Recently a Dutch agency investigated the vulnerability of Dutch municipality websites and the results are quite shocking. At least, that was my first sentiment when I read the results. Almost one quarter of all local government websites use an outdated Web CMS or other web software tool version.
The municipalities with open source CMSs (Joomla!, TYPO3, Drupal) scored the highest in vulnerability. TYPO3 scored best with 63 percent being up-to-date, but that still means 37 percent used an outdated version. The researchers even found out some software versions were so outdated that updating was no longer a possibility.
When Will We Ever Learn?
The results were shocking, because at the end of 2011 we had quite a big scandal in the Netherlands, when the Dutch certificate provider DigiNotar was hacked through their website. This website was managed by a DotNetNuke version from March 2008 (!). In May 2008 DotNetNuke warned against a serious leak in their software, for which they provided an update. The 2011 hack used this vulnerability. That's 3 years later.
This hack had a huge impact because the hacked organization was the certificate provider for the Dutch government. Government organizations, notaries and others had to delete all their DigiNotar certificates and renew them. Without this renewal their websites were banned by all kinds of services throughout the internet. Many government websites and extranets didn't work for days and weeks.
You might think everybody was alarmed after this incident, but another initiative under the name of "Leaktober" (Leaktober, from the month October in which the initiative took place) proved that government organizations keep on neglecting their web software security. Both in 2011 and 2012 this yearly October investigation made clear government websites are still quite vulnerable, despite a government manifest and even an official team of government experts that can help.
Hacking isn't as Difficult as it Used to Be
The problem with these scandals and warnings is that people tend to ignore them. “It didn't happen to our website.”
Right. Not yet. But what if it does?
I help organizations select content management tools and nine out of ten of my clients have an outdated Web CMS when they contact me. Reasons for having an outdated version are: they are not happy with the CMS, they are not happy with the system integrator, they ended the service contract because it was too expensive, they didn't update because some tailor made modules and integrations didn't work after the last update, they didn't even know you can update a CMS, and so forth and so on.
Organizations with an outdated CMS are quite vulnerable for any hacker. Make no mistake, hacking is not just for whiz kids. You can find hacking tutorials on the internet (even video tutorials for newbies), you can find tools to search for outdated web software. In other words: almost anyone can find, hack and mess-up a website. So the question is not if you are going to be hacked, but when.
Risk Management is Serious Business
I believe that when no one is responsible for risk management, websites will stay vulnerable. You cannot expect editors, web masters or developers to do this task. You need to address your update policy to a specific role, e.g. the functional manager. If release management isn't a recognized process in your organization just get inspired by the IT IL Release Management Process and you're almost there.
The problem with keeping track of CMS updates is that organizations select a CMS and rebuild a website in a project. In this project, security is sort of less covered, at least in the requirements. But once finished, the project is handed over to a department and things like security, update management and other issues are often neglected if it isn't part of your governance plan.
How to Keep your Web CMS Up-to-Date
Having a security officer or a release management process helps, but even in this case you need a security policy for your websites and web software. Which is just a "paper tiger" if you don't act on them. But here are some things you can do: