CMS security - new defences, new attacks
While Eidosmedia prepares to extend its ISO 27001 security certification into the cloud with the ISO 27017 standard, its customers have just come through what turned out to be a worldwide cyber attack.
In our last post I talked about the cross-company efforts we’d made to certify our operations to the ISO 27001 security standard.
This time I wanted to talk about the benefits we were already seeing from ISO 27001 certification, but first I’d like to mention a bit of excitement we had on the security front just before Christmas.
CMS vulnerability: the Log4j event
Apache Log4j is a widely used Java logging library, bundled with a very large share of web applications and third-party software. Like many other companies, Eidosmedia woke up in early December 2021 to news of a major vulnerability, now known as Log4Shell (CVE-2021-44228), in a component present, in one way or another, across its entire customer base.
The team immediately ran an assessment to evaluate the actual risk to our customers and carried out a form of triage to prioritize remedial action across our various installations. At the same time, they set to work patching the software components that might be exposed, according to each customer’s requirements (the Cobalt web CMS, PageTrack, the Swing web applications … ).
Because of the way Eidosmedia applications are deployed, the vulnerability could only be exploited by an already privileged user inside the customer’s network, and only in ways that would be hard to conceal. This was good news.
Nevertheless, a hotfix was devised, following the Apache Software Foundation’s recommendations, to remove the vulnerability altogether. Within two business days of the vulnerability’s publication, Eidosmedia had a tested hotfix applied to its SaaS customer environments, while the other (‘non-managed’) customers were supplied with the hotfix script and simple deployment instructions. For some components, patches were available as early as December 15th.
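The triage and hotfix described above, as an added example that is not Eidosmedia’s own script and not Apache’s code: a small Python tool that walks a deployment directory, finds log4j-core jars (including ones bundled inside WAR/EAR archives), reads the version from the jar’s Maven metadata and reports whether the JndiLookup class is still present, so that installations can be ranked for remediation. It also applies the interim mitigation Apache published for deployments that could not upgrade at once, deleting JndiLookup.class from the jar. The archives it scans are constructed inline for the example; the file names, the “app.war” layout and the choice of 2.17.1 as the “safe” floor are assumptions, and stripping the class is a stop-gap, not a substitute for upgrading.

```python
"""Log4Shell (CVE-2021-44228) triage helper plus Apache's interim JndiLookup hotfix."""
import io
import os
import re
import shutil
import tempfile
import zipfile
from dataclasses import dataclass

ARCHIVES = (".jar", ".war", ".ear")
# Maven metadata shipped inside every log4j-core 2.x jar (1.x uses another groupId).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SAFE_FLOOR = (2, 17, 1)  # assumed "good" version for Java 8 deployments at the time


@dataclass
class Finding:
    location: str  # filesystem path; "!" separates nested archives
    version: str
    status: str    # VULNERABLE, MITIGATED or SAFE


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparsable -> (0, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else (0, 0, 0)


def classify(version: str, jndi_present: bool) -> str:
    if parse_version(version) >= SAFE_FLOOR:
        return "SAFE"
    return "VULNERABLE" if jndi_present else "MITIGATED"  # mitigated is not upgraded


def _scan_archive(zf: zipfile.ZipFile, location: str, findings: list) -> None:
    names = set(zf.namelist())
    if POM_PROPS in names:
        m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode(), re.M)
        version = m.group(1).strip() if m else "unknown"
        findings.append(Finding(location, version, classify(version, JNDI_LOOKUP in names)))
    # Recurse into bundled archives (WEB-INF/lib/*.jar in a WAR, jars in an EAR).
    for name in sorted(names):
        if name.endswith(ARCHIVES):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _scan_archive(inner, f"{location}!{name}", findings)


def scan_tree(root: str) -> list:
    """Triage every archive under root; VULNERABLE findings go to the top of the list."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.endswith(ARCHIVES):
                path = os.path.join(dirpath, fname)
                with zipfile.ZipFile(path) as zf:
                    _scan_archive(zf, path, findings)
    return findings


def strip_jndi_lookup(jar_path: str) -> bool:
    """Interim hotfix, same effect as `zip -q -d log4j-core-*.jar <JNDI_LOOKUP>`:
    rewrite the jar without JndiLookup.class. Returns True if the class was removed."""
    tmp = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    if removed:
        shutil.move(tmp, jar_path)
    else:
        os.remove(tmp)
    return removed


def make_sample_jar(version: str, with_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar (only the entries the scanner reads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed deployment: a vulnerable core nested in a WAR, an old one, a safe one."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_sample_jar("2.14.1", True))
    with open(os.path.join(root, "app.war"), "wb") as f:  # hypothetical app name
        f.write(war.getvalue())
    for ver in ("2.11.2", "2.17.1"):
        with open(os.path.join(root, "lib", f"log4j-core-{ver}.jar"), "wb") as f:
            f.write(make_sample_jar(ver, True))


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    for finding in scan_tree(root):
        print(finding.status, finding.version, finding.location)
```

Run stand-alone it lists the nested 2.14.1 and the 2.11.2 jars as VULNERABLE and the 2.17.1 jar as SAFE; after `strip_jndi_lookup()` is applied to the 2.11.2 jar a rescan reports it as MITIGATED. Note that a jar found nested inside a WAR cannot be patched in place with this function; the outer archive has to be rebuilt or the application redeployed with an upgraded dependency.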
None of the Eidosmedia deployments worldwide suffered any damage.
All’s well that ends well!
The benefits of ISO 27001 compliance
Not long after we’d obtained the certification, the value of complying with a recognized security standard became clear. Prospects and existing customers started to say: “Oh good, you’ve got ISO 27001! That eliminates most of the security audits we have to carry out to adopt Eidosmedia products in our operations.”
We knew there would be advantages for customers in terms of compliance and insurance provision, but the benefits emerged far sooner than we had expected, almost immediately.
ISO 27017 - into the cloud
This year our focus is on extending the ISO certification into our cloud-based operations. The ISO 27017 cloud security standard provides guidelines for additional security controls for providers and customers of cloud services. Since Eidosmedia customers’ operations are increasingly cloud hosted, the adoption of best practices and responsibilities for these deployments is an important guarantee of the continuity and security of their operations.
Most of the cloud controls were already in place when we started the certification process for ISO 27001 (the management system) but we chose to postpone the effort on the additional controls for a year so the system would be mature enough.
With an existing ISMS in place, adding the monitoring of cloud controls is fairly smooth, with a process that will lead to certification by the beginning of Q2 2022.
The main benefit we expect is a standardized way of organizing our cloud customer and supplier relationships, which helps our own customers with their due diligence on us as a vendor. This is particularly important for the supply chain risk management required by the latest recommendations and regulations of the European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA).
No ‘resting on laurels’
In the meantime, the effort to maintain the standards of last year’s ISO 27001 certification continues apace. We carry out regular internal audits to check that the procedures we put in place last year are being followed correctly. A company-wide program of online training has ensured that all staff are aware of the methods that may be used to penetrate the company’s defenses (with remedial training for the few people who fell for the simulated phishing emails we send from time to time to test their vigilance).
At the same time, we’ve already started our surveillance assessment with our external auditors in order to renew our certification for another year.
In short, it never stops! But, as the continuing cyber attacks by both non-state and state-sponsored actors show, a culture of security awareness is fast becoming an indispensable element of an organization’s business preparedness.
Find out more about the unified platform approach to CMS security.