Ben Franklin | 19 Mar 2019

You may feel quite confident that your Kentico CMS is secure against malicious attacks. As the manager of a Kentico CMS, you may think of security as a matter of mitigating against a handful of potential issues.

  • Stealing confidential information
  • Infecting with viruses or other malware
  • Deleting databases
  • Overloading your server or network with traffic to disrupt usability

Broadly speaking, yes, these are the final outcomes a company may face after their CMS security has been breached. And yes, you’re working to mitigate risk against these things happening. But you can’t wait until they’ve already occurred to find out there’s a problem.

Put best security practices into place

The fact is, the ways in which attackers achieve malicious end goals are numerous, clever, and evolving. Kentico CMS is a fantastic platform. But just like any platform it requires robust and ongoing attention to detail to ensure that it is fully secure from a determined attack.

So what can you do about it? There are plenty of immediate actions you can take that will close lots of little gaps. They may sound elementary, but they’re the kind of things that can easily get overlooked in the rush and excitement of getting a new CMS online.

For example, you can ensure your site is running on HTTPS. This not only ensures a standard of website encryption, but also has the added bonus of improving your search engine rankings. So this really ought to be part of your SEO strategy, as well.

You can also take care over server antivirus software. Dropping antivirus updates down the priority list is easily done, especially if you’re firefighting other IT issues. But total coverage is a crucial CMS security component.

Password encryption and two-step verification for registered users help keep information secure and ensure that only authenticated users are accessing your site. Limiting user uploads to your website or doing away with them altogether will also lessen the risk of attack. And there is plenty more advice out there on all the loose ends you can tie up from your end.

Keep vigilant in quiet times

But perhaps you’re right on top of all these things. Your Kentico CMS has been doing a great job for your business, it’s running smoothly, and everyone’s happy. You haven’t had any major security problems up to now, so everything must be tight as a drum. Right?

This is when complacency over Kentico website security sets in. And it’s a killer.

The fact is, attackers are trawling sites for tiny cracks in the backend to creep their way in. Sites that are well maintained in terms of up-to-date security patches and antivirus can be built on code that is full of vulnerabilities that are invisible until attacked. It’s like living in a beautiful house with a big lock on the front door, but where none of the plumbing has been tightened up. Behind the walls, it’s leaking like mad.

Understand invisible vulnerabilities

Some of these attacks—such as SQL and XPath injection—exploit weaknesses such as a lack of data sanitization to gain access to databases. These attacks inject code or scripts that weren’t intended to run on the database and force it to execute malevolent functions. This can reveal sensitive data, change it, or wipe it out. The injected code effectively becomes part of the backend of the CMS, as if it had been written into the website itself.
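As an added illustration of the sanitization gap described above (example code, not from this post or from Kentico): a user lookup that splices input straight into the SQL text, beside the parameterized form, run against a constructed in-memory SQLite table that stands in for a CMS user table.

```python
import sqlite3

# Constructed sample rows standing in for a CMS user table (not Kentico's real schema).
USERS = [("alice", "hash-a", "admin"), ("bob", "hash-b", "editor")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_user (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO cms_user VALUES (?, ?, ?)", USERS)
    return conn


def find_user_vulnerable(conn, username):
    # Untrusted input is pasted into the SQL text, so the database cannot tell
    # where the developer's query ends and the caller's text begins.
    sql = "SELECT username, role FROM cms_user WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    # The query text is fixed; the value is bound separately, so a quote inside
    # it is just a character in the value, never SQL syntax.
    sql = "SELECT username, role FROM cms_user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed probe: closes the string literal and appends an always-true clause.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": find_user_vulnerable(conn, normal),
        "vuln_hostile": find_user_vulnerable(conn, hostile),   # every row leaks
        "safe_normal": find_user_parameterized(conn, normal),
        "safe_hostile": find_user_parameterized(conn, hostile),  # no such user
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The same fixed-query-plus-bound-values pattern is what a code audit looks for wherever the CMS builds SQL or XPath from request data.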

On the other hand, you have attacks like XSS, which take advantage of vulnerabilities in user input, such as form validation, to attack users of your website. Your application databases may or may not be directly affected. But you’re still responsible for the damage done to those who trust your site. They may find their login details stolen, their computers infected with a virus, or themselves redirected to dangerous sites when they visit your page. And that can definitely have significant and lasting repercussions for your reputation.

These are significant susceptibilities. These are problems that live on the development side of things, and don’t reveal themselves until they’re under attack. And they’re the type of thing that really should have been sorted at the outset of developing your Kentico CMS.

Think of it this way. If you’re heading into battle, getting hit by an arrow is a final outcome you want to avoid. To try to manage that risk, you hire a blacksmith to make you some chainmail. How do you know whether the smith has done a good job? One surefire way to find out you’ve got a loose link is by getting an arrow shot straight through it the first time you wear it. Risk mitigated? Sure. But the mitigation ultimately failed because you didn’t perform quality control before you put it on. You’ve got to check to make sure the mail is sound before you go on campaign.

Stay a few steps ahead of attack

If you’re totally sure that the original development of your site yielded no loose mail, so to speak, you can rest easy. Just make sure you have a strong Kentico support package in place to keep on top of security patches and version upgrades.

Keep in mind that Kentico only supports security patches for its two most recent CMS versions at any given time (Versions 11 and 12 at the moment), so if you’re on Version 10 or lower, one of the most significant strategic actions for your business security is to migrate onto the most current Kentico.

If you’re not feeling 100% confident, you can still take action to source and lock down any potential loose mail no matter how long it’s been since you first implemented Kentico. A full health check and code audit of your Kentico CMS can flag deep-seated vulnerabilities.

If you’re interested in finding out more about whether a Kentico CMS health check might be right for your website, contact Technical Director, Ben Franklin to discuss your needs. enquiries@quba.co.uk or 0114 279 7779