Opinion: How we can contain new web-based threats

Tuesday, November 17, 2015 Totally Gaming
MGM's Craig Jacobs takes a look at the dangers of CMS platforms

Craig Jacobs, MGM Resorts International executive, tells TotallyGaming.com how the rise of CMS platforms has been a great help to many operators, but has created new online security risks.

The prevalence of free Content Management System (CMS) platforms has created an 'easy to launch' path for millions of websites over the past few years.

These platforms, accompanied by thousands of plug-ins, have enabled bloggers and even small and medium-sized businesses to launch websites overnight with features that would have taken months of custom development work only a few years ago.

In larger organisations, CMS platforms have enabled business users to launch internal websites to collaborate with peers, oftentimes without IT department involvement.

WordPress - the most prominent free CMS in the world - now runs more than 60 million websites worldwide, a staggering number that makes security experts cringe because of the history of vulnerabilities found in the platform and in the many plug-ins that enable easy website customisation. With such increased availability, the confidentiality and integrity of the platform suffer.

While enabling automatic updates and limiting the plug-ins that are used can decrease the likelihood of a compromise, businesses should be particularly mindful of the risks of using these CMS solutions in their environment.

Because the platforms are so easy to configure and host, very little time is often spent thinking about the security of these sites. In many cases they are launched with little or no IT department knowledge, and these shadow IT sites can become particularly juicy targets for attackers.

External sites are an obvious target for attackers who look to exploit known security flaws in unpatched platforms or plug-ins.

These holes may enable an attacker to gain privileged access to an organisation’s network. If that wasn’t scary enough, even internal collaboration sites pose a security risk because the site may act as a launch pad for hosting malware, extracting files or accessing privileged systems because the sites have been built with little or no security posture.

The site owners are simply seeking an easy path to collaborate with peers, but this ease may allow attackers to 'collaborate' with botnets, zombie-nets or host spam.

IT organisations within the gaming and hospitality sector should take a second look at how and where their websites are hosted and ensure that all web servers are identified within their internal and external environment. To the extent possible, internal collaboration sites should be inaccessible to the outside world and special steps should be taken to ensure that is the case. Websites built for external consumption should be categorised as such and pushed to external hosting when possible.

This limits the attack surface that is available to attackers and further segments external traffic from the world wide web, making it easier to identify unexpected traffic patterns accessing the business networks from the outside world. Lastly, third-party tools can be purchased to monitor the health and security of the CMS platform.

