A website defacement represents the modification and/or replacement of the initial content displayed on a website. Hackers use it to share messages or disrupt operations as they can reach many people thanks to the constant availability of a website.

What is a website defacement attack?

The website defacement attack is a particular cyber-attack, in the sense that cybercriminals are generally not really looking for information to steal. Their initial goal is most of the time to make as much noise as possible. In order to do that, they either share their own ideas or thoughts via the website or simply display a blank or black page and pictures or videos of their own choosing. Either way, the website cannot carry out its initial purpose, whether it is to inform or to provide services.

Usually, a website defacement is carried out by ‘hacktivists’. Through the use of hacking, or any other computer-based attack, the people launching the attack want to promote their political view or initiate a social change. As such, their most common targets are governmental or religious websites. However, regular hackers, who don’t specifically aim at sharing ideological ideas, can also carry out a website defacement and anyone can be a target.

A website is the face of an organisation, and such messages or disruptions displayed through it indicate that attackers were able to penetrate an organisation’s server and potentially access confidential and personal information. This can cause important reputational damage and loss of trust from customers and providers.

How does it happen?

The attacker seeks one or more security vulnerabilities that will allow them to gain access to an organisation’s environment. Once in, their goal will be to gain privileges, in terms of access, in order to reach the administrative level type of account and be able to modify whatever they want to and thus control what is displayed to the website’s visitors. In addition, by reaching the administrative level access, which is one with high privileges, they can have an entrance to other of the organisation’s resources and launch other types of attack or disruption.

horizontal black and white diagram illustrating the steps and links between the hacker and the victim user

How can a website defacement be identified?

As the main goal of cybercriminals for this type of attack is to make as much noise as they can, the changes done to the targeted website will be pretty obvious for anybody. Besides that, there is not much that can be done to identify that an attack will be specifically a website defacement. However, detection means can be set up to identify if an intrusion is happening or already happened. Monitoring all the critical systems ensuring an organisation’s operations is a key element in ensuring a good level of protection against a website defacement attack. If something indeed happens, the IT Responsible and their team can be notified through alerts they set up beforehand. In addition, there are several website monitoring tools that can help detect modifications of the content and other type of change done to a website, such as an attacker trying to link the website to newly setup domains.

When thinking of implementing tools to monitor a website, it is important for an organisation to evaluate the costs against the benefits. There are typically three aspects those tools can monitor: availability, speed and content. In the context of website defacement, the focus will be on the content. However, there is no ‘one fits all’ solution. The overall cost will depend on how heavily and regularly an organisation wants the content on their website to be monitored. This is thus specific to each organisation, depending on their needs and requirements: if the website represents a key element to carry out daily operations or provide services to customers, it will be best to invest in website monitoring tools.

Website monitoring tools are a great asset, however the solution chosen must be validated by the organisation’s IT Responsible from a security and performance point of view.

How to protect a website from defacement?

1. Raise the collaborators’ awareness on the website defacement risk

People cannot react properly to suspicious events if they are not aware of the dangers they might be facing when using information and communication technologies. Analysing all current cyber risks, deciding how to mitigate them and defining a set of policies that identify the right code of conduct is important for every organisation. However, all these measures are deemed to fail if they are not properly communicated to and understood by the collaborators. It is thus important to make sure everybody is aware of how to identify a website defacement and of the internal processes to notify and remediate an incident.

2. Raise the collaborators’ awareness on scams that aim to steal their credentials

An organisation’s collaborators are its first line of defence. However, when encountering a cyber scam, they cannot adopt the right reflexes if they don’t know what they are.

There are several ways cybercriminals try to steal collaborators’ credentials in order to get access to an organisation’s resources. It is thus important to have regular informative sessions to train the collaborators about not sharing too much on social media and not clicking on a link or opening a file without analysing where it comes from first.

3. Activate and configure a Web Application Firewall

The Web Application Firewall monitors incoming and outgoing network traffic in order to allow or deny communications based on defined security rules. It acts as a controller between the server and the client and by decrypting the traffic, it will analyse the users’ requests to access the network. This way, if it detects something suspicious according to its configurations rules, it can generate alerts and send them to the IT Responsible and their team who will decide on which actions to take next.

The Web Application Firewall protects from attacks that are coming from the web. It doesn’t replace a perimeter firewall, which will block unauthorised access and detect attacks coming from other entry points.

4. Update all software, operating systems and internet browsers

Cybercriminals always seek for vulnerabilities to exploit so it is important to keep all systems up-to-date. This makes sure that the latest and more secure version is used.

5. Keep all web server components up-to-date

As for all information and technology systems, updates of website components are also crucial to make sure any known vulnerabilities is remediated, giving hackers no chance to exploit them.

  • The typical components for a web server include:
  • The BIOS/firmware of the hardware the organisation’s server is running on;
  • The operating system of the server;
  • The actual web service used (e.g., Apache, nginx, IIS, etc.);
  • The content management system (e.g., Drupal, Joomla, WordPress, etc.);
  • Optionally, the virtualization layer.

Very few organisations build their website from scratch. They usually use third parties, which come with a great amount of plugins and themes. Make sure to also keep those up to date. The developers from the third parties are constantly looking for new vulnerabilities. Making the updates is thus crucial to have the least vulnerable version of the components used.

6. Secure the access to and update the content management system

As stated previously, one of the important steps to take to make a Content Management System secure is to keep it and its plugins up-to-date. Cybercriminals always look for new vulnerabilities to exploit but security patches are released to fix those vulnerabilities. It is thus important to make the updates as soon as they are available.

In addition, the Content Management System can be protected by not using any default configuration set up for accounts and passwords, but creating one’s own admin account with a strong enough password and in addition implementing Multi-Factor Authentication. Multi

Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.

Finally, a regular review of the user list must be integrated in the access management process. This applies not only to users having access to the Content Management System, but also to every other user within the organisation in general. This review allows the organisation to check that no test users are still active, and that no users that shouldn’t be there were added.

7. Implement the HTTPS protocol

The HTTPS protocol is used on the Internet for secure communication and data transfer over a computer network. It is the secured version of HTTP. Just like HTTP, HTTPS is used to send data between a web browser and a web server. The difference is that HTTPS encrypts the data to increase the security of the transfer. Through the encryption of all exchanges happening between a web browser and a web server, HTTPS ensures that no outsider can eavesdrop the ongoing communications. In fact, even if an attacker is able to intercept the data, as it is encrypted, they will not be able to understand it nor use it.

8. Encrypt, backup and control the access to the database

Data is one of the most valuable assets an organisation has. This is why it should be protected accordingly. It is important to encrypt the data at rest (i.e., when stored in a database and not used) and strictly control the access to that database.

In addition, those databases must be backed up to make sure that even if an incident occurs, the data can still be recovered. It is important to regularly test those backups to confirm that they can actually be used if needed, after an incident.

9. Disable directory browsing

Directory browsing offers the possibility for people visiting a website to access the repository content, i.e., all the files and folders.

Directory browsing must be disabled so attackers cannot randomly find an organisation’s data by simply using search engines. In addition, files must not be stored in default or publicly accessible locations.

Too late, the website has been hacked

There are several steps to carry out when facing a website defacement attack:

1. Report the incident to the organisation’s IT Responsible

As soon as an unusual change is suspected on the website, it must be reported immediately to the IT Responsible within the organisation so they can take the remediation steps as follows.

2. Isolate the compromised devices from Internet and from the organisation’s network

In order to stop the attack and its damage from expanding to the whole organisation’s network, all the devices infected must be unplugged from Internet. This can be done by removing the ethernet cable or by directly deactivating the Wi-Fi on the devices.

3. Gather all the necessary forensics

A website defacement represents a cybercrime that must be reported to the police. In order to file a complaint, several elements can be gathered to complete the case: screenshots of the attacked website, screenshots of anything unusual displayed on the devices and the log records from the firewall and servers.

4. Report the incident to the police and file a complaint

A website defacement attack is punishable by law and should be reported to the authorities to allow them to investigate the people responsible and prevent them from executing other attacks.

5. Make a copy of all the compromised devices

If possible, all the devices infected need to be copied on a physical support for forensics purposes.

6. Make an inventory of all the sensitive information accessed or stolen

This helps assess the magnitude of the attack to anticipate what the hacker could use in the future to launch other attacks.

7. Identify and remediate all the vulnerabilities that were used to get access

By determining exactly how the attacker got access to a resource, the necessary remediation steps can be taken to make sure this vulnerability cannot be used again for other attacks. This might be for example installing a security patch or changing a compromised password.

8. Inform the website provider

Most organisations don’t develop their website in-house. When an external provider is involved, they should be contacted and informed about the incident so they can also take the necessary steps to remediate it.

9. If needed, contact official external security specialists

Not every organisation has enough resources to remediate efficiently to a cyber incident. There are several security specialists that can be hired to help solve the incident. Those specialists can only come from official organisations, such as known consultancy firms, to avoid hiring a scammer.

The aim of this content is to share and raise awareness of good cyber security practice. 
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.