In today’s digital society, where almost every service is available 24/7, an attack that disrupts this availability can have serious consequences for an organisation’s business activity. A denial of service attack or DDoS aims to make a server inaccessible in order to cause an outage or severely degrade the functioning of the service. This article gathers what to do when an organisation is undergoing such an attack and how to protect against it.
A Distributed Denial of Service (DDoS) attack disrupts the usual operations of an organisation’s web host or server by overloading it with an enormous number of page requests. A real-life comparison is a huge traffic jam: a car wants to get from point A to point B, but additional cars keep on getting in between it and the final destination, to the point where it remains stuck. The denial of service attack makes the webpage and the services provided through it unavailable until it is stopped, which can cause significant financial and productivity loss for the organisation as it cannot offer those services anymore.
A good starting point is browsing your own websites as if you were an external user. If the website is unavailable, this might indicate that it was compromised and it could be a DDoS attack. An investigation should be launched by the IT Responsible to identify the cause of the website unavailability and determine the type of attack.
In addition, detection means can be set up to identify if an intrusion is happening or has already happened. Monitoring all the critical systems that support an organisation’s operations is a key element in ensuring a good level of protection against a website hack. If something does happen, the IT Responsible and their team can be notified through alerts they set up beforehand. In addition, there are several website monitoring tools that can help detect modifications of the content and other types of changes made to a website, such as an attacker trying to link the website to newly set up domains.
When thinking of implementing tools to monitor a website, it is important for an organisation to evaluate the costs against the benefits. There are typically three aspects those tools can monitor: availability, speed and content. However, there is no ‘one size fits all’ solution. The overall cost will depend on how heavily and regularly an organisation wants the content on its website to be monitored. This is thus specific to each organisation, depending on its needs and requirements: if the website is a key element in carrying out daily operations or providing services to customers, it will be best to invest in website monitoring tools.
Website monitoring tools are a great asset; however, the solution chosen must be validated by the organisation’s IT Responsible from a security and performance point of view.
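The three aspects named above (availability, speed and content, including links to domains the site did not reference before) can be checked with a small script. The following is an added illustration, not a tool referenced by this article; the function names, the 2-second threshold, the approved-baseline hash and the list of allowed hosts are assumptions chosen for the example.

```python
# Added example: minimal availability / speed / content check for one page.
import hashlib
import time
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse


class HostCollector(HTMLParser):
    """Collects the hostnames referenced by href/src attributes."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlparse(value).hostname   # None for relative links
                if host:
                    self.hosts.add(host.lower())


def evaluate(status, seconds, body, baseline_sha256, allowed_hosts, max_seconds=2.0):
    """Return findings for one fetched page; an empty list means healthy."""
    if status is None or status >= 500:
        return ["availability: site down or server error"]
    findings = []
    if seconds > max_seconds:
        findings.append(f"speed: {seconds:.1f}s exceeds {max_seconds:.1f}s")
    if hashlib.sha256(body).hexdigest() != baseline_sha256:
        findings.append("content: page differs from approved baseline")
    collector = HostCollector()
    collector.feed(body.decode("utf-8", errors="replace"))
    for host in sorted(collector.hosts - set(allowed_hosts)):
        findings.append(f"content: link to unapproved domain {host}")
    return findings


def fetch(url, timeout=10):
    """Fetch url; returns (status, seconds, body). status is None if unreachable."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, time.monotonic() - start, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, time.monotonic() - start, b""
    except OSError:
        return None, time.monotonic() - start, b""
```

A scheduled job would call `evaluate(*fetch(url), baseline, allowed)` and alert on any finding; the exact-hash comparison only suits pages whose content is static between approved releases.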
The Web Application Firewall monitors incoming and outgoing network traffic in order to allow or deny communications based on defined security rules. It acts as a controller between the server and the client and, by decrypting the traffic, it analyses the users’ requests to access the network. This way, if it detects something suspicious according to its configuration rules, it can generate alerts and send them to the IT Responsible and their team, who will decide which actions to take next.
The Web Application Firewall protects from attacks that are coming from the web. It doesn’t replace a perimeter firewall, which will block unauthorised access and detect attacks coming from other entry points.
Cybercriminals always look for vulnerabilities to exploit, so it is important to keep all systems up to date. This makes sure that the latest and most secure version is used.
As for all information and technology systems, updates of website components are also crucial to make sure any known vulnerability is remediated, giving hackers no chance to exploit it.
The typical components for a web server include:
* The BIOS/firmware of the hardware the organisation’s server is running on;
* The operating system of the server;
* The actual web service used (e.g., Apache, nginx, IIS, etc.);
* The content management system (e.g., Drupal, Joomla, WordPress, etc.);
* Optionally, the virtualization layer.
Very few organisations build their website from scratch. They usually use third parties, which come with a large number of plugins and themes. Make sure to also keep those up to date. The developers from the third parties are constantly looking for new vulnerabilities. Making the updates is thus crucial to have the least vulnerable version of the components used.
As stated previously, one of the important steps to take to make a Content Management System secure is to keep it and its plugins up-to-date. Cybercriminals always look for new vulnerabilities to exploit but security patches are released to fix those vulnerabilities. It is thus important to make the updates as soon as they are available.
In addition, the Content Management System can be protected by not using any default configuration set up for accounts and passwords, but instead creating one’s own admin account with a strong enough password and implementing Multi-Factor Authentication. Multi-Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.
Finally, a regular review of the user list must be integrated in the access management process. This applies not only to users having access to the Content Management System, but also to every other user within the organisation in general. This review allows the organisation to check that no test users are still active, and that no users that shouldn’t be there were added.
People tend to use weak passwords as they are easier to remember. However, a password that is easy to remember is also easy to hack. It is thus important to only allow the use of strong passwords, which combine upper and lower cases, numbers and symbols. In addition, implementing Multi-Factor Authentication adds an additional layer to protect the accounts.
It is important to determine whether your organisation is directly connected to the Internet or makes use of an Internet Service Provider (ISP). If there is a contract with an Internet Service Provider, make sure to check this contract thoroughly and check what their procedures are in the event of an attack. Internet Service Providers are the gate standing between an organisation and the Internet. That is why they are becoming increasingly concerned about DDoS attacks and their complexity. Most of them are heavily investing in how they can prevent them.
If your organisation is managing its own networks, consider creating different security zones in the network (e.g. basic network segmentation through VLANs or other network access control mechanisms) and control/monitor the traffic between these zones. Next to that, make sure that unused services are disabled or filtered out of the network and never leave the password set as default on the Internet router and other systems. Lastly, operating systems, programs and routers should be automatically updated.
Limit the number of page requests one user can send, for example to a thousand requests per person per 24 hours. This reduces the possibility of overloading the network.
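The request limit described above can be enforced with a sliding-window counter per client. This is an added sketch, not code from this article; the class and method names are hypothetical, and identifying a "person" by client IP address is an assumption made for the example.

```python
# Added example: per-client sliding-window request limit (default 1000 per 24 h).
import math
import time
from collections import defaultdict, deque


class RequestLimiter:
    """Allows at most `limit` requests per client in any `window` seconds."""

    def __init__(self, limit=1000, window=24 * 60 * 60):
        self.limit = limit
        self.window = window
        self._seen = defaultdict(deque)   # client id -> accepted request times

    def check(self, client, now=None):
        """Return (allowed, retry_after_seconds) for one request from `client`."""
        now = time.time() if now is None else now
        stamps = self._seen[client]
        # Drop requests that have aged out of the window.
        while stamps and stamps[0] <= now - self.window:
            stamps.popleft()
        if len(stamps) < self.limit:
            stamps.append(now)
            return True, 0
        # The oldest accepted request decides when the next slot frees up.
        return False, math.ceil(stamps[0] + self.window - now)

    def purge(self, now=None):
        """Forget clients with no request inside the window; returns clients kept."""
        now = time.time() if now is None else now
        stale = [c for c, s in self._seen.items()
                 if not s or s[-1] <= now - self.window]
        for client in stale:
            del self._seen[client]
        return len(self._seen)
```

A refused request would typically be answered with HTTP 429 and the returned value in a `Retry-After` header. Because the limit is applied per client, it bounds what any single source can send; traffic spread across many sources stays under each individual limit.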
Cloud-based services are much better protected against DDoS attacks than locally hosted services, especially concerning email services or other online platforms. The extra protection layer that cloud adds is that the services remain widely available.
Testing a website for well-known vulnerabilities is a great way to establish whether it is ready to go live or not, from a security point of view. Identifying the existing vulnerabilities allows more time to fix them, without any damage, before a cybercriminal uses them and actually causes significant damage. Security experts can provide assistance, by doing penetration tests and audits for example, to assess a website’s security.
As soon as an unusual change is suspected on the website, it must be reported immediately to the IT Responsible within the organisation so they can take the remediation steps as follows.
A DDoS attack represents a cybercrime that must be reported to the police. In order to file a complaint, several elements can be gathered to complete the case: screenshots of the attacked website, screenshots of anything unusual displayed on the devices and the log records from the firewall and servers.
If possible, all the infected devices need to be copied to physical media for forensic purposes.
A DDoS attack is punishable by law and should be reported to the authorities to allow them to investigate the people responsible and prevent them from executing other attacks.
Those passwords should be changed on all the accounts where they are being used.
This helps assess the magnitude of the attack to anticipate what the hacker could use in the future to launch other attacks.
By determining exactly how the attacker got access to a resource, the necessary remediation steps can be taken to make sure this vulnerability cannot be used again for other attacks. This might be for example installing a security patch or changing a compromised password.
When an external provider is involved, they should be contacted and informed about the incident so they can also take the necessary steps to remediate it.
Not every organisation has enough resources to efficiently remediate a cyber incident. There are several security specialists that can be hired to help solve the incident. Those specialists can only come from official organisations, such as known consultancy firms, to avoid hiring a scammer.
The aim of this content is to share and raise awareness of good cyber security practice.
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.