A website defacement is the modification or replacement of the content a website normally displays. Attackers use it to broadcast messages or disrupt operations, since the constant availability of a website lets them reach many people.
Website defacement is a particular kind of cyber-attack in that the attackers are generally not looking for information to steal. Most of the time their goal is to make as much noise as possible. To do so, they either share their own ideas or opinions via the website, or simply display a blank or black page, or pictures or videos of their own choosing. Either way, the website can no longer serve its original purpose, whether that is to inform or to provide services.
Usually, a website defacement is carried out by ‘hacktivists’. Through hacking, or any other computer-based attack, the people launching the attack want to promote their political views or bring about social change. As such, their most common targets are governmental or religious websites. However, regular hackers with no ideological message to share can also carry out a website defacement, and anyone can be a target.
A website is the face of an organisation, and messages or disruptions displayed through it indicate that attackers were able to penetrate the organisation’s server and potentially access confidential and personal information. This can cause significant reputational damage and a loss of trust from customers and providers.
The attacker looks for one or more security vulnerabilities that will allow them to gain access to an organisation’s environment. Once in, their goal is to escalate their privileges until they reach an administrator-level account, so that they can modify whatever they want and thus control what is displayed to the website’s visitors. In addition, administrator-level access, being highly privileged, can give them an entry point into other resources of the organisation from which to launch other types of attack or disruption.
As the main goal of the attackers is to make as much noise as they can, the changes made to the targeted website will be obvious to anybody. Beyond that, there is not much that can be done to predict that an attack will specifically be a website defacement. However, detection measures can be put in place to identify that an intrusion is happening or has already happened. Monitoring all the critical systems that support an organisation’s operations is a key element in maintaining a good level of protection against a website defacement attack. If something does happen, the IT Responsible and their team can be notified through alerts they have set up beforehand. In addition, several website monitoring tools can help detect modifications of the content and other types of change made to a website, such as an attacker linking the website to newly set-up domains.
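The two kinds of change mentioned above, altered page content and links to domains the organisation does not own, can both be checked against a known-good snapshot. The following Python is an added illustration, not code from the original article; the page snapshots, the hostnames (reserved .invalid names) and the allow-list of domains are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline snapshot of the organisation's home page (hypothetical content).
BASELINE_HTML = """<html><head><title>Example Org</title></head>
<body><h1>Welcome to Example Org</h1>
<a href="/services">Services</a>
<a href="https://www.example.org/contact">Contact</a>
<script src="https://cdn.example.org/app.js"></script>
</body></html>"""

# Constructed snapshot after a hypothetical defacement: heading replaced,
# a link and a script pointing at domains the organisation does not own.
DEFACED_HTML = """<html><head><title>Site changed</title></head>
<body><h1>Defaced page (constructed sample)</h1>
<a href="https://attacker.invalid/message">Read this</a>
<script src="https://evil.invalid/x.js"></script>
</body></html>"""

# Domains the organisation legitimately references (assumption for the example).
ALLOWED_DOMAINS = {"www.example.org", "cdn.example.org"}

class _LinkCollector(HTMLParser):
    """Collects the hostname of every href/src attribute found in a page."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlparse(value).hostname
                if host:                      # relative URLs have no host
                    self.hosts.add(host.lower())

def content_fingerprint(html):
    """SHA-256 of the page; any change to the content alters the digest."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()

def check_page(baseline_html, current_html, allowed_domains):
    """Return alerts: 'content-changed' and one 'unexpected-domain:<host>' per new domain."""
    alerts = []
    if content_fingerprint(current_html) != content_fingerprint(baseline_html):
        alerts.append("content-changed")
    collector = _LinkCollector()
    collector.feed(current_html)
    for host in sorted(collector.hosts - allowed_domains):
        alerts.append(f"unexpected-domain:{host}")
    return alerts
```

In practice the baseline fingerprint is stored when the page is published and the current snapshot is fetched on a schedule; the alerts would then be sent to the IT Responsible as described above.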
When considering tools to monitor a website, an organisation should weigh the costs against the benefits. Such tools typically monitor three aspects: availability, speed and content. In the context of website defacement, the focus is on content. However, there is no ‘one size fits all’ solution. The overall cost depends on how closely and how often an organisation wants the content of its website to be monitored. This is therefore specific to each organisation and its needs and requirements: if the website is a key element in carrying out daily operations or providing services to customers, investing in website monitoring tools is advisable.
Website monitoring tools are a great asset; however, the solution chosen must be validated by the organisation’s IT Responsible from a security and performance point of view.
People cannot react properly to suspicious events if they are not aware of the dangers they may face when using information and communication technologies. Analysing all current cyber risks, deciding how to mitigate them and defining a set of policies that lay down the right code of conduct is important for every organisation. However, all these measures are bound to fail if they are not properly communicated to and understood by the collaborators. It is therefore important to make sure everybody knows how to recognise a website defacement and which internal processes to follow to report and remediate an incident.
An organisation’s collaborators are its first line of defence. However, when encountering a cyber scam, they cannot adopt the right reflexes if they don’t know what they are.
There are several ways cybercriminals try to steal collaborators’ credentials in order to get access to an organisation’s resources. It is thus important to have regular informative sessions to train the collaborators about not sharing too much on social media and not clicking on a link or opening a file without analysing where it comes from first.
A Web Application Firewall monitors the traffic between clients and the web application in order to allow or deny requests based on defined security rules. It sits between the client and the server and, by decrypting the traffic, analyses the users’ requests to the web application. If it detects something suspicious according to its configured rules, it can generate alerts and send them to the IT Responsible and their team, who decide which actions to take next.
The Web Application Firewall protects against attacks coming from the web. It does not replace a perimeter firewall, which blocks unauthorised access and detects attacks coming through other entry points.
Cybercriminals are always looking for vulnerabilities to exploit, so it is important to keep all systems up to date. This ensures that the latest and most secure version is in use.
As for all information and technology systems, updating website components is also crucial to make sure any known vulnerability is remediated, giving attackers no chance to exploit it.
Very few organisations build their website from scratch. They usually rely on third-party products, which come with a great number of plugins and themes. Make sure to keep those up to date as well. The third-party developers are constantly looking for new vulnerabilities, so applying their updates is crucial to running the least vulnerable version of the components used.
As stated previously, one of the important steps to take to make a Content Management System secure is to keep it and its plugins up-to-date. Cybercriminals always look for new vulnerabilities to exploit but security patches are released to fix those vulnerabilities. It is thus important to make the updates as soon as they are available.
In addition, the Content Management System can be protected by not relying on any default account or password configuration, but by creating one’s own admin account with a strong enough password and, on top of that, implementing Multi-Factor Authentication. Multi-Factor Authentication requires a user to provide at least two different verification methods (e.g., a password and a PIN code, or a PIN code and a code received via text message) before they are granted access to the resource they are trying to reach.
Finally, a regular review of the user list must be integrated into the access management process. This applies not only to users with access to the Content Management System, but to every other user within the organisation as well. The review allows the organisation to check that no test users are still active and that no users who should not be there have been added.
The HTTPS protocol is used on the Internet for secure communication and data transfer over a computer network. It is the secured version of HTTP. Just like HTTP, HTTPS is used to send data between a web browser and a web server. The difference is that HTTPS encrypts the data to protect the transfer. By encrypting all exchanges between a web browser and a web server, HTTPS ensures that no outsider can eavesdrop on the ongoing communications: even if an attacker is able to intercept the data, it is encrypted and they can neither read it nor use it.
Data is one of the most valuable assets an organisation has. This is why it should be protected accordingly. It is important to encrypt the data at rest (i.e., when stored in a database and not used) and strictly control the access to that database.
In addition, those databases must be backed up to make sure that even if an incident occurs, the data can still be recovered. It is important to regularly test those backups to confirm that they can actually be used if needed, after an incident.
Directory browsing lets visitors of a website list the content of its directories, i.e., all the files and folders they contain.
Directory browsing must be disabled so that attackers cannot stumble upon an organisation’s data simply by using search engines. In addition, files must not be stored in default or publicly accessible locations.
It is very common for cybercriminals to use an existing account to gain access to an organisation’s resources. Access control management should be well established and implemented within the organisation. The basic principles of least privilege and need-to-know must be applied: a user should only receive the access rights they require to perform their job, nothing more. They should always get the minimum required, never extra access ‘just in case’.
In addition, a user access provisioning process should be established. This process defines how the access granted to an employee is removed or changed when they switch position or leave the organisation. An insider attack can always happen, no matter how loyal former collaborators were at a certain point in time. Their feelings towards the organisation may change if they did not leave willingly.
Testing a website for well-known vulnerabilities is a great way to establish whether it is ready to go live from a security point of view. Identifying existing vulnerabilities early leaves more time to fix them, before a cybercriminal exploits them and causes significant damage. Security experts can assist in assessing a website’s security, for example by performing penetration tests and audits.
People tend to use weak passwords because they are easier to remember. However, a password that is easy to remember is also easy to crack. It is therefore important to only allow strong passwords, which combine upper and lower case letters, numbers and symbols. In addition, as stated in recommendation number 6, implementing Multi-Factor Authentication adds a further layer of protection to the accounts.
There are several steps to carry out when facing a website defacement attack:
As soon as an unusual change is suspected on the website, it must be reported immediately to the IT Responsible within the organisation so they can take the remediation steps as follows.
To stop the attack and its damage from spreading to the whole of the organisation’s network, all infected devices must be disconnected from the Internet. This can be done by removing the Ethernet cable or by directly deactivating the Wi-Fi on the devices.
A website defacement represents a cybercrime that must be reported to the police. In order to file a complaint, several elements can be gathered to complete the case: screenshots of the attacked website, screenshots of anything unusual displayed on the devices and the log records from the firewall and servers.
A website defacement attack is punishable by law and should be reported to the authorities to allow them to investigate the people responsible and prevent them from executing other attacks.
If possible, all infected devices should be imaged onto a physical medium for forensic purposes.
This helps assess the magnitude of the attack and anticipate what the attacker could use in the future to launch further attacks.
By determining exactly how the attacker got access to a resource, the necessary remediation steps can be taken to make sure this vulnerability cannot be used again for other attacks. This might be for example installing a security patch or changing a compromised password.
Most organisations don’t develop their website in-house. When an external provider is involved, they should be contacted and informed about the incident so they can also take the necessary steps to remediate it.
Not every organisation has enough resources to remediate a cyber incident efficiently. Several kinds of security specialists can be hired to help resolve the incident. Such specialists should only be engaged through official organisations, such as known consultancy firms, to avoid hiring a scammer.
The aim of this content is to share and raise awareness of good cyber security practice.
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.