NIS2, Are you on scope?
Belgium's new cybersecurity law enters into force. Check it out now.
Websites of organisations can be the target of numerous attacks such as defacement, denial of service, or even the theft of personal or banking data of Internet users who have created an account on the website. A cyber-attack on an organisation’s website can have multiple consequences on their activities: interruption of services, financial losses, information theft, loss of trust and credibility, remediation costs and even legal liability. This article gathers practical advice to ensure the security of a website.
When a cybercriminal hacks a website, the main purpose is to gain unauthorized access to its configuration and data. Later on, the hackers will use that same data for malicious purposes, which will allow them to earn profit. By being available 24/7, a website represents an attractive target for cybercriminals. There are several reasons that might push them to get access and take control of a website, such as:
As long as a website is visited, it is an attractive target for cybercriminals.
Even if you might think that your website doesn’t have anything interesting for cybercriminals to exploit, you could be wrong. As long as it is visited, it is an attractive target.
The attacker seeks one or more security vulnerabilities that will allow them to gain access to an organisation’s environment. Once in, their goal will be to gain privileges, in terms of access, in order to reach the administrative level type of account and be able to modify whatever they want to and thus control what is displayed to the website’s visitors. In addition, by reaching the administrative level access, which is one with high privileges, they can have an entrance to other of the organisation’s resources and launch other types of attack or disruption.
A good starting point is browsing your own websites as if you were an external user. If any suspicious changes arise or even a complete modification of the webpage that wasn’t done by your marketing or web development team, this is a first indication that the website is compromised.
In addition, detection means can be set up to identify if an intrusion is happening or already happened. Monitoring all the critical systems ensuring an organisation’s operations is a key element in ensuring a good level of protection against a website hack. If something indeed happens, the IT Responsible and their team can be notified through alerts they set up beforehand. In addition, there are several website monitoring tools that can help detect modifications of the content and other type of change done to a website, such as an attacker trying to link the website to newly setup domains.
When thinking of implementing tools to monitor a website, it is important for an organisation to evaluate the costs against the benefits. There are typically three aspects those tools can monitor: availability, speed and content. However, there is no ‘one fits all’ solution. The overall cost will depend on how heavily and regularly an organisation wants the content on their website to be monitored. This is thus specific to each organisation, depending on their needs and requirements: if the website represents a key element to carry out daily operations or provide services to customers, it will be best to invest in website monitoring tools.
Website monitoring tools are a great asset, however the solution chosen must be validated by the organisation’s IT Responsible from a security and performance point of view.
People cannot react properly to suspicious events if they are not aware of the dangers they might be facing when using information and communication technologies. Analysing all current cyber risks, deciding how to mitigate them and defining a set of policies that identify the right code of conduct is important for every organisation. However, all these measures are deemed to fail if they are not properly communicated to and understood by the collaborators. It is thus important to make sure everybody is aware of how to identify a website hacking attack and of the internal processes to notify and remediate an incident.
An organisation’s collaborators are its first line of defence. However, when encountering a cyber scam, they cannot adopt the right reflexes if they don’t know what they are.
There are several ways cybercriminals try to steal collaborators’ credentials in order to get access to an organisation’s resources. It is thus important to have regular informative sessions to train the collaborators about not sharing too much on social media and not clicking on a link or opening a file without analysing where it comes from first.
Using a “defence in depth” approach, the website can be protected by setting up independent methods to secure not only the software and hardware of the server, but also its hosting infrastructure. Those methods can include, for example, a firewall, an application firewall, an antivirus, etc. Combined, they aim at protecting the server against common cyber threats (e.g., malware, DDoS, etc.). If the website hosting is externalised, make sure the provider has sufficient security controls in place to ensure that protection.
A particular protection method to include within the “defence in depth” approach is to set up a Web Application Firewall. This firewall monitors incoming and outgoing network traffic in order to allow or deny communications based on defined security rules. It acts as a controller between the server and the client and by decrypting the traffic, it will analyse the users’ requests to access the network. This way, if it detects something suspicious according to its configurations rules, it can generate alerts and send them to the IT Responsible and their team who will decide on which actions to take next.
The Web Application Firewall protects against attacks that are coming from the web. It doesn’t replace a perimeter firewall, which will block unauthorised access and detect attacks coming from other entry points.
Only the necessary services for the server should be configured, everything else should be forbidden to avoid unused and potentially dangerous entry points. Additionally, specific rules can be implemented such as IP addresses filtering or unauthorizing specific file format. Finally, all unused services and features should be disabled or limited in order to reduce the probability of getting hacked.
Cybercriminals always seek for vulnerabilities to exploit so it is important to keep all systems up-to-date. This makes sure that the latest and more secure version is used.
As with all information and technology systems, updates to the web server components are crucial to make sure any known vulnerabilities is remediated, giving cybercriminals no chance to exploit them.
