actually the result of a data security breach.
WordPress security experts Wordfence posted a forensic investigation of just how easy it was to gain access. It appears that the staggering 2.6TB of data has been collected over the past year so I find it unbelievable that even days after the publication of data started, Wordfence still found that "Breaking into this system wouldn’t even tax a beginner security analyst.”

  • The Mossack Fonseca website was running a known vulnerable WordPress module - Revolution Slider that had not been patched.
  • Had the website been running behind a firewall, the vulnerability would not have been exploitable.
  • The WordPress mail plugin stores the mail server login details in plain text in its database.
  • The email server was on the same server.
  • As if allowing access to the email server wasn't bad enough. Forbes reported that Mossack Fonseca provided a 'secure' customer portal for clients to access their account information using a version of Drupal that has been unpatched since August 2013.

It really was a litany of errors and poor judgement that put Mossack Fonseca's data out there for the world to see, but it emphasised some important points:

  1. Ensure that your systems are separated so that a breach in one does not open up your entire network.
  2. Enforce the principle of least privilege. Any account that is used should have the minimum privilege required to fulfil its role.
  3. Ensure that your servers are regularly patched.
  4. Update your database software.
  5. Update your CMS.
  6. Ensure that any other plugins or modules used in your solution are also patched up to date.

Hopefully when your systems were set up, the first couple were correctly handled and you have someone whose responsibility is to ensure that your server and database software remains up to date.
Your CMS, included modules, and custom code are where we come in. Upgrades are not simple, but can you really afford to take that risk? A breach of your data might not bring down a government, but the cost to your organisation could be overwhelming.
Background reading