The typical components of a web server include:
Very few organisations build their website from scratch. They usually use third parties that come with a great amount of plugins and themes. Make sure to also keep those up to date. The developers from the third parties are constantly looking for new vulnerabilities, making the updates is thus crucial to have the least vulnerable version of the components being used.
Data is one of the most valuable assets an organisation has. This is why it should be protected accordingly. It is important to encrypt the data at rest (i.e., when stored in the database) and strictly control the access to the database.
In addition, those databases should be backed up to make sure that even if an incident occurs, all important data can still be recovered. It is important to regularly test those backups to confirm that they can actually be used if needed, after an incident.
In addition to databases, make sure to also backup the website and its configuration. Those backups should also be tested to confirm they can ensure a recovery if needed.
The HTTPS protocol is used on the Internet for secure communication and data transfer over a computer network. It is the secured version of HTTP. Just like HTTP, HTTPS is used to send data between a web browser and a web server. The difference is that HTTPS encrypts the data to increase the security of the transfer. Through the encryption of all exchanges happening between a web browser and a web server, HTTPS ensures that no outsider can eavesdrop the ongoing communications. In fact, even if an attacker is able to intercept the data, as it is encrypted, they will not be able to understand it nor use it.
As stated previously, one of the important steps to take to make a Content Management System secure is to keep it and its plugins up-to-date. Cybercriminals always look for new
vulnerabilities to exploit but security patches are released to fix those vulnerabilities. It is thus important to make the updates as soon as they are available.
In addition, the Content Management System can be protected by not using any default configuration set up for accounts and passwords, but creating one’s own admin account with a strong enough password and in addition implementing Multi-Factor Authentication. Multi Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.
Finally, a regular review of the user list must be integrated in the access management process. This applies not only to users having access to the Content Management System, but also to every other user within the organisation in general. This review allows the organisation to check that no test users are still active, and that no users that shouldn’t be there were added.
Directory browsing offers the possibility for people visiting a website to access its repository content, i.e., all the files and folders. Directory browsing should be disabled so attackers cannot randomly find the data by simply using search engines. In addition, files shouldn’t use default or publicly accessible locations.
It is very common for cyber criminals to use an existing account to get access to an organisation’s resources. The access control management should be well established and implemented within an organisation. The basic principles of least privilege and need-to-know must be applied: a user should only get the accesses they require to perform their job, nothing additional. They should always get the minimum required, not extra accesses ‘just in case’.
In addition, a user access provisioning process should be established. This process defines the procedure to remove or change the access granted to an employee when they switch position or leave the organisation. An insider attack can indeed always happen, no matter how loyal former collaborators were at a certain point of time. Their feelings towards the organisation might change if they didn’t leave willingly.
Testing a website for well-known vulnerabilities is a great way to establish whether it is ready to go live or not, from a security point of view. Identifying the existing vulnerabilities allows more time to fix them, without any damage, before a cybercriminal uses them and actually causes important damages. Security experts can provide assistance, by doing penetration tests and audits for example, to assess a website security.
People tend to use weak passwords as they are easier to remember. However, a password easy to remember is also easy to hack. It is thus important to only allow the use of strong passwords, which combines upper and lower cases, numbers and symbols. In addition, implementing Multi Factor Authentication adds an additional layer to protect the accounts.
There are several steps to carry out when facing website hacking:
As soon as an unusual change is suspected on the website, it must be reported immediately to the IT Responsible within the organisation so they can take the remediation steps as follows.
In order to stop the attack and its damage from expanding to the whole organisation’s network, all the devices infected must be unplugged from Internet. This can be done by removing the ethernet cable or by directly deactivating the Wi-Fi on the devices.
A website hack represents a cybercrime that must be reported to the police. In order to file a complaint, several elements can be gathered to complete the case: screenshots of the attacked website, screenshots of anything unusual displayed on the devices and the log records from the firewall and servers.
A website hack is punishable by law and should be reported to the authorities to allow them to investigate the people responsible and prevent them from executing other attacks.
If possible, all the devices infected need to be copied on a physical support for forensics purposes.
This helps assess the magnitude of the attack to anticipate what the hacker could use in the future to launch other attacks.
By determining exactly how the attacker got access to a resource, the necessary remediation steps can be taken to make sure this vulnerability cannot be used again for other attacks. This might be for example installing a security patch or changing a compromised password.
Most organisations don’t develop their website in-house. When an external provider is involved, they should be contacted and informed about the incident so they can also take the necessary steps to remediate it.
Not every organisation has enough resources to remediate efficiently to a cyber incident. There are several security specialists that can be hired to help solve the incident. Those specialists can only come from official organisations, such as known consultancy firms, to avoid hiring a scammer.
The aim of this content is to share and raise awareness of good cyber security practice.
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